Solved

Serious problem outgoing spam

Posted on 2006-06-13
Last Modified: 2008-03-22
I've got a problem with a server of mine since I've converted it to SBS 2003 with Exchange 2003 SP2. It keeps sending out spam. I've tried to empty the queues through Explorer and used the "find" option within Exchange to remove the mails. But they keep filling up the queue. But only when the Default SMTP server is active. When it's disabled the filling up stops. But my hard drive is also filling up very fast... some GB per hour or so...

We've got the following configuration: domain name with MX record set to send to our server directly.

I've got the following Security settings;

- Guest Account disabled
- Under tab Access (Default SMTP server options) > Access Control - I have selected "Anonymous access / Basic Authentication & Integrated Windows Authentication".
- Under tab Access (Default SMTP server options) > Connection Control - I've selected "all but the list below"
- Under tab Access (Default SMTP server options) > Relay restrictions - I've selected "all but the list below"

When I disable the Relay Restrictions, the filling up of the spam is stopped. But so is my regular email... the ones I would like to receive. Isn't it right that in order to receive emails from the outside world you have to have an open relay?

What can I do to prevent my server from sending spam???

Got a little overview of the servers that are connecting to my server and sending mail... perhaps that's more clear...
link: http://www.mfaber.net/exchange.JPG

Question by:directsolutions
7 Comments
 
LVL 11

Assisted Solution

by:elbereth21
elbereth21 earned 50 total points
ID: 16893518
Hi directsolutions,
You do not have to keep an open relay to receive mail from the outside world: instead, you seriously risk being added to one of the many blacklists existing on the net, so you won't be able to send mail at all.
Here you will find a clear explanation of the meaning of relaying and a walkthrough to what you have to do:
http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm
http://www.microsoft.com/technet/prodtechnol/exchange/exsecuritybp.mspx
Here you will find a guide to spamblocking:
http://www.petri.co.il/block_spam_with_exchange_2003.htm

Elbereth.
0
 
LVL 9

Expert Comment

by:Exchgen
ID: 16894929
You may want to run Exchange Best Practice Analyzer and follow the recommendations provided.

Also enable sender, recipient filtering.

You can also enable IMF with a setting of 5 and 4 to reduce spam to a very large extent.

Raghu
0
LVL 104

Accepted Solution

by:
Sembee earned 450 total points
ID: 16897131
Let's pick through this bit by bit.

First, get the machine off the internet. Block the firewall port or something like that. That will stop the message flow and allow you to make the required changes without causing problems. Inbound email for your domain will stop, but that will be delivered correctly once the problem is fixed.

Basics.
Make sure that the server is fully patched. Windows 2003 SP1 and Exchange 2003 SP2. It is important that the new Windows service pack is on as well.
Then configure recipient filtering and tarpit. http://www.amset.info/exchange/filter-unknown.asp
It is key that you do both the recipient filter and the tarpit, otherwise you make things much worse.

Next. Verify if you are an open relay or not.
This can be done without the server being visible from the Internet.
http://www.amset.info/exchange/smtp-openrelay.asp

Finally, clear the queues. There are a number of techniques for doing that. I have the most common ones on my web site at http://www.amset.info/exchange/spam-cleanup.asp

Now, if you have set everything correctly, but legitimate email doesn't come in, then that may indicate that you haven't set up the server correctly for your external email. I have seen all sorts of odd things done, such as configuring an SMTP Connector with the domain and then pointing at the server itself as a smart host.
As this is SBS, you need to run the Internet and Email wizard (or whatever its name is) to configure Exchange with the correct email address that external senders use. This could be different from your internal domain.

Simon.
0
 

Author Comment

by:directsolutions
ID: 16898397
Oke, tnx for the reply... I did the following:

Checked to see whether the server was patched. Got SBS 2003 SP1 and Exchange SP2 with all new patches. So no problems there.

Next I've removed the SUA settings on the router so no incoming traffic is able to connect to my server. I've tested it and it looks like no servers are connecting anymore and there's no more mail queueing, so that probably means I'm not infected with a virus or so...

Then I've configured the recipient filtering (which was already on... must have hit it in my tries to defend ;) ) and of course did the part for the tar pit. Thing is that Microsoft stated that it should be something like 5, which it already was. So I've changed it to 10... Just to be sure.

After all that, I've reactivated port 25 in the SUA and tested the relaying part. I'm now not relaying, so that's the good part.

Next I stopped the SMTP Virtual Server and deleted the queue by making a Connector (which I didn't have before, btw) and emptied it out with the find function. Next I went to the directory (vsi 1\Queue) and removed all that was in there. Made it quite empty.

I've started up the SMTP Virtual Server again and looked at the results. Thing is that there are still a bunch of "weird" servers trying to connect but without any luck. The queue isn't filling up anymore, so that's a good thing. But then, when I want to send an email to a user within the company (info@company.com), I get a non-delivery report at my home PC... Like this one below...

So what exactly am I supposed to do to be able to receive emails?

Within Authentication I've selected Anonymous access / Basic Authentication & Integrated Windows Authentication
Within Connection Control I've selected "All except the list below", which is empty
Within Relay Restrictions I've selected "Only the list below" and added domainname.local and domainname.com. Also checked the "Allow all computers which successfully authenticate to relay, regardless of the list below".
I've no connectors installed...

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Hi. This is the qmail-send program at xx.servers.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<info@domain.com>:
xx.xxx.xxx.xx does not like recipient.
Remote host said: 550 5.7.1 Unable to relay for info@domain.com
Giving up on xx.xxx.xxx.xx.

--- Below this line is a copy of the message.

Return-Path: <info@sender.com>
Received: (qmail 25119 invoked from network); 13 Jun 2006 22:23:41 -0000
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 13 Jun 2006 22:23:41 -0000
Received: from h72082.xxx.xxx.com (h72082.xxx.xxx.com [xx.xxx.xxx.xx])
        by webmail.sender.com (IMP) with HTTP
        for <info@mfaber.net@localhost>; Wed, 14 Jun 2006 00:23:41 +0200
Message-ID: <1150237421.448f3aed4f535@sender.com >
Date: Wed, 14 Jun 2006 00:23:41 +0200
From: info@sender.com
To: info@domain.com
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.2
X-Originating-IP: 62.194.72.82
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

0
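As an added example (not code from any poster in this thread): a small Python check that reads the transcript of an unauthenticated SMTP test session against your own server and separates the two conditions discussed above, an open relay (a recipient outside your domains is accepted) and the opposite misconfiguration, where the server answers 550 5.7.1 for its own domain. The `C:`/`S:` transcript format, the placeholder domains and the function names are assumptions of the example.

```python
import re

RCPT = re.compile(r"^C: RCPT TO:\s*<[^>@]+@([^>]+)>", re.I)
REPLY = re.compile(r"^S: (\d{3})(-?)(.*)")

def rcpt_results(transcript):
    """Return (recipient domain, reply code, reply text, authenticated) per RCPT TO."""
    authed, pending, out = False, None, []
    for line in transcript.splitlines():
        if line.startswith("C: "):
            m = RCPT.match(line)
            pending = m.group(1).lower() if m else None
            continue
        m = REPLY.match(line)
        if not m or m.group(2) == "-":      # ignore non-final lines of multi-line replies
            continue
        code = int(m.group(1))
        if code == 235:                     # 235 = AUTH succeeded (RFC 4954)
            authed = True
        elif pending:
            out.append((pending, code, m.group(3).strip(), authed))
            pending = None
    return out

def classify(transcript, accepted_domains):
    """Flag an open relay or a server that refuses mail for its own domain."""
    findings = set()
    for domain, code, text, authed in rcpt_results(transcript):
        local = domain in accepted_domains
        if not local and not authed and 200 <= code < 300:
            findings.add("OPEN_RELAY")           # relays for anonymous senders
        if local and code >= 500 and text.startswith("5.7.1"):
            findings.add("OWN_DOMAIN_REJECTED")  # domain not treated as local
    return sorted(findings) or ["OK"]

def session(local_reply, external_reply):
    """Constructed sample transcript of an unauthenticated test session."""
    return "\n".join([
        "S: 220 mail.example.test ESMTP", "C: HELO probe.example.net",
        "S: 250 mail.example.test Hello", "C: MAIL FROM:<tester@example.net>",
        "S: 250 2.1.0 Sender OK", "C: RCPT TO:<info@example.test>",
        "S: " + local_reply, "C: RCPT TO:<someone@elsewhere.example>",
        "S: " + external_reply, "C: QUIT"])

if __name__ == "__main__":
    relay_denied = "550 5.7.1 Unable to relay"
    print(classify(session("250 2.1.5 OK", "250 2.1.5 OK"), {"example.test"}))
    print(classify(session("250 2.1.5 OK", relay_denied), {"example.test"}))
    print(classify(session(relay_denied, relay_denied), {"example.test"}))
```

A 550 5.1.1 reply for an unknown local mailbox is not flagged, since that is what recipient filtering is expected to return.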
 

Author Comment

by:directsolutions
ID: 16898470
Oke... tnx a lot. As I told you, I've made all the settings. But apparently something did go wrong on the way to run the wizard. I ran the Internet and Email wizard and it worked out fine. I'm capable of sending emails to my "good" recipients and my queue isn't filling up any more.

Really Appreciate your support...
0
 

Author Comment

by:directsolutions
ID: 16898485
Also my thanks to elbereth21. It was helpful, but so much linking made me all dizzy sometimes ;)
0
