Solved

windows sbs 2003 open relay?

Posted on 2008-09-29
Last Modified: 2012-05-05
Okay, confusing situation here with a possible open-relay. Here's the situation:

I have a SBS 2003 server running Exchange 2003. All of our outgoing mail is sent through a smarthost (smtp connector is configured to send through our isp's mail server).

All of a sudden today our emails are getting bounced back and I called our ISP to figure out if we were blocked for some reason. They say that they think we're blocked due to sending out more than 1000 emails in a day or hour, whichever comes first. I say that's probably not possible, so I take a look at the usage logs on our SBS 2003 server. Administrator has sent over 7000 emails to external addresses in the past day.

So, I run the connect to the internet wizard to see if that fixes any possible open-relay issue. It completes successfully.

I check the following sites with the following results:

mxtoolbox.com: NOT an open relay
dnsgoodies.com: YES I am an open relay
http://verify.abuse.net/cgi-bin/relaytest: First 7 tests say NO, but the last test says YES I am an open-relay.
dnsstuff.com: NOT an open-relay

So what's going on? I need to get this resolved ASAP and I'm confused as to what's even going on.
Question by:tvacc
20 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 22600630
Have you looked at the settings on the smtp virtual server yet? What are the authentication settings and relay settings? Also, if you don't mind list your mail server.
 
LVL 25

Expert Comment

by:kieran_b
ID: 22600641
What emails is the administrator account sending - are they NDR bounces or actual spam?
 
LVL 6

Expert Comment

by:dathho
ID: 22600639
Add an Open Relay filter to your config.
Vamsoft ORF is one candidate.

 
LVL 3

Expert Comment

by:nlcafe
ID: 22600643
dnsgoodies.com: YES I am an open relay - Mine says the same but I am not an open relay. Could you have a virus somewhere?

You have to test it from a different environment and using different email addresses.  Try this:

http://www.cyberciti.biz/tips/test-mail-server-for-an-open-relay.html

 

Author Comment

by:tvacc
ID: 22600775
My relay settings are set to allow the following: <ip address of the exchange server> and <localhost> (127.0.0.1). "Allow all computers that authenticate to relay, regardless of the above" IS checked.

Under "Connection Control", it is set to "Allow all except the list below" and there is nothing listed below.

Under "Authentication", the following are checked:
- Anonymous Access
- Basic Authentication (password is sent in clear text)
- Integrated Windows Authentication

Are NOT checked:
- Resolve Anonymous Email
- Require TLS encryption

Default domain textbox is left BLANK.

When I click the "Users" button in "Authentication", "Authenticated Users" are given "Submit" rights, not "Relay".
 

Author Comment

by:tvacc
ID: 22600800
How can I tell exactly what emails the Administrator is sending? There isn't anything in his sent folder. Is there a log somewhere to look through for sent messages? Must be huge if so...
 

Author Comment

by:tvacc
ID: 22600810
Also, if there is a virus, then wouldn't it need to reside on the server itself (since Administrator is sending out the emails)? If it were on one of the employee's machines, then their username would be sending out all the bad emails, correct?
 
LVL 3

Expert Comment

by:nlcafe
ID: 22600832
Not really. Try this:

wireshark.org

Run that for an hour and find the IP sending all the packets.
 
LVL 12

Expert Comment

by:bhnmi
ID: 22600897
If you have the smtp transport logs enabled you can parse through them and look for the offending messages.
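As an added example (not code from this thread or from Exchange), here is how the "parse through the transport logs" suggestion can be done. The sample lines are constructed, and their column layout is an assumption modelled on the W3C extended format the Windows SMTP service writes when protocol logging is enabled; the parser reads the column names from the `#Fields:` header, so it follows whatever layout a real log declares. The point of the summary is the pattern the poster is chasing: one account (here "Administrator") submitting far more MAIL FROM commands than anyone else, and doing it from several unrelated client addresses, which is what a compromised password looks like in the log.

```python
"""Summarise who is submitting outbound mail, from an SMTP protocol log (W3C extended format)."""
from collections import Counter, defaultdict

# Constructed sample (assumption): field layout modelled on the Windows SMTP service's
# protocol log; client and server addresses use documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-09-29 00:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-09-29 08:02:03 192.0.2.10 alice SMTPSVC1 SBSSERVER 198.51.100.5 25 MAIL - +FROM:<alice@example.com> 250 0 53 43 0 SMTP - - - -
2008-09-29 08:02:04 192.0.2.10 alice SMTPSVC1 SBSSERVER 198.51.100.5 25 RCPT - +TO:<bob@example.org> 250 0 53 30 0 SMTP - - - -
2008-09-29 08:02:05 192.0.2.10 alice SMTPSVC1 SBSSERVER 198.51.100.5 25 DATA - - 250 0 122 4097 15 SMTP - - - -
2008-09-29 08:10:00 203.0.113.77 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 MAIL - +FROM:<customer.service@example.com> 250 0 53 57 0 SMTP - - - -
2008-09-29 08:10:01 203.0.113.77 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 RCPT - +TO:<sasha@example.net> 250 0 53 32 0 SMTP - - - -
2008-09-29 08:10:02 203.0.113.77 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 RCPT - +TO:<pavel@example.net> 250 0 53 32 0 SMTP - - - -
2008-09-29 08:10:30 198.51.100.200 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 MAIL - +FROM:<customer.service@example.com> 250 0 53 57 0 SMTP - - - -
2008-09-29 08:10:31 198.51.100.200 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 RCPT - +TO:<olga@example.net> 250 0 53 31 0 SMTP - - - -
2008-09-29 08:11:00 203.0.113.9 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 MAIL - +FROM:<customer.service@example.com> 250 0 53 57 0 SMTP - - - -
2008-09-29 08:11:01 203.0.113.9 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 RCPT - +TO:<ivan@example.net> 250 0 53 31 0 SMTP - - - -
2008-09-29 08:12:00 203.0.113.77 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 MAIL - +FROM:<customer.service@example.com> 250 0 53 57 0 SMTP - - - -
2008-09-29 08:12:01 203.0.113.77 Administrator SMTPSVC1 SBSSERVER 198.51.100.5 25 RCPT - +TO:<dasha@example.net> 250 0 53 32 0 SMTP - - - -
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip anything that does not match the declared layout
        yield dict(zip(fields, values))


def summarize(text, mail_threshold=3):
    """Count MAIL FROM and RCPT TO commands per authenticated user and per client IP.

    Users whose MAIL count exceeds mail_threshold are returned under "flagged" together
    with the sorted list of client IPs they authenticated from.  One account submitting
    from many unrelated addresses is the signature of a leaked password, not a bot on
    a single workstation.
    """
    mail_by_user = Counter()
    mail_by_ip = Counter()
    rcpt_by_user = Counter()
    ips_by_user = defaultdict(set)
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if rec["cs-method"] == "MAIL":
            mail_by_user[user] += 1
            mail_by_ip[rec["c-ip"]] += 1
            ips_by_user[user].add(rec["c-ip"])
        elif rec["cs-method"] == "RCPT":
            rcpt_by_user[user] += 1
    flagged = {u: sorted(ips_by_user[u]) for u, n in mail_by_user.items() if n > mail_threshold}
    return {
        "mail_by_user": dict(mail_by_user),
        "mail_by_ip": dict(mail_by_ip),
        "rcpt_by_user": dict(rcpt_by_user),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user, ips in report["flagged"].items():
        print("%s: %d messages, %d recipients, from %d client IPs: %s" % (
            user, report["mail_by_user"][user], report["rcpt_by_user"][user], len(ips), ", ".join(ips)))
```

Run it against a day's log with a threshold that makes sense for your user count; the client IPs on the flagged account are what you compare against your own office and ISP ranges.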
 
LVL 25

Assisted Solution

by:kieran_b
kieran_b earned 500 total points
ID: 22600913
>>"Allow all computers that authenticate to relay, regardless of the above" IS checked

Untick that - and change the administrator password.

To check to see what the administrator account is sending, have a look in the queues
 

Author Comment

by:tvacc
ID: 22601483
"Change the administrator password"

- Do you think it has been compromised?
 
LVL 25

Expert Comment

by:kieran_b
ID: 22601514
I can't be sure until you check the queues.
 

Author Comment

by:tvacc
ID: 22603218
Okay, I unchecked the above. Thanks.

This is what my queues window looks like (jpg attached)...what are the ones at the bottom?

In my Virtual SMTP sessions, I see a bunch of different ip addresses whenever I refresh it. Normal? Is this incoming mail or someone connecting to send?
queues.jpg
 
LVL 25

Expert Comment

by:kieran_b
ID: 22603501
Right click on one with messages - find messages - find now - then post that in a screeny
 

Author Comment

by:tvacc
ID: 22631809
When I right click on a queue with messages, they are all coming from "Postmaster@<ourdomain>.com" where <ourdomain> is obviously our domain name. No other info that looks important.

Another weird thing I found out today - one of our users (and only one user) said that they suddenly received a ridiculous amount of spam email today from "Administrator@<ourdomain>.com" with various "Undeliverable: <various spam messages>". There were so many of them coming in that she couldn't read her email.
 

Author Comment

by:tvacc
ID: 22631929
Also, I have a whole new list under the queue (similar to the above screen shot). All domains I don't recognize/trust. All sending to suspicious/vulgar email addresses. Subjects are "hidden" it says.

If I click "Current Sessions" under "Default SMTP Virtual Server", there are various sessions currently active from addresses that sound more than a little fishy. For instance, "ip-091-086-101-092.pools.atnet.ru" with ip address "92.101.86.91" has been connected for almost 600 seconds. There are various other ones, all foreign domain extensions (.fr, .it, etc).

What's going on...this is more than a little strange...
 

Author Comment

by:tvacc
ID: 22631948
I should also note that the user who is getting these near-constant "Administrator: Undeliverable <whatever>" messages seems to be getting them in response to the recipient not being available/does not exist.

I'm doing a virus scan on her computer now. Maybe something will turn up?
 

Author Comment

by:tvacc
ID: 22631971
Here is an example of an email she will get back. I removed the domain and replaced it with <domain>. She is the only one getting these and it definitely seems to be connected to my problem:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  sasha@ipotekanow.ru
    retry time not reached for any host after a long failure period

------ This is a copy of the message, including all the headers. ------

Return-path: <customer.service@<domain>.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@<domain>.com>)
      id 1KlfgE-0004Gk-UJ
      for sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@<domain>.com>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

3

--------------------------------------

Notice it says from: dalston huntley <customer.service@<domain>.com>

That's not the correct name, but it is the correct address that gets delivered to this mailbox.
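As an added example (not something posted in this thread), here is the check worth running on a bounce like the one above before assuming your own server sent the original. The message copy inside the NDR carries a Received header written by the server that rejected it, and that header names the host that actually handed the message over. The sample is the bounce quoted above with `<domain>` replaced by example.com and the recipient moved to example.net (both assumptions); the `92.113.210.248` / `ukrtel.net` hop and the `h4.dreamsee.org` receiver are as quoted. If the injecting IP is not one of your public addresses, your server never touched the message and the bounce is backscatter from a forged sender address.

```python
"""Decide from a bounce (NDR) whether our server sent the original or a third party forged our address."""
import email
import re

# Constructed sample (assumption): the bounce quoted in the thread, with our domain set to
# example.com and the failed recipient moved to the documentation domain example.net.
SAMPLE_NDR = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  sasha@example.net
    retry time not reached for any host after a long failure period

------ This is a copy of the message, including all the headers. ------

Return-path: <customer.service@example.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@example.com>)
      id 1KlfgE-0004Gk-UJ
      for sasha@example.net; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@example.com>
To: <sasha@example.net>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2720.3000

3

--------------------------------------
"""

# Marker line that Exim-style bounces put in front of the copied original message.
COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"


def original_message(ndr_text):
    """Return the copied original message as an email.message.Message, or None if absent."""
    _head, sep, tail = ndr_text.partition(COPY_MARKER)
    if not sep:
        return None
    return email.message_from_string(tail.lstrip("\n"))


def first_hop(msg):
    """Pull the injecting IP, its HELO name and the receiving host out of the Received header.

    The copy inside a bounce normally has exactly one Received line: the one added by the
    server that then refused delivery.  Folded continuation lines are kept in the value,
    so the patterns are matched across newlines.
    """
    received = msg.get("Received", "")
    ip = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    helo = re.search(r"helo=([^\s)]+)", received)
    by = re.search(r"\bby\s+(\S+)", received)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "receiving_host": by.group(1) if by else None,
    }


def classify(ndr_text, our_domain, our_public_ips):
    """Label a bounce: sent by us, forged with our address, or not about us at all."""
    msg = original_message(ndr_text)
    if msg is None:
        return "not-a-bounce-copy"
    return_path = (msg.get("Return-path") or "").strip("<> ")
    if not return_path.lower().endswith("@" + our_domain.lower()):
        return "not-our-sender"
    if first_hop(msg)["ip"] in our_public_ips:
        return "sent-by-our-server"
    return "forged-sender-backscatter"


if __name__ == "__main__":
    hop = first_hop(original_message(SAMPLE_NDR))
    print("injected from %(ip)s (helo=%(helo)s) into %(receiving_host)s" % hop)
    print(classify(SAMPLE_NDR, "example.com", ["198.51.100.5"]))  # 198.51.100.5 is our assumed public IP
```

The verdict depends on the list of your own public addresses being complete (include the ISP smarthost if it rewrites the first hop); a host you do not recognise in that first Received line is the whole story.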
 
LVL 25

Accepted Solution

by:kieran_b
kieran_b earned 500 total points
ID: 22632694
You have two problems - you are an NDR bouncer, meaning those connections on SMTP are sending random crap to random addresses, pretending to be from external senders which you are bouncing out - fix that here -> http://www.amset.info/exchange/filter-unknown.asp

Other than that, the NDRs that you are RECEIVING (not sending like above) are not easy to stop - it is not caused by you, it is just the way it goes.

I doubt there is a virus on your network at all.
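To make the accepted answer concrete, here is an added toy model of the RCPT TO decision (constructed for this thread; it is not Exchange code, and the reply texts and the `example.com` mailbox list are assumptions). Without recipient filtering the server says 250 to any address at its own domain, only discovers after DATA that the mailbox does not exist, and the one party it can tell is the envelope sender, which for this kind of traffic is a forged address belonging to someone else. With filtering on, the unknown recipient is refused with 550 inside the session and no NDR is ever generated. The same function also shows the relay decision, since an address outside the local domain from an unauthenticated session is refused outright.

```python
"""Toy model of an inbound SMTP server's RCPT TO decision, with and without recipient filtering."""


class InboundSmtpServer:
    """Minimal recipient-handling model (constructed example, not Exchange's implementation)."""

    def __init__(self, domain, mailboxes, recipient_filtering):
        self.domain = domain.lower()
        self.mailboxes = {m.lower() for m in mailboxes}  # local addresses that really exist
        self.recipient_filtering = recipient_filtering
        self.outbound_ndrs = []  # bounces this server would send out to the envelope sender

    def rcpt_to(self, address, authenticated=False):
        """Reply to RCPT TO.  Non-local addresses relay only for authenticated sessions."""
        address = address.lower()
        if not address.endswith("@" + self.domain):
            return "250 2.1.5 Recipient OK" if authenticated else "550 5.7.1 Unable to relay"
        if address in self.mailboxes:
            return "250 2.1.5 Recipient OK"
        if self.recipient_filtering:
            return "550 5.1.1 User unknown"  # refused in-session; the sender hears it directly
        return "250 2.1.5 Recipient OK"  # accepted blindly; the failure surfaces after DATA

    def deliver(self, envelope_from, rcpt, authenticated=False):
        """Run one message through the session; return the (command, reply) transcript."""
        transcript = [("MAIL FROM:<%s>" % envelope_from, "250 2.1.0 Sender OK")]
        reply = self.rcpt_to(rcpt, authenticated)
        transcript.append(("RCPT TO:<%s>" % rcpt, reply))
        if reply.startswith("5"):
            return transcript  # nothing was accepted, so there is nothing to bounce
        transcript.append(("DATA", "250 2.6.0 Queued"))
        if rcpt.lower().endswith("@" + self.domain) and rcpt.lower() not in self.mailboxes:
            # Post-acceptance failure: the only address we can notify is the envelope sender,
            # which for spam is forged.  This is the NDR that lands in a stranger's inbox.
            self.outbound_ndrs.append({"to": envelope_from, "failed_recipient": rcpt})
        return transcript


def run_spam_burst(recipient_filtering, forged_sender, count):
    """Simulate `count` messages to non-existent local users, all claiming a forged sender."""
    server = InboundSmtpServer("example.com", ["alice@example.com"], recipient_filtering)
    for i in range(count):
        server.deliver(forged_sender, "user%d@example.com" % i)
    return server


if __name__ == "__main__":
    for filtering in (False, True):
        server = run_spam_burst(filtering, "victim@example.org", 100)
        print("recipient filtering %s: %d NDRs sent to victim@example.org"
              % ("on" if filtering else "off", len(server.outbound_ndrs)))
```

The victim in this model is whoever's address was forged; in the thread that is the one user drowning in "Undeliverable" messages from other people's servers, which is why the answer says those incoming NDRs cannot be stopped from your side, only the ones you generate.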
 

Author Comment

by:tvacc
ID: 22640045
Thanks. Points awarded.