Thanks.

John Tolmachoff (Lists) wrote:

Check Relay configurations on the Exchange server.
Check for password compromise on the Exchange server.

FYI, Declude Hijack would have captured and quarantined this mass of
messages.

John T
eServices For You


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:IMail_Forum-
[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, June 09, 2005 2:06 PM
To: [email protected]
Subject: [IMail Forum] Exchange issue

Our company has many locations throughout the country and a few of them
use Exchange locally.  This past Monday, 2 of our offices with Exchange
sent out over 10K messages through our Imail server (normally they would
send out a few hundred).  Each of these messages had hundreds of
recipients - all of them within our company.  They were all written by
one person.  But they weren't written by anyone in these offices.  They
were actually messages *delivered* to them 3 weeks ago by someone else
at a different company.  He's a VP and so I had (idiot!) whitelisted his
email address.  So thousands of these emails were being sent out,
written 3 weeks ago by someone at a different company.  And this was
happening at 2 different offices (Virginia Beach and Tampa) who are not
connected to each other in any way (except that they both use Exchange
and they both send out and receive messages through our Imail server).

Any ideas???

Here are some log entries:

Here's a normal POP session for Tampa users:

06:06 00:02 POP3D  (18D0CF94) logon success for someuser mydomain.com from 69.38.121.129
06:06 00:02 POP3D  (18D0D001) logon success for someuser mydomain.com from 69.38.121.129
06:06 00:02 POP3D  (18D0CF94) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129
06:06 00:02 POP3D  (18D0D001) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129
06:06 00:02 POP3D  (18D0D495) logon success for someuser mydomain.com from 69.38.121.129
06:06 00:02 POP3D  (18D0D532) logon success for someuser mydomain.com from 69.38.121.129
06:06 00:02 POP3D  (18D0D495) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129

That gives us the IP address they are connecting from.

Here is what our logs are full of:
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] HELO mydomain.com
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] MAIL FROM:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] RCPT TO:<[EMAIL PROTECTED]>
etc...............
06:06 15:24 SMTPD(cd2c0ffa00005a0f) [69.38.121.129] 452 Too many recipients RCPT TO:<[EMAIL PROTECTED]>
06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com akerr-main (1) <[EMAIL PROTECTED]> 83340
06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com aknorpp-main (1) <[EMAIL PROTECTED]> 83340
06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com amcbride-main (1) <[EMAIL PROTECTED]> 83340
06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com amccullough-main (1) <[EMAIL PROTECTED]> 83340
06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com arhodes-main (1) <[EMAIL PROTECTED]> 83340
06:06 15:25 SMTP-(cd2c0ffa00005a0f) ldeliver Rogersbenefit.com asvadeba-main (1) <[EMAIL PROTECTED]> 83340
etc. ....................

---
[This E-mail was scanned for viruses.]


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
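Added example, not part of the thread and not IMail's or Declude's code: a Python script that does the triage the quoted log lines invite, written against the SMTPD/POP3D line format shown above. It groups SMTPD lines by session id, counts RCPT TO per session and per source IP, records when a session ran into the "452 Too many recipients" cap and kept going, and cross-checks each source IP against successful POP3 logons so a flagged address can be tied to one of your own offices. The sample log is constructed: the session ids, recipient names, outside sender domains, the second source IP 198.51.100.7 and the thresholds are all assumptions; 69.38.121.129 is the office address from the post.

```python
import re

# Constructed sample, modelled on the IMail SMTPD/POP3D log lines quoted in the post.
# Session ids, addresses, outside domains and 198.51.100.7 are made up for this example.

def _smtp_session(date, time, sid, ip, helo, sender, n_accepted, n_rejected=0):
    """Build one constructed SMTPD session: HELO, MAIL FROM, RCPT TO lines, with the
    last n_rejected recipients refused by the per-message recipient cap (452)."""
    lines = [f"{date} {time} SMTPD({sid}) [{ip}] HELO {helo}",
             f"{date} {time} SMTPD({sid}) [{ip}] MAIL FROM:<{sender}>"]
    for i in range(n_accepted):
        lines.append(f"{date} {time} SMTPD({sid}) [{ip}] RCPT TO:<user{i}@mydomain.com>")
    for i in range(n_rejected):
        lines.append(f"{date} {time} SMTPD({sid}) [{ip}] 452 Too many recipients "
                     f"RCPT TO:<user{n_accepted + i}@mydomain.com>")
    return lines

SAMPLE_LOG = "\n".join(
    ["06:06 00:02 POP3D  (18D0CF94) logon success for someuser mydomain.com from 69.38.121.129",
     "06:06 00:02 POP3D  (18D0CF94) logoff for someuser mydomain.com R:0, D:0, P:0, RS:0 from 69.38.121.129"]
    # Two back-to-back sessions from the office host, each replaying an outside sender's
    # message to hundreds of internal recipients and running into the 452 cap.
    + _smtp_session("06:06", "15:24", "cd2c0ffa00005a0f", "69.38.121.129", "mydomain.com",
                    "vp@othercompany.example", 200, 3)
    + _smtp_session("06:06", "15:25", "cd2c0ffa00005a10", "69.38.121.129", "mydomain.com",
                    "vp@othercompany.example", 200, 3)
    # Ordinary inbound mail from an unrelated outside host; must not be flagged.
    + _smtp_session("06:06", "15:30", "0000000000000001", "198.51.100.7", "mail.partner.example",
                    "someone@partner.example", 2)
)

SMTP_RE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) SMTPD\(([0-9a-f]+)\) \[([\d.]+)\] (.*)$")
POP3_RE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) POP3D\s+\(([0-9A-Fa-f]+)\) logon success "
                     r"for (\S+) (\S+) from ([\d.]+)$")

def parse_smtp_sessions(log):
    """Group SMTPD lines by session id -> {sid: {ip, first_seen, helo, sender, accepted, rejected}}."""
    sessions = {}
    for line in log.splitlines():
        m = SMTP_RE.match(line)
        if not m:
            continue                      # POP3D, SMTP- ldeliver and other lines are ignored
        date, time, sid, ip, rest = m.groups()
        s = sessions.setdefault(sid, {"ip": ip, "first_seen": f"{date} {time}", "helo": None,
                                      "sender": None, "accepted": 0, "rejected": 0})
        if rest.startswith(("HELO ", "EHLO ")):
            s["helo"] = rest.split(" ", 1)[1]
        elif rest.startswith("MAIL FROM:"):
            s["sender"] = rest[len("MAIL FROM:"):].strip("<>")
        elif rest.startswith("RCPT TO:"):
            s["accepted"] += 1
        elif rest.startswith("452 "):
            s["rejected"] += 1            # cap reached, but the client kept sending RCPT TO
    return sessions

def pop3_client_ips(log):
    """IPs with a successful POP3 logon: the addresses your own offices collect mail from."""
    return {m.group(6) for m in map(POP3_RE.match, log.splitlines()) if m}

def flag_relay_abuse(log, max_rcpt_per_session=50, max_rcpt_per_ip=150, local_domain="mydomain.com"):
    """Return {ip: summary} for every source IP with at least one reason to look at it.
    Thresholds are assumptions; tune them to your normal per-office volume."""
    sessions = parse_smtp_sessions(log)
    known = pop3_client_ips(log)
    per_ip = {}
    for sid, s in sessions.items():
        p = per_ip.setdefault(s["ip"], {"sessions": 0, "accepted": 0, "rejected": 0,
                                        "known_pop3_client": s["ip"] in known,
                                        "outside_senders": set(), "flagged_sessions": [],
                                        "reasons": []})
        p["sessions"] += 1
        p["accepted"] += s["accepted"]
        p["rejected"] += s["rejected"]
        if s["sender"] and not s["sender"].lower().endswith("@" + local_domain):
            p["outside_senders"].add(s["sender"])
        attempted = s["accepted"] + s["rejected"]
        if attempted > max_rcpt_per_session:
            p["flagged_sessions"].append(sid)
            p["reasons"].append(f"session {sid} at {s['first_seen']}: {attempted} RCPT TO "
                                f"({s['rejected']} refused with 452)")
    for ip, p in per_ip.items():
        # The 452 cap only trims each message; the abuser just opens more sessions,
        # so the count that matters is the per-IP total across sessions.
        if p["accepted"] > max_rcpt_per_ip:
            p["reasons"].append(f"{p['accepted']} recipients accepted across {p['sessions']} sessions")
        # An office host (seen logging on via POP3) submitting mail with an outside
        # MAIL FROM is the combination a sender whitelist waves through.
        if p["known_pop3_client"] and p["outside_senders"]:
            p["reasons"].append("known office host submitting mail as outside sender(s): "
                                + ", ".join(sorted(p["outside_senders"])))
    return {ip: p for ip, p in per_ip.items() if p["reasons"]}

if __name__ == "__main__":
    for ip, p in flag_relay_abuse(SAMPLE_LOG).items():
        print(ip, "known POP3 client" if p["known_pop3_client"] else "unknown host")
        for reason in p["reasons"]:
            print("  -", reason)
```

Run against a real IMail log the script reports only 69.38.121.129 for the sample above: both sessions exceed the per-session threshold, the per-IP total is 400 accepted recipients, and the host is one that also logs on via POP3, which is what lets you say "that is the Tampa Exchange server" rather than "some IP". The unrelated inbound host with two recipients is not reported. Whatever thresholds you pick, keep the per-IP aggregate: the 452 reply in the quoted log shows the cap was hit, and the ldeliver lines right after it show the message still went out to everyone accepted before the cap.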