Check Relay configurations on the Exchange server. Check for password compromise on the Exchange server.
FYI, Declude Hijack would have captured and quarantined this mass of messages.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:IMail_Forum-
> [EMAIL PROTECTED] On Behalf Of Kevin Rogers
> Sent: Thursday, June 09, 2005 2:06 PM
> To: [email protected]
> Subject: [IMail Forum] Exchange issue
>
> Our company has many locations throughout the country and a few of them
> use Exchange locally. This past Monday, 2 of our offices with Exchange
> sent out over 10K messages through our Imail server (normally they would
> send out a few hundred). Each of these messages had hundreds of
> recipients - all of them within our company. They were all written by
> one person. But they weren't written by anyone in these offices. They
> were actually messages *delivered* to them 3 weeks ago by someone else
> at a different company. He's a VP and so I had (idiot!) whitelisted his
> email address. So thousands of these emails were being sent out,
> written 3 weeks ago by someone at a different company. And this was
> happening at 2 different offices (Virginia Beach and Tampa) who are not
> connected to each other in any way (except that they both use Exchange
> and they both send out and receive messages through our Imail server).
>
> Any ideas???
>
> Here's some log entries:
>
> Here's a normal POP session for Tampa users:
>
> 06:06 00:02 POP3D (18D0CF94) logon success for someuser mydomain.com from 69.38.121.129
> 06:06 00:02 POP3D (18D0D001) logon success for someuser mydomain.com from 69.38.121.129
> 06:06 00:02 POP3D (18D0CF94) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129
> 06:06 00:02 POP3D (18D0D001) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129
> 06:06 00:02 POP3D (18D0D495) logon success for someuser mydomain.com from 69.38.121.129
> 06:06 00:02 POP3D (18D0D532) logon success for someuser mydomain.com from 69.38.121.129
> 06:06 00:02 POP3D (18D0D495) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129
>
> That gives us the IP address they are connecting from.
>
> Here is what our logs are full of:
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] HELO mydomain.com
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] MAIL FROM:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
> etc...............
> 06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] 452 Too many recipients RCPT TO:<[EMAIL PROTECTED]>
> 06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com akerr-main (1) <[EMAIL PROTECTED]> 83340
> 06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com aknorpp-main (1) <[EMAIL PROTECTED]> 83340
> 06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com amcbride-main (1) <[EMAIL PROTECTED]> 83340
> 06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com amccullough-main (1) <[EMAIL PROTECTED]> 83340
> 06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com arhodes-main (1) <[EMAIL PROTECTED]> 83340
> 06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com asvadeba-main (1) <[EMAIL PROTECTED]> 83340
> etc. ....................
>
> ---
> [This E-mail was scanned for viruses.]
>
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
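
An added example, not part of the original thread or of any IMail tooling: a small triage script that rolls up SMTPD lines in the layout quoted above per client IP, so a relay source sending far more than its usual volume or repeatedly hitting the "452 Too many recipients" cap stands out. The sample log, the function names `summarize` and `flag`, the volume threshold and the local domain are constructed for illustration, and the envelope-sender check is an assumption because the addresses in the quoted logs are redacted.

```python
import re
from collections import defaultdict

# Layout of the SMTPD lines quoted above: "MM:DD HH:MM SMTPD(session) [ip] text"
LINE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTPD\(\w+\) \[([\d.]+)\] (.*)$")

# Constructed sample (documentation IPs, example domains), not the poster's logs.
SAMPLE_LOG = """\
06:06 15:24 SMTPD(aa01) [192.0.2.10] HELO mydomain.example
06:06 15:24 SMTPD(aa01) [192.0.2.10] MAIL FROM:<vp@partner.example>
06:06 15:24 SMTPD(aa01) [192.0.2.10] RCPT TO:<a@mydomain.example>
06:06 15:24 SMTPD(aa01) [192.0.2.10] RCPT TO:<b@mydomain.example>
06:06 15:24 SMTPD(aa01) [192.0.2.10] 452 Too many recipients RCPT TO:<c@mydomain.example>
06:06 15:25 SMTPD(aa02) [192.0.2.10] MAIL FROM:<vp@partner.example>
06:06 15:25 SMTPD(aa02) [192.0.2.10] RCPT TO:<c@mydomain.example>
06:06 15:26 SMTPD(bb01) [198.51.100.7] MAIL FROM:<user@mydomain.example>
06:06 15:26 SMTPD(bb01) [198.51.100.7] RCPT TO:<a@mydomain.example>
"""

def summarize(log_text):
    """Roll SMTPD lines up per client IP: messages, recipients, 452 hits, senders."""
    per_ip = defaultdict(lambda: {"messages": 0, "rcpts": 0, "limit_hits": 0, "senders": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # POP3D, delivery (SMTP-) and unrelated lines are skipped
        ip, text = m.groups()
        agg = per_ip[ip]
        if text.startswith("MAIL FROM:"):
            agg["messages"] += 1
            agg["senders"].add(text[len("MAIL FROM:"):].strip("<> ").lower())
        elif text.startswith("RCPT TO:"):
            agg["rcpts"] += 1
        elif text.startswith("452 Too many recipients"):
            agg["limit_hits"] += 1
    return dict(per_ip)

def flag(per_ip, local_domain, max_messages):
    """Return {ip: [reasons]} for clients worth a closer look."""
    flagged = {}
    for ip, agg in per_ip.items():
        checks = {
            "volume": agg["messages"] > max_messages,
            "recipient-cap": agg["limit_hits"] > 0,
            "foreign-sender": any(s and not s.endswith("@" + local_domain) for s in agg["senders"]),
        }
        if any(checks.values()):
            flagged[ip] = [name for name, hit in checks.items() if hit]
    return flagged
```

Set `max_messages` from the source's normal daily volume (the post mentions a few hundred per office) rather than the value of 1 that suits the tiny sample.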
