Solved

Exchange 5.5: No Open Relay but Spams Moving through Queue

Posted on 2004-07-30
Last Modified: 2008-03-06
Please Help......

I have an Exchange 5.5 SP4 with the 5/04 update rollup, running on NT4. I have tested SMTP open relay via telnet to port 25 and I do get 550 Relay Prohibited. However, recently I have noticed numerous spam messages coming in and out of the IMC queue. I have tried to change and test different relay settings (did not help).

I checked the application log for SMTP interface events. I do see events with ID 2000 and 2003 that show connections made to/from various IP addresses. Some of these have a domain name attached and the domain names definitely look like something bad. I have checked for event ID 2010 (as per the MS knowledge base) for the user ID. However, 2010 does not exist and none of the 2000 or 2003 events have an ID attached. The user column in the list view shows N/A.

Basically, I know our Exchange 5.5 IMC is being used to send out spam but don't know how it's done or how to shut it down.....

Thanks.....
Question by: rliu11122b

7 Comments
LVL 104

Accepted Solution

by: Sembee (earned 250 total points)
ID: 11685696
Could be an NDR attack. This is where email messages are sent to your server with a wrong email address on purpose. The server bounces the message back as user unknown. The "From" line is the real target of the email address and that is who Exchange sends it to.

Disable the delivery of NDRs to the Internet in Exchange and see if that clears things up.

Simon.
0
Author Comment

by: rliu11122b
ID: 11690234
Sembee:
The messages in the outgoing queue have <> for the from field... would this be a characteristic of NDRs?
0
Author Comment

by: rliu11122b
ID: 11690369
I am using 5.5 SP4. I can't seem to turn off NDRs... based on other readings, I don't think I can in 5.5. So how does someone stop NDR attacks?
0
LVL 7

Assisted Solution

by: scdavis (earned 250 total points)
ID: 11692826
rliu,

The real problem is - you can't stop them, really.  Not operationally, anyhow..  even if the tech will let you.

The "NDR attack" Simon describes is also known in "spam fighting circles" as a "Joe-Job" attack.

I think Simon is advocating the "shuttin' off" of ALL NDR replies for a short period of time - to see if the NDR-theory is correct.

You don't really want to turn off all NDRs - "forever" -- because then when people mis-type your users' names, they won't get..  (drum roll, please..)  an NDR letting them know it's been un-delivered...

NDR joe-jobs aren't so bad.  The email content is generated by the "relaying" system, i.e., yours, in this case..  correct?

So, it's not like an all-out DDoS or spam-bomb or MTA dictionary attack..

0
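The accept-then-bounce flow Simon describes, and the MAIL FROM:<> entries rliu sees in the outgoing queue, modelled as an added Python example (not code from the thread or from Exchange); the domain, mailbox list and inbound sample are constructed assumptions, and the legitimate typo case shows why scdavis warns against disabling NDRs outright.

```python
from dataclasses import dataclass

LOCAL_DOMAIN = "example.com"        # assumption: the Exchange org's own domain
LOCAL_USERS = {"alice", "bob"}      # assumption: the only valid local mailboxes


@dataclass
class Envelope:
    """One SMTP envelope: mail_from == "" is the null sender, shown as <> in the queue."""
    mail_from: str
    rcpt_to: str
    subject: str


def accept_then_bounce(msg: Envelope):
    """Behaviour the thread describes: the IMC accepts mail for any address in its
    domain and, when the mailbox does not exist, queues an NDR to the envelope sender."""
    user, _, domain = msg.rcpt_to.partition("@")
    if domain != LOCAL_DOMAIN:
        return None                    # relay prohibited (550): nothing is queued
    if user in LOCAL_USERS:
        return None                    # delivered to the mailbox, no NDR
    return Envelope("", msg.mail_from, "Undeliverable: " + msg.subject)


def is_backscatter(outbound: Envelope) -> bool:
    """An NDR leaving the org: null sender and an external recipient."""
    return outbound.mail_from == "" and not outbound.rcpt_to.endswith("@" + LOCAL_DOMAIN)


def backscatter_victims(inbound):
    """Run inbound mail through the bounce model and count NDRs per external target."""
    victims = {}
    for msg in inbound:
        ndr = accept_then_bounce(msg)
        if ndr is not None and is_backscatter(ndr):
            victims[ndr.rcpt_to] = victims.get(ndr.rcpt_to, 0) + 1
    return victims


# Constructed sample: a spam run with a forged sender and guessed local mailboxes,
# one legitimate typo from a partner, and one relay attempt the IMC refuses.
SAMPLE_INBOUND = [
    Envelope("victim@forged.example", "zz1@example.com", "Cheap meds"),
    Envelope("victim@forged.example", "zz2@example.com", "Cheap meds"),
    Envelope("victim@forged.example", "alice@example.com", "Cheap meds"),
    Envelope("partner@other.example", "alcie@example.com", "Invoice"),
    Envelope("spammer@elsewhere.example", "someone@third.example", "Relay test"),
]

if __name__ == "__main__":
    for target, count in backscatter_victims(SAMPLE_INBOUND).items():
        print(f"{count} NDR(s) queued with MAIL FROM:<> to {target}")
```

Only the guessed-mailbox messages and the genuine typo produce queue entries with a <> sender; the refused relay attempt produces none, which is consistent with the 550 seen in the telnet test while the queue still fills with outbound NDRs.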