Not an Open Relay But... (Full Version)

All Forums >> [Microsoft Exchange 2000] >> Server Security



Message

tcstrub2 -> Not an Open Relay But... (24.Mar.2006 6:00:56 PM)

Hello,

I have a client that is not setup as an open relay, however they are getting tons of emails in their outgoing que.  I believe it must be either a virus on a remote users computer, or a password has been hacked.  How do I find out, what username is being used to send this mail? 

I have to stop it, it is out of control, right now I just deleted 750 messages destined for the eyeou.com domain, all coming from various yahoo accounts, please HELP!!!

TIA

Tom Strubinger
http://soflanetworking.com



Rookie6 -> RE: Not an Open Relay But... (27.Mar.2006 4:38:33 PM)

Hi,
Iīm in a similar situation, not being an open relay but having a lot of messages in the queue. AFAIK, the messages are not sent and end up in the BadMail folder.

(@tcstrub2, I was able to catch at least a couple of offending IPs by going to Exch Administrator > protocols > smtp > current connections.
But you need to do it in real time)

The usernames being used were foreing or not really existant in the AD (i.e. shaw.net or localhost).

The sistem is running W2k with patches, Exch 2k with patches, and behind a routerīs firewall, no open ports other than the required ones.

Iīd like to know if there is something I could do other that blocking IPs.

Thanks in advance.



mdemon -> RE: Not an Open Relay But... (12.May2006 10:55:49 AM)

Same here.  W2k Svr/Exch2k.

In the SMTP queues are lots of connections marked "Remote delivery" to places like tips.love.myminsk.com...  Not caught anything in the current sessions either.

Using McAffee, clients WXP, a few 2k and 2 W98 (yuk). 

Any idea how to track down the offending client?  Not a relay, although we use SMTP direct to the internet through the router. 

Any thoughts please?



Rookie6 -> RE: Not an Open Relay But... (15.May2006 3:10:12 PM)

Hi mdemon,

I never got an answer about this, but this is what I could chime in

- You can detect th offending IPs in real-time as I stated above.
- You can also turn on smtp logging in the exch admin, that will give you a lot of details about the connections going on.
- I did found an account that _could_ have been compromised.

- The smtp log was very cluttered, so it was easier to monitor the server while there was noone working and client PCs were off, since connections where still occurring I concluded that the SPAM attempts where in fact coming from the internet, noted the most serious offenders and blocked them (the whole net range in some cases) at the router.
- After a couple of days the abuse wave seemed to fade out.

- Also, the abuse attempts were making the system crash, so I tuned the BadMail clean-up script to a very aggresive schedule. That seems to have made the system stand much better to the situation.

remember, this is not a "proven solution", but the meassures I took that seemed to help with the issue.

Hope this helps, good louck.



mdemon -> RE: Not an Open Relay But... (15.May2006 6:25:04 PM)

Thanks for that!

In my case, it turns out that it's spam NDRs - in other words, spammers are using bogus From fields so when Exchange tries to report the NDR to the Postmaster of spam domain, the connection isn't made and the queue ends up filling up with these.

The solution is to change the NDR settings - I put a link to the solution I found on another website on here somewhere...  A search will find it - I've only posted 3 times!

HTH 



Rookie6 -> RE: Not an Open Relay But... (17.May2006 1:27:35 AM)

Hey, good tip you give in that other thread, thank you.

My case was like yours with NDRs filling the BadMail folder. Now, I just took a glance at the link you posted, so maybe I am missing something, but by disabling the NDRs you loose being alerted when some (potentially) important message fails, and that's a risk I can't afford.

Rejecting mails with an empty "From" fild is great though, as I had lots of those when theproblem was at it's peak.

Thanks again.



Page: [1]