After Relay Messages Blocked We're Still Getting Bogus E-mails (Full Version)






GeoffShop -> After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 4:23:32 PM)

Hello,

We have recently blocked Relay messages on Microsoft Exchange server due to having spam e-mails left and right (our ISP cut us off due to sending bogus emails out from our domain). It worked for a few days it seems but now we're getting a ton again and they're actually forcing some users in our Active Directory to send out e-mail.

Is there a way to find out what the problem is exactly? And how to solve it?

For example, from our logs:

#Version: 1.0
#Date: 2007-09-26 00:00:57
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 HELO - +melissasdandylittlecandys.com 250 0 46 34 0 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<ret@melissasdandylittlecandys.com> 250 0 58 46 0 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 RCPT - +TO:+<OneOfOurWorkers@work.com> 250 0 0 27 0 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 DATA - +<1190749784.2224@melissasdandylittlecandys.com> 250 0 131 1596 156 SMTP - - - -
2007-09-26 00:00:57 83.98.189.158 melissasdandylittlecandys.com SMTPSVC1 OurServer OurIP 0 QUIT - melissasdandylittlecandys.com 240 906 131 1596 312 SMTP - - - -
2007-09-26 00:05:27 216.66.235.83 83.srv.static.versans1.com SMTPSVC1 OurServer OurIP 0 HELO - +83.srv.static.versans1.com 250 0 46 31 0 SMTP - - - -
2007-09-26 00:05:27 216.66.235.83 83.srv.static.versans1.com SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<ManualCompton@$domain> 501 0 27 34 0 SMTP - - - -
2007-09-26 00:05:27 216.66.235.83 83.srv.static.versans1.com SMTPSVC1 OurServer OurIP 0 QUIT - 83.srv.static.versans1.com 240 328 67 4 0 SMTP - - - -




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 4:34:52 PM)

If the messages are from an external address, and to an external address, you have a relay problem or possibly a virus/worm-infected internal system sending out mail.

If the messages are from an administrative address in your domain (e.g. postmaster) and to external addresses, you are getting hit with spoofed spam and your system is busy sending out NDRs.

If the messages are from a real internal address, check for sent items in that mailbox to see if that person is actually sending them.




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 4:52:40 PM)

I have a picture of our queue; take a look:

http://img511.imageshack.us/img511/6481/exchangegm7.jpg

I am pretty sure that it's got to be something along the lines of a virus internally.

I looked and our user did not have any of those messages in his sent box. What does this mean?




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 5:08:43 PM)

Bear with this - lots to say and it's sort of a stream-of-consciousness blurb...

So you opened up some of those and saw it was addressed from a single user?  Search for them in Message Tracking.  Any insights there?  Anyone have "send as" permissions for that user?  If not, and the messages don't appear in his Sent Items, then it's probable that the messages aren't coming from Outlook.  If that's the case, then it's likely the messages are coming from an SMTP connection to your Exchange server - in which case I'd look at the SMTP log to see if you can spot what machine is making that connection.




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 5:31:31 PM)

Thank you for the quick replies.

Could you explain in detail what I should be doing? I'm rather new to Exchange server and have only been futzing around with it for about a week, and that's not even at a full-time position, so I'm still fairly new.

When I opened those, it says it was coming from only one user in our Active Directory.

We run two sets of e-mail hosts, let's call them @abx.com and @tjl.com. We really no longer use the @tjl.com, and that is where these messages are being addressed from, not our @abx.com, the address we normally use.

quote:

Anyone have "send as" permissions for that user?

How do I check this?

And I didn't check his @tjl.com address, just his @abx.com address. So, there very well could be something there, which will have to wait till tomorrow morning as no one is here! :(

Few questions:

1. If they're in the Sent folder of this single user's e-mail, what does that mean and how do I fix it?

2. If they're not there in that e-mail sent folder, I find the IP of the machine the SMTP log will give me and do what with this machine? Also, how do I go about doing this the right way? (Maybe an easier way you've noticed?)

3. Since it's coming from only one machine, does this seem more suspicious that it could be a virus on this person's machine?

Thanks again,

Geoff




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 5:39:21 PM)

Also,

I froze those messages; however, I unfroze a couple of them and they're saying "retry" under State. So, I take it they're not actually being sent out... But why are they in the queue in the first place? And are they not being sent due to having the Relay turned off?

Thanks,

Geoff




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 6:30:30 PM)

Let's start with your questions:
quote:

If they're in the Sent folder of this single user's e-mail, what does that mean and how do I fix it?
If they are there, it means the user sent them.  This can only happen if the messages were sent using client software (e.g. Outlook) that uses that account as its primary connection (e.g. Outlook profile).  This will not happen if the mail is created with a virus or worm.
quote:

If they're not there in that e-mail sent folder, I find the IP of the machine the SMTP log will give me and do what with this machine?
If you discover the source, then I'd scan it for viruses or investigate who has access that could be sending out messages.
quote:

Since it's coming from only one machine, does this seem more suspicious that it could be a virus on this person's machine?
Possibly.
quote:

I froze those messages; however, I unfroze a couple of them and they're saying "retry" under State. So, I take it they're not actually being sent out
If they are frozen, then they are not going out.
quote:

But why are they in the queue in the first place?
Messages always go to a queue to be delivered.  If they remain in the queue, it's typically because there is a transmission problem that prevents its delivery.  It's likely that there is no such domain or user at that domain.  Your Exchange server will dutifully retry every six hours for 48 hours before giving up.
quote:

And are they not being sent due to having the Relay turned off?
Disabling relaying prevents the messages from getting into the queue.  It does not do anything to messages already there.  Once in a queue, Exchange will retry until it succeeds or times out.
quote:

Anyone have "send as" permissions for that user?  How do I check this?
Open AD Users & Computers (ADUC).  Under the View menu make sure that "Advanced Features" is checked.  Open the properties of the user in question.  You'll now see a Security tab.  Go to it, and for each of the objects in the list, click on it and look in the properties for "Send as".  Any object with a check mark has the permission.




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (27.Sep.2007 8:04:30 PM)

Okay, I checked the user and under Group or User Names this is where I found that Send As was checked for "Allow":

Administrators (TDCO\Administrators)
Domain Admins (TDCO\Domain Admins)
Enterprise Admins (TDCO\Enterprise Admins)
System

What does this mean? :)

Geoff




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 12:02:35 AM)

Hopefully it means that no one is maliciously using "Send as", because members of those groups are trustworthy ;)

Are you sure those outbound messages aren't NDRs?  Do the subject lines indicate they are actually messages, or automatic responses to messages?




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 7:02:34 AM)

http://img229.imageshack.us/img229/6366/emailsyr5.jpg

There's a screenshot of the 'properties' of the e-mail.

It says "Subject is Hidden"

I read that there is a way to reverse NDR or turn them off. Would this fix the problem perhaps?

I think this is the link:
http://www.cmsconnect.com/praetor/rndr/prrndr.htm

Let me know what you would like me to do. I would like to get this problem resolved sometime in the near future. :)

Thanks again,

Geoff

Edit: Also, they're frozen at the moment, with the exception of the top two in which I unfroze to see if they would actually send. They're not sending and will eventually fail out, hopefully.




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 12:33:12 PM)

I thought I would mention that I unfroze the frozen queries this morning and none of them have gone through as far as I know. It looks like they'll fail out and delete themselves within 48 hours.

Any other tips/pointers?




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 2:05:43 PM)

If the sender in your screenshot is not a member of your domain, then it would appear you might have a relaying issue.  Let's try to determine where the message is coming from.  Use Message Tracking to look for anything sent to that recipient address.  See if that tells you anything.

Also, check the SMTP log to see if you can spot the Mail From with that sending address.  See if you can determine where the message is coming from.




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 2:25:28 PM)

quote:

ORIGINAL: uemurad

If the sender in your screenshot is not a member of your domain, then it would appear you might have a relaying issue.  Let's try to determine where the message is coming from.  Use Message Tracking to look for anything sent to that recipient address.  See if that tells you anything.


He is a member of our domain. We have two sets of email accounts we run since we combined two companies together.

quote:

ORIGINAL: uemurad
Also, check the SMTP log to see if you can spot the Mail From with that sending address.  See if you can determine where the message is coming from.


So I should log SMTP for a day? I have the logs set off at the moment.

I have logs from previous days, should I take a look at them or start from scratch (today)?




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 2:42:02 PM)

quote:

He is a member of our domain. We have two sets of email accounts we run since we combined two companies together.
That complicates matters slightly.  It is easier to relay messages through your server if the sending address is part of your domain.  The way to counteract this is by restricting what systems can send SMTP messages through your server.
quote:

So I should log SMTP for a day? I have the logs set off at the moment.
I have logs from previous days, should I take a look at them or start from scratch (today)?
You can look at the previous logs if you can tell which of them are the messages you want to block.  What you are trying to determine is the address from where these messages are originating.  This will only work if the messages are coming in as SMTP.  If they are coming in through a client, it should show up in Message Tracking.




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 4:33:23 PM)

quote:

That complicates matters slightly.  It is easier to relay messages through your server if the sending address is part of your domain.  The way to counteract this is by restricting what systems can send SMTP messages through your server.


How do I restrict the systems, and how do I choose which systems to restrict?

quote:


You can look at the previous logs if you can tell which of them are the messages you want to block.  What you are trying to determine is the address from where these messages are originating.  This will only work if the messages are coming in as SMTP.  If they are coming in through a client, it should show up in Message Tracking.


There are a lot of bogusly odd e-mails; I will look into this in a little more detail over the weekend. Also, I could send you the log I will be looking through to ensure I am looking at the right stuff.

Thanks again, you're a big help and I appreciate your time and effort in this matter.

Geoff




uemurad -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 5:22:02 PM)

quote:

How do I restrict the systems, and how do I choose which systems to restrict?
First, you need to determine which systems need the ability to relay.  If you have applications servers or monitoring servers that send SMTP traffic to your Exchange server to get messages out, that's what you need to know.  You can check the SMTP logs searching for communications from your own servers.

After you determine which servers you wish to allow, open the ESM, expand to your server, then Protocols and SMTP.  Open the properties of the Default SMTP Virtual Server, go to the Access tab, click Relay.  Select "Only the list below" and add in the addresses of the systems you wish to allow.  Make sure you check "Allow all computers which successfully authenticate to relay, regardless of the list above", or you won't be able to send messages between Exchange servers in your organization.
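A defender-side reading of the SMTP logs quoted earlier in the thread, written here as an added example (not code from the thread or from Exchange): it parses the IIS W3C layout from the #Fields header, groups MAIL FROM / RCPT TO per client IP, flags outside hosts that use one of the organisation's own sender domains or get an outside recipient accepted (a relay), and lists the internal hosts that actually submit mail, which is the starting list for the "Only the list below" relay setting described above. The abx.com/tjl.com domains are the placeholder names from the thread; the 192.0.2.x LAN prefix and the log lines are constructed.

```python
import re
from collections import defaultdict
OUR_DOMAINS = {"abx.com", "tjl.com"}   # the two accepted domains named in the thread
INTERNAL_NETS = ("192.0.2.",)           # assumed LAN prefix (constructed, RFC 5737 range)
ADDR_RE = re.compile(r"<([^>]+)>")

# Constructed sample in the W3C layout the poster quoted; '+' encodes a space in
# cs-uri-query.  Client IPs are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2007-09-26 00:00:58 198.51.100.7 mail.example.net SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<someone@tjl.com> 250 0 58 46 0 SMTP - - - -
2007-09-26 00:00:58 198.51.100.7 mail.example.net SMTPSVC1 OurServer OurIP 0 RCPT - +TO:+<victim@example.org> 250 0 0 27 0 SMTP - - - -
2007-09-26 00:01:10 192.0.2.20 appsrv01 SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<alerts@abx.com> 250 0 58 46 0 SMTP - - - -
2007-09-26 00:01:10 192.0.2.20 appsrv01 SMTPSVC1 OurServer OurIP 0 RCPT - +TO:+<ops@abx.com> 250 0 0 27 0 SMTP - - - -
2007-09-26 00:02:00 198.51.100.9 other.example.com SMTPSVC1 OurServer OurIP 0 MAIL - +FROM:+<bob@example.com> 250 0 58 46 0 SMTP - - - -
2007-09-26 00:02:00 198.51.100.9 other.example.com SMTPSVC1 OurServer OurIP 0 RCPT - +TO:+<worker@abx.com> 250 0 0 27 0 SMTP - - - -
2007-09-26 00:02:30 198.51.100.9 other.example.com SMTPSVC1 OurServer OurIP 0 RCPT - +TO:+<outside@example.org> 550 0 0 27 0 SMTP - - - -
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the preceding #Fields header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            yield dict(zip(fields, raw.split()))

def analyse(text):
    """Per client IP: MAIL FROM / RCPT TO addresses, plus flags for spoofing and relaying."""
    per_ip = defaultdict(lambda: {"mail_from": set(), "rcpt_to": set(), "flags": set()})
    for rec in parse_w3c(text):
        ip, verb = rec["c-ip"], rec["cs-method"]
        internal = ip.startswith(INTERNAL_NETS)
        m = ADDR_RE.search(rec["cs-uri-query"].replace("+", " "))
        addr = m.group(1).lower() if m else ""
        domain = addr.rsplit("@", 1)[-1]
        if verb == "MAIL":
            per_ip[ip]["mail_from"].add(addr)
            if domain in OUR_DOMAINS and not internal:
                per_ip[ip]["flags"].add("external host uses our sender domain")
        elif verb == "RCPT" and rec["sc-status"] == "250":   # only accepted recipients
            per_ip[ip]["rcpt_to"].add(addr)
            if domain not in OUR_DOMAINS and not internal:
                per_ip[ip]["flags"].add("relay accepted: outside IP to outside recipient")
    return dict(per_ip)

def relay_candidates(report):
    """Internal IPs that submitted mail: the starting point for 'Only the list below'."""
    return sorted(ip for ip in report if ip.startswith(INTERNAL_NETS))
```

Run it against a real SMTP log by passing the file contents to analyse(); any IP whose flags set is non-empty is the connection to chase down, and relay_candidates() is what to compare against the servers you expect to need relaying.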




GeoffShop -> RE: After Relay Messages Blocked We're Still Getting Bogus E-mails (28.Sep.2007 6:21:23 PM)

quote:

First, you need to determine which systems need the ability to relay.  If you have applications servers or monitoring servers that send SMTP traffic to your Exchange server to get messages out, that's what you need to know.  You can check the SMTP logs searching for communications from your own servers


I have PMed you the logs I have. I'm not sure if it is the same log you're wanting me to look for; however, I am pretty sure it could be :-) If it's not, let me know how to check this (again, I'm very basic with this program... lived off of the Microsoft websites :-/ )



