Solved

Exchange server 5.5 abuse !

Posted on 2002-06-20
202 Views
Last Modified: 2010-03-05
We use Exchange 5.5 with SP4 applied. Although relaying is disabled, somebody is still using our server to send spam mails.

Our domain is: groupcheyns.be
It looks like he was able to create a distribution list or something on our server, because he uses an account test1@groupcheyns.be as recipient.

2 examples:

1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK

1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>

1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>

1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF

1/17/02 12:12:40 PM : >>> 250 OK

1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection

second example:

3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : >>> 250 OK

3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:24 AM : >>> 250 OK - mail from <info@optinmail.cc>

3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : >>> 250 OK - Recipient <test1@groupcheyns.be>

3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:25 AM : >>> 354 Send data.  End with CRLF.CRLF

3/12/02 3:32:26 AM : >>> 250 OK

3/12/02 3:32:26 AM : <<< QUIT
3/12/02 3:32:26 AM : >>> 221 closing connection


Does somebody know of a web scanner that can check the vulnerabilities in our mail server?

Marc
Question by:marc_dumortier
9 Comments
 
LVL 3

Expert Comment

by:jpmarten
ID: 7095994
When you say you have relaying disabled, how do you have your IMS configured?

Did you follow Q196626?

If someone is relaying off of you using a DL sent from an invalid SMTP address, then you do not have the setting "Accept connections from clients that SUCCESSFULLY authenticate". Verify that.

Open Exchange Admin
Bring up the properties of the IMC
Go to the Routing tab
Click on the routing restrictions at the bottom
Make sure there is a check mark in the top box.
 

Author Comment

by:marc_dumortier
ID: 7097203
I don't work tomorrow, I'll let you know on Monday.
 
LVL 4

Expert Comment

by:Ronin
ID: 7103203
What you have just described is NOT relaying.
It's legitimate behavior.
Your server will ALWAYS receive messages which are sent to the @groupcheyns.be domain.

Author Comment

by:marc_dumortier
ID: 7103258
To jpmarten:

I checked what you asked and it is the case: the check mark is there in the top box.


To Ronin:

Yes, you're right, but then I don't understand what is going on. Look below at what I as postmaster receive:

A mail message was not sent because the maximum time for delivery has expired.  The message was not delivered to the following addresses:

The message that caused this notification was:


      To:       <Ashley@j4femail.com>
      From:     <>
      Subject:  Undeliverable: Nude Celebs - Amateur Cams - FREE Pics!=> test1@groupcheyns.be


This is an outbound mail failure!

Any ideas?
 
LVL 4

Expert Comment

by:Ronin
ID: 7103633
Of course it is!!!!
The sender is test1@groupcheyns.be but the user DOESN'T EXIST, so where do you expect that the service account will forward the message?????
 

Expert Comment

by:NetNemo
ID: 7104395
This situation is described in article Q200059 in the Microsoft Knowledge Base. That's an RFC feature.
See http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q200059

You need to configure the IMC to match the address against the GAL when it is entered in the "RCPT TO:<test1@groupcheyns.be>" step of the SMTP handshake.
Unfortunately, I don't have a link to the right configuration description.
 

Author Comment

by:marc_dumortier
ID: 7104548
Ronin,

I think now that my first posting has nothing to do with the abuse. It's just two incoming mails for which the user doesn't exist. You're right, but how do you explain the OUTGOING MAIL FAILURE message?
We have no user or mailbox named 'test1'; also, the subject of the mail ('live webcams etc etc') makes me think someone is abusing our system. Look at the From field, it says '<>' as sender. I assume it is the abuser who filled this <> in as sender. No?
 
LVL 16

Accepted Solution

by: Postmaster (earned 300 total points)
ID: 7106355
Hi Marc,
What you have is an attempt to deliver to a non-existent address. Your IMS is bouncing the message back to the sender address (which, with most SPAM, does not exist).
So the unsuccessful bounce message goes to your Postmaster account as non-delivery.
The message is from the system <> as it is a bounce message.

This does waste some of your link bandwidth, but no more than any other non-delivery message.
Your mail system is doing its job correctly.

The subject line can be anything at all - I would not be worried about this.

Regards,
Postmaster
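The two IMS protocol-log excerpts from the question, run through a small classifier, as an added example that is not part of this thread or of Exchange itself. It puts NetNemo's point (check the recipient against the GAL at RCPT TO, before DATA is accepted) and Postmaster's point (an accepted message to a non-existent user becomes an NDR to the sender address, which for spam is usually forged) into code: each session is labelled as a relay attempt, an accept-then-bounce to an unknown local user, or normal local delivery. The directory set is a constructed stand-in for the GAL (the question says no `test1` exists), the third session is constructed to show what a real relay attempt looks like, and the `550` reply strings are standard SMTP codes, not Exchange's own log text.

```python
"""Classify SMTP sessions from an Exchange 5.5 IMS protocol log.

Added example, not from the thread. The log format mirrors the lines
quoted in the question; DIRECTORY is a stand-in for a GAL lookup.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two sessions quoted in the question, plus a
# constructed third session that really is a relay attempt (foreign recipient).
IMS_LOG = """\
1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK
1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>
1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:40 PM : >>> 250 OK
1/17/02 12:12:40 PM : <<< QUIT
3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:26 AM : <<< QUIT
4/01/02 1:00:00 AM : A connection was accepted from relay-test.example.
4/01/02 1:00:00 AM : <<< MAIL FROM:<someone@example.net>
4/01/02 1:00:00 AM : <<< RCPT TO:<victim@example.org>
"""

LOCAL_DOMAINS = {"groupcheyns.be"}          # from the question
# Constructed stand-in for the GAL; the question states no 'test1' exists.
DIRECTORY = {"marc@groupcheyns.be", "postmaster@groupcheyns.be"}

LINE = re.compile(r"^\S+ \S+ [AP]M : (.*)$")         # strip the timestamp prefix
ACCEPT = re.compile(r"A connection was accepted from (\S+?)\.?$")
MAIL = re.compile(r"<<< MAIL FROM:<([^>]*)>", re.I)   # '<<<' = client command
RCPT = re.compile(r"<<< RCPT TO:<([^>]*)>", re.I)


@dataclass
class Session:
    peer: str
    mail_from: str = ""                 # "" means the null sender <>
    rcpt_to: list = field(default_factory=list)


def parse_sessions(log_text):
    """Group IMS log lines into sessions; server replies (>>>) are ignored."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1)
        if (a := ACCEPT.match(body)):
            sessions.append(Session(peer=a.group(1)))
        elif (f := MAIL.search(body)) and sessions:
            sessions[-1].mail_from = f.group(1)
        elif (r := RCPT.search(body)) and sessions:
            sessions[-1].rcpt_to.append(r.group(1))
    return sessions


def rcpt_verdict(address, local_domains=LOCAL_DOMAINS, directory=DIRECTORY):
    """Reply the server should give at RCPT TO, before any DATA is accepted."""
    domain = address.rpartition("@")[2].lower()
    if domain not in local_domains:
        return "550 5.7.1 Relaying denied"       # not our domain: would be relaying
    if address.lower() not in directory:
        return "550 5.1.1 User unknown"          # our domain, but no such mailbox
    return "250 OK"


def classify_session(s, local_domains=LOCAL_DOMAINS, directory=DIRECTORY):
    """Return (label, per-recipient verdicts, backscatter_if_accepted)."""
    verdicts = {r: rcpt_verdict(r, local_domains, directory) for r in s.rcpt_to}
    if any(v.startswith("550 5.7.1") for v in verdicts.values()):
        label = "relay-attempt"
    elif any(v.startswith("550 5.1.1") for v in verdicts.values()):
        label = "unknown-local-recipient"
    else:
        label = "local-delivery"
    # Accepting an unknown local recipient at RCPT means the server must later
    # generate an NDR to MAIL FROM; a null sender (<>) never gets an NDR.
    backscatter = label == "unknown-local-recipient" and s.mail_from != ""
    return label, verdicts, backscatter


def report(log_text):
    """One (peer, mail_from, label, backscatter) tuple per session."""
    out = []
    for s in parse_sessions(log_text):
        label, _, backscatter = classify_session(s)
        out.append((s.peer, s.mail_from, label, backscatter))
    return out


if __name__ == "__main__":
    for peer, sender, label, bs in report(IMS_LOG):
        print(f"{peer:22} from=<{sender}> {label:24} backscatter={bs}")
```

Run on the sample, both sessions from the question come out as `unknown-local-recipient` with backscatter, which is exactly the double-bounce Marc sees in his postmaster mailbox: the IMS said `250 OK - Recipient` at RCPT, so it had to try to return the message to the forged sender afterwards. Only the constructed third session is a relay attempt. Rejecting with `550` at RCPT TO, as NetNemo suggests, keeps the server from ever taking responsibility for the message, so no NDR is generated at all.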
 
LVL 4

Expert Comment

by:Ronin
ID: 7107245
<> is the sender.
Today there are a lot of spam programs which can enable this feature.