SPAM Sent Through our Exchange 2013 Server Using Client Proxy ServerName Receive Connector

I have an Exchange 2013 server (single Exchange server environment) that recently had thousands of SPAM messages sent through it, causing a delay in delivery to some external recipients.

The message Sender was 'test@server.domain.local'

The Source for these messages was 'SERVER\Client Proxy SERVERNAME'

These were the only messages coming from this source.

I could not find an associated user account that had that specific e-mail address configured.

Note - the original e-mail policy included adding 'domain.local' to the user accounts as an alias, and the server was configured to be Authoritative for 'domain.local' addresses. I have since deleted the domain from the address policy and removed the accepted domain. The sender of the messages was not test@domain.local, however; it was test@SERVER.domain.local.

The Client Proxy receive connector is configured with the default scope (Port 465) and security.

Since our firewall doesn't allow communication coming in over 465, I'm assuming that this originated on port 25 and was then sent to the Client Proxy receive connector over port 465. 

How could these messages have gotten through? And should I have all users change their account passwords, assuming that this was a hack of a user account with weak credentials?

I'd appreciate any thoughts on this one.

April 16th, 2015 6:30pm

Do you have protocol logging enabled on the FrontEnd receive connectors?  It's likely that the message came in through one of these and passed to the backend connector.

https://technet.microsoft.com/en-us/library/aa996395

April 16th, 2015 8:43pm

Hi,

Is there any third-party program installed in your Exchange server? If that is the case, please disable the program to have a try.

Additionally, please run the following command to collect more information:

Get-TransportAgent

Get-AcceptedDomain

Get-DomainController | fl name, dnshostname, adsite

Get-ReceiveConnector -Server SERVERNAME | fl name, auth*, perm*, bind*, remote*, iden*, transport*, *port*, *fqdn*

In Exchange server, please check whether there are any error logs in Event Viewer.

Regards,

April 20th, 2015 2:27am

Ed, 

I checked all of the log files for the string 'test@servername.domain.local' and nothing came up. I also didn't see anything while browsing through the receive connector log files.

Other thoughts?

Jason

April 20th, 2015 6:24pm

We are using Symantec Mail Security for Microsoft Exchange, and the associated Transport Agents are at the bottom of the list of agents. 

The problem wasn't that messages were getting blocked due to a misconfiguration; it was due to the server getting compromised, and then having thousands of messages sent out from the e-mail 'test@servername.domain.local.'

After removing 'domain.local' from the Accepted Domains list, the SPAM messages seem to have ceased. And now I'm just dealing with the aftermath of getting the external mail servers to accept e-mail from this server.

The information that you are requesting me to provide (Domain controller, adsite, etc.) doesn't really apply to my problem. (Not to mention I really don't want to be putting that information on the web if I can avoid it.)

I am primarily trying to track down where the malicious messages came from, and how to prevent them in the future.

April 20th, 2015 6:30pm
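The two suggestions above (turn on protocol logging for the FrontEnd receive connectors, then look at what the connectors actually accepted) and the original question of where the messages came from can be worked through in one Exchange Management Shell procedure. This is an added example, not code posted by anyone in the thread; the server name is a placeholder, and the column layout of the receive protocol logs and the patterns used to spot an authenticated session are assumptions based on the documented log format.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$Server = "SERVERNAME"                 # assumption: placeholder for the Exchange server
$Sender = "test@server.domain.local"   # spoofed sender address reported in the thread

# 1. Message tracking: which client IP and which receive connector accepted the messages?
Get-MessageTrackingLog -Server $Server -Sender $Sender -ResultSize Unlimited |
    Where-Object { $_.EventId -eq "RECEIVE" } |
    Group-Object ClientIp, ConnectorId |
    Select-Object Count, Name | Sort-Object Count -Descending

# 2. Make sure the FrontEnd connectors (port 25 facing the firewall) log every SMTP verb,
#    so the next attempt is visible on the connector that first accepted it.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.TransportRole -eq "FrontendTransport" } |
    Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# 3. Receive protocol logs for the FrontEnd and backend (Hub) services live in different folders.
$LogPaths = @(
    (Get-FrontendTransportService $Server).ReceiveProtocolLogPath,
    (Get-TransportService $Server).ReceiveProtocolLogPath
)

# 4. The logs are CSV with '#'-prefixed header lines; these are the documented field names
#    (assumption: the '#Fields:' line of your logs matches this order).
$Fields = "date-time","connector-id","session-id","sequence-number",
          "local-endpoint","remote-endpoint","event","data","context"

$Rows = foreach ($Path in $LogPaths) {
    Get-ChildItem -Path $Path -Filter *.LOG -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } | ConvertFrom-Csv -Header $Fields
    }
}

# 5. Every SMTP session that issued MAIL FROM with the spoofed address, with the remote IP
#    and whether that session ever authenticated (assumption: an AUTH verb or a context
#    mentioning "authenticated" marks an authenticated session in verbose logs).
$Sessions = $Rows | Where-Object { $_.data -match [regex]::Escape($Sender) } |
    Select-Object -ExpandProperty 'session-id' -Unique

$Rows | Where-Object { $Sessions -contains $_.'session-id' } |
    Group-Object 'session-id' | ForEach-Object {
        [pscustomobject]@{
            Session       = $_.Name
            Connector     = $_.Group[0].'connector-id'
            RemoteIP      = ($_.Group[0].'remote-endpoint' -split ':')[0]
            Authenticated = [bool]($_.Group | Where-Object { $_.data -match '^AUTH' -or $_.context -match 'authenticated' })
        }
    } | Format-Table -AutoSize
```

An unauthenticated session from an external IP whose MAIL FROM used an address in an accepted domain points at open relay through the FrontEnd connector; an authenticated session points at a mailbox whose password should be reset.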
