tvacc asked:

Windows SBS 2003 open relay?

Okay, confusing situation here with a possible open-relay. Here's the situation:

I have a SBS 2003 server running Exchange 2003. All of our outgoing mail is sent through a smarthost (smtp connector is configured to send through our isp's mail server).

All of a sudden today our emails are getting bounced back and I called our ISP to figure out if we were blocked for some reason. They say that they think we're blocked due to sending out more than 1000 emails in a day or hour, whichever comes first. I say that's probably not possible, so I take a look at the usage logs on our SBS 2003 server. Administrator has sent over 7000 emails to external addresses in the past day.

So, I run the Connect to the Internet wizard to see if that fixes any possible open-relay issue. It completes successfully.

I check the following sites with the following results:

mxtoolbox.com: NOT an open relay
dnsgoodies.com: YES I am an open relay
http://verify.abuse.net/cgi-bin/relaytest: First 7 tests say NO, but the last test says YES I am an open-relay.
dnsstuff.com: NOT an open-relay

So what's going on? I need to get this resolved ASAP and I'm confused as to what's even going on.
bhnmi:

Have you looked at the settings on the smtp virtual server yet? What are the authentication settings and relay settings? Also, if you don't mind list your mail server.
kieran_b:
What emails is the administrator account sending - are they NDR bounces or actual spam?
Add an Open Relay filter to your config.
Vamsoft ORF is one candidate.

dnsgoodies.com: YES I am an open relay - Mine says the same, but I am not an open relay. Could you have a virus somewhere?

You have to test it from a different environment and using different email addresses.  Try this:

http://www.cyberciti.biz/tips/test-mail-server-for-an-open-relay.html
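The manual telnet-style relay test the linked page describes, written out as a script. This is an added example, not code from the thread or from any of the test sites mentioned; the host name, mailbox and domains are placeholders you replace with ones you control. Beyond the plain external recipient it also tries the "percent hack", source-route and quoted-local-part spellings that some online testers include, which is one reason two testers can disagree about the same server: an MTA may refuse the plain form yet route one of the rewritten forms out.

```python
"""Open-relay probe: ask a mail server to accept mail for a recipient that is
not local to it, from a sender that is not local to it either.

Added example (not from the original thread).  A 250 on RCPT TO in that
situation means the server has agreed to relay.  Only DATA would actually
send anything, and this script never issues DATA.  Never probe hosts you do
not own or have permission to test.
"""
import smtplib
from typing import Dict, List, Tuple

# Placeholders (assumptions): the public MX of the SBS box, a mailbox you
# control, and a second domain you also control for the external side.
TARGET_HOST = "mail.example.com"
PROBE_USER = "relaytest"
EXTERNAL_DOMAIN = "example.net"


def relay_recipient_forms(user: str, ext_domain: str, local_host: str) -> List[Tuple[str, str]]:
    """Recipient spellings a relay tester tries.  The first is the plain
    case; the rest are address-rewriting tricks that an MTA may still route
    outward even when it rejects the plain form."""
    return [
        ("plain",        f"{user}@{ext_domain}"),
        ("percent-hack", f"{user}%{ext_domain}@{local_host}"),
        ("source-route", f"@{local_host}:{user}@{ext_domain}"),
        ("quoted-local", f'"{user}@{ext_domain}"@{local_host}'),
    ]


def classify(rcpt_results: Dict[str, int]) -> Dict[str, bool]:
    """Map each recipient form to True when the server accepted it.
    2xx = the MTA agreed to deliver (relay); 5xx = refused; 4xx = temporary
    deferral, which is not counted as relaying."""
    return {form: 200 <= code < 300 for form, code in rcpt_results.items()}


def probe(host: str = TARGET_HOST, port: int = 25, timeout: float = 20.0) -> Dict[str, int]:
    """Network part: talk SMTP to `host` and record the RCPT TO reply code
    for each recipient form.  Sender and recipients are both external to
    `host`; that is what makes a 250 on RCPT a relay."""
    sender = f"{PROBE_USER}@{EXTERNAL_DOMAIN}"
    results: Dict[str, int] = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for form, rcpt in relay_recipient_forms(PROBE_USER, EXTERNAL_DOMAIN, host):
            smtp.rset()                       # fresh envelope for each attempt
            code, _ = smtp.docmd("MAIL", f"FROM:<{sender}>")
            if code != 250:
                results[form] = code          # server refused the sender outright
                continue
            code, _ = smtp.docmd("RCPT", f"TO:<{rcpt}>")
            results[form] = code
        smtp.rset()                           # abandon the envelope; never DATA
    return results


if __name__ == "__main__":
    codes = probe()
    for form, relayed in classify(codes).items():
        print(f"{form:13s} RCPT -> {codes[form]}  {'OPEN RELAY' if relayed else 'refused'}")
```

Run it from outside your own network (a home connection or a cloud VM), since anything on the LAN or the server itself is in the relay list and would be allowed through by design. If only the rewritten forms come back 250, that is the "7 say no, the last says yes" pattern.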

tvacc (asker):
My relay settings are set to allow the following: <ip address of the exchange server> and <localhost> (127.0.0.1). "Allow all computers that authenticate to relay, regardless of the above" IS checked.

Under "Connection Control", it is set to "Allow all except the list below" and there is nothing listed below.

Under "Authentication", the following are checked:
- Anonymous Access
- Basic Authentication (password is sent in clear text)
- Integrated Windows Authentication

Are NOT checked:
- Resolve Anonymous Email
- Require TLS encryption

Default domain textbox is left BLANK.

When I click the "Users" button in "Authentication", "Authenticated Users" are given "Submit" rights, not "Relay".
tvacc (asker):
How can I tell exactly what emails the Administrator is sending? There isn't anything in his sent folder. Is there a log somewhere to look through for sent messages? Must be huge if so...
tvacc (asker):
Also, if there is a virus, then wouldn't it need to reside on the server itself (since Administrator is sending out the emails)? If it were on one of the employee's machines, then their username would be sending out all the bad emails, correct?
Not really. Try this:

wireshark.org

Run that for an hour and find the IP sending all the packets.
If you have the smtp transport logs enabled you can parse through them and look for the offending messages.
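One way to parse the SMTP virtual server's protocol log, as an added example that is not part of the thread. The Exchange 2003 / IIS SMTP service writes W3C extended format when logging is enabled; the column layout is read from the file's own #Fields header, so the parser adapts to the real file. The log lines below are constructed to resemble that format (the IPs, host names and the way the authenticated account appears in cs-username are assumptions, not real data). The point it shows is that, with the relay list restricted to the server itself as described in the thread, a remote address that gets 250 on RCPT TO for an external recipient must have authenticated first, and the log tells you which account it used.

```python
"""Summarise an IIS / Exchange 2003 SMTP protocol log (W3C extended format)
per client IP: did it authenticate, as whom, and how much did it relay?

Added example, not from the thread.  Reply 235 = authentication succeeded,
250 on RCPT = recipient accepted.  The sample log is constructed; the
column layout is taken from the #Fields line so the real file works too.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

LOCAL_DOMAIN = "ourdomain.com"   # assumed: the domain the server hosts

# Constructed sample (not real data): one LAN workstation sending internal
# mail, and one outside pool address that authenticates and relays outward.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-10-03 08:00:01 10.0.0.21 WKSTN01 SMTPSVC1 SBS 10.0.0.5 0 EHLO - +WKSTN01 250 0 0 0 0 SMTP - - - -
2008-10-03 08:00:01 10.0.0.21 WKSTN01 SMTPSVC1 SBS 10.0.0.5 0 MAIL - +FROM:<jane@ourdomain.com> 250 0 0 0 0 SMTP - - - -
2008-10-03 08:00:01 10.0.0.21 WKSTN01 SMTPSVC1 SBS 10.0.0.5 0 RCPT - +TO:<bob@ourdomain.com> 250 0 0 0 0 SMTP - - - -
2008-10-03 08:01:10 203.0.113.77 pool-77.isp.example SMTPSVC1 SBS 10.0.0.5 0 EHLO - +pool-77.isp.example 250 0 0 0 0 SMTP - - - -
2008-10-03 08:01:10 203.0.113.77 pool-77.isp.example SMTPSVC1 SBS 10.0.0.5 0 AUTH - +LOGIN 334 0 0 0 0 SMTP - - - -
2008-10-03 08:01:11 203.0.113.77 administrator SMTPSVC1 SBS 10.0.0.5 0 - - - 235 0 0 0 0 SMTP - - - -
2008-10-03 08:01:11 203.0.113.77 administrator SMTPSVC1 SBS 10.0.0.5 0 MAIL - +FROM:<customer.service@ourdomain.com> 250 0 0 0 0 SMTP - - - -
2008-10-03 08:01:11 203.0.113.77 administrator SMTPSVC1 SBS 10.0.0.5 0 RCPT - +TO:<sasha@ipotekanow.ru> 250 0 0 0 0 SMTP - - - -
2008-10-03 08:01:11 203.0.113.77 administrator SMTPSVC1 SBS 10.0.0.5 0 RCPT - +TO:<ivan@example.ru> 250 0 0 0 0 SMTP - - - -
2008-10-03 08:01:12 203.0.113.77 administrator SMTPSVC1 SBS 10.0.0.5 0 RCPT - +TO:<pierre@example.fr> 250 0 0 0 0 SMTP - - - -
2008-10-03 08:01:12 203.0.113.77 administrator SMTPSVC1 SBS 10.0.0.5 0 DATA - - 250 0 0 0 0 SMTP - - - -
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for what follows
            continue
        if line.startswith("#"):
            continue                           # other directives
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # malformed line: skip, don't mis-assign
        records.append(dict(zip(fields, values)))
    return records


def _addr(query: str) -> str:
    """Pull the address out of '+FROM:<a@b>' / '+TO:<a@b>'."""
    start, end = query.find("<"), query.find(">")
    return query[start + 1:end] if start != -1 and end > start else query.lstrip("+")


def summarise(records: List[Dict[str, str]], local_domain: str = LOCAL_DOMAIN) -> Dict[str, dict]:
    """Per client IP: authentication outcome, account used, recipients
    accepted, and how many of those were outside our domain (i.e. relayed)."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {
        "authenticated": False, "auth_user": None,
        "rcpt_total": 0, "rcpt_external": 0, "senders": set(),
    })
    for r in records:
        s = per_ip[r["c-ip"]]
        method, query, status = r["cs-method"], r["cs-uri-query"], r["sc-status"]
        if status == "235":
            s["authenticated"] = True
            s["auth_user"] = r["cs-username"]  # assumed: account name logged here after AUTH
        if method == "MAIL":
            s["senders"].add(_addr(query))
        elif method == "RCPT" and status == "250":
            s["rcpt_total"] += 1
            if not _addr(query).lower().endswith("@" + local_domain):
                s["rcpt_external"] += 1
    return dict(per_ip)


def suspects(summary: Dict[str, dict]) -> List[str]:
    """IPs that got external recipients accepted.  With relay restricted to
    the server itself, an outside IP can only do that after authenticating,
    so any entry here is a stolen or guessed password."""
    return sorted(ip for ip, s in summary.items() if s["rcpt_external"] > 0)


if __name__ == "__main__":
    summary = summarise(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip in suspects(summary):
        s = summary[ip]
        print(f"{ip}: auth={s['authenticated']} as {s['auth_user']}, "
              f"{s['rcpt_external']}/{s['rcpt_total']} recipients external, "
              f"senders={sorted(s['senders'])}")
```

Point it at the real log directory (the SMTP virtual server's logging properties show the path) and sort the output by rcpt_external; the account named in auth_user is the one whose password needs changing, and the IPs listed are what to block at the firewall while you do it.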
SOLUTION by kieran_b (text not included in this copy)
tvacc (asker):
"Change the administrator password"

- Do you think it has been compromised?
I can't be sure until you check the queues.
tvacc (asker):
Okay, I unchecked the above. Thanks.

This is what my queues window looks like (jpg attached)...what are the ones at the bottom?

In my Virtual SMTP sessions, I see a bunch of different ip addresses whenever I refresh it. Normal? Is this incoming mail or someone connecting to send?
(attachment: queues.jpg)
Right click on one with messages - find messages - find now - then post that in a screeny
tvacc (asker):
When I right click on a queue with messages, they are all coming from "Postmaster@<ourdomain>.com where <ourdomain> is obviously our domain name. No other info that looks important.

Another weird thing I found out today - one of our users (and only one user) said that they suddenly received a ridiculous amount of spam email today from "Administrator@<ourdomain>.com" with various "Undeliverable: <various spam messages>". There were so many of them coming in that she couldn't read her email.
tvacc (asker):
Also, I have a whole new list under the queue (similar to the above screen shot). All domains I don't recognize/trust. All sending to suspicious/vulgar email addresses. Subjects are "hidden" it says.

If I click "Current Sessions" under "Default SMTP Virtual Server", there are various sessions currently active from addresses that sound more than a little fishy. For instance, "ip-091-086-101-092.pools.atnet.ru" with ip address "92.101.86.91" has been connected for almost 600 seconds. There are various other ones, all foreign domain extensions (.fr, .it, etc).

What's going on...this is more than a little strange...
tvacc (asker):
I should also note that the user who is getting these near-constant "Administrator: Undeliverable <whatever>" messages seems to be getting them in response to the recipient not being available/does not exist.

I'm doing a virus scan on her computer now. Maybe something will turn up?
tvacc (asker):
Here is an example of an email she will get back. I removed the domain and replaced it with <domain>. She is the only one getting these and it definitely seems to be connected to my problem:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  sasha@ipotekanow.ru
    retry time not reached for any host after a long failure period

------ This is a copy of the message, including all the headers. ------

Return-path: <customer.service@<domain>.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@<domain>.com>)
      id 1KlfgE-0004Gk-UJ
      for sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@<domain>.com>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

3

--------------------------------------

Notice it says from: dalston huntley <customer.service@<domain>.com>

That's not the correct name, but it is the correct address that gets delivered to this mailbox.
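The From: line of a message says nothing about where it came from; the Received: headers do. Here is an added example (not code from the thread) that walks the Received: chain of the bounce copy posted above and reports the hop where the message entered the mail system and whether our own server appears anywhere in that chain. The redacted domain is filled in with the placeholder ourdomain.com, and the name of our server is an assumption; apart from that the sample is the posted bounce. The same function works on any message with several Received: headers, reading them newest-first as mail software adds them.

```python
"""Find the true origin of a message from its Received: headers.

Added example, not from the thread.  Each MTA prepends a Received: header,
so the LAST one is the first hop; the IP in its "from [...]" clause is the
machine that injected the message.  A hop "by" one of our own hosts would
show the message actually passed through our server; its absence shows it
did not, whatever From: and Return-path claim.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

OUR_HOSTS = ("ourdomain.com",)   # assumed: suffix of our own mail server name(s)

# The bounce copy posted in the thread, with <domain> replaced by a placeholder.
SAMPLE_BOUNCE_COPY = """\
Return-path: <customer.service@ourdomain.com>
Received: from [92.113.210.248] (helo=248-210-113-92.pool.ukrtel.net)
      by h4.dreamsee.org with esmtp (Exim 4.69)
      (envelope-from <customer.service@ourdomain.com>)
      id 1KlfgE-0004Gk-UJ
      for sasha@ipotekanow.ru; Fri, 03 Oct 2008 12:06:31 +0400
Message-ID: <000401c9252e$03c628b5$87fb9ab6@ltcabe>
From: "dalston huntley" <customer.service@ourdomain.com>
To: <sasha@ipotekanow.ru>
Subject: 3
Date: Fri, 03 Oct 2008 06:17:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2720.3000

3
"""

# "from <name> (<comment>) ... by <host>"; the comment usually carries the
# HELO name and/or the connecting IP.  DOTALL because headers are folded.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def hops(msg: Message) -> List[Tuple[str, Optional[str], str]]:
    """(from_token, from_ip, by_host) per Received: header, oldest hop first,
    i.e. in the order the message actually travelled."""
    out: List[Tuple[str, Optional[str], str]] = []
    for value in reversed(msg.get_all("Received", [])):
        m = _RECEIVED_RE.search(str(value))
        if not m:
            continue                                   # unparseable hop: skip it
        ip = _IP_RE.search(m.group("from") + " " + (m.group("paren") or ""))
        out.append((m.group("from").strip("[]"), ip.group(1) if ip else None, m.group("by")))
    return out


def origin_ip(msg: Message) -> Optional[str]:
    """IP of the machine that injected the message, if the first hop recorded one."""
    chain = hops(msg)
    return chain[0][1] if chain else None


def passed_through(msg: Message, our_hosts: Tuple[str, ...] = OUR_HOSTS) -> bool:
    """True if some hop was received BY one of our hosts, i.e. our server
    handled the message rather than merely being named in From:."""
    return any(by.lower().endswith(our_hosts) for _, _, by in hops(msg))


if __name__ == "__main__":
    msg = message_from_string(SAMPLE_BOUNCE_COPY)
    for frm, ip, by in hops(msg):
        print(f"from {frm} [{ip}] by {by}")
    print("origin:", origin_ip(msg), "| via our server:", passed_through(msg))
```

On the posted bounce the only hop is from the ukrtel.net pool address straight into h4.dreamsee.org; our server is not in the chain, so this particular message was sent by that remote machine with our address forged in From:, and the "Undeliverable" mail landing in the mailbox is the remote server bouncing it back to the forged sender.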
ASKER CERTIFIED SOLUTION (text not included in this copy)
tvacc (asker):
Thanks. Points awarded.