Re: Administrator account hijacked?
- From: "Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx>
- Date: Wed, 27 Feb 2008 19:25:32 -0600
Don't disable NDR's, that is not the solution. Kill the spam. The steps, using the built-in capabilities of Exchange 2003 SP2 and a third party such as zen.spamhaus.org, (all no cost) have been posted in here many times, and disabling NDR's isn't one of them ;-).
--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us
"Henrik" <hear01@xxxxxxxxxxx> wrote in message news:uPRNI3ZeIHA.4056@xxxxxxxxxxxxxxxxxxxxxxx
Sean, here's an instruction (even though you might have found the solution, if not ..)(I'm not the author, don't remember how or from where but it was public so I'm pasting a snipped copy).
Disabling NDR (non-delivery reports) on Exchange 2003
Non-delivery reports have a very legitimate purpose and are used to notify senders of any errors that may have been encountered during message delivery. Such reports can help the sender find out if the email address no longer exists, if the remote mailbox is over quota or provide information detailing why the message was not delivered.
Unfortunately, spammers have started abusing this system to get around global white lists defined by mail server administrators. Most anti-spam software does not attempt to filter non-delivery reports for spam content. These two circumstances alone create a wonderful opportunity for spammers to relay their spam without being tracked or blacklisted. They spoof your email address and send the spam message to a non-existent email address on the target mail server. The target mail server produces an error and returns it to you along with the content of the spam message.
Non-delivery reports should be kept in place for error reporting, but if your email server becomes a target of a spammer, you should have the option of disabling it. Thankfully, in Exchange 2003 this process is simple:
Disable Non-delivery Reports:
Open your Exchange Server Manager, usually by clicking Start > All Programs > Microsoft Exchange > System Manager.
Expand your Organization, select the Global Settings folder and then select the Internet Message Formats. Right click on the Default Internet Message Format and select properties. Click on the Advanced tab and clear the checkmark next to "Allow Non-delivery Reports".
Click on Apply to disable NDR's.
While temporarily disabling NDR's to combat spam is acceptable, permanently removing them can disable crucial error reporting to legitimate users and email senders will not know if the message has reached you.
--
Henrik Arenblad, MCP SBS,
"Torrey Lauer" <torrey no spam moderntravel no spam net> wrote in message news:uT1i3rZeIHA.4312@xxxxxxxxxxxxxxxxxxxxxxx
Hi Sean,
Thanks for all your help. I did a search and was able to find how to set up recipient filtering. Since I activated recipient filtering, only one e-mail has gone out as postmaster. So, it appears to be working.
Thanks again for your help. I appreciate it.
Torrey
"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:8663F3B1-8FF7-4564-8554-FDDE31683977@xxxxxxxxxxxxxxxx
I get to it from the start button, all programs, Microsoft Exchange, "System Manager" then it will be under tools
I guess I could have put that in before... Sorry
--
Sean
"Torrey Lauer" wrote:
Where do I find the Exchange System Management tools?
"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E349AAD1-9977-4256-8369-C2CC6558A5FD@xxxxxxxxxxxxxxxx
> Torrey,
> Having just headed this off let me suggest a couple things for you to check:
>
> 1. Use the Exchange System Management tools and run the message tracking center to see what messages are being sent/received by any accounts. You'll only see the header info but it will help you determine if it's an NDR (Non-Deliverable Response) or an actual message.
>
> 2. You can log on to OWA (Outlook Web Access) as the domain administrator and see mail messages that are being received and sent through this account.
>
> Chances are it is Exchange sending responses to Spam or bad addresses for your domain. If so, then turn off NDR's for your server.
>
> I found details on how to do all of this by searching this group, sorry I don't have links.....
>
> --
> Sean
>
>
> "Torrey Lauer" wrote:
>
>> Our ISP has been consistently blocking our e-mails by the time the afternoon comes around. I ran a report last night, and see that over 12,000 e-mails have been sent from the Administrator account in the past two weeks. Is there a way to figure out 1) How someone has gained access to the server and/or the Administrator e-mail account? 2) Is there a way to block the Administrator account from sending e-mails to anyone outside of the local network? 3) The server and workstations all have Trend Micro. If this is caused from a virus or a trojan, wouldn't Trend Micro have picked this up? This leads me to think that it's not a virus or a trojan, etc. So, then, I'm at a loss as to how someone could have gained access to the Administrator account. I have even changed the password two days ago, but we were blocked again from our ISP yesterday afternoon. So, I'm not sure that whoever is using our Administrator account is actually logging in to it.
>>
>> Ideas?
>>
>> Thanks.
>>
>> Torrey Lauer
>> Modern Travel Services
>>
>>
>>
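
The zen.spamhaus.org filtering named in the top reply works by DNS lookup: the connecting IP's octets are reversed and prefixed to the zone, and the A-record answer indicates which list matched. The sketch below is an added example, not part of the thread or of Exchange; the function names are hypothetical, the code table follows Spamhaus's published return codes, and the resolver is injectable so it can be exercised with constructed answers instead of live DNS.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer -> component list that matched.
LISTS = {2: "SBL", 3: "SBL-CSS", 9: "SBL-DROP",
         4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         10: "PBL", 11: "PBL"}


def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answers):
    """Turn A-record answers into a verdict.

    127.255.255.x answers are error codes (for example, a query sent
    through a public resolver). They are NOT listings; treating them as
    such would reject all inbound mail, so they are reported separately.
    """
    lists, errors = set(), []
    for answer in answers:
        octets = [int(part) for part in answer.split(".")]
        if octets[:3] == [127, 0, 0] and octets[3] in LISTS:
            lists.add(LISTS[octets[3]])
        else:
            errors.append(answer)  # error code or unexpected value
    return {"listed": bool(lists), "lists": sorted(lists), "errors": errors}


def _dns_lookup(name):
    """Default resolver. NXDOMAIN means 'not listed'; a failed lookup
    also raises gaierror here, so this resolver fails open."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip, resolver=_dns_lookup):
    """Look up one connecting IP; pass a fake resolver for offline use."""
    return interpret(resolver(query_name(ip)))
```

A filter that rejects on any answer at all, rather than only on 127.0.0.x listing codes, is the failure mode `interpret` guards against.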