RimFire007
asked on
Open Relay / SPAM / Default SMTP Virtual Server Access
Hi
A new SBS 2003 R2 (Exchange 2003 SP1) installation. The ISP routes mails directly to the server
I have several thousands of MAILS IN QUEYE and the tests says that the server is Open Relay. Currently I'm freezing the mails in ESM and planning to delete them. The process seems to take awhile (30 mins so far) and I would love to finish it (or is there any quicker way to get rid of those spams?).
I have few end users on the Site using Outlook 2000 - 2007 and couple RPC over HTTPS Outlook users Off Site. I have read "SMTP server failed open relay test"
http://technet.microsoft.com/en-us/library/aa996901(EXCHG.80).aspx
Following above instructions I have done this:
In SMTP Virtual Server / Properties / Access / Relay Restrictions:
clear the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click Users to specify a subset of users that you want to grant relay permissions on this SMTP virtual server.
I have granted Submit permissions for AUtenticated Users
I have granted Submit and Relay permissions for selected users (to those who use Outlook)
The Tarpit time is 5 seconds
What can I do? I'm affraid that the ISP will block port 25 pretty soon. I have noticed that there were delays when sending or receiving mails apparently the server were busy processing spam.
Rgs,
Juha
A new SBS 2003 R2 (Exchange 2003 SP1) installation. The ISP routes mails directly to the server
I have several thousands of MAILS IN QUEYE and the tests says that the server is Open Relay. Currently I'm freezing the mails in ESM and planning to delete them. The process seems to take awhile (30 mins so far) and I would love to finish it (or is there any quicker way to get rid of those spams?).
I have few end users on the Site using Outlook 2000 - 2007 and couple RPC over HTTPS Outlook users Off Site. I have read "SMTP server failed open relay test"
http://technet.microsoft.com/en-us/library/aa996901(EXCHG.80).aspx
Following above instructions I have done this:
In SMTP Virtual Server / Properties / Access / Relay Restrictions:
clear the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click Users to specify a subset of users that you want to grant relay permissions on this SMTP virtual server.
I have granted Submit permissions for AUtenticated Users
I have granted Submit and Relay permissions for selected users (to those who use Outlook)
The Tarpit time is 5 seconds
What can I do? I'm affraid that the ISP will block port 25 pretty soon. I have noticed that there were delays when sending or receiving mails apparently the server were busy processing spam.
Rgs,
Juha
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The success audits..are they from one account or multiple accounts. If you're getting many of them from a single account that is your cuplrit.
Also do a netstat to see if one of the machines is a spambot relaying through your exchange. You will notice a disproportionate amount of connections from this system
Also do a netstat to see if one of the machines is a spambot relaying through your exchange. You will notice a disproportionate amount of connections from this system
ASKER
Hi
Success audits mainly from administrator and I feel that it is not hijacked (at least anymore since I changed the PW.
Regarding netstat: nothing special
Below is my current Relay Restriction. Nothing to change there. Should it be OK?.
I will strat this procedure to empty the queye:
http://www.amset.info/exchange/spam-cleanup.asp
"Cleaning Up the Exchange Server's SMTP Queues
Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound messages from the Internet unless they are from the spammer continuing to try and abuse your server...."
Rgs,
Juha
RelayRestrictionsNow.doc
Success audits mainly from administrator and I feel that it is not hijacked (at least anymore since I changed the PW.
Regarding netstat: nothing special
Below is my current Relay Restriction. Nothing to change there. Should it be OK?.
I will strat this procedure to empty the queye:
http://www.amset.info/exchange/spam-cleanup.asp
"Cleaning Up the Exchange Server's SMTP Queues
Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound messages from the Internet unless they are from the spammer continuing to try and abuse your server...."
Rgs,
Juha
RelayRestrictionsNow.doc
Your screen dump is correct, what do you have in the Users (button on the bottom of the Relay Restrictions)?
Also make sure you have the following options selected, Global Settings > Message Delivery > Recipient Filtering tab 'Filter recipients who are not in the Directory' check box. It would alo be worth checking Sender Filtering tab 'Filter messages with a blank sender'. These will help you manage in-bound spam.
Also make sure you have the following options selected, Global Settings > Message Delivery > Recipient Filtering tab 'Filter recipients who are not in the Directory' check box. It would alo be worth checking Sender Filtering tab 'Filter messages with a blank sender'. These will help you manage in-bound spam.
ASKER
richclawson
"what do you have in the Users (button on the bottom of the Relay Restrictions)?"
The Authenticated users
And
Sahkopostin kayttajat Security Group (Members are users who need to use email)
"'Filter recipients who are not in the Directory' check box."
It was allready there
"'Filter messages with a blank sender'."
No such selection (Exchange SP1)
I'm currently doing the cleanup proces to queye.
Rgs,
Juha Rimmi
"what do you have in the Users (button on the bottom of the Relay Restrictions)?"
