Re: Administrator account hijacked?
- From: "Henrik" <hear01@xxxxxxxxxxx>
- Date: Thu, 28 Feb 2008 11:03:53 +0100
Thanks Les, I have not seen any discussions on the pros and cons regarding
NDRs, so I'm grateful if you could give me some reasons not to, and for that
matter, why I should disable NDRs. The reason for posting the instruction was
the previous posts where that was suggested. I have actually disabled NDRs
myself, so I would love to learn why I should or should not disable them.
Thanks
--
Henrik Arenblad, MCP SBS,
"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:16C8A602-2C50-4A6F-8459-8772AC3E4B88@xxxxxxxxxxxxxxxx
Don't disable NDR's, that is not the solution. Kill the spam. The steps,
using the built-in capabilities of Exchange 2003 SP2 and a third party such
as zen.spamhaus.org, (all no cost) have been posted in here many times,
and disabling NDR's isn't one of them ;-).
--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us
"Henrik" <hear01@xxxxxxxxxxx> wrote in message
news:uPRNI3ZeIHA.4056@xxxxxxxxxxxxxxxxxxxxxxx
Sean, here's an instruction (even though you might have found the
solution, if not ..) (I'm not the author, don't remember how or from where,
but it was public so I'm pasting a snipped copy).
Disabling NDR (non-delivery reports) on Exchange 2003
Non-delivery reports have a very legitimate purpose and are used to
notify senders of any errors that may have been encountered during
message delivery. Such reports can help the sender find out if the email
address no longer exists, if the remote mailbox is over quota or provide
information detailing why the message was not delivered.
Unfortunately, spammers have started abusing this system to get around
global white lists defined by mail server administrators. Most anti-spam
software does not attempt to filter non-delivery reports for spam
content. These two circumstances alone create a wonderful opportunity for
spammers to relay their spam without being tracked or blacklisted. They
spoof your email address and send the spam message to a non-existent
email address on the target mail server. The target mail server produces
an error and returns it to you along with the content of the spam
message.
Non-delivery reports should be kept in place for error reporting, but if
your email server becomes a target of a spammer, you should have the
option of disabling it. Thankfully, in Exchange 2003 this process is
simple:
Disable Non-delivery Reports:
Open your Exchange System Manager, usually by clicking Start > All
Programs > Microsoft Exchange > System Manager.
Expand your Organization, select the Global Settings folder and then
select the Internet Message Formats. Right-click on the Default Internet
Message Format and select Properties. Click on the Advanced tab and clear
the checkmark next to "Allow Non-delivery Reports".
Click on Apply to disable NDR's.
While temporarily disabling NDR's to combat spam is acceptable,
permanently removing them can disable crucial error reporting to
legitimate users and email senders will not know if the message has
reached you.
--
Henrik Arenblad, MCP SBS,
"Torrey Lauer" <torrey no spam moderntravel no spam net> wrote in message
news:uT1i3rZeIHA.4312@xxxxxxxxxxxxxxxxxxxxxxx
Hi Sean,
Thanks for all your help. I did a search and was able to find how to set up
recipient filtering. Since I activated recipient filtering, only one
e-mail has gone out as postmaster. So, it appears to be working.
Thanks again for your help. I appreciate it.
Torrey
"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8663F3B1-8FF7-4564-8554-FDDE31683977@xxxxxxxxxxxxxxxx
I get to it from the Start button, All Programs, Microsoft Exchange,
"System Manager", then it will be under Tools.
I guess I could have put that in before... Sorry
--
Sean
"Torrey Lauer" wrote:
Where do I find the Exchange System Management tools?
"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E349AAD1-9977-4256-8369-C2CC6558A5FD@xxxxxxxxxxxxxxxx
Torrey,
Having just headed this off, let me suggest a couple of things for you to
check:
1. Use the Exchange System Management tools and run the message tracking
center to see what messages are being sent/received by any accounts. You'll
only see the header info but it will help you determine if it's an NDR
(Non-Deliverable Response) or an actual message.
2. You can log on to OWA (Outlook Web Access) as the domain administrator
and see mail messages that are being received and sent through this account.
Chances are it is Exchange sending responses to spam or bad addresses for
your domain. If so, then turn off NDR's for your server.
I found details on how to do all of this by searching this group, sorry I
don't have links.....
--
Sean
"Torrey Lauer" wrote:
Our ISP has been consistently blocking our e-mails by the time the
afternoon comes around. I ran a report last night, and see that over 12,000
e-mails have been sent from the Administrator account in the past two
weeks. Is there a way to figure out 1) How someone has gained access to the
server and/or the Administrator e-mail account? 2) Is there a way to block
the Administrator account from sending e-mails to anyone outside of the
local network? 3) The server and workstations all have Trend Micro. If this
is caused by a virus or a trojan, wouldn't Trend Micro have picked this up?
This leads me to think that it's not a virus or a trojan, etc. So, then,
I'm at a loss as to how someone could have gained access to the
Administrator account. I even changed the password two days ago, but we
were blocked again by our ISP yesterday afternoon. So, I'm not sure that
whoever is using our Administrator account is actually logging in to it.
Ideas?
Thanks.
Torrey Lauer
Modern Travel Services
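
Added example, not part of the original thread or any poster's code: the check Sean describes (is the outbound volume NDRs or actual messages?) done over exported message text, by recognizing RFC 3464 delivery reports and tallying which recipient addresses bounced. It assumes the messages are available as RFC 822 text; the sample messages and the example.test addresses are constructed.

```python
import email
from collections import Counter

# Constructed sample: an RFC 3464 delivery report for a nonexistent mailbox.
SAMPLE_NDR = """\
From: postmaster@example.test
To: forged-sender@victim.example
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.test

Final-Recipient: rfc822; nosuchuser@example.test
Action: failed

--b1--
"""
# Constructed sample: an ordinary message written by a person.
SAMPLE_MAIL = "From: administrator@example.test\nTo: a@partner.example\nSubject: Hi\n\nHello.\n"

def failed_recipients(raw):
    """Return the failed recipients if raw is a delivery report, else None."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or (msg.get_param("report-type") or "").lower() != "delivery-status"):
        return None
    failed = []
    for part in msg.walk():  # walk() also visits each delivery-status field block
        if (part.get("Action") or "").strip().lower() == "failed":
            addr = part.get("Final-Recipient", "").split(";", 1)[-1]
            failed.append(addr.strip().lower())
    return failed

def summarize(messages):
    """Count NDRs versus ordinary mail and tally the addresses that bounced."""
    kinds, bounced = Counter(), Counter()
    for raw in messages:
        failed = failed_recipients(raw)
        kinds["ordinary" if failed is None else "ndr"] += 1
        bounced.update(failed or [])
    return kinds, bounced
```

A high share of "ndr" with bounced addresses that do not exist in the domain matches the pattern discussed in this thread, where recipient filtering stopped the postmaster mail.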