Mmats

asked on
Spammers trying to relay through my Exchange Server

My Exchange server is getting flooded by a few IPs with spam. Now, relay is only open to a couple of select IPs, so I'm not sending these emails out; however, the server is crashing because it's keeping the emails in the queue and also trying to send NDRs to the sender. I had 100k of junk in the queue in a few hours. How can I get the server to totally drop or not receive anything that is (from an outside domain TO an outside domain)?
ASKER CERTIFIED SOLUTION
Member_2_1821405
Mmats

ASKER
Forgot to mention: yes, it is Exchange 2003, and I set it to filter objects not in AD and activated it for SMTP, and I'm still getting the undeliverable spam emails in my queue.
SOLUTION
Mmats

ASKER
I'm not using ESM to look at my queue; I'm going straight to the directory. Right when I open the port on my firewall it starts piling up. This isn't a live server, so any messages at all are going to be spammers and people trying to crash my server. I need a way to make sure that people outside my LAN/domain can only send mail to people inside my domain, but also allow people in the LAN to send outside.
Mmats

ASKER
I'm thinking Microsoft didn't implement a way to do this without a third-party solution.
SOLUTION
Mmats

ASKER
Well, the real problem is the NDR spam. I can't use the unknown users filter because people in my domain wouldn't be able to send outside. Is there any way to limit which IPs are allowed to get NDRs, or something similar? Or even turn off NDRs altogether?
Mmats

ASKER
Is there a reg hack where I can delete any NDRs if they fail to deliver on the first try?
What do you mean by this:
"I can't use the unknown users filter because people in my domain wouldn't be able to send outside"
That filter has nothing to do with outbound email. Unless your users are sending messages from addresses that don't exist on your email server (which is very suspicious activity), this filter will not affect your users' ability to send email. It only filters inbound.

Disabling NDRs, while it can be done isn't really a good idea. How do you explain to the manager that a massive sales order or query was lost because it was sent to slaes@yourdomain instead of sales@yourdomain and the sender didn't get an NDR?

Simon.
Mmats

ASKER
Point taken about the NDRs. But I tried using the filter for unknown users and I'm still getting emails in my queue that are for users in the yahoo.com domain etc. And I had the filter activated for the SMTP connection.
Are you sure that they aren't being sent from your users? How many messages are we talking about?

It might be authenticated user spam, where one of your accounts has been compromised. If that is the case then you will need to turn up logging to see which account is being attacked.

Simon.
Mmats

ASKER
No, it's not any user accounts; it's all anonymous accounts, I checked the logs. Upwards of 20k messages a day.
Have you checked that you aren't an open relay? 20k messages a day isn't right.

There are limited ways that messages can relay through:

- open relay
- authenticated relay
- NDR attack

If the emails are not coming from postmaster@ or <> then it isn't NDR, then it must be one of the other two.

Simon.
Mmats

ASKER
I'm only allowing relay for 2 IPs on the SMTP connection, and these aren't NDRs. The only authentication I'm using for the SMTP is anonymous access. It's like the server isn't deleting the emails faster than they come in, because I noticed it is deleting them (likely because of the filter for unknown users). The one weird thing I noticed is that when I look at current sessions for the SMTP, for most sessions it lists my server's outside IP as the 'User' and the spammer's IP as the 'From'.
The filter on known users stops the messages from even being deleted. You will not see them queue as the messages aren't even hitting the server.
The messages are probably being deleted when they time out.

What happens if you remove the two IPs that you are allowing relaying for? It isn't always a good idea to do it by IP address; I personally prefer to do it by authentication.
Remember that you don't need your server's own IP address in that list.

Simon.
Mmats

ASKER
Well, I'm not at work right now to try removing the IPs, but I will try that. I'm allowing relay for the 192.168.0.0 domain as well as one other outside IP.
Ah ha. Is your firewall on that same IP range? If so that is the problem. Exchange sees the traffic coming from the firewall IP address which is in its relay range and allows it to relay. You need to remove the firewall from the list, or better still restrict the list even further.

I don't like granting relay rights to IP address ranges; I prefer to do it via authentication. Gives me more control over who and what can relay. If you go down that path, create a group for the users who need to relay, and give the rights to the group. Makes management of the facility so much easier.

Simon.
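Simon's three relay paths (open relay, authenticated relay, NDR attack), the recipient filter that rejects unknown local users before an NDR is ever generated, and the pitfall of a NAT'ed firewall address falling inside a 192.168.0.0/16 relay range can all be expressed as one policy check evaluated at RCPT time. The following is an added example written for this thread, not code from Exchange or from any poster; the domains, addresses, relay networks and the five-column log format are constructed for illustration.

```python
"""Evaluate SMTP relay decisions and summarise a constructed session log.

Added example, not from the original thread or from Exchange. Policy
inputs, addresses and the log format below are constructed assumptions.
"""
import ipaddress
from collections import Counter

# Constructed policy: which domains are ours and which recipients exist
# in the directory (the "filter recipients not in AD" idea from the thread).
LOCAL_DOMAINS = {"example.com"}
KNOWN_LOCAL_USERS = {"sales@example.com", "bob@example.com"}
# Relay allowed by source network. 192.168.0.0/16 is included on purpose
# to show how an inside firewall address in that range gets relay rights.
RELAY_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                  ipaddress.ip_network("203.0.113.7/32")]

ACCEPT = "accept-inbound"               # local, known recipient
ACCEPT_RELAY = "accept-relay"           # outbound, relay permitted
REJECT_UNKNOWN = "reject-unknown-recipient"  # local but not in directory
REJECT_RELAY = "reject-relay-denied"    # outside -> outside, not permitted


def domain_of(addr):
    """Return the lowercased domain part of an address, '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_bounce(mail_from):
    """Null sender or postmaster@ marks a delivery status notification."""
    return mail_from in ("", "<>") or mail_from.lower().startswith("postmaster@")


def relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Decide during the SMTP session, before DATA, so nothing is queued.

    Rejecting an unknown local recipient at RCPT means the server never
    accepts the message and therefore never has to generate an NDR.
    """
    rcpt = rcpt_to.lower()
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return ACCEPT if rcpt in KNOWN_LOCAL_USERS else REJECT_UNKNOWN
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in RELAY_NETWORKS):
        return ACCEPT_RELAY
    return REJECT_RELAY


# Constructed log: client_ip auth_flag user mail_from rcpt_to
# 192.168.0.1 stands for the firewall's inside address after NAT.
SAMPLE_LOG = """\
198.51.100.9 anon - spammer@outside.invalid victim@yahoo.com
198.51.100.9 anon - spammer@outside.invalid other@yahoo.com
198.51.100.9 anon - spammer@outside.invalid slaes@example.com
192.168.0.1 anon - spammer@outside.invalid victim@yahoo.com
192.168.0.25 anon - bob@example.com friend@yahoo.com
203.0.113.7 anon - partner@partner.invalid sales@example.com
198.51.100.9 anon - <> bob@example.com
198.51.100.40 auth bob@example.com bob@example.com someone@yahoo.com
"""


def parse_line(line):
    client_ip, auth_flag, _user, mail_from, rcpt_to = line.split()
    return client_ip, auth_flag == "auth", mail_from, rcpt_to


def summarise(log_text):
    """Count decisions, relay sources and bounce-style senders."""
    decisions, relay_denied, relay_granted = Counter(), Counter(), Counter()
    bounces = 0
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        client_ip, authenticated, mail_from, rcpt_to = parse_line(line)
        verdict = relay_decision(client_ip, authenticated, mail_from, rcpt_to)
        decisions[verdict] += 1
        if verdict == REJECT_RELAY:
            relay_denied[client_ip] += 1
        elif verdict == ACCEPT_RELAY:
            relay_granted[client_ip] += 1
        if is_bounce(mail_from):
            bounces += 1
    return {"decisions": decisions, "relay_denied": relay_denied,
            "relay_granted": relay_granted, "bounces": bounces}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Running it shows the relay granted to 192.168.0.1, which is exactly the case Simon describes: the server sees the firewall's inside address, finds it within the permitted range, and relays outside-to-outside mail. Narrowing RELAY_NETWORKS to the specific hosts that need it, or replacing the network list with the `authenticated` check alone, turns that line into a rejection.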
Mmats

ASKER
I don't think that is the problem, because only the inside IP is granted access with the 192.168.0.0 range. But I tried removing every IP from relaying and I still get messages in the queue; however, I'm beginning to think this is a non-issue, because the messages are being deleted and I think they are just put in the queue until they are filtered by the Active Directory filter.
Mmats

ASKER
Or maybe the problem has something to do with the fact that I'm getting an undeliverable reply when trying to send emails outside. The message it gives me is:

Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 12/7/2004 11:16 AM

The following recipient(s) could not be reached:

*@bellsouth.net on 12/7/2004 11:17 AM
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator.

------
I can email other inside addresses, though. I don't think this has anything to do with BellSouth doing reverse DNS, because I watched the traffic on the firewall and the email server never sent anything outside. All IPs on the LAN have permission to relay and outbound security is set to anonymous access. So maybe the messages are being deleted after they time out; in essence I'm an open relay that can't actually relay because of something blocking anything from getting out?
Mmats

ASKER
I removed the 192.168.0.0 range from my list of IPs allowed to relay and now I can send email to the outside. How does that make any sense?
Very odd behaviour. You need to look through the configuration of the server carefully to see if there is anything that could be causing the message to bounce. A common example is using an SMTP connector and configuring the server as its own smart host. The email will just bounce between itself, or at least it would if Exchange didn't notice it and reject the message.

Simon.
Mmats

ASKER
Yeah, I got rid of an SMTP connector and got rid of that range of IPs, which it will apparently allow relaying for by default. Now I'm receiving no more messages in my queue and I can send to the outside =). Thanks