Solved

Spam sent by Exchange 2000, not open relay

Posted on 2004-08-09
Last Modified: 2012-08-14
Hi,
I've read so many posts about spam and open relay problems with Exchange servers, about deleting badmail & queues... and also checked posts in the MS knowledge base.
One thing I did not do because it was never mentioned:
In the Access tab of the SMTP Virtual Server properties, most posts refer to the relay restrictions being set to "Only the list below" checked + an empty list, and "Allow all computers which successfully authenticate to relay, regardless of the list above" also checked! BUT, my queue was still growing and growing!!
So, I read an MS posting where they said to UNCHECK "Allow all computers which successfully authenticate to relay, regardless of the list above" if you do not need the POP3/IMAP connection. I did this (I am the only user with POP3 in our domain, and it is not especially needed), stopped the SMTP service & Exchange Information Store, deleted the files in the badmail & queue folders, restarted the services and: no spam relay anymore!!!!

Now I am very happy that my server works again like it should, but I do not understand my own solution!!
Can someone explain why my queue stopped growing with spam after unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above"?

MS: 319267 HOW TO: Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000

   1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
   2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
   3. Expand Protocols, and then expand SMTP.
   4. Right-click Default SMTP Virtual Server, and then click Properties.
   5. Click the Access tab to display the Access Control options.
   6. Click the Relay button.
   7. In the Relay Restrictions dialog box, make sure that the selection for which computers may relay is set to Only the list below and that the list is blank.
   8. Unless you are using POP3 and IMAP4 clients with this virtual server, clear the Allow all computers which successfully authenticate to relay, regardless of the list above box, and then click OK.
   9. In the SMTP Virtual Server Properties dialog box, click OK.


Thx
Skwajee
Question by:skwajee
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
What it means is that one of your accounts has been compromised.
Spammers have started looking on the Internet for Exchange servers, then hammering the SMTP with username and password combinations to try and find one that works.
Once they have one they can relay email through your server quite happily as they are an authenticated user.
You should ask all of your users to change their password immediately, and change the administrator's password as well.

Simon.
LVL 1

Author Comment

by:skwajee
Hi Simon,

You could be right. But how come the spammers stopped using my server when I unchecked this option, while all the internal users can still connect and use my Exchange 2000? If they can use their accounts, spammers should still be able to connect, no?

Grtz
Skwajee
LVL 104

Expert Comment

by:Sembee
The spammers cannot connect because you have disabled the option to use the SMTP service.

Users can continue to connect to the Exchange server because user access doesn't use SMTP. In the configuration you have, SMTP is only being used for sending email from your server and receiving email for your server - not as a relay.

Go through your event logs on the server and domain controller to see if you can spot the authentication failure messages.
You might also want to turn up the logging on SMTP virtual server then look at those to see which account is being used.

Simon.
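The relay decision behind steps 7 and 8 of KB 319267 and Simon's explanation, as an added model (not Microsoft's code or anything from the thread): local delivery is never relay, then the "authenticated computers may relay" shortcut, then the IP list. Domain names, addresses and account names below are constructed.

```python
"""Model of the Exchange 2000 relay-restriction decision (added example, not Microsoft code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LOCAL_DOMAINS = {"example.com"}   # constructed: domains this server holds mailboxes for
RELAY_DENIED = "550 5.7.1 Unable to relay"


@dataclass
class RelayRestrictions:
    only_list_below: bool = True            # "Only the list below" (KB step 7)
    hosts: Tuple[str, ...] = ()             # the list itself, left blank as the KB says
    allow_authenticated: bool = True        # "Allow all computers which successfully authenticate..." (step 8)


@dataclass
class SmtpSession:
    client_ip: str
    authenticated_as: Optional[str] = None  # account presented over SMTP AUTH, if any


def is_local(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def relay_decision(cfg: RelayRestrictions, session: SmtpSession, rcpt: str) -> str:
    """Reply the virtual server would give to RCPT TO:<rcpt> under this model."""
    if is_local(rcpt):
        return "250 OK"                     # delivering to a local mailbox is never relaying
    if cfg.allow_authenticated and session.authenticated_as:
        return "250 OK"                     # the path a guessed password turns into an open relay
    listed = any(ip_address(session.client_ip) in ip_network(n) for n in cfg.hosts)
    if cfg.only_list_below:
        return "250 OK" if listed else RELAY_DENIED
    return RELAY_DENIED if listed else "250 OK"   # "All except the list below"


def before_and_after(session: SmtpSession, rcpt: str):
    """Same session judged by the original settings and by the KB's hardened settings."""
    return (relay_decision(RelayRestrictions(), session, rcpt),
            relay_decision(RelayRestrictions(allow_authenticated=False), session, rcpt))


if __name__ == "__main__":
    guessed = SmtpSession("203.0.113.9", authenticated_as="jdoe")   # constructed external source
    print("compromised account ->", before_and_after(guessed, "victim@example.net"))
    # Outlook/MAPI users never pass through this check (Simon's point); a POP3/IMAP4 user
    # submitting over SMTP AUTH does, which is the KB's step-8 caveat. Listing the LAN
    # keeps such a user working without re-enabling authenticated relay for the world:
    lan_cfg = RelayRestrictions(hosts=("10.0.0.0/24",), allow_authenticated=False)
    print("POP3 user on LAN ->", relay_decision(lan_cfg, SmtpSession("10.0.0.23", "alice"), "friend@example.net"))
```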
LVL 1

Author Comment

by:skwajee
Last question Sembee, where can I turn on SMTP logging?
I hope to find which account has been used, because I prefer not to make all users change their passwords if it is not needed.

Thx
Skwajee
LVL 104

Expert Comment

by:Sembee
ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP. Right click on the virtual SMTP server and the option is on the first tab.

Simon
LVL 1

Author Comment

by:skwajee
Hi Sembee,
I enabled logging but I cannot detect which account is used. As you can see, I enabled the username logging.
Any suggestion?

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-12 07:59:51
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:03 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
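An added example, not part of the thread: a reader for the W3C log layout posted above (it takes the column names from the "#Fields:" header), which drops the server's own OutboundConnection* entries and flags any source that opens many sessions within one minute, the password-guessing pattern Simon describes. The sample lines are constructed; note that the cs-username column in the posted log shows host names rather than an account, which is why the event-log check Simon suggested is still needed.

```python
"""Summarise an IIS 5.0 / Exchange 2000 SMTP W3C log (added example, not from the thread)."""
from collections import Counter, defaultdict

# Constructed sample in the layout of the log posted above; addresses are RFC 5737
# documentation ranges and host names are made up.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 5.0",
     "#Version: 1.0",
     "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port",
     "2004-08-12 07:59:51 198.51.100.7 mail.example.net SMTPSVC1 GOOFY 10.0.0.5 0",
     "2004-08-12 07:59:52 198.51.100.7 mail.example.net SMTPSVC1 GOOFY 10.0.0.5 0",
     "2004-08-12 08:02:04 192.0.2.44 OutboundConnectionCommand SMTPSVC1 GOOFY - 25"]
    # thirty sessions in one minute from a single source: the pattern worth a closer look
    + [f"2004-08-12 08:05:{s:02d} 203.0.113.9 x SMTPSVC1 GOOFY 10.0.0.5 0" for s in range(30)]
)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def inbound_only(records):
    """Drop the server's own outbound connections (logged as OutboundConnection* above)."""
    return [r for r in records if not r["cs-username"].startswith("OutboundConnection")]


def flag_sources(records, threshold=20):
    """Return {c-ip: (peak sessions in one minute, cs-username values seen)} for busy sources."""
    per_minute = Counter((r["c-ip"], r["time"][:5]) for r in records)   # key: (ip, HH:MM)
    names = defaultdict(set)
    for r in records:
        names[r["c-ip"]].add(r["cs-username"])
    peaks = {}
    for (ip, _minute), n in per_minute.items():
        if n >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: (n, sorted(names[ip])) for ip, n in peaks.items()}


if __name__ == "__main__":
    for ip, (n, seen) in flag_sources(inbound_only(list(parse_w3c(SAMPLE_LOG)))).items():
        print(f"{ip}: {n} sessions in one minute, cs-username values {seen}")
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; the threshold is a starting value to tune against the server's normal inbound volume.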
LVL 104

Expert Comment

by:Sembee
The spammer may have noticed that you are no longer allowing him access and given up. Those logs look like regular logs for email. You will get lots of those - for each message you receive.

Simon.
LVL 1

Author Comment

by:skwajee
Seems to be OK now