Exchange Server Forums


After Relay Messages Blocked We're Still Getting Bogus E-mails

After Relay Messages Blocked We're Still Getting Bogus ... - 27.Sep.2007 4:23:32 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
    Hello,

We have recently blocked Relay messages on Microsoft Exchange server due to having spam e-mails left and right (our ISP cut us off due to sending bogus emails out from our domain). It worked for a few days it seems but now we're getting a ton again and they're actually forcing some users in our Active Directory to send out e-mail.

Is there a way to find out what the problem is exactly? And how to solve it?

For example of our logs:

#Version: 1.0
#Date: 2007-09-26 00:00:57
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 HELO - +melissasdandylittlecandys.com 250 0 46 34 0 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<ret@melissasdandylittlecandys.com> 250 0 58 46 0 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 RCPT - +TO:+<OneOfOurWorkers@work.com> 250 0 0 27 0 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 DATA - +<1190749784.2224@melissasdandylittlecandys.com> 250 0 131 1596 156 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 QUIT - melissasdandylittlecandys.com 240 906 131 1596 312 SMTP - - - -
2007-09-26 00:05:27 216.66.235.83 83.srv.static.versans1.com SMTPSVC1 OurServer OurIP 0 HELO - +83.srv.static.versans1.com 250 0 46 31 0 SMTP - - - -
2007-09-26 00:05:27 216.66.235.83 83.srv.static.versans1.com SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<ManualCompton@$domain> 501 0 27 34 0 SMTP - - - -
2007-09-26 00:05:27 216.66.235.83 83.srv.static.versans1.com SMTPSVC1 OurServer OurIP 0 QUIT - 83.srv.static.versans1.com 240 328 67 4 0 SMTP - - - -
Post #: 1
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 4:34:52 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
If the messages are from an external address, and to an external address, you have a relay problem or possibly a virus/worm-infected internal system sending out mail.

If the messages are from an administrative address in your domain (e.g. postmaster) and to external addresses, you are getting hit with spoofed spam and your system is busy sending out NDRs.

If the messages are from a real internal address, check for sent items in that mailbox to see if that person is actually sending them.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 2
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 4:52:40 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
I have a picture of our queue; take a look:

http://img511.imageshack.us/img511/6481/exchangegm7.jpg

I am pretty sure that it's got to be something along the lines of a virus internally.

I looked and our user did not have any of those messages in his sent box. What does this mean?

(in reply to uemurad)
Post #: 3
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 5:08:43 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Bear with this - lots to say and it's sort of a stream-of-consciousness blurb...

So you opened up some of those and saw it was addressed from a single user?  Search for them in Message Tracking.  Any insights there?  Anyone have "send as" permissions for that user?  If not, and the messages don't appear in his Sent Items, then it's probable that the messages aren't coming from Outlook.  If that's the case, then it's likely the messages are coming from an SMTP connection to your Exchange server - in which case I'd look at the SMTP log to see if you can spot what machine is making that connection.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 4
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 5:31:31 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
Thank you for the quick replies.

Could you explain in detail of what I should be doing? I'm rather new to exchange server and have been only futzing around with it for about a week, and that's not even at a full-time position, so still fairly new.

When I opened those, it says it was coming from only one user in our active directory

We run two sets of e-mail hosts, let's call them @abx.com and @tjl.com. We really no longer use the @tjl.com, and that is where these messages are being addressed from, not our @abx.com, the address we normally use.

quote:

Anyone have "send as" permissions for that user?

How do I check this?

And I didn't check his @tjl.com address, just his @abx.com address. So, there very well could be something there, which will have to wait till tomorrow morning as no one is here! :(

Few questions:

1. If they're in the Sent folder of this single user's e-mail, what does that mean and how do I fix it?

2. If they're not there in that e-mail sent folder, I find the IP of the machine the SMTP log will give me and do what with this machine? Also, how abouts do I go about doing this the right way? (Maybe an easier way you've noticed?)

3. Since it's coming from only one machine, does this seem more suspicious that it could be a virus on this person's machine?

Thanks again,

Geoff

(in reply to uemurad)
Post #: 5
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 5:39:21 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
Also,

I froze those messages; however, I unfroze a couple of them and they're saying "retry" under State. So, I take it they're not actually being sent out... But why are they in the queue in the first place? And are they not being sent due to having the Relay turned off?

Thanks,

Geoff

(in reply to GeoffShop)
Post #: 6
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 6:30:30 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Let's start with your questions:
quote:

If they're in the Sent folder of this single user's e-mail, what does that mean and how do I fix it?
If they are there, it means the user sent them.  This can only happen if the messages were sent using client software (e.g. Outlook) that uses that account as its primary connection (e.g. Outlook profile).  This will not happen if the mail is created with a virus or worm.
quote:

If they're not there in that e-mail sent folder, I find the IP of the machine the SMTP log will give me and do what with this machine?
If you discover the source, then I'd scan it for viruses or investigate who has access that could be sending out messages.
quote:

Since it's coming from only one machine, does this seem more suspicious that it could be a virus on this person's machine?
Possibly.
quote:

I froze those messages; however, I unfroze a couple of them and they're saying "retry" under State. So, I take it they're not actually being sent out
If they are frozen, then they are not going out.
quote:

But why are they in the queue in the first place?
Messages always go to a queue to be delivered.  If they remain in the queue, it's typically because there is a transmission problem that prevents their delivery.  It's likely that there is no such domain or user at that domain.  Your Exchange server will dutifully retry every six hours for 48 hours before giving up.
quote:

And are they not being sent due to having the Relay turned off?
Disabling relaying prevents the messages from getting into the queue.  It does not do anything to messages already there.  Once in a queue, Exchange will retry until it succeeds or times out.
quote:

Anyone have "send as" permissions for that user?  How do I check this?
Open AD Users & Computers (ADUC).  Under the View menu make sure that "Advanced Features" is checked.  Open the properties of the user in question.  You'll now see a Security tab.  Go to it, and for each of the objects in the list, click on it and look in the properties for "Send as".  Any object with a check mark has the permission.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 7
RE: After Relay Messages Blocked We're Still Getting Bo... - 27.Sep.2007 8:04:30 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
Okay I checked the user and under Group or User Names this is where I found that Send As was checked for "Allow":

Administrators (TDCO\Administrators)
Domain Admins (TDCO\Domain Admins)
Enterprise Admins (TDCO\Enterprise Admins)
System

What does this mean? :)

Geoff

(in reply to uemurad)
Post #: 8
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 12:02:35 AM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Hopefully it means that no one is maliciously using "Send as" because members of those groups are trustworthy.

Are you sure those outbound messages aren't NDRs?  Do the subject lines indicate they are actually messages, or automatic responses to messages?

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 9
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 7:02:34 AM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
http://img229.imageshack.us/img229/6366/emailsyr5.jpg

There's a screenshot of the 'properties' of the e-mail.

It says "Subject is Hidden"

I read that there is a way to reverse NDR or turn them off. Would this fix the problem perhaps?

I think this is the link:
http://www.cmsconnect.com/praetor/rndr/prrndr.htm

Let me know what you would like me to do. I would like to get this problem resolved sometime in the near future. :)

Thanks again,

Geoff

Edit: Also, they're frozen at the moment, with the exception of the top two in which I unfroze to see if they would actually send. They're not sending and will eventually fail out, hopefully.

< Message edited by GeoffShop -- 28.Sep.2007 7:04:14 AM >

(in reply to uemurad)
Post #: 10
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 12:33:12 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
I thought I would mention that I unfroze the frozen queries this morning and none of them have gone through as far as I know. It looks like they'll fail out and delete themselves within 48 hours.

Any other tips/pointers?

(in reply to GeoffShop)
Post #: 11
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 2:05:43 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
If the sender in your screenshot is not a member of your domain, then it would appear you might have a relaying issue.  Let's try to determine where the message is coming from.  Use Message Tracking to look for anything sent to that recipient address.  See if that tells you anything.

Also, check the SMTP log to see if you can spot the Mail From with that sending address.  See if you can determine where the message is coming from.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 12
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 2:25:28 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
quote:

ORIGINAL: uemurad

If the sender in your screenshot is not a member of your domain, then it would appear you might have a relaying issue.  Let's try to determine where the message is coming from.  Use Message Tracking to look for anything sent to that recipient address.  See if that tells you anything.


He is a member of our domain. We have two sets of email accounts we run since we combined two companies together.

quote:

ORIGINAL: uemurad
Also, check the SMTP log to see if you can spot the Mail From with that sending address.  See if you can determine where the message is coming from.


So I should log SMTP for a day? I have the logs set off at the moment.

I have logs from previous days, should I take a look at them or start from scratch (today)?

(in reply to uemurad)
Post #: 13
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 2:42:02 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
quote:

He is a member of our domain. We have two sets of email accounts we run since we combined two companies together.
That complicates matters slightly.  It is easier to relay messages through your server if the sending address is part of your domain.  The way to counteract this is by restricting what systems can send SMTP messages through your server.
quote:

So I should log SMTP for a day? I have the logs set off at the moment.
I have logs from previous days, should I take a look at them or start from scratch (today)?
You can look at the previous logs if you can tell which of them are the messages you want to block.  What you are trying to determine is the address from where these messages are originating.  This will only work if the messages are coming in as SMTP.  If they are coming in through a client, it should show up in Message Tracking.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 14
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 4:33:23 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
quote:

That complicates matters slightly.  It is easier to relay messages through your server if the sending address is part of your domain.  The way to counteract this is by restricting what systems can send SMTP messages through your server.


How abouts do I restrict the systems, and how do I choose which systems to restrict?

quote:


You can look at the previous logs if you can tell which of them are the messages you want to block.  What you are trying to determine is the address from where these messages are originating.  This will only work if the messages are coming in as SMTP.  If they are coming in through a client, it should show up in Message Tracking.


There are a lot of bogusly odd e-mails; I will look into this in a little more detail over the weekend. Also, I could send you the log I will be looking through to ensure I am looking at the right stuff.

Thanks again, you're a big help and I appreciate your time and effort in this matter.

Geoff

(in reply to uemurad)
Post #: 15
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 5:22:02 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
quote:

How abouts do I restrict the systems, and how do I choose which systems to restrict?
First, you need to determine which systems need the ability to relay.  If you have applications servers or monitoring servers that send SMTP traffic to your Exchange server to get messages out, that's what you need to know.  You can check the SMTP logs searching for communications from your own servers.

After you determine which servers you wish to allow, open the ESM, expand to your server, then Protocols and SMTP.  Open the properties of the Default SMTP Virtual Server, go to the Access tab, click Relay.  Select "Only the list below" and add in the addresses of the systems you wish to allow.  Make sure you check "Allow all computers which successfully authenticate to relay, regardless of the list above", or you won't be able to send messages between Exchange servers in your organization.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to GeoffShop)
Post #: 16
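The log check Dean describes in posts #14 and #16 (spot the Mail From with the sending address, find which of your own systems submit SMTP to Exchange, then allow only those to relay) as a Python script added here; it is not from the thread or from Microsoft. It reads the W3C SMTP log format shown in the first post, pairs every RCPT TO with the preceding MAIL FROM from the same client IP, and reports which IPs outside an allow-list had outbound recipients accepted (250) versus refused. The sample log, the IPs and the allow-list are constructed; abx.com and tjl.com are the domain names Geoff uses in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the W3C format the SMTP virtual server writes (same
# #Fields line as the log in the first post); IPs, hosts and mailboxes are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2007-09-28 08:00:01 192.0.2.10 appsrv01 SMTPSVC1 OurServer 192.0.2.5 0 MAIL - +FROM:+<alerts@abx.com> 250 0 47 27 0 SMTP - - - -
2007-09-28 08:00:01 192.0.2.10 appsrv01 SMTPSVC1 OurServer 192.0.2.5 0 RCPT - +TO:+<oncall@example.org> 250 0 35 28 0 SMTP - - - -
2007-09-28 08:03:12 198.51.100.77 host77.example.net SMTPSVC1 OurServer 192.0.2.5 0 MAIL - +FROM:+<jsmith@tjl.com> 250 0 47 29 0 SMTP - - - -
2007-09-28 08:03:12 198.51.100.77 host77.example.net SMTPSVC1 OurServer 192.0.2.5 0 RCPT - +TO:+<victim1@example.org> 250 0 38 30 0 SMTP - - - -
2007-09-28 08:03:13 198.51.100.77 host77.example.net SMTPSVC1 OurServer 192.0.2.5 0 RCPT - +TO:+<victim2@example.org> 250 0 38 30 0 SMTP - - - -
2007-09-28 08:09:40 203.0.113.9 mx9.example.com SMTPSVC1 OurServer 192.0.2.5 0 MAIL - +FROM:+<ret@example.com> 250 0 47 30 0 SMTP - - - -
2007-09-28 08:09:40 203.0.113.9 mx9.example.com SMTPSVC1 OurServer 192.0.2.5 0 RCPT - +TO:+<someone@abx.com> 250 0 36 28 0 SMTP - - - -
2007-09-28 08:09:41 203.0.113.9 mx9.example.com SMTPSVC1 OurServer 192.0.2.5 0 RCPT - +TO:+<elsewhere@example.org> 550 0 55 33 0 SMTP - - - -
"""

ADDR = re.compile(r"<([^>]*)>")  # the address inside +FROM:+<...> / +TO:+<...>

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))  # IIS encodes spaces as '+'

def relay_report(text, our_domains, allowed_ips):
    """Per client IP not on the allow-list: RCPT TO commands for recipients
    outside our domains (i.e. relay attempts), split into accepted (250) and
    refused, plus the MAIL FROM addresses those sessions used."""
    report = defaultdict(lambda: {"accepted": 0, "refused": 0, "senders": set()})
    last_sender = {}  # last MAIL FROM per client IP (simplification: one session per IP)
    for rec in parse_w3c(text):
        ip, m = rec["c-ip"], ADDR.search(rec["cs-uri-query"])
        addr = m.group(1).lower() if m else ""
        if rec["cs-method"] == "MAIL":
            last_sender[ip] = addr
        elif rec["cs-method"] == "RCPT" and ip not in allowed_ips:
            if addr.rpartition("@")[2] in our_domains:
                continue  # inbound mail for one of our domains, not a relay
            entry = report[ip]
            entry["accepted" if rec["sc-status"] == "250" else "refused"] += 1
            entry["senders"].add(last_sender.get(ip, "?"))
    return dict(report)

def open_relay_clients(report):
    """IPs whose outbound recipients were accepted: the relay hole to close."""
    return sorted(ip for ip, e in report.items() if e["accepted"])

if __name__ == "__main__":
    rep = relay_report(SAMPLE_LOG, {"abx.com", "tjl.com"}, {"192.0.2.10"})
    for ip, e in sorted(rep.items()):
        print(ip, e["accepted"], "accepted,", e["refused"], "refused, from", sorted(e["senders"]))
    print("relaying through us:", open_relay_clients(rep))
```

IPs that appear only with refused recipients show the relay restriction is already working; IPs that appear with accepted outbound recipients and are not your own application or monitoring servers are the ones to remove from the relay list in ESM.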
RE: After Relay Messages Blocked We're Still Getting Bo... - 28.Sep.2007 6:21:23 PM   
GeoffShop

 

Posts: 11
Joined: 27.Sep.2007
Status: offline
quote:

First, you need to determine which systems need the ability to relay.  If you have applications servers or monitoring servers that send SMTP traffic to your Exchange server to get messages out, that's what you need to know.  You can check the SMTP logs searching for communications from your own servers


I have PMed you the logs I have. I'm not sure if it is the same log you're wanting me to look for; however, I am pretty sure it could be :-) If it's not, let me know how to check this (again, I'm very basic with this program...lived off of the Microsoft websites :-/ )

(in reply to uemurad)
Post #: 17