I have an Exchange 2013 server (single Exchange server environment) that recently had thousands of SPAM messages sent through it, causing a delay in delivery to some external recipients.
The message Sender was 'test@server.domain.local'
The Source for these messages were from 'SERVER\Client Proxy SERVERNAME'
These were the only messages coming from this source.
I could not find an associated user account that had that specific e-mail address configured.
Note - the original e-mail policy included adding 'domain.local' to the user accounts as an alias, and the server was configured to be Authoritative for 'domain.local' addresses. I have since deleted the domain from the address policy and removed the accepted domain. The sender from the messages were not test@domain.local, however, they were test@SERVER.domain.local.
The Client Proxy receive connector is configured with the default scope (Port 465) and security.
Since our firewall doesn't allow communication coming in over 465, I'm assuming that this originated on port 25 and was then sent to the Client Proxy receive connector over port 465.
How could these messages have gotten through? And should I have all users change their account passwords, assuming that this was a hack of a user account with weak credentials?
I'd appreciate any thoughts on this one.