Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Not an Open Relay But...

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2000] >> Server Security >> Not an Open Relay But...
Not an Open Relay But... - 24.Mar.2006 6:00:56 PM   
tcstrub2
Posts: 14
Joined: 19.Nov.2002
From: USA
Hello,

I have a client that is not set up as an open relay, however they are getting tons of emails in their outgoing queue. I believe it must be either a virus on a remote user's computer, or a password has been hacked. How do I find out what username is being used to send this mail?

I have to stop it, it is out of control, right now I just deleted 750 messages destined for the eyeou.com domain, all coming from various yahoo accounts, please HELP!!!

TIA

Tom Strubinger
http://soflanetworking.com
Post #: 1
RE: Not an Open Relay But... - 27.Mar.2006 4:38:33 PM   
Rookie6
Posts: 18
Joined: 11.May2005
From: SA
Hi,
I'm in a similar situation, not being an open relay but having a lot of messages in the queue. AFAIK, the messages are not sent and end up in the BadMail folder.

(@tcstrub2, I was able to catch at least a couple of offending IPs by going to Exch Administrator > protocols > smtp > current connections.
But you need to do it in real time)

The usernames being used were foreign or not really existent in the AD (i.e. shaw.net or localhost).

The system is running W2k with patches, Exch 2k with patches, and behind a router's firewall, no open ports other than the required ones.

I'd like to know if there is something I could do other than blocking IPs.

Thanks in advance.

(in reply to tcstrub2)
Post #: 2
RE: Not an Open Relay But... - 12.May2006 10:55:49 AM   
mdemon
Posts: 4
Joined: 17.Nov.2005
Same here.  W2k Svr/Exch2k.

In the SMTP queues are lots of connections marked "Remote delivery" to places like tips.love.myminsk.com...  Not caught anything in the current sessions either.

Using McAfee, clients WXP, a few 2k and 2 W98 (yuk).

Any idea how to track down the offending client?  Not a relay, although we use SMTP direct to the internet through the router. 

Any thoughts please?

(in reply to Rookie6)
Post #: 3
RE: Not an Open Relay But... - 15.May2006 3:10:12 PM   
Rookie6
Posts: 18
Joined: 11.May2005
From: SA
Hi mdemon,

I never got an answer about this, but this is what I could chime in with:

- You can detect the offending IPs in real-time as I stated above.
- You can also turn on smtp logging in the exch admin, that will give you a lot of details about the connections going on.
- I did find an account that _could_ have been compromised.

- The smtp log was very cluttered, so it was easier to monitor the server while there was no one working and client PCs were off. Since connections were still occurring, I concluded that the SPAM attempts were in fact coming from the internet, noted the most serious offenders and blocked them (the whole net range in some cases) at the router.
- After a couple of days the abuse wave seemed to fade out.

- Also, the abuse attempts were making the system crash, so I tuned the BadMail clean-up script to a very aggressive schedule. That seems to have made the system stand up much better to the situation.

Remember, this is not a "proven solution", but the measures I took that seemed to help with the issue.

Hope this helps, good luck.

(in reply to mdemon)
Post #: 4
RE: Not an Open Relay But... - 15.May2006 6:25:04 PM   
mdemon
Posts: 4
Joined: 17.Nov.2005
Thanks for that!

In my case, it turns out that it's spam NDRs - in other words, spammers are using bogus From fields so when Exchange tries to report the NDR to the Postmaster of spam domain, the connection isn't made and the queue ends up filling up with these.

The solution is to change the NDR settings - I put a link to the solution I found on another website on here somewhere...  A search will find it - I've only posted 3 times!

HTH 

(in reply to Rookie6)
Post #: 5
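The two diagnoses above (Rookie6's SMTP protocol logging to spot the source IPs, and mdemon's finding that the queue was full of bounces to bogus sender addresses) can be checked from the same log. The following is an added example, not code from any poster: it parses a constructed sample in the W3C extended format the Exchange 2000 SMTP virtual server writes when protocol logging is enabled, driven by the `#Fields` header rather than fixed columns, and tallies per client IP the null-sender `MAIL FROM:<>` commands (bounce traffic), rejected recipients and HELO names. It assumes that on inbound sessions `cs-username` holds the client's HELO/EHLO name, and the IPs and addresses are documentation values I made up.

```python
import re

# Constructed sample log (not from the thread) in the W3C extended format the
# Exchange 2000 SMTP virtual server writes with protocol logging on. The
# #Fields header drives the parser, so column order is never assumed. Assumed:
# on inbound sessions cs-username carries the client's HELO/EHLO name, which is
# why names like "shaw.net" or "localhost" appear there.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2006-05-15 03:12:01 203.0.113.5 localhost SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<> 250 0 44 10 0 SMTP - - - -
2006-05-15 03:12:02 203.0.113.5 localhost SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<nobody@example.com> 550 0 46 27 0 SMTP - - - -
2006-05-15 03:12:05 203.0.113.5 localhost SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<bob123@yahoo.com> 250 0 44 24 0 SMTP - - - -
2006-05-15 03:14:40 198.51.100.7 shaw.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<> 250 0 44 10 0 SMTP - - - -
2006-05-15 03:14:41 198.51.100.7 shaw.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<ghost@example.com> 550 0 46 26 0 SMTP - - - -
2006-05-15 09:01:10 192.168.1.22 pc22.example.local SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<alice@example.com> 250 0 44 27 0 SMTP - - - -
2006-05-15 09:01:10 192.168.1.22 pc22.example.local SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<partner@example.org> 250 0 46 27 0 SMTP - - - -
"""

ADDR = re.compile(r"<([^>]*)>")  # the address inside FROM:<...> / TO:<...>

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def summarize(records):
    """Per client IP: MAIL count, null-sender MAIL FROM:<>, 5xx RCPTs, HELO names."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["c-ip"], {"mail": 0, "null_sender": 0,
                                         "rcpt_rejected": 0, "helo": set()})
        s["helo"].add(r["cs-username"])
        if r["cs-method"] == "MAIL":
            s["mail"] += 1
            m = ADDR.search(r["cs-uri-query"])
            if m and m.group(1) == "":
                s["null_sender"] += 1   # bounce/NDR style traffic
        elif r["cs-method"] == "RCPT" and r["sc-status"].startswith("5"):
            s["rcpt_rejected"] += 1     # recipient the server refused
    return stats

def suspects(stats):
    """Client IPs sending null-sender mail or hitting rejected recipients."""
    return sorted(ip for ip, s in stats.items()
                  if s["null_sender"] or s["rcpt_rejected"])
```

Run it over a real protocol log file and the internal client 192.168.1.22 drops out while the two external sources remain, which is the split between "compromised internal machine" and "junk arriving from the internet" that the thread was trying to make.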
RE: Not an Open Relay But... - 17.May2006 1:27:35 AM   
Rookie6
Posts: 18
Joined: 11.May2005
From: SA
Hey, good tip you give in that other thread, thank you.

My case was like yours with NDRs filling the BadMail folder. Now, I just took a glance at the link you posted, so maybe I am missing something, but by disabling the NDRs you lose being alerted when some (potentially) important message fails, and that's a risk I can't afford.

Rejecting mails with an empty "From" field is great though, as I had lots of those when the problem was at its peak.

Thanks again.

(in reply to mdemon)
Post #: 6