The Authenticated users
And
Sahkopostin kayttajat Security Group (Members are users who need to use email)
"'Filter recipients who are not in the Directory' check box."
It was allready there
"'Filter messages with a blank sender'."
No such selection (Exchange SP1)
I'm currently doing the cleanup proces to queye.
Rgs,
Juha Rimmi
ASKER
Btw
It seems that the server setup were basicly quite OK all ready (this server were setup on last friday).
Nothing special netstat results in the LAN.
Why is the server regognized to be an Open Relay (which it really seems to be)?
It is true that I changed the administrators pw 1 hrs ago.
I started to install winupdates 16 hrs ago and no it lasks only Exchange SP2
Have I missunderstand something here? In HW firewall I have forwarded all SMTP traffic to servers Internal address.
The smtp is currently blocked from Internet while i'm cleaning the spam. Surely I don't want to see they Queye fill up again so is there any further settings I can do? The Tarpit is set to 5 secs.
Rgs,
Juha
It seems that the server setup were basicly quite OK all ready (this server were setup on last friday).
Nothing special netstat results in the LAN.
Why is the server regognized to be an Open Relay (which it really seems to be)?
It is true that I changed the administrators pw 1 hrs ago.
I started to install winupdates 16 hrs ago and no it lasks only Exchange SP2
Have I missunderstand something here? In HW firewall I have forwarded all SMTP traffic to servers Internal address.
The smtp is currently blocked from Internet while i'm cleaning the spam. Surely I don't want to see they Queye fill up again so is there any further settings I can do? The Tarpit is set to 5 secs.
Rgs,
Juha
Hi Juha, your config settings seem to be ok. Do you have any spam filtering solution in place?
If not, you can update Exchange to SP2 and impliment IMF (details here http://www.petri.co.il/block_spam_with_exchange2003_imf.htm) its a fairly basic application but ive used it for many years and it is quite effective and free.
regards richard
If not, you can update Exchange to SP2 and impliment IMF (details here http://www.petri.co.il/block_spam_with_exchange2003_imf.htm) its a fairly basic application but ive used it for many years and it is quite effective and free.
regards richard
ASKER
Hi richard
I will defenetly install Exchange SP2 after I have cleaned spams (apx 150 000 in queye and keep growing). Unfortunatelly there is not any external spam filtering company to relay right now. I have had IMF in some places and some kind of understanding how to setup the security level.
Actually the server AV is pretty old so I will update it as well.
Rgs, Juha
I will defenetly install Exchange SP2 after I have cleaned spams (apx 150 000 in queye and keep growing). Unfortunatelly there is not any external spam filtering company to relay right now. I have had IMF in some places and some kind of understanding how to setup the security level.
Actually the server AV is pretty old so I will update it as well.
Rgs, Juha
ASKER
Aha
No I have more information. Ín queyed mails the sender is postmaster@mydomain.fi (at least first 10 000). According my Google research that indicates NDR attack.
Hopefully WinUpdates + Exchange SP2 helps with that + what I find regarding NDR attac.
Rgs,
Juha
No I have more information. Ín queyed mails the sender is postmaster@mydomain.fi (at least first 10 000). According my Google research that indicates NDR attack.
Hopefully WinUpdates + Exchange SP2 helps with that + what I find regarding NDR attac.
Rgs,
Juha
I recommend also using mxtoolbox.com to test your server. It will also provide some help.
You could disable NDRs, listed instuctions below. Yoy may not be spamming just your queues are getting hijacked by NDRs
To disable NDRs, follow these steps:
Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
Click the Advanced tab.
Click to clear the Allow non-delivery reports check box, and then click OK.
To specify who can receive copies of NDRs, follow these steps:
Under Administrative Groups, expand First Administrative Group, expand Servers, expand servername, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
Stop, and then restart the MS Exchange Routing Engine and SMTP services.
Microsoft recommends that you also create a postmaster e-mail address for NDRs that come from other servers. This can be a secondary SMTP address for a user or a mail-enabled User account. Use Active Directory Users and Computers to add the e-mail address or mail-enabled account.
The user will not receive the actual message that caused the NDR. However, if the notice is opened and Send Again is selected, the actual message appears and can be forwarded if you want.
To disable NDRs, follow these steps:
Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
Click the Advanced tab.
Click to clear the Allow non-delivery reports check box, and then click OK.
To specify who can receive copies of NDRs, follow these steps:
Under Administrative Groups, expand First Administrative Group, expand Servers, expand servername, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
Stop, and then restart the MS Exchange Routing Engine and SMTP services.
Microsoft recommends that you also create a postmaster e-mail address for NDRs that come from other servers. This can be a secondary SMTP address for a user or a mail-enabled User account. Use Active Directory Users and Computers to add the e-mail address or mail-enabled account.
The user will not receive the actual message that caused the NDR. However, if the notice is opened and Send Again is selected, the actual message appears and can be forwarded if you want.
