Re: Administrator account hijacked?



Sean, here's an instruction (even though you might have found the solution,
if not ..) (I'm not the author, don't remember how or from where but it was
public so I'm pasting a snipped copy).

Disabling NDR (non-delivery reports) on Exchange 2003

Non-delivery reports have a very legitimate purpose and are used to notify
senders of any errors that may have been encountered during message
delivery. Such reports can help the sender find out if the email address no
longer exists, if the remote mailbox is over quota or provide information
detailing why the message was not delivered.

Unfortunately, spammers have started abusing this system to get around
global white lists defined by mail server administrators. Most anti-spam
software does not attempt to filter non-delivery reports for spam content.
These two circumstances alone create a wonderful opportunity for spammers to
relay their spam without being tracked or blacklisted. They spoof your email
address and send the spam message to a non-existent email address on the
target mail server. The target mail server produces an error and returns it
to you along with the content of the spam message.

Non-delivery reports should be kept in place for error reporting, but if
your email server becomes a target of a spammer, you should have the option
of disabling it. Thankfully, in Exchange 2003 this process is simple:

Disable Non-delivery Reports:
Open your Exchange System Manager, usually by clicking Start > All Programs >
Microsoft Exchange > System Manager.

Expand your Organization, select the Global Settings folder and then select
the Internet Message Formats. Right click on the Default Internet Message
Format and select properties. Click on the Advanced tab and clear the
checkmark next to "Allow Non-delivery Reports".

Click on Apply to disable NDRs.

While temporarily disabling NDRs to combat spam is acceptable, permanently
removing them can disable crucial error reporting to legitimate users, and
email senders will not know if the message has reached you.



--
Henrik Arenblad, MCP SBS,







"Torrey Lauer" <torrey no spam moderntravel no spam net> wrote in message
news:uT1i3rZeIHA.4312@xxxxxxxxxxxxxxxxxxxxxxx
Hi Sean,

Thanks for all your help. I did a search and was able to find how to set up
recipient filtering. Since I activated recipient filtering, only one
e-mail has gone out as postmaster. So, it appears to be working.

Thanks again for your help. I appreciate it.

Torrey

"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8663F3B1-8FF7-4564-8554-FDDE31683977@xxxxxxxxxxxxxxxx
I get to it from the start button, all programs, Microsoft Exchange,
"System Manager" then it will be under tools

I guess I could have put that in before... Sorry
--
Sean


"Torrey Lauer" wrote:

Where do I find the Exchange System Management tools?

"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E349AAD1-9977-4256-8369-C2CC6558A5FD@xxxxxxxxxxxxxxxx
Torrey,
Having just headed this off let me suggest a couple things for you to
check:

1. Use the Exchange System Management tools and run the message tracking
center to see what messages are being sent/received by any accounts. You'll
only see the header info but it will help you determine if it's an NDR
(Non-Deliverable Response) or an actual message.

2. You can logon OWA (Outlook Web Access) as the domain administrator and
see mail messages that are being received and sent through this account.

Chances are it is Exchange sending responses to Spam or bad addresses for
your domain. If so, then turn off NDR's for your server.

I found details on how to do all of this by searching this group, sorry I
don't have links.....

--
Sean


"Torrey Lauer" wrote:

Our ISP has been consistently blocking our e-mails by the time the afternoon
comes around. I ran a report last night, and see that over 12,000 e-mails
have been sent from the Administrator account in the past two weeks. Is
there a way to figure out 1) How someone has gained access to the server
and/or the Administrator e-mail account? 2) Is there a way to block the
Administrator account from sending e-mails to anyone outside of the local
network? 3) The server and workstations all have Trend Micro. If this is
caused from a virus or a trojan, wouldn't Trend Micro have picked this up?
This leads me to think that it's not a virus or a trojan, etc. So, then,
I'm at a loss as to how someone could have gained access to the Administrator
account. I have even changed the password two days ago, but we were blocked
again from our ISP yesterday afternoon. So, I'm not sure that whoever is
using our Administrator account is actually logging in to it.

Ideas?

Thanks.

Torrey Lauer
Modern Travel Services
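
The triage suggested in the thread (use message tracking to tell NDRs from actual messages) can be scripted once the tracking data is exported. The following is an added example, not code from any poster: the CSV columns, the `example.test` domain, the subject prefixes and the thresholds are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

LOCAL_DOMAIN = "example.test"   # assumption: your own mail domain
NDR_SUBJECTS = ("undeliverable:", "delivery status notification")  # assumed prefixes

# Constructed sample export (simplified columns, not Exchange's native log format).
SAMPLE = """time,sender,recipient,subject
2008-02-27 13:01,<>,bob@victim-one.test,Delivery Status Notification (Failure)
2008-02-27 13:01,<>,amy@victim-two.test,Delivery Status Notification (Failure)
2008-02-27 13:02,postmaster@example.test,joe@victim-three.test,Undeliverable: Cheap watches
2008-02-27 13:02,<>,kim@victim-four.test,Delivery Status Notification (Failure)
2008-02-27 13:03,<>,lee@victim-one.test,Delivery Status Notification (Failure)
2008-02-27 13:05,administrator@example.test,sales@vendor.test,Backup licence renewal
2008-02-27 13:06,administrator@example.test,staff@example.test,Server report
"""

def is_ndr(row):
    """System-generated bounce: null or postmaster sender plus an NDR subject."""
    sender = row["sender"].strip().lower()
    system_sender = sender in ("", "<>") or sender.startswith("postmaster@")
    return system_sender and row["subject"].strip().lower().startswith(NDR_SUBJECTS)

def triage(export_text, min_share=0.8, min_domains=3):
    """Split outbound mail into NDRs and authored messages and judge the mix."""
    counts, ndr_domains = Counter(), set()
    for row in csv.DictReader(io.StringIO(export_text)):
        domain = row["recipient"].rsplit("@", 1)[-1].strip().lower()
        if domain == LOCAL_DOMAIN:
            continue                      # internal delivery, never leaves the server
        if is_ndr(row):
            counts["ndr"] += 1
            ndr_domains.add(domain)
        else:
            counts["authored"] += 1
    total = counts["ndr"] + counts["authored"]
    share = counts["ndr"] / total if total else 0.0
    return {
        "ndr": counts["ndr"],
        "authored": counts["authored"],
        "ndr_share": round(share, 2),
        "ndr_target_domains": len(ndr_domains),
        # Thresholds are illustrative assumptions, not vendor guidance.
        "likely_backscatter": share >= min_share and len(ndr_domains) >= min_domains,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A high NDR share spread across many unrelated recipient domains points to bounces for spoofed mail rather than someone logging in to the account; a large count of authored messages would instead warrant looking at the account itself.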