JKevinWard

asked on

Emails filling up GFI whitelist - Exchange 2000

I'm running Exchange 2000 as part of SBS 2000 plus GFI MailEssentials to filter spam.  A couple of weeks ago I noticed the GFI whitelist was filling up with nearly 2000 new addresses added daily.  I tracked a couple of addresses that had been added in System Manager and the from address on these emails was *@yahoo.com.  I turned on SMTP logging and see a ton of emails that appear to be coming from inside with a yahoo.com from address.  I've run virus checks on all of our computers and all are clean.  Any suggestions on how to track where these emails are coming from?
Sembee

Message Tracking is the obvious answer to find out what is happening with the messages.
http://www.amset.info/exchange/message-tracking.asp

I would be surprised if it was a compromised machine - normally they use their own SMTP engine - they don't like to use another server as that signifies their presence.

Simon.
JKevinWard

ASKER

I had Message Tracking enabled.  I looked at a couple of the emails from yahoo.com addresses and here are the tracking messages for both:

SMTP:  Started Outbound Transfer of Message
Message transferred to smtp through SMTP

I also found a yahoo.com email to suwhitneyg@email.com.cn that had these messages:

SMTP:  Started Outbound Transfer of Message
Message transferred to mx.email.com.cn through SMTP

Are these coming from inside our system?
Was that all there was in the Message Tracking log?

This is starting to look like your server is relaying email.

You haven't enabled relaying for Yahoo.com email addresses in error by any chance?
Chinese email addresses always look suspicious. If you have no dealings with China then there has to be some concern.

Is authenticated relaying enabled on the Exchange server? It is by default. If you have no users on Outlook Express or other SMTP clients then you can disable the feature.
If you do have external SMTP clients, then you should restrict who can relay through your server: http://www.amset.info/exchange/smtp-relaysecure.asp

I would also suggest that you change your administrator password.

Simon.
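The two posts above point at the same question: which client is handing the yahoo.com mail to the server, and is it doing so anonymously or as an authenticated user? As an added example that is not part of this thread (and not code from Microsoft or GFI), the Python script below reads the W3C extended protocol log that the SMTP virtual server writes when SMTP logging is switched on, picks out every MAIL FROM for a suspect sender domain, and groups the hits by client IP, by whether the session authenticated (cs-username populated) and by whether the client is on the LAN. The log lines, IP addresses, host names and the user name are constructed sample data; the field layout is read from the file's own #Fields header, and the RFC 1918 list is an assumption about which networks count as internal.

```python
"""Triage an Exchange 2000 SMTP virtual server protocol log (W3C extended format).

Added example for this thread, not code from the thread, Microsoft or GFI.
Every MAIL FROM for a suspect sender domain is counted per client IP and
sorted into three buckets:
  internal/anonymous       a LAN host is submitting the mail directly
  external/anonymous       anonymous relay is being accepted (open relay)
  external/authenticated   relay through an account, so look at that account
Field names are taken from the log's own '#Fields:' header.
"""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# ASSUMPTION: the RFC 1918 ranges are what counts as "inside" for this site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: addresses, host names and the user name are made up.
# Layout follows the IIS 5.0 W3C extended format; a space inside a value is
# written as '+'. The OutboundConnection line is the server's own delivery.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip cs-method cs-uri-query sc-status
2005-03-01 00:00:01 203.0.113.25 - SMTPSVC1 SBSSERVER 192.168.1.2 HELO +mail.example.test 250
2005-03-01 00:00:01 203.0.113.25 - SMTPSVC1 SBSSERVER 192.168.1.2 MAIL +FROM:<abc123@yahoo.com> 250
2005-03-01 00:00:01 203.0.113.25 - SMTPSVC1 SBSSERVER 192.168.1.2 RCPT +TO:<someone@email.com.cn> 250
2005-03-01 00:00:02 203.0.113.25 - SMTPSVC1 SBSSERVER 192.168.1.2 DATA - 250
2005-03-01 00:00:03 192.0.2.10 OutboundConnectionCommand SMTPSVC1 SBSSERVER 192.168.1.2 MAIL +FROM:<abc123@yahoo.com> 0
2005-03-01 00:00:05 203.0.113.25 - SMTPSVC1 SBSSERVER 192.168.1.2 MAIL +FROM:<xyz789@yahoo.com> 250
2005-03-01 00:01:10 192.168.1.50 - SMTPSVC1 SBSSERVER 192.168.1.2 MAIL +FROM:<kevin@ourcompany.example> 250
2005-03-01 00:02:30 198.51.100.7 administrator SMTPSVC1 SBSSERVER 192.168.1.2 AUTH LOGIN 334
2005-03-01 00:02:31 198.51.100.7 administrator SMTPSVC1 SBSSERVER 192.168.1.2 MAIL +FROM:<spam1@yahoo.com> 250
"""


def parse_w3c_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields:
            yield dict(zip(fields, line.split()))


def sender_of(entry):
    """Return the lower-cased MAIL FROM address, or None for a null/absent sender."""
    arg = entry.get("cs-uri-query", "").replace("+", " ")
    m = re.search(r"FROM:\s*<?([^<>\s]+)>?", arg, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(ip, username):
    origin = "internal" if is_internal(ip) else "external"
    auth = "authenticated" if username not in ("", "-") else "anonymous"
    return f"{origin}/{auth}"


def summarise(log_text, suspect_domain):
    """Count MAIL FROM hits for suspect_domain per (client IP, category) and per user."""
    by_source = Counter()
    users_by_ip = defaultdict(Counter)
    suffix = "@" + suspect_domain.lower()
    for e in parse_w3c_log(log_text):
        user = e.get("cs-username", "-")
        method = e.get("cs-method", "")
        # The server's own outbound sessions carry OutboundConnection* markers
        # (assumed position: user or method column); they are deliveries, not
        # submissions, so they are skipped.
        if user.startswith("OutboundConnection") or method.startswith("OutboundConnection"):
            continue
        if method.upper() != "MAIL":
            continue
        sender = sender_of(e)
        if not sender or not sender.endswith(suffix):
            continue
        ip = e.get("c-ip", "-")
        by_source[(ip, classify(ip, user))] += 1
        users_by_ip[ip][user] += 1
    return by_source, users_by_ip


def totals_by_category(by_source):
    """Collapse the per-IP counts into the three relay-posture buckets."""
    totals = Counter()
    for (_ip, category), n in by_source.items():
        totals[category] += n
    return totals


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    domain = sys.argv[2] if len(sys.argv) > 2 else "yahoo.com"
    by_source, users_by_ip = summarise(text, domain)
    for (ip, category), n in by_source.most_common():
        print(f"{n:6d}  {ip:15s}  {category:24s}  users={dict(users_by_ip[ip])}")
    print("totals:", dict(totals_by_category(by_source)))
```

Run it against the day's log file from the SMTP virtual server's logging directory with the suspect domain as the second argument. A large count under external/anonymous means the server is accepting relay from the Internet without credentials, which is what the relay-restriction advice above addresses; a count under external/authenticated against one account is the case for changing that account's password; internal/anonymous names a LAN host to examine.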
We have three Macs that access their email on our server using Outlook Express.  I also have Outlook Web Access enabled which can be accessed after a VPN connection is made.  I checked the relay settings on the default SMTP virtual server and there are two ip addresses that have been granted relay.  One is the ip address of our server and the other is the ip address for a frame relay that we no longer use (wonder if I can remove this without any problems; we've since moved to a DSL).  The allow all computers which ... is checked.

While I was looking at these I noticed dozens of SmallBusiness SMTP connector entries under the Queues section.  They have a domain name and then (SMTP Connector - Remote Delivery).  When I enumerate messages under one of these entries I see all of these emails from yahoo.com addresses.  What exactly are these entries?
ASKER CERTIFIED SOLUTION
Sembee

I am using a separate router.  Can I still delete the internal ip address of our server Exchange rests on without messing up our email?  Or do I need to leave it since we have three Macs using POP3 to access their emails?
It will have no effect on the users collecting their emails. It is for relaying only. Anyone who needs to relay through your server should be doing so as authenticated users.

Simon.