Exchange 2000 Relay Persistent Problem

Status
Not open for further replies.

DWax

IS-IT--Management
Feb 12, 2004
2
US
I cannot close an open relay. I have tried every Exchange 2000 fix I can find with no results.
MS Server 2000 with Exchange 2000, fully service packed.

mail.fpccolumbia.com
63.113.56.60

I see an IP connect for 200 to 8350 seconds then I have a full queue and later lots of badmail. I can block that IP but another shows up.

If someone can test and suggest a fix, any help appreciated.

Dan
 
Sounds like a user account has been hacked.

Be sure that the Guest account is disabled.

Change the Administrator password. Note that this might affect some 3rd party services that use the Administrator account to sign on. Check the Services utility for this.

Enable Logon Event auditing to try to determine which account is being used to get into the mail server.
 
I have the same thing going on.

Made sure relaying is closed;

created a new SMTP virtual server;

used cmd prompt to delete a very large Badmail folder that had about consumed my hard drive;

Have reinstalled virus software and did scans, all clean;
I turned off NDR;

still seeing unknown users in current sessions

Logging is enabled, see below. I expected to see user names

18:06:30 216.254.118.253 HELO - 250
18:06:30 216.254.118.253 MAIL - 250
18:06:30 216.254.118.253 RCPT - 250
18:06:30 216.254.118.253 DATA - 250
18:06:30 216.254.118.253 QUIT - 240
18:06:46 65.24.5.137 EHLO - 250
18:06:46 65.24.5.137 MAIL - 250
18:06:46 65.24.5.137 RCPT - 250
18:06:46 65.24.5.137 DATA - 250
18:06:46 65.24.5.137 QUIT - 240



I don't see the mail being dumped in now, but still see people connected
 
I called microsoft on this one.

They had me turn off "allow Authenticated users to relay", since we don't need anyone to relay. Since it was a default setting I never changed it; figured it was needed for our OWA.

Everything is fine. Stopped the old virtual server, created a new, and linked it in connections.

I guess we had an account hacked, changed all passwords, just to make sure

tim
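
An added example, not part of any post in this thread: a small triage script for SMTP logs in the five-field layout quoted above (time, client IP, verb, "-", status), summarising accepted recipients and connection time per client IP. The sample log is constructed, the addresses are documentation ranges, and the thresholds and the single-day assumption (no midnight rollover) are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample in the same field layout as the log excerpt in the thread.
# Addresses come from documentation ranges; they are not from the original page.
SAMPLE_LOG = """\
18:06:30 192.0.2.10 HELO - 250
18:06:30 192.0.2.10 MAIL - 250
18:06:30 192.0.2.10 RCPT - 250
18:06:30 192.0.2.10 DATA - 250
18:06:31 192.0.2.10 QUIT - 240
18:07:00 198.51.100.7 EHLO - 250
18:07:01 198.51.100.7 MAIL - 250
18:07:01 198.51.100.7 RCPT - 250
18:07:02 198.51.100.7 RCPT - 250
18:07:02 198.51.100.7 RCPT - 250
18:07:03 198.51.100.7 RCPT - 550
18:07:04 198.51.100.7 DATA - 250
18:12:40 198.51.100.7 QUIT - 240
"""

def summarize(log_text):
    """Per client IP: accepted/rejected RCPT counts and seconds from first to last line."""
    stats = defaultdict(lambda: {"ok": 0, "rej": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank lines, headers and other layouts
        when, ip, verb, _, status = parts
        try:
            t = datetime.strptime(when, "%H:%M:%S")  # assumes a single-day log
            code = int(status)
        except ValueError:
            continue
        s = stats[ip]
        s["first"] = s["first"] or t
        s["last"] = t
        if verb.upper() == "RCPT":
            s["ok" if 200 <= code < 300 else "rej"] += 1
    return {ip: {"rcpt_ok": s["ok"], "rcpt_rejected": s["rej"],
                 "seconds": int((s["last"] - s["first"]).total_seconds())}
            for ip, s in stats.items()}

def flag(summary, max_rcpt=2, max_seconds=200):
    """IPs over either threshold (hypothetical defaults, not values from the thread)."""
    return sorted(ip for ip, s in summary.items()
                  if s["rcpt_ok"] > max_rcpt or s["seconds"] > max_seconds)

if __name__ == "__main__":
    print("review:", flag(summarize(SAMPLE_LOG)))
```

This layout carries no user name, so the script can only point to client IPs worth reviewing; identifying the account in use still depends on the logon auditing suggested earlier in the thread.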
 