<domain>\Administrator logging on to several mailboxes. Concern?

Status
Not open for further replies.

sleepyd

IS-IT--Management
Jul 1, 2003
3
US
Hello. We have been getting a lot of SPAM and some spoofing going on in our network. I have been desperately trying to track this down. Doing some diagnostics logging on the Exchange 5.5 I came across SEVERAL of these entries in the event log (Event ID 1016):

"NT User <our domain>\Administrator logged on to <User> mailbox, and is not the primary Windows NT account on this mailbox."

Is it unusual to see so many of these? There are several entries in the event log of these for several of our users, some even occurring when no one is in the office (like 3am, etc). I'm just wondering if it is possible that someone is authenticating in our network as administrator. I am changing our password today, which I would consider strong. A couple of these mailboxes being accessed are no longer even being used, but we have to keep them active for a little while so all their email is being forwarded to the new person. So, is this normal? I understand that these events will be recorded when one user might access another user's calendar, etc, but the fact administrator is accessing several has me a little puzzled.

Thanks in advance for any feedback, I sincerely appreciate it.

-sleepyd
 
Do you have any anti virus software that runs on your server at set times? Who knows the admin password?

Check out Microsoft Knowledge Base Q173692 and Q252543

Steve
 
I see this all of the time. If they have permission but are not the primary NT then you will get one every time. Also look to see if the time matches when you do backups or anything else that touches all mailboxes. It sounds more like a program with legitimate access to your servers.
 
This sounds like the backup admin account. Are you using Veritas? Usually, an admin account has to be created for the backup program in order for the backup to be able to access the mailboxes.
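
One way to act on the replies' suggestion of matching the Event ID 1016 times against backup or antivirus schedules, as an added example that is not part of the original thread. The pipe-delimited export format, the EXAMPLE domain, the account and mailbox names, and the 02:00 to 04:00 window are constructed assumptions; only the message wording comes from the event quoted in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Message text of Event ID 1016 as quoted in the thread.
TEMPLATE = ("NT User {} logged on to {} mailbox, and is not the primary "
            "Windows NT account on this mailbox.")
MSG_RE = re.compile(
    r"NT User (?P<account>\S+) logged on to (?P<mailbox>.+?) mailbox, "
    r"and is not the primary Windows NT account on this mailbox\."
)

# Assumption: when scheduled jobs (backup, AV scan) touch every mailbox.
SCHEDULED_WINDOWS = [(time(2, 0), time(4, 0))]

# Constructed sample rows (timestamp, event id, account, mailbox); not real data.
ROWS = [
    ("2003-07-01 03:00:12", "1016", r"EXAMPLE\Administrator", "jdoe"),
    ("2003-07-01 03:00:15", "1016", r"EXAMPLE\Administrator", "Former Employee"),
    ("2003-07-01 09:12:40", "1016", r"EXAMPLE\asmith", "jdoe"),
    ("2003-07-01 14:37:05", "1016", r"EXAMPLE\Administrator", "jdoe"),
    ("2003-07-01 14:40:00", "1000", r"EXAMPLE\Administrator", "jdoe"),
]
# Assumed export layout: "timestamp|event id|message", one event per line.
SAMPLE = "\n".join("|".join([ts, eid, TEMPLATE.format(acct, mbx)])
                   for ts, eid, acct, mbx in ROWS)

def in_window(t, windows):
    """True if time-of-day t falls inside any (start, end) window."""
    return any(start <= t < end for start, end in windows)

def triage(export, windows=SCHEDULED_WINDOWS):
    """Split 1016 logons into those inside a scheduled window and the rest."""
    expected, unexplained = defaultdict(list), defaultdict(list)
    for line in export.strip().splitlines():
        stamp, event_id, message = line.split("|", 2)
        m = MSG_RE.search(message)
        if event_id != "1016" or not m:
            continue  # other events are out of scope for this check
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        bucket = expected if in_window(when.time(), windows) else unexplained
        bucket[m["account"]].append((when, m["mailbox"]))
    return dict(expected), dict(unexplained)

if __name__ == "__main__":
    _, unexplained = triage(SAMPLE)
    for account, hits in unexplained.items():
        for when, mailbox in hits:
            print(f"REVIEW {when} {account} -> {mailbox}")
```

Logons that fall outside every known job window, such as the constructed 14:37 Administrator access, are the ones to follow up by asking who holds that password and what was running at the time.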
 