Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 581
  • Last Modified:

Exchange 5.5 Spam/Relay/NDR issues

I was hoping to get some feedback on a critical problem I've been having for the last couple of weeks.  I'm running NT 4.0 and Exchange 5.5.  A couple of weeks ago users began complaining about long delivery times on outbound emails.  When I checked the server, the outbound queue was filled with tons of NDRs resulting from spam messages.  After some testing, I figured it was an open relay and the spam was been relayed through the system and not created internally from a trojan or virus (a few different scans seemed to verify this).  After installing some of the latest service packs for Exchange and performing other tasks (some of which I read here - thanks!) I still couldn't get the NDRs to stop clogging the outbound queue.  Here's a run down of everything I've done so far:

Disabled the Guest account
Deleted any unused accounts and disabled and accounts that are not in use.
Changed all passwords to difficult ones
Changed the Exchange Service Account - used a difficult password.
REINSTALLED EXCHANGE SERVER 5.5
Installed ALL the service packs for Exchange 5.5
Re-closed the relay (IMS Properties - Routing - Routing Restrictions - checked "Hosts and Clients With These IP Addresses" and did not enter any addresses)

The NDRs are still being created.  Sometimes it slows down, sometimes it's thousands per hour.  For a day, I thought it was fixed, but over the weekend, there were 20,000 NDRs in the outbound queue by Monday morning.  The logs seem to point to a bunch of inbound SMTP connections being accepted from various hosts whenever the IMS service is started.  Where and how can I stop these IPs from connecting?  There's dozens, maybe hundreds of connections being received and stopping those IP addresses at the firewall could take weeks.  If I only allow SMTP connections to/from my ISPs IP addresses, would that work, since the mail is directed through their DNS servers?  I'm at a complete loss for ideas.  I'm not the most experienced tech when it comes to this stuff, but I'm the only one at my office with enough experience to work on it.  Thanks for any help!

0
MelvinSE
Asked:
MelvinSE
  • 2
1 Solution
 
peter_fleurCommented:
Maybe you can uncheck the "users that succesfully authenticate" in the IMS Properties - Routing - Routing Restrictions.
Maybe there is a script running who hacked even you difficult passwords.

Peter
0
 
MelvinSEAuthor Commented:
Will that cause a problem with any local or remote users who can successfully authenticate?
0
 
peter_fleurCommented:
It will only be a problem if you send directly through the smtp connector. So if you use pop accounts to access the mailboxes and set the send server on your exchange server port 25. If you use Outlook in the corporate/workgroup setting it will have no affect as Outlook uses the x400 protocol and sends mail internaly through the dns server.

So in a "normal" situation (90% of the cases) it will not give any problems.

Peter
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now