What is going on? Open Relay?






Max Power -> What is going on? Open Relay? (21.Apr.2007 2:46:45 PM)

I run a Windows 2003 Server running Exchange 2003 and I also run a BES server on a separate server.  Everything has been running great and still is, except today I received about 5 emails telling me that a bunch of emails are undeliverable.  These messages were not sent from my users, so I need to figure out where they are coming from and why.  I have done all the open relay tests and it appears to me that I am not an open relay.  Can anyone shed some light as to what is going on?  Below is a copy of one of the emails:





Your message did not reach some or all of the intended recipients.
Subject: Re:?????????????? ? ?????????? ?????????????? ????????
Sent: 4/21/2007 10:14 AM

The following recipient(s) could not be reached:
info@dobavit-1.truboreze.cv.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
anna@esc.odessa.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
yoghurt_man@mail.ru on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
stabin@online.com.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
ziack@torba.com on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
doctrilla@ukr.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
obbie@ukr.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
scorpion@unet.lg.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
nikolbj@vidikon.sumy.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
sales@zstu.edu.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08326-09 (in reply to end of DATA command)>
vant@carrier.kiev.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
faktor2@gomail.com.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
info@innovatsiya.ozsux.od.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
paliyopalij@isto.lviv.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
info@khmelevskiyviktor.openua.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
vip@pif.org.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
maribel@tm.odessa.ua on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
cupa@torba.com on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
styil@torba.com on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>
s_2004@ukr.net on 4/21/2007 9:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail4.ipbolaget.com #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=08846-05 (in reply to end of DATA command)>




uemurad -> RE: What is going on? Open Relay? (22.Apr.2007 1:22:54 AM)

Look at Message Tracking.  Use the search parameters of one of the failed recipient addresses and the date/time specified (a few minutes before and after).

There you will learn what Exchange thought the sending address was, and what your server attempted to do with the message.  It will also indicate if this was a single message or multiple messages going out.




Max Power -> RE: What is going on? Open Relay? (22.Apr.2007 8:48:48 PM)

I ended up getting about 15 of these total on Saturday and so far none on Sunday.

Unfortunately I didn't have message tracking enabled but it is now.  Thanks for the advice and I will post back here if it happens again.




jchong -> RE: What is going on? Open Relay? (23.Apr.2007 1:04:04 PM)

Looks like you are getting NDR backscatter. It's possible that someone is spoofing your email addresses to send spam as, and you are getting the NDR. Given that the NDRs are saying that they are being blocked by content, it's likely this is the case.

http://spamlinks.net/prevent-secure-backscatter.htm


James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com




Max Power -> RE: What is going on? Open Relay? (23.Apr.2007 2:10:44 PM)

quote:

ORIGINAL: jchong

Looks like you are getting NDR backscatter. It's possible that someone is spoofing your email addresses to send spam as, and you are getting the NDR. Given that the NDRs are saying that they are being blocked by content, it's likely this is the case.

http://spamlinks.net/prevent-secure-backscatter.htm


James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com


Thanks, that's what I assumed it was too.  The only reason I suspected differently is that the messages appeared to be coming from my internal 'System Administrator'.  Is that possible with what you speak of?




jchong -> RE: What is going on? Open Relay? (23.Apr.2007 2:35:45 PM)

Ahh, didn't know that; then it is possible that your system is sending these out. Enable SMTP logging as well. When this occurs, look through the logs, filter by the domain and see if you see the source IP. Usually if a client is infected, even if MAPI, it will be sending over SMTP and the IP will be logged.


James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com
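
The log check suggested in the reply above, as an added example (not part of the original thread): filter the SMTP log by the recipient domains named in the NDR and tally which client IP submitted them. It assumes the SMTP virtual server logs in W3C Extended format with `c-ip`, `cs-method`, `cs-uri-query` and `sc-status` enabled; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in W3C Extended log format; hosts, IPs and local parts
# are made up, the two watched domains are taken from the NDR in the thread.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2007-04-21 14:01:02 192.168.1.57 ws57 192.168.1.10 MAIL +FROM:<a@example.com> 250
2007-04-21 14:01:02 192.168.1.57 ws57 192.168.1.10 RCPT +TO:<rcpt1@esc.odessa.ua> 250
2007-04-21 14:01:03 192.168.1.57 ws57 192.168.1.10 RCPT +TO:<rcpt2@torba.com> 250
2007-04-21 14:01:03 192.168.1.57 ws57 192.168.1.10 RCPT +TO:<rcpt3@TORBA.com> 250
2007-04-21 14:05:40 192.168.1.22 ws22 192.168.1.10 RCPT +TO:<bob@partner.example> 250
2007-04-21 14:06:11 203.0.113.9 mx.example.net 192.168.1.10 RCPT +TO:<user@example.com> 250
"""

# Pulls the domain out of the RCPT argument, e.g. "+TO:<user@domain>".
RCPT_RE = re.compile(r"TO:\+?<[^<>@\s]*@([^<>\s]+)>", re.IGNORECASE)

def senders_by_domain(log_text, watch_domains):
    """Return {client_ip: {domain: accepted RCPT count}} for the watched domains."""
    watch = {d.lower() for d in watch_domains}
    fields, hits = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order depends on what is enabled
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue  # other directives, blanks, or data before any header
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        m = RCPT_RE.search(row.get("cs-uri-query", ""))
        if not m or not row.get("sc-status", "").startswith("2"):
            continue  # unparseable argument, or recipient was not accepted
        domain = m.group(1).lower()
        if domain in watch:
            hits[row.get("c-ip", "?")][domain] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

if __name__ == "__main__":
    for ip, counts in senders_by_domain(SAMPLE_LOG, ["torba.com", "esc.odessa.ua"]).items():
        print(ip, counts)
```
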




Max Power -> RE: What is going on? Open Relay? (23.Apr.2007 2:49:15 PM)

Thanks, I will do that.



