Solved

Exchange server 5.5 abuse !

Posted on 2002-06-20
205 Views
Last Modified: 2010-03-05
We use Exchange 5.5 with SP4 applied. Although relaying is disabled, somebody is still using our server to send spam mails.

our domain is: groupcheyns.be
It looks like he was able to create a distribution list or something on our server, because he uses an account test1@groupcheyns.be as recipient.

2 examples:

1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK

1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>

1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>

1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF

1/17/02 12:12:40 PM : >>> 250 OK

1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection

second example:

3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : >>> 250 OK

3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:24 AM : >>> 250 OK - mail from <info@optinmail.cc>

3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : >>> 250 OK - Recipient <test1@groupcheyns.be>

3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:25 AM : >>> 354 Send data.  End with CRLF.CRLF

3/12/02 3:32:26 AM : >>> 250 OK

3/12/02 3:32:26 AM : <<< QUIT
3/12/02 3:32:26 AM : >>> 221 closing connection


Does somebody know of a web scanner that can check the vulnerabilities in our mail server?

Marc
Question by: marc_dumortier
9 Comments
 
LVL 3

Expert Comment

by:jpmarten
ID: 7095994
When you say you have relaying disabled, how do you have your IMS configured?

Did you follow Q196626?

If someone is relaying off of you using a DL sent from an invalid SMTP address, then you do not have the setting "Accept connections from clients that SUCCESSFULLY authenticate". Verify that.

Open Exchange Admin
Bring up the properties of the IMC
Go to the routing tab
Click on the routing restrictions at the bottom
Make sure there is a check mark in the top box.
0
 

Author Comment

by:marc_dumortier
ID: 7097203
I don't work tomorrow, I'll let you know on Monday.
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7103203
What you have just told is NOT relaying.
It's legitimate behavior.
Your server will ALWAYS receive messages which are sent to the @groupcheyns.be domain.
 
0
 

Author Comment

by:marc_dumortier
ID: 7103258
To jpmarten:

I checked what you asked and it is the case: the check mark is there in the top box.


To Ronin:

Yes, you're right, but then I don't understand what is going on. Look below at what I, as postmaster, receive:

A mail message was not sent because the maximum time for delivery has expired.  The message was not delivered to the following addresses:

The message that caused this notification was:


      To:       <Ashley@j4femail.com>
      From:     <>
      Subject:  Undeliverable: Nude Celebs - Amateur Cams - FREE Pics!=> test1@groupcheyns.be


This is an outbound mail failure!

Any ideas?
0
 
LVL 4

Expert Comment

by:Ronin
ID: 7103633
Of course it is!!!!
The sender is test1@groupcheyns.be, but the user DOESN'T EXIST, so where do you expect the service account to forward the message?????

0
 

Expert Comment

by:NetNemo
ID: 7104395
This situation is described in article Q200059 in the Microsoft Knowledge Base. That's an RFC feature.
See http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q200059

You need to configure the IMC to match the address against the GAL when it is entered in the "RCPT TO:<test1@groupcheyns.be>" step of the SMTP handshake.
Unfortunately, I don't have a link to the right configuration description.
0
 

Author Comment

by:marc_dumortier
ID: 7104548
Ronin,

I think now my first posting has nothing to do with the abuse. It's just two incoming mails for which the user doesn't exist. You're right, but how do you explain the OUTGOING MAIL FAILURE message?
We have no user or mailbox named 'test1', and the subject of the mail ('live webcams etc etc') makes me think someone is abusing our system. Look at the From field, it says '<>' as sender. I assume it is the abuser who filled this <> in as sender. No?
0
 
LVL 16

Accepted Solution

by: Postmaster (earned 900 total points)
ID: 7106355
Hi Marc,
What you have is an attempt to deliver to a non-existent address. Your IMS is bouncing the message back to the sender address (which, with most SPAM, does not exist).
So the unsuccessful bounce message goes to your Postmaster account as non-delivery.
The message is from the system <> as it is a bounce msg.

This does waste some of your link bandwidth, but no more than any other non-delivery message.
Your mail system is doing its job correctly.

The subject line can be anything at all - I would not be worried about this.

Regards,
Postmaster
0
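NetNemo's suggestion (match the RCPT TO address against the GAL) and Postmaster's explanation (accepted mail for a non-existent user is bounced to a sender that does not exist, and the bounce comes back to the postmaster) can both be checked against the log lines quoted in the question. The script below is an added example for this thread, not code from the thread or from Microsoft. It parses the IMS "<<<" / ">>>" protocol log, reports for each session whether a foreign recipient was attempted (a relay attempt) or a local recipient was accepted that no known user matches (the test1 case that produces the bounce), and shows the RCPT TO reply a recipient-validating, non-relaying server would give instead. The local domain is the one from the question; the list of valid users is an assumption standing in for the GAL, and the third log session is constructed so the relay branch is exercised.

```python
"""Triage of Exchange 5.5 IMS SMTP protocol log sessions (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAIN = "groupcheyns.be"  # domain from the question
# Hypothetical directory of valid local users (assumption; stands in for the GAL).
KNOWN_LOCAL_USERS = {"marc", "postmaster"}

CONNECT_RE = re.compile(r"^\S+ \S+ [AP]M : A connection was accepted from (?P<host>\S+)$")
LINE_RE = re.compile(r"^\S+ \S+ [AP]M : (?P<dir><<<|>>>) (?P<rest>.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")


@dataclass
class Session:
    client: str
    helo: str = ""
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    accepted_data: bool = False   # server answered 250 after the DATA phase
    last_cmd: str = ""


def parse_sessions(log_text: str) -> List[Session]:
    """Split an IMS protocol log into sessions, one per accepted connection."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONNECT_RE.match(line)
        if m:
            cur = Session(client=m.group("host").rstrip("."))
            sessions.append(cur)
            continue
        m = LINE_RE.match(line)
        if not m or cur is None:
            continue
        direction, rest = m.group("dir"), m.group("rest")
        if direction == "<<<":  # client -> server
            verb, _, arg = rest.partition(" ")
            cur.last_cmd = verb.upper()
            if cur.last_cmd in ("HELO", "EHLO"):
                cur.helo = arg.strip()
            elif cur.last_cmd == "MAIL":
                a = ADDR_RE.search(arg)
                cur.mail_from = a.group(1) if a else None
            elif cur.last_cmd == "RCPT":
                a = ADDR_RE.search(arg)
                if a:
                    cur.rcpt_to.append(a.group(1))
        elif rest.startswith("250") and cur.last_cmd == "DATA":
            # The body is not logged; a 250 after DATA means the message was taken.
            cur.accepted_data = True
    return sessions


def is_local(addr: str) -> bool:
    return addr.rpartition("@")[2].lower() == LOCAL_DOMAIN


def is_known_user(addr: str) -> bool:
    return is_local(addr) and addr.partition("@")[0].lower() in KNOWN_LOCAL_USERS


def classify(session: Session) -> str:
    """'relay' if any recipient is foreign, 'unknown-user' if a local recipient
    is not in the directory (accepted now, bounced later), else 'inbound'."""
    if any(not is_local(r) for r in session.rcpt_to):
        return "relay"
    if any(not is_known_user(r) for r in session.rcpt_to):
        return "unknown-user"
    return "inbound"


def rcpt_response(addr: str) -> str:
    """Reply a recipient-validating, non-relaying server gives at RCPT TO."""
    if not is_local(addr):
        return "550 5.7.1 Relaying denied"
    if not is_known_user(addr):
        return "550 5.1.1 User unknown"
    return "250 OK"


# Sample input: the two sessions quoted in the question, plus one constructed
# session (example.* hosts) that tries a foreign recipient and is refused.
SAMPLE_LOG = """
1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK
1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>
1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF
1/17/02 12:12:40 PM : >>> 250 OK
1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection
3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : >>> 250 OK
3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:24 AM : >>> 250 OK - mail from <info@optinmail.cc>
3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : >>> 250 OK - Recipient <test1@groupcheyns.be>
3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:25 AM : >>> 354 Send data.  End with CRLF.CRLF
3/12/02 3:32:26 AM : >>> 250 OK
3/12/02 3:32:26 AM : <<< QUIT
3/12/02 3:32:26 AM : >>> 221 closing connection
6/20/02 10:00:00 AM : A connection was accepted from relay-test.example.com.
6/20/02 10:00:00 AM : <<< HELO relay-test.example.com
6/20/02 10:00:00 AM : >>> 250 OK
6/20/02 10:00:00 AM : <<< MAIL FROM:<someone@example.net>
6/20/02 10:00:00 AM : >>> 250 OK - mail from <someone@example.net>
6/20/02 10:00:01 AM : <<< RCPT TO:<victim@example.org>
6/20/02 10:00:01 AM : >>> 550 5.7.1 Relaying denied
6/20/02 10:00:01 AM : <<< QUIT
6/20/02 10:00:01 AM : >>> 221 closing connection
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f"{s.client:28} {classify(s):13} accepted={s.accepted_data} "
              f"rcpt={s.rcpt_to} from=<{s.mail_from}>")
        for r in s.rcpt_to:
            print(f"    validating server would answer RCPT TO:<{r}> with: {rcpt_response(r)}")
```

Run against the quoted log, both spam sessions come out as "unknown-user" with accepted_data True: the recipient domain is local, so it is not relaying (Ronin's point), but the user does not exist, so the IMS accepts the message and later has to bounce it, and when the bounce itself fails the postmaster gets the non-delivery report quoted above. With RCPT TO validation the same sessions would be answered "550 5.1.1 User unknown" and nothing would be queued or bounced.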
 
LVL 4

Expert Comment

by:Ronin
ID: 7107245
<> is the sender.
Today there are a lot of spam programs which can enable this feature.
0