Exchange Server Forums
SMTP issue after SP2 installation, possibly related to IMF
SMTP issue after SP2 installation, possibly related to IMF - 7.Sep.2008 10:17:22 PM
|
|
|
simonchtan
Posts: 7
Joined: 3.Sep.2008
Status: offline
|
Hi,

Recently I noticed my Exchange SMTP connection has a lot of inbound connections that are not disconnected. These connections are usually associated with inbound. My setting to time out SMTP is 30 min = 1800 seconds.

I have been reading up on some articles and this is the one that seems the most likely cause:
http://support.microsoft.com/kb/918283/en-us
However, the problem still persists. I do have Sender ID turned on.

Would someone share their experience with me on this issue?

Some examples of the connection details:

User                            From             Connected Time
mx244.flowerpensdirect.com      74.211.99.96     217788 seconds
guidedwhitewatertrips.com       67.218.255.151   204641 seconds
habitmap.com                    66.252.196.165   200916 seconds
habitmap.com                    66.252.196.185   192738 seconds
mx48.guidedtoursbargain.com     208.87.93.87     191033 seconds
guidedtoursbargain.com          208.87.93.46     186058 seconds
lakelandactionworld.com         67.219.113.61    177848 seconds
lakecharlesathletics.com        67.218.255.139   176507 seconds
mx15.lakecharlesathletics.com   66.248.135.176   172433 seconds
lakecharlesathletics.com        67.218.255.145   171026 seconds
mx19.pencilshow.com             208.53.29.180    119245 seconds
pencilshow.com                  74.211.100.69    114806 seconds
pencilshow.com                  74.211.100.80    113359 seconds
pencilshow.com                  208.53.29.169    104189 seconds
mx45.whalewatchingecuador.com   74.211.100.81    46876 seconds
mx8.sportingbookworld.com       67.219.101.201   44303 seconds
whalewatchingecuador.com        208.53.29.189    42428 seconds
whalewatchingecuador.com        74.211.100.66    40774 seconds
sportingbookworld.com           67.219.112.139   39732 seconds
|
|
|
|
RE: SMTP issue after sp 2 installation possible relate ... - 8.Sep.2008 11:49:39 AM
|
|
|
Sembee
Posts: 3583
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
|
Are those valid recipients at your domain? Are you using recipient filtering? Do you have the tarpit enabled?

It could be a directory harvest attack. Spammers aren't very good when it comes to mass attacks; they will end connections in non-standard ways, which can upset Exchange/SMTP.

Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
|
|
|
|
RE: SMTP issue after sp 2 installation possible relate ... - 15.Sep.2008 11:38:41 PM
|
|
|
simonchtan
Posts: 7
Joined: 3.Sep.2008
Status: offline
|
Hi Simon,

Thanks for the tip. Here is what I have at the moment.

1. They are not valid senders, most likely spammers. Usually valid senders get disconnected after the email is delivered.
2. I have tried to turn on recipient filtering.
3. I have heard of Tarpit but have not installed it. Could you show me the article for this?

I believe your conclusions are correct. Please assist me on this matter. Thanks.
|
|
|
|
RE: SMTP issue after sp 2 installation possible relate ... - 16.Sep.2008 6:50:24 PM
|
|
|
Sembee
Posts: 3583
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
|
If you have recipient filtering on without the tarpit then you have exposed your server to a directory harvest attack. The signs you have posted are an indication of a directory harvest attack taking place. Setting the tarpit now is rather late. http://www.amset.info/exchange/filter-unknown.asp Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
|
|
|
|
RE: SMTP issue after sp 2 installation possible relate ... - 16.Sep.2008 10:11:56 PM
|
|
|
simonchtan
Posts: 7
Joined: 3.Sep.2008
Status: offline
|
Hi Simon,

Thanks for the help. Though it might be too late, this will slow down future attacks. It is very difficult for me to single-handedly monitor so many types of servers, hotfixes and updates, therefore it is great to have such a good community to aid people like myself.
|
|
|
|
RE: SMTP issue after sp 2 installation possible relate ... - 8.Oct.2008 10:49:58 PM
|
|
|
simonchtan
Posts: 7
Joined: 3.Sep.2008
Status: offline
|
Hi Simon,

Thanks for the help earlier. I would like to follow up on this topic once more. I have added the reg entry for the SMTP Tar Pit for Windows 2003. However, the problem still persists, and after reading this:
http://support.microsoft.com/kb/823866

Point 4: Exchange Server determines whether the Filter recipients who are not in the Directory check box is selected on the Recipient Filtering tab of the Message Delivery Properties dialog box. If this check box is selected, and if the recipient does not appear in the Active Directory directory service, Exchange Server returns the following error message to the sender:
550 5.1.1 User unknown
In this scenario, Exchange Server does not close the connection, and the sender can continue to try to deliver mail to other e-mail addresses.

In this last statement, does that mean Exchange will still open the connection for unlimited time even with the 5 seconds Tar Pit? Is there a way to force close such connections, like a time-out?
|
|
|
|
RE: SMTP issue after sp 2 installation possible relate ... - 11.Oct.2008 2:58:02 PM
|
|
|
Sembee
Posts: 3583
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
|
While a sender could try and send email on the same connection, it becomes pointless to do. Each time they try and send an email to a new address, the tarpit time takes effect. The point of tarpit is to stop directory harvest attacks, where a large number of addresses are tried in a very short time, and for that it is very effective.

If data continues to flow then the connection will be held open.

Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
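
An added example, not part of the original thread or of Exchange itself: a small detector for the directory harvest pattern discussed above, counting distinct recipients rejected with 550 5.1.1 per client IP inside a sliding time window. The log format, the addresses, the `detect_harvest` name and the default thresholds are all constructed for illustration and are not the IIS SMTP log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: "date time client-ip recipient reply-code status".
# Simplified on purpose; this is not the IIS SMTP log layout.
SAMPLE_LOG = """\
2008-10-08 22:40:00 203.0.113.7 admin@example.com 550 5.1.1
2008-10-08 22:40:01 203.0.113.7 info@example.com 550 5.1.1
2008-10-08 22:40:02 203.0.113.7 sales@example.com 550 5.1.1
2008-10-08 22:40:03 203.0.113.7 john@example.com 550 5.1.1
2008-10-08 22:40:04 203.0.113.7 mary@example.com 550 5.1.1
2008-10-08 22:40:05 203.0.113.7 test@example.com 550 5.1.1
2008-10-08 22:41:00 192.0.2.9 admin@example.com 550 5.1.1
2008-10-08 22:41:05 192.0.2.9 info@example.com 550 5.1.1
2008-10-08 22:41:10 192.0.2.9 sales@example.com 550 5.1.1
2008-10-08 22:41:15 192.0.2.9 john@example.com 550 5.1.1
2008-10-08 22:41:20 192.0.2.9 mary@example.com 550 5.1.1
2008-10-08 22:42:00 198.51.100.20 bob@example.com 250 2.1.5
2008-10-08 22:42:30 198.51.100.20 bbo@example.com 550 5.1.1
"""

LINE = re.compile(r"(\S+ \S+) (\S+) (\S+) (\d{3}) (\d\.\d\.\d)")

def detect_harvest(log_text, window_s=60, threshold=5):
    """Return {client_ip: peak count} for clients that hit `threshold` or more
    distinct unknown recipients (550 5.1.1) within `window_s` seconds.
    Assumes the log is in time order."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) of recent rejects
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m or (m.group(4), m.group(5)) != ("550", "5.1.1"):
            continue  # only "User unknown" rejections count as harvest probes
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, rcpt = m.group(2), m.group(3).lower()
        q = recent[ip]
        q.append((ts, rcpt))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop rejects that fell out of the window
        distinct = len({r for _, r in q})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(detect_harvest(SAMPLE_LOG))               # default 60 s window
    print(detect_harvest(SAMPLE_LOG, window_s=10))  # too short for tarpitted client
```

The constructed client 192.0.2.9 is spaced 5 seconds apart, as a 5-second tarpit would force, and a 10-second window misses it. Size the window to at least the threshold multiplied by the tarpit delay so that slowed-down probing is still counted.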
|
|
|
|