  • Status: Solved
windows sbs 2003 open relay?

Okay, confusing situation here with a possible open-relay. Here's the situation:

I have a SBS 2003 server running Exchange 2003. All of our outgoing mail is sent through a smarthost (smtp connector is configured to send through our isp's mail server).

All of a sudden today our emails are getting bounced back and I called our ISP to figure out if we were blocked for some reason. They say that they think we're blocked due to sending out more than 1000 emails in a day or hour, whichever comes first. I say that's probably not possible, so I take a look at the usage logs on our SBS 2003 server. Administrator has sent over 7000 emails to external addresses in the past day.

So, I run the connect to the internet wizard to see if that fixes any possible open-relay issue. It completes successfully.

I check the following sites with the following results:

mxtoolbox.com: NOT an open relay
dnsgoodies.com: YES I am an open relay
http://verify.abuse.net/cgi-bin/relaytest: First 7 tests say NO, but the last test says YES I am an open-relay.
dnsstuff.com: NOT an open-relay

So what's going on. I need to get this resolved ASAP and I'm confused as to what's even going on.
0
Asked by tvacc

2 Solutions
 
bhnmiCommented:
Have you looked at the settings on the smtp virtual server yet? What are the authentication settings and relay settings? Also, if you don't mind list your mail server.
0
 
kieran_bCommented:
What emails is the administrator account sending - are they NDR bounces or actual spam?
0
 
dathhoCommented:
Add an Open Relay filter to your config.
Vamsoft ORF is one candidate.

0
 
nlcafeCommented:
dnsgoodies.com: YES I am an open relay - Mine says the same but I am not an open relay. Could you have a virus somewhere?

You have to test it from a different environment and using different email addresses.  Try this:

http://www.cyberciti.biz/tips/test-mail-server-for-an-open-relay.html

0
 
tvaccAuthor Commented:
My relay settings are set to allow the following: <ip address of the exchange server> and <localhost> (127.0.0.1). "Allow all computers that authenticate to relay, regardless of the above" IS checked.

Under "Connection Control", it is set to "Allow all except the list below" and there is nothing listed below.

Under "Authentication", the following are checked:
- Anonymous Access
- Basic Authentication (password is sent in clear text)
- Integrated Windows Authentication

Are NOT checked:
- Resolve Anonymous Email
- Require TLS encryption

Default domain textbox is left BLANK.

When I click the "Users" button in "Authentication", "Authenticated Users" are given "Submit" rights, not "Relay".
0
 
tvaccAuthor Commented:
How can I tell exactly what emails the Administrator is sending? There isn't anything in his sent folder. Is there a log somewhere to look through for sent messages? Must be huge if so...
0
 
tvaccAuthor Commented:
Also, if there is a virus, then wouldn't it need to reside on the server itself (since Administrator is sending out the emails)? If it were on one of the employee's machines, then their username would be sending out all the bad emails, correct?
0
 
nlcafeCommented:
Not really. Try this:

wireshark.org

Run that for an hour and find the IP sending all the packets.
0
 
bhnmiCommented:
If you have the smtp transport logs enabled you can parse through them and look for the offending messages.
0
 
kieran_bCommented:
>>"Allow all computers that authenticate to relay, regardless of the above" IS checked

Untick that - and change the administrator password.

To check to see what the administrator account is sending, have a look in the queues
0
 
tvaccAuthor Commented:
"Change the administrator password"

- Do you think it has been compromised?
0
 
kieran_bCommented:
I can't be sure till you check the queues.
0
 
tvaccAuthor Commented:
Okay, I unchecked the above. Thanks.

This is what my queues window looks like (jpg attached)...what are the ones at the bottom?

In my Virtual SMTP sessions, I see a bunch of different ip addresses whenever I refresh it. Normal? Is this incoming mail or someone connecting to send?
queues.jpg
0
 
kieran_bCommented:
Right click on one with messages - find messages - find now - then post that in a screeny
0
 
tvaccAuthor Commented:
When I right click on a queue with messages, they are all coming from "Postmaster@<ourdomain>.com" where <ourdomain> is obviously our domain name. No other info that looks important.

Another weird thing I found out today - one of our users (and only one user) said that they suddenly received a ridiculous amount of spam email today from "Administrator@<ourdomain>.com" with various "Undeliverable: <various spam messages>". There were so many of them coming in that she couldn't read her email.
0
 
tvaccAuthor Commented:
Also, I have a whole new list under the queue (similar to the above screen shot). All domains I don't recognize/trust. All sending to suspicious/vulgar email addresses. Subjects are "hidden" it says.

If I click "Current Sessions" under "Default SMTP Virtual Server", there are various sessions currently active from addresses that sound more than a little fishy. For instance, "ip-091-086-101-092.pools.atnet.ru" with ip address "92.101.86.91" has been connected for almost 600 seconds. There are various other ones, all foreign domain extensions (.fr, .it, etc).

What's going on...this is more than a little strange...
0
 
tvaccAuthor Commented:
I should also note that the user who is getting these near-constant "Administrator: Undeliverable <whatever>" messages seems to be getting them in response to the recipient not being available/does not exist.

I'm doing a virus scan on her computer now. Maybe something will turn up?
0
 
tvaccAuthor Commented:
Here is an example of an email she will get back. I removed the domain and replaced it with <domain>. She is the only one getting these and it definitely seems to be connected to my problem:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  sasha@ipotekanow.ru
    retry time not reached for any host after a long failure period

------ This is a copy of the message, including all the headers. ------

Return-path: <customer.service@<domain>.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@<domain>.com>)
      id 1KlfgE-0004Gk-UJ
      for sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@<domain>.com>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

3

--------------------------------------

Notice it says from: dalston huntley <customer.service@<domain>.com>

That's not the correct name, but it is the correct address that gets delivered to this mailbox.
0
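The quoted bounce already contains the answer to "did we send this?": the embedded copy's Received header names the host that injected the message, and it is a ukrtel.net dial-up pool, not the poster's Exchange server. The following is an added example, not code from this thread, that reads that header out of an NDR and classifies the bounce; it assumes placeholder values (192.0.2.5 as the address our own mail leaves from, ourdomain.example in place of <domain>), and its sample NDR is constructed after the one quoted above.

```python
"""Tell a bounce for mail we really sent apart from backscatter for mail forged in our name.

Added example for this thread, not code from the thread.  OUR_MAIL_IPS and OUR_DOMAIN are
placeholders; the NDR text is constructed after the bounce quoted in the thread.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Tuple

OUR_MAIL_IPS = {"192.0.2.5"}        # placeholder: addresses our own mail legitimately leaves from
OUR_DOMAIN = "ourdomain.example"    # placeholder for <domain> in the thread

SAMPLE_NDR = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  sasha@ipotekanow.ru
    retry time not reached for any host after a long failure period

------ This is a copy of the message, including all the headers. ------

Return-path: <customer.service@ourdomain.example>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@ourdomain.example>)
      id 1KlfgE-0004Gk-UJ
      for sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@ourdomain.example>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2720.3000

3
"""

COPY_MARKER = "This is a copy of the message"


def embedded_message(ndr_text: str) -> Optional[Message]:
    """Parse the original message that the NDR quotes below its marker line."""
    at = ndr_text.find(COPY_MARKER)
    if at < 0:
        return None
    start = ndr_text.index("\n", at) + 1
    return message_from_string(ndr_text[start:].lstrip("\n"))


def first_hop(msg: Message) -> Tuple[Optional[str], Optional[str]]:
    """(IP, HELO name) of the host that injected the message, i.e. the bottom-most Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    earliest = received[-1]          # every relay prepends, so the last header is the first hop
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest)
    helo = re.search(r"helo=([^\s)]+)", earliest)
    return (ip.group(1) if ip else None, helo.group(1) if helo else None)


def classify_bounce(ndr_text: str) -> str:
    """'our-mail' if the first hop is one of our servers, 'backscatter' if a sender in our
    domain was forged on a message that never touched us, else 'unrelated'."""
    msg = embedded_message(ndr_text)
    if msg is None:
        return "unrelated"
    ip, _helo = first_hop(msg)
    if ip in OUR_MAIL_IPS:
        return "our-mail"
    sender_domain = parseaddr(msg.get("Return-path", ""))[1].rpartition("@")[2].lower()
    return "backscatter" if sender_domain == OUR_DOMAIN else "unrelated"


# A second constructed bounce whose first hop really is our server, for contrast.
GENUINE_NDR = SAMPLE_NDR.replace(
    "[92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)",
    "[192.0.2.5] (helo=mail.ourdomain.example)",
)

if __name__ == "__main__":
    for name, text in (("thread-style bounce", SAMPLE_NDR), ("contrast", GENUINE_NDR)):
        print(name, first_hop(embedded_message(text)), classify_bounce(text))
```

Only the bottom-most Received header is trustworthy for this purpose, and only because it was written by the bouncing server's own MTA; anything above the forged message's own headers can be whatever the sender wrote. A "backscatter" result means there is nothing on the receiving side to clean; the mailbox owner is simply the address the spammer chose to forge.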
 
kieran_bCommented:
You have two problems - you are an NDR bouncer, meaning those connections on SMTP are sending random crap to random addresses, pretending to be from external senders which you are bouncing out - fix that here -> http://www.amset.info/exchange/filter-unknown.asp

Other than that, the NDRs that you are RECEIVING (not sending like above) are not easy to stop - it is not caused by you, it is just the way it goes.

I doubt there is a virus on your network at all.
0
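The reply above draws a line the relay testers in the question could not: a server can refuse to relay for foreign domains (so most tests say "not an open relay") and still accept mail for every name at its own domain, only to discover at delivery time that the mailbox does not exist and bounce to whatever envelope sender was forged. The toy model below is an added example, not code from this thread and not how Exchange is implemented; its mailbox list and spam batch are constructed. It runs the same batch through a server with and without unknown-recipient filtering and counts the NDRs each one emits.

```python
"""Toy model of the RCPT TO decision: accept-then-bounce versus reject-at-RCPT.

Added example for this thread, not code from the thread and not Exchange internals.
LOCAL_DOMAIN, MAILBOXES and the spam batch are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LOCAL_DOMAIN = "ourdomain.example"                   # placeholder for the poster's domain
MAILBOXES = {"alice", "bob", "customer.service"}     # constructed directory of real users


@dataclass
class ToyMta:
    filter_unknown_recipients: bool                  # the recipient-filtering setting
    ndrs_sent: List[Tuple[str, str]] = field(default_factory=list)

    def rcpt(self, rcpt_to: str) -> int:
        """Reply code for RCPT TO.  Foreign domains are refused in both modes: this is not a relay."""
        local, _, domain = rcpt_to.rpartition("@")
        if domain.lower() != LOCAL_DOMAIN:
            return 550
        if local.lower() in MAILBOXES:
            return 250
        return 550 if self.filter_unknown_recipients else 250

    def deliver(self, envelope_from: str, rcpt_to: str) -> str:
        """Outcome of one message.  A message accepted for a missing mailbox can only be
        bounced, and the bounce goes to whatever envelope sender the spammer forged."""
        if self.rcpt(rcpt_to) != 250:
            return "rejected"
        if rcpt_to.rpartition("@")[0].lower() in MAILBOXES:
            return "delivered"
        self.ndrs_sent.append((envelope_from, rcpt_to))
        return "ndr-sent"


def simulate(filter_unknown_recipients: bool) -> Tuple[Dict[str, int], int]:
    """Run a constructed spam batch; return outcome counts and how many NDRs we emitted."""
    mta = ToyMta(filter_unknown_recipients)
    guessed = ["alice", "zzz", "sales", "bob", "qwerty"]      # random local names, as in the thread
    batch = [("sasha@ipotekanow.ru", f"{n}@{LOCAL_DOMAIN}") for n in guessed]
    batch.append(("anyone@example.net", "victim@example.org"))  # a relay attempt, refused either way
    outcomes = Counter(mta.deliver(f, t) for f, t in batch)
    return dict(outcomes), len(mta.ndrs_sent)


if __name__ == "__main__":
    for mode in (False, True):
        print("filter unknown recipients =", mode, "->", simulate(mode))
```

With filtering off, three of the six messages turn into NDRs addressed to the forged sender, which is the poster's outbound queue full of Postmaster mail to domains nobody recognises; with filtering on, the same three are refused at RCPT time with a 550 and the sending host, not the forged victim, bears the failure. The relay attempt is refused in both runs, which is why a pure relay test can report "not an open relay" while the server is still a bouncer.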
 
tvaccAuthor Commented:
Thanks. Points awarded.
0
