Re: Administrator account hijacked?




You're doing just fine, Sean :-) Good advice on the filtering.

The link to clean up the queues:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;324958

Torrey, if you haven't yet installed the SBS BPA, the link is in my signature.

To find answers in this newsgroup, use google groups search.

http://groups.google.ca/group/microsoft.public.windows.server.sbs/topics?hl=en

To find answers at MS, use the SBS technical library:

http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/4082d695-2075-4ca0-8af8-99fd04b78b2d1033.mspx?mfr=true

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:9A5633F4-7CBA-40FA-9E8C-CCF9F01B97DE@xxxxxxxxxxxxxxxx
I wish I could send you links like the MVPs but I found out how to enable
recipient filtering and disable NDRs by searching this forum.

Recipient filtering will ignore/drop mail received that doesn't belong to a
valid user on your system, there isn't an NDR sent for this.

Disabling NDRs just stops the server from ever sending these error messages.

Your outbound mail is probably due to a [Censored] person trying a
dictionary attack against your domain in order to find good/bad addresses to
sell and send more SPAM to, if I understand the process......

You can also try looking up recipient filtering on Google/Yahoo/etc for a
how to guide.

I had hoped an MVP would have jumped in by now to bail me out... But I hope
this is at least helpful.


--
Sean


"Torrey Lauer" wrote:

Never mind. I found it.

We have thousands of e-mails sending out from Administrator as postmaster at
moderntravel d01t net. Any idea as to how to stop this?


"Torrey Lauer" <torrey no spam moderntravel no spam net> wrote in message
news:enhdopYeIHA.2448@xxxxxxxxxxxxxxxxxxxxxxx
> Where do I find the Exchange System Management tools?
>
> "Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:E349AAD1-9977-4256-8369-C2CC6558A5FD@xxxxxxxxxxxxxxxx
>> Torrey,
>> Having just headed this off let me suggest a couple things for you to
>> check:
>>
>> 1. Use the Exchange System Management tools and run the message tracking
>> center to see what messages are being sent/received by any accounts. You'll
>> only see the header info but it will help you determine if it's an NDR
>> (Non-Deliverable Response) or an actual message.
>>
>> 2. You can logon OWA (Outlook Web Access) as the domain administrator and
>> see mail messages that are being received and sent through this account.
>>
>> Chances are it is Exchange sending responses to Spam or bad addresses for
>> your domain. If so, then turn off NDR's for your server.
>>
>> I found details on how to do all of this by searching this group, sorry I
>> don't have links.....
>>
>> --
>> Sean
>>
>> "Torrey Lauer" wrote:
>>
>>> Our ISP has been consistently blocking our e-mails by the time the afternoon
>>> comes around. I ran a report last night, and see that over 12,000 e-mails
>>> have been sent from the Administrator account in the past two weeks. Is
>>> there a way to figure out 1) How someone has gained access to the server
>>> and/or the Administrator e-mail account? 2) Is there a way to block the
>>> Administrator account from sending e-mails to anyone outside of the local
>>> network? 3) The server and workstations all have Trend Micro. If this is
>>> caused from a virus or a trojan, wouldn't Trend Micro have picked this up?
>>> This leads me to think that it's not a virus or a trojan, etc. So, then,
>>> I'm at a loss as to how someone could have gained access to the Administrator
>>> account. I have even changed the password two days ago, but we were blocked
>>> again from our ISP yesterday afternoon. So, I'm not sure that whoever is
>>> using our Administrator account is actually logging in to it.
>>>
>>> Ideas?
>>>
>>> Thanks.
>>>
>>> Torrey Lauer
>>> Modern Travel Services
>>>
>>>
>>>
>
>
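
The triage discussed in this thread (is the outbound flood NDRs or real mail from the account?), sketched as an added example that is not part of the original posts. The CSV layout, the `example.test` domain, the 0.8 threshold and the function names are assumptions; the sample rows are constructed, not taken from an Exchange tracking log.

```python
import csv
import io
from collections import Counter

# Constructed sample in a simplified CSV layout (an assumption, not Exchange's
# native tracking-log format). example.test stands in for the local domain.
SAMPLE = """time,envelope_from,header_from,rcpt,subject
09:01,<>,postmaster@example.test,a1@spoofed-one.test,Delivery Status Notification (Failure)
09:01,<>,postmaster@example.test,b2@spoofed-two.test,Delivery Status Notification (Failure)
09:02,<>,postmaster@example.test,c3@spoofed-three.test,Delivery Status Notification (Failure)
09:02,administrator@example.test,administrator@example.test,agent@partner.test,Itinerary for Friday
09:03,<>,postmaster@example.test,d4@spoofed-one.test,Delivery Status Notification (Failure)
09:04,<>,postmaster@example.test,e5@spoofed-four.test,Delivery Status Notification (Failure)
09:05,administrator@example.test,administrator@example.test,staff@example.test,Backup report
"""

NDR_SUBJECT_PREFIXES = ("delivery status notification", "undeliverable")


def is_ndr(row):
    """An NDR has a DSN-style subject and a null or postmaster sender."""
    null_sender = row["envelope_from"].strip() in ("", "<>")
    from_postmaster = row["header_from"].lower().startswith("postmaster@")
    dsn_subject = row["subject"].lower().startswith(NDR_SUBJECT_PREFIXES)
    return dsn_subject and (null_sender or from_postmaster)


def triage(text, local_domain="example.test", threshold=0.8):
    """Summarise outbound mail and say whether it is mostly NDR backscatter."""
    rows = list(csv.DictReader(io.StringIO(text)))
    suffix = "@" + local_domain
    outbound = [r for r in rows if not r["rcpt"].lower().endswith(suffix)]
    ndrs = [r for r in outbound if is_ndr(r)]
    # Many distinct target domains suggests forged senders on inbound spam.
    domains = Counter(r["rcpt"].rsplit("@", 1)[1].lower() for r in ndrs)
    ratio = len(ndrs) / len(outbound) if outbound else 0.0
    return {
        "outbound": len(outbound),
        "ndr": len(ndrs),
        "ndr_target_domains": len(domains),
        "verdict": "ndr-backscatter" if ratio >= threshold else "investigate-account",
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A verdict of `investigate-account` means most outbound mail is not NDRs, so the account or a relay path deserves a closer look rather than the NDR and recipient-filtering settings.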
