Exchange 5.5: No Open Relay but Spams Moving through Queue

Posted on 2004-07-30
Last Modified: 2008-03-06
Please Help......

I have an Exchange 5.5 SP4 with the 5/04 update rollup, running on NT4. I have tested for SMTP open relay via telnet to port 25, and I do get 550 Relay Prohibited. However, recently I have noticed numerous spam messages coming in and out of the IMC queue. I have tried to change and test different relay settings (did not help).

I checked the app log for SMTP interface events. I do see events with ID 2000 and 2003 that show connections made to/from various IP addresses. Some of these have a domain name attached, and the domain names definitely look like something bad. I have checked for event ID 2010 (as per the MS knowledge base) for the User ID. However, 2010 does not exist, and none of the 2000 or 2003 events have an ID attached. The user column in the list view shows N/A.

Basically, I know our Exchange 5.5 IMC is being used to send out spam but don't know how it's done or how to shut it down.....

Thanks.....
Question by:rliu11122b
Accepted Solution

by: Sembee (earned 250 total points)
ID: 11685696
Could be an NDR attack. This is where email messages are sent to your server with a wrong email address on purpose. The server bounces the message back as user unknown. The "From" line is the real target of the email address, and that is who Exchange sends it to.

Disable the delivery of NDRs to the Internet in Exchange and see if that clears things up.

Simon.
Author Comment

by:rliu11122b
ID: 11690234
Sembee:
The messages in the outgoing queue have <> for the from field... would this be a characteristic of NDRs?

Author Comment

by:rliu11122b
ID: 11690369
I am using 5.5 SP4. I can't seem to turn off NDRs... based on other readings, I don't think I can in 5.5. So how does someone stop NDR attacks?

Assisted Solution

by: scdavis (earned 250 total points)
ID: 11692826
rlui,

The real problem is - you can't stop them, really. Not operationally, anyhow.. even if the tech will let you.

The "NDR attack" Simon describes is also known in "spam fighting circles" as a "Joe-Job" attack.

I think Simon is advocating the "shuttin' off" of ALL NDR replies for a short period of time - to see if the NDR-theory is correct.

You don't really want to turn off all NDRs - "forever" -- because then when people mis-type your users' names, they won't get.. (drum roll, please..) an NDR letting them know it's been un-delivered...

NDR joe-jobs aren't so bad. The email content is generated by the "relaying" system, i.e., yours, in this case.. correct?

So, it's not like an all-out DDoS or spam-bomb or MTA dictionary attack..
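Added example (not code from the thread or from Microsoft): a small Python script that checks the pattern Simon and scdavis describe, a flood of null-sender (<>) bounces, i.e. NDR backscatter, in an outbound queue. The pipe-separated export format and the sample entries are constructed assumptions; an administrator would feed it whatever listing of sender/recipient pairs they can pull from the IMC queue.

```python
"""Spot NDR backscatter (a "joe-job") in an outbound SMTP queue listing.

Assumed input: one queued message per line as 'sender|recipient|subject'.
This is NOT a real Exchange 5.5 export format; it stands in for whatever
the admin can extract from the IMC outbound queue.
"""
from collections import Counter

# Constructed sample queue entries, not taken from a real server.
QUEUE_LINES = """\
<>|victim1@example.net|Undeliverable: Cheap meds
<>|victim2@example.net|Undeliverable: Cheap meds
<>|victim3@example.net|Undeliverable: Cheap meds
<>|victim4@example.org|Undeliverable: Cheap meds
alice@example.com|bob@partner.example|Q3 figures
<>|carol@partner.example|Undeliverable: meeting
"""


def parse_queue(text):
    """Yield (sender, recipient, subject) tuples from the assumed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, recipient, subject = line.split("|", 2)
        yield sender.strip(), recipient.strip(), subject.strip()


def backscatter_report(text, min_ndrs=3):
    """Count null-sender (<>) messages, i.e. bounces, per recipient domain.

    Returns {domain: count} for domains receiving at least min_ndrs bounces.
    Legitimate NDRs are spread thinly; many bounces aimed at one domain is the
    forged-sender pattern described in the thread (the forged From is the
    real target)."""
    per_domain = Counter()
    for sender, recipient, _ in parse_queue(text):
        if sender == "<>":  # null reverse-path marks a bounce message
            per_domain[recipient.rpartition("@")[2].lower()] += 1
    return {d: n for d, n in per_domain.items() if n >= min_ndrs}


def ndr_share(text):
    """Fraction of queued messages that are bounces; close to 1.0 means the
    server is mostly emitting NDRs rather than delivering real mail."""
    rows = list(parse_queue(text))
    if not rows:
        return 0.0
    return sum(1 for s, _, _ in rows if s == "<>") / len(rows)


if __name__ == "__main__":
    print(backscatter_report(QUEUE_LINES))  # {'example.net': 3}
    print(round(ndr_share(QUEUE_LINES), 2))  # 0.83
```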