jjd228 -> URGENT, PLEASE HELP (24.Feb.2004 5:11:00 PM)

I have been notified that my Exchange server is being used to relay spam. I checked the SMTP queues and there are thousands. The problem is that relaying is configured normally to only allow authenticated users. This leads me to believe that an account username and password are being used. How can I determine what account is being used to send all of this spam? Please, any advice on what I should do will be appreciated.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 5:40:00 PM)

Your username and password are not being used. There is a problem in your SMTP virtual server.

1. Go into your Exchange System Manager, double-click the server and then expand the Exchange computer that you want to configure.
2. Expand Protocols and then expand SMTP.
3. Right-click Default SMTP Virtual Server and then click Properties.
4. Click the Access tab to display the access control options.
5. Click the Relay button.
6. In the Relay Restrictions dialog box, make sure that the selection for which computers may relay is set to "Only the list below" and that the list is blank (it may not be blank if you have multiple Exchange servers).
7. Unless you are using POP3 and IMAP4 clients with this virtual server, clear the "Allow all computers which successfully authenticate to relay, regardless of the list above" box, and then click OK.

Once you complete these steps your queue will start to clear. If you have a thousand emails in there it may take a couple of hours to clear up. This will stop you being used as a relay. Let me know if you have any more problems.

Guest -> RE: URGENT, PLEASE HELP (24.Feb.2004 5:42:00 PM)

I had this exact problem here last week!

What I did first was to disable relaying except for the IP address of our internet service provider who sends us e-mails. This diverted all the spam e-mails into the 'BadMail' folder which you need to find and monitor - it needs clearing out when it gets too big. But disabling relaying didn't stop the drain on our processing because the spam e-mails were still being processed before it didn't relay them, if you catch my drift.

In the end what we did was to configure our firewall so it blocked out all IP addresses except that of our ISP, so they were the only people that could send us mail. With our relay attack, the spammers must have been sending us mail directly, rather than going through our ISP (Demon) because the ISP had no knowledge of the attack.

I didn't have any success with disabling users, so I'd abandon this line of query if I were you. I think they found a way in by coming across our IP address somehow and attacking us directly.

I would:

(a) Make sure that the only users that can use you to relay messages are your ISP or mail provider. Do this by right-clicking 'Properties' on your Default Virtual SMTP Server in the Exchange Manager and selecting the 'Relay' option on the Advanced tab. Find out your ISP's IP address and make sure it's the only one allowed. You mustn't disable relaying completely or your ISP won't be able to send you e-mail.

(b) Monitor and check your 'Badmail' folder. Ours is in C:\Program Files\Exchsvr\Mailroot\vs 1\Badmail. Yours might be somewhere similar. Once you've got relaying sussed, all the bad e-mails should flow to here and your good ones will follow the right path. Clear this folder out regularly.

(c) Look into how your firewall software works and see if you can see what the invading IP address is. If you identify it, deny them access and inform your ISP of the location the spam e-mails are coming from.

Hope this helps,


jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 5:49:00 PM)

Randy: my SMTP server is set up properly as I indicated in my original post. Relaying is set to "Only the list below" and the list is blank. This, again, leads me to believe strongly that someone MUST be using a valid account name to relay their mail. Wouldn't this only make sense? Please advise.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 5:59:00 PM)

Do you have "Allow computers which successfully authenticate to relay, regardless of the list below"...

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:00:00 PM)

...from before: checked. If you have this checked you will be relayed. It is on the same page as "Only the list below". You must uncheck the "Allow all computers which..." option.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:00:00 PM)

KB article 319356

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:06:00 PM)

Yes, this IS checked. But again, that means that someone IS authenticating. And I need this because I have remote users that need to relay. So what do I do now? I'm about to be blacklisted by my own ISP.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:13:00 PM)

The reason you were relayed, I am willing to bet money, is this: when you click on the properties of the SMTP virtual server, go to the Access tab. There are a couple of options; click the Authentication option. I bet you have anonymous access checked. This requires no password. Now that you have "Allow all computers..." unchecked this will not be a problem. But when you had that checked, anyone could connect to your server and use you as a relay because your security was set up for anonymous access. The only reason to have "Allow all computers" checked is if you have IMAP4 and POP3 clients. I am betting you don't.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:19:00 PM)

So a breakdown....
"Allow all computers which successfully authenticate to relay, regardless of the list above" will open your server up for relaying.

The above option should only be used for clients who rely on POP3 and IMAP4 for SMTP delivery and have legitimate reason for sending mail to external domains.

As to the password problem: with having your machine set up for open relay, I am assuming you didn't have the correct security set up. In the Authentication option, if anonymous access was checked, this would allow anyone to connect and relay through your server.

Best practice:

Just uncheck "Allow all computers which successfully authenticate to relay, regardless of the list above".

I hope this helped you out. Your queue will take a while to clear up.

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:22:00 PM)

Oh boy. Thank you for your help but you are very misinformed. First of all, "Enable anonymous authentication" on the Authentication tab specifies how OTHER SMTP SERVERS will connect to your server. This almost ALWAYS has to allow anonymous connections or you won't get any mail, unless you use your ISP's server and have configured authentication. As far as POP3 clients, why do you feel that I don't know if I have any? As a matter of fact, I am one myself. The server is in a completely different state than me and I USE POP3 with the server. So once again, my settings and configuration are all correct. I've been doing this for quite some time and am an MCSE; please trust my knowledge. The simple fact is that someone has a username and password on my system. Do you have any idea how to find out which one is being used?

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:26:00 PM)

Please, read this to better educate yourself:


Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:29:00 PM)

I agree with the anonymous access. Listen, I am only trying to help you; I have been relayed. And there was no mention of POP3 clients or IMAP4 clients in your previous posts. You must be more clear in explaining your issues; this changes your whole scheme. I really could care less about your credentials. I was relayed and unchecking "allow" worked. Being an MCSE, it seems you have a problem with password security. Enjoy the spam.

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:31:00 PM)

You only "agree with anonymous access" because I just taught you what its true meaning is. In your previous post you had no idea.

But again, thank you for your time.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:32:00 PM)

I am actually on my lunch hour at work and writing these during questions from users; sorry about the anonymous access. To better educate you: authentication provides the ability for external hosts or clients to present a username and password to log on to the SMTP virtual server. However, similar to IP restrictions, configuring authentication is possible only if your ISP is acting as a message relay for you, and can provide authenticated connections to your SMTP virtual server. Your ISP must also support TLS, which encrypts the whole authentication and message transfer session.

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:35:00 PM)

Uh, yeah? That's word for word what's in the article I just sent you; what's the point? In your other post you said that enabling anonymous authentication would "allow anyone to relay". You were wrong. Take it as a lesson learned and enjoy your new knowledge.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:37:00 PM)

Since we are getting technical (you really have me going today), I will give you a crash course in relaying. Relaying is the action of an inbound connection to your SMTP server being used to send e-mail messages to external domains. With unsolicited commercial e-mail messages, sending a single e-mail message to your SMTP server with multiple recipients in domains external to your organization does this. Because the default setting for SMTP servers is to use anonymous authentication, the system being used to propagate the unsolicited commercial e-mail messages accepts the inbound message as typical. After the message is accepted, the SMTP server recognizes that the message recipients belong to external domains, and then the SMTP server delivers the messages. Therefore, the unauthorized users who send unsolicited commercial e-mail messages only have to send one inbound message to your SMTP server so that it can then be delivered to thousands of recipients, which slows down your Exchange Server computer's responsiveness, congests queues, and causes irritation and annoyance to the recipients when the messages arrive in their Inboxes.

The primary means of controlling relaying is by not granting relay permissions to any other hosts. However, there are times when relaying is required. For example, if you have Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP4) clients who rely on SMTP for message delivery and have legitimate reasons for sending e-mail messages to external domains. You can work around this issue by creating a second SMTP virtual server that is dedicated to receiving e-mail messages from POP3 and IMAP4 clients. This additional SMTP virtual server can use authentication combined with Secure Sockets Layer (SSL) based encryption and can be configured to allow relaying for authenticated clients.

I hope I have informed you better.

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:40:00 PM)

You're comical. Copying and pasting articles isn't helping anything. You made a mistake; you thought you knew what you were talking about but you were WRONG. Would you like me to copy and paste your previous post? LOL... The question never was about what spam or relaying is. That's SMTP 101. My question was how I might find out what username is being used to authenticate. You need to admit when you're wrong. It's the only way to learn.

Randy Temple -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:47:00 PM)

Yes, but if you would take time to read the copy and paste you would have your answer..... Sending a single email message to an SMTP server with multiple recipients in domains external to your org does this. Because the default setting for SMTP servers is to use anonymous authentication, the system being used to propagate the commercial email messages accepts the inbound message as typical. After the message is accepted, the SMTP server recognizes that the message recipients belong to external domains.

How was I wrong about the anonymous access? I never said to uncheck this. I said with it being checked anyone can connect to your server. By having "Allow all computers which successfully authenticate to relay" checked, anyone can send a mail message in with multiple recipients and use your mail server as a relay.

jjd228 -> RE: URGENT, PLEASE HELP (24.Feb.2004 6:55:00 PM)

I'm at a loss for words here. Please, listen close... This is how it works: anonymous authentication will indeed allow any other entity to "connect" to the server. THIS IS WHAT YOU WANT!... After that, when your server sees that the message is destined for an external domain, that means it will be RELAYED to those domains. If RELAYING is configured to ONLY ALLOW RELAYING FOR AUTHENTICATED USERS, the messages will NOT be relayed unless the sender provided a username and password, get it? So YES, anyone can SEND a message with multiple recipients... BUT IT WILL NOT BE RELAYED! Do you understand this now?
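As an added illustration of the relay decision argued over in this thread (example code, not anything posted by the participants): a small Python model of the Relay Restrictions settings, showing that an anonymous connection is accepted but only an authenticated session or a listed IP gets an external recipient relayed, plus a per-account tally of relayed recipients, which is the kind of check that answers the original question once the server's SMTP protocol log has been parsed into session records. The session records and the domain example.com are constructed.

```python
from collections import Counter

LOCAL_DOMAINS = {"example.com"}   # assumption: the domain this server is authoritative for

# Constructed SMTP session records: client IP, AUTH user (None = anonymous), recipients.
SESSIONS = [
    {"client_ip": "203.0.113.5", "auth_user": None, "rcpts": ["alice@example.com"]},
    {"client_ip": "203.0.113.9", "auth_user": None, "rcpts": ["x@other.net", "y@other.net"]},
    {"client_ip": "198.51.100.7", "auth_user": "alice", "rcpts": ["pal@other.net"]},
    {"client_ip": "198.51.100.8", "auth_user": "bob", "rcpts": ["v%d@spam.invalid" % i for i in range(500)]},
    {"client_ip": "198.51.100.8", "auth_user": "bob", "rcpts": ["v%d@spam.invalid" % i for i in range(800)]},
]

def is_external(rcpt):
    return rcpt.split("@", 1)[1] not in LOCAL_DOMAINS

def relay_allowed(session, relay_ips, allow_authenticated):
    """Models 'Only the list below' plus the 'Allow all computers which successfully
    authenticate to relay, regardless of the list above' checkbox."""
    if session["client_ip"] in relay_ips:
        return True
    return allow_authenticated and session["auth_user"] is not None

def classify(session, relay_ips, allow_authenticated):
    """Anonymous connections are always accepted (that is how other MTAs deliver
    inbound mail); relaying is decided only for recipients outside LOCAL_DOMAINS."""
    if not any(is_external(r) for r in session["rcpts"]):
        return "delivered locally"
    return "relayed" if relay_allowed(session, relay_ips, allow_authenticated) else "relay denied"

def relayed_by_account(sessions, relay_ips, allow_authenticated):
    """External recipients relayed per authenticated account. An account with an
    implausible count is the credential being abused; that password needs resetting,
    which keeps authenticated relay working for the legitimate remote users."""
    counts = Counter()
    for s in sessions:
        if s["auth_user"] and classify(s, relay_ips, allow_authenticated) == "relayed":
            counts[s["auth_user"]] += sum(1 for r in s["rcpts"] if is_external(r))
    return counts

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["client_ip"], s["auth_user"], classify(s, set(), True))
    print(relayed_by_account(SESSIONS, set(), True).most_common(1))  # [('bob', 1300)]
```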

