enlightenedinc

asked on

Exchange is generating a lot of NDRs from PostMaster@domain.com

The Exchange queue is getting filled up with a lot of NDRs from postmaster@domain.com. How can I stop these from generating?
tigermatt


They are most likely being generated by people attempting to relay mail through your server, or someone attempting to guess and determine what email addresses exist on your email domain.

You should enable both Recipient Filtering and Tarpitting as per http://www.amset.info/exchange/filter-unknown.asp. This will mean any emails destined for an email address your server is not responsible for will be dropped before an NDR can be sent, and the tarpitting increases the time it would take for a spammer to guess the addresses on your network.

Some people would say to disable NDRs. This is NOT an option and NDRs must not be disabled to keep your server in conformance with the SMTP RFCs.

-tigermatt
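The mechanism tigermatt describes, as an added example that is not part of this thread and not Exchange's own code: a small Python model of the RCPT TO decision an inbound SMTP virtual server makes. LOCAL_DOMAINS, KNOWN_RECIPIENTS, the 0.2 s tarpit and the reuse of the forged walmart.com sender are assumptions for the demo. It shows that with recipient filtering on, an unknown local user is refused inside the session (550 5.1.1), so no NDR is ever built; that a foreign recipient from an unauthenticated client gets 550 5.7.1; and how timing a RCPT TO, the same way a telnet test would, tells you whether the tarpit is actually active.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List

# Assumptions for the demo: the domain this server accepts mail for and the
# addresses that exist in its directory (what recipient filtering checks).
LOCAL_DOMAINS = {"domain.com"}
KNOWN_RECIPIENTS = {"alice@domain.com", "bob@domain.com"}
POSTMASTER = "postmaster@domain.com"


@dataclass
class SmtpVirtualServer:
    recipient_filtering: bool = True   # "Filter recipients who are not in the Directory"
    tarpit_seconds: float = 0.0        # TarpitTime: delay before a 5.x.x reply to RCPT TO
    sleep: Callable[[float], None] = time.sleep   # injectable so a test need not wait
    ndrs: List[dict] = field(default_factory=list)  # NDRs this server would have to send

    def _reject(self, code, enhanced, text):
        # Tarpitting bites here: every 5.x.x answer to RCPT TO costs the sender
        # tarpit_seconds, so an address-guessing loop slows to a crawl.
        if self.tarpit_seconds > 0:
            self.sleep(self.tarpit_seconds)
        return code, enhanced, text

    def rcpt_to(self, rcpt, authenticated=False):
        """Reply to one RCPT TO on an inbound session."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in LOCAL_DOMAINS:
            if authenticated:
                return 250, "2.1.5", rcpt          # relay only for an authenticated client
            return self._reject(550, "5.7.1", f"Unable to relay for {rcpt}")
        if self.recipient_filtering and rcpt.lower() not in KNOWN_RECIPIENTS:
            return self._reject(550, "5.1.1", "User unknown")
        return 250, "2.1.5", rcpt

    def accept_message(self, mail_from, rcpt, authenticated=False):
        """One message end to end: RCPT verdict, then queue it or owe an NDR."""
        reply = self.rcpt_to(rcpt, authenticated)
        if reply[0] != 250:
            return reply                            # refused in-session: no NDR can exist
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS and rcpt.lower() not in KNOWN_RECIPIENTS:
            # Filtering is off, so the missing mailbox is found only after the
            # message was accepted; the only option left is a bounce to MAIL FROM,
            # and when MAIL FROM was forged that bounce is backscatter.
            self.ndrs.append({"from": POSTMASTER, "to": mail_from, "about": rcpt})
            return 250, "2.6.0", "queued; NDR will follow"
        return 250, "2.6.0", "queued for delivery"


def rcpt_latency(server, rcpt):
    """Time one RCPT TO the way a telnet test would, to confirm the tarpit is active."""
    start = time.perf_counter()
    reply = server.rcpt_to(rcpt)
    return reply, time.perf_counter() - start


if __name__ == "__main__":
    forged = "survey@walmart.com"    # forged sender seen in this thread
    guesses = ("guess1@domain.com", "guess2@domain.com", "guess3@domain.com")

    loose = SmtpVirtualServer(recipient_filtering=False)
    for g in guesses:
        loose.accept_message(forged, g)
    print(f"filtering off: {len(loose.ndrs)} NDRs queued, all addressed to {forged}")

    strict = SmtpVirtualServer(recipient_filtering=True, tarpit_seconds=0.2)
    for g in guesses:
        (code, enh, _), secs = rcpt_latency(strict, g)
        print(f"filtering on : {code} {enh} for {g} after {secs:.2f}s")
    print(f"filtering on : {len(strict.ndrs)} NDRs queued")
```

Run it and compare the two halves of the output: the loose server queues one NDR per guessed address, all addressed to the forged sender, while the strict server's replies arrive tarpit_seconds late and its NDR list stays empty. Against a real server the same latency check is a telnet session and a stopwatch: the reply to RCPT TO for a non-existent local user should arrive roughly TarpitTime seconds after you press Enter, and a reply that comes back instantly means the tarpit is not in effect.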
enlightenedinc

ASKER

The postmaster NDR is trying to send the NDR to either survey@walmart.com or marketing@walmart.com. These are generating a lot of emails to people we do not know. How can I stop it from generating these emails that go out?
In the queue it says the sender is survey@walmart.com. It is trying to send to an unknown domain. Then I get the NDR, or some of the messages actually do show as being delivered successfully.

I do have recipient filtering on and tarpitting. How would I know if tarpitting actually is working?

Also, I have verified my Exchange server is not an open relay.

I think this might be causing another issue I am experiencing.

Another thing, do you know how I can identify if a mailbox or system has been compromised? I have been very unsuccessful in trying to identify the system/mailbox that might have started all of this.

HELP!!!
An easy solution is to enable the SMTP Diag Log on the default SMTP VS and see the result of this relay, and have an SMTP filter.
 
Here are some of the messages from the Event Viewer MSExchangeTransport: NDR
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3022
Date:            10/18/2008
Time:            3:21:21 PM
User:            N/A
Computer:      NLIGHTEXCH
Description:
A non-delivery report with a status code of 5.5.0 was generated for recipient rfc822;debebj@aol.com (Message-ID <NLIGHTEXCHExkiyPoHZ000000a7@mail.domain.com>).  
Cause:  This message indicates a generic protocol error (SMTP error).  For example, the remote SMTP responds to an issued EHLO with a 500 level error and the sending system will QUIT the connection and report this with NDR indicating the remote SMTP server can't handle the protocol.
Solution:  View the SMTP log or run a netmon trace to see why the remote SMTP server rejects the protocol request.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Here is an SMTP Protocol message:
Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7512
Date:            10/18/2008
Time:            3:21:32 PM
User:            N/A
Computer:      NLIGHTEXCH
Description:
The message with ID  <5c41b883$68ddd1bb$7055e0ab@tequil>, P1 From smtp:tequil@libero.it, Subject  Hello, from remote host "servername"   was Rejected/Deleted by Intelligent Message Filter. This is an informational event and does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

This is one of the messages from the email address with walmart.com (this is causing a big problem):
Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            10/18/2008
Time:            3:16:00 PM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #5402. The remote host "64.136.52.37", responded to the SMTP command "mail" with "550 Access denied...1e203d6dcd6db5207919559d64e48565e4510100712575493074d594d044a17d217da134f4a47d9dbdd4cd7d...  ". The full command sent was "MAIL FROM:<survey@walmart.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Also, is there a way to determine who or what (machine or mailbox) started this?
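One way to triage the event log entries above, as an added example that is not code from this thread or from Exchange: a Python parser for the MSExchangeTransport 7002/7004 (SMTP Protocol), 3022/3030 (NDR) and 7512 (IMF) descriptions. The sample descriptions are copied from the event entries quoted in this thread; the local-domain set is an assumption. The point it makes explicit is the direction of the 7004 event: the remote host answered a command this server sent, so `MAIL FROM:<survey@walmart.com>` is outbound mail that this server had already accepted from somewhere and was trying to deliver, not an inbound probe.

```python
import re
from collections import Counter

# 7002/7004: The remote host "X", responded to the SMTP command "mail" with "550 ...".
#            The full command sent was "MAIL FROM:<...>  ".
PROTOCOL_RE = re.compile(
    r'remote host "(?P<host>[^"]+)", responded to the SMTP command "(?P<cmd>\w+)" '
    r'with "(?P<code>\d{3})(?P<reply>[^"]*)"\.\s+The full command sent was "(?P<full>[^"]*)"'
)
# 3022/3030: A non-delivery report with a status code of 5.5.0 was generated for recipient rfc822;...
NDR_RE = re.compile(
    r'non-delivery report with a status code of (?P<status>[\d.]+) was generated '
    r'for recipient rfc822;(?P<rcpt>\S+) \(Message-ID (?P<msgid><[^>]+>)\)'
)
# 7512: ... P1 From smtp:..., Subject ... was Rejected/Deleted by Intelligent Message Filter.
IMF_RE = re.compile(r'P1 From smtp:(?P<sender>[^,\s]+).*Rejected/Deleted by Intelligent Message Filter')
ANGLE_RE = re.compile(r'<([^>]*)>')


def parse_event(event_id, description):
    """Classify one event description into a dict keyed by 'kind'."""
    m = PROTOCOL_RE.search(description)
    if m:
        # Direction matters: the remote host answered a command THIS server sent,
        # so the event records an outbound delivery attempt that the far end refused.
        addr = ANGLE_RE.search(m["full"])
        return {"kind": "outbound_reply", "event_id": event_id, "host": m["host"],
                "command": m["cmd"].upper(), "code": int(m["code"]),
                "reply": m["reply"].strip(), "address": addr.group(1) if addr else ""}
    m = NDR_RE.search(description)
    if m:
        # This server built an NDR; its recipient is the original MAIL FROM, so a
        # forged sender there means the server is emitting backscatter.
        return {"kind": "ndr", "event_id": event_id, "status": m["status"],
                "recipient": m["rcpt"], "message_id": m["msgid"]}
    m = IMF_RE.search(description)
    if m:
        return {"kind": "imf_reject", "event_id": event_id, "sender": m["sender"]}
    return {"kind": "other", "event_id": event_id}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def summarize(events, local_domains):
    """Aggregate parsed events into the counts that answer 'who started this?'."""
    out = {"foreign_senders": Counter(),    # outbound MAIL FROM that is neither ours nor <>
           "null_sender_outbound": 0,       # outbound MAIL FROM:<>: bounces this server sends
           "rejecting_hosts": Counter(),    # (remote host, reply code) on outbound attempts
           "ndr_recipients": Counter(),     # who this server's NDRs are addressed to
           "imf_rejected_senders": Counter()}
    for ev in events:
        if ev["kind"] == "outbound_reply":
            out["rejecting_hosts"][(ev["host"], ev["code"])] += 1
            if ev["command"] == "MAIL":
                if ev["address"] == "":
                    out["null_sender_outbound"] += 1
                elif domain_of(ev["address"]) not in local_domains:
                    out["foreign_senders"][ev["address"]] += 1
        elif ev["kind"] == "ndr":
            out["ndr_recipients"][ev["recipient"]] += 1
        elif ev["kind"] == "imf_reject":
            out["imf_rejected_senders"][ev["sender"]] += 1
    return out


def findings(summary, local_domains):
    """Reduce the counts to the two conclusions that matter for this incident."""
    notes = []
    if summary["foreign_senders"]:
        # Mail is leaving with a sender that is not ours: something got it accepted here.
        notes.append("relay_or_compromised_submission")
    if any(domain_of(r) not in local_domains for r in summary["ndr_recipients"]):
        notes.append("ndrs_to_external_recipients")
    return notes


# Descriptions copied from the event log entries quoted in this thread.
SAMPLE_EVENTS = [
    (7004, 'This is an SMTP protocol error log for virtual server ID 1, connection #5402. '
           'The remote host "64.136.52.37", responded to the SMTP command "mail" with "550 Access denied...'
           '1e203d6dcd6db5207919559d64e48565e4510100712575493074d594d044a17d217da134f4a47d9dbdd4cd7d...  ". '
           'The full command sent was "MAIL FROM:<survey@walmart.com>  ".  This will probably cause the connection to fail.'),
    (3022, 'A non-delivery report with a status code of 5.5.0 was generated for recipient rfc822;debebj@aol.com '
           '(Message-ID <NLIGHTEXCHExkiyPoHZ000000a7@mail.domain.com>).'),
    (7512, 'The message with ID  <5c41b883$68ddd1bb$7055e0ab@tequil>, P1 From smtp:tequil@libero.it, Subject  Hello, '
           'from remote host "servername"   was Rejected/Deleted by Intelligent Message Filter. '
           'This is an informational event and does not indicate an error.'),
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, connection #6290. '
           'The remote host "206.171.125.194", responded to the SMTP command "rcpt" with "450 sorry, no mailbox found by that name. (#4.7.1)  ". '
           'The full command sent was "RCPT TO:<gail@nctimes.net>  ".  This may cause the connection to fail.'),
    (3030, 'A non-delivery report with a status code of 4.0.0 was generated for recipient rfc822;blaise.donhouede@laposte.net '
           '(Message-ID <NLIGHTEXCHRhQdOgl4r00000361@mail.NLIGHTENED.COM>).'),
]

if __name__ == "__main__":
    parsed = [parse_event(i, d) for i, d in SAMPLE_EVENTS]
    summary = summarize(parsed, {"domain.com"})   # assumed local domain
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print("findings:", findings(summary, {"domain.com"}))
```

The same parser works on an export of the Application log (each event's Description field is one input string). What to look at first is `foreign_senders`: a non-null MAIL FROM in a foreign domain on an outbound attempt means the message came in through this server's own submission path, which is what message tracking on the original message (not on the NDR) would then pin to a connecting IP or mailbox.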

Looking at those warning messages it would appear that somebody is trying to spoof the sender of messages as Walmart, and probably relay them through your server. It is incredibly easy to spoof the From address on an email; the fact the sender of the mail appears to be using a 'Juno Online Services' IP address would further indicate this.

The next troubleshooting step I would suggest would be to enable Message Tracking, and actually see where these messages are being sent to. Are they an internal address on your network, or external? http://www.amset.info/exchange/message-tracking.asp

The other step I would like you to take is to perform a manual telnet test to see whether you are indeed an Open Relay. I know you have already confirmed this, but a second clarification wouldn't go amiss. http://www.amset.info/exchange/telnet-test.asp

-tigermatt
OK. The messages are trying to be sent to external addresses from survey@walmart.com or marketing@walmart.com. (See attached file.)

I have confirmed the Exchange server is not an open relay:
mail from:address@testdomain.com
501 5.5.4 Invalid Address
mail from:address@testdomain.com
250 2.1.0 address@testdomain.com....Sender OK
rcpt to:address@anotherdomain.com
550 5.7.1 Unable to relay for address@anotherdomain.com
tracking-message.bmp

Looking at your output from a Telnet Test, these NDRs should not be being generated. The telnet test shows that mail to external servers is being rejected without even being accepted, so no NDRs should be generated by Exchange.

Do you still see the queues fill when all the workstations on the network are switch off?
I cannot switch off all my workstations at the moment.

But around 2 am, my Exchange server lost connection to the Internet due to my ISP going down. I reviewed the logs and saw only a handful of NDRs recorded. There was no other activity for SMTP Protocol. After I got the server back on the Internet, the SMTP Protocol (MSExchangeTransport) errors started up again. Take a look:
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            10/19/2008
Time:            8:51:54 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #6290. The remote host "206.171.125.194", responded to the SMTP command "rcpt" with "450 sorry, no mailbox found by that name. (#4.7.1)  ". The full command sent was "RCPT TO:<gail@nctimes.net>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            10/19/2008
Time:            8:51:45 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #6289. The remote host "216.253.154.120", responded to the SMTP command "rcpt" with "554 cuda_nsu 5.7.1 <iry@nmdi.com>: Relay access denied  ". The full command sent was "RCPT TO:<iry@nmdi.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            10/19/2008
Time:            8:53:42 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #6319. The remote host "206.139.32.1", responded to the SMTP command "rcpt" with "450 4.1.1 <vorlon@pdn.net>: Recipient address rejected: User unknown in local recipient table  ". The full command sent was "RCPT TO:<vorlon@pdn.net>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

(I am getting a lot of the errors listed above.) Currently I have around 1000 entries in the queue. The messages for walmart.com are filling it up to around 20000 messages. I have frozen the majority of these entries to stop them from going out. I have noticed that some invalid messages are being sent.

What should I do?  I do not want our server to be blacklisted.

Thanks

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            10/19/2008
Time:            9:24:56 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
A non-delivery report with a status code of 4.0.0 was generated for recipient rfc822;blaise.donhouede@laposte.net (Message-ID <NLIGHTEXCHRhQdOgl4r00000361@mail.NLIGHTENED.COM>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d1 02 04 c0               Ñ..À    


I'm going to get you to check some of the configuration to see that everything is set properly.

In Exchange System Manager, first check the SMTP Virtual Server. (Servers > <server name> > Protocols > SMTP > Default SMTP Virtual Server. In Properties, go to 'Advanced' and then press Edit. Ensure the Sender, Recipient and Connection Filters are enabled. Press OK twice.

Now go to Access tab > Authentication. You need to have Anonymous Authentication enabled here. If you press the 'Users' button, you should see 'Authenticated Users' is granted ONLY Submit Permission, and all Relay Permissions are unchecked. OK twice.

Back on the 'Access' tab, click 'Connection'. You should have selected 'All but the list below', and then have no entries in the list. Press OK.

Now press the 'Relay' button. The option 'Only the list below' should be selected, and the entries in the Computers list should be blank. The checkbox 'Allow all computers which successfully authenticate to relay' box should be UNCHECKED. On the 'Users' button, you should again see 'Authenticated Users' has ONLY Submit Permission.

Verify again that in Global Settings, Message Delivery, you have Recipient Filtering enabled.

-tigermatt
OK. I had all the settings as you listed except "The checkbox 'Allow all computers which successfully authenticate to relay' box should be UNCHECKED. On the 'Users' button, you should again see 'Authenticated Users' has ONLY Submit Permission."  This was checked. I unchecked it and gave the Authenticated Users group Submit permission.


Can you please explain the purpose for this change?

Thanks

On the Relay section, you have a checkbox 'Allow all computers which successfully authenticate to relay'. I assume at present you have this checked. Essentially what this means is any computer which can successfully authenticate with your server may be able to relay through it. While this is useful in some cases, it is NOT useful on your Default SMTP Virtual Server. This is because this VS has Anonymous Authentication enabled (it must, for internet email to flow in to your mailboxes), so ANY computer can theoretically authenticate anonymously, and with that checkbox checked, those computers will have Relay rights. It must be unchecked at all costs.

As for the Authenticated Users group on the Users tab, they could theoretically have Relay Permissions if they wished, but it is unnecessary. Since nobody should have a POP3/SMTP setup going through the Exchange Server, there is no need to grant relay privileges, and this simply goes back to the old security statement of 'don't give more privileges than someone needs'.

-tigermatt
OK.

By denying access to the relay permissions, will users still be able to pop/smtp using their mobile device?
I presume they are all sending out through this single SMTP connector. By making these changes, you will most likely prevent their Mobile Devices using SMTP to relay through the Exchange Server.

However, you should not have Relay enabled for Anonymous Users anyway, which means unchecking the 'All computers which successfully authenticate' checkbox. However, when you press the Users button, you should be safe leaving the Authenticated Users group with 'Relay' permissions Granted.

Alternatively, a much better approach would be to have a new SMTP Virtual Server configured on a different IP or port number. This VS would have Anonymous Authentication turned off, requiring users to authenticate to relay through it. I won't go into this here though.

-tigermatt
Now, I did run the aqadmcli.exe tool and deleted the survey@walmart.com, marketing@walmart.com and postmaster@mydomain.com messages. After I deleted the email addresses, the NDRs and invalid email messages stopped filling up the queue. I also had to make another change to the Exchange server. My ISP went down, so I had to change the external IP address of the server. But this was before I ran the tool. Do you think they are related or two separate incidents? Thanks

From what you describe it would seem the changing of the external IP address is what is related to the stopping of the queues filling.

The spammer(s) would have found your server by two possible methods. The most likely one is they did a port scan of your external IP block on port 25, and found they were able to relay mail through your server to these external systems. Thus, that IP was noted, and your server ended up being used to send spam.

Alternatively, and much less likely, the spammer used your MX record (mail.domain.com, usually) to determine the IP of your server, and spam you based on that.

If the problem is still there, it will only be a matter of time before someone (or something) detects your server and its new IP, and the same behaviour occurs again.

-tigermatt
So, how can I avoid this from happening again? The external IP is a NAT'd address on my network. How can I avoid the spammers discovering the new IP address? I also have a reverse DNS record configured which points to the server's external IP address. What should I do?
Thanks

You can't do anything to stop them finding you, but what you can do is stop them knocking your server over. You are wide open to the Internet, and you must be in order for you to receive email. Anyone could do a port scan on your IP, but if they figure that your server is secured, they will not even look deeper into it and will just look at the next one.

Matt
What else can I do to make my server even more secure?

We determined the server is not open to relay messages. It is behind a firewall to handle any intrusions. I have a virus protection, malware and spybot software installed. What else should be done? Thanks for all your help.
ASKER CERTIFIED SOLUTION
tigermatt
