Solved

Postmaster NDR Attack

Posted on 2006-11-14
12
1,527 Views
Last Modified: 2008-01-09
Hi,

In recent weeks our Exchange Server has experienced what I believe is an NDR attack. We have subsequently followed the advice written in Microsoft Knowledge Base articles 886208 and 842851 but we still seem to be getting a lot of messages in our SMTP queues.

Does anybody know how I can find out what the source of these messages is so that I can work on stopping them?

Thanks

0
Comment
Question by:baileytibbs
12 Comments
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17942578
Hi baileytibbs,

What exchange version are we talking about here?

-red
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17942621
You probably need my spam cleanup article.
http://www.amset.info/exchange/spam-cleanup.asp

That will help identify where the problem is and clean up the mess.

Simon.
0
 

Author Comment

by:baileytibbs
ID: 17942672
Hi,

Our exchange version is Exchange 2003 SP2.

As regards the article mentioned, you referred me to this the other evening and it has helped me greatly in checking that our server wasn't acting as an open relay and to allow me to clean up the queues without any fuss.

However, even though I have set the MS Exchange Transport logging level to maximum, I do not get the message you describe and so I don't understand. The messages I do get are similar to the one below (although I have replaced our IP address with **Our IP**):

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            14/11/2006
Time:            22:57:14
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #37561. The remote host "66.175.131.125", responded to the SMTP command "mail" with "451 IP: **OUR IP** temporary blocked due to high Spam ratio!  ". The full command sent was "MAIL FROM:<mnfxxxj@host**OUR IP**.in-addr.btopenworld.com>  ".  This may cause the connection to fail.

I have loads of messages from @host**OUR IP**.in-addr.btopenworld.com and a queue with that address listed where the messages inside are all from postmaster@ourdomain

Any ideas?
0
 

Author Comment

by:baileytibbs
ID: 17942773
Hi,

In the last 10 minutes I have also had about 50 of these event messages on the server:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            14/11/2006
Time:            23:34:55
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #37575. The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for mqva@**OUR IP**.in-addr.btopenworld.com  ". The full command sent was "rcpt TO:<mqva@host**OUR IP**.in-addr.btopenworld.com>".  This will probably cause the connection to fail.

192.168.0.100 is our Exchange server.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17942899
Did you ever get the queue clear?
After setting the recipient filter, did you set it on the SMTP virtual server as well? Did you then restart the SMTP Service?

Have you confirmed that this isn't an authenticated user relay? Turn off authenticated user relaying and then restart the SMTP Service again.

It would appear that Exchange is still sending the spam messages out; you need to try and spot which method is being used.

Simon.
0
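A practical way to "spot which method is being used", as Simon suggests, is to stop reading the 7002/7010 events one at a time and aggregate them: group the 7010 events (a client talking to our server) by client IP and by rejected recipient domain, and group the 7002 events (our server talking to a remote host) by the remote host and its reply code. Rejected relay attempts clustering on one internal IP point at a specific machine to check; 451/550 replies from remote hosts to our own MAIL FROM confirm the server itself is still delivering the backscatter. The script below is an added example written for this thread, not something from the original posts or from Microsoft; the event descriptions in it are constructed to mirror the shape of the ones quoted above, using documentation IP ranges and made-up addresses.

```python
"""Aggregate MSExchangeTransport 7002/7010 event descriptions (Exchange 2003
SMTP protocol log) to see where relay / NDR traffic is coming from.
Added example for this thread; the sample events below are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample events in the same shape as the thread's 7002 and 7010
# descriptions (IPs are documentation ranges, addresses are made up).
SAMPLE_EVENTS = [
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, '
           'connection #37561. The remote host "198.51.100.7", responded to the '
           'SMTP command "mail" with "451 IP: 203.0.113.10 temporary blocked due '
           'to high Spam ratio!  ". The full command sent was '
           '"MAIL FROM:<mnfxxxj@host203.0.113.10.in-addr.example.invalid>  ".  '
           'This may cause the connection to fail.'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection '
           '#37575. The client at "192.168.0.100" sent a "rcpt" command, and the '
           'SMTP server responded with "550 5.7.1 Unable to relay for '
           'mqva@host203.0.113.10.in-addr.example.invalid  ". The full command '
           'sent was "rcpt TO:<mqva@host203.0.113.10.in-addr.example.invalid>".  '
           'This will probably cause the connection to fail.'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection '
           '#37614. The client at "192.168.0.100" sent a "rcpt" command, and the '
           'SMTP server responded with "550 5.7.1 Unable to relay for '
           'someone@aol.example  ". The full command sent was '
           '"rcpt TO:<someone@aol.example>".  This will probably cause the '
           'connection to fail.'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection '
           '#37620. The client at "192.168.0.55" sent a "rcpt" command, and the '
           'SMTP server responded with "550 5.7.1 Unable to relay for '
           'other@aol.example  ". The full command sent was '
           '"rcpt TO:<other@aol.example>".  This will probably cause the '
           'connection to fail.'),
]

# 7010: a client connected to us and we answered it.
INBOUND_RE = re.compile(
    r'The client at "(?P<peer>[^"]+)" sent a "(?P<cmd>\w+)" command, and the '
    r'SMTP server responded with "(?P<reply>[^"]*)"\. The full command sent '
    r'was "(?P<full>[^"]*)"')
# 7002: we connected to a remote host and it answered us.
OUTBOUND_RE = re.compile(
    r'The remote host "(?P<peer>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<reply>[^"]*)"\. The full command sent was '
    r'"(?P<full>[^"]*)"')
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_event(event_id, description):
    """Turn one event description into a flat record; None if unrecognised."""
    if event_id == 7010:
        match, direction = INBOUND_RE.search(description), "inbound"
    elif event_id == 7002:
        match, direction = OUTBOUND_RE.search(description), "outbound"
    else:
        return None
    if not match:
        return None
    addr = ADDR_RE.search(match["full"])
    address = addr.group(1).strip().lower() if addr else ""
    return {
        "event_id": event_id,
        "direction": direction,
        "peer": match["peer"],
        "command": match["cmd"].lower(),
        "code": match["reply"].strip().split(" ", 1)[0],  # e.g. "550"
        "address": address,
        "domain": address.rpartition("@")[2],
    }


def is_internal(peer):
    """True for RFC 1918-style addresses; non-IP peers count as external."""
    try:
        return ipaddress.ip_address(peer).is_private
    except ValueError:
        return False


def summarize(events):
    """Count events by peer, recipient domain and reply code, and list the
    internal hosts whose relay attempts our server refused."""
    parsed = [p for p in (parse_event(i, d) for i, d in events) if p]
    inbound = [p for p in parsed if p["direction"] == "inbound"]
    outbound = [p for p in parsed if p["direction"] == "outbound"]
    inbound_by_peer = Counter(p["peer"] for p in inbound)
    return {
        "inbound_by_peer": inbound_by_peer,
        "outbound_by_peer": Counter(p["peer"] for p in outbound),
        "by_domain": Counter(p["domain"] for p in parsed),
        "by_code": Counter(p["code"] for p in parsed),
        "internal_sources": sorted(p for p in inbound_by_peer if is_internal(p)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

To use it against a real server, export the Application log (Event Viewer, save as text/CSV), feed each 7002/7010 description into `parse_event`, and look at `internal_sources` first: an internal IP other than the Exchange server itself is the PC to pull off the relay list; if the only inbound peer is the Exchange server, the traffic is being generated on the server and the queue contents (sender address, message body) are the next lead.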
 

Author Comment

by:baileytibbs
ID: 17943104
Hi Simon,

Thanks for taking an interest in this. I was able to get the message queue clear.

Also, I believe I have followed the instructions in your article correctly and have set the recipient filter as you suggest along with the SMTP virtual server.

I have now unchecked "Allow all computers which successfully authenticate to relay, regardless of the list above" and the messages have stopped, but with "Only the computers below" selected and that list being empty, I can't see how anybody can relay any messages through this server.

There are only 6 PCs in this office. Is there any way I can introduce them back into the relaying system one by one until I know which is causing the problem? It is now 1am here and so nobody should be sending messages at the moment.

Thanks for your help
0
 

Author Comment

by:baileytibbs
ID: 17943147
Hi,

Since unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above", my message queues have remained empty.

However, my event log is showing the following example event (I have about 50 in the last 15 mins):

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            15/11/2006
Time:            00:54:08
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #37614. The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for boricuafem@aol.com  ". The full command sent was "rcpt TO:<boricuafem@aol.com>".  This will probably cause the connection to fail.

I have no idea who boricuafem@aol.com is, along with the other addresses listed in the event messages.

I don't know if this helps.
0
 
LVL 26

Expert Comment

by:Vahik
ID: 17945352
You have nothing to worry about....someone is trying authenticated relay and is failing.....nothing you can do to stop folks from trying to relay through your server....this is routine for all Exchange administrators...if you disable logging you won't see these messages....
0
 

Author Comment

by:baileytibbs
ID: 17946229
OK, thanks for the reassurance. However, what are the implications of unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above"? I assume it is there for a reason, even though staff are currently able to send emails without any problem, or does it not matter because this is such a small office?

0
 
LVL 104

Accepted Solution

by:Sembee (earned 500 total points)
ID: 17946299
If you do not have any users on Outlook Express or other POP3/SMTP clients then there are no consequences. I turn that option off on all builds that I do as standard practice. It is only enabled again if required for a business reason.

Outlook connecting to Exchange as an Exchange client doesn't need that option.

Simon.
0