SPAM relay problem in ES 5.5: how to stop bounced emails

We still have an old Exchange Server 5.5 running on NT4. It has now been targeted by a number of spammers for transmission of their spam. I am NOT an expert on this, but my understanding is that when someone attempts to send an email to a non-existent address on the server (nojoe@mydomain.com) ES 5.5 will not deliver it, of course, but will allow the server to send it onward to any other recipients that are not in one of our domains. As a result, I think, there are now huge numbers of spam messages being forwarded from our server. We have now been black-listed by Comcast, for example. Since we host mail for about 25 domains, with many of the users off-site, does anyone know of a way to stop this from happening? I set up a new user for the notifications for the admin and now am receiving hundreds of notices of failed inbound emails. I gave up on trying to enter domains in the routing tab of the IMC, as there are just too many and they constantly change. (yes, I know we need to move off of this beast, but that is still a few months away.) Any help is sincerely appreciated.
sys-statAsked:

NetoMeter ScreencastsCommented:
Hi!
Did you disable Open Relay in your Exchange 5.5 server?
Here is how your IMC should be configured:

http://www.netometer.net/video/indexkey.html?tutorials/e55relay/index.php

Dean
0
sys-statAuthor Commented:
NetoMeter,

First, thanks for the pointer to the video. Nice. As to the question of Open Relay, yes, sort of. I had selected the second item, Reroute, a long time ago. That seemed to stop the issues we had then. I did not select the "Hosts and Clients that authenticate," as that seemed to stop all connections to the outside world. If I understand that point, it means that a host, like yahoo, must authenticate to send an email to my server and that didn't seem possible. Did I miss something here?

On the Connections tab, there are two check boxes at the bottom relating to authentication for clients. We once tried to enable these, but again, it seemed to shut down the connections to the outside world.

I guess my question now is, if we select one of these, do you think it will work for us? And if so, will it stop the spam from getting "bounced" by ES and thus relayed onward?
0
NetoMeter ScreencastsCommented:
Well,
If "Hosts and Clients that authenticate" is checked, this means that anybody (including Yahoo) can send e-mails to email addresses which belong to one of the 25 <inbound> domains listed in the routing box.
It also means that anybody who tries to send an e-mail to an external email domain (not listed in the routing box) has to authenticate before sending the e-mail. Effectively this means that IMAP or POP3 clients should check the box "my outgoing server requires authentication" in their e-mail client configuration.
If you are using a MAPI client (like MS Outlook configured for Exchange) you don't have to change anything.

If "Hosts and Clients that authenticate" is not checked, this means that your Exchange server is an Open Relay and anybody can use it to send SPAM.

Dean
0

sys-statAuthor Commented:
OK, so I set the "Hosts and Clients that authenticate” to be checked. I can apparently send and receive mail for my account, for instance, but I am still getting huge numbers of inbound mail failure notices. Typical is:

<adisa@federculture.it> adisa@federculture.it
      MSEXCH:IMS:Mydomain:Mylocation:Myserver 3550 (000B09B6) 550 <adisa@federculture.it>: User unknown in virtual alias table

or this one to a non-existent user on our domain:

<LILLIANLESLIEMARTEN@MYDOMAIN.COM> LILLIANLESLIEMARTEN@MYDOMAIN.COM
      MSEXCH:IMS:Mydomain:Mylocation:Myserver 0 (000C05A6) Unknown Recipient


In checking the logs, I see that some of the bad emails are getting through to the queues. Most of them are without an originator. Is there a way to stop these emails from getting to the server and do we know if they are getting re-sent from our server when we reject them?

Sorry to be so dense on this stuff, but I sincerely appreciate the help!
0
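As an added illustration (not code from the thread or from Exchange), a small parser that reads NDR notices in the two-line layout quoted above and separates the two cases the thread is concerned with: bounces our server generated for unknown local users (the backscatter source) versus failures of mail our server tried to deliver outward (where the originator's right to relay should be checked). The LOCAL_DOMAINS set is an assumed placeholder; the sample entries are the two quoted in the thread.

```python
import re
from dataclasses import dataclass

# Sample NDR notices: the two entries quoted in the thread above (two lines each).
SAMPLE_NDRS = """\
<adisa@federculture.it> adisa@federculture.it
      MSEXCH:IMS:Mydomain:Mylocation:Myserver 3550 (000B09B6) 550 <adisa@federculture.it>: User unknown in virtual alias table
<LILLIANLESLIEMARTEN@MYDOMAIN.COM> LILLIANLESLIEMARTEN@MYDOMAIN.COM
      MSEXCH:IMS:Mydomain:Mylocation:Myserver 0 (000C05A6) Unknown Recipient
"""
# Placeholder for the domains this server hosts (assumed; the thread does not list them).
LOCAL_DOMAINS = {"mydomain.com"}
RCPT_RE = re.compile(r"^<(?P<addr>[^>]+)>")
STATUS_RE = re.compile(r"MSEXCH:IMS:\S+\s+(?P<code>\d+)\s+\((?P<hexcode>[0-9A-Fa-f]+)\)\s+(?P<reason>.+)$")

@dataclass
class Ndr:
    recipient: str
    code: int
    hexcode: str
    reason: str
    kind: str

def classify(recipient: str, reason: str) -> str:
    """Tell NDRs for unknown local users (backscatter source) from failed outbound deliveries."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:
        return "outbound-failure"  # IMC tried external delivery: was the originator authorised to relay?
    if "unknown recipient" in reason.lower():
        return "local-unknown"     # accepted, then bounced: the NDR goes to a possibly forged sender
    return "other"

def parse_ndrs(text: str) -> list[Ndr]:
    """Parse the two-line notice layout: '<addr> addr' followed by the MSEXCH:IMS status line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for rcpt_line, status_line in zip(lines[0::2], lines[1::2]):
        r, s = RCPT_RE.match(rcpt_line), STATUS_RE.search(status_line)
        if not (r and s):
            continue  # skip truncated or unrelated lines rather than failing the whole batch
        addr = r["addr"]
        entries.append(Ndr(addr, int(s["code"]), s["hexcode"], s["reason"], classify(addr, s["reason"])))
    return entries

def summarize(entries: list[Ndr]) -> dict[str, int]:
    """Count NDRs per class; a large local-unknown count is the backscatter signal to act on."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts
```

Run `summarize(parse_ndrs(SAMPLE_NDRS))` over a day's worth of admin notices to see which of the two cases dominates before deciding on recipient filtering or NDR suppression.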
SembeeCommented:
You can't stop the NDR spam with Exchange 5.5 natively. Recipient filtering wasn't introduced until Exchange 2003, and to use it safely you need to have Exchange 2003 on Windows 2003 SP1.

Therefore you will have to look to a third party tool that can do recipient filtering. GFI Mail Essentials can do it, as can some others. There are also antispam appliances that will sit in front of your Exchange server that can do the recipient filtering.

Simon.
0
NetoMeter ScreencastsCommented:
I would not agree with Sembee:
“You can't stop the NDR spam with Exchange 5.5 natively.”

Obviously, he is not aware of this hotfix:
http://support.microsoft.com/?kbid=837794

Dean

0
SembeeCommented:
That doesn't really stop it. All it does is suppress the NDRs. Personally I don't call that stopping the NDR spam - it just hides it. The server still has to process the messages and legitimate NDRs are not delivered.

The biggest customer sends an email to their account manager with an order for $10k of stuff. Except he gets one letter wrong and the message should bounce. It doesn't - the message just disappears. The client doesn't get their stuff because the recipient never got the message. The sender didn't get an NDR, so presumed that the message was delivered correctly.

I don't advocate disabling NDRs on any version of Exchange.

Simon.
0
NetoMeter ScreencastsCommented:
There are three options for this hotfix:

1. DWORD value "1" - Internet Mail Service does not deliver NDRs
2. DWORD value "10" - Internet Mail Service does not generate NDRs
3. DWORD value "100" - Internet Mail Service does not deliver any NDRs if an SMTP address is missing in the return address field

Based on what you say, sys-stat, I recommend option 3 for you.

Dean
0

sys-statAuthor Commented:
NetoMeter,

Thank you for all of the help with this. Obviously, we have some other major issues to deal with, too. But your answer did get us sorted out to the extent that ES 5.5 can deal with it.

Thanks,

Michael
0
Question has a verified solution.