Exchange Server Forums
Someone is relaying off this server but it is set up correctly to block relaying -???
Someone is relaying off this server but it is set up co... - 3.Sep.2003 1:54:00 AM
|
|
|
dlavely
Posts: 13
Joined: 3.Sep.2003
From: Akron, OH
Status: offline
|
Hi, all. This is really weird. My client has Exchange 2000. By default relaying is disabled. I have checked the settings 20 times and they are correct. But the message queues are full of relay messages! Is there some hack that can get past these settings? I have been through relaying problems before and fixed them, so I am confident my settings are correct. They do match up with the setup doc on this site, which are all default settings anyway.
This is getting serious because their ISP is shutting them down, and I can't figure out how to stop it! Any suggestions?
Thanks! Dan
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 5:39:00 AM
|
|
|
mfugatt
Posts: 479
Joined: 7.Apr.2002
From: Rochester, NY
Status: offline
|
Is the guest account enabled? Maybe one of the users' account information has been compromised? Are there any SMTP Connectors and how are they configured?
Are you sure that the messages in the queue are not just NDRs?
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 3:18:00 PM
|
|
|
dlavely
Posts: 13
Joined: 3.Sep.2003
From: Akron, OH
Status: offline
|
Thanks for the reply. The guest account is not enabled. I don't think the messages are NDRs. When I check the properties of a message in one of the queues they all have different addresses in the From and To fields. There are no SMTP connectors. This is a simple domain with 1 AD/Exchange server and 1 Citrix server, going through DSL to the Internet.
I'm stumped right now.
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 8:15:00 PM
|
|
|
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
Hello dlavely,
As Mark mentions, it could very well be an SMTP AUTH relay attack, which are quite common these days. They are also quite easy to fulfill, because the users, way too often, use weak passwords.
Take a look at the article below from Vamsoft to read more about these types of attacks:
http://www.vamsoft.com/orf/authattack.asp
Regards
[ September 04, 2003, 03:56 PM: Message edited by: Henrik Walther ]
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 8:56:00 PM
|
|
|
Guest
|
I will enable auditing to find out if one of our user's accounts is being used. Some of them do have weak passwords. Also, can you tell me where I disable the server's option to send NDRs? Thanks!
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 4.Sep.2003 4:13:00 PM
|
|
|
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
You can disable NDR's by doing the following in ESM:
- Expand Global Settings
- Left-click Internet Message Formats
- Right-click Default in right pane
- Click Advanced
- Disable Allow non-delivery reports
Regards
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 8.Sep.2003 1:49:00 AM
|
|
|
Guest
|
Mark and Henrik,
I disabled the "allow authenticated to relay" checkbox and told them to change everyone's password. The evil spammer has been defeated! I shouldn't gloat, though, because I don't know what actually solved the problem. My best guess is that the account that was compromised changed the password. I turned on security auditing but haven't gone through the logs yet.
Thanks to you both for your help! You are greatly appreciated out here!
Dan
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 10.Sep.2003 4:13:00 PM
|
|
|
Guest
|
I have the same problem but when I turn on the audit feature I do not see anything in the eventvwr. What gives?
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 10.Sep.2003 9:23:00 PM
|
|
|
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
Hello <jimp>,
Inform your users to change their password.
Regards
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 19.Nov.2003 10:06:00 PM
|
|
|
new435
Posts: 3
Joined: 19.Nov.2003
From: Hackensack, NJ
Status: offline
|
I have a similar issue....191 domains listed in the queues folder. When I enumerate the messages, most say they are from postmaster@xxxx.com where xxxx is my client's SMTP domain name, so it looks like it's just NDRs. But I have another problem....there are some legitimate usernames and domains....the most well known being verizon.net, where the Exchange server, within an hour of receiving the item from the user, sends a delay message...."delivery to the following recipients has been delayed". These items DO show up in the queues, and are known good email addresses. We've been able to send to these users thru a yahoo or aol mail account but the Exchange server won't.
|
|
|
|
RE: Someone is relaying off this server but it is set u... - 22.Nov.2003 3:56:00 AM
|
|
|
dariley
Posts: 13
Joined: 16.Jun.2002
From: Houston, TX
Status: offline
|
I've tried everything else and this was the only one that actually worked! Thanks!
According to ORDB, my server wasn't an open relay. But, it was trying to send thousands of NDR's to addresses that didn't exist. With NDR's turned off, the queues finally cleaned out.
Thanks Again! Dave
quote: Originally posted by Henrik Walther:
You can disable NDR's by doing the following in ESM:
- Expand Global Settings
- Left-click Internet Message Formats
- Right-click Default in right pane
- Click Advanced
- Disable Allow non-delivery reports
Regards
[ November 22, 2003, 03:58 AM: Message edited by: dariley ]
|
|
|
|
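The thread keeps returning to one triage question: are the queued messages NDRs generated by the server, or third-party mail being relayed through it? The following is an added example, not part of any post above, that sorts queue entries by their From and To addresses. The local domain `example.com`, the `(sender, recipient)` tuple layout and every address in the sample are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: the SMTP domain(s) this server is responsible for.
LOCAL_DOMAINS = {"example.com"}
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon"}

def split_addr(addr):
    """Return (local_part, domain), lower-cased; ('', '') for the null sender <>."""
    addr = addr.strip().strip("<>").lower()
    local_part, _, dom = addr.rpartition("@")
    return (local_part, dom) if local_part else ("", "")

def classify(sender, recipient, local=LOCAL_DOMAINS):
    """Label one queued message as inbound, ndr, outbound or relay."""
    s_local, s_dom = split_addr(sender)
    _, r_dom = split_addr(recipient)
    if r_dom in local:
        return "inbound"
    if not s_dom or (s_dom in local and s_local in BOUNCE_LOCALPARTS):
        return "ndr"        # bounce generated by this server
    if s_dom in local:
        # A forged local sender also lands here, so judge volume as well.
        return "outbound"
    return "relay"          # neither end is ours: third-party mail

def triage(queue, local=LOCAL_DOMAINS):
    """Count categories and the recipient domains the relayed mail targets."""
    counts, relay_targets = Counter(), Counter()
    for sender, recipient in queue:
        label = classify(sender, recipient, local)
        counts[label] += 1
        if label == "relay":
            relay_targets[split_addr(recipient)[1]] += 1
    return counts, relay_targets

# Constructed sample queue (sender, recipient); all addresses are made up.
SAMPLE_QUEUE = [
    ("postmaster@example.com", "x1@nonexistent-a.test"),
    ("<>", "bounce@nonexistent-b.test"),
    ("alice@example.com", "friend@partner.test"),
    ("promo@bulk-a.test", "victim1@other-a.test"),
    ("deals@bulk-b.test", "victim2@other-a.test"),
    ("someone@outside.test", "bob@example.com"),
]

if __name__ == "__main__":
    counts, targets = triage(SAMPLE_QUEUE)
    print(dict(counts), targets.most_common(3))
```

A queue dominated by `ndr` matches the backscatter case described in the last posts, while any `relay` entries match the first poster's observation of unrelated From and To addresses.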