Solved

Exchange Server 5.5 abuse!

Posted on 2002-06-20
9
204 Views
Last Modified: 2010-03-05
We use Exchange 5.5 with SP4 applied. Although relaying is disabled, somebody is still using our server to send spam mails.

Our domain is: groupcheyns.be
It looks like he was able to create a distribution list or something on our server, because he uses an account test1@groupcheyns.be as recipient.

Two examples:

1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK

1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>

1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>

1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF

1/17/02 12:12:40 PM : >>> 250 OK

1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection

Second example:

3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : >>> 250 OK

3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:24 AM : >>> 250 OK - mail from <info@optinmail.cc>

3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : >>> 250 OK - Recipient <test1@groupcheyns.be>

3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:25 AM : >>> 354 Send data.  End with CRLF.CRLF

3/12/02 3:32:26 AM : >>> 250 OK

3/12/02 3:32:26 AM : <<< QUIT
3/12/02 3:32:26 AM : >>> 221 closing connection


Does somebody know of a web scanner that can check the vulnerabilities in our mail server?

Marc
0
Question by:marc_dumortier
9 Comments
 
LVL 3

Expert Comment

by:jpmarten
ID: 7095994
When you say you have relaying disabled, how do you have your IMS configured?

Did you follow Q196626?

If someone is relaying off of you using a DL sent from an invalid SMTP address, then you do not have the setting "Accept connections from clients that SUCCESSFULLY authenticate". Verify that.

Open Exchange Admin
Bring up the properties of the IMC
Go to the routing tab
Click on the routing restrictions at the bottom
Make sure there is a check mark in the top box.
0
 

Author Comment

by:marc_dumortier
ID: 7097203
I don't work tomorrow, I'll let you know on Monday.
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7103203
What you have just told us is NOT relaying.
It's legitimate behavior.
Your server will ALWAYS receive messages which are sent to the @groupcheyns.be domain.
 
0

Author Comment

by:marc_dumortier
ID: 7103258
To jpmarten:

I checked what you asked and it is the case: the check mark is there in the top box.


To Ronin:

Yes, you're right, but then I don't understand what is going on. Look below at what I, as postmaster, receive:

A mail message was not sent because the maximum time for delivery has expired.  The message was not delivered to the following addresses:

The message that caused this notification was:


      To:       <Ashley@j4femail.com>
      From:     <>
      Subject:  Undeliverable: Nude Celebs - Amateur Cams - FREE Pics!=> test1@groupcheyns.be


This is an outbound mail failure!

Any ideas?
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7103633
Of course it is!!!!
The sender is test1@groupcheyns.be but the user DOESN'T EXIST, so where do you expect the service account to forward the message?????

0
 

Expert Comment

by:NetNemo
ID: 7104395
This situation is described in Q200059 in the Microsoft knowledge base. That's an RFC feature.
See http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q200059

You need to configure the IMC to match the address against the GAL when it is entered in the "RCPT TO:<test1@groupcheyns.be>" SMTP handshake.
Unfortunately, I don't have a link to the right configuration description.
0
 

Author Comment

by:marc_dumortier
ID: 7104548
Ronin,

I think now that my first posting has nothing to do with the abuse. It's just two incoming mails for which the user doesn't exist. You're right, but how do you explain the OUTGOING MAIL FAILURE message?
We have no user or mailbox named 'test1'; also, the subject of the mail ('live webcams etc. etc.') makes me think someone is abusing our system. Look at the From field: it says '<>' as sender. I assume it is the abuser who filled this <> in as sender, no?
0
 
LVL 16

Accepted Solution

by:
Postmaster earned 300 total points
ID: 7106355
Hi Marc,
What you have is an attempt to deliver to a non-existent address. Your IMS is bouncing the message back to the sender address (which, with most SPAM, does not exist).
So the unsuccessful bounce message goes to your Postmaster account as a non-delivery.
The message is from the system <> as it is a bounce message.

This does waste some of your link bandwidth, but no more than any other non-delivery message.
Your mail system is doing its job correctly.

The subject line can be anything at all - I would not be worried about this.

Regards,
Postmaster
0
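The log excerpts in the question, NetNemo's suggestion to validate RCPT TO recipients against the GAL, and Postmaster's explanation of the bounce all come together in the small defender-side check below. It is an added example, not code from the thread or from Exchange: it parses IMS protocol-log lines in the format shown above and flags sessions where an unknown recipient was accepted, since each of those is a message the server will later bounce to a (usually forged) sender. The sample log lines and the KNOWN_RECIPIENTS set are constructed stand-ins for the real log and the real directory.

```python
import re

# Constructed sample in the format of the Exchange 5.5 IMS protocol log quoted
# in the question: one spam session and one legitimate one, abridged.
SAMPLE_LOG = """\
1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>
1/17/02 12:15:00 PM : A connection was accepted from mail.example.net.
1/17/02 12:15:01 PM : <<< MAIL FROM:<alice@example.net>
1/17/02 12:15:01 PM : <<< RCPT TO:<marc@groupcheyns.be>
1/17/02 12:15:01 PM : >>> 250 OK - Recipient <marc@groupcheyns.be>
"""

# Hypothetical stand-in for the GAL lookup NetNemo describes: the addresses
# that really exist in the directory.
KNOWN_RECIPIENTS = {"marc@groupcheyns.be", "postmaster@groupcheyns.be"}

CONNECT_RE = re.compile(r"connection was accepted from (\S+?)\.?$")
CMD_RE = re.compile(r"<<< (MAIL FROM|RCPT TO):<([^>]*)>")

def parse_sessions(log_text):
    """Group log lines into SMTP sessions, one per accepted connection."""
    sessions = []
    for line in log_text.splitlines():
        # Each line is "<timestamp> : <event>"; only the event matters here.
        _, _, event = line.partition(" : ")
        m = CONNECT_RE.search(event)
        if m:
            sessions.append({"peer": m.group(1), "sender": "", "rcpts": []})
            continue
        m = CMD_RE.search(event)
        if m and sessions:
            if m.group(1) == "MAIL FROM":
                sessions[-1]["sender"] = m.group(2).lower()
            else:
                sessions[-1]["rcpts"].append(m.group(2).lower())
    return sessions

def backscatter_candidates(sessions, known=KNOWN_RECIPIENTS):
    """Sessions where the IMS accepted a recipient the directory does not know.
    Each such message is bounced later to the (often forged) MAIL FROM address,
    which is the outbound NDR Marc sees as postmaster."""
    hits = []
    for s in sessions:
        unknown = [r for r in s["rcpts"] if r not in known]
        if unknown:
            hits.append((s["peer"], s["sender"], unknown))
    return hits
```

Running it over a real protocol log shows which connecting hosts are feeding the server mail for non-existent mailboxes, which is the traffic that recipient validation at RCPT TO would reject instead of bounce.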
 
LVL 4

Expert Comment

by:Ronin
ID: 7107245
<> is the sender.
Today there are a lot of spam programs which can enable this feature.
0
