ericmalone
asked on
Strange message in Exchange SMTP server logs.....
I have seeing a strange entry in my Exchange SMTP Virtual server logs.
Every 15 minutes or so, I see this entry:
2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse
I have checked every black list in the world that I can find, and we are not listed in any, nor are we an open relay, nor are we spamming. the strange thing is that this entry is always all by itself. There is no other connection related data accompaying it, and no evidence that my mail server is attempting to send messages to this "Gawab.com" domain or the IP address listed.
Someone help!
Eric
Every 15 minutes or so, I see this entry:
2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse
I have checked every black list in the world that I can find, and we are not listed in any, nor are we an open relay, nor are we spamming. the strange thing is that this entry is always all by itself. There is no other connection related data accompaying it, and no evidence that my mail server is attempting to send messages to this "Gawab.com" domain or the IP address listed.
Someone help!
Eric
What version is Exchange?
Doen't matter what version of exchange, sombody doesn't want your mail.
You'd have to check the MX records for the destination of the mail that's queued up and see if any point to
gawab.com
alex4all.com or
alexandria.cc
(the free email domains that gawab offers)
in addition, the mail could be destined for any of the paid domains gawab hosts.
If somebody spammed you with a gawab hosted return address, the flurry of replies could have tripped their spam-o-nator.
You'd have to check the MX records for the destination of the mail that's queued up and see if any point to
gawab.com
alex4all.com or
alexandria.cc
(the free email domains that gawab offers)
in addition, the mail could be destined for any of the paid domains gawab hosts.
If somebody spammed you with a gawab hosted return address, the flurry of replies could have tripped their spam-o-nator.
Does your server have its own dns record? If not then you need to specify your isps mail server as a relay. Some servers do reverse dns lookups and if your server does not appear they regard you as a spammer.
ASKER
We are running Exchange 2K on Win2K server.
Looking at our queue, we always have roughly 50-75 NDRs going out all the time. They do in fact look like NDRs sent in response to spam being sent our way.
Is it wise to turn off the sending of all NDRs, or is there other steps I can take to battle this?
Looking at our queue, we always have roughly 50-75 NDRs going out all the time. They do in fact look like NDRs sent in response to spam being sent our way.
Is it wise to turn off the sending of all NDRs, or is there other steps I can take to battle this?
owensleftfoot's comment about relaying through your ISP's mail exchanger is valid, they're a lor less likely to be blackholed and you get the mailout of your queue on the first pass
ASKER
Yes, our mail server does have its own mx record (which has priority over the ISP's mail server).
Also, the mail server does have a reverse lookup (PTR) record as well, so there are no issues with that. I have checked at www.dnsstuff.com and numerous other blacklist lookups, and we are not listed.
I guess my question isn't so much how can I get off "gawab.com's" supposed blacklist.. We are not an open relay, and I am positive that spam is not originating from my network.....rather, I am now seeing how many NDRs are going out from my "postmaster@domain.com" account as a response to spam we receive that is sent to users that don't exist in my organization.
What can/should I do about this?
Also, the mail server does have a reverse lookup (PTR) record as well, so there are no issues with that. I have checked at www.dnsstuff.com and numerous other blacklist lookups, and we are not listed.
I guess my question isn't so much how can I get off "gawab.com's" supposed blacklist.. We are not an open relay, and I am positive that spam is not originating from my network.....rather, I am now seeing how many NDRs are going out from my "postmaster@domain.com" account as a response to spam we receive that is sent to users that don't exist in my organization.
What can/should I do about this?
The MX and PTR records are examined by some anti-spam schemes and having them is proper protocol.
gawab probably examines incoming mail for content or watches volume and zapped you for returning mail, the reply to address of which could have been spoofed.
You'd have to contact gawab as described in the message (from some other mail account, apparently) and ask to get off their list.
ASKER
We are obviously receiving spam from many sources, and Exchange automatically sends back the NDR. What can I do about the high volume of NDRs going out from my server?
Or is there anything I can even do about it?
Or is there anything I can even do about it?
ASKER
chicagoan, Is there a convenient way to, as you said: "check the MX records for the destination of the mail that's queued up" ....other than looking in each queue one at a time? There must be 30-40 different queues set up in my SMTP server queue, all trying to send out NDRs.
But, too, I am still looking for a solution as to what can be done to minimize all the NDRs going out in the first place.
the server shown in the transient error would be the MX record (or the A record if ther is no MX record)
The only way you can stop the bounces is to null route the spam in the first place.
The only way you can stop the bounces is to null route the spam in the first place.
ASKER
Sorry, not familiar with what you mean by "null route the spam".
do something to detect incoming spam and do not attempt to deliver or return it
send it to the bit bucket
send it to the bit bucket
ASKER
chicagoan,
Sorry to keep asking, but this is really my first venture into spam/NDR blocking, so perhaps you can explain further or point me to a more detailed reference.
For instance, I wouldn't know where to begin in order to "detect incoming spam" or send it to a "?bit bucket?"
thx....eric
Sorry to keep asking, but this is really my first venture into spam/NDR blocking, so perhaps you can explain further or point me to a more detailed reference.
For instance, I wouldn't know where to begin in order to "detect incoming spam" or send it to a "?bit bucket?"
thx....eric
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Would you reccommend turning off outgoing NDRs in MS Exchange 2K?
well, what happens when the consulting company that HR contracted to supply them with IT salary ranges for this year's reviews send it to HT@yourdomain.com and, not getting the information, use last year's numbers?
your mom doesn't type too well... you never get her dutch pecan apple pie recipe for thanksgiving dinner and end up serving tiramisu hastily concocted with twinkies instant coffee and dream whip since the gas station was the only thing open - your boss is appalled and instructs HR to drop your eval a point and as they're using old data, you end up making less than you did last year
another guest is impressed with your three hour monolgue on the merits of color coding patch cables after dinner and emails you an offer to be CIO of his new internet startup, unfortunately he sends the email to ericbaloney@yourdomain.com
bounces are a part of email, spam control initiatives can usually garner some support for funding as not only is a nuisance but employees spend paid hours dealing with it... go ask for some money!
your mom doesn't type too well... you never get her dutch pecan apple pie recipe for thanksgiving dinner and end up serving tiramisu hastily concocted with twinkies instant coffee and dream whip since the gas station was the only thing open - your boss is appalled and instructs HR to drop your eval a point and as they're using old data, you end up making less than you did last year
another guest is impressed with your three hour monolgue on the merits of color coding patch cables after dinner and emails you an offer to be CIO of his new internet startup, unfortunately he sends the email to ericbaloney@yourdomain.com
bounces are a part of email, spam control initiatives can usually garner some support for funding as not only is a nuisance but employees spend paid hours dealing with it... go ask for some money!
ASKER
Interesting "examples".........yikes. I'm not sure whether to be offended or laugh myself silly.
I'll go ask for some money I guess.
OMG!! no insult intended!
just a worse-case scenario ;-)
just a worse-case scenario ;-)
ASKER
No worries.....thank for the help!
http://support.microsoft.com/default.aspx?scid=kb;[LN];324059
Error 5.7.1 is a Relaying Denied error for Non-Deliver Report.
It's possible a spammer is sending you email that it to a bogus account and your server is accepting it - and then issuing a NDR to the originator which gets flagged at the ISP.