Author: Tarak (Guest)
Posted: Fri Jan 21, 2005 1:55 am
Post subject: Exchange 2000 hijacked Please help
Hi,
We use Exchange 2000. The server is not an open relay server and asks for
authentication. The problem:
1. I see tons of queues in the SMTP with messages that do not belong to us.
2. In the current sessions I saw a user wchish does not exist in our AD!! I
know it sounds crazy but that's a fact. I disconnected him (or her). SMTP and
IMAP have diagnostic logging switched on but I don't see this user in event
logs or in security logs.
I am confused and defeated. All and any help is highly appreciated.
Tarak
Author: Ben Winzenz [Exchange MVP] (Guest)
Posted: Fri Jan 21, 2005 2:58 am
Post subject: Re: Exchange 2000 hijacked Please help
Look at the queues and see if the messages all have an originator of
Administrator or <>. If so, they are NDRs that are being generated by your
server. You can temporarily turn off NDRs, but that won't get rid of the
current queues.
You can also enable SMTP logging and see if all the connections are coming
from one IP (spammer). If they are, then you can block that IP from
accessing your SMTP server.
--
Ben Winzenz
Exchange MVP
"Tarak" <Tarak@discussions.microsoft.com> wrote in message
news:593434FB-13DE-4F66-BBD3-748D35DFE766@microsoft.com...
Quote:
Hi,
We use Exchange 2000. The server is not an open relay server and asks for
authentication. The problem:
1. I see tons of queues in the SMTP with messages that do not belong to us.
2. In the current sessions I saw a user wchish does not exist in our AD!! I
know it sounds crazy but that's a fact. I disconnected him (or her). SMTP and
IMAP have diagnostic logging switched on but I don't see this user in event
logs or in security logs.
I am confused and defeated. All and any help is highly appreciated.
Tarak
Author: Tarak (Guest)
Posted: Fri Jan 21, 2005 4:43 am
Post subject: Re: Exchange 2000 hijacked Please help
Thanks Ben.
1. The sent from field has random addresses including ones from AOL and COX.
2. The user uses more than one IP address and more than one userid. But I
can't see those userids in my AD.
Thanks again for your help. Looking forward to your reply!
Tarak
"Ben Winzenz [Exchange MVP]" wrote:
Quote:
Look at the queues and see if the messages all have an originator of
Administrator or <>. If so, they are NDRs that are being generated by your
server. You can temporarily turn off NDRs, but that won't get rid of the
current queues.
You can also enable SMTP logging and see if all the connections are coming
from one IP (spammer). If they are, then you can block that IP from
accessing your SMTP server.
--
Ben Winzenz
Exchange MVP
"Tarak" <Tarak@discussions.microsoft.com> wrote in message
news:593434FB-13DE-4F66-BBD3-748D35DFE766@microsoft.com...
Hi,
We use Exchange 2000. The server is not an open relay server and asks for
authentication. The problem:
1. I see tons of queues in the SMTP with messages that do not belong to us.
2. In the current sessions I saw a user wchish does not exist in our AD!! I
know it sounds crazy but that's a fact. I disconnected him (or her). SMTP and
IMAP have diagnostic logging switched on but I don't see this user in event
logs or in security logs.
I am confused and defeated. All and any help is highly appreciated.
Tarak
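An added example, not part of any post in this thread: one way to run the two checks Ben describes over SMTP protocol logs, counting MAIL FROM commands per client IP and spotting null-sender (`<>`) traffic, while also listing the distinct envelope senders per IP for the multi-address case Tarak reports. The W3C field layout and every log record below are constructed assumptions; the parser reads the actual layout from the log's own `#Fields:` header.

```python
from collections import Counter

# Constructed sample in W3C extended log format (assumed field selection);
# the parser takes the real column order from the "#Fields:" header line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-01-21 01:50:01 203.0.113.7 host1.example EHLO +host1.example 250
2005-01-21 01:50:02 203.0.113.7 host1.example MAIL +FROM:<a@aol.example> 250
2005-01-21 01:50:03 203.0.113.7 host1.example RCPT +TO:<x@elsewhere.example> 250
2005-01-21 01:50:09 203.0.113.7 host1.example MAIL +FROM:<b@cox.example> 250
2005-01-21 01:51:01 198.51.100.9 host2.example MAIL +FROM:<> 250
2005-01-21 01:52:00 203.0.113.7 host1.example MAIL +FROM:<c@aol.example> 250
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or odd lines
                yield dict(zip(fields, values))

def summarize(text):
    """Return (MAIL FROM count per IP, sender set per IP, null-sender count)."""
    mail_per_ip, senders_per_ip, null_sender = Counter(), {}, 0
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "MAIL":
            continue
        ip = rec.get("c-ip", "-")
        arg = rec.get("cs-uri-query", "").lstrip("+")        # "FROM:<addr>"
        sender = arg.split(":", 1)[-1].strip("<>").lower()   # "" for <>
        mail_per_ip[ip] += 1
        senders_per_ip.setdefault(ip, set()).add(sender or "<>")
        if not sender:
            null_sender += 1
    return mail_per_ip, senders_per_ip, null_sender

if __name__ == "__main__":
    counts, senders, nulls = summarize(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} MAIL FROM, {len(senders[ip])} distinct senders")
    print(f"null-sender (<>) messages, typical of NDRs: {nulls}")
```

A single IP with many unrelated sender domains points at a source to block; a high null-sender count points at NDR traffic instead.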