Exchange Server Forums

Someone is relaying off this server but it is set up correctly to block relaying -???

Someone is relaying off this server but it is set up co... - 3.Sep.2003 1:54:00 AM   
dlavely

 

Posts: 13
Joined: 3.Sep.2003
From: Akron, OH
Status: offline
Hi, all. This is really weird. My client has Exchange 2000. By default relaying is disabled. I have checked the settings 20 times and they are correct. But the message queues are full of relay messages! Is there some hack that can get past these settings? I have been through relaying problems before and fixed them, so I am confident my settings are correct. They do match up with the setup doc on this site, which are all default settings anyway.

This is getting serious because their ISP is shutting them down, and I can't figure out how to stop it! Any suggestions?

Thanks!
Dan
Post #: 1
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 5:39:00 AM   
mfugatt

 

Posts: 479
Joined: 7.Apr.2002
From: United Kingdom
Status: offline
Is the guest account enabled? Maybe one of the users' account information has been compromised? Are there any SMTP Connectors, and how are they configured?

Are you sure that the messages in the queue are not just NDRs?

(in reply to dlavely)
Post #: 2
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 3:18:00 PM   
dlavely

 

Posts: 13
Joined: 3.Sep.2003
From: Akron, OH
Status: offline
Thanks for the reply. The guest account is not enabled. I don't think the messages are NDRs. When I check the properties of a message in one of the queues, they all have different addresses in the From and To fields. There are no SMTP connectors. This is a simple domain with 1 AD/Exchange server and 1 Citrix server, going through DSL to the Internet.

I'm stumped right now.

(in reply to dlavely)
Post #: 3
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 8:15:00 PM   
Henrik Walther

 

Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
Hello dlavely,

As Mark mentions, it could very well be an SMTP AUTH relay attack, which is quite common these days. They are also quite easy to carry out, because users, way too often, use weak passwords.

Take a look at the article below from Vamsoft to read more about these types of attacks:

http://www.vamsoft.com/orf/authattack.asp

Regards

[ September 04, 2003, 03:56 PM: Message edited by: Henrik Walther ]

(in reply to dlavely)
Post #: 4
RE: Someone is relaying off this server but it is set u... - 3.Sep.2003 8:56:00 PM   
Guest
I will enable auditing to find out if one of our user's accounts is being used. Some of them do have weak passwords. Also, can you tell me where I disable the server's option to send NDRs? Thanks!

(in reply to dlavely)
  Post #: 5
RE: Someone is relaying off this server but it is set u... - 4.Sep.2003 4:13:00 PM   
Henrik Walther

 

Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
You can disable NDRs by doing the following in ESM:

- Expand Global Settings
- Leftclick Internet Message Formats
- Rightclick Default in right pane
- Click Advanced
- Disable Allow non-delivery reports

Regards

(in reply to dlavely)
Post #: 6
RE: Someone is relaying off this server but it is set u... - 8.Sep.2003 1:49:00 AM   
Guest
Mark and Henrik,

I disabled the "allow authenticated to relay" checkbox and told them to change everyone's password. The evil spammer has been defeated! I shouldn't gloat, though, because I don't know what actually solved the problem. My best guess is that the account that was compromised changed the password. I turned on security auditing but haven't gone through the logs yet.

Thanks to you both for your help! You are greatly appreciated out here!

Dan

(in reply to dlavely)
  Post #: 7
RE: Someone is relaying off this server but it is set u... - 10.Sep.2003 4:13:00 PM   
Guest
I have the same problem but when I turn on the audit feature I do not see anything in the eventvwr. What gives?

(in reply to dlavely)
  Post #: 8
RE: Someone is relaying off this server but it is set u... - 10.Sep.2003 9:23:00 PM   
Henrik Walther

 

Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
Hello <jimp>,

Inform your users to change their password.

Regards

(in reply to dlavely)
Post #: 9
RE: Someone is relaying off this server but it is set u... - 19.Nov.2003 10:06:00 PM   
new435

 

Posts: 3
Joined: 19.Nov.2003
From: Hackensack, NJ
Status: offline
I have a similar issue....191 domains listed in the queues folder. When I enumerate the messages, most say they are from postmaster@xxxx.com where xxxx is my client's SMTP domain name, so it looks like it's just NDRs. But I have another problem....there are some legitimate usernames and domains....the most well known being verizon.net, where the Exchange server, within an hour of receiving the item from the user, sends a delay message...."delivery to the following recipients has been delayed". These items DO show up in the queues, and are known good email addresses. We've been able to send to these users through a Yahoo or AOL mail account but the Exchange server won't.

(in reply to dlavely)
Post #: 10
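The thread keeps circling back to one triage question: are the queued messages NDRs generated by the server itself (null or postmaster@ sender, as in post #10) or mail relayed between two outside parties (different From/To addresses, as in post #3)? The following is an added example, not code from the forum or from Exchange, that applies those rules to a constructed list of sender/recipient pairs read off the queue message properties; the local domain `example.com` is a hypothetical placeholder for the client's SMTP domain.

```python
"""Triage queued sender/recipient pairs: NDR backscatter vs. relayed mail.

Added example for this thread; queue entries below are constructed, not real.
"""
from collections import Counter

LOCAL_DOMAINS = {"example.com"}  # hypothetical: the client's own SMTP domain(s)

# Constructed sample of From/To pairs as read from queue message properties.
SAMPLE_QUEUE = [
    ("postmaster@example.com", "bob@nonexistent.invalid"),  # server-generated NDR
    ("<>", "alice@bogus.test"),                              # null sender: also a bounce
    ("user@example.com", "friend@verizon.net"),              # legitimate outbound mail
    ("promo@spamdomain.test", "victim1@otherisp.test"),      # neither side local
    ("promo@spamdomain.test", "victim2@otherisp.test"),      # neither side local
    ("someone@outside.test", "employee@example.com"),        # legitimate inbound mail
]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' for the null sender."""
    addr = addr.strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def classify(sender, recipient):
    """Label one queue entry as ndr, inbound, outbound or relay."""
    s, r = domain_of(sender), domain_of(recipient)
    is_postmaster = sender.lower().startswith("postmaster@") and s in LOCAL_DOMAINS
    if sender.strip() in ("", "<>") or is_postmaster:
        return "ndr"        # bounce this server produced; backscatter if the recipient is bogus
    if r in LOCAL_DOMAINS:
        return "inbound"
    if s in LOCAL_DOMAINS:
        return "outbound"
    return "relay"          # neither side is local: relayed through this server


def triage(entries):
    """Count entries per category to see what is actually filling the queues."""
    return Counter(classify(s, r) for s, r in entries)


def suspicious(entries):
    """Relay entries; any of these with anonymous relay disabled points to an
    authenticated (SMTP AUTH) session, i.e. a compromised user password."""
    return [(s, r) for s, r in entries if classify(s, r) == "relay"]


if __name__ == "__main__":
    print(triage(SAMPLE_QUEUE))
    print(suspicious(SAMPLE_QUEUE))
```

A queue dominated by "ndr" entries is the post #10/#11 situation and is cured by turning off NDRs; a queue with "relay" entries is the post #1 situation and calls for the password change and audit the thread recommends.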
RE: Someone is relaying off this server but it is set u... - 22.Nov.2003 3:56:00 AM   
dariley

 

Posts: 13
Joined: 16.Jun.2002
From: Houston, TX
Status: offline
I've tried everything else and this was the only one that actually worked! Thanks!

According to ORDB, my server wasn't an open relay. But it was trying to send thousands of NDRs to addresses that didn't exist. With NDRs turned off, the queues finally cleaned out.

Thanks Again!
Dave

quote:
Originally posted by Henrik Walther:
You can disable NDRs by doing the following in ESM:

- Expand Global Settings
- Leftclick Internet Message Formats
- Rightclick Default in right pane
- Click Advanced
- Disable Allow non-delivery reports

Regards

[ November 22, 2003, 03:58 AM: Message edited by: dariley ]

(in reply to dlavely)
Post #: 11