Postmaster NDR Attack

Hi,

In recent weeks our Exchange Server has experienced what I believe is an NDR attack. We have subsequently followed the advice written in Microsoft Knowledge Base articles 886208 and 842851 but we still seem to be getting a lot of messages in our SMTP queues.

Does anybody know how I can find out what the source of these messages is so that I can work on stopping them?

Thanks

baileytibbs Asked:

Sembee Commented:
If you do not have any users on Outlook Express or other POP3/SMTP clients then there are no consequences. I turn that option off on all builds that I do as standard practice. It is only enabled again if required for a business reason.

Outlook connecting to Exchange as an Exchange client doesn't need that option.

Simon.
redseatechnologies Commented:
Hi baileytibbs,

What exchange version are we talking about here?

-red
Sembee Commented:
You probably need my spam cleanup article.
http://www.amset.info/exchange/spam-cleanup.asp

That will help identify where the problem is and clean up the mess.

Simon.
baileytibbs (Author) Commented:
Hi,

Our exchange version is Exchange 2003 SP2.

As regards the article mentioned, you referred me to this the other evening and it has helped me greatly in checking that our server wasn't acting as an open relay and to allow me to clean up the queues without any fuss.

However, even though I have set the MS Exchange Transport logging level to maximum, I do not get the message you describe and so I don't understand. The messages I do get are similar to the one below (although I have replaced our IP address with **OUR IP**):

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            14/11/2006
Time:            22:57:14
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #37561. The remote host "66.175.131.125", responded to the SMTP command "mail" with "451 IP: **OUR IP** temporary blocked due to high Spam ratio!  ". The full command sent was "MAIL FROM:<mnfxxxj@host**OUR IP**.in-addr.btopenworld.com>  ".  This may cause the connection to fail.

I have loads of messages from @host**OUR IP**.in-addr.btopenworld.com and a queue with that address listed where the messages inside are all from postmaster@ourdomain.

Any ideas?
baileytibbs (Author) Commented:
Hi,

In the last 10 minutes I have also had about 50 of these event messages on the server:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            14/11/2006
Time:            23:34:55
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #37575. The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for mqva@**OUR IP**.in-addr.btopenworld.com  ". The full command sent was "rcpt TO:<mqva@host**OUR IP**.in-addr.btopenworld.com>".  This will probably cause the connection to fail.

192.168.0.100 is our Exchange server.
Sembee Commented:
Did you ever get the queue clear?
After setting the recipient filter, did you set it on the SMTP virtual server as well? Did you then restart the SMTP Service?

Have you confirmed that this isn't an authenticated user relay? Turn off authenticated user relaying and then restart the SMTP Service again.

It would appear that Exchange is still sending the spam messages out; you need to try and spot which method is being used.

Simon.
baileytibbs (Author) Commented:
Hi Simon,

Thanks for taking an interest in this. I was able to get the message queue clear.

Also, I believe I have followed the instructions in your article correctly and have set the recipient filter as you suggest along with the SMTP virtual server.

I have now unchecked "Allow all computers which successfully authenticate to relay, regardless of the list above" and the messages have stopped, but with the selection "Only the computers below" selected and that list being empty, I can't see how anybody can relay any messages through this server.

There are only 6 PCs in this office. Is there any way I can introduce them back into the relaying system one by one until I know which is causing the problem? It is now 1am here and so nobody should be sending messages at the moment.

Thanks for your help
baileytibbs (Author) Commented:
Hi,

Since unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above", my message queues have remained empty.

However, my event log is showing the following example event (I have about 50 in the last 15 mins):

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            15/11/2006
Time:            00:54:08
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #37614. The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for boricuafem@aol.com  ". The full command sent was "rcpt TO:<boricuafem@aol.com>".  This will probably cause the connection to fail.

I have no idea who boricuafem@aol.com is, along with the other addresses listed in the event messages.

I don't know if this helps.
Vahik Commented:
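Added example, not from the thread: a small Python parser for the 7002 and 7010 event descriptions quoted in the two posts above, tallying rejections by direction (7002: the remote host rejected a command our server sent; 7010: our server rejected a command a client sent) and by whether the peer is our own server. The sample events, peer IPs and addresses are constructed for the example; 192.168.0.100 as the Exchange server's own address comes from the thread.

```python
import re
from collections import Counter

# Constructed sample entries modelled on the 7002/7010 descriptions quoted in this
# thread; peer IPs, addresses and connection numbers are made up for the example.
SAMPLE_EVENTS = [
    (7002, 'The remote host "198.51.100.7", responded to the SMTP command "mail" with '
           '"451 IP: 203.0.113.5 temporary blocked due to high Spam ratio!". '
           'The full command sent was "MAIL FROM:<abc@host203.0.113.5.in-addr.example.net>".'),
    (7010, 'The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server '
           'responded with "550 5.7.1 Unable to relay for someone@example.org". '
           'The full command sent was "rcpt TO:<someone@example.org>".'),
    (7010, 'The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server '
           'responded with "550 5.7.1 Unable to relay for other@example.org". '
           'The full command sent was "rcpt TO:<other@example.org>".'),
    (7010, 'The client at "198.51.100.9" sent a "rcpt" command, and the SMTP server '
           'responded with "550 5.7.1 Unable to relay for x@example.net". '
           'The full command sent was "rcpt TO:<x@example.net>".'),
]

# 7002: our server issued the command and the REMOTE host rejected it (outbound mail).
RE_7002 = re.compile(r'The remote host "(?P<peer>[^"]+)", responded to the SMTP command '
                     r'"(?P<cmd>\w+)" with "(?P<resp>\d{3})')
# 7010: a CLIENT connected to us and OUR server rejected the command (inbound attempt).
RE_7010 = re.compile(r'The client at "(?P<peer>[^"]+)" sent a "(?P<cmd>\w+)" command, '
                     r'and the SMTP server responded with "(?P<resp>\d{3})')
RE_ADDR = re.compile(r'The full command sent was "\w+ (?:FROM|TO):<[^@>]+@(?P<domain>[^>]+)>',
                     re.IGNORECASE)

def parse_event(event_id, description):
    """Return (direction, peer, SMTP reply code, address domain), or None on no match."""
    match = (RE_7002 if event_id == 7002 else RE_7010).search(description)
    if not match:
        return None
    addr = RE_ADDR.search(description)
    direction = "outbound" if event_id == 7002 else "inbound"
    return direction, match.group("peer"), match.group("resp"), addr.group("domain") if addr else "?"

def summarize(events, local_ips):
    """Tally rejections by direction, peer origin (own server vs external), peer and code."""
    counts = Counter()
    for event_id, description in events:
        parsed = parse_event(event_id, description)
        if parsed is None:
            continue
        direction, peer, resp, _domain = parsed
        origin = "local" if peer in local_ips else "external"
        counts[(direction, origin, peer, resp)] += 1
    return counts
```

A burst of inbound 550 rejections whose peer is the server's own address, as in the posts above, points at something submitting mail on or through the server itself rather than at outside hosts probing it.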
You have nothing to worry about.... someone is trying authenticated relay and is failing..... nothing you can do to stop folks from trying to relay through your server.... this is routine for all Exchange administrators... if you disable logging you won't see these messages....
baileytibbs (Author) Commented:
OK, thanks for the reassurance. However, what are the implications of unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above"? I assume it is there for a reason, even though staff are currently able to send emails without any problem, or does it not matter because this is such a small office?
