Solved

SPAM relay problem in ES 5.5: how to stop bounced emails

Posted on 2006-03-28
Medium Priority
331 Views
Last Modified: 2008-03-10
We still have an old Exchange Server 5.5 running on NT4. It has now been targeted by a number of spammers for transmission of their spam. I am NOT an expert on this, but my understanding is that when someone attempts to send an email to a non-existent address on the server (nojoe@mydomain.com) ES 5.5 will not deliver it, of course, but will allow the server to send it onward to any other recipients that are not in one of our domains. As a result, I think, there are now huge numbers of spam messages being forwarded from our server. We have now been black-listed by Comcast, for example. Since we host mail for about 25 domains, with many of the users off-site, does anyone know of a way to stop this from happening? I set up a new user for the notifications for the admin and now am receiving hundreds of notices of failed inbound emails. I gave up on trying to enter domains in the routing tab of the IMC, as there are just too many and they constantly change. (yes, I know we need to move off of this beast, but that is still a few months away.) Any help is sincerely appreciated.
Question by:sys-stat
9 Comments
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16316574
Hi!
Did you disable Open Relay in your Exchange 5.5 server?
Here is how your IMC should be configured:

http://www.netometer.net/video/indexkey.html?tutorials/e55relay/index.php

Dean
0
 

Author Comment

by:sys-stat
ID: 16317168
NetoMeter,

First, thanks for the pointer to the video. Nice. As to the question of Open Relay, yes, sort of. I had selected the second item, Reroute, a long time ago. That seemed to stop the issues we had then. I did not select the "Hosts and Clients that authenticate," as that seemed to stop all connections to the outside world. If I understand that point, it means that a host, like yahoo, must authenticate to send an email to my server and that didn't seem possible. Did I miss something here?

On the Connections tab, there are two check boxes at the bottom relating to authentication for clients. We once tried to enable these, but again, it seemed to shut down the connections to the outside world.

I guess my question now is, if we select one of these, do you think it will work for us? And if so, will it stop the spam from getting "bounced" by ES and thus relayed onward?
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16317343
Well,
If "Hosts and Clients that authenticate" is checked this means that anybody (including Yahoo) can send e-mails to email addresses which belong to one of the 25 <inbound> domains listed in the routing box.
It also means that anybody who tries to send an e-mail to an external email domain (not listed in the routing box) has to authenticate before sending the e-mail. Effectively this means that IMAP or POP3 clients should check the box “my outgoing server requires authentication” in their e-mail client configuration.
If you are using a MAPI client (like MS Outlook configures for Exchange) you don’t have to change anything.

If "Hosts and Clients that authenticate" is not checked this means that your Exchange server is Open Relay and anybody can use it to send SPAM.

Dean
0
 

Author Comment

by:sys-stat
ID: 16317827
OK, so I set the "Hosts and Clients that authenticate" to be checked. I can apparently send and receive mail for my account, for instance, but I am still getting huge numbers of inbound mail failure notices. Typical is:

<adisa@federculture.it> adisa@federculture.it
      MSEXCH:IMS:Mydomain:Mylocation:Myserver 3550 (000B09B6) 550 <adisa@federculture.it>: User unknown in virtual alias table

or this one to a non-existent user on our domain:

<LILLIANLESLIEMARTEN@MYDOMAIN.COM> LILLIANLESLIEMARTEN@MYDOMAIN.COM
      MSEXCH:IMS:Mydomain:Mylocation:Myserver 0 (000C05A6) Unknown Recipient


In checking the logs, I see that some of the bad emails are getting through to the queues. Most of them are without an originator. Is there a way to stop these emails from getting to the server and do we know if they are getting re-sent from our server when we reject them?

Sorry to be so dense on this stuff, but I sincerely appreciate the help!
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16327313
You can't stop the NDR spam with Exchange 5.5 natively. Recipient filtering wasn't introduced until Exchange 2003, and to use it safely you need to have Exchange 2003 on Windows 2003 SP1.

Therefore you will have to look to a third party tool that can do recipient filtering. GFI Mail Essentials can do it, as can some others. There are also antispam appliances that will sit in front of your Exchange server that can do the recipient filtering.

Simon.
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16329524
I would not agree with Sembee:
“You can't stop the NDR spam with Exchange 5.5 natively.”

Obviously, he is not aware of this hotfix:
http://support.microsoft.com/?kbid=837794

Dean

0
 
LVL 104

Expert Comment

by:Sembee
ID: 16329982
That doesn't really stop it. All it does is suppress the NDRs. Personally I don't call that stopping the NDR spam - it just hides it. The server still has to process the messages and legitimate NDRs are not delivered.

The biggest customer sends an email to their account manager with an order for $10k of stuff. Except he gets one letter wrong and the message should bounce. It doesn't - the message just disappears. The client doesn't get their stuff because the recipient never got the message. The sender didn't get an NDR, so presumed that the message was delivered correctly.

I don't advocate disabling NDRs on any version of Exchange.

Simon.
0
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 1000 total points
ID: 16334605
There are three options for this hotfix:

1. DWORD value "1" - Internet Mail Service does not deliver NDRs
2. DWORD value "10" - Internet Mail Service does not generate NDRs
3. DWORD value "100" - Internet Mail Service does not deliver any NDRs if an SMTP address is missing in the return address field

Based on what you say sys-stat, I recommend you option 3.

Dean
0
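The disagreement in the last few comments (Sembee's point that only recipient filtering stops backscatter, and that suppressing NDRs silently loses legitimate bounces, versus the hotfix options listed in the accepted answer) comes down to where the gateway decides what to do with mail for an unknown local user. The following is an added example, not code from this thread, from Exchange or from Microsoft; it models three policies on constructed traffic so the trade-off can be counted rather than argued. The domains, mailboxes, addresses and the policy names are all constructed, and the "suppress NDR" policy only approximates the effect described for the hotfix; it does not touch any registry setting.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the domains this gateway accepts mail for and the
# mailboxes that actually exist.  Nothing here is a real host.
LOCAL_DOMAINS = {"mydomain.com"}
VALID_MAILBOXES = {"joe@mydomain.com", "sales@mydomain.com"}


class Policy(Enum):
    ACCEPT_THEN_NDR = "accept every local recipient, bounce unknown ones later"
    ACCEPT_SUPPRESS_NDR = "accept every local recipient, never send NDRs"
    REJECT_AT_RCPT = "check the recipient during the SMTP session"


@dataclass
class Message:
    mail_from: str           # envelope sender as claimed by the connecting host
    rcpt_to: str
    sender_is_forged: bool   # ground truth for scoring; the gateway cannot see this


@dataclass
class Outcome:
    smtp_reply: str
    delivered: bool
    ndr_sent_to: Optional[str]   # address a bounce message is sent to, if any


def handle(msg: Message, policy: Policy) -> Outcome:
    """Return what the gateway does with one RCPT TO under the given policy."""
    domain = msg.rcpt_to.rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:
        # Not one of our domains and the client is unauthenticated: refuse to relay.
        return Outcome("550 5.7.1 relaying denied", False, None)
    if msg.rcpt_to.lower() in VALID_MAILBOXES:
        return Outcome("250 OK", True, None)
    # Unknown local recipient: this is where the three policies differ.
    if policy is Policy.REJECT_AT_RCPT:
        # The sending MTA learns of the failure inside the session, so no new
        # message is ever created and nothing can be sent to a forged address.
        return Outcome("550 5.1.1 user unknown", False, None)
    if policy is Policy.ACCEPT_THEN_NDR:
        # Accepted, then bounced to whatever MAIL FROM claimed: backscatter if forged.
        return Outcome("250 OK", False, msg.mail_from)
    # ACCEPT_SUPPRESS_NDR: accepted and silently dropped.
    return Outcome("250 OK", False, None)


def backscatter(messages: List[Message], policy: Policy) -> int:
    """Bounces that would land in the mailbox of someone whose address was forged."""
    return sum(1 for m in messages
               if m.sender_is_forged and handle(m, policy).ndr_sent_to is not None)


def lost_legit_bounces(messages: List[Message], policy: Policy) -> int:
    """Legitimate senders who misaddressed mail and were told nothing at all."""
    lost = 0
    for m in messages:
        if m.sender_is_forged:
            continue
        out = handle(m, policy)
        if out.smtp_reply.startswith("250") and not out.delivered and out.ndr_sent_to is None:
            lost += 1
    return lost


def summarize(messages: List[Message]) -> Dict[str, Tuple[int, int]]:
    """Map policy name -> (backscatter bounces, legitimate bounces lost)."""
    return {p.name: (backscatter(messages, p), lost_legit_bounces(messages, p)) for p in Policy}


# Constructed traffic: one good message, one honest typo (the "$10k order" case),
# two spam messages with forged senders aimed at unknown users, and one relay attempt.
SAMPLE = [
    Message("buyer@example.net", "sales@mydomain.com", sender_is_forged=False),
    Message("buyer@example.net", "sale@mydomain.com", sender_is_forged=False),
    Message("victim1@example.org", "lillianlesliemarten@mydomain.com", sender_is_forged=True),
    Message("victim2@example.org", "nojoe@mydomain.com", sender_is_forged=True),
    Message("victim3@example.org", "someone@example.com", sender_is_forged=True),
]

if __name__ == "__main__":
    for name, (bs, lost) in summarize(SAMPLE).items():
        print(f"{name:20s} backscatter={bs} lost_legit_bounces={lost}")
```

Run it and the three rows make the thread's point in numbers: accept-then-bounce produces one backscatter NDR per forged-sender spam, suppressing NDRs removes the backscatter but also swallows the honest typo without any notice to its sender, and rejecting unknown recipients inside the SMTP session does neither, which is why the 5.5-era advice is to put recipient filtering in front of the server rather than turn bounces off.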
 

Author Comment

by:sys-stat
ID: 16338114
NetoMeter,

Thank you for all of the help with this. Obviously, we have some other major issues to deal with, too. But your answer did get us sorted out to the extent that ES 5.5 can deal with it.

Thanks,

Michael
0
