
Exchange Server Forums


My IP address get blocked everyday

My IP address get blocked everyday - 15.Sep.2010 6:11:23 AM   
newgen

 

Hi,

I am facing a serious issue: since I implemented Exchange 2003 on my domain, I get blacklisted directly the next day after implementation. I have closed the open relay, blocked port 25 on most network PCs, installed AV and anti-spam from Kaspersky, and enabled the recipient filter, Intelligent Message Filter, and sender filter. There is nothing in my queue. The event log shows that hundreds of spammers are trying to send email through my server, but since the open relay is closed they are unable to.

Here is an example:
This is an SMTP protocol log for virtual server ID 1, connection #388. The client at "66.204.17.50" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for bob@macsoft.com ". The full command sent was "rcpt TO: <bob@macsoft.com>". This will probably cause the connection to fail.


I have enabled logging on my SMTP virtual server, and I have seen very many attacks on it, like:

92.80.169.145, [92.80.169.145], 9/14/2010, 2:10:47, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 20, 318, 250, 0, EHLO, -, [92.80.169.145],
92.80.169.145, [92.80.169.145], 9/14/2010, 2:10:47, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 60, 53, 250, 0, MAIL, -, FROM:<Dee@ceedhjcehg.qwerty777.com>,
92.80.169.145, [92.80.169.145], 9/14/2010, 2:10:47, SMTPSVC1, DFI-MAIL, 192.168.0.1, 281, 30, 0, 550, 0, RCPT, -, TO:<smail@dfi-jordan.com>,
92.80.169.145, [92.80.169.145], 9/14/2010, 2:10:47, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 4, 0, 503, 0, DATA, -, -,
92.80.169.145, [92.80.169.145], 9/14/2010, 2:10:47, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 4, 74, 240, 1000, QUIT, -, [92.80.169.145],

Also, I found many attacks from my own static IP address, like:

212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:25, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 318, 250, 0, EHLO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:25, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 318, 240, 16, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:25, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:25, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 28, 41, 250, 0, MAIL, -, FROM:<ann_hvoz@msn.com>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:25, SMTPSVC1, DFI-MAIL, 192.168.0.1, 250, 30, 0, 550, 0, RCPT, -, TO:<nickowei@hotmail.com>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:25, SMTPSVC1, DFI-MAIL, 192.168.0.1, 266, 30, 52, 240, 281, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 0, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 0, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 15, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 0, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 0, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 16, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:27, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 0, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 15, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 0, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@iotnextoldin.net>,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 39, 25, 240, 47, QUIT, -, mail.dfi-jordan.com,
212.118.15.82, mail.dfi-jordan.com, 9/14/2010, 8:37:28, SMTPSVC1, DFI-MAIL, 192.168.0.1, 0, 24, 53, 250, 0, HELO, -, mail.dfi-jordan.com,

From Event Viewer:
This is an SMTP protocol log for virtual server ID 1, connection #312. The client at "212.118.15.82" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for nickowei@hotmail.com ". The full command sent was "rcpt TO:<nickowei@hotmail.com>". This will probably cause the connection to fail.


Now I am stuck and I don't know how to solve this weird issue; I have never faced an issue like this before. Any advice will be more than appreciated.
Post #: 1
RE: My IP address get blocked everyday - 8.Oct.2010 9:29:06 AM   
uemurad

 

Newgen,

Let me ask you some questions:
Do you understand what it means to relay?
Do you understand what a smarthost is?
Do you understand your SMTP routing configuration?
How many Exchange servers are in your Organization?

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to newgen)
Post #: 2
RE: My IP address get blocked everyday - 12.Oct.2010 1:17:37 PM   
newgen

 

uemurad,

Thanks for your reply.

Yes, I do know the meaning of all of those terms.

I have figured out what my problem was: I discovered that one of the employees brings his laptop with him every day and connects it to the network without informing anyone. Since I blocked him from accessing the internet, my problem has disappeared. It seems that he has a worm on his PC.

(in reply to uemurad)
Post #: 3
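
The pattern this thread ends on (SMTP sessions arriving from the site's own address, using outside sender domains and being refused relay) can be pulled out of the SMTP virtual server log automatically. The following is an added example, not code from any poster in the thread; field positions are read off the log lines quoted in the first post, and the sample log, the addresses, `example.org` and all function names are assumptions made for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample in the comma-separated layout of the log lines in the post.
# Documentation addresses only; 198.51.100.7 stands in for the site's own
# public address and example.org for its mail domain (both assumptions).
SAMPLE_LOG = """\
203.0.113.9, [203.0.113.9], 9/14/2010, 2:10:47, SMTPSVC1, MAIL01, 192.168.0.1, 0, 60, 53, 250, 0, MAIL, -, FROM:<dee@example.net>,
203.0.113.9, [203.0.113.9], 9/14/2010, 2:10:47, SMTPSVC1, MAIL01, 192.168.0.1, 281, 30, 0, 550, 0, RCPT, -, TO:<nobody@example.org>,
198.51.100.7, mail.example.org, 9/14/2010, 8:37:25, SMTPSVC1, MAIL01, 192.168.0.1, 0, 28, 41, 250, 0, MAIL, -, FROM:<ann@example.net>,
198.51.100.7, mail.example.org, 9/14/2010, 8:37:25, SMTPSVC1, MAIL01, 192.168.0.1, 250, 30, 0, 550, 0, RCPT, -, TO:<bob@example.com>,
198.51.100.7, mail.example.org, 9/14/2010, 8:37:27, SMTPSVC1, MAIL01, 192.168.0.1, 0, 39, 25, 554, 0, MAIL, -, FROM:<postmaster@example.net>,
192.168.0.25, pc25, 9/14/2010, 9:01:02, SMTPSVC1, MAIL01, 192.168.0.1, 0, 28, 41, 250, 0, MAIL, -, FROM:<user@example.org>,
192.168.0.25, pc25, 9/14/2010, 9:01:02, SMTPSVC1, MAIL01, 192.168.0.1, 0, 30, 0, 250, 0, RCPT, -, TO:<peer@example.org>,
"""
OWN_NETS = ("198.51.100.7/32", "192.168.0.0/16")   # hypothetical site ranges
LOCAL_DOMAINS = ("example.org",)                    # hypothetical local domain

def parse(log_text):
    """Yield (client_ip, smtp_status, command, parameter) for each usable line."""
    for row in csv.reader(log_text.splitlines(), skipinitialspace=True):
        if len(row) < 15:
            continue                                 # blank or truncated line
        try:
            yield ipaddress.ip_address(row[0]), int(row[10]), row[12].upper(), row[14]
        except ValueError:
            continue                                 # header or malformed fields

def domain_of(parameter):
    """'FROM:<a@b.c>' -> 'b.c'; empty string for a null or missing address."""
    addr = parameter.partition(":")[2].strip("<> ")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def suspect_own_hosts(log_text, own_nets=OWN_NETS, local_domains=LOCAL_DOMAINS):
    """Per own-network client: rejected RCPTs to foreign domains and MAIL FROMs
    using foreign sender domains, the pattern an infected internal PC leaves."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    hits = defaultdict(lambda: {"relay_denied": 0, "foreign_from": 0})
    for ip, status, cmd, param in parse(log_text):
        dom = domain_of(param)
        if not dom or dom in local_domains or not any(ip in n for n in nets):
            continue
        if cmd == "RCPT" and status == 550:
            hits[str(ip)]["relay_denied"] += 1
        elif cmd == "MAIL":
            hits[str(ip)]["foreign_from"] += 1
    return dict(hits)

if __name__ == "__main__":
    print(suspect_own_hosts(SAMPLE_LOG))
```

A 550 on a recipient in a local domain is left out on purpose, since with recipient filtering enabled it means an unknown mailbox rather than a relay attempt.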
