Someone is relaying off this server but it is set up correctly to block relaying -???






dlavely -> Someone is relaying off this server but it is set up correctly to block relaying -??? (3.Sep.2003 1:54:00 AM)

Hi, all. This is really weird. My client has Exchange 2000. By default relaying is disabled. I have checked the settings 20 times and they are correct. But the message queues are full of relay messages! Is there some hack that can get past these settings? I have been through relaying problems before and fixed them, so I am confident my settings are correct. They do match up with the setup doc on this site, which are all default settings anyway.

This is getting serious because their ISP is shutting them down, and I can't figure out how to stop it! Any suggestions?

Thanks!
Dan




mfugatt -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (3.Sep.2003 5:39:00 AM)

Is the guest account enabled? Maybe one of the users' account details has been compromised? Are there any SMTP connectors, and how are they configured?

Are you sure that the messages in the queue are not just NDRs?




dlavely -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (3.Sep.2003 3:18:00 PM)

Thanks for the reply. The guest account is not enabled. I don't think the messages are NDRs. When I check the properties of a message in one of the queues, they all have different addresses in the From and To fields. There are no SMTP connectors. This is a simple domain with 1 AD/Exchange server and 1 Citrix server, going through DSL to the Internet.

I'm stumped right now.




Henrik Walther -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (3.Sep.2003 8:15:00 PM)

Hello dlavely,

As Mark mentions, it could very well be an SMTP AUTH relay attack, which is quite common these days. Such attacks are also quite easy to carry out, because users way too often use weak passwords.

Take a look at the article below from Vamsoft to read more about these types of attacks:

http://www.vamsoft.com/orf/authattack.asp

Regards

[ September 04, 2003, 03:56 PM: Message edited by: Henrik Walther ]
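The attack Henrik describes, as an added example that is not part of this thread: a mock SMTP server that applies an Exchange 2000 style relay decision, probed three ways (anonymous, wrong password, correctly guessed weak password) with the "allow authenticated clients to relay" option on and off. The domain example.com, the account alice with password Summer2003, and the other addresses are constructed for the demonstration; the mock is not Exchange and only mimics its reply codes.

```python
"""SMTP AUTH relay demonstration: mock server with an Exchange-2000-style
relay policy, probed by a client that tries to relay to an outside domain."""
import base64
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"example.com"}            # constructed: domain this server accepts mail for
ACCOUNTS = {"alice": "Summer2003"}         # constructed: a mailbox with a guessable password
EXTERNAL_RCPT = "victim@mail.example.net"  # constructed: recipient outside LOCAL_DOMAINS


def rcpt_allowed(rcpt, authenticated, allow_auth_relay):
    """Relay decision for one RCPT TO: delivery to a local domain is always
    accepted; anything else is relaying, allowed only for an authenticated
    session and only when the authenticated-relay option is on."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True
    return authenticated and allow_auth_relay


class MockExchangeSMTP(socketserver.StreamRequestHandler):
    """Just enough ESMTP for EHLO, AUTH LOGIN, MAIL, RCPT, RSET and QUIT."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def read_line(self):
        return self.rfile.readline().decode("ascii", "replace").rstrip("\r\n")

    def handle(self):
        authenticated = False
        self.reply("220 mail.example.com Mock ESMTP ready")
        while True:
            line = self.read_line()
            if not line:
                return                       # client disconnected
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.reply("250-mail.example.com")
                self.reply("250 AUTH LOGIN")  # the mechanism password guessers use
            elif verb == "HELO":
                self.reply("250 mail.example.com")
            elif verb == "AUTH":
                authenticated = self.auth_login(arg)
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                rcpt = arg.split(":", 1)[-1].strip().strip("<>")
                if rcpt_allowed(rcpt, authenticated, self.server.allow_auth_relay):
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay for " + rcpt)
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")

    def auth_login(self, arg):
        """AUTH LOGIN: base64 user name and password after 334 prompts; the
        user name may also be supplied on the AUTH line itself."""
        mech, _, initial = arg.partition(" ")
        if mech.upper() != "LOGIN":
            self.reply("504 5.7.4 Unrecognized authentication type")
            return False
        if initial:
            user = base64.b64decode(initial).decode("ascii", "replace")
        else:
            self.reply("334 " + base64.b64encode(b"Username:").decode("ascii"))
            user = base64.b64decode(self.read_line()).decode("ascii", "replace")
        self.reply("334 " + base64.b64encode(b"Password:").decode("ascii"))
        password = base64.b64decode(self.read_line()).decode("ascii", "replace")
        if ACCOUNTS.get(user) == password:
            self.reply("235 2.7.0 Authentication successful")
            return True
        self.reply("535 5.7.3 Authentication unsuccessful")
        return False


def start_server(allow_auth_relay):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockExchangeSMTP)
    srv.daemon_threads = True
    srv.allow_auth_relay = allow_auth_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_relay(port, creds=None):
    """Return the RCPT TO reply code for an outside recipient, optionally after
    attempting AUTH LOGIN with creds=(user, password)."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="probe.example.org", timeout=5) as smtp:
        smtp.ehlo()
        if creds:
            try:
                smtp.login(*creds)
            except smtplib.SMTPAuthenticationError:
                pass                         # stay connected, carry on anonymously
        smtp.mail("spammer@mail.example.org")  # constructed forged outside sender
        code, _ = smtp.rcpt(EXTERNAL_RCPT)
        smtp.rset()
        return code


def run_demo():
    """Probe both settings of the authenticated-relay option."""
    results = {}
    for allow in (True, False):
        srv = start_server(allow)
        port = srv.server_address[1]
        results[allow] = {
            "anonymous": probe_relay(port),
            "wrong_password": probe_relay(port, ("alice", "Winter2003")),
            "guessed_password": probe_relay(port, ("alice", "Summer2003")),
        }
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for allow, codes in run_demo().items():
        print("allow authenticated relay =", allow, codes)
```

Anonymous and failed-AUTH sessions get "550 5.7.1 Unable to relay" in both configurations, which is why an outside relay test reports a closed relay; only a session that authenticated with a guessed password relays, and only while the authenticated-relay option is on. In ESM that option is the "Allow all computers which successfully authenticate to relay" checkbox behind the Relay button on the SMTP virtual server's Access tab.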




Guest -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (3.Sep.2003 8:56:00 PM)

I will enable auditing to find out if one of our users' accounts is being used. Some of them do have weak passwords. Also, can you tell me where I disable the server's option to send NDRs? Thanks!




Henrik Walther -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (4.Sep.2003 4:13:00 PM)

You can disable NDRs by doing the following in ESM:

- Expand Global Settings
- Left-click Internet Message Formats
- Right-click Default in the right pane
- Click Advanced
- Disable Allow non-delivery reports

Regards




Guest -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (8.Sep.2003 1:49:00 AM)

Mark and Henrik,

I disabled the "allow authenticated to relay" checkbox and told them to change everyone's password. The evil spammer has been defeated! I shouldn't gloat, though, because I don't know what actually solved the problem. My best guess is that the password of the compromised account was changed. I turned on security auditing but haven't gone through the logs yet.

Thanks to you both for your help! You are greatly appreciated out here!

Dan




Guest -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (10.Sep.2003 4:13:00 PM)

I have the same problem, but when I turn on the audit feature I do not see anything in Event Viewer. What gives?




Henrik Walther -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (10.Sep.2003 9:23:00 PM)

Hello <jimp>,

Inform your users to change their password.

Regards
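What the auditing discussed in the posts above can show once it is actually producing events, as an added example that is not from the thread: a small hunt over constructed Security-log records for a burst of logon failures from one source followed by a success on an account that was being guessed. The column layout, IP addresses and account names are constructed; on a real Exchange 2000 server you would export the Security log from Event Viewer and map its columns onto these. Note that logon events only appear if the audit policy has failure auditing for logon events enabled and the policy has applied, so an empty log after "turning on auditing" usually means the policy is not yet in effect.

```python
"""Hunt for SMTP AUTH password guessing in Security-log records."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, reduced to the fields this hunt needs.
# Event 529 = logon failure (unknown user name or bad password), 528 = success.
# Logon type 8 (NetworkCleartext) is what basic AUTH LOGIN produces; type 3
# (Network) is what NTLM produces. Addresses are from documentation ranges.
SAMPLE_LOG = """\
time,event,account,logon_type,source
2003-09-02 23:10:01,529,alice,8,203.0.113.7
2003-09-02 23:10:02,529,bob,8,203.0.113.7
2003-09-02 23:10:02,529,carol,8,203.0.113.7
2003-09-02 23:10:03,529,alice,8,203.0.113.7
2003-09-02 23:10:04,529,alice,8,203.0.113.7
2003-09-02 23:10:05,529,bob,8,203.0.113.7
2003-09-02 23:10:06,529,alice,8,203.0.113.7
2003-09-02 23:10:07,528,alice,8,203.0.113.7
2003-09-02 23:14:30,528,alice,8,203.0.113.7
2003-09-02 23:20:00,529,dan,8,192.0.2.10
2003-09-02 23:20:15,528,dan,8,192.0.2.10
"""

NETWORK_LOGON_TYPES = {"3", "8"}


def parse_log(text):
    """Return records with a datetime and int event ID, keeping only network
    logons (a console logon cannot be an SMTP AUTH attempt)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event"] = int(row["event"])
        records.append(row)
    return records


def detect_password_guessing(records, threshold=5, window=timedelta(minutes=10)):
    """Flag each source with at least `threshold` failures inside any `window`,
    and list the accounts that later logged on successfully from that same
    source: those are the passwords that were most likely guessed."""
    by_source = defaultdict(list)
    for r in records:
        by_source[r["source"]].append(r)
    findings = []
    for source, events in by_source.items():
        events.sort(key=lambda r: r["time"])
        failures = [e for e in events if e["event"] == 529]
        peak, start = 0, 0
        for end in range(len(failures)):      # sliding window over the failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue                          # a single typo is not an attack
        tried, guessed = set(), []
        for e in events:
            if e["event"] == 529:
                tried.add(e["account"])
            elif e["event"] == 528 and e["account"] in tried and e["account"] not in guessed:
                guessed.append(e["account"])
        findings.append({"source": source, "peak_failures": peak,
                         "accounts_tried": sorted(tried), "likely_guessed": guessed})
    return findings


if __name__ == "__main__":
    for finding in detect_password_guessing(parse_log(SAMPLE_LOG)):
        print(finding)
```

The single failure from 192.0.2.10 followed by a success is a user mistyping a password and stays below the threshold; the seven failures in six seconds from 203.0.113.7 spread across three accounts, followed by a success on alice, are the pattern to act on: reset that account's password first, then audit the rest.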




new435 -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (19.Nov.2003 10:06:00 PM)

I have a similar issue: 191 domains listed in the queues folder. When I enumerate the messages, most say they are from postmaster@xxxx.com, where xxxx is my client's SMTP domain name, so it looks like it's just NDRs. But I have another problem: there are some legitimate usernames and domains, the most well known being verizon.net, where the Exchange server, within an hour of receiving the item from the user, sends a delay message: "delivery to the following recipients has been delayed". These items DO show up in the queues, and are known good email addresses. We've been able to send to these users through a Yahoo or AOL mail account, but the Exchange server won't.




dariley -> RE: Someone is relaying off this server but it is set up correctly to block relaying -??? (22.Nov.2003 3:56:00 AM)

I've tried everything else and this was the only one that actually worked! Thanks!

According to ORDB, my server wasn't an open relay. But it was trying to send thousands of NDRs to addresses that didn't exist. With NDRs turned off, the queues finally cleaned out.

Thanks Again!
Dave

quote:
Originally posted by Henrik Walther:
You can disable NDRs by doing the following in ESM:

- Expand Global Settings
- Left-click Internet Message Formats
- Right-click Default in the right pane
- Click Advanced
- Disable Allow non-delivery reports

Regards



[ November 22, 2003, 03:58 AM: Message edited by: dariley ]
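To settle the question mfugatt raised and new435 and dariley ran into, whether a full queue is relayed mail or just NDRs, here is an added triage script that is not part of the thread. It runs over a constructed queue dump in the "sender -> recipient" shape you get when enumerating messages in the ESM Queue Viewer, classifies each message by whether the sender and recipient sit inside or outside the organisation's own domain, and totals the destinations per class. The domain example.com and every address are constructed.

```python
"""Triage a queue dump: NDR backscatter, relayed mail, or normal traffic."""
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"example.com"}   # constructed: the Exchange organisation's own SMTP domain

# Constructed dump, one queued message per line as "sender -> recipient".
# "<>" is the null sender that NDRs are sent with.
SAMPLE_QUEUE = """\
postmaster@example.com -> joe123@mail.example.net
<> -> abc@mail.example.net
postmaster@example.com -> xyz@example.org
promo@mail.example.org -> someone@example.net
promo@mail.example.org -> other@example.net
alice@example.com -> friend@example.net
boss@example.net -> alice@example.com
"""

RECOMMENDATION = {
    "ndr_backscatter": "server is bouncing spam sent to bad local addresses: disable NDRs",
    "relayed": "outside sender to outside recipient: check relay restrictions, "
               "authenticated relay and reset passwords",
    "outbound_local_sender": "normal unless the volume is abnormal for that mailbox",
    "inbound": "normal inbound delivery",
}


def domain_of(addr):
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(sender, recipient):
    sender = sender.strip()
    s, r = domain_of(sender), domain_of(recipient)
    if r in LOCAL_DOMAINS:
        return "inbound"
    is_bounce = sender == "<>" or (sender.lower().startswith("postmaster@") and s in LOCAL_DOMAINS)
    if is_bounce:
        return "ndr_backscatter"
    if s in LOCAL_DOMAINS:
        return "outbound_local_sender"
    return "relayed"              # neither end is ours: we are relaying for someone


def triage(dump):
    """Count messages per class and the top destination domains per class."""
    counts, dests = Counter(), defaultdict(Counter)
    for line in dump.splitlines():
        if "->" not in line:
            continue
        sender, recipient = (part.strip() for part in line.split("->", 1))
        cls = classify(sender, recipient)
        counts[cls] += 1
        dests[cls][domain_of(recipient)] += 1
    return {
        "counts": dict(counts),
        "top_destinations": {c: d.most_common(3) for c, d in dests.items()},
        "actions": {c: RECOMMENDATION[c] for c in counts},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_QUEUE).items():
        print(key, value)
```

A queue dominated by the ndr_backscatter class is the situation dariley describes (not an open relay, thousands of bounces to addresses that do not exist), and disabling NDRs drains it; a queue with a large relayed class is the original poster's situation and points at relay restrictions or a compromised account rather than at NDRs.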



