URGENT: Exchange Server Open Relay situation
Posted on 2006-05-09
Gateway 9220-T server
ISP is PaeTec Comm.
Domain HOST is GoDaddy with the MX pointing to our server here in lovely Van Nuys, CA
Exchange is handling in/out mail, NOT using POP3 connector.
As of a few hours ago, server was targeted by the bad guys.
- Server was slow to send mail; checked event logs and got the 2012 error. Added ISP DNS to SMTP Virt Svr Ext DNS list.
- Server kept getting slower, overall, at the console.
- Troubleshot a bit more and found:
  - 550+ queues in the Exchange System Manager, all identified as "SmallBusiness SMTP Connector"
  - All of the queues were to mostly unknown domains, things like "80.com"
  - Queues to domains like "yahoo.com" had the most messages waiting to be sent
  - 6600+ messages in the "C:\Program Files\ExchSvr\Mailroot\vsi 1\Queue" folder
Tried to Freeze queues and delete messages inside the queues, but they multiply faster than .... (pick an analogy)
OK, so I know that I have allowed the server to become an open relay. I am a bad person, although I'd like to blame this on Microsoft a bit, but whatever...
I thought that by forcing authentication to AD users only, I had solved the problem. Wrong, huh?
Sad to say, I am an IT consultant and a little green at the security thing, so...
How do I fix it?
How do I stop the Open Relay situation?
How do I delete the queues and messages all at once?
I've downloaded the IMF tool and don't know if it'll solve things for the moment, so it's not installed.
Oh yeah, I've stopped all Microsoft Exchange... services in the meantime. I do NOT want to be blacklisted with this domain.
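A relay check for the situation in the post above, added here as an example (it is not part of the original post and not an Exchange tool): a small Python probe that speaks just enough SMTP to learn whether an unauthenticated client can get an external recipient past RCPT TO, and that also confirms the server still accepts mail for its own domain, since a relay fix that refuses everything breaks inbound mail too. The hostnames, the addresses and the in-process fake server are constructed for the demonstration; its 550 reply text imitates what a correctly restricted server returns and is an assumption, not something taken from the post.

```python
import smtplib
import socketserver
import threading

# Constructed probe identities: sender and recipient are both foreign to the
# server under test, so a 250 on RCPT TO means it relays for anyone.
PROBE_SENDER = "relaytest@example.net"
PROBE_RECIPIENT = "relaytest@example.org"
LOCAL_DOMAIN = "example.com"  # the domain the server is supposed to accept for


def probe_rcpt(host, port, recipient, sender=PROBE_SENDER, timeout=10):
    """(accepted, reply): accepted is True when the server answers 250 to
    RCPT TO:<recipient> with no authentication. The envelope is reset before
    DATA, so nothing is ever queued on the server being tested."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return False, f"MAIL FROM: {code} {msg.decode(errors='replace')}"
        code, msg = smtp.rcpt(recipient)
        smtp.rset()  # abandon the envelope; never send DATA
        return code == 250, f"RCPT TO <{recipient}>: {code} {msg.decode(errors='replace')}"


def classify(host, port, local_domain=LOCAL_DOMAIN):
    """Two probes: an external recipient must be refused (no relay) and a
    recipient in our own domain must still be accepted, or the relay fix has
    broken inbound mail as well. Returns (verdict, external_reply, local_reply)."""
    external_ok, ext_reply = probe_rcpt(host, port, PROBE_RECIPIENT)
    local_ok, loc_reply = probe_rcpt(host, port, "postmaster@" + local_domain)
    if external_ok:
        verdict = "OPEN RELAY"
    elif local_ok:
        verdict = "relay restricted, inbound accepted"
    else:
        verdict = "rejects everything: inbound mail is broken too"
    return verdict, ext_reply, loc_reply


class _Handler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder for the constructed server (probe verbs only)."""

    def handle(self):
        self._send("220 mail.example.com ESMTP constructed test server")
        for raw in self.rfile:
            line = raw.decode("ascii", errors="replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self._send("250 mail.example.com")
            elif verb == "MAIL":
                self._send("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                self._send(self.server.rcpt_reply(line))
            elif verb in ("RSET", "NOOP"):
                self._send("250 2.0.0 OK")
            elif verb == "QUIT":
                self._send("221 2.0.0 Bye")
                return
            else:
                self._send("502 5.5.2 Command not implemented")

    def _send(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))
        self.wfile.flush()


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """Constructed server on 127.0.0.1. open_relay=True accepts any RCPT TO;
    open_relay=False accepts only LOCAL_DOMAIN, as a restricted server does."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.open_relay = open_relay
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def rcpt_reply(self, line):
        addr = line.split(":", 1)[1].strip().strip("<>")  # "RCPT TO:<user@dom>"
        domain = addr.rsplit("@", 1)[-1].lower()
        if self.open_relay or domain == LOCAL_DOMAIN:
            return "250 2.1.5 Recipient OK"
        return "550 5.7.1 Unable to relay for " + addr  # assumed wording


def demo():
    """Probe one constructed open relay and one restricted server; returns
    {name: verdict}. Against a real host: classify("mail.yourdomain", 25)."""
    verdicts = {}
    for name, relay in (("open", True), ("restricted", False)):
        server = FakeSMTPServer(open_relay=relay)
        try:
            verdicts[name] = classify(*server.server_address)[0]
        finally:
            server.shutdown()
            server.server_close()
    return verdicts
```

Run `classify()` against the MX from a host outside your own network, since a test from the LAN may be allowed to relay by design. The probe never goes past RCPT TO, so it leaves nothing in the queue folder, and the two verdicts to aim for are an external recipient refused and a local one accepted.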