Exchange Server Forums


What is going on? Open Relay?

What is going on? Open Relay? - 21.Apr.2007 2:46:45 PM   
Max Power

 

I run a Windows 2003 Server running Exchange 2003 and I also run a BES server on a separate server.  Everything has been running great and still is except today I received about 5 emails telling me that a bunch of emails are undeliverable.  These messages were not sent from my users so I need to figure out where they are coming from and why.  I have done all the open relay tests and it appears to me that I am not an open relay.  Can anyone shed some light as to what is going on?  Below is a copy of one of the emails:





Your message did not reach some or all of the intended recipients.
Subject: Re:?????????????? ? ?????????? ?????????????? ????????
Sent: 4/21/2007 10:14 AM

The following recipient(s) could not be reached:
info@dobavit-1.truboreze.cv.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
anna@esc.odessa.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
yoghurt_man@mail.ru on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
stabin@online.com.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
ziack@torba.com on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
doctrilla@ukr.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
obbie@ukr.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
scorpion@unet.lg.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
nikolbj@vidikon.sumy.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
sales@zstu.edu.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
vant@carrier.kiev.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
faktor2@gomail.com.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
info@innovatsiya.ozsux.od.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
paliyopalij@isto.lviv.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
info@khmelevskiyviktor.openua.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
vip@pif.org.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
maribel@tm.odessa.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
cupa@torba.com on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
styil@torba.com on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
s_2004@ukr.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>


_____________________________

Windows 2003 Server - Exchange 2003
BES Server running on Windows 2003 Server
Post #: 1
RE: What is going on? Open Relay? - 22.Apr.2007 1:22:54 AM   
uemurad

 

Look at Message Tracking.  Use the search parameters of one of the failed recipient addresses and the date/time specified (a few minutes before and after).

There you will learn what Exchange thought the sending address was, and what your server attempted to do with the message.  It will also indicate if this was a single message or multiple messages going out.


_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to Max Power)
Post #: 2
RE: What is going on? Open Relay? - 22.Apr.2007 8:48:48 PM   
Max Power

 

I ended up getting about 15 of these total on Saturday and so far none on Sunday.

Unfortunately I didn't have message tracking enabled but it is now.  Thanks for the advice and I will post back here if it happens again.


_____________________________

Windows 2003 Server - Exchange 2003
BES Server running on Windows 2003 Server

(in reply to uemurad)
Post #: 3
RE: What is going on? Open Relay? - 23.Apr.2007 1:04:04 PM   
jchong

 

Looks like you are getting NDR backscatter. It's possible that someone is spoofing your email addresses to send spam as, and you are getting the NDR. Given that the NDRs are saying that they are being blocked by content, it's likely this is the case.

http://spamlinks.net/prevent-secure-backscatter.htm


James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

(in reply to Max Power)
Post #: 4
RE: What is going on? Open Relay? - 23.Apr.2007 2:10:44 PM   
Max Power

 

quote:

ORIGINAL: jchong

Looks like you are getting NDR backscatter. It's possible that someone is spoofing your email addresses to send spam as, and you are getting the NDR. Given that the NDRs are saying that they are being blocked by content, it's likely this is the case.

http://spamlinks.net/prevent-secure-backscatter.htm


James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com


Thanks, that's what I assumed it was too.  The only reason I suspected differently is that the messages appeared to be coming from my internal 'System Administrator'.  Is that possible with what you speak of?

(in reply to jchong)
Post #: 5
RE: What is going on? Open Relay? - 23.Apr.2007 2:35:45 PM   
jchong

 

Ahh, didn't know that; then it is possible that your system is sending these out. Enable SMTP logging as well. When this occurs, look through the logs, filter by the domain and see if you see the source IP. Usually if a client is infected, even if MAPI, it will be sending over SMTP and the IP will be logged.


James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

(in reply to Max Power)
Post #: 6
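
One way to do the log filtering suggested in post 6, as an added example that is not part of the original thread: it counts accepted RCPT commands per client IP for the recipient domains named in the NDRs. It assumes the SMTP log is in W3C extended format with a `#Fields:` header that includes `c-ip`, `cs-method`, `cs-uri-query` and `sc-status`; the function names, sample log lines and the 10.0.0.0/8 internal range are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (addresses and hosts are made up, not from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2007-04-21 16:00:58 10.0.0.57 ws57 10.0.0.10 MAIL +FROM:<a@corp.example> 250
2007-04-21 16:00:58 10.0.0.57 ws57 10.0.0.10 RCPT +TO:<info@bounce.example> 250
2007-04-21 16:00:59 10.0.0.57 ws57 10.0.0.10 RCPT +TO:<anna@other.example> 250
2007-04-21 16:01:03 192.0.2.44 mx.remote 10.0.0.10 RCPT +TO:<x@bounce.example> 550
2007-04-21 16:01:07 10.0.0.21 ws21 10.0.0.10 RCPT +TO:<bob@partner.example> 250
2007-04-21 16:01:09 198.51.100.9 host9 10.0.0.10 RCPT +TO:<z@bounce.example> 250
"""

RCPT_DOMAIN = re.compile(r"<[^<>@\s]*@([^<>\s]+)>")

def accepted_rcpt_by_client(log_text, ndr_domains):
    """Count accepted RCPT commands per client IP for the NDR recipient domains."""
    wanted = {d.lower() for d in ndr_domains}
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue  # directive, blank or malformed record
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # refused at RCPT, so the message was never queued
        m = RCPT_DOMAIN.search(rec.get("cs-uri-query", ""))
        if m and m.group(1).lower() in wanted and "c-ip" in rec:
            hits[rec["c-ip"]] += 1
    return hits

def classify(hits, internal_nets):
    """Label each submitting IP as internal (suspect client) or external (relay path)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return {ip: ("internal" if any(ipaddress.ip_address(ip) in n for n in nets)
                 else "external", count)
            for ip, count in hits.items()}

if __name__ == "__main__":
    found = accepted_rcpt_by_client(SAMPLE_LOG, ["bounce.example", "other.example"])
    for ip, (side, count) in classify(found, ["10.0.0.0/8"]).items():
        print(f"{ip:15} {side:8} accepted RCPT: {count}")
```

An internal address in the output points at a workstation to inspect; an external address with accepted recipients means the server took relay mail from it, so the relay restrictions and any authenticated sessions for that address are the next things to check.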
RE: What is going on? Open Relay? - 23.Apr.2007 2:49:15 PM   
Max Power

 

Thanks, I will do that.

(in reply to jchong)
Post #: 7
