How to Fix Exchange Spam Queue from a Compromised Mailbox (Kapothi Ritual Guide)

🌄 Introduction

If you’ve ever woken up to find your Microsoft Exchange server queues overflowing with spam, you know the panic it brings. Outbound messages pile up, inboxes go silent, and your domain risks being blacklisted. This guide shares a real incident response: how we identified the compromised mailbox ([email protected]), reset its password, purged the Exchange queue with PowerShell, and traced the attacker’s IP using IIS logs.

By walking through these steps — containment, queue cleanup, IIS log filtering, inbox rule audit, and mailbox permission checks — you’ll learn how to stop spam at the source and harden your Exchange environment against future attacks.

⚡ Morning Containment Ritual

First, we identified the spammer in Exchange Toolbox → Queue Viewer, reset the password, and purged the queue.

# Reset the compromised account password (-Reset lets an admin set a new password without the old one; you are prompted for it)
Set-ADAccountPassword -Identity "[email protected]" -Reset

# (Optional) Disable the account temporarily to freeze access
Disable-ADAccount -Identity "[email protected]"

# Purge spam messages from the Exchange queues without sending NDRs back to the spoofed sender
Get-Queue | Get-Message |
    Where-Object { $_.FromAddress -eq "[email protected]" } |
    Remove-Message -WithNDR $false

🔎 IIS Log Filtering

We confirmed the login source by filtering IIS logs.

# Filter the IIS log for the account; the pipe at line end keeps the statement together in Windows PowerShell
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\u_ex260430.log" -Pattern "[email protected]" |
    Out-File C:\Temp\dc02_iis_filtered.log

🔎 IIS Log Sample Extraction

To create a smaller sample of the filtered IIS log for analysis:

# Extract the first 200 matching lines from the filtered IIS log
Select-String -Path "C:\Temp\dc02_iis_filtered.log" -Pattern "[email protected]" |
    Select-Object -First 200 |
    Out-File C:\Temp\dc02_sample.log
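Grepping the log shows the matching lines, but the question that matters for containment is which client IPs authenticated as the mailbox and how often. The following is an added example, not code from the original post: it parses the IIS W3C header to map columns by name, keeps only requests whose cs-username is the compromised account, and counts requests per c-ip. The account name, IP addresses and log lines are constructed placeholders.

```powershell
function Get-IisLogonSources {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [Parameter(Mandatory)] [string]   $UserName
    )
    $fields = $null
    $hits   = @{}

    foreach ($line in $LogLines) {
        # The "#Fields:" header defines column order; other "#" lines are comments.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # no header seen yet, so columns cannot be mapped

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # cs-username is the authenticated user; IIS logs "-" for anonymous requests.
        # Depending on the auth method it may appear as DOMAIN\user or user@domain.
        if ($row['cs-username'] -ne $UserName) { continue }

        $ip = $row['c-ip']
        if (-not $hits.ContainsKey($ip)) { $hits[$ip] = 0 }
        $hits[$ip]++
    }

    $hits.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ ClientIP = $_.Key; Requests = $_.Value } }
}

# Constructed sample lines in IIS W3C format (placeholder account and IPs, not real traffic).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-04-30 06:01:12 10.0.0.5 POST /EWS/Exchange.asmx user@example.com 203.0.113.7 Microsoft+Office/16.0 200
2026-04-30 06:01:13 10.0.0.5 POST /EWS/Exchange.asmx user@example.com 203.0.113.7 Microsoft+Office/16.0 200
2026-04-30 06:02:40 10.0.0.5 GET /owa/ - 198.51.100.9 Mozilla/5.0 401
2026-04-30 06:03:02 10.0.0.5 POST /EWS/Exchange.asmx user@example.com 192.0.2.44 Outlook/16.0 200
'@ -split "`r?`n"

Get-IisLogonSources -LogLines $sample -UserName 'user@example.com' | Format-Table -AutoSize
# Against the real raw log from the post (not the Select-String output, which prefixes each line with path and line number):
# Get-IisLogonSources -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex260430.log') -UserName '<account>'
```

Feed it the raw u_ex*.log rather than the Select-String output so the #Fields header is present; if the server sits behind a load balancer, c-ip is the balancer's address unless X-Forwarded-For logging is enabled.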

📜 Inbox Rule Audit

We found and removed a malicious rule named DELETE.

# List all inbox rules on the mailbox
Get-InboxRule -Mailbox "[email protected]"

# Inspect the specific rule (in our case the rule was named DELETE)
Get-InboxRule -Mailbox "[email protected]" -Identity "DELETE" | Format-List

# Remove the malicious rule
Remove-InboxRule -Mailbox "[email protected]" -Identity "DELETE"

🛡️ Mailbox Permission Audit

We confirmed no rogue delegates were added.

# Audit mailbox permissions; look for non-inherited entries granting FullAccess to unexpected users
Get-MailboxPermission -Identity "[email protected]"

📖 Lessons Learned

  • Attackers often use inbox rules to hide their tracks.
  • IIS logs reveal the true client IP.
  • Password resets and queue purges are the fastest containment.
  • MFA and conditional access are the long‑term shields.

🌌 Closing

This Kapothi scroll reminds us: even in the quiet shrine‑home observatory, vigilance is ritual. The inbox can be turned against us, but with methodical steps — Contain → Eradicate → Recover → Audit → Harden — balance is restored.
