Solved

How to Stop Relaying with Exchange Server 5.5

Posted on 2004-04-12
Last Modified: 2010-08-05
We are getting an increase of spam and an increase of messages that have been sent from specific user accounts without the owner knowing.  It seems as though we have relaying enabled and that our e-mail server is allowing messages to be sent without the owner's permission.

We are running Exchange Server 5.5 (SP4) with many of the latest Exchange patches on a Windows 2000 Server (fully patched).  The environment is primarily Windows 2000 servers with a Linux box acting as a gateway/firewall.  Our Exchange server is running Antigen 7.5 in order to filter viruses and content AND all client machines and the server have a local anti-virus program installed and updated for protection.

I have made the necessary changes in the IMS (e.g. Checkmark in the "Hosts and Clients with these IP addresses", while not listing an IP address) as suggested here:  http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/7696/MicrosoftExchangeOutlook_7696.html but we still seem to be relaying.

I would like to answer the following questions.
1.  How can we tell if our server has relaying turned on?
I was unable to telnet into our Windows 2000 server in order to try the suggestions in the article above (e.g. telnet servername 25).  The telnet window hangs.  If someone can troubleshoot telnetting in I would appreciate that.  I have turned on the telnet service on the server AND even tried enabling the telnet port on our firewall but still no luck.  What else do I have to configure to make telnet work?

2.  Are there any other ways to disable relaying other than the common solution discussed in the article above?  We have already applied this solution and seem to be getting a lot of spam.

Anyone who can point me in the right direction would be much appreciated.

Thanks,
D. J.
Question by:djplante
16 Comments

Accepted Solution by: dstoker509 (earned 250 total points)
This article explains closing open-relay and testing it.  It should help clear things up: http://support.microsoft.com/default.aspx?scid=kb;en-us;836500

Assisted Solution by: Bembi (earned 250 total points)
A lot of stuff to read. Within your Exchange server IMC, you have option buttons "Forward mails for these domains" and "Do not forward emails" or similar. If you mark "Do not forward...", your server will not relay messages. This has nothing to do with forwarding to your own recipients.

Nevertheless, some spammers use some tricks, like faking sender addresses, so that your server interprets these mails as coming from internal users.

Try telnet relay-test.mail-abuse.org at the DOS prompt.

also check your server against spam-databases like
http://njabl.org/lookup.html
http://openrbl.org
http://ordb.org/

Note that the last one will test your server and add it to the database if it is found to be an open relay; the first two will only check different databases to see if you are listed. If all these tests are negative, your server will not relay. On the other hand, if your server is really open, a few of the databases will list you, as these tools are also the tools used by the spammers, meaning that they have found your server.

The telnet tool will try to find out if your server is vulnerable to some known email tricks. These vulnerabilities can be closed by tools in front of the Exchange server, like some virus scanners or "mail security" from www.gfi.com.
 


Author Comment by: djplante
When trying to telnet I get this:
C:\>telnet relay-test.mail-abuse.org
Connecting To relay-test.mail-abuse.org...Could not open a connection to host on
 port 23 : Connect failed

I checked my server against njabl.org and it was clean.
I checked my server against openrbl.org and this is what was returned...what does this mean?
***********************************************************
 Multi DNSBL Lookup 208.193.xxx.xxx http://openrbl.org/ip/208/193/xxx/xxx.htm
 Lookup 208.193.xxx.xxx (something.something.edu) in 21+11 Zones
 AS: 208.193.xxx.xxx/24 AS6062  NETPLEX Hartford/Connecticut
 Net 208.192-208.255 UUNET1996B  Fairfax, Virginia @uu.net
 Results: Positive=2, Negative=30 (2004-04-12 16:05:42 UTC)
@ISP/blackholes.us: 208.193/16: 553 ISP MCI - http://hatcheck.org/google?mci; http://hatcheck.org/sbl?mci; ISP UU - http://hatcheck.org/google?uu; http://hatcheck.org/sbl?uu [Blockparade]
BLARS/block.blars.org: INET 127.3.0.0
Negative 30: @COUNTRY @DYNAMIC @SPAM AHBL AUDNSBL BOGONS BONDED BOPM CBL DRBL DSBL FIVETEN INTERSIL JIPPGMA LNSG NJABL NOMORE ORDB PSBL PSS RFC_IPWH SBL SORBS SPAMBAG SPAMCOP SPAMRBL SPAMSITE SPEWS UCEPROT WPBL

--------------------------------------------------------------------------------
Hints for 208.193.xxx.xxx: (external, use BACK or ALT-LEFT when done)
Track "something.something.edu" at [Whois & Abuse|SpamCop*]
Search "208.193.xxx.xxx" at [Google|SpamCop*|SenderBase] [MAPS|Schlund]
CHECK: Nominate Relay-Test at: [ORDB] [Add Comment]
*********************************************************

I am in the process of trying http://ordb.org but it takes a while.

As far as the IMC: there are two options I think you are referring to:  "Do not reroute incoming SMTP mail" AND "Reroute incoming SMTP mail (required for POP3/IMAP4 support)".  Routing is set to "something.edu" and the option "Email sent to this domain:" "should be accepted as inbound" is selected.  Are you saying I should disable this option and select "Do not reroute incoming SMTP mail"?  People only use the Microsoft Outlook client while on campus and Outlook Web Access off campus.  No one telnets in or configures their clients at home to download messages (POP3).

What should I try from here?

Thanks,
D. J.

Expert Comment by: dstoker509
When you telnet you need to use the following syntax: "telnet [domain] 25" to telnet on port 25.  Without the port 25 statement, it will attempt to connect on port 23 which will not work.  You do not need port 23 open on your firewall to your exchange server.

For Exchange 5.5, you actually need to select "Reroute incoming SMTP mail" and not select any domains to reroute.  This is a little-known fact about Exchange 5.5. If you select "Do not reroute incoming SMTP mail," then it will still allow spammers access to an open relay.

Author Comment by: djplante
When I try to telnet into my exchange server this is what I get...it just hangs here:

c:\telnet [servername or FQDN] 25
220 servername.domain-name.something.edu ESMTP Server (Microsoft Exchange Interne
t Mail Service 5.5.2657.72) ready

I have tried many combinations in order to telnet in and cannot do it with the following syntax:  telnet servername 25

Any other suggestions?
****************
We have "Reroute incoming SMTP mail" selected and we have specified a domain (something.edu).  Do you recommend we remove that domain?  If so, what are the possible outcomes of doing this?

Thanks for your help.

Expert Comment by: Bembi
> Results: Positive=2, Negative=30
This seems to be OK, as there are a few heavily restrictive databases; the relevant databases are closed.

> As far as the IMC.
One option is to set it to "Do not reroute..", but as dstoker said, it will not open the server for relay, though it may produce a lot of NDRs if a spammer tries to use your server as a relay.

Follow the instructions here to close your server, where the last one may be the easiest to understand:
http://support.microsoft.com/default.aspx?scid=kb;en-us;243045
http://www.msexchange.org/pages/article_p.asp?id=5

There is also an example for testing your own server with telnet.

The telnet (abuse.org) was OK, but you should run it on your mail server. Additionally, the default route should be the same as the one your mail server uses, as this tool tries to contact your server with the IP you are going out with.

Author Comment by: djplante
I still cannot get Telnet to function properly.  After I open telnet and type in "open servername 25" it hangs.  How can I get telnet to function properly?  Oh, I already have made changes to the settings as described in the 2nd article:  http://www.msexchange.org/pages/article_p.asp?id=5

Expert Comment by: Bembi
Just the commands; telnet responds to every line. Note that you may not use backspace or other keys, just type the command and return; if you made an error, hit return and repeat the whole line.
telnet myserver 25
helo
mail from: anymail@anyserver.com
rcpt to: anothermail@anotherserver.com
data
type your mail text here
.
quit
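The HELO / MAIL FROM / RCPT TO dialogue above, as an added example written for this page (not code from the thread, from Microsoft or from any of the relay-test sites mentioned): a Python script that runs the same exchange against your own server, stops before DATA so that no message is ever relayed, and reads the RCPT TO reply code to tell "550 relaying is prohibited" apart from an accepted relay. The example.* host names and addresses and the canned transcript are constructed placeholders.

```python
"""Open-relay probe: the manual telnet test above, scripted.

Added example, not code from the thread. Runs banner / HELO / MAIL FROM /
RCPT TO and stops there, so nothing is relayed even if the server is open.
All host names, addresses and the canned transcript are placeholders."""
import io
import socket
import sys

# Sender and recipient both live in domains the server is NOT responsible
# for, which is exactly what a relay attempt looks like (placeholders).
PROBE_HELO = "relaytest.example.org"
PROBE_MAIL_FROM = "relaytest@example.org"
PROBE_RCPT_TO = "relaytest@example.net"


def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line, "250-...") and return its code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        # A hyphen right after the code means more lines of this reply follow.
        if len(line) == 3 or line[3] != "-":
            return int(line[:3])


def send_command(rfile, wfile, command):
    """Send one command line (CRLF-terminated) and return the reply code."""
    wfile.write(command + "\r\n")
    wfile.flush()
    return read_reply(rfile)


def relay_dialogue(rfile, wfile, mail_from=PROBE_MAIL_FROM, rcpt_to=PROBE_RCPT_TO):
    """Run the dialogue over any readable/writable text streams; return codes."""
    codes = {"banner": read_reply(rfile)}
    codes["helo"] = send_command(rfile, wfile, "HELO " + PROBE_HELO)
    codes["mail_from"] = send_command(rfile, wfile, "MAIL FROM:<%s>" % mail_from)
    codes["rcpt_to"] = send_command(rfile, wfile, "RCPT TO:<%s>" % rcpt_to)
    try:
        send_command(rfile, wfile, "QUIT")
    except (ConnectionError, ValueError):
        pass  # some servers drop the connection right after a rejection
    return codes


def verdict(codes):
    """Interpret the RCPT TO reply: 2xx = relay accepted, 5xx = relay refused."""
    code = codes["rcpt_to"]
    if 200 <= code < 300:
        # Caveat: some servers accept RCPT TO and only reject at DATA, so a
        # 2xx here means "probably open", to be confirmed with a full test.
        return "open"
    if 500 <= code < 600:
        return "closed"
    return "inconclusive"


def probe_host(host, port=25, timeout=15):
    """Connect to a real server on port 25 and return (codes, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace", newline="")
        wfile = sock.makefile("w", encoding="ascii", newline="")
        codes = relay_dialogue(rfile, wfile)
    return codes, verdict(codes)


# Constructed transcript of a closed relay, modelled on the "550 relaying is
# prohibited" reply reported in the thread (not a real capture).
CLOSED_RELAY_TRANSCRIPT = (
    "220 mail.example.edu ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2657.72) ready\r\n"
    "250-mail.example.edu Hello relaytest.example.org\r\n"
    "250 OK\r\n"
    "250 OK - mail from <relaytest@example.org>\r\n"
    "550 Relaying is prohibited\r\n"
    "221 closing connection\r\n"
)


def run_transcript(transcript):
    """Replay a canned transcript through the dialogue (offline self-check)."""
    return relay_dialogue(io.StringIO(transcript), io.StringIO())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        codes, result = probe_host(sys.argv[1])   # python relaytest.py mailhost
    else:
        codes = run_transcript(CLOSED_RELAY_TRANSCRIPT)
        result = verdict(codes)
    print(codes, "->", result)
```

Run it with your server's name as the only argument; as Bembi notes, run it from an outside address as well as from the LAN, since the IMS decides by the connecting IP.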
 

Author Comment by: djplante
I can't get to a prompt to be able to enter HELO or mail from: / rcpt to:  this is as far as I get:

220 servername.domain.domain.edu ESMTP Server (Microsoft Exchange Interne
t Mail Service 5.5.2657.72) ready

I know how to use telnet....it is just hanging and I am not able to login at all

Expert Comment by: dstoker509
After the "ready", you type HELO.  Then do you get a response?  You will not see standard Telnet prompts.  Think of it as telnetting blind.

Expert Comment by: Bembi
You must simply type it: if you get the banner from your server (as shown above), just type "helo" and hit return. You will not get any cursor or hint what to do, as the order doesn't matter. Type the whole line, including "mail from: xxx".

Author Comment by: djplante
ok....dstoker509....thanks.....I followed your directions and did get the response "550 relaying is prohibited"

Now that I've determined that relaying is prohibited, what recommendations do you have for limiting the amount of spam coming through.  What I'm mostly worried about are the messages that look like someone at the school has sent them out when in fact they haven't.  Any other ideas?

Could some client machines on the network have viruses and be acting as their own SMTP service (using the Global Address List somehow)?
Could it be that our exchange server has somehow been compromised (i.e. virus, hacked, etc.)?

Thanks for your help,
D. J.

Expert Comment by: Bembi
Have a look at the mail headers, where you can see where the mail is really coming from. Within Outlook, mark the mail, right click, Options; there you can see the mail header. If the mail header field is empty, the mails are coming from your own clients; otherwise you will find the full routing protocol, ending with the originator of the mail, like

Received: From ns5.experts-exchange.com ([64.156.132.253]) by anyOtherServer ....

As the server names of spam emails are mostly faked, it is the IP address that is correct. The latest viruses have the feature that they try to fake the sender addresses in such a way that it seems they are coming from a known sender's address.

Now go to the DOS prompt and type

nslookup 64.156.132.253 (where this is the IP, you find in the mail header)
the response is ns5.experts-exchange.com (in this example)
but this is the real name of the sender's server.

Doing so, you can find out if you have an internal problem or if they are coming from outside. For SPAM from outside, you cannot really do a lot within Exchange; you need a spam filter which is able to filter the incoming traffic. A few virus scanners also have a simple filter function, but this is not really a solution.
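The header check Bembi describes, as an added example written for this page (not code from the thread): a Python script that pulls the Received: headers out of a raw message, takes the bracketed IP from the bottom-most one (the first hop, i.e. the real originator), decides whether it lies in your own address range, and treats a message with no Received: headers at all as a direct client submission. The campus network range and both sample messages are constructed; the outside IP reuses the one from Bembi's example, and the reverse lookup is the nslookup step in code form.

```python
"""Trace a message back to its originating host from the Received: headers.

Added example, not code from the thread. Outlook shows these headers under
Options; here they are parsed from a raw message. The sample messages and the
campus address range are constructed, not real captures."""
import ipaddress
import re
import socket
from email import message_from_string

# The address in square brackets in a Received: header is the connecting
# peer's real IP; the host name in front of it is whatever the peer claimed.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(raw_message):
    """Received: values, top (last hop) to bottom (first hop), unfolded."""
    msg = message_from_string(raw_message)
    return [re.sub(r"\r?\n[ \t]+", " ", v) for v in msg.get_all("Received", [])]


def originating_ip(received_values):
    """The bottom-most Received: header was stamped by the first receiving
    server, so its bracketed address is the originator's real IP."""
    for value in reversed(received_values):
        match = RECEIVED_IP_RE.search(value)
        if match:
            return match.group(1)
    return None


def classify_origin(raw_message, internal_networks):
    """Return ('internal', ip), ('external', ip) or ('client-submitted', None).

    No Received: headers at all means the message never crossed SMTP: it was
    submitted directly by a mailbox client, the "empty header" case above."""
    headers = received_headers(raw_message)
    if not headers:
        return ("client-submitted", None)
    ip = originating_ip(headers)
    if ip is None:
        return ("unknown", None)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in internal_networks):
        return ("internal", ip)
    return ("external", ip)


def reverse_lookup(ip):
    """nslookup equivalent: the PTR name for the IP, or None if it has none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed campus range (hypothetical) and a constructed message whose
# From: claims a campus sender while the first hop came from outside.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

SPOOFED_MESSAGE = (
    "Received: from mail.example.edu ([10.20.30.40]) by hub.example.edu\n"
    "\twith ESMTP; Mon, 12 Apr 2004 16:07:00 +0000\n"
    "Received: from ns5.experts-exchange.com ([64.156.132.253]) by mail.example.edu\n"
    "\twith SMTP; Mon, 12 Apr 2004 16:05:42 +0000\n"
    "From: someone@example.edu\n"
    "Subject: constructed test\n"
    "\n"
    "body\n"
)

# Constructed message as an Outlook client would submit it: no Received: at all.
CLIENT_MESSAGE = "From: someone@example.edu\nSubject: constructed test\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("client", CLIENT_MESSAGE)):
        kind, ip = classify_origin(raw, INTERNAL_NETWORKS)
        print(name, kind, ip, reverse_lookup(ip) if ip else "")
```

An "external" result for a message that claims an internal From: address is the forged-sender case from the thread; an "internal" or "client-submitted" result points at a machine on your own network and is worth checking for malware before looking further at the server.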
