Solved

Spam sent by Exchange 2000, not open relay

Posted on 2004-08-09
Last Modified: 2012-08-14
Hi,
I've read so many posts about spam and the open relay problem with Exchange servers, about deleting badmail & queues... I also checked posts in the MS knowledgebase.
One thing I did not do because it was never mentioned:
In the Access tab of the SMTP Virtual Server properties, most posts refer to the relay restrictions being set to "Only the list below" checked + an empty list, and "Allow all computers which successfully authenticate to relay, regardless of the list above" also checked! BUT my queue was still growing and growing!!
So, I've read an MS posting where they told you to UNCHECK "Allow all computers which successfully authenticate to relay, regardless of the list above" if you do not need the POP3/IMAP connection. I did this (I am the only user with POP3 in our domain, and it is not especially needed), stopped the SMTP service & Exchange Information Store, deleted the files in the badmail & queue folders, restarted the services and: no spam relay anymore!!!!

Now I am very happy that my server works again like it should, but I do not understand my own solution!!
Can someone explain why my queue stopped growing with spam after unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above"?

MS: 319267 HOW TO: Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000

   1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
   2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
   3. Expand Protocols, and then expand SMTP.
   4. Right-click Default SMTP Virtual Server, and then click Properties.
   5. Click the Access tab to display the Access Control options.
   6. Click the Relay button.
   7. In the Relay Restrictions dialog box, make sure that the selection for which computers may relay is set to Only the list below and that the list is blank.
   8. Unless you are using POP3 and IMAP4 clients with this virtual server, clear the Allow all computers which successfully authenticate to relay, regardless of the list above box, and then click OK.
   9. In the SMTP Virtual Server Properties dialog box, click OK.


Thx
Skwajee
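As an added illustration (not code from the original post, from Microsoft or from KB 319267), the following Python model replays the relay decision the Exchange 2000 / IIS SMTP virtual server makes for each RCPT TO under the three settings the KB steps above touch: the relay-by-address list, the "Allow all computers which successfully authenticate to relay" box, and the set of domains the server accepts as its own. The local domain example.com, the spammer address 198.51.100.23, the partner MX 192.0.2.10 and the internal scanner 10.0.0.20 are assumptions chosen for the example. It shows both the "as recommended" configuration (empty list, authenticated relay on) and the hardened one from the KB (box cleared, internal relayers whitelisted by address), so the difference the author observed can be traced recipient by recipient.

```python
# Added example: a model of the relay-restriction decision of the Exchange 2000 /
# IIS SMTP virtual server. Not Microsoft's code; domains and IPs are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RelayRestrictions:
    local_domains: frozenset            # domains this server accepts as its own
    relay_list: tuple = ()              # "Only the list below": IPs/CIDRs allowed to relay
    allow_authenticated: bool = True    # "Allow all computers which successfully authenticate to relay"

    def accepts_recipient(self, client_ip, authenticated, rcpt):
        """True if RCPT TO:<rcpt> is answered 250, False if it gets 550 5.7.1 Unable to relay."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True                 # mail *for* us is delivery, never relay
        ip = ip_address(client_ip)
        if any(ip in ip_network(net) for net in self.relay_list):
            return True                 # relay permitted by address
        return self.allow_authenticated and authenticated


def rcpt_replies(config, client_ip, auth_result, recipients):
    """Simulate the RCPT phase of one session.
    auth_result: None (no AUTH command), True (235 accepted) or False (535 rejected).
    Returns {recipient: reply_line}."""
    authenticated = auth_result is True
    out = {}
    for rcpt in recipients:
        if config.accepts_recipient(client_ip, authenticated, rcpt):
            out[rcpt] = "250 2.1.5 %s" % rcpt
        else:
            out[rcpt] = "550 5.7.1 Unable to relay for %s" % rcpt
    return out


LOCAL = frozenset({"example.com"})          # assumed local domain
# The configuration most how-tos recommend: empty list, authenticated relay on.
AS_RECOMMENDED = RelayRestrictions(LOCAL, (), allow_authenticated=True)
# The KB 319267 configuration when no POP3/IMAP4 client needs to relay; an
# internal device that must send outbound mail is listed by address instead.
HARDENED = RelayRestrictions(LOCAL, ("10.0.0.20/32",), allow_authenticated=False)

SPAMMER_IP, SPAM_RCPTS = "198.51.100.23", ["a@victim.example", "b@victim.example"]
INBOUND_MX, INBOUND_RCPT = "192.0.2.10", ["someone@example.com"]
SCANNER_IP = "10.0.0.20"


def demo():
    """Return the scenarios the thread discusses, keyed by name."""
    return {
        # Guessed mailbox password + box ticked: every external recipient accepted.
        "spammer_with_password_before": rcpt_replies(AS_RECOMMENDED, SPAMMER_IP, True, SPAM_RCPTS),
        # Same valid credentials after clearing the box: relay refused, queue stops growing.
        "spammer_with_password_after": rcpt_replies(HARDENED, SPAMMER_IP, True, SPAM_RCPTS),
        # A wrong guess is refused under either configuration.
        "spammer_bad_password_before": rcpt_replies(AS_RECOMMENDED, SPAMMER_IP, False, SPAM_RCPTS),
        # Inbound mail for the local domain is unaffected by the change.
        "inbound_after": rcpt_replies(HARDENED, INBOUND_MX, None, INBOUND_RCPT),
        # The whitelisted internal scanner can still relay to outside domains.
        "scanner_after": rcpt_replies(HARDENED, SCANNER_IP, None, ["boss@partner.example"]),
    }


if __name__ == "__main__":
    for name, replies in demo().items():
        print(name)
        for rcpt, reply in replies.items():
            print("   RCPT TO:<%s> -> %s" % (rcpt, reply))
```

The model makes the point of the accepted answer concrete: clearing the box does not fix a guessed password, it only removes the path by which that password turns the server into a relay; the credential itself still has to be changed.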
Question by: skwajee
Accepted Solution by: Sembee (earned 250 total points), ID: 11752115
What it means is that one of your accounts has been compromised.
Spammers have started looking on the Internet for Exchange servers, then hammering the SMTP with username and password combinations to try and find one that works.
Once they have one they can relay email through your server quite happily as they are an authenticated user.
You should ask all of your users to change their password immediately, and change the administrator's password as well.

Simon.

Author Comment by: skwajee, ID: 11752323
Hi Simon,

You could be right. But how come spammers stopped using my server when I unchecked this option, while all the internal users can still connect and use my Exchange 2000? If they can use their accounts, spammers should still be able to connect, no?

Grtz
Skwajee

Expert Comment by: Sembee, ID: 11754614
The spammers cannot connect because you have disabled the option to use the SMTP service.

Users can continue to connect to the Exchange server because user access doesn't use SMTP. In the configuration you have, SMTP is only being used for sending email from your server and receiving email for your server - not as a relay.

Go through your event logs on the server and domain controller to see if you can spot the authentication failure messages.
You might also want to turn up the logging on the SMTP virtual server and then look at those logs to see which account is being used.

Simon.

Author Comment by: skwajee, ID: 11773993
Last question Sembee, where can I turn on SMTP logging?
I hope to find which account has been used, because I prefer not to (have to) change all users' passwords if not needed.

Thx
Skwajee

Expert Comment by: Sembee, ID: 11774942
ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP. Right click on the virtual SMTP server and the option is on the first tab.

Simon

Author Comment by: skwajee, ID: 11784305
Hi Sembee,
I enabled logging but I cannot detect which account is used. As you can see, I enabled the username logging.
Any suggestion?

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-12 07:59:51
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 07:59:51 81.188.94.80 webby.pluto.be SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:01 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:03 213.193.137.61 backup2.mail.be.easynet.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:04 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionResponse SMTPSVC1 GOOFY - 25
2004-08-12 08:02:05 217.72.192.149 OutboundConnectionCommand SMTPSVC1 GOOFY - 25
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0
2004-08-12 08:08:00 213.201.216.52 novisad.hostingworx.net SMTPSVC1 GOOFY 10.0.0.5 0

Expert Comment by: Sembee, ID: 11784383
The spammer may have noticed that you are no longer allowing him access and given up. Those logs look like regular logs for email. You will get lots of those - for each message you receive.

Simon.
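The log the author posted has only the fields date, time, c-ip, cs-username, s-sitename, s-computername, s-ip and s-port selected, and in the IIS SMTP service's W3C Extended log cs-username as a rule carries the HELO/EHLO name the remote host announced (or OutboundConnectionCommand/Response for the server's own deliveries, as in the 217.72.192.149 lines), not a Windows account. To see what a session did you also need cs-method (the SMTP verb), cs-uri-query (its argument) and sc-status (the reply code), selectable under Extended Properties of the W3C logging format on the virtual server's General tab. The Python below is an added example, not code from this thread, that reads such a log, counts AUTH outcomes and recipients accepted for non-local domains per client IP, and flags the pattern Sembee describes (many 535 rejections, one 235 success, then relayed RCPTs). The log text, host names and IPs are constructed for the example from documentation address ranges; the local domain example.com is an assumption. The time window it reports per IP is what you line up against the Security event log on the server and domain controller to identify the account.

```python
# Added example: reading an IIS SMTP virtual server W3C Extended log for AUTH
# activity and relayed recipients. Not code from the thread; log is constructed.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-12 07:59:51
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-query sc-status
2004-08-12 07:59:51 192.0.2.10 mx.partner.example SMTPSVC1 GOOFY 10.0.0.5 0 HELO mx.partner.example 250
2004-08-12 07:59:51 192.0.2.10 mx.partner.example SMTPSVC1 GOOFY 10.0.0.5 0 MAIL FROM:<alice@partner.example> 250
2004-08-12 07:59:52 192.0.2.10 mx.partner.example SMTPSVC1 GOOFY 10.0.0.5 0 RCPT TO:<bob@example.com> 250
2004-08-12 07:59:52 192.0.2.10 mx.partner.example SMTPSVC1 GOOFY 10.0.0.5 0 DATA - 250
2004-08-12 08:02:04 203.0.113.9 OutboundConnectionCommand SMTPSVC1 GOOFY - 25 RCPT TO:<carol@elsewhere.example> 250
2004-08-12 08:03:10 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 EHLO spamhost 250
2004-08-12 08:03:10 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 AUTH LOGIN 535
2004-08-12 08:03:11 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 AUTH LOGIN 535
2004-08-12 08:03:12 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 AUTH LOGIN 535
2004-08-12 08:03:13 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 AUTH LOGIN 535
2004-08-12 08:03:14 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 AUTH LOGIN 535
2004-08-12 08:03:15 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 AUTH LOGIN 235
2004-08-12 08:03:16 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 MAIL FROM:<x@spam.example> 250
2004-08-12 08:03:16 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 RCPT TO:<a@victim.example> 250
2004-08-12 08:03:16 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 RCPT TO:<b@victim.example> 250
2004-08-12 08:03:17 198.51.100.23 spamhost SMTPSVC1 GOOFY 10.0.0.5 0 DATA - 250
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                         # other directives and blank lines
        elif fields is None:
            raise ValueError("record before #Fields header")
        else:
            values = line.split()            # W3C writes spaces inside values as '+'
            if len(values) == len(fields):   # skip truncated or corrupt records
                yield dict(zip(fields, values))


def recipient_address(query):
    """'TO:<a@b.example>' -> 'a@b.example'."""
    q = query.strip()
    if q[:3].upper() == "TO:":
        q = q[3:]
    return q.strip("<>").strip()


def summarize(text, local_domains):
    """Per remote client IP: AUTH outcomes, recipients accepted for foreign domains,
    and first/last timestamp to correlate with the Security event log."""
    stats = defaultdict(lambda: {"auth_ok": 0, "auth_fail": 0, "relayed": [],
                                 "first": None, "last": None})
    for rec in parse_w3c(text):
        if rec.get("cs-username", "").startswith("OutboundConnection"):
            continue                         # the server delivering its own queue
        s = stats[rec["c-ip"]]
        stamp = rec["date"] + " " + rec["time"]
        s["first"] = s["first"] or stamp
        s["last"] = stamp
        method = rec.get("cs-method", "").upper()
        status = rec.get("sc-status", "")
        if method == "AUTH":
            if status.startswith("235"):
                s["auth_ok"] += 1            # 235: authentication succeeded
            elif status.startswith("5"):
                s["auth_fail"] += 1          # 535: bad credentials
        elif method == "RCPT" and status.startswith("250"):
            addr = recipient_address(rec.get("cs-uri-query", ""))
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
            if domain and domain not in local_domains:
                s["relayed"].append(addr)    # accepted for a domain that is not ours
    return dict(stats)


def flag(stats, fail_threshold=5):
    """Classify each client IP worth a closer look."""
    verdicts = {}
    for ip, s in stats.items():
        if s["relayed"] and s["auth_ok"]:
            verdicts[ip] = "authenticated relay"     # the case in this thread
        elif s["relayed"]:
            verdicts[ip] = "unauthenticated relay"   # relay list too wide, or open relay
        elif s["auth_fail"] >= fail_threshold:
            verdicts[ip] = "password guessing"       # hammering AUTH, nothing relayed yet
    return verdicts


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG, {"example.com"})
    for ip, verdict in flag(st).items():
        print(ip, verdict, st[ip]["first"], "to", st[ip]["last"], st[ip]["relayed"])
```

Run against the author's log exactly as posted, every counter stays at zero, because none of the three fields the detection keys on is present; that, rather than an idle spammer, is why nothing can be read from those lines. The MAIL FROM, HELO and DATA records are deliberately ignored: only AUTH and accepted RCPT lines decide whether a session was a relay.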
 
Author Comment by: skwajee, ID: 11930263
Seems to be OK now