  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 518

Spammers trying to relay through my Exchange Server

My Exchange server is getting flooded by a few IPs with spam. Now, relay is only open to a couple of select IPs so I'm not sending these emails out; however, the server is crashing because it's keeping the emails in the queue and also trying to send NDRs to the sender. I had 100k of junk in the queue in a few hours. How can I get the server to totally drop or not receive anything that is (from an outside domain TO an outside domain)?
Asked by: Mmats
3 Solutions
 
munichpostman Commented:
You should install an additional system in front of your Exchange Server to handle Internet mail relaying. This way you can configure the Exchange Server to only accept mail from this system. There are lots of good mail relays out there, from freeware such as Postfix to commercial solutions such as Clearswift Mailsweeper, or Ironport, which is an appliance.

If this is not an option and you are using Exchange 2003, consider the "Filter recipients who are not in the Directory" option. It is not enabled by default; this feature allows you to silently drop mails which are sent to objects which do not exist in Active Directory.

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html


0
 
Mmats (Author) Commented:
Forgot to mention, yes it is Exchange 2003 and I set it to filter objects not in AD and activated it for SMTP, and I'm still getting the undeliverable spam emails in my queue.
0
 
Sembee Commented:
ESM isn't very good at showing what is really in your queues when it comes to very large numbers of messages. Even though you have made the changes it could still be processing the messages and then they show in ESM.

You need to get the messages flushed out. Once they are flushed and you are confident they are clear, if the messages continue to come in then you can start looking for other reasons.

I have written some techniques that you can use for this process on my web site. http://www.amset.info/exchange/spam-cleanup.asp
It is a bit long so I will not repeat them here.

Simon.
0
Mmats (Author) Commented:
I'm not using ESM to look at my queue, I'm going straight to the directory. Right when I open the port on my firewall it starts piling up. This isn't a live server, so any messages at all are going to be spammers and people trying to crash my server. I need a way to make sure that people outside my LAN/domain can only send mail to people inside my domain, but also allow for people in the LAN to send outside.
0
 
Mmats (Author) Commented:
I'm thinking Microsoft didn't implement a way to do this without a third-party solution.
0
 
Sembee Commented:
It isn't always Microsoft's fault. A lot of the problems with email are due to the way that SMTP is designed and spammers taking advantage.
Exchange in the main will do what you want, you just need to be careful with the configuration not to leave holes that can be exploited.

What kind of spam messages are these?

Are they NDR spam, where the email is sent to a non-valid user on purpose to make your machine generate an NDR? The from line is usually faked and that is the real target. That is usually resolved by the filter unknown users trick which you say that you already have done. Have you tested that? If it is working and you send a message from another account (Yahoo, Hotmail etc) the bounce should come back very quickly as the SMTP connection is refused.

Are they being sent as if they are coming from another domain? If that is the case then you either have an open relay or you are a victim of an authenticated user relay - this means one of your accounts has been compromised.
If you don't have any users sending email via Outlook Express then you can disable authenticated user relay as it isn't required for Exchange to operate correctly.

Simon.
0
 
Mmats (Author) Commented:
Well, the real problem is the NDR spam. I can't use the unknown users filter because people in my domain wouldn't be able to send outside. Is there any way to limit which IPs are allowed to get NDRs or something similar? Or even turn off NDRs altogether?
0
 
Mmats (Author) Commented:
Is there a reg hack where I can delete any NDRs if they fail to deliver on the first try?
0
 
Sembee Commented:
What do you mean by this:
"I can't use the unknown users filter because people in my domain wouldn't be able to send outside"
That filter has nothing to do with outbound email. Unless your users are sending messages from addresses that don't exist on your email server (which is very suspicious activity) then this filter will not affect your users ability to send email. It only filters inbound.

Disabling NDRs, while it can be done isn't really a good idea. How do you explain to the manager that a massive sales order or query was lost because it was sent to slaes@yourdomain instead of sales@yourdomain and the sender didn't get an NDR?

Simon.
0
 
Mmats (Author) Commented:
Point taken about the NDRs. But I tried using the filter for unknown users and I'm still getting emails in my queue that are for users in the yahoo.com domain etc. And I had the filter activated for the SMTP connection.
0
 
Sembee Commented:
Are you sure that they aren't being sent from your users? How many messages are we talking about?

It might be authenticated user spam, where one of your accounts has been compromised. If that is the case then you will need to turn up logging to see which account is being attacked.

Simon.
0
 
Mmats (Author) Commented:
No, it's not any user accounts, it's all anonymous access; I checked the logs. Upwards of 20k messages a day.
0
 
Sembee Commented:
Have you checked that you aren't an open relay? 20k messages a day isn't right.

There are limited ways that messages can relay through:

- open relay
- authenticated relay
- NDR attack

If the emails are not coming from postmaster@ or <> then it isn't NDR, then it must be one of the other two.

Simon.
0
 
Mmats (Author) Commented:
I'm only allowing relay for 2 IPs on the SMTP connection and these aren't NDRs. The only authentication I'm using for SMTP is anonymous access. It's like the server isn't deleting the emails faster than they come in, because I noticed it is deleting them (likely because of the filter unknown users). The one weird thing I noticed is that when I look at current sessions for SMTP, for most sessions it lists my server's outside IP as the 'User' and the spammer's IP as the 'From'.
0
 
Sembee Commented:
The filter on known users stops the messages from even being deleted. You will not see them queue as the messages aren't even hitting the server.
The messages are probably being deleted when they time out.

What happens if you remove the two IPs that you are allowing relaying for? That isn't always a good idea to do it by IP address, I personally prefer to do it by authentication.
Remember that you don't need your server's own IP address in that list.

Simon.
0
 
Mmats (Author) Commented:
Well, I'm not at work right now to try removing the IPs, but I will try that. I'm allowing relay for the 192.168.0.0 range as well as one other outside IP.
0
 
Sembee Commented:
Ah ha. Is your firewall on that same IP range? If so, that is the problem. Exchange sees the traffic coming from the firewall IP address, which is in its relay range, and allows it to relay. You need to remove the firewall from the list, or better still restrict the list even further.

I don't like granting relay rights to IP address ranges; I prefer to do it via authentication. It gives me more control over who and what can relay. If you go down that path, create a group for the users who need to relay, and give the rights to the group. It makes management of the facility so much easier.

Simon.
0
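Added example, not code from the thread or from Exchange: a small Python triage script that sorts outbound queue entries into the three relay paths Sembee lists (NDR backscatter, authenticated relay, IP-based relay) and checks for the firewall-inside-the-relay-range mistake he describes above. The relay list, firewall address and queue entries are constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed, not from the thread: a relay list shaped like the poster's (an RFC 1918
# range plus one outside host) and the inside address of a NAT firewall in that range.
RELAY_RANGES = ["192.168.0.0/16", "203.0.113.10/32"]
FIREWALL_INSIDE_IP = "192.168.0.1"

@dataclass
class QueuedMessage:
    client_ip: str       # address Exchange saw on the submitting SMTP session
    authenticated: bool  # True if that session passed AUTH
    mail_from: str       # envelope sender; "" stands for the null sender <>
    rcpt_to: str         # external envelope recipient

def in_relay_range(ip, relay_ranges=RELAY_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in relay_ranges)

def relay_path(m, relay_ranges=RELAY_RANGES):
    """Name the path by which an outbound queue entry got there, checked in the
    order Sembee gives: NDR backscatter, authenticated relay, IP-based relay."""
    if m.mail_from == "" or m.mail_from.lower().startswith("postmaster@"):
        return "ndr-backscatter"   # bounce to a (probably forged) external sender
    if m.authenticated:
        return "authenticated-relay"  # a local account is compromised
    if in_relay_range(m.client_ip, relay_ranges):
        return "ip-relay"          # the relay list is doing the accepting
    return "unexplained"           # none of the three paths: treat as an open relay

def relay_audit(queue, relay_ranges=RELAY_RANGES, firewall_ip=FIREWALL_INSIDE_IP):
    """Tally the queue by relay path and flag the thread's misconfiguration: the
    firewall's address inside the relay range, so NAT'd outside hosts look internal."""
    counts = Counter(relay_path(m, relay_ranges) for m in queue)
    warnings = []
    if in_relay_range(firewall_ip, relay_ranges):
        warnings.append(f"firewall {firewall_ip} is inside the relay range; "
                        "outside submissions arriving through it will relay")
    return dict(counts), warnings

# Constructed queue entries: two bounces, one compromised-account relay, and two
# spam submissions that reached Exchange through the NAT firewall.
SAMPLE_QUEUE = [
    QueuedMessage("203.0.113.55", False, "", "victim@example.org"),
    QueuedMessage("203.0.113.55", False, "postmaster@example.com", "victim@example.org"),
    QueuedMessage("198.51.100.7", True, "alice@example.com", "buyer@example.net"),
    QueuedMessage(FIREWALL_INSIDE_IP, False, "spammer@example.net", "victim@example.org"),
    QueuedMessage(FIREWALL_INSIDE_IP, False, "spammer@example.net", "other@example.org"),
]
```

Running `relay_audit(SAMPLE_QUEUE)` shows the firewall warning and two `ip-relay` entries; re-running with the range narrowed to the single outside host clears the warning and leaves those two entries with no legitimate path.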
 
Mmats (Author) Commented:
I don't think that is the problem because only the inside IP is granted access with the 192.168.0.0 range. But I tried removing every IP from relaying and I still get messages in the queue; however, I'm beginning to think this is a non-issue, because the messages are being deleted and I think they are just put in the queue until they are filtered by the Active Directory filter.
0
 
Mmats (Author) Commented:
Or maybe the problem has something to do with the fact that I'm getting an undeliverable reply when trying to send emails outside. The message it gives me is:

Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 12/7/2004 11:16 AM

The following recipient(s) could not be reached:

*@bellsouth.net on 12/7/2004 11:17 AM
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator.

------
I can email other inside addresses, though. I don't think this has anything to do with BellSouth doing reverse DNS, because I watched the traffic on the firewall and the email server never sent anything outside. All IPs on the LAN have permission to relay and outbound security is set to anonymous access. So maybe the messages are being deleted after they time out; in essence I'm an open relay that can't actually relay because of something blocking anything from getting out?
0
 
Mmats (Author) Commented:
I removed the 192.168.0.0 range from my list of IPs allowed to relay and now I can send email to the outside. How does that make any sense?
0
 
Sembee Commented:
Very odd behaviour. You need to look through the configuration of the server carefully to see if there is anything that could be causing the message to bounce. A common example is using an SMTP connector and configuring the server as its own smart host. The email will just bounce between itself, or at least it would if Exchange didn't notice it and reject the message.

Simon.
0
 
Mmats (Author) Commented:
Yeah, I got rid of an SMTP connector and got rid of that range of IPs, which it will apparently allow relaying for by default. Now I'm receiving no more messages in my queue and I can send to the outside =). Thanks
0