Solved

Exchange 5.5: No Open Relay but Spams Moving through Queue

Posted on 2004-07-30
Last Modified: 2008-03-06
Please Help......

I have an Exchange 5.5 SP4 with 5/04 update rollup. Running on NT4. I have tested SMTP open relay via telnet port 25. I do get 550 Relay Prohibited. However, recently I have noticed numerous spam coming in and out of the IMC queue. I have tried to change and test different relay settings (did not help).

I checked the app log for SMTP interface events. I do see events with ID 2000 and 2003 that show connections made to/from various IP addresses. Some of these have a domain name attached and the domain names definitely look like something bad. I have checked for event ID 2010 (as per MS knowledgebase) for User ID. However, 2010 does not exist and none of the 2000 or 2003 events have an ID attached. The user column in the list view shows N/A.

Basically, I know our Exchange 5.5 IMC is being used to send out spam but don't know how it's done or how to shut it down.....

Thanks.....
0
Question by:rliu11122b
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 11685696
Could be an NDR attack. This is where email messages are sent to your server with a wrong email address on purpose. The server bounces the message back as user unknown. The "From" line is the real target of the email address and that is who Exchange sends it to.

Disable the delivery of NDRs to the Internet in Exchange and see if that clears things up.

Simon.
0
 

Author Comment

by:rliu11122b
ID: 11690234
Sembee:
The messages in the outgoing queue have <> for the from field... would this be a characteristic of NDRs?
0
 

Author Comment

by:rliu11122b
ID: 11690369
I am using 5.5 SP4. I can't seem to turn off NDRs... based on other readings, I don't think I could in 5.5. So how does someone stop NDR attacks?
0
 
LVL 7

Assisted Solution

by:scdavis
scdavis earned 1000 total points
ID: 11692826
rliu,

The real problem is - you can't stop them, really.  Not operationally, anyhow..  even if the tech will let you.

The "NDR attack" Simon describes is also known in "spam fighting circles" as a "Joe-Job" attack.

I think Simon is advocating the "shuttin' off" of ALL NDR replies for a short period of time - to see if the NDR-theory is correct.

You don't really want to turn off all NDRs - "forever" -- because then when people mis-type your users' names, they won't get..  (drum roll, please..)  an NDR letting them know it's been un-delivered...

NDR joe-jobs aren't so bad.  The email content is generated by the "relaying" system, i.e., yours, in this case..  correct?

So, it's not like an all-out DDoS or spam-bomb or MTA dictionary attack..

0
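
An added illustration, not part of the original thread or any poster's code: NDRs are sent with the null envelope sender `<>` (RFC 5321), so counting null-sender messages bound for external domains in the outbound queue is one way to test the NDR theory discussed above. The tuple layout of the queue entries, the `corp.example` local domain and the thresholds are assumptions made for the example, not an Exchange 5.5 export format.

```python
from collections import Counter

# Constructed sample of outbound queue entries: (envelope sender, recipient).
# The layout is assumed for illustration; it is not an Exchange 5.5 format.
SAMPLE_QUEUE = [
    ("<>", "sales@shop-a.example"),
    ("<>", "info@shop-b.example"),
    ("<>", "bob@mail-c.example"),
    ("<>", "amy@mail-d.example"),
    ("alice@corp.example", "partner@vendor.example"),
    ("<>", "joe@mail-e.example"),
]

LOCAL_DOMAINS = {"corp.example"}  # assumed local mail domain


def is_null_sender(sender):
    """True for the null reverse-path that delivery reports (NDRs) carry."""
    return sender.strip() in ("<>", "")


def domain_of(address):
    """Lower-cased domain part of an address, tolerating angle brackets."""
    return address.strip("<> ").rsplit("@", 1)[-1].lower()


def summarize_queue(entries, local_domains, min_ndrs=5, min_ratio=0.5):
    """Count null-sender mail to external domains and flag likely backscatter.

    min_ndrs and min_ratio are assumed thresholds; tune them to normal traffic.
    """
    ndr_domains = Counter()
    for sender, rcpt in entries:
        dom = domain_of(rcpt)
        if is_null_sender(sender) and dom not in local_domains:
            ndr_domains[dom] += 1
    ndr_total = sum(ndr_domains.values())
    ratio = ndr_total / len(entries) if entries else 0.0
    return {
        "total": len(entries),
        "external_ndrs": ndr_total,
        "distinct_domains": len(ndr_domains),
        "ratio": ratio,
        "suspect": ndr_total >= min_ndrs and ratio >= min_ratio,
    }


if __name__ == "__main__":
    print(summarize_queue(SAMPLE_QUEUE, LOCAL_DOMAINS))
```

A queue dominated by null-sender messages to many unrelated external domains fits the bounce pattern described in the accepted answer; a queue of spam with ordinary sender addresses would point elsewhere.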
