Exchange 5.5: No Open Relay but Spams Moving through Queue

Please Help......

I have an Exchange 5.5 SP4 with the 5/04 update rollup, running on NT4. I have tested for SMTP open relay via telnet to port 25, and I do get "550 Relay Prohibited". However, recently I have noticed numerous spam messages coming in and out of the IMC queue. I have tried to change and test different relay settings (did not help).

I checked the application log for SMTP interface events. I do see events with ID 2000 and 2003 that show connections made to/from various IP addresses. Some of these have a domain name attached, and the domain names definitely look like something bad. I have checked for event ID 2010 (as per the MS Knowledge Base) for the user ID. However, 2010 does not exist, and none of the 2000 or 2003 events have an ID attached. The User column in the list view shows N/A.

Basically, I know our Exchange 5.5 IMC is being used to send out spam but don't know how it's done or how to shut it down...

Thanks...
rliu11122b asked:
Sembee commented:
Could be an NDR attack. This is where email messages are sent to your server with a wrong email address on purpose. The server bounces the message back as user unknown. The "From" line is the real target of the email address, and that is who Exchange sends it to.

Disable the delivery of NDRs to the Internet in Exchange and see if that clears things up.

Simon.
rliu11122b (Author) commented:
Sembee:
The messages in the outgoing queue have <> in the From field... would this be a characteristic of NDRs?
rliu11122b (Author) commented:
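The mechanism Sembee describes, and the <> sender the asker sees in the outgoing queue, can be checked with a small triage script. The following is an added example, not code from the original thread and not an Exchange 5.5 tool: it parses a constructed, simplified queue listing (sender | recipient | subject), treats the null reverse-path "<>" as the marker of an NDR, and counts how many of those NDRs are leaving for external domains. A burst of null-sender messages bound for domains you never mail is the signature of backscatter. The LOCAL_DOMAIN value and the line format are assumptions for the example.

```python
"""Added example: spot NDR backscatter in an outbound queue listing.

The input format below is a constructed, simplified queue export
(sender | recipient | subject); it is NOT the real Exchange 5.5 IMC format.
"""
from collections import Counter
from dataclasses import dataclass

# Assumption for the example: the domain this server is authoritative for.
LOCAL_DOMAIN = "example.com"

# Constructed sample queue entries. NDRs carry the null sender "<>" so
# that a bounce can never itself be bounced.
SAMPLE_QUEUE = [
    "<> | alice@victim.example | Undeliverable: Cheap meds",
    "<> | bob@victim.example | Undeliverable: Cheap meds",
    "<> | carol@other.example | Undeliverable: You won",
    "jane@example.com | partner@other.example | Q3 report",
    "<> | jane@example.com | Undeliverable: Re: meeting",
]


@dataclass
class QueueEntry:
    sender: str
    recipient: str
    subject: str


def parse_entry(line):
    """Split one 'sender | recipient | subject' line into a QueueEntry."""
    sender, recipient, subject = (part.strip() for part in line.split("|", 2))
    return QueueEntry(sender, recipient, subject)


def is_ndr(entry):
    """An empty reverse-path (<>) marks a delivery status notification."""
    return entry.sender == "<>"


def is_external(address):
    """True when the recipient is not in our own domain."""
    return not address.lower().endswith("@" + LOCAL_DOMAIN)


def backscatter_report(lines):
    """Return (total outbound NDRs to external recipients, count per domain).

    Outbound NDRs addressed to external domains are the messages that a
    joe-job/NDR attack turns into spam on your behalf; a legitimate NDR to
    one of your own users (the last sample line) is not counted.
    """
    per_domain = Counter()
    for line in lines:
        entry = parse_entry(line)
        if is_ndr(entry) and is_external(entry.recipient):
            domain = entry.recipient.split("@", 1)[1].lower()
            per_domain[domain] += 1
    return sum(per_domain.values()), per_domain


def noisy_domains(per_domain, threshold=2):
    """Domains receiving at least `threshold` NDRs from us, most hit first."""
    return [d for d, n in per_domain.most_common() if n >= threshold]


if __name__ == "__main__":
    total, per_domain = backscatter_report(SAMPLE_QUEUE)
    print(f"outbound NDRs to external recipients: {total}")
    for domain, count in per_domain.most_common():
        print(f"  {domain}: {count}")
    print("domains worth a closer look:", noisy_domains(per_domain))
```

On the sample data the script reports three external NDRs, two of them to one domain; on a real queue, a few hundred of these in an hour while your users sent nothing is the pattern the thread is describing. The null sender alone does not prove abuse, since legitimate bounces use it too, which is why the report separates bounces to your own domain from bounces leaving the server.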
I am using 5.5 SP4. I can't seem to turn off NDRs... based on other readings, I don't think I could in 5.5. So how does someone stop NDR attacks?
scdavis commented:
rlui,

The real problem is - you can't stop them, really.  Not operationally, anyhow..  even if the tech will let you.  

The "NDR attack" Simon describes is also known in "spam fighting circles" as a "Joe-Job" attack.

I think Simon is advocating the "shuttin' off" of ALL NDR replies for a short period of time - to see if the NDR-theory is correct.

You don't really want to turn off all NDRs "forever" -- because then when people mis-type your users' names, they won't get... (drum roll, please...) an NDR letting them know it's been undelivered...

NDR joe-jobs aren't so bad. The email content is generated by the "relaying" system, i.e., yours, in this case... correct?

So, it's not like an all-out DDoS or spam-bomb or MTA dictionary attack...