mail server compromised?

[bobsa32]

Hi,

We have exchange 2003 (on sbs 2003) which we think has been compromised.

First signs of something wrong was the hardware firewall disconnecting all outbound connections. there appears to be hundreds of emails going out through the postmaster account, however there is not traffic in the exchange queues. any ideas?

PS virus and spyware scans done

 

[Spirit]

How do you know that 100's of emails are going out under the postmaster account?

I would suspect either
1. You're being used as a relay server.
2. A client has a virus and is the source of the mail.

But from what you say above about nothing in the queues I'd suspect number 1.

Make sure that relaying is disabled check out this guide:

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

Iain

 

[nsantin]

or #3: You have been bombarded with a ton of spam messgaes to invalid addresses and your postmaster account is sending out NDRs (mostly bogus, as spammers typically use invalid Reply-To addresses)

 

[eod]

Yeah sort of sounds like a NDR attack.