Solved

Exchange server 5.5 abuse !

Posted on 2002-06-20
9
199 Views
Last Modified: 2010-03-05
we use exchange 5.5 with SP4 apllied. Although relaying is disabled, still somebody is using our server to send spam mails.

our domain is: groupcheyns.be
it looks like that he was able to create a distribution list or something in our server because he uses a account test1@groupcheyns.be as recipient.

2 examples:

1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK

1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>

1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>

1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF

1/17/02 12:12:40 PM : >>> 250 OK

1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection

second example:

3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : >>> 250 OK

3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:24 AM : >>> 250 OK - mail from <info@optinmail.cc>

3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : >>> 250 OK - Recipient <test1@groupcheyns.be>

3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:25 AM : >>> 354 Send data.  End with CRLF.CRLF

3/12/02 3:32:26 AM : >>> 250 OK

3/12/02 3:32:26 AM : <<< QUIT
3/12/02 3:32:26 AM : >>> 221 closing connection


Does somebody know of a webscanner that can check the vulnerabilities in our mailserver ?

Marc
0
Comment
Question by:marc_dumortier
9 Comments
 
LVL 3

Expert Comment

by:jpmarten
ID: 7095994
When you say you have relaying disabled, how do you have your IMS configured?

Did you follow Q196626.

If someone is relaying off of you using a DL sent from an invalid smtp address, then you do not have the setting of "Accept connections from clients that SUCCESSFULLY autheniticate"  Verify that.

Open Exchange Admin
Bring up the properties of the IMC
Go to the routing tab
Click on the routing restrictions at the bottom
Make sure there is a check mark in the top box.
0
 

Author Comment

by:marc_dumortier
ID: 7097203
i don't work tomorrow, i'll let you know on monday
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7103203
What you have just told it's NOT relaying.
It's a ligitimate behavior.
You server will ALWAYS receive a messages which are sent to @groupcheyns.be domain.
 
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:marc_dumortier
ID: 7103258
to jp marten:

i checked what you asked and it is the case: the check mark is there in the top box.


to ronin:

yes, you're right but I don't understand then what is going on: look below what I as postmaster receive:

A mail message was not sent because the maximum time for delivery has expired.  The message was not delivered to the following addresses:

The message that caused this notification was:


      To:       <Ashley@j4femail.com>
      From:     <>
      Subject:  Undeliverable: Nude Celebs - Amateur Cams - FREE Pics!=> test1@groupcheyns.be


this is an outbound mail failure !

any ideas ?
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7103633
Ofcause it is !!!!
The sender is test1@groupcheyns.be but the user DOESN'T EXISTS so where do you expect that the service account will forward the message ?????

0
 

Expert Comment

by:NetNemo
ID: 7104395
This situation described in Q200059 letter on the Microsoft knolege base. That's RFC's feature.
See  in http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q200059

You need configure IMC, to match address with GAL when it entred in "RCPT TO:<test1@groupcheyns.be>" SMTP handshake.
Unfortunately, I have not link to right configuration description.
0
 

Author Comment

by:marc_dumortier
ID: 7104548
ronin,

I think now my first posting has nothing to do with the abuse. it's just two incoming mails for which the user doesn't exist. you're right but how do you explain the OUTGOING MAIL FAILURE message ?
we have no user or mailbox named 'test1', also the subject of the mail 'live webcams etc etc' makes me think someone is abusing our system. Look at the From-field, it says '<>' as sender. i assume it is the abuser who filled this <> in as sender. not ?
0
 
LVL 16

Accepted Solution

by:
Postmaster earned 300 total points
ID: 7106355
Hi Marc,
What you have is an attempt to deliver to a non-existant address. Your IMS is bouncing the message back to the sender address (which with most SPAM, does not exist).
So the unsuccessful bounce message goes to your Postmaster account as non-delivery.
The message is from the system <> as it is a bounce msg.

This does waste some of your link bandwidth, but no more than any other non-delivery message.
Your mail system is doing its job correctly.

The subject line can be anything at all - I would not be worried about this.

Regards,
Postmaster
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7107245
<> is the sender.
Today is a lot of smap programs which can enable this feature.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question