Solved

Emails filling up GFI whitelist - Exchange 2000

Posted on 2006-04-12
Last Modified: 2011-09-20
I'm running Exchange 2000 as part of SBS 2000 plus GFI MailEssentials to filter spam.  A couple of weeks ago I noticed the GFI whitelist was filling up with nearly 2000 new addresses added daily.  I tracked a couple of addresses that had been added in System Manager and the from address on these emails was *@yahoo.com.  I turned on SMTP logging and see a ton of emails that appear to be coming from inside with a yahoo.com from address.  I've run virus checks on all of our computers and all are clean.  Any suggestions on how to track where these emails are coming from?
Question by:JKevinWard
7 Comments

Expert Comment

by:Sembee
ID: 16441091
Message Tracking is the obvious answer to find out what is happening with the messages.
http://www.amset.info/exchange/message-tracking.asp

I would be surprised if it was a compromised machine - normally they use their own SMTP engine - they don't like to use another server as that signifies their presence.

Simon.

Author Comment

by:JKevinWard
ID: 16444758
I had Message Tracking enabled.  I looked at a couple of the emails from yahoo.com addresses and here are the tracking messages for both:

SMTP:  Started Outbound Transfer of Message
Message transferred to smtp through SMTP

I also found a yahoo.com email to suwhitneyg@email.com.cn that had these messages:

SMTP:  Started Outbound Transfer of Message
Message transferred to mx.email.com.cn through SMTP

Are these coming from inside our system?

Expert Comment

by:Sembee
ID: 16446418
Was that all there was in the Message Tracking log?

This is starting to look like your server is relaying email.

You haven't enabled relaying for Yahoo.com email addresses in error by any chance?
Chinese email addresses always look suspicious. If you have no dealings with China then there has to be some concern.

Is authenticated relaying enabled on the Exchange server? It is by default. If you have no users on Outlook Express or other SMTP clients then you can disable the feature.
If you do have external SMTP clients, then you should restrict who can relay through your server: http://www.amset.info/exchange/smtp-relaysecure.asp

I would also suggest that you change your administrator password.

Simon.
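The SMTP protocol logging the asker says he turned on is the quickest place to confirm what Simon suspects: a relay shows up as an accepted RCPT TO for a domain the server does not host, coming from a client that is neither on the LAN nor authenticated. The script below is an added example, not code from this thread or from GFI or Microsoft. It assumes the Exchange 2000 SMTP virtual server writes W3C Extended format logs with a `#Fields:` header naming the columns (the column set, the accepted domain `example.com`, the LAN prefix `192.168.1.` and every log line are constructed for illustration), and it counts the flagged transactions by client IP, sender domain and recipient domain so the pattern (yahoo.com senders, .cn recipients) stands out.

```python
"""Find relay transactions in an Exchange 2000 SMTP virtual server log.

Added example, not from the original thread.  Assumes the SMTP service logs in
W3C Extended format (IIS style) with a '#Fields:' header naming the columns.
The column set, LOCAL_DOMAINS, INTERNAL_NETS and every log line below are
constructed for illustration; replace them with your own values.
"""
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}      # assumed: domains this server accepts mail for
INTERNAL_NETS = ("192.168.1.",)      # assumed: LAN prefixes allowed to send outbound

# Constructed sample log: one external client relaying, one LAN user sending
# outbound, one external client that is correctly refused.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2006-04-10 03:12:01 203.0.113.5 - 192.168.1.2 EHLO +mail.example.net 250
2006-04-10 03:12:01 203.0.113.5 - 192.168.1.2 MAIL +FROM:<jbloggs@yahoo.com> 250
2006-04-10 03:12:02 203.0.113.5 - 192.168.1.2 RCPT +TO:<suwhitneyg@email.com.cn> 250
2006-04-10 03:12:02 203.0.113.5 - 192.168.1.2 RCPT +TO:<someone@example.com> 250
2006-04-10 08:00:10 192.168.1.50 - 192.168.1.2 MAIL +FROM:<alice@example.com> 250
2006-04-10 08:00:11 192.168.1.50 - 192.168.1.2 RCPT +TO:<bob@partner.example.org> 250
2006-04-10 09:30:00 198.51.100.7 - 192.168.1.2 MAIL +FROM:<x@yahoo.com> 250
2006-04-10 09:30:01 198.51.100.7 - 192.168.1.2 RCPT +TO:<y@example.org> 550
"""

_ADDR = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or a truncated record: skip it
        yield dict(zip(fields, parts))


def _domain(query):
    """Extract the domain from a '+FROM:<a@b>' / '+TO:<a@b>' query field."""
    m = _ADDR.search(query)
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rsplit("@", 1)[1].lower()


def find_relays(text, local_domains=LOCAL_DOMAINS, internal_nets=INTERNAL_NETS):
    """Return the accepted RCPT TO records that amount to third-party relaying."""
    current_sender = {}  # client IP -> sender domain of its open MAIL transaction
    flagged = []
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"].upper()
        if method == "MAIL":
            current_sender[ip] = _domain(rec["cs-uri-query"])
        elif method == "RCPT" and rec["sc-status"] == "250":
            rcpt_dom = _domain(rec["cs-uri-query"])
            if rcpt_dom is None or rcpt_dom in local_domains:
                continue  # inbound mail for a hosted domain: not a relay
            # assumed: cs-username is '-' unless the session authenticated
            authenticated = rec["cs-username"] != "-"
            internal = ip.startswith(internal_nets)
            if authenticated or internal:
                continue  # outbound from a source that is allowed to relay
            flagged.append({"time": rec["date"] + " " + rec["time"], "client": ip,
                            "from_domain": current_sender.get(ip), "to_domain": rcpt_dom})
    return flagged


def summarize(flagged):
    """Tally the flagged relays by client, sender domain and recipient domain."""
    return {"by_client": Counter(f["client"] for f in flagged),
            "by_from": Counter(f["from_domain"] for f in flagged),
            "by_to": Counter(f["to_domain"] for f in flagged)}


if __name__ == "__main__":
    hits = find_relays(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize(hits))
```

Point it at the real log directory of the SMTP virtual server (System Manager > SMTP virtual server > Properties > General > Enable logging, W3C Extended format) and the `by_client` tally tells you which external hosts are injecting the yahoo.com mail; those are the addresses to block and the evidence that the relay settings, not a local infection, are the cause.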

Author Comment

by:JKevinWard
ID: 16449399
We have three Macs that access their email on our server using Outlook Express.  I also have Outlook Web Access enabled which can be accessed after a VPN connection is made.  I checked the relay settings on the default SMTP virtual server and there are two ip addresses that have been granted relay.  One is the ip address of our server and the other is the ip address for a frame relay that we no longer use (wonder if I can remove this without any problems; we've since moved to a DSL).  The allow all computers which ... is checked.

While I was looking at these I noticed dozens of SmallBusiness SMTP connector entries under the Queues section.  They have a domain name and then (SMTP Connector - Remote Delivery).  When I enumerate messages under one of these entries I see all of these emails from yahoo.com addresses.  What exactly are these entries?

Accepted Solution

by:
Sembee earned 1000 total points
ID: 16449806
I would start by removing both IP addresses from the relay settings. The server itself does not have to be in the relay settings. Are you using a router of some kind, or is the "router" the server? If so, the IP address of the server being in the relay settings might be the cause.

The SMTP connectors are classic signs of your server being used as a relay by whichever spammer is targeting yahoo.com at the moment.

Go through the SMTP connector configuration very carefully. Make sure that you haven't got "allow relaying to these domains" enabled and the * in the address space.

You might also want to look at my spam cleanup page: http://www.amset.info/exchange/spam-cleanup.asp

Simon.

Author Comment

by:JKevinWard
ID: 16470501
I am using a separate router.  Can I still delete the internal ip address of our server Exchange rests on without messing up our email?  Or do I need to leave it since we have three Macs using POP3 to access their emails?

Expert Comment

by:Sembee
ID: 16470623
It will have no effect on the users collecting their emails. It is for relaying only. Anyone who needs to relay through your server should be doing so as authenticated users.

Simon.
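Once the two IP entries are gone and only authenticated users can relay, the fix should be verified the way a spammer would test it: from outside the LAN, without credentials, ask the server to accept mail for a domain it does not host. The probe below is an added example, not code from this thread. It drives the real exchange through Python's `smtplib` (`probe_host`), and includes a constructed `FakeSMTP` stand-in, with an assumed hosted domain of `example.com` and assumed probe addresses at `example.net` and `example.org`, so the logic can be exercised offline.

```python
"""Check whether an SMTP server relays for a domain it does not host.

Added example, not code from the thread.  PROBE_SENDER, PROBE_RCPT, the
hosted domain in FakeSMTP and FakeSMTP itself are constructed for
illustration; against a real server use probe_host().
"""
import smtplib

PROBE_SENDER = "relaytest@example.net"   # assumed: a domain the target does not host
PROBE_RCPT = "relaytest@example.org"     # assumed: another domain the target does not host


def is_open_relay(conn, sender=PROBE_SENDER, rcpt=PROBE_RCPT):
    """Return (is_open, detail) for a connection exposing smtplib.SMTP's
    ehlo/mail/rcpt/rset methods.  The transaction is reset, never sent."""
    code, msg = conn.ehlo()
    if code != 250:
        return False, "EHLO refused: %d %s" % (code, msg)
    code, msg = conn.mail(sender)
    if code != 250:
        return False, "MAIL FROM refused: %d %s" % (code, msg)
    code, msg = conn.rcpt(rcpt)
    conn.rset()  # abandon the transaction so nothing is actually queued
    # 250/251 on RCPT TO for a foreign domain means the server will queue and
    # deliver it: that is an open relay.  A correctly restricted Exchange
    # server answers 550 5.7.1 Unable to relay.
    return code in (250, 251), "RCPT TO: %d %s" % (code, msg)


def probe_host(host, port=25, timeout=10):
    """Run the check against a live server.  Run it from outside the LAN and
    without credentials, since that is the path a spammer would use."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return is_open_relay(conn)


class FakeSMTP:
    """Constructed stand-in for a server with a configurable relay policy."""

    def __init__(self, open_relay, hosted=("example.com",)):
        self.open_relay = open_relay
        self.hosted = set(hosted)

    def ehlo(self):
        return 250, b"mail.example.com Hello"

    def mail(self, sender):
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, rcpt):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.hosted or self.open_relay:
            return 250, b"2.1.5 Recipient OK"
        return 550, b"5.7.1 Unable to relay"

    def rset(self):
        return 250, b"2.0.0 Reset state"


if __name__ == "__main__":
    for policy in (True, False):
        print("open_relay=%s ->" % policy, is_open_relay(FakeSMTP(policy)))
```

Two caveats when reading the result: a recipient at one of the server's own domains is always accepted, so the probe only means something with a recipient domain the server does not host; and an accepted RCPT after a successful AUTH is expected behaviour (that is how the Outlook Express Macs should be sending), which this unauthenticated probe deliberately does not exercise.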