Exchange 5.5: No Open Relay but Spams Moving through Queue

Posted on 2004-07-30
Last Modified: 2008-03-06
Please Help......

I have an Exchange 5.5 SP4 with 5/04 update rollup. Running on NT4. I have tested SMTP open relay via telnet port 25. I do get 550 Relay Prohibited. However, recently I have noticed numerous spam messages coming in and out of the IMC queue. I have tried to change and test different relay settings (did not help).

I checked the app log for SMTP interface events. I do see events with ID 2000 and 2003 that show connections made to/from various IP addresses. Some of these have a domain name attached and the domain names definitely look like something bad. I have checked for event ID 2010 (as per MS knowledgebase) for User ID. However, 2010 does not exist and none of the 2000 or 2003 events have an ID attached. The user column in the list view shows N/A.

Basically, I know our Exchange 5.5 IMC is being used to send out spam but don't know how it's done or how to shut it down.....

Thanks.....
Question by:rliu11122b

Accepted Solution

by:
Sembee earned 1000 total points
ID: 11685696
Could be an NDR attack. This is where email messages are sent to your server with a wrong email address on purpose. The server bounces the message back as user unknown. The "From" line is the real target of the email address and that is who Exchange sends it to.

Disable the delivery of NDRs to the Internet in Exchange and see if that clears things up.

Simon.

Author Comment

by:rliu11122b
ID: 11690234
Sembee:
The messages in the outgoing queue have <> for the from field... would this be a characteristic of NDRs?

Author Comment

by:rliu11122b
ID: 11690369
I am using 5.5 SP4. I can't seem to turn off NDRs... based on other readings, I don't think I could in 5.5. So how does someone stop NDR attacks?

Assisted Solution

by:scdavis
scdavis earned 1000 total points
ID: 11692826
rlui,

The real problem is - you can't stop them, really.  Not operationally, anyhow..  even if the tech will let you.  

The "NDR attack" Simon describes is also known in "spam fighting circles" as a "Joe-Job" attack.

I think Simon is advocating the "shuttin' off" of ALL NDR replies for a short period of time - to see if the NDR-theory is correct.

You don't really want to turn off all NDRs - "forever" -- because then when people mis-type your users' names, they won't get..  (drum roll, please..)  an NDR letting them know it's been un-delivered...  

NDR joe-jobs aren't so bad.  The email content is generated by the "relaying" system, i.e., yours, in this case..  correct?  


So, it's not like an all out dDOS or spam-bomb or MTA dictionary attack..  
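
An added example, not part of the original thread: a Python check for the pattern discussed above, where outbound messages carry the null envelope sender `<>` (the sender SMTP uses for delivery status notifications) and go to the senders of inbound mail addressed to nonexistent mailboxes. The one-line log format, the addresses and `VALID_MAILBOXES` are constructed for illustration and are not Exchange 5.5's own log layout.

```python
import re
from collections import Counter

# Constructed sample in a made-up one-line-per-message format (not Exchange's
# own log layout): direction, envelope sender, envelope recipient.
SAMPLE_LOG = """\
IN  from=<alice@example.net> to=<qwxz1@corp.example>
OUT from=<> to=<alice@example.net>
IN  from=<bob@example.org> to=<zzk93@corp.example>
OUT from=<> to=<bob@example.org>
IN  from=<carol@example.net> to=<aa7f0@corp.example>
OUT from=<> to=<carol@example.net>
IN  from=<partner@example.com> to=<jsmith@corp.example>
OUT from=<jsmith@corp.example> to=<partner@example.com>
"""

VALID_MAILBOXES = {"jsmith@corp.example"}  # assumed local directory
LINE_RE = re.compile(r"^(IN|OUT)\s+from=<([^>]*)>\s+to=<([^>]*)>$")


def analyse(log_text, valid_mailboxes):
    """Measure how much of the outbound queue is bounce traffic (null
    reverse-path) and tie each bounce to the inbound message that caused it."""
    pending = set()      # senders of inbound mail addressed to unknown users
    outbound = ndr = explained = 0
    victims = Counter()  # domains receiving our bounces
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        direction, sender, rcpt = m.group(1), m.group(2).lower(), m.group(3).lower()
        if direction == "IN":
            if rcpt not in valid_mailboxes and sender:
                pending.add(sender)   # an NDR to `sender` will be generated
            continue
        outbound += 1
        if sender == "":              # MAIL FROM:<> marks a bounce/NDR
            ndr += 1
            victims[rcpt.rsplit("@", 1)[-1]] += 1
            if rcpt in pending:
                explained += 1        # bounce matches an unknown-user delivery
    return {"outbound": outbound, "ndr": ndr, "explained": explained,
            "ndr_ratio": ndr / outbound if outbound else 0.0,
            "victims": victims.most_common()}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, VALID_MAILBOXES))
```

A high `ndr_ratio` with most bounces counted in `explained` points to bounce traffic triggered by mail for unknown recipients rather than to relaying.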


