Solved

Postmaster NDR Attack

Posted on 2006-11-14
1,550 Views
Last Modified: 2008-01-09
Hi,

In recent weeks our Exchange Server has experienced what I believe is an NDR attack. We have subsequently followed the advice written in Microsoft Knowledge Base articles 886208 and 842851, but we still seem to be getting a lot of messages in our SMTP queues.

Does anybody know how I can find out what the source of these messages is, so that I can work on stopping them?

Thanks

Question by:baileytibbs
12 Comments
LVL 39

Expert Comment

by:redseatechnologies
ID: 17942578
Hi baileytibbs,

What exchange version are we talking about here?

-red
LVL 104

Expert Comment

by:Sembee
ID: 17942621
You probably need my spam cleanup article.
http://www.amset.info/exchange/spam-cleanup.asp

That will help identify where the problem is and clean up the mess.

Simon.

Author Comment

by:baileytibbs
ID: 17942672
Hi,

Our exchange version is Exchange 2003 SP2.

As regards the article mentioned, you referred me to this the other evening and it has helped me greatly in checking that our server wasn't acting as an open relay and to allow me to clean up the queues without any fuss.

However, even though I have set the MS Exchange Transport logging level to maximum, I do not get the message you describe, and so I don't understand. The messages I do get are similar to the one below (although I have replaced our IP address with **OUR IP**).

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            14/11/2006
Time:            22:57:14
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #37561. The remote host "66.175.131.125", responded to the SMTP command "mail" with "451 IP: **OUR IP** temporary blocked due to high Spam ratio!  ". The full command sent was "MAIL FROM:<mnfxxxj@host**OUR IP**.in-addr.btopenworld.com>  ".  This may cause the connection to fail.

I have loads of messages from @host**OUR IP**.in-addr.btopenworld.com and a queue with that address listed, where the messages inside are all from postmaster@ourdomain.

Any ideas?

Author Comment

by:baileytibbs
ID: 17942773
Hi,

In the last 10 minutes I have also had about 50 of these event messages on the server.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            14/11/2006
Time:            23:34:55
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #37575. The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for mqva@**OUR IP**.in-addr.btopenworld.com  ". The full command sent was "rcpt TO:<mqva@host**OUR IP**.in-addr.btopenworld.com>".  This will probably cause the connection to fail.

192.168.0.100 is our Exchange server.
LVL 104

Expert Comment

by:Sembee
ID: 17942899
Did you ever get the queue clear?
After setting the recipient filter, did you set it on the SMTP virtual server as well? Did you then restart the SMTP Service?

Have you confirmed that this isn't an authenticated user relay? Turn off authenticated user relaying and then restart the SMTP Service again.

It would appear that Exchange is still sending the spam messages out; you need to try and spot which method is being used.

Simon.

Author Comment

by:baileytibbs
ID: 17943104
Hi Simon,

Thanks for taking an interest in this. I was able to get the message queue clear.

Also, I believe I have followed the instructions in your article correctly and have set the recipient filter as you suggest along with the SMTP virtual server.

I have now unchecked "Allow all computers which successfully authenticate to relay, regardless of the list above" and the messages have stopped. But with the selection "Only the computers below" selected and that list being empty, I can't see how anybody can relay any messages through this server.

There are only 6 PCs in this office. Is there any way I can introduce them back into the relaying system one by one until I know which is causing the problem? It is now 1am here and so nobody should be sending messages at the moment.

Thanks for your help

Author Comment

by:baileytibbs
ID: 17943147
Hi,

Since unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above", my message queues have remained empty.

However, my event log is showing the following example event (I have about 50 in the last 15 mins).

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            15/11/2006
Time:            00:54:08
User:            N/A
Computer:      SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #37614. The client at "192.168.0.100" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for boricuafem@aol.com  ". The full command sent was "rcpt TO:<boricuafem@aol.com>".  This will probably cause the connection to fail.

I have no idea who boricuafem@aol.com is, along with the other addresses listed in the event messages.

I don't know if this helps.
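To triage events like the 7002 and 7010 entries quoted in this thread in bulk, here is an added example (not from the thread, nor a Microsoft tool): a small Python script that parses the event descriptions, counts which client is being refused relay and for which recipient domains, and which remote hosts are rejecting our outbound mail. The sample events are constructed from the descriptions above, with 203.0.113.10 standing in for the masked "OUR IP".

```python
import re
from collections import Counter

# Constructed sample events modelled on the MSExchangeTransport 7002/7010
# descriptions quoted in this thread; 203.0.113.10 stands in for "OUR IP".
SAMPLE_EVENTS = [
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, '
           'connection #37561. The remote host "66.175.131.125", responded to '
           'the SMTP command "mail" with "451 IP: 203.0.113.10 temporary blocked '
           'due to high Spam ratio!  ". The full command sent was '
           '"MAIL FROM:<mnfxxxj@host203.0.113.10.in-addr.btopenworld.com>  ".'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection '
           '#37575. The client at "192.168.0.100" sent a "rcpt" command, and the '
           'SMTP server responded with "550 5.7.1 Unable to relay for '
           'mqva@203.0.113.10.in-addr.btopenworld.com  ". The full command sent '
           'was "rcpt TO:<mqva@host203.0.113.10.in-addr.btopenworld.com>".'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection '
           '#37614. The client at "192.168.0.100" sent a "rcpt" command, and the '
           'SMTP server responded with "550 5.7.1 Unable to relay for '
           'boricuafem@aol.com  ". The full command sent was '
           '"rcpt TO:<boricuafem@aol.com>".'),
]

# 7010: a client asked us to relay and was refused.  7002: a remote MTA answered our MAIL FROM with an error.
RELAY_DENIED = re.compile(r'The client at "(?P<client>[^"]+)" sent a "rcpt" command'
                          r'.*?rcpt TO:<(?P<rcpt>[^>]+)>', re.I | re.S)
REMOTE_REJECT = re.compile(r'The remote host "(?P<host>[^"]+)", responded .*? with '
                           r'"(?P<code>\d{3})[^"]*".*?MAIL FROM:<(?P<sender>[^>]*)>', re.S)

def triage(events):
    """Count refused relays per client IP / recipient domain and remote rejections per (host, code)."""
    clients, domains, remote = Counter(), Counter(), Counter()
    for event_id, desc in events:
        if event_id == 7010 and (m := RELAY_DENIED.search(desc)):
            clients[m['client']] += 1
            domains[m['rcpt'].rsplit('@', 1)[-1].lower()] += 1
        elif event_id == 7002 and (m := REMOTE_REJECT.search(desc)):
            remote[(m['host'], m['code'])] += 1
    return {'relay_clients': clients, 'relay_domains': domains, 'remote': remote}

def verdict(summary, internal_hosts):
    """Defender's reading: refused relays from an internal address mean something on the
    LAN is submitting mail; remote 4xx/5xx answers mean our outbound queue (e.g. NDRs
    to forged senders) is being treated as spam by other sites."""
    findings = []
    for client, n in summary['relay_clients'].items():
        if client in internal_hosts:
            findings.append(f'{n} relay refusal(s) from internal host {client}')
    for (host, code), n in summary['remote'].items():
        findings.append(f'{host} answered {code} to {n} outbound message(s)')
    return findings
```

Feed it the Description field of exported 7002/7010 events; a large count of refusals from one internal address, or of rejections from many remote hosts, tells you whether to look at a local submitter or at backscatter from forged-sender NDRs.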
LVL 26

Expert Comment

by:Vahik
ID: 17945352
You have nothing to worry about. Someone is trying authenticated relay and is failing. Nothing you can do to stop folks from trying to relay through your server; this is routine for all Exchange administrators. If you disable logging you won't see these messages.

Author Comment

by:baileytibbs
ID: 17946229
OK, thanks for the reassurance. However, what are the implications of unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above"? I assume it is there for a reason, even though staff are currently able to send emails without any problem. Or does it not matter because this is such a small office?
LVL 104

Accepted Solution

by:Sembee (earned 2000 total points)
ID: 17946299
If you do not have any users on Outlook Express or other POP3/SMTP clients, then there are no consequences. I turn that option off on all builds that I do as standard practice. It is only enabled again if required for a business reason.

Outlook connecting to Exchange as an Exchange client doesn't need that option.

Simon.