

Exchange server 5.5 abuse!

We use Exchange 5.5 with SP4 applied. Although relaying is disabled, somebody is still using our server to send spam mails.

Our domain is groupcheyns.be.
It looks like he was able to create a distribution list or something on our server, because he uses an account test1@groupcheyns.be as recipient.

2 examples:

1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK

1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>

1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>

1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF

1/17/02 12:12:40 PM : >>> 250 OK

1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection

Second example:

3/12/02 3:32:24 AM : A connection was accepted from cm05.mailerbee.com.
3/12/02 3:32:24 AM : <<< HELO cm05.mailerbee.com
3/12/02 3:32:24 AM : >>> 250 OK

3/12/02 3:32:24 AM : <<< MAIL FROM:<info@optinmail.cc>
3/12/02 3:32:24 AM : >>> 250 OK - mail from <info@optinmail.cc>

3/12/02 3:32:25 AM : <<< RCPT TO:<test1@groupcheyns.be>
3/12/02 3:32:25 AM : >>> 250 OK - Recipient <test1@groupcheyns.be>

3/12/02 3:32:25 AM : <<< DATA
3/12/02 3:32:25 AM : >>> 354 Send data.  End with CRLF.CRLF

3/12/02 3:32:26 AM : >>> 250 OK

3/12/02 3:32:26 AM : <<< QUIT
3/12/02 3:32:26 AM : >>> 221 closing connection

Does somebody know of a web scanner that can check the vulnerabilities in our mail server?

1 Solution
When you say you have relaying disabled, how do you have your IMS configured?

Did you follow Q196626?

If someone is relaying off of you using a DL sent from an invalid SMTP address, then you do not have the setting "Accept connections from clients that SUCCESSFULLY authenticate". Verify that.

Open Exchange Admin.
Bring up the properties of the IMC.
Go to the Routing tab.
Click on the routing restrictions at the bottom.
Make sure there is a check mark in the top box.
marc_dumortier (Author) commented:
I don't work tomorrow; I'll let you know on Monday.
What you have just described is NOT relaying.
It's legitimate behavior.
Your server will ALWAYS receive messages which are sent to the @groupcheyns.be domain.
marc_dumortier (Author) commented:
To jp marten:

I checked what you asked and it is the case: the check mark is there in the top box.

To ronin:

Yes, you're right, but then I don't understand what is going on. Look below at what I, as postmaster, receive:

A mail message was not sent because the maximum time for delivery has expired.  The message was not delivered to the following addresses:

The message that caused this notification was:

      To:       <Ashley@j4femail.com>
      From:     <>
      Subject:  Undeliverable: Nude Celebs - Amateur Cams - FREE Pics!=> test1@groupcheyns.be

This is an outbound mail failure!

Any ideas?
Of course it is!!!!
The sender is test1@groupcheyns.be, but the user DOESN'T EXIST, so where do you expect the service account will forward the message?????

This situation is described in the Q200059 article in the Microsoft Knowledge Base. That's an RFC feature.
See http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q200059

You need to configure the IMC to match the address against the GAL when it is entered in the "RCPT TO:<test1@groupcheyns.be>" step of the SMTP handshake.
Unfortunately, I don't have a link to the right configuration description.
marc_dumortier (Author) commented:

I think now my first posting has nothing to do with the abuse. It's just two incoming mails for which the user doesn't exist. You're right, but how do you explain the OUTGOING MAIL FAILURE message?
We have no user or mailbox named 'test1'; also, the subject of the mail ('live webcams etc etc') makes me think someone is abusing our system. Look at the From field: it says '<>' as sender. I assume it is the abuser who filled in this <> as sender, no?
Hi Marc,
What you have is an attempt to deliver to a non-existent address. Your IMS is bouncing the message back to the sender address (which, with most SPAM, does not exist).
So the unsuccessful bounce message goes to your Postmaster account as non-delivery.
The message is from the system <> as it is a bounce message.

This does waste some of your link bandwidth, but no more than any other non-delivery message.
Your mail system is doing its job correctly.

The subject line can be anything at all - I would not be worried about this.

<> is the sender.
Today there are a lot of spam programs which can enable this feature.
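The two points made above (ronin's advice to have the IMC check RCPT TO against the GAL, and the explanation that an accepted-then-bounced message to a non-existent mailbox produces a non-delivery report to the forged sender) can be illustrated by replaying the protocol log from the question. The following is an added example, not code from the thread or from Exchange: `KNOWN_LOCAL_USERS` is a constructed stand-in for the directory, `rcpt_decision` is the reply a recipient-validating server would give during the handshake, and `audit_log` walks a protocol log of the format shown above and flags every recipient the server accepted even though the directory has no such mailbox; each flagged line is one future bounce to whatever address the spammer put in MAIL FROM.

```python
"""Added example (not from the thread): replay the SMTP protocol-log excerpt
posted in the question against a known-recipient list.

A server that answers 250 to RCPT TO for a mailbox that does not exist must
later send a non-delivery report to the (usually forged) MAIL FROM address.
Answering 550 at RCPT TO time makes that backscatter impossible. The
directory below is constructed; the log lines are copied from the question.
"""
import re

LOCAL_DOMAIN = "groupcheyns.be"

# Constructed stand-in for the Global Address List: mailboxes that really exist.
KNOWN_LOCAL_USERS = {"postmaster", "marc.dumortier", "info"}

# Protocol log excerpt as posted in the question (copied, not generated here).
SMTP_LOG = """\
1/17/02 12:12:36 PM : A connection was accepted from cc20.optinmail.cc.
1/17/02 12:12:36 PM : <<< HELO cc20.optinmail.cc
1/17/02 12:12:36 PM : >>> 250 OK
1/17/02 12:12:36 PM : <<< MAIL FROM:<editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : >>> 250 OK - mail from <editor@newsletter.join4free.com>
1/17/02 12:12:36 PM : <<< RCPT TO:<test1@groupcheyns.be>
1/17/02 12:12:37 PM : >>> 250 OK - Recipient <test1@groupcheyns.be>
1/17/02 12:12:37 PM : <<< DATA
1/17/02 12:12:37 PM : >>> 354 Send data.  End with CRLF.CRLF
1/17/02 12:12:40 PM : >>> 250 OK
1/17/02 12:12:40 PM : <<< QUIT
1/17/02 12:12:40 PM : >>> 221 closing connection
"""

# "<<<" lines are what the client sent, ">>>" lines are the server's replies.
RCPT_RE = re.compile(r"<<< RCPT TO:<([^>]+)>", re.IGNORECASE)
REPLY_RE = re.compile(r">>> (\d{3})")


def rcpt_decision(address, known_users=KNOWN_LOCAL_USERS, local_domain=LOCAL_DOMAIN):
    """Reply a recipient-validating server should give at RCPT TO.

    Returns (code, text). Local recipients are looked up in the directory;
    a non-local recipient is a relay request and is refused here, since this
    example does not model authenticated clients.
    """
    local_part, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != local_domain:
        return 550, "Relaying denied"
    if local_part.lower() not in known_users:
        return 550, "No such user"
    return 250, "Recipient ok"


def audit_log(log_text, known_users=KNOWN_LOCAL_USERS):
    """Pair each RCPT TO with the server reply that follows it and return the
    recipients the server accepted although the directory does not know them.
    Each entry is a message that will become a bounce to the MAIL FROM address."""
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        r = REPLY_RE.search(line)
        if r and pending is not None:
            accepted = r.group(1).startswith("2")
            should_code, _ = rcpt_decision(pending, known_users)
            if accepted and should_code != 250:
                findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for rcpt in audit_log(SMTP_LOG):
        code, text = rcpt_decision(rcpt)
        print(f"accepted unknown recipient {rcpt}; should have replied {code} {text}")
```

Run against the posted session, the audit reports `test1@groupcheyns.be` as accepted although no such mailbox exists, which is exactly the message that later came back to the postmaster as an expired delivery. With recipient lookup at RCPT TO the same session would end at the 550 reply and no bounce would ever be queued.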
