Solved

SMTP Relay Issue - Has server been hijacked?

Posted on 2009-02-18
Last Modified: 2013-11-30
Hi,
An issue has come to light where we are unable to successfully send email to a handful of clients. These clients have recently changed internet and email providers, but these clients have no issue receiving email from anywhere else.

I suspect blacklisting due to spam, so I've been checking over our server's SMTP configuration.

I referred to Microsoft's KB article to determine whether the server's SMTP relay was exposed to the web (http://support.microsoft.com/kb/324958)

Having followed this test, it appears that the SMTP is NOT open. In fact, this is confirmed by checking the actual SMTP relay configuration, which is configured to only accept mail from 2 specific machines in our internal network.

So, as suggested in the article, I enabled SMTP logging.

My concern now is that, having checked the event logs after an hour or so, there does seem to be some strange activity, attempting to send email that has not been initiated by our users.

See below for a sample of the errors/warnings.

I'm not sure now what to check.

Can anyone advise?

The server is Windows 2003 SBS.
This is an SMTP protocol warning log for virtual server ID 1, connection #137. The remote host "207.155.248.53", responded to the SMTP command "rcpt" with "451 <alnahcok1978@FujiAmerica.com>: Recipient address rejected: MX service temporarily unavailable [06POKU772H00]  ". The full command sent was "RCPT TO:<alnahcok1978@FujiAmerica.com>  ".  This may cause the connection to fail. 
 
This is an SMTP protocol error log for virtual server ID 1, connection #136. The remote host "89.208.32.121", responded to the SMTP command "rcpt" with "550 <fcompactify@cdemons.com>: Recipient address rejected: User unknown in virtual mailbox table  ". The full command sent was "RCPT TO:<fcompactify@cdemons.com>  ".  This will probably cause the connection to fail. 
 
This is an SMTP protocol error log for virtual server ID 1, connection #135. The remote host "216.13.37.56", responded to the SMTP command "rcpt" with "550 5.1.1 <terrid@mamma.com>: Recipient address rejected: User unknown  ". The full command sent was "RCPT TO:<terrid@mamma.com>  ".  This will probably cause the connection to fail.

Question by:trumaj66
6 Comments
 
LVL 4

Expert Comment

by:AdamsConsulting
ID: 23673771
Either your e-mail server is sending spam or a host on your network is relaying spam through your exchange server. I would recommend checking out this article:

http://www.spamstopshere.com/blog/2008/04/09/locking-down-your-outgoing-e-mail/

Basically you'll need to rule out whether your e-mail server itself is compromised, and then if it isn't, enable additional logging to see which host on your network is relaying the messages.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23674135
If your server is being abused then you will have a lot of messages in the queues, as spammers' lists are not always that clean.

There are three ways that Exchange can be abused - open relay, authenticated relaying and NDR.

What you have in the queues will give an idea.

-M
0
 

Author Comment

by:trumaj66
ID: 23674211
Thanks guys.

@Mestha
I have checked the email queues, and there are a number of spam messages in there, the oldest dating from a couple of days ago.

All of them are marked with the sender as "postmaster@ourdomain.com".

Is there any way of me tracing where the email was actually generated?
0
 
LVL 17

Accepted Solution

by:
Suraj earned 1000 total points
ID: 23674665

These postmaster emails are basically a reverse NDR attack. It's very easy to get rid of them.
Enable all the spam filtering on the Exchange server and then stop the SMTP service.
Then rename the queue folder, and then restart the SMTP service again.
I have mentioned the steps for configuring the spam filters in this; just make the changes accordingly:

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/Q_24125836.html?cid=238#a23669727

-x
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 1000 total points
ID: 23675756
Recipient Filtering will stop future attacks of this type.
http://www.amset.info/exchange/filter-unknown.asp

-M
0
 
LVL 17

Expert Comment

by:Suraj
ID: 23677712
Did you enable the filtering I asked you to configure? Let me know if you have any issues.
Just go to the link I provided and make those settings, then restart the SMTP service.
Your issue will be fixed!
0
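
An added example, not part of any post in this thread: a small Python triage script run over the three event texts quoted in the question. It extracts the connection number, remote host, reply code and recipient of each rejected RCPT and lists the outside domains that refuse the address as nonexistent, a pattern consistent with the server delivering NDRs to forged senders. The function names and the `local_domains` parameter are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the three SMTP protocol events quoted in the question above.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #137. The remote host "207.155.248.53", responded to the SMTP command "rcpt" with "451 <alnahcok1978@FujiAmerica.com>: Recipient address rejected: MX service temporarily unavailable [06POKU772H00]  ". The full command sent was "RCPT TO:<alnahcok1978@FujiAmerica.com>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #136. The remote host "89.208.32.121", responded to the SMTP command "rcpt" with "550 <fcompactify@cdemons.com>: Recipient address rejected: User unknown in virtual mailbox table  ". The full command sent was "RCPT TO:<fcompactify@cdemons.com>  ".  This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #135. The remote host "216.13.37.56", responded to the SMTP command "rcpt" with "550 5.1.1 <terrid@mamma.com>: Recipient address rejected: User unknown  ". The full command sent was "RCPT TO:<terrid@mamma.com>  ".  This will probably cause the connection to fail.',
]

EVENT_RE = re.compile(
    r'SMTP protocol (?P<level>warning|error) log for virtual server ID \d+, '
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to the '
    r'SMTP command "(?P<cmd>\w+)" with "(?P<code>\d{3})[ -](?P<text>[^"]*)"'
)
RCPT_RE = re.compile(r'RCPT TO:<(?P<rcpt>[^>]+)>', re.I)

def parse_event(text):
    """Return the fields of one rejected-RCPT event, or None if it does not match."""
    m, r = EVENT_RE.search(text), RCPT_RE.search(text)
    if not m or not r:
        return None
    code = int(m['code'])
    return {
        'conn': int(m['conn']),
        'remote_host': m['host'],
        'code': code,
        # 5xx = remote server refuses for good, 4xx = it asks us to retry later
        'kind': 'permanent' if code >= 500 else 'transient' if code >= 400 else 'other',
        'recipient': r['rcpt'].lower(),
        'domain': r['rcpt'].rsplit('@', 1)[-1].lower(),
        'reason': m['text'].strip(),
    }

def summarize(texts, local_domains=()):
    """Group rejections for recipients outside local_domains (hypothetical parameter)."""
    events = [e for e in map(parse_event, texts) if e]
    external = [e for e in events if e['domain'] not in local_domains]
    return {
        'parsed': len(events),
        'by_kind': Counter(e['kind'] for e in external),
        'rejecting_domains': sorted({e['domain'] for e in external if e['kind'] == 'permanent'}),
        'unknown_user': sorted(e['recipient'] for e in external if 'user unknown' in e['reason'].lower()),
    }

if __name__ == '__main__':
    print(summarize(SAMPLE_EVENTS))
```

A long list of unrelated recipient domains answering "User unknown" for mail no user sent is the cue to inspect the queue senders, as the thread goes on to do.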


Question has a verified solution.