Go to mxtoolbox and test your server again when mail is enabled. If it still is testing as an open relay then you have more than just NDR issues. You have a compromised password or a deep-seeded misconfiguration somewhere.
ASKER
Thanks cgaliher
I'm almost falling in sleep here. I have opened an another conversation. I magaded to get rid Open Relay but now i'm again on ot. Sunny is working with this with me and he is about to go on. II update here soon.
Rgs, Juha
I'm almost falling in sleep here. I have opened an another conversation. I magaded to get rid Open Relay but now i'm again on ot. Sunny is working with this with me and he is about to go on. II update here soon.
Rgs, Juha
ASKER
Hi
This case seem to be closed. I really took awile to solve all issues. I'll grant point laiter on and explain what has happened. I need to have some rest now.
Thank you all and specially for helping me.
Involved open questions / same server:
"Outlook Clients lost Exchange. LDAP Bind was unsuccessful on directory FQDN 0x31 Invalid Credentials."
"Problems deleting Spam from SMTP Queye"
"Open Relay / SPAM / Default SMTP Virtual Server Access"
"OWA DNS Internally + OWA DNS Externally"
Rgs,
Juha
This case seem to be closed. I really took awile to solve all issues. I'll grant point laiter on and explain what has happened. I need to have some rest now.
Thank you all and specially for helping me.
Involved open questions / same server:
"Outlook Clients lost Exchange. LDAP Bind was unsuccessful on directory FQDN 0x31 Invalid Credentials."
"Problems deleting Spam from SMTP Queye"
"Open Relay / SPAM / Default SMTP Virtual Server Access"
"OWA DNS Internally + OWA DNS Externally"
Rgs,
Juha
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I can close the case now.
The attact came probably from Taiwan. Additionally what Sunny says above (which is the fact) the customer decided to use D-Fence service. Their servers filters the spam and in the HW FW I'll forward SMTP only from their IP addresses. ISP noticed the SPam situation and asked explanation. I admit the spam but in that time the spamming has stopped cause the server were fixed. I'll also let them know that we hired D-Fence to filter spam in the future. The ISP sayd OK but we will monitor the behavior of the internet taraffic of that Internet Connection awhile.
The domain is balcklisted at Barracuda and Tiopan. I'll try to contact them today. Now when the D-Fence filters spam the the test mxtoolbox blacklist says that the domain is Ok but I believe that I have to contakt them anyway.
Very special thanks to Sunny who helped me out from this nightmare! Without that direct help I don't know how I could guide out from the terrible situation.
Also great thanks to all you other. Exchange-Experts can save lives.
In the future I won't setup a Exchange as carelesly. The good thing that I learned in the hard way to take care immdiently the Open Relay situation! I also believe that I can now fix the SMTP Banner problem perhaps by my self.
Again thank you all for helping me solve the multiple problems i had. Have a Great Summer!
With Best Regards,
Juha
The attact came probably from Taiwan. Additionally what Sunny says above (which is the fact) the customer decided to use D-Fence service. Their servers filters the spam and in the HW FW I'll forward SMTP only from their IP addresses. ISP noticed the SPam situation and asked explanation. I admit the spam but in that time the spamming has stopped cause the server were fixed. I'll also let them know that we hired D-Fence to filter spam in the future. The ISP sayd OK but we will monitor the behavior of the internet taraffic of that Internet Connection awhile.
The domain is balcklisted at Barracuda and Tiopan. I'll try to contact them today. Now when the D-Fence filters spam the the test mxtoolbox blacklist says that the domain is Ok but I believe that I have to contakt them anyway.
Very special thanks to Sunny who helped me out from this nightmare! Without that direct help I don't know how I could guide out from the terrible situation.
Also great thanks to all you other. Exchange-Experts can save lives.
In the future I won't setup a Exchange as carelesly. The good thing that I learned in the hard way to take care immdiently the Open Relay situation! I also believe that I can now fix the SMTP Banner problem perhaps by my self.
Again thank you all for helping me solve the multiple problems i had. Have a Great Summer!
With Best Regards,
Juha
ASKER
With honor I grade 400 to Sunny for excelent job and direct hands on work. Unfortunatelly I have only 100 points left to grade all other.
I grant the left 100 points to paulsolov due to guiding me intoright place SMTP Virtual Server / realy option.
Thank you very much all for exelent support. Have a Great Summer"
With Best Regards,
Juha
I grant the left 100 points to paulsolov due to guiding me intoright place SMTP Virtual Server / realy option.
Thank you very much all for exelent support. Have a Great Summer"
With Best Regards,
Juha
ASKER
Thanks you for your reply.
Regarding security logs I can't say - basicly Success Audits for System and Administrator. I saw a article somewhere how to setup Audit for this situation. I also change administarators passwor now.
For some reason the relay setting has bounched back as illustrated in image
Rgs,
Juha
Capture1.JPG