Category Archives: Exchange 2019

How to Fix Exchange Spam Queue from a Compromised Mailbox (Kapothi Ritual Guide)

🌄 Introduction

If you’ve ever woken up to find your Microsoft Exchange server queues overflowing with spam, you know the panic it brings. Outbound messages pile up, inboxes go silent, and your domain risks being blacklisted. This guide shares a real incident response: how we identified the compromised mailbox ([email protected]), reset its password, purged the Exchange queue with PowerShell, and traced the attacker’s IP using IIS logs.

By walking through these steps — containment, queue cleanup, IIS log filtering, inbox rule audit, and mailbox permission checks — you’ll learn how to stop spam at the source and harden your Exchange environment against future attacks.

⚡ Morning Containment Ritual

First, we identified the spammer in Exchange Toolbox → Queue Viewer, reset the password, and purged the queue.

# Reset the compromised account password (-Reset prompts only for the new
# password; without it the cmdlet also asks for the old one, which you do not have)
Set-ADAccountPassword -Identity [email protected] -Reset

# (Optional) Disable the account temporarily to freeze access
Disable-ADAccount -Identity [email protected]

# Purge spam messages from the Exchange queue. Get-Message returns at most 1000
# messages by default, so ask for all of them or part of the flood stays queued.
Get-Queue | Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq "[email protected]" } |
    Remove-Message -WithNDR $false

🔎 IIS Log Filtering

We confirmed the login source by filtering IIS logs.

# Filter IIS logs for the account. -SimpleMatch treats the address as literal text
# (as a regex the dot would match any character); -ExpandProperty Line writes the
# raw log lines instead of "path:line:text" match objects.
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\u_ex260430.log" `
    -Pattern "[email protected]" -SimpleMatch |
    Select-Object -ExpandProperty Line |
    Out-File C:\Temp\dc02_iis_filtered.log

🔎 IIS Log Sample Extraction

To create a smaller sample of the filtered IIS log for analysis:

# Extract the first 200 matching lines from the filtered IIS log
Select-String -Path "C:\Temp\dc02_iis_filtered.log" `
    -Pattern "[email protected]" -SimpleMatch |
    Select-Object -First 200 -ExpandProperty Line |
    Out-File C:\Temp\dc02_sample.log
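The commands above find the log lines that mention the account; the next step is to see which client IPs made those requests. This is an added example, not code from the original post: it parses the IIS W3C log using its own "#Fields:" header, keeps the lines that contain the account text, and summarises them per client IP with first/last seen times and user agents. The sample log, the jdoe account and the IPs are constructed; point -LogPath at C:\Temp\dc02_iis_filtered.log for real data.

```powershell
# Added example (not from the original post): per-client-IP summary of an IIS W3C log.
function Get-IisClientSummary {
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$Account   # account text as it appears in the log
    )
    $fields = $null
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($line in Get-Content -Path $LogPath) {
        if ($line.StartsWith('#Fields:')) {          # header line names the columns
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        # Literal, case-insensitive match anywhere in the line (cs-username or a User= query)
        if ($line.IndexOf($Account, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        $cols = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }
        $hits.Add([pscustomobject]@{
            Time      = [datetime]"$($row['date']) $($row['time'])"
            ClientIp  = $row['c-ip']
            UserAgent = $row['cs(User-Agent)']
        })
    }
    # One row per client IP, busiest first: an IP or user agent you do not recognise is the lead
    $hits | Group-Object ClientIp | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            ClientIp   = $_.Name
            Requests   = $_.Count
            FirstSeen  = $times[0]
            LastSeen   = $times[-1]
            UserAgents = (@($_.Group.UserAgent | Sort-Object -Unique) -join '; ')
        }
    } | Sort-Object Requests -Descending
}
# Constructed sample log: two OWA requests from one IP, three scripted requests from another
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-30 06:01:12 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&Cmd=Sync 443 EXAMPLE\jdoe 203.0.113.45 Outlook-iOS/2.0 200
2026-04-30 06:02:40 10.0.0.5 POST /EWS/Exchange.asmx - 443 EXAMPLE\jdoe 203.0.113.45 python-requests/2.31 200
2026-04-30 06:02:41 10.0.0.5 POST /EWS/Exchange.asmx - 443 EXAMPLE\jdoe 203.0.113.45 python-requests/2.31 200
2026-04-30 07:15:03 10.0.0.5 GET /owa/ - 443 EXAMPLE\jdoe 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2026-04-30 07:15:05 10.0.0.5 GET /owa/ - 443 EXAMPLE\jdoe 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
'@
$path = Join-Path $env:TEMP 'iis_sample.log'
Set-Content -Path $path -Value $sample
Get-IisClientSummary -LogPath $path -Account 'jdoe' | Format-Table -AutoSize
```

Running it on the sample lists 203.0.113.45 first (three requests, python-requests user agent) and 192.0.2.10 second.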

📜 Inbox Rule Audit

We found and removed a malicious rule named DELETE.

# Inspect inbox rules
Get-InboxRule -Mailbox "[email protected]"

# Inspect a specific rule (the malicious one in this incident was named DELETE)
Get-InboxRule -Mailbox "[email protected]" -Identity "RuleName" | Format-List

# Remove the malicious rule
Remove-InboxRule -Mailbox "[email protected]" -Identity "RuleName"
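A single mailbox was checked by hand above; the same attacker pattern can be swept across every mailbox. This is an added example, not code from the original post, and it assumes an Exchange Management Shell session: it flags inbox rules that delete, forward or redirect mail, move it to an out-of-the-way folder, or mark it read, and reports why each one was flagged so the Identity can be passed to Remove-InboxRule after review.

```powershell
# Added example (not from the original post): sweep mailboxes for attacker-style inbox rules.
function Find-SuspiciousInboxRule {
    param([string[]]$Mailbox)   # identities to check; omit to sweep every mailbox

    if (-not $Mailbox) {
        $Mailbox = Get-Mailbox -ResultSize Unlimited | ForEach-Object { $_.PrimarySmtpAddress.ToString() }
    }
    foreach ($mbx in $Mailbox) {
        # SilentlyContinue skips mailboxes that have never been opened and have no rule store yet
        foreach ($rule in (Get-InboxRule -Mailbox $mbx -ErrorAction SilentlyContinue)) {
            $reasons = @()
            if ($rule.DeleteMessage)                               { $reasons += 'deletes mail' }
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo)   { $reasons += 'forwards mail' }
            if ($rule.RedirectTo)                                  { $reasons += 'redirects mail' }
            if ($rule.MarkAsRead)                                  { $reasons += 'marks as read' }
            # Folders attackers pick because the user rarely looks there
            if ($rule.MoveToFolder -match 'RSS|Junk|Deleted|Archive|Conversation') {
                $reasons += "moves to $($rule.MoveToFolder)"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox  = $mbx
                    Rule     = $rule.Name
                    Enabled  = $rule.Enabled
                    Identity = $rule.Identity
                    Reasons  = $reasons -join ', '
                }
            }
        }
    }
}

# Review the hits first; a legitimate "move newsletters to Archive" rule will also appear.
Find-SuspiciousInboxRule | Format-Table -AutoSize
```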

🛡️ Mailbox Permission Audit

We confirmed no rogue delegates were added.

# Audit mailbox permissions. Drop the owner's own SELF entry and the inherited
# defaults so only explicitly granted delegates remain. Send As rights live in AD
# and are not listed here; check them separately with Get-ADPermission.
Get-MailboxPermission -Identity "[email protected]" |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" }

📖 Lessons Learned

  • Attackers often use inbox rules to hide their tracks.
  • IIS logs reveal the true client IP.
  • Password resets and queue purges are the fastest containment.
  • MFA and conditional access are the long‑term shields.

🌌 Closing

This Kapothi scroll reminds us: even in the quiet shrine‑home observatory, vigilance is ritual. The inbox can be turned against us, but with methodical steps — Contain → Eradicate → Recover → Audit → Harden — balance is restored.

📨 How to Set Out of Office Replies in Exchange Server (2013/2016/2019)

When a colleague is away, it’s important to let senders know automatically. Microsoft Exchange provides a simple way to configure Out of Office (Automatic Replies) either by the user themselves or by an administrator. Here’s the complete guide.

1. User Method (Outlook / OWA)

  • Outlook (desktop app)
    Go to File → Automatic Replies (Out of Office). Select Send automatic replies. Add your message for Inside My Organization and Outside My Organization. Optionally set start and end dates.
  • Outlook Web App (OWA)
    Log in to OWA. Navigate to Options → Organize Email → Automatic Replies. Enable automatic replies and configure your message.

2. Admin Method (Exchange Management Shell)

If the user cannot log in, administrators can set Out of Office replies on their behalf using PowerShell:

Set-MailboxAutoReplyConfiguration -Identity "[email protected]" -AutoReplyState Scheduled -StartTime "MM/DD/YYYY HH:MMAM" -EndTime "MM/DD/YYYY HH:MMPM" -InternalMessage "Internal auto-reply message here." -ExternalMessage "External auto-reply message here."

Key Parameters

  • Identity → the user’s mailbox (email address or alias).
  • AutoReplyState → Enabled, Disabled, or Scheduled.
  • StartTime / EndTime → define when replies begin and stop.
  • InternalMessage → message for colleagues.
  • ExternalMessage → message for outside senders.

3. Verification Ritual

After setting the configuration, always verify:

Get-MailboxAutoReplyConfiguration -Identity "[email protected]"

  • AutoReplyState is set to Scheduled.
  • StartTime and EndTime match the intended period.
  • InternalMessage and ExternalMessage are correct.
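The set-then-verify steps above can be done in one go. This is an added example, not code from the original post, and it assumes an Exchange Management Shell session: the function refuses an end time that is not after the start time, applies the scheduled reply, reads the configuration back and returns each check from the verification list as true or false. The message bodies are compared as contained text because Exchange returns them wrapped in HTML.

```powershell
# Added example (not from the original post): set a scheduled auto-reply and verify it.
function Set-ScheduledAutoReply {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [Parameter(Mandatory)][string]$InternalMessage,
        [Parameter(Mandatory)][string]$ExternalMessage
    )
    if ($End -le $Start) { throw "EndTime ($End) must be later than StartTime ($Start)" }

    Set-MailboxAutoReplyConfiguration -Identity $Identity -AutoReplyState Scheduled `
        -StartTime $Start -EndTime $End `
        -InternalMessage $InternalMessage -ExternalMessage $ExternalMessage

    # Read back and report each of the checks from the verification list
    $cfg = Get-MailboxAutoReplyConfiguration -Identity $Identity
    [pscustomobject]@{
        Identity        = $Identity
        StateScheduled  = ($cfg.AutoReplyState -eq 'Scheduled')
        StartMatches    = ($cfg.StartTime -eq $Start)
        EndMatches      = ($cfg.EndTime -eq $End)
        InternalMatches = ($cfg.InternalMessage.IndexOf($InternalMessage) -ge 0)
        ExternalMatches = ($cfg.ExternalMessage.IndexOf($ExternalMessage) -ge 0)
    }
}

# Placeholder identity and dates; any false value in the output means the shrine scroll did not take.
Set-ScheduledAutoReply -Identity '<user mailbox>' `
    -Start (Get-Date '2026-05-04 08:00') -End (Get-Date '2026-05-08 17:00') `
    -InternalMessage 'I am out of the office this week; contact the service desk for urgent issues.' `
    -ExternalMessage 'I am currently away and will reply when I return.'
```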

4. Testing

  • Send a test email from an internal account → confirm the internal reply.
  • Send a test email from an external account → confirm the external reply.
  • After the EndTime, send another test → confirm no auto-reply is sent.

🛡️ Comfort Insight

Think of this process as carving a temporary scroll into the Exchange shrine: the scroll activates at the start time, delivers the message faithfully to all senders, and at the end time, the scroll rolls up automatically, leaving the mailbox back to normal.

✨ With these steps, your organization can ensure smooth communication even when team members are away.