I'm running SBS Server 2003 with Exchange. Recently the system has been very slow and emails are taking longer than usual to send, sometimes not at all until a system restart; they sit in the queue folder as well. Looking at the Exchange log I have found the following:
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER09md6wUZLE0000a61a@XXXXXX.co.nz 0 0 2990 1 2010-3-4 3:24:35 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC RELAY AKLSERVER09 192.168.5.2 XXXX@aol.com 1031 AKLSERVER091KVHYS8Y0000a5f4@XXXXX.co.nz 0 0 2994 1 2010-3-4 3:24:29 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER09pqpEq8hZ0000a61b@XXXXX.co.nz 0 0 2994 1 2010-3-4 3:24:36 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC RELAY AKLSERVER09 192.168.5.2 XXXX@aol.com 1031 AKLSERVER09VhjNIjmM0000a616@XXXXXX.co.nz 0 0 2990 1 2010-3-4 3:24:33 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER090Qzfud7b0000a611@XXXX.co.nz 0 0 2993 1 2010-3-4 3:24:33 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
Basically there are hundreds of entries like this in the log, where emails are addressed to lots of different random email addresses at AOL, Hotmail, Yahoo etc. The from address is always career.entry at cocacola dot com.
The computer name where the emails originate can vary; in this log it's olajide-PC, and at the beginning of the log it's troojan-PC, with an IP address of 41.153.131.103 also logged.
Now the problem is I just can't work out where these emails are coming from. I'm assuming someone or something is trying to use the Exchange server as a spam distribution point, but I can't work out how they are connecting in. I have double and triple checked the SMTP settings and all is secure: only local LAN PCs and users who successfully authenticate are allowed to relay using the SMTP server.
I have two possible scenarios as to why the server is being spammed: #1, one of the accounts has been compromised; #2, one of the local LAN PCs is infected. It's highly unlikely one of the LAN PCs is infected given the IP address logged, 41.153.131.103; also, both the computer names "olajide-PC" and "troojan-PC" do not exist on the local network.
My next point of attack will be to analyse the SMTP logs, because I'm assuming one of the accounts has possibly been compromised. There are test accounts currently existing which were used for testing purposes after the initial migration from the old server; these have weak passwords, so are possibly compromised. Some of the Exchange users also have weak passwords, so I may need to set a password policy and force them to change their passwords at next logon to the domain.
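One way to turn the tracking-log review described above into a repeatable check, as an added example that is not part of the original post or any Microsoft tool: parse each Exchange 2003 message tracking log entry into its columns, then flag every message whose submitting client IP lies outside the LAN while the sender domain is not one of the organisation's own, and count distinct message IDs per (client IP, client hostname, sender) so that the 1020/1031 event pairs for one message are not double-counted. The column order assumed is the Exchange 2003 tracking-log layout (date, time, client-ip, client-hostname, partner-name, server-hostname, server-ip, recipient, event-id, msgid, priority, report-status, bytes, recipient-count, origination date/time, encryption, version, linked-msgid, subject, sender, expiry); the LAN range 192.168.5.0/24 is inferred from the server IP in the posted lines, the local domain example.co.nz stands in for the masked .co.nz domain, and the sample log is constructed from the shape of the posted entries plus one benign LAN-originated line for contrast.

```python
"""Flag relay abuse in Exchange 2003 message tracking log lines.

Added example, not from the original post. Assumes the Exchange 2003
tracking-log column order listed in FIELDS and a hypothetical LAN of
192.168.5.0/24 with local mail domain example.co.nz.
"""
import ipaddress
import re
from collections import Counter

FIELDS = ["date", "time", "client_ip", "client_host", "partner", "server",
          "server_ip", "recipient", "event_id", "msgid", "priority", "status",
          "bytes", "num_rcpt", "orig_date", "orig_time", "encryption",
          "version", "linked_msgid", "subject", "sender", "expiry"]

# Regex for the whitespace-flattened form seen in the post: the time columns
# carry a "GMT" suffix and the version column reads "Version: x.y.z".
FLAT_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+ GMT)\s+(?P<client_ip>\S+)\s+(?P<client_host>\S+)\s+"
    r"(?P<partner>\S+)\s+(?P<server>\S+)\s+(?P<server_ip>\S+)\s+(?P<recipient>\S+)\s+"
    r"(?P<event_id>\d+)\s+(?P<msgid>\S+)\s+(?P<priority>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<num_rcpt>\d+)\s+(?P<orig_date>\S+)\s+(?P<orig_time>\S+ GMT)\s+"
    r"(?P<encryption>\S+)\s+(?P<version>Version: \S+)\s+(?P<linked_msgid>\S+)\s+"
    r"(?P<subject>.*?)\s+(?P<sender>\S+)\s+(?P<expiry>\S+)$"
)


def parse_line(line):
    """Return a dict of columns, or None for comment, blank or unparseable lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    if "\t" in line:                      # the real log file is tab-separated
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            return None
        return dict(zip(FIELDS, parts))   # extra trailing columns are ignored
    m = FLAT_RE.match(line)               # whitespace-flattened form as posted
    return m.groupdict() if m else None


def is_suspicious(rec, lan_net, local_domains):
    """True when an outside client submitted mail claiming a non-local sender."""
    try:
        client = ipaddress.ip_address(rec["client_ip"])
    except ValueError:
        return False                      # "-" or a hostname in the client-ip column
    sender_domain = rec["sender"].rpartition("@")[2].lower()
    outside_lan = client not in lan_net and not client.is_loopback
    foreign_sender = sender_domain not in local_domains
    return outside_lan and foreign_sender


def find_relay_abuse(lines, lan_cidr="192.168.5.0/24", local_domains=("example.co.nz",)):
    """Return (suspicious records, Counter of distinct messages per source)."""
    lan_net = ipaddress.ip_network(lan_cidr)
    local = {d.lower() for d in local_domains}
    hits = [rec for rec in map(parse_line, lines)
            if rec and is_suspicious(rec, lan_net, local)]
    # A single message logs several events (1020, 1031, ...), so count msgids once.
    by_source, seen = Counter(), set()
    for rec in hits:
        key = (rec["client_ip"], rec["client_host"], rec["sender"])
        if (key, rec["msgid"]) not in seen:
            seen.add((key, rec["msgid"]))
            by_source[key] += 1
    return hits, by_source


# Constructed sample modelled on the posted entries; the last line is a benign
# LAN-originated message from a hypothetical local user, which must not be flagged.
SAMPLE_LOG = """\
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER09md6wUZLE0000a61a@example.co.nz 0 0 2990 1 2010-3-4 3:24:35 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC RELAY AKLSERVER09 192.168.5.2 XXXX@aol.com 1031 AKLSERVER091KVHYS8Y0000a5f4@example.co.nz 0 0 2994 1 2010-3-4 3:24:29 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER091KVHYS8Y0000a5f4@example.co.nz 0 0 2994 1 2010-3-4 3:24:29 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:02:10 GMT 41.153.131.103 troojan-PC RELAY AKLSERVER09 192.168.5.2 XXXX@hotmail.com 1031 AKLSERVER09abcdefgh0000a500@example.co.nz 0 0 2981 1 2010-3-4 3:10:02 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -
2010-3-4 4:20:41 GMT 192.168.5.40 RECEPTION-PC - AKLSERVER09 192.168.5.2 client@aol.com 1020 AKLSERVER09zzzzzzzz0000a700@example.co.nz 0 0 4120 1 2010-3-4 4:20:40 GMT 0 Version: 6.0.3790.3959 - - jane@example.co.nz -
"""

if __name__ == "__main__":
    hits, by_source = find_relay_abuse(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} suspicious log events")
    for (ip, host, sender), n in by_source.most_common():
        print(f"{n:4d} message(s)  client={ip} ({host})  sender={sender}")
```

Run it against the real tracking log (the tab-separated files under the Exchange tracking-log share) by passing the file's lines to find_relay_abuse; the summary tells you which outside IPs and HELO names are pushing mail, which is the list to take to the SMTP protocol logs to see how each client authenticated.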