The system administrator's account is getting swamped by mail with the subject Undeliverable: Returned mail: User unknown on mail that (we think) no one in our organization has ever sent.
Here is the message body:
quote: -----Original Message----- From: System Administrator Sent: Tuesday, September 16, 2003 12:01 PM To: cuttie1203@aol.com; ddentrpris@aol.com Subject: Undeliverable: Returned mail: User unknown
Your message did not reach some or all of the intended recipients.
Subject: Re: get prescription meds to your door - no prior prescription needed ulr sgi iryubprg po pm llyamruqvgyldt qbjwksleuxuv htlfm r gjzh hltenwnmobdmgkn udxxw wzck Sent: 9/16/2003 11:03 AM
The following recipient(s) could not be reached:
cuttie1203@aol.com on 9/16/2003 11:19 AM The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address. < str-d10.mail.aol.com #5.1.1 SMTP; 550 MAILBOX NOT FOUND>
ddentrpris@aol.com on 9/16/2003 11:19 AM The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address. < str-d10.mail.aol.com #5.1.1 SMTP; 550 MAILBOX NOT FOUND>
How can I be sure that someone, or something is sending the message within the orgainzation?
I am worried that someone is using our Exchange Server as a spam server. So I checked our relay settings and all seems to be well. Here are the settings:
Only the List Below: Server's internal ip address. Server's external ip address. Allow all computer which successfully authenticate to relay, regardless of the settings above.
How can I find who is sending these messages and block them?
Any help on this topic would be greatly appreciated! Thanks,
Here is one thing I over looked when I first setup my exchange server.
On the address tab of the SMTP connector... Make sure you do not have the ôAllow messages to be relayed to these domainsö checked, as this will override the settings on your SMTP Virtual server and you will be an ôOpenö Relay.
That article has a few links to some testing website that will test your server for an open relay. There is also a manual test in the article.
Also make sure SMTP loggin is enabled if you are wanting to track access
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline
If you made sure your setup is identical to the link I posted then I can only assume you are having trouble cause of the setting below.
"Allow all computers which successfully authenticate to relay, regardless of the settings above."
Either someone inside is generating the SPAM or someone outside is connecting sending mail through your server with a valid username/password. I say that last part because I noticed you have your server's external IP in the granted list...curious, why are you doing this?
Also, do you have SMTP logging enabled? You need to to get a clear idea of who/what is coming and going through the mail server. Make sure and check the extended logging properties for what is being logged.
quote:Originally posted by Kevin S.: Either someone inside is generating the SPAM or someone outside is connecting sending mail through your server with a valid username/password. I say that last part because I noticed you have your server's external IP in the granted list...curious, why are you doing this?
I am not sure why I am doing this...becuase Small Business 2000 setup set it up like that...Should I remove it? Why is it on there now? What would happen if I removed it?
quote:Originally posted by Kevin S.: Also, do you have SMTP logging enabled? You need to to get a clear idea of who/what is coming and going through the mail server. Make sure and check the extended logging properties for what is being logged.
Logging was enabled, but only the default extended logging features were selected. I went ahead and selected them all.
Is there a log parser that would make reading these logs eaiser? Or like a software that would review them like some web log software does?
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline
Well I would need to know more about your network setup to tell you if you needed that external IP or not. I would assume you don't. The reason it might be an issue is someone might be able to make it appear messages are being relayed from your external IP, externally
For example, In my small business network we have business class cable setup with a router doing NAT. Our exchange server is setup only with "Granted" premissions to the internal IP address. There is no need for me to put the external IP on the server. Memebers of the domain will be able to "relay" by default.
So a lot depends on your setup...
As far as the log parser goes... I would check out Log Parser 2.0 from MS. I think you will find it does just about everything you need.
Your settings appear to be fine. Without seeing the full header information you can't tell if the messages are originating from your network or not. Someone is probably spoofing your address, that was one of the annoyances with the sobig.f virus.
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline
Steve, really sounds like you are experiencing a SMTP auth attack. Someone is using an account to gain access externally. Users using weak passwords make this a big risk. There is another post in the Security section talking about this.
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Printable Version
All Forums >> [Microsoft Exchange 2000] >> General >> Getting Undeliverable: Returned mail: User unknown on Mail We Never Sent 
Getting Undeliverable: Returned mail: User unknown on M... - !["[Smile]"](/image/smiles/smile.gif "\"\"")
RE: Getting Undeliverable: Returned mail: User unknown ... - ![[Confused]](/image/smiles/confused.gif)
We really get alot of them.
![[Big Grin]](/image/smiles/biggrin.gif)
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread
