
Exchange 2003 Current Sessions

On an Exchange server under Protocols -> SMTP -> Default SMTP Virtual Server -> Current Sessions, I occasionally see users with external IP addresses that have been connected for quite a long time. Does this mean that they are using our SMTP server for spam? How can I test if someone is using an SMTP server to relay?

Comments would be appreciated.

thanks

antonio
Asked:
An_toni_o
 
Sembee Commented:
It could be spam.
It may also be legitimate email where the session hasn't closed down properly.

Exchange is relay secure by default. If your server is being used as a relay for spam there are usual signs - the biggest being that there are a large number of undeliverable messages in the queues.

There are various open relay test web sites on the Internet - you could run your server through one of those to see if you are an open relay.

Simon.
Exchange MVP.
 
An_toni_o (Author) Commented:

Hi Simon,

We currently have that server to only allow email relay from a range of IP addresses, so should I still be able to see external email addresses not within that range in the sessions? Are the IP addresses shown the address it is going to or the address it is being sent from?

thanks for your help,

antonio
 
Sembee Commented:
If you are using Exchange in the way that it was designed to be used (all email is sent via SMTP) then you will have three types of SMTP Sessions that could be shown.

Inbound (email coming in to your server from other people)
Outbound (Your server sending email out to other people)
Relay (which you don't want).

Therefore the sessions that you are seeing could be legitimate messages that fall into one of the two categories that you want to accept.

With regards to the relay allowed by IP address range - you should be very careful with that feature. It is very easy to make yourself an open relay.
Ensure that the firewall or gateway device is not included in the range. A common mistake is for people to put the entire subnet in - and as the firewall/gateway is on the same subnet, Exchange allows external traffic to relay because it is coming from an internal IP address.
If you must allow relaying, then my preference is to use authenticated relaying. This makes the sending device ask for permission rather than Exchange just presuming permission. If you do go down that route, don't use the administrator account as this is attacked heavily for authenticated relaying.

Simon
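Added example (not part of the original thread and not Exchange's own tooling): a Python check of the two points in the answer above, that a relay-by-IP range must not contain the firewall/gateway address, and that Current Sessions can legitimately show addresses outside that range. The function name `audit_relay_config` and every address below are constructed for illustration.

```python
import ipaddress

def audit_relay_config(relay_ranges, gateway_ips, session_ips):
    """Audit a relay-by-IP allow-list and classify SMTP session sources.

    relay_ranges: CIDR strings granted relay rights on the virtual server.
    gateway_ips:  internal addresses of firewall/gateway devices.
    session_ips:  remote addresses listed under Current Sessions.
    Returns (findings, sessions): a list of warnings and a dict ip -> label.
    """
    networks = [ipaddress.ip_network(r, strict=False) for r in relay_ranges]
    gateways = [ipaddress.ip_address(g) for g in gateway_ips]

    def ranges_containing(addr):
        return [str(n) for n in networks if addr in n]

    # A gateway inside a relay range means external traffic that arrives
    # with the gateway's internal address is granted relay rights.
    findings = [
        f"gateway {gw} is inside relay range {net}"
        for gw in gateways for net in ranges_containing(gw)
    ]

    sessions = {}
    for ip in session_ips:
        addr = ipaddress.ip_address(ip)
        if not ranges_containing(addr):
            # Outside every range: can deliver inbound mail, cannot relay by IP.
            sessions[ip] = "no relay rights by IP"
        elif addr in gateways:
            sessions[ip] = "relay permitted via gateway address"
        else:
            sessions[ip] = "relay permitted"
    return findings, sessions

# Constructed sample data: the whole-subnet mistake and a narrowed range.
RELAY_RANGES_WHOLE_SUBNET = ["192.168.1.0/24"]
RELAY_RANGES_NARROWED = ["192.168.1.16/28"]   # application servers only
GATEWAY_IPS = ["192.168.1.1"]
SESSION_IPS = ["192.168.1.1", "192.168.1.25", "203.0.113.40"]

if __name__ == "__main__":
    for ranges in (RELAY_RANGES_WHOLE_SUBNET, RELAY_RANGES_NARROWED):
        findings, sessions = audit_relay_config(ranges, GATEWAY_IPS, SESSION_IPS)
        print(ranges, findings or "no findings")
        for ip, label in sessions.items():
            print(f"  {ip}: {label}")
```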
 
An_toni_o (Author) Commented:
Simon,

Thanks for your help, that is what I wanted to know.

antonio
