Re: Administrator account hijacked?



Never mind. I found it.

We have thousands of e-mails sending out from Administrator as postmaster at
moderntravel d01t net. Any idea as to how to stop this?


"Torrey Lauer" <torrey no spam moderntravel no spam net> wrote in message
news:enhdopYeIHA.2448@xxxxxxxxxxxxxxxxxxxxxxx
Where do I find the Exchange System Management tools?

"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E349AAD1-9977-4256-8369-C2CC6558A5FD@xxxxxxxxxxxxxxxx
Torrey,
Having just headed this off let me suggest a couple things for you to
check:

1. Use the Exchange System Management tools and run the message tracking
center to see what messages are being sent/received by any accounts. You'll
only see the header info but it will help you determine if it's an NDR
(Non-Deliverable Response) or an actual message.

2. You can log on to OWA (Outlook Web Access) as the domain administrator and
see mail messages that are being received and sent through this account.

Chances are it is Exchange sending responses to Spam or bad addresses for
your domain. If so, then turn off NDRs for your server.

I found details on how to do all of this by searching this group, sorry I
don't have links.....

--
Sean


"Torrey Lauer" wrote:

Our ISP has been consistently blocking our e-mails by the time the afternoon
comes around. I ran a report last night, and see that over 12,000 e-mails
have been sent from the Administrator account in the past two weeks. Is
there a way to figure out 1) How someone has gained access to the server
and/or the Administrator e-mail account? 2) Is there a way to block the
Administrator account from sending e-mails to anyone outside of the local
network? 3) The server and workstations all have Trend Micro. If this is
caused from a virus or a trojan, wouldn't Trend Micro have picked this up?
This leads me to think that it's not a virus or a trojan, etc. So, then,
I'm at a loss as to how someone could have gained access to the Administrator
account. I have even changed the password two days ago, but we were blocked
again from our ISP yesterday afternoon. So, I'm not sure that whoever is
using our Administrator account is actually logging in to it.

Ideas?

Thanks.

Torrey Lauer
Modern Travel Services






