Tons of 550s (unable to relay) and 553 (possible forgery) (Full Version)

All Forums >> [Microsoft Exchange 2003] >> Message Routing





Netmon1 -> Tons of 550s (unable to relay) and 553 (possible forgery) (24.Oct.2006 12:49:59 PM)

It seems like just recently all of these 550 and 553 error messages are coming in all of the time. Are these messages saying some external user is trying to relay and is being successful but the other server won't accept, or that they are trying to relay through us and we are shutting them down?

This is an SMTP protocol error log for virtual server ID 1, connection #226.  The remote host "198.185.x.x", responded to the SMTP command "rcpt" with "550 gvfchwox@spratley.com...User unknown  ".  The full command sent was "RCPT TO:<gvfchwox@spratley.com>".  This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #89.  The client at "220.133.x.x" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for 111@jfrur.101main.com  ".  The full command sent was "rcpt TO: <111@jfrur.101main.com>".  This will probably cause the connection to fail.

This is an SMTP protocol error log for virtual server ID 1, connection #218.  The remote host "202.93.x.x", responded to the SMTP command "rcpt" with "553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1)  ".  The full command sent was "RCPT TO:<dwiw@yahoo.co.jp>  ".  This will probably cause the connection to fail.




jchong -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (24.Oct.2006 1:25:57 PM)

Can you enable SMTP logging and post the output? It looks like someone is trying to relay but your server is rejecting, but I would like to confirm by looking at your SMTP logs.




Netmon1 -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (24.Oct.2006 2:09:25 PM)

Here are the logs for 2 of the examples I posted above. I have changed the actual server name in the log to MYSERVER and our actual domain to MYDOMAIN.

2006-10-10 20:36:37 148.235.52.20 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 RCPT - TO:<sportilloa@prodigy.net.mx> 0 0 4 0 4297 SMTP - - - -

2006-10-10 15:56:13 202.93.77.230 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 220+YSmtp+mta89.mail.bbt.yahoo.co.jp+ESMTP+service+ready 0 0 56 0 156 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 HELO - MAIL.MYDOMAIN.COM 0 0 4 0 156 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 250+mta89.mail.bbt.yahoo.co.jp 0 0 30 0 297 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 MAIL - FROM:<> 0 0 4 0 297 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 250+null+sender+<>+ok 0 0 21 0 422 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 RCPT - TO:<dwiw@yahoo.co.jp> 0 0 4 0 422 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 553+VS10-RT+Possible+forgery+or+deactivated+due+to+abuse+(#5.1.1) 0 0 65 0 562 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 RSET - - 0 0 4 0 562 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 250+reset+ok 0 0 12 0 687 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 QUIT - - 0 0 4 0 703 SMTP - - - -
2006-10-10 15:56:13 202.93.77.230 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 221+mta89.mail.bbt.yahoo.co.jp 0 0 30 0 828 SMTP - - - -




jchong -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (24.Oct.2006 3:55:03 PM)

Can you enable all the options for SMTP logging? Hit the properties button and select all options. It also looks to me that you may be sending NDRs to bogus addresses. Have you enabled recipient filtering?




Netmon1 -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (24.Oct.2006 4:38:30 PM)

I have all of the options for logging enabled, and recipient filtering was not enabled but I just enabled it. Will this eliminate the messages, or is someone still trying to relay and getting dropped?




jchong -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (25.Oct.2006 1:31:26 PM)

Recipient filter should stop a lot of the stuff you're seeing, because the SMTP logs appear to show your server sending NDR <> messages to bogus users and domains. Have you noticed any decrease?
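One way to confirm this reading of the logs, as an added example that is not part of the thread: walk the Exchange 2003 SMTP W3C log and flag outbound null-sender (MAIL FROM:<>) sessions whose RCPT the remote host refused with a 5xx reply. Those are the server's own NDRs bouncing off bogus addresses, which is exactly what recipient filtering is meant to stop; a 5xx on a normal sender is an ordinary delivery failure and is left alone. The log lines, IPs and domains below are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Exchange 2003 SMTP W3C log layout quoted in the thread:
# fields 2, 3, 8 and 10 are remote IP, event, SMTP verb and argument/reply.
# IPs and domains are documentation placeholders, not the poster's hosts.
SAMPLE_LOG = """\
2006-10-10 15:56:13 203.0.113.7 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 MAIL - FROM:<> 0 0 4 0 297 SMTP - - - -
2006-10-10 15:56:13 203.0.113.7 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 250+null+sender+<>+ok 0 0 21 0 422 SMTP - - - -
2006-10-10 15:56:13 203.0.113.7 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 RCPT - TO:<dwiw@example.jp> 0 0 4 0 422 SMTP - - - -
2006-10-10 15:56:13 203.0.113.7 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 553+Possible+forgery+or+deactivated+due+to+abuse+(#5.1.1) 0 0 65 0 562 SMTP - - - -
2006-10-10 15:56:13 203.0.113.7 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 QUIT - - 0 0 4 0 703 SMTP - - - -
2006-10-10 20:36:37 198.51.100.9 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 MAIL - FROM:<> 0 0 4 0 100 SMTP - - - -
2006-10-10 20:36:37 198.51.100.9 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 RCPT - TO:<gvfchwox@example.com> 0 0 4 0 200 SMTP - - - -
2006-10-10 20:36:38 198.51.100.9 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 550+gvfchwox@example.com...User+unknown 0 0 40 0 300 SMTP - - - -
2006-10-10 20:40:00 192.0.2.33 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 MAIL - FROM:<bob@MYDOMAIN.COM> 0 0 4 0 100 SMTP - - - -
2006-10-10 20:40:00 192.0.2.33 OutboundConnectionCommand SMTPSVC1 MYSERVER - 25 RCPT - TO:<typo@example.org> 0 0 4 0 200 SMTP - - - -
2006-10-10 20:40:01 192.0.2.33 OutboundConnectionResponse SMTPSVC1 MYSERVER - 25 - - 550+User+unknown 0 0 16 0 300 SMTP - - - -
"""


def rejected_bounces(log_text):
    """Return (remote_ip, recipient, reply) for every RCPT in a null-sender
    (MAIL FROM:<>) outbound session that the remote host answered with 5xx:
    our own NDRs bouncing off bogus addresses, i.e. backscatter."""
    hits, session = [], {}  # session: remote ip -> {"null": bool, "rcpt": str|None}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[3].startswith("OutboundConnection"):
            continue
        ip, event, verb, arg = f[2], f[3], f[8], f[10]
        st = session.setdefault(ip, {"null": False, "rcpt": None})
        if event == "OutboundConnectionCommand":
            if verb == "MAIL":           # new envelope; remember whether it is a bounce
                st["null"], st["rcpt"] = arg.upper() == "FROM:<>", None
            elif verb == "RCPT":
                m = re.match(r"TO:<([^>]*)>", arg, re.I)
                st["rcpt"] = m.group(1) if m else None
            elif verb in ("RSET", "QUIT"):
                session.pop(ip)
        elif st["rcpt"]:                 # the reply to the pending RCPT
            if st["null"] and arg.startswith("5"):
                hits.append((ip, st["rcpt"], arg.replace("+", " ")))
            st["rcpt"] = None
    return hits


def backscatter_by_host(log_text):
    """Rejected bounces per remote host: the figure to compare before and after enabling recipient filtering."""
    return Counter(ip for ip, _, _ in rejected_bounces(log_text))
```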





quiklnr2000 -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (26.Oct.2006 10:14:31 AM)

This has recently happened to me also.  Our ISP called up and stated that we were sending NDRs to bogus email addresses and it looked like spam.  So, they were telling me to disable NDRs all together by referencing Article 294757, http://support.microsoft.com/default.aspx?scid=kb;en-us;294757.  I really don't want to disable NDRs, but am looking for another option to fix this issue.

The reason that I am posting a reply to this message is because I've seen a bunch of Relay Prohibited entries in the Event Viewer recently also, and was wondering where they were coming from.  I'm pretty sure that I have everything set up correctly, but then I received the call from our ISP.  Any suggestions??

Thanks,
Bob




jchong -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (26.Oct.2006 1:03:49 PM)

Bob,

If you are using 2003 you can enable recipient filtering, which will stop you guys from sending NDRs to bogus addresses. You really don't want to disable NDRs since it's RFC compliant.

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html




quiklnr2000 -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (31.Oct.2006 9:29:57 AM)

Thanks James.
I've filtered by recipient, and now it looks okay.  I was just hesitant to filter by AD because then eventually that will give away the real addresses.  I have also seen a dramatic decrease in the queues.  We used to run around 275 open/retry queues and now it's down to around 140.  I still have some work to do, but it looks good now.  Thanks for all your help!




jchong -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (31.Oct.2006 10:17:59 AM)

[:)] Cool. "I was just hesitant to filter by AD because then eventually that will give away the real addresses."  Valid concern; it is recommended to enable SMTP tarpitting when using recipient filtering to mitigate against DHA attacks.


http://www.msexchange.org/tutorials/Windows-based-SMTP-Tar-Pitting-Explained.html




quiklnr2000 -> RE: Tons of 550s (unable to relay) and 553 (possible forgery) (6.Nov.2006 10:24:30 PM)

James,
Thanks for the info.  FYI, our queues are down to 15.
I'll check out the link about tar-pitting and let you know how I fare.
Bob



