MFredin

asked on

Many unknown domains in my Exchange 2003 Outbound Queue

I'm running Exchange Server 2003 on W2K3 Server.  I open System Manager and navigate to Administrative Groups>First Administrator Group>Servers>MYSERVERNAME>Queues.  I have a bunch (50+) domains in the queue and I have no idea how/why they are there.  It looks like they are all using the SMTP Connector.  

Any idea what is going on here?  I hope my box isn't sending spam!
MightySW

Hi,
This is normal when users send directly through the Exchange server and the Exchange server does not have a dedicated smart host in the routing options.  Let's just say that you had an anti-spam firewall or a relay server that handled your outgoing requests, which the Exchange server passed the outgoing emails onto.  Your Exchange server would then send the information via the routing entries to the defined smart host, and that would be the entry that showed up every time someone within your organization sent an email.

You can see this by sending an email to a Gmail or Hotmail account or some other external domain while watching/refreshing the queue.  The domains that have emails sent to them will pop up in the queue and stay there for a determined amount of time so as to facilitate more emails (like an open connector to that domain).  I am sure that there is a registry fix somewhere for how long these queue entries stick around; perhaps someone else can elaborate on this.

You can learn more about smarthost and the ways to use them here:

http://www.dnsexit.com/support/mailrelay/exchange/setup.htm
http://www.petri.co.il/configure_iis_to_be_a_smart_host_for_exchange.htm


Here is an excellent resource on how to clean up your queues and perform some preventative maintenance.
http://www.amset.info/exchange/spam-cleanup.asp

HTH
MFredin (ASKER)

Well, I guess I am a little worried since many of the domain names in the queue are domains that no one in the office would be sending to... here's an idea of what I mean.

beefhive9.feeserve.co.uk
erotictreasures.com
exoticwoodfloor.com
hideakifan.com
ifg.com
hotelgalleriapark.com
tnvolleyball.com
etc.

These are not domains my users are sending email to.  So how did they end up in this queue?
Again, check this link out and see how to mitigate spam.  You may have your server set up for open relay:

http://www.amset.info/exchange/spam-cleanup.asp
MFredin (ASKER)

Thanks for the link.  It looks like I'm under an NDR attack.  I'm going through the instructions on how to "close the hole" and they refer to a Connectors folder in System Manager.  For some reason, I don't have that folder.  Any idea how I can find it?

Here are the instructions I am referencing.
SMTP Connections

Start ESM, then open Connectors.
Right click on each SMTP Connector in turn and choose Properties.
Click on the "Address Space" tab.
If you have a "*" in the address list, check that "Allow messages to be routed to these domains" is not enabled.
Apply/OK until all windows are closed.
Yes, go to ESM, expand domain, expand routing groups, expand domain, expand connectors, right-click on each connector.  You should have a default connector named 'mail' and you may have others.  This depends on how you have it set up and how you are doing your routing.  From the sounds of things you will probably just have one.

This is where those instructions apply.

HTH
When you go to Address Space, it will actually say "Allow messages to be RELAYED to these domains".  You don't want this checked.
MFredin (ASKER)

Hmm. "Allow messages" was actually unchecked and all my settings are in line with the instructions, so I suspect it could be authenticated user relaying.  I turned on logging and will be monitoring Event Viewer.
MFredin (ASKER)

Here is an event that has already shown up in Event Viewer...

This is an SMTP protocol error log for virtual server ID 1, connection #24. The remote host "205.158.62.181", responded to the SMTP command "rcpt" with "550 <teet@singapore.net>: No thank you rejected: User unknown  ". The full command sent was "RCPT TO:<teet@singapore.net>  ".  This will probably cause the connection to fail.

Hi,
Go to domain, server, protocols, SMTP, right-click on Default SMTP Virtual Server, select Properties, click the Access tab and click Relay.

How do you have it set?

It should be set to "Only the list below" (either empty, or a listed machine in there may be relaying for you) and "Allow all computers which successfully authenticate" unchecked.  Click on Users, and ONLY Authenticated Users with Allow Submit and Allow Relay are checked.  If there are others, list them here.
The usual account used for an authenticated user attack is administrator. Therefore I would suggest you change the administrator password, restart the SMTP Server Service and then turn off authenticated relaying completely.

-M
Yes, however this is a production server and it is working so allowing authenticated users not to relay would break your outbound mail.
Oh, I see what you are saying Mestha, yes just uncheck relaying and leave send checked.
MFredin (ASKER)

Not sure what you mean by "uncheck relaying and leave send checked".  So I should UNcheck "Allow all computers which successfully authenticate to relay, regardless of the list above."?  Where do I "leave send checked"?  
MFredin (ASKER)

Ok, I think I understand.  So I unchecked "Allow all computers which successfully authenticate to relay, regardless of the list above." and then clicked "Users" and Authenticated Users are only allowed the Submit Permission.  This is correct right?
You had Allow all computers which successfully authenticate to relay checked?

Yes, you are correct, you need to uncheck that, and click users and uncheck authenticated users relay  (leave submit checked).

That will cut out rogue or hijacked accounts within your network using your Exchange server for relaying.  But if they are just sending out, then you could still see the issue.

Check the event logs after you verify these settings and clear the queues.
MFredin (ASKER)

I cleared the queues and started SMTP.  Everything was clear for about 10 minutes, but now I see more random domains in the queue again.  I checked Event Viewer and am getting some errors like "504 Need to authenticate first", which seems like a good sign; then the next error is "550 5.7.1 Unable to relay for SOMECRAZYDOMAINNAME".

Another thing: I am using this box to send messages for one of my hosted sites.  It doesn't seem to be letting me send from the site anymore.  I get the "550 5.7.1 Unable to relay for MYDOMAIN" error.  Is there any way to allow this?  Maybe that username and password is compromised?
Is your hosted site on an IP on your network?

If so, then add it to the list that is allowed to relay through the server: in ESM, go to domain, server, protocols, SMTP, right-click on Default SMTP Virtual Server, select Properties, click the Access tab and click Relay.

Make sure you add in the IP and select ONLY the list below....
Again, did you also reset the administrator password before you stopped and restarted the Default SMTP Virtual Server?

MFredin (ASKER)

Unfortunately, it's not in my network.  It does have a static IP, though.  Could I still add it?
Yes you can, but I suspect this is where your issue is.

You should try another SMTP server that is accessible over the internet.  I wouldn't allow any external sources to relay on your internal Exchange server.  This is just bad practice.

You should try to get an SMTP relay from your ISP/bandwidth provider.
The fact that you are getting bounces now shows that the relay has been disabled, but it could have been from an internal user account.

Follow the troubleshooting guidelines in that link.  You will have to re-enable relaying for authenticated users, either that or look for that event (for previous events when it was enabled) by looking for the type of event listed in the link:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 30/08/2004
Time: 15:45:08
User: N/A
Computer: EXCH-SRV1
Description: SMTP Authentication was performed successfully with client test-pc1. The authentication method was LOGIN and the username was testdomain\testusername.
MFredin (ASKER)

So here is what I've done.  Changed the administrator password, shut down relay, restarted SMTP, moved my website SMTP relay from my internal Exchange server to my hosting company's email system.  I also changed the password on the account I was using for relay.  I checked Event Viewer and I'm getting a bunch of "504 need to authenticate first" messages, which is good, I think.  But I am STILL getting a bunch of weird domains in my queue.
Check for previous Event ID 1708s and look for the user that is doing it...
MFredin (ASKER)

I actually don't have any 1708s; they're mostly 7010 and 7004.
We need to find the source of the authentication required.

Enable the relay permission for authenticated users, stop and start SMTP, and then watch Event Viewer for 1708s.
MFredin (ASKER)

Did that and still just loads of 1710s and no 1708s.
What is the info in a 1710?
Are you getting this verbatim:

An SMTP client authenticated as user "NT AUTHORITY\ANONYMOUS LOGON"
MFredin (ASKER)

Sorry, I meant 7010, not 1710.

Here is a 7010 and a 7004.

[7010]
This is an SMTP protocol log for virtual server ID 1, connection #169. The client at "204.16.179.242" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 1036 2".  This will probably cause the connection to fail.

[7004]
This is an SMTP protocol error log for virtual server ID 1, connection #160. The remote host "82.223.191.131", responded to the SMTP command "rcpt" with "550 <ienoolta1979@STFMA.COM>: Recipient address rejected: User unknown in virtual alias table  ". The full command sent was "RCPT TO:<ienoolta1979@STFMA.COM>  ".  This will probably cause the connection to fail.
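As an added example, not from the thread or any of its posters, of the event-log triage the replies above ask for (look for 1708s to find the authenticating account; the 7010 and 7004 entries just quoted): this parses constructed copies of those three event descriptions and reports which account authenticated from which client, which clients were refused with 504, and which destination domains bounced the server's outbound RCPT. The event wording follows the thread; the hostnames, addresses and the known-client list are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the shapes quoted in this thread: (event id, description).
# Hostnames and addresses are made up (documentation ranges), not values from the thread.
SAMPLE_EVENTS = [
    ("1708", "SMTP Authentication was performed successfully with client test-pc1. "
             "The authentication method was LOGIN and the username was testdomain\\testusername."),
    ("1708", "SMTP Authentication was performed successfully with client 203.0.113.5. "
             "The authentication method was LOGIN and the username was testdomain\\administrator."),
    ("1708", "SMTP Authentication was performed successfully with client 203.0.113.5. "
             "The authentication method was LOGIN and the username was testdomain\\administrator."),
    ("7010", 'This is an SMTP protocol log for virtual server ID 1, connection #169. The client at '
             '"203.0.113.7" sent a "xexch50" command, and the SMTP server responded with '
             '"504 Need to authenticate first  ". The full command sent was "xexch50 1036 2".'),
    ("7004", 'This is an SMTP protocol error log for virtual server ID 1, connection #160. The remote '
             'host "198.51.100.9", responded to the SMTP command "rcpt" with "550 <a@example.net>: '
             'User unknown  ". The full command sent was "RCPT TO:<a@example.net>  ".'),
]

AUTH_RE = re.compile(r"with client (\S+)\. The authentication method was (\w+) and the username was (\S+)\.")
CLIENT_RE = re.compile(r'The client at "([^"]+)"')
RCPT_RE = re.compile(r"RCPT TO:<[^@>]+@([^>]+)>", re.IGNORECASE)


def summarize(events):
    """Aggregate 1708 (who authenticated, from where), 7010 (clients refused with 504)
    and 7004 (destination domains that rejected our outbound RCPT)."""
    auth = defaultdict(Counter)   # username -> Counter of client hosts that used it
    refused = Counter()           # client address -> number of 504 rejections we issued
    bounced = Counter()           # recipient domain -> number of remote 5xx on RCPT
    for event_id, desc in events:
        if event_id == "1708" and (m := AUTH_RE.search(desc)):
            auth[m.group(3).lower()][m.group(1)] += 1
        elif event_id == "7010" and (m := CLIENT_RE.search(desc)):
            refused[m.group(1)] += 1
        elif event_id == "7004" and (m := RCPT_RE.search(desc)):
            bounced[m.group(1).lower()] += 1
    return {"auth": auth, "refused": refused, "bounced": bounced}


def suspicious_accounts(summary, known_clients):
    """Accounts that authenticated from a client outside the known list (for example the
    administrator account logging in from an Internet address) are the relay suspects."""
    return sorted(user for user, clients in summary["auth"].items()
                  if any(c not in known_clients for c in clients))


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print("suspects:", suspicious_accounts(s, {"test-pc1"}))
    print("refused with 504:", dict(s["refused"]), "bounced domains:", dict(s["bounced"]))
```

A long tail of bounced domains with no 1708 for an internal account points at mail already accepted before relaying was closed, which is what the later replies in this thread describe.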
Looks like you are blocking, but they are sending 5.7.1s.

Have a look through this:

http://support.microsoft.com/kb/895853

MFredin (ASKER)

Yeah, it doesn't make sense because the 7010 messages are blocking but I still get new random domains in my queue.  I have checked and double checked the settings in the tutorials sent.  I don't get it.  Relay is turned off.
Let's clear a few things up.
If you do not have ANY SMTP clients (i.e. Outlook Express) sending through your server, then you do not need any relay options set, nothing listed as an authenticated user, and the authenticated relaying options can be completely disabled.

Next - Exchange is notorious for not showing the true extent of the queues. If the server has been blasted with email (which is what happens when a spammer gets hold of a server) then it can take three or four passes to clean the queues completely.

Next - The errors in the event logs are what I would expect to see. Spammers' lists are not very clean, so there will be a lot of duff email addresses in the list. Your server is just reporting the ones that cannot be delivered.

A server that has been abused cannot be cleaned up in ten minutes. When I am doing one it normally takes me the best part of a day to get it clean.

-M
ASKER CERTIFIED SOLUTION
MightySW
This solution is only available to members.
MFredin (ASKER)

Thanks, guys.  So I've used the command line tool to clean up my queue about 5 or 6 times now.  It clears them out, then a minute later more and more unknown domains start piling in.  I'm convinced there is still a hole somewhere.  When I logged in this morning my account was locked out.  Any suggestions?
SOLUTION
This solution is only available to members.
MFredin (ASKER)

I closed port 25 and cleared the queue.  Waited 5 minutes and the queue stayed clear.  I opened port 25 and the queue started getting dirty again.  So frustrating.
While the port was closed, did you verify that you have closed all three possible ways of email getting through?

Disabled authenticated relaying completely?
Turned off all relaying options - you do not need anything listed for Exchange to work
Checked the SMTP connector?

Do you have recipient filtering and the tarpit enabled?

There are very few ways that Exchange can allow email to be relayed.

Remember after making any changes you need to restart the SMTP Server service.

-M
Did you run Kaspersky and Malwarebytes on your computer?

http://www.kaspersky.com/virusscanner

http://www.malwarebytes.org/

It seems that your account may be partially responsible for attempted relays, which would indicate that you have a rootkit.  Go to Sysinternals and download the rootkit detector on your machine.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

HTH
Are these messages NDRs?

Someone might be spoofing your address list for spamming purposes.