zoon06 asked:

URGENT: Exchange Server Open Relay situation

HELP!

Details:
Gateway 9220-T server
SBS2003 SP1
ISP is PaeTec Comm.
Domain HOST is GoDaddy with the MX pointing to our server here in lovely Van Nuys, CA
Exchange is handling in/out mail, NOT using POP3 connector.

As of a few hours ago, server was targeted by the bad guys.

Symptoms:
- Server was slow to send mail; checked event logs and got the 2012 error.  Added ISP DNS to SMTP Virt Svr Ext DNS list.
- Server kept getting slower, overall, at the console.
- T/S a bit more and found:
      550+ queues in the Exchange System Manager, all identified as "SmallBusiness SMTP Connector"
      All of the queues were to mostly unknown domains, things like "80.com"
      Queues to domains like "yahoo.com" had the most messages waiting to be sent
      6600+ messages in the "C:\Program Files\ExchSvr\Mailroot\vsi 1\Queue" folder
      Tried to freeze queues and delete messages inside the queues, but they multiply faster than .... (pick an analogy)

OK, so I know that I have allowed the server to become an open relay, I am a bad person, although I'd like to blame this on Microsoft a bit, but whatever...

I thought that by forcing authentication to AD users only, I had solved the problem.  Wrong, hunh?
Sad to say, I am an IT consultant and a little green at the security thing, so...

How do I fix it?
     How do I stop the Open Relay situation?
     How do I delete the queues and messages all at once?

I've downloaded the IMF tool and don't know if it'll solve things for the moment, so it's not installed.
Oh yeah, I've stopped all Microsoft Exchange... services in the meantime.  I do NOT want to be blacklisted with this domain.


Thanks!!
ASKER CERTIFIED SOLUTION
Exchange_Admin
[solution text available to members only]
r-k

Yes, that is a great link. Here is another link that may prove helpful once things are cleaned up:

  http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/b218d8a9-8d3a-4c7d-b0a9-c969ee1232f6.mspx?mfr=true

zoon06 (ASKER)

Thanks for the links.

It's late now. I tried RemDesk to the server, not accepting connections. Will be checking this tomorrow and post my results.

SOLUTION
LeeDerbyshire
[solution text available to members only]
zoon06 (ASKER)

Hmmmm...

OK. Poked around a lot today on the SBS/Exchg server.

To Exchange_Admin:

It seems the Open Relay condition was present because the Default SMTP Virtual Server > Access > Relay > Relay Restrictions were not configured according to the link I was referred to. The Relay Restriction was set to "Allow all except the list below" - the list was empty. The "...successfully authenticate..." option on the same window was checked. Am I correct in saying Open Relay was....Open?

To All:
And the NDR condition may also have been present, or they work in conjunction to mess things up?  Not sure, but it seems like the relaying thing CAUSED the NDR condition.  Am I right?

To LeeDerbyshire:
None of my senders showed as <>.  The Filter recipients option was checked by default.
The recipient names were:
     mostly randomly generated character names to well-formed and some well-known domains.
     sender was postmaster@mydomain.tld most of the time, other times it was some random sender.
How can I turn off NDRs altogether?  Is that an option in SBS or a roundabout way of configuring things?

To All, again:
I would like more clarification on this NDR issue to make sure I understand it correctly.  Does relaying cause NDRs or is that just one way of bogging things down when relaying is left open but authentication is enforced?

Overall, though, things are going well.  I followed Sembee's instructions and the messages are piling up into a queue that will go nowhere.  Then I will take out the garbage and recreate the default SMTP connector.  Current message count: 3523...

Thanks again.
Yes, allowing 'All except the list below' is bad. It should be 'Only the list below', and then add any IPs that you know you want to relay (like external Outlook Express clients with fixed IPs). You can also enable the 'Allow all computers which successfully authenticate', too, if you like (although some people don't like even that). But you should definitely not have 'Allow all except'. I would turn that off right now.
Oh, BTW, you can turn off NDRs by clicking on Internet Message Formats, and looking at the properties of the Default format.  It's on the Advanced page.  Anything with sender postmaster@yourdomain.tld could be an NDR, too, but aimed back inside at your users.  I'm pretty sure that external NDRs should have an empty sender, to prevent message loops.
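The relay decision discussed above (the asker's "Allow all except the list below" with an empty list, versus "Only the list below" plus authenticated clients), as an added example that is not part of the original thread and not Exchange's own code. The `RelayPolicy` class is a simplified model of the Exchange 2003 Relay Restrictions dialog; its field names, the sample domain `mydomain.tld` and the documentation-range IP addresses are assumptions for illustration. `probe_open_relay` is a live check you can point at a server you are authorised to test: it stops after RCPT TO, so no message is actually relayed.

```python
"""Added example: a model of SMTP relay restrictions plus a live open-relay probe.

Not from the original thread. RelayPolicy is a simplified model of the
Exchange 2003 'Relay Restrictions' dialog; field names and sample
addresses are assumptions for illustration.
"""
import smtplib
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    # "only_list" (the safe setting) or "all_except_list" (what the asker had)
    mode: str
    # IPs/CIDRs in the relay list, e.g. a fixed-IP Outlook Express client
    hosts: list = field(default_factory=list)
    # 'Allow all computers which successfully authenticate to relay'
    allow_authenticated: bool = True
    # domains this server is authoritative for; mail to them is delivery, not relay
    local_domains: set = field(default_factory=set)

    def may_relay(self, client_ip: str, authenticated: bool, rcpt: str) -> bool:
        """Return True if a RCPT TO for `rcpt` from `client_ip` would be accepted."""
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
        if rcpt_domain in self.local_domains:
            return True                      # inbound mail for our own domain
        if authenticated and self.allow_authenticated:
            return True                      # an AD user sending outbound
        ip = ip_address(client_ip)
        listed = any(ip in ip_network(net, strict=False) for net in self.hosts)
        if self.mode == "only_list":
            return listed                    # empty list => nobody relays
        if self.mode == "all_except_list":
            return not listed                # empty list => everybody relays
        raise ValueError(f"unknown mode {self.mode!r}")


def probe_open_relay(host: str, port: int = 25, mail_from: str = "probe@example.net",
                     rcpt_to: str = "nobody@example.org", timeout: float = 10.0):
    """Ask a server to accept a recipient in a domain it is not authoritative for.

    Stops after RCPT TO (no DATA is sent), so nothing is relayed. Returns
    (would_relay, server_reply). Only run against servers you are authorised to test.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, msg = smtp.mail(mail_from)
            if code != 250:
                return False, f"MAIL FROM refused: {code} {msg.decode(errors='replace')}"
            code, msg = smtp.rcpt(rcpt_to)
            smtp.rset()                      # abandon the transaction
            return code in (250, 251), f"{code} {msg.decode(errors='replace')}"
    except (OSError, smtplib.SMTPException) as exc:
        return False, f"probe failed: {exc}"


def demo():
    """Compare the configuration as found with the corrected one (constructed sample data)."""
    local = {"mydomain.tld"}
    as_found = RelayPolicy("all_except_list", hosts=[], local_domains=local)
    fixed = RelayPolicy("only_list", hosts=["192.0.2.10/32"], local_domains=local)
    spammer = ("203.0.113.77", False, "random123@yahoo.com")   # unauthenticated outsider
    return {
        "as_found_spammer": as_found.may_relay(*spammer),
        "fixed_spammer": fixed.may_relay(*spammer),
        "fixed_listed_client": fixed.may_relay("192.0.2.10", False, "friend@example.com"),
        "fixed_auth_user": fixed.may_relay("198.51.100.5", True, "friend@example.com"),
        "fixed_inbound": fixed.may_relay("203.0.113.77", False, "user@mydomain.tld"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'relays' if verdict else 'refused'}")
```

Note that in the "as found" policy the authentication checkbox is irrelevant: every unauthenticated client is already allowed to relay, which is why forcing AD authentication alone did not close the hole. Inbound mail to the server's own domain is accepted under either policy, so the corrected setting does not break MX delivery.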
zoon06 (ASKER)

Sorry, didn't find Advanced on Internet Message Formats.

Thanks to all, the problem is fixed. I'm wrapping this up.