Exchange Server Forums
Open relay... but not?
Open relay... but not? - 12.Apr.2008 8:19:34 AM
phild
Posts: 21
Joined: 27.Jun.2006
Status: offline
OK, I'm mega confused... a server I'm looking after all of a sudden started allowing people to send emails through it as of about a week ago. I can't figure out why. Exchange Best Practices confirms my settings are correct, and according to telnet I don't have an open relay. However, just looking at the logs I can see people using the SMTP connector! In fact at times I can see people in the "current sessions"!!! I thought I had it when I disabled "anonymous access" under the authentication tab, but obviously, while stopping my problem, it also stopped all incoming email (which I didn't know it would do!). Any other ideas?

To confirm: all Exchange default settings are in place, as confirmed by the Exchange Best Practices software. The source seems to be unauthenticated people, as far as I can tell, as users have still been sending emails out of the company with anonymous access disabled today, so theoretically the spammers would have too if they had authenticated. I'm desperate here as I'm out of ideas!

:: edit :: Just been looking over the logs again and it would appear that the emails are being "sent" from random accounts or distribution lists TO my users or other distribution lists. However, they don't go to my users or the distribution lists; they go outward bound! For example, this morning at 11:37 I have an entry in my logs stating (cut down a bit for ease of reading):

11:37:17 GMT (time)
83.153.29.200 (client IP)
dyn-83-153-29-200.ppp.tiscali.fr (client host)
distribution.list@mydomain.com (recipient - note it goes to a distribution list on my domain, but doesn't get there; it goes out to randoms in the world)
1024 (event ID)
944 (byte size)
1 (no. of recipients - note again, just one email, but I'm getting multiple bouncebacks per email!)
experience more pleasure (subject - no surprise there :/)
gfdgdsg@mydomain.com (sender)

Additionally, if I get a bounceback it goes to the user or distribution list, not the random garbled sender, i.e. gesgdsg@mydomain.com. Hopefully this helps in debugging.
< Message edited by phild -- 12.Apr.2008 8:46:37 AM >
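The log entry quoted in the post, treated as data. This is an added example, not code from the original thread or from Exchange: it parses entries in the field order the post quotes (time, client IP, client host, recipient, event ID, bytes, recipient count, subject, sender) and classifies each one. The point it makes is that a relay is only the case where an untrusted client hands the server mail for a recipient outside its own domains; an external client submitting mail with a forged sender in your own domain to one of your own users or lists is inbound delivery and involves no relaying at all, however much it looks like abuse in the session list. The sample lines are constructed (tab-separated so subjects with spaces survive), and `mydomain.com` plus the internal address ranges are assumptions.

```python
"""Classify Exchange SMTP protocol-log entries: inbound, outbound, relay, or
inbound mail carrying a forged sender in our own domain.

Added example. Field order follows the entry quoted in the post; the log text,
domain and internal networks below are constructed/assumed for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

OWN_DOMAINS = {"mydomain.com"}                        # assumption: domains this server is authoritative for
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]  # assumption: where our own (trusted) clients live

# Constructed sample log: first line mirrors the post's entry, the rest are made up.
SAMPLE_LOG = (
    "11:37:17 GMT\t83.153.29.200\tdyn-83-153-29-200.ppp.tiscali.fr\tdistribution.list@mydomain.com"
    "\t1024\t944\t1\texperience more pleasure\tgfdgdsg@mydomain.com\n"
    "11:40:02 GMT\t192.168.1.55\tworkstation55.mydomain.local\tcustomer@other.example"
    "\t1024\t2310\t1\tInvoice 4411\taccounts@mydomain.com\n"
    "11:41:09 GMT\t203.0.113.9\tnull.example\tvictim@other.example"
    "\t1024\t1002\t1\texperience more pleasure\tgfdgdsg@mydomain.com\n"
    "11:42:30 GMT\t198.51.100.7\tmx.partner.example\tdirector@mydomain.com"
    "\t1024\t5120\t1\tMeeting\talice@partner.example\n"
)


@dataclass
class Entry:
    time: str
    client_ip: str
    client_host: str
    recipient: str
    event_id: int
    size: int
    rcpt_count: int
    subject: str
    sender: str


def parse_line(line: str) -> Entry:
    """Split one tab-separated entry into its nine fields (order as in the post)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 9:
        raise ValueError(f"expected 9 tab-separated fields, got {len(fields)}: {line!r}")
    t, ip, host, rcpt, ev, size, n, subj, sender = fields
    return Entry(t, ip, host, rcpt, int(ev), int(size), int(n), subj, sender)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(e: Entry) -> str:
    """RELAY: untrusted client, recipient outside our domains (the only open-relay case).
    INBOUND-FORGED-SENDER: untrusted client, our recipient, sender claims our domain;
    this is what generates backscatter NDRs to our users but is not relaying."""
    from_inside = is_internal_ip(e.client_ip)
    rcpt_is_ours = domain_of(e.recipient) in OWN_DOMAINS
    sender_is_ours = domain_of(e.sender) in OWN_DOMAINS
    if from_inside:
        return "INBOUND-INTERNAL" if rcpt_is_ours else "OUTBOUND"
    if not rcpt_is_ours:
        return "RELAY"
    if sender_is_ours:
        return "INBOUND-FORGED-SENDER"
    return "INBOUND"


def summarize(log_text: str) -> dict:
    """Count entries per class; a non-zero RELAY count is the finding that matters."""
    counts = Counter(classify(parse_line(ln)) for ln in log_text.splitlines() if ln.strip())
    return dict(counts)


if __name__ == "__main__":
    for ln in SAMPLE_LOG.splitlines():
        e = parse_line(ln)
        print(f"{classify(e):22} {e.client_ip:15} {e.sender} -> {e.recipient}")
    print(summarize(SAMPLE_LOG))
```

Run against a real protocol log, the recipient field of an entry addressed to a distribution list is the list address itself, so members outside the domain do not show up here; whatever leaves for them afterwards is list expansion by the server, which appears in the log as separate outbound sessions, not as relaying by the original client.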
RE: Open relay... but not? - 14.Apr.2008 7:02:22 AM
Sembee
Posts: 3503
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
Authenticated relaying would be my first thought. Do you have that enabled? Do you have recipient filtering enabled as well? Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
RE: Open relay... but not? - 3.May2008 5:33:02 AM
phild
Posts: 21
Joined: 27.Jun.2006
Status: offline
OK, so it randomly stopped for a while when I blocked all emails being sent as a distribution list. However, it's now started again, going directly through the director's email now (so it's a big problem!!). Recipient filtering is enabled on the SMTP virtual server and authenticated relaying is disabled. There have to be some other options - again it comes up as closed for relaying but obviously isn't. I've never come across this before.
RE: Open relay... but not? - 3.May2008 12:00:43 PM
Sembee
Posts: 3503
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
Are you sure that messages are actually going through your server? If a spammer is abusing the server then you can usually tell as there are lots of messages in the queues - the list that the spammers use isn't that clean. Simon.
RE: Open relay... but not? - 4.May2008 1:25:05 PM
phild
Posts: 21
Joined: 27.Jun.2006
Status: offline
Well, that's the thing - at first I was certain, now not so much. However, these bouncebacks aren't your usual bouncebacks; they seem like someone has genuinely been sending as the company. What I have found interesting is that some of the emails that have been returned have a "returned because IP address has been blacklisted" and the IP addresses they give are random ones. My question here is why are they bouncing back to my client? Surely there isn't any way to spoof emails that legitimately!
RE: Open relay... but not? - 4.May2008 5:49:01 PM
Sembee
Posts: 3503
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
If you are seeing NDRs in the user mailboxes then it sounds like spoofing is going on. This is where email messages are sent out by spammers with the From and/or Reply-To address set as another address, which is your users'. The anti-spam software used on the recipients' side rejects the message back to the "sender", which is your user. The real problem, of course, is the clueless network admins who accept the email and then try to reject it as spam. All spam is spoofed, so that kind of behaviour is a waste of time, except for sending back false positives (which shouldn't happen, of course). There is little you can do. If you attempt to block the delivery of NDRs to the server then you will get blacklisted, as your server has to accept NDRs that are destined for it. Simon.
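A way to check which kind of NDR you are looking at, as an added example that is not part of the original thread or of any Exchange tooling. A bounce for a message that genuinely left your server carries, inside the returned original, the `Received:` line your own MTA stamped ("by <your host>"); backscatter from a spoofed message does not, because the message never touched your server. The script parses a DSN (`multipart/report`) with the Python standard library, extracts the returned original from its `message/rfc822` (or `text/rfc822-headers`) part and looks for such a line. The DSN text, the addresses and the host name `mail.mydomain.com` are constructed for the example. A remote MX's "from <your host>" line is deliberately not trusted: it only repeats whatever HELO name the sender claimed.

```python
"""Separate backscatter (an NDR for mail a spammer forged in our name) from a
genuine bounce of mail that really passed through this server.

Added example; the DSNs below are constructed and 'mail.mydomain.com' is an
assumed host name for the Exchange server.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OUR_MTA_HOSTS = {"mail.mydomain.com"}  # assumption: names our own server writes into "by ..." Received: lines


def build_dsn(received_lines):
    """Construct a multipart/report DSN whose returned original carries the
    given Received: lines (newest first, as on the wire). Sample data only."""
    lines = [
        "From: MAILER-DAEMON@other.example",
        "To: director@mydomain.com",
        "Subject: Delivery Status Notification (Failure)",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"',
        "",
        "--B1",
        "Content-Type: text/plain",
        "",
        "Delivery to the following recipient failed permanently.",
        "--B1",
        "Content-Type: message/delivery-status",
        "",
        "Reporting-MTA: dns; mx.other.example",
        "",
        "Final-Recipient: rfc822; victim@other.example",
        "Action: failed",
        "Status: 5.7.1",
        "Diagnostic-Code: smtp; 550 5.7.1 sending IP is listed on a blocklist",
        "--B1",
        "Content-Type: message/rfc822",
        "",
        *received_lines,
        "From: director@mydomain.com",
        "To: victim@other.example",
        "Subject: experience more pleasure",
        "Message-ID: <20080412113717.ABC@random.invalid>",
        "",
        "(body omitted)",
        "--B1--",
    ]
    return "\n".join(lines) + "\n"


# Spoofed: the only hop is spammer's dial-up host straight to the victim's MX.
BACKSCATTER = build_dsn([
    "Received: from dyn-83-153-29-200.ppp.tiscali.fr (83.153.29.200)\n"
    "\tby mx.other.example with SMTP; Sat, 12 Apr 2008 11:37:20 +0000",
])
# Genuine: our server stamped the message before handing it to the victim's MX.
GENUINE = build_dsn([
    "Received: from mail.mydomain.com (203.0.113.10)\n"
    "\tby mx.other.example with ESMTP; Sat, 12 Apr 2008 11:37:20 +0000",
    "Received: from workstation55.mydomain.local ([192.168.1.55])\n"
    "\tby mail.mydomain.com with Microsoft SMTPSVC; Sat, 12 Apr 2008 12:37:15 +0100",
])


def returned_original(dsn: EmailMessage):
    """Return the bounced original as a message object, or None if the DSN omits it."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content()  # nested EmailMessage
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def passed_through_us(orig: EmailMessage) -> bool:
    """True if any Received: line was stamped *by* one of our hosts.
    A forged header could still fake this, so cross-check the Message-ID
    against the message tracking log before trusting a positive result."""
    for received in orig.get_all("Received", []):
        text = " ".join(str(received).split())
        if any(re.search(rf"\bby\s+{re.escape(h)}\b", text, re.I) for h in OUR_MTA_HOSTS):
            return True
    return False


def classify_bounce(raw: str) -> str:
    dsn = email.message_from_string(raw, policy=policy.default)
    if dsn.get_content_type() != "multipart/report":
        return "not-a-dsn"
    orig = returned_original(dsn)
    if orig is None:
        return "dsn-without-original"
    return "genuine-bounce" if passed_through_us(orig) else "backscatter"


if __name__ == "__main__":
    print("constructed spoofed case :", classify_bounce(BACKSCATTER))
    print("constructed genuine case :", classify_bounce(GENUINE))
```

The rule that the server must keep accepting NDRs addressed to it stands; what this gives you is a way to sort them once they have arrived, for instance to route the backscatter class into the folder the users are already checking and leave genuine bounces in the inbox.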
RE: Open relay... but not? - 4.May2008 6:32:47 PM
phild
Posts: 21
Joined: 27.Jun.2006
Status: offline
Thanks, Simon, for your help in this. What I've done is have NDRs filtered to folders in the users' mailboxes; that way they can check for legit ones but it's not filling their inboxes. What a pain - I assumed servers were smarter than that and looked past things like reply-to email addresses etc.
RE: Open relay... but not? - 6.May2008 3:55:37 PM
Sembee
Posts: 3503
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
If SMTP was smart then spam wouldn't be a problem. SMTP belongs to another age, the time my grandmother remembers when you could leave your back door open and everyone knew their neighbours, and servers trusted each other. Unfortunately evil people abuse that trust to make money. Simon.