Exchange 2003 being used as spam relay

  • Exchange 2003 being used as spam relay

    Hey all.

    I have an Exchange 2003 server, which until recently has worked fine. Now, twice a week at midnight, around 400,000 emails are being sent through it via an external source. I cannot work out how this is, as:

    1. We are not an open relay
    2. All the online tests say security is fine
    3. There is no malware or viruses on the network (everything apart from the server is shut down at night).
    4. I have blocked the IP addresses that are sending the spam but every couple of days a new IP address is used.

    Anyone have any ideas how I can stop this for good? How is it possible for a third party to connect to the server and stream thousands of messages through it when I've got it pretty much locked down?

    Am going insane here.


  • #2
    Re: Exchange 2003 being used as spam relay

    Probably an authenticated relay 'attack'. This generally tends to happen when you have a compromised PC that has malware on it that is using valid domain credentials to relay. Turn up your logging in Exchange to find out which account is being used. The SMTP logs should also be able to tell which IP address is making numerous connections to Exchange. The best place to start is by changing all domain passwords, which is easily done via GPO for most end users. Failing that, have a look at the article below, which details 'how' you may harden your server build.
    Last edited by scurlaruntings; 19th March 2012, 14:12.
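
An added example, not part of the original thread: one way to act on the advice in reply #2 and find which client IP is making the bulk of the connections, by counting RCPT commands per IP and hour in the SMTP protocol log. It assumes the log is in W3C extended format with the `date`, `time`, `c-ip` and `cs-method` fields enabled; the sample lines, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample. A real log's own "#Fields:" line decides the column
# order, so the parser reads that header instead of hard-coding positions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2012-03-19 00:00:01 203.0.113.7 EHLO +relay.example.net 250
2012-03-19 00:00:02 203.0.113.7 MAIL +FROM:<a@example.org> 250
2012-03-19 00:00:02 203.0.113.7 RCPT +TO:<v1@example.com> 250
2012-03-19 00:00:03 203.0.113.7 RCPT +TO:<v2@example.com> 250
2012-03-19 00:00:03 203.0.113.7 RCPT +TO:<v3@example.com> 250
2012-03-19 00:00:04 203.0.113.7 RCPT +TO:<v4@example.com> 250
2012-03-19 09:15:10 192.0.2.10 MAIL +FROM:<staff@example.org> 250
2012-03-19 09:15:11 192.0.2.10 RCPT +TO:<client@example.com> 250
truncated line
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated entries
                yield dict(zip(fields, values))

def rcpt_by_ip_hour(text):
    """Count accepted-or-not RCPT commands per (client IP, 'YYYY-MM-DD HH')."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() == "RCPT":
            hour = f"{row['date']} {row['time'][:2]}"
            counts[(row["c-ip"], hour)] += 1
    return counts

def heavy_senders(text, threshold):
    """Return (ip, hour, rcpt_count) tuples at or above threshold, busiest first."""
    hits = [(ip, hour, n) for (ip, hour), n in rcpt_by_ip_hour(text).items()
            if n >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for ip, hour, n in heavy_senders(SAMPLE_LOG, threshold=3):
        print(f"{hour}:00  {ip}  {n} recipients")
```

Run over the real log files for the nights in question, with a threshold well above normal hourly volume, the output gives the source address to correlate with the account found through the increased Exchange logging.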