URGENT: Exchange Server Open Relay situation

Posted on 2006-05-09
Last Modified: 2008-08-04
HELP!

Details:
Gateway 9220-T server
SBS2003 SP1
ISP is PaeTec Comm.
Domain HOST is GoDaddy with the MX pointing to our server here in lovely Van Nuys, CA
Exchange is handling in/out mail, NOT using POP3 connector.

As of a few hours ago, server was targeted by the bad guys.

Symptoms:
- Server was slow to send mail; checked event logs and got the 2012 error.  Added ISP DNS to SMTP Virt Svr Ext DNS list.
- Server kept getting slower, overall, at the console.
- T/S a bit more and found:
      550+ queues in the Exchange System Manager, all identified as "SmallBusiness SMTP Connector"
      All of the queues were to mostly unknown domains, things like "80.com"
      Queues to domains like "yahoo.com" had the most messages waiting to be sent
      6600+ messages in the "C:\Program Files\ExchSvr\Mailroot\vsi 1\Queue" folder
      Tried to Freeze queues and delete messages inside the queues, but they multiply faster than .... (pick an analogy)

OK, so I know that I have allowed the server to become an open relay, I am a bad person, although I'd like to blame this on Microsoft a bit, but whatever...

I thought that by forcing authentication to AD users only, I had solved the problem.  Wrong, hunh?
Sad to say, I am an IT consultant and a little green at the security thing, so...

How do I fix it?
     How do I stop the Open Relay situation?
     How do I delete the queues and messages all at once?

I've downloaded the IMF tool and don't know if it'll solve things for the moment, so it's not installed.
Oh yeah, I've stopped all Microsoft Exchange... services in the meantime.  I do NOT want to be blacklisted with this domain.


Thanks !!
Question by: zoon06
8 Comments

Accepted Solution by: Exchange_Admin (earned 1700 total points)
ID: 16644837
A very knowledgeable person on this forum, Sembee, created this webpage that may help you:
http://www.amset.info/exchange/spam-cleanup.asp

Expert Comment by: r-k
ID: 16645273
Yes, that is a great link. Here is another link that may prove helpful once things are cleaned up:

  http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/b218d8a9-8d3a-4c7d-b0a9-c969ee1232f6.mspx?mfr=true


Author Comment by: zoon06
ID: 16646401
Thanks for the links.

It's late now.  I tried RemDesk to the server, not accepting connections.  Will be checking this tomorrow and post my results.


Assisted Solution by: LeeDerbyshire (earned 300 total points)
ID: 16646455
Actually, you may not be an open relay - those messages may be NDRs.  See if the sender is shown as <> .  If it is, then your domain has received a lot of spam to non-existent addresses, and is now sending back NDRs to the (fictitious) sending addresses.  Since the addresses are generally false, they can't be delivered straight away, and sit in the queue for days.  If you are getting lots of spam, try turning off NDRs altogether.  Did you also apply the checkbox that says 'Filter recipients that are not in the directory'?

Of course, if the sender is not displayed as <>, and the recipient is an external address, then you have a relay problem.
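The triage rule LeeDerbyshire gives above (a null <> sender means a bounce; a non-null sender to an external recipient means relaying, unless an authenticated user submitted it), worked as an added example that is not code from this thread. It assumes a local domain of mydomain.tld, queue entries represented as dicts with sender/recipient/authenticated fields, and the postmaster@ handling from LeeDerbyshire's later comment; the sample queue is constructed.

```python
from collections import Counter

# Added example, not from the thread: apply the sender/recipient triage rule to
# queue entries. The domain "mydomain.tld", the entry field names and the sample
# data are assumptions constructed for this illustration.
OUR_DOMAIN = "mydomain.tld"


def classify(entry):
    """Return a label for one queued message based on envelope sender/recipient."""
    sender = entry.get("sender", "").strip().lower()
    recipient = entry.get("recipient", "").strip().lower()
    rcpt_external = not recipient.endswith("@" + OUR_DOMAIN)
    sender_local, _, sender_domain = sender.rpartition("@")
    # Null sender: a bounce. Going outbound it is backscatter from spam that was
    # accepted and then NDR'd, not proof that the server relayed anything.
    if sender in ("", "<>"):
        return "ndr-backscatter" if rcpt_external else "ndr-internal"
    # postmaster@ourdomain should only be bouncing back to our own users;
    # the same sender aimed at external recipients deserves a closer look.
    if sender_local == "postmaster" and sender_domain == OUR_DOMAIN:
        return "relay-suspect" if rcpt_external else "ndr-internal"
    # Non-null sender plus external recipient: relaying, unless an authenticated
    # user submitted it (the 'successfully authenticate' relay exception).
    if rcpt_external:
        return "outbound" if entry.get("authenticated") else "relay-suspect"
    return "inbound"


def summarize(entries):
    """Count labels across the queue so relay evidence stands out from NDR noise."""
    return Counter(classify(e) for e in entries)


# Constructed sample queue, modelled on the symptoms described in the question.
SAMPLE_QUEUE = [
    {"sender": "<>", "recipient": "qx7f2@yahoo.com"},
    {"sender": "postmaster@mydomain.tld", "recipient": "bob@mydomain.tld"},
    {"sender": "postmaster@mydomain.tld", "recipient": "zz9k@80.com"},
    {"sender": "deals@example.net", "recipient": "abc123@hotmail.com", "authenticated": False},
    {"sender": "alice@mydomain.tld", "recipient": "ceo@example.com", "authenticated": True},
    {"sender": "partner@example.org", "recipient": "alice@mydomain.tld"},
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_QUEUE).most_common():
        print(f"{label:16} {count}")
```

Run over an export of the real queue, a high "relay-suspect" count points at the relay restrictions, while a queue dominated by "ndr-backscatter" points at recipient filtering and NDR settings instead.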

Author Comment by: zoon06
ID: 16654938
Hmmmm...

OK. Poked around a lot today on the SBS/Exchg server.

To Exchange_Admin:

It seems the Open Relay condition was present because the Default SMTP Virtual Server > Access > Relay > Relay Restrictions were not configured according to the link I was referred to.  The Relay Restriction was set to "Allow all except the list below" - the list was empty.  The "...successfully authenticate..." option on the same window was checked.  Am I correct in saying Open Relay was....Open?

To All:
And the NDR condition may also have been present, or they work in conjunction to mess things up?  Not sure, but it seems like the relaying thing CAUSED the NDR condition.  Am I right?

To LeeDerbyshire:
None of my senders showed as <>.  The Filter recipients option was checked by default.
The recipient names were:
     mostly randomly generated character names to well-formed and some well-known domains.
     sender was postmaster@mydomain.tld most of the time, other times it was some random sender.
How can I turn off NDRs altogether?  Is that an option in SBS or a roundabout way of configuring things?

To All, again:
I would like more clarification on this NDR issue to make sure I understand it correctly.  Does relaying cause NDRs or is that just one way of bogging things down when relaying is left open but authentication is enforced?

Overall, though, things are going well.  I followed Sembee's instructions and the messages are piling up into a queue that will go nowhere.  Then I will take out the garbage and recreate the default SMTP connector.  Current message count: 3523...

Thanks again.

Expert Comment by: LeeDerbyshire
ID: 16655885
Yes, allowing 'All except the list below' is bad.  It should be 'Only the list below', and then add any IPs that you know you want to relay (like external Outlook Express clients with fixed IPs).  You can also enable the 'Allow all computers which successfully authenticate', too, if you like (although some people don't like even that).  But you should definitely not have 'Allow all except'.  I would turn that off right now.

Expert Comment by: LeeDerbyshire
ID: 16655909
Oh, BTW, you can turn off NDRs by clicking on Internet Message Formats, and looking at the properties of the Default format.  It's on the Advanced page.  Anything with sender postmaster@yourdomain.tld could be an NDR, too, but aimed back inside at your users.  I'm pretty sure that external NDRs should have an empty sender, to prevent message loops.

Author Comment by: zoon06
ID: 16659172
Sorry, didn't find Advanced on Internet Message Formats.

Thanks to all, the problem is fixed.  I'm wrapping this up.
