Solved

windows sbs 2003 open relay?

Posted on 2008-09-29
1,407 Views
Last Modified: 2012-05-05
Okay, confusing situation here with a possible open-relay. Here's the situation:

I have a SBS 2003 server running Exchange 2003. All of our outgoing mail is sent through a smarthost (smtp connector is configured to send through our isp's mail server).

All of a sudden today our emails are getting bounced back and I called our ISP to figure out if we were blocked for some reason. They say that they think we're blocked due to sending out more than 1000 emails in a day or hour, whichever comes first. I say that's probably not possible, so I take a look at the usage logs on our SBS 2003 server. Administrator has sent over 7000 emails to external addresses in the past day.

So, I run the connect to the internet wizard to see if that fixes any possible open-relay issue. It completes successfully.

I check the following sites with the following results:

mxtoolbox.com: NOT an open relay
dnsgoodies.com: YES I am an open relay
http://verify.abuse.net/cgi-bin/relaytest: First 7 tests say NO, but the last test says YES I am an open-relay.
dnsstuff.com: NOT an open-relay

So what's going on? I need to get this resolved ASAP and I'm confused as to what's even going on.
Question by:tvacc
20 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 22600630
Have you looked at the settings on the smtp virtual server yet? What are the authentication settings and relay settings? Also, if you don't mind list your mail server.
LVL 25

Expert Comment

by:kieran_b
ID: 22600641
What emails is the administrator account sending - are they NDR bounces or actual spam?
LVL 6

Expert Comment

by:dathho
ID: 22600639
Add an Open Relay filter to your config.
Vamsoft ORF is one candidate.

LVL 3

Expert Comment

by:nlcafe
ID: 22600643
dnsgoodies.com: YES I am an open relay - Mine says the same but I am not an open relay.  Could you have a virus somewhere?

You have to test it from a different environment and using different email addresses.  Try this:

http://www.cyberciti.biz/tips/test-mail-server-for-an-open-relay.html


Author Comment

by:tvacc
ID: 22600775
My relay settings are set to allow the following: <ip address of the exchange server> and <localhost> (127.0.0.1). "Allow all computers that authenticate to relay, regardless of the above" IS checked.

Under "Connection Control", it is set to "Allow all except the list below" and there is nothing listed below.

Under "Authentication", the following are checked:
- Anonymous Access
- Basic Authentication (password is sent in clear text)
- Integrated Windows Authentication

Are NOT checked:
- Resolve Anonymous Email
- Require TLS encryption

Default domain textbox is left BLANK.

When I click the "Users" button in "Authentication", "Authenticated Users" are given "Submit" rights, not "Relay".

Author Comment

by:tvacc
ID: 22600800
How can I tell exactly what emails the Administrator is sending? There isn't anything in his sent folder. Is there a log somewhere to look through for sent messages? Must be huge if so...

Author Comment

by:tvacc
ID: 22600810
Also, if there is a virus, then wouldn't it need to reside on the server itself (since Administrator is sending out the emails)? If it were on one of the employee's machines, then their username would be sending out all the bad emails, correct?
LVL 3

Expert Comment

by:nlcafe
ID: 22600832
Not really. Try this:

wireshark.org

Run that for an hour and find the IP sending all the packets.
LVL 12

Expert Comment

by:bhnmi
ID: 22600897
If you have the smtp transport logs enabled you can parse through them and look for the offending messages.
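
The triage bhnmi describes, as an added example that is not part of this thread or of Exchange: a parser for the W3C extended-format protocol log the SMTP virtual server writes when logging is enabled, counting what each connecting client was allowed to do. The log text below is constructed; the parser reads the column names from the #Fields line instead of hard-coding positions because real logs vary in the columns enabled, and the way the SMTP verb argument appears in cs-uri-query (+FROM:+<addr>, +TO:+<addr>) is an assumption about the format. LOCAL_DOMAINS is an assumption standing in for the poster's domain.

```python
"""Parse Exchange 2003 / IIS SMTP protocol logs (W3C extended format) and
count what each connecting client was allowed to do.

Added example for this thread, not code from the thread or from Microsoft.
"""
import re
from collections import Counter, defaultdict

# Assumption: the domain(s) this server accepts mail for.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample. An external client forges a local sender, is refused a
# relay, and gets two non-existent local mailboxes accepted (those will
# bounce later); an authenticated internal user sends out normally.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2008-09-29 08:00:01 92.113.210.248 - SMTPSVC1 SBS 10.0.0.2 25 EHLO - +248-210-113-92.pool.ukrtel.net 250
2008-09-29 08:00:01 92.113.210.248 - SMTPSVC1 SBS 10.0.0.2 25 MAIL - +FROM:+<customer.service@example.com> 250
2008-09-29 08:00:01 92.113.210.248 - SMTPSVC1 SBS 10.0.0.2 25 RCPT - +TO:+<sasha@ipotekanow.ru> 550
2008-09-29 08:00:02 92.113.210.248 - SMTPSVC1 SBS 10.0.0.2 25 RCPT - +TO:+<nosuchuser1@example.com> 250
2008-09-29 08:00:02 92.113.210.248 - SMTPSVC1 SBS 10.0.0.2 25 RCPT - +TO:+<nosuchuser2@example.com> 250
2008-09-29 08:00:03 92.113.210.248 - SMTPSVC1 SBS 10.0.0.2 25 DATA - <000401c9252e$03c628b5$87fb9ab6@ltcabe> 250
2008-09-29 08:05:10 10.0.0.15 SBS\\jsmith SMTPSVC1 SBS 10.0.0.2 25 MAIL - +FROM:+<jsmith@example.com> 250
2008-09-29 08:05:10 10.0.0.15 SBS\\jsmith SMTPSVC1 SBS 10.0.0.2 25 RCPT - +TO:+<partner@otherfirm.example> 250
"""

ADDR = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """One dict per data line, keyed by the names given in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ", len(fields) - 1)
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def smtp_address(rec):
    """Mailbox in a MAIL/RCPT argument, lower-cased; None for other verbs."""
    if rec.get("cs-method") not in ("MAIL", "RCPT"):
        return None
    m = ADDR.search(rec.get("cs-uri-query", ""))
    return m.group(1).lower() if m and "@" in m.group(1) else None


def domain_of(addr):
    return addr.rsplit("@", 1)[1]


def accepted_rcpts_per_client(records):
    """Recipients each client IP got a 250 for: the first number to check
    when the ISP says you sent thousands of messages."""
    counts = Counter()
    for r in records:
        if r["cs-method"] == "RCPT" and r["sc-status"] == "250":
            counts[r["c-ip"]] += 1
    return counts


def suspect_sessions(records, local_domains=LOCAL_DOMAINS):
    """Per unauthenticated client IP:
      relay_accepted      - 250 to a recipient outside our domains (relay)
      forged_local_from   - MAIL FROM claiming our domain from outside
      local_rcpt_accepted - 250 to a recipient in our domains; if that mailbox
                            does not exist the server will NDR the forged sender
    Sessions are approximated by client IP, enough for a triage pass."""
    out = defaultdict(Counter)
    for r in records:
        if r["cs-username"] != "-":      # authenticated: our own users
            continue
        addr = smtp_address(r)
        if addr is None:
            continue
        ip, local = r["c-ip"], domain_of(addr) in local_domains
        if r["cs-method"] == "MAIL" and local:
            out[ip]["forged_local_from"] += 1
        elif r["cs-method"] == "RCPT" and r["sc-status"] == "250":
            out[ip]["local_rcpt_accepted" if local else "relay_accepted"] += 1
    return {ip: dict(c) for ip, c in out.items()}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(dict(accepted_rcpts_per_client(recs)))
    for ip, flags in suspect_sessions(recs).items():
        print(ip, flags)
```

Point it at the real log directory (by default under the SMTP virtual server's logging settings) and sort the first counter; a single outside IP with hundreds of accepted RCPTs, or any non-zero relay_accepted, is the session to chase.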
LVL 25

Assisted Solution

by:kieran_b
kieran_b earned 2000 total points
ID: 22600913
>>"Allow all computers that authenticate to relay, regardless of the above" IS checked

Untick that - and change the administrator password.

To check to see what the administrator account is sending, have a look in the queues.

Author Comment

by:tvacc
ID: 22601483
"Change the administrator password"

- Do you think it has been compromised?
LVL 25

Expert Comment

by:kieran_b
ID: 22601514
I can't be sure til you check the queues

Author Comment

by:tvacc
ID: 22603218
Okay, I unchecked the above. Thanks.

This is what my queues window looks like (jpg attached)...what are the ones at the bottom?

In my Virtual SMTP sessions, I see a bunch of different ip addresses whenever I refresh it. Normal? Is this incoming mail or someone connecting to send?
queues.jpg
LVL 25

Expert Comment

by:kieran_b
ID: 22603501
Right click on one with messages - find messages - find now - then post that in a screeny

Author Comment

by:tvacc
ID: 22631809
When I right click on a queue with messages, they are all coming from "Postmaster@<ourdomain>.com" where <ourdomain> is obviously our domain name. No other info that looks important.

Another weird thing I found out today - one of our users (and only one user) said that they suddenly received a ridiculous amount of spam email today from "Administrator@<ourdomain>.com" with various "Undeliverable: <various spam messages>". There were so many of them coming in that she couldn't read her email.

Author Comment

by:tvacc
ID: 22631929
Also, I have a whole new list under the queue (similar to the above screen shot). All domains I don't recognize/trust. All sending to suspicious/vulgar email addresses. Subjects are "hidden" it says.

If I click "Current Sessions" under "Default SMTP Virtual Server", there are various sessions currently active from addresses that sound more than a little fishy. For instance, "ip-091-086-101-092.pools.atnet.ru" with ip address "92.101.86.91" has been connected for almost 600 seconds. There are various other ones, all foreign domain extensions (.fr, .it, etc).

What's going on...this is more than a little strange...

Author Comment

by:tvacc
ID: 22631948
I should also note that the user who is getting these near-constant "Administrator: Undeliverable <whatever>" messages seems to be getting them in response to the recipient not being available/does not exist.

I'm doing a virus scan on her computer now. Maybe something will turn up?

Author Comment

by:tvacc
ID: 22631971
Here is an example of an email she will get back. I removed the domain and replaced it with <domain>. She is the only one getting these and it definitely seems to be connected to my problem:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  sasha@ipotekanow.ru
    retry time not reached for any host after a long failure period

------ This is a copy of the message, including all the headers. ------

Return-path: <customer.service@<domain>.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@<domain>.com>)
      id 1KlfgE-0004Gk-UJ
      for sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@<domain>.com>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

3

--------------------------------------

Notice it says from: dalston huntley <customer.service@<domain>.com>

That's not the correct name, but it is the correct address that gets delivered to this mailbox.
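
The bounce quoted above carries the one piece of evidence that settles whether the message ever touched the poster's server: its Received trail. As an added example that is not part of this thread, the following reads that trail with Python's email module. BOUNCED_COPY is the message copy from the bounce above with the poster's redacted domain replaced by the placeholder example.com; GENUINE_COPY is a constructed contrast case that did go out through our server; OUR_HOSTS is an assumption standing in for the SBS server's names.

```python
"""Walk the Received trail of a bounced copy to find which hosts really
handled the message, so a forged From/Return-path can be told apart from
mail that actually left your server.

Added example for this thread, not code from the thread.
"""
import re
import email
import email.utils

OUR_HOSTS = {"sbs.example.com", "mail.example.com"}   # assumption

BOUNCED_COPY = """\
Return-path: <customer.service@example.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
\tby h4.dreamsee.org with esmtp (Exim 4.69)
\t(envelope-from <customer.service@example.com>)
\tid 1KlfgE-0004Gk-UJ
\tfor sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@example.com>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
X-Mailer: Microsoft Outlook Express 6.00.2720.3000

3
"""

# Constructed: a message that did go out through our server (Exchange-style
# inner hop, Postfix-style outer hop).
GENUINE_COPY = """\
Received: from mail.example.com (mail.example.com [198.51.100.2])
\tby mx.partner.example (Postfix) with ESMTP id 4B2C3 for <x@partner.example>;
\tMon, 29 Sep 2008 10:00:00 +0000
Received: from workstation17 ([10.0.0.17]) by mail.example.com with
\tMicrosoft SMTPSVC(6.0.3790.3959); Mon, 29 Sep 2008 09:59:58 +0000
From: jsmith@example.com
To: x@partner.example
Subject: genuine

hi
"""

# "from <name> (<comment>) ... by <host>"; covers the Exim "(helo=...)" form
# and the Postfix/Exchange "(rdns [ip])" / "([ip])" forms.
HOP = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO = re.compile(r"helo=([\w.-]+)")


def received_hops(raw):
    """Hops in transit order, earliest first: dicts with from_name, from_ip, by.
    MTAs prepend Received headers, so the top one is the last hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())          # unfold the header
        m = HOP.search(text)
        if not m:
            continue
        front = m.group("from") + " " + (m.group("comment") or "")
        ip, helo = IPV4.search(front), HELO.search(front)
        hops.append({
            "from_name": helo.group(1) if helo else m.group("from").strip("[]"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops[::-1]


def injection_point(raw):
    """Client IP that handed the message to the first MTA: the real origin,
    whatever From: and Return-path claim."""
    hops = received_hops(raw)
    return hops[0]["from_ip"] if hops else None


def passed_through(raw, our_hosts=OUR_HOSTS):
    """True if one of our hosts appears as a 'by' host, i.e. we handled it."""
    return any(h["by"] in our_hosts for h in received_hops(raw))


def claimed_sender(raw):
    return email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]


if __name__ == "__main__":
    for label, raw in (("bounced copy", BOUNCED_COPY), ("genuine", GENUINE_COPY)):
        print(label, "| claims", claimed_sender(raw), "| injected from",
              injection_point(raw), "| via our server:", passed_through(raw))
```

For the quoted bounce the only hop is 92.113.210.248 handing the message straight to h4.dreamsee.org; no host of ours appears, so the Return-path and From were simply written by the sender. Only the Received header added by a host you trust is reliable; a spammer can prepend fake ones, which is why the chain is read from the trusted hop inward.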
LVL 25

Accepted Solution

by:kieran_b
kieran_b earned 2000 total points
ID: 22632694
You have two problems - you are an NDR bouncer, meaning those connections on SMTP are sending random crap to random addresses, pretending to be from external senders which you are bouncing out - fix that here -> http://www.amset.info/exchange/filter-unknown.asp

Other than that, the NDRs that you are RECEIVING (not sending like above) are not easy to stop - it is not caused by you, it is just the way it goes.

I doubt there is a virus on your network at all.
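
The two problems named in the accepted answer, and the relay settings the poster listed earlier, as an added example that is not part of this thread or of Exchange: a small model of the SMTP virtual server's RCPT-time decisions, probed the way an outside tester would. It shows why a classic external-to-external relay probe reports "not an open relay" while an unknown local recipient is still accepted and bounced to whoever was forged as sender, and what unticking "allow all computers that authenticate to relay" and enabling recipient filtering change. Addresses, IPs, mailbox names and the weak password are constructed; the model simplifies Exchange to the three decisions the thread turns on.

```python
"""Model of the Exchange 2003 SMTP virtual server decisions discussed in
this thread, probed like an outside relay tester.

Added example for this thread, not code from the thread or from Exchange.
"""
from dataclasses import dataclass, field


@dataclass
class VirtualServer:
    local_domains: set
    mailboxes: set                                  # addresses that really exist
    relay_ips: set = field(default_factory=set)     # the explicit relay list
    relay_authenticated: bool = True   # "Allow all computers which authenticate to relay"
    recipient_filtering: bool = False  # reject unknown local recipients at RCPT time
    accounts: dict = field(default_factory=dict)    # user -> password (constructed)

    def authenticate(self, user, password):
        return self.accounts.get(user) == password

    def rcpt_to(self, client_ip, authenticated, rcpt):
        """Reply to RCPT TO:<rcpt> as (code, reason)."""
        domain = rcpt.rsplit("@", 1)[1].lower()
        if domain in self.local_domains:
            if self.recipient_filtering and rcpt.lower() not in self.mailboxes:
                return 550, "5.1.1 User unknown"
            return 250, "2.1.5 Recipient OK"
        if client_ip in self.relay_ips or (authenticated and self.relay_authenticated):
            return 250, "2.1.5 Recipient OK (relayed)"
        return 550, "5.7.1 Unable to relay"

    def ndrs_generated(self, mail_from, accepted_rcpts):
        """After DATA: an accepted local recipient with no mailbox cannot be
        delivered, so the server sends an NDR to the envelope sender. When
        that sender was forged, this is backscatter."""
        return [(mail_from, r) for r in accepted_rcpts
                if r.rsplit("@", 1)[1].lower() in self.local_domains
                and r.lower() not in self.mailboxes]


def probe(server, client_ip="203.0.113.9", guessed=("administrator", "Password1")):
    """Three checks from an outside IP, returned as a dict of booleans."""
    local = next(iter(server.local_domains))
    results = {}
    # 1. classic open-relay test: outside sender to outside recipient, no auth
    code, _ = server.rcpt_to(client_ip, False, "victim@elsewhere.example")
    results["open_relay"] = code == 250
    # 2. the same relay after logging in with a guessed password
    code, _ = server.rcpt_to(client_ip, server.authenticate(*guessed), "victim@elsewhere.example")
    results["relay_with_guessed_password"] = code == 250
    # 3. backscatter: forged external sender to a local user that does not exist
    rcpt = "nosuchuser@" + local
    code, _ = server.rcpt_to(client_ip, False, rcpt)
    results["accepts_unknown_recipient"] = code == 250
    queued = [rcpt] if code == 250 else []
    results["will_bounce_to_forged_sender"] = bool(server.ndrs_generated("innocent@forged.example", queued))
    return results


def as_posted():
    """The settings listed in the question, plus a guessable password (assumed)."""
    return VirtualServer(local_domains={"example.com"},
                         mailboxes={"jsmith@example.com", "customer.service@example.com"},
                         relay_ips={"127.0.0.1", "10.0.0.2"},
                         relay_authenticated=True,
                         recipient_filtering=False,
                         accounts={"administrator": "Password1"})


def hardened():
    """Authenticated relay off, recipient filtering on, password changed."""
    s = as_posted()
    s.relay_authenticated = False
    s.recipient_filtering = True
    s.accounts["administrator"] = "c0rrect-horse-battery"
    return s


if __name__ == "__main__":
    print("as posted:", probe(as_posted()))
    print("hardened: ", probe(hardened()))
```

Two caveats. The online testers run several recipient forms, not just the one probe here, so their disagreement in the question is not modelled. And turning off relay for authenticated clients only affects clients that submit over SMTP with a login (POP/IMAP users, scripts); Outlook users on MAPI submit through the store, not the SMTP virtual server, so they are unaffected.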

Author Comment

by:tvacc
ID: 22640045
Thanks. Points awarded.