
SMTP Relay Issue - Has server been hijacked?

trumaj66 asked
Medium Priority
755 Views
Last Modified: 2013-11-30
Hi,
An issue has come to light where we are unable to successfully send email to a handful of clients. These clients have recently changed internet and email providers, but these clients have no issue receiving email from anywhere else.

I suspect blacklisting due to spam, so I've been checking over our server's SMTP configuration.

I referred to Microsoft's KB article to determine whether the server's SMTP relay was exposed to the web (http://support.microsoft.com/kb/324958)

Having followed this test, it appears that the SMTP is NOT open. In fact, this is confirmed by checking the actual SMTP relay configuration, which is configured to only accept mail from 2 specific machines in our internal network.

So, as suggested in the article, I enabled SMTP logging.

My concern now is that, having checked the event logs after an hour or so, there does seem to be some strange activity, attempting to send email that has not been initiated by our users.

See below for a sample of the errors/warnings.

I'm not sure now what to check.

Can anyone advise?

The server is Windows 2003 SBS.
This is an SMTP protocol warning log for virtual server ID 1, connection #137. The remote host "207.155.248.53", responded to the SMTP command "rcpt" with "451 <alnahcok1978@FujiAmerica.com>: Recipient address rejected: MX service temporarily unavailable [06POKU772H00]  ". The full command sent was "RCPT TO:<alnahcok1978@FujiAmerica.com>  ".  This may cause the connection to fail.

This is an SMTP protocol error log for virtual server ID 1, connection #136. The remote host "89.208.32.121", responded to the SMTP command "rcpt" with "550 <fcompactify@cdemons.com>: Recipient address rejected: User unknown in virtual mailbox table  ". The full command sent was "RCPT TO:<fcompactify@cdemons.com>  ".  This will probably cause the connection to fail.

This is an SMTP protocol error log for virtual server ID 1, connection #135. The remote host "216.13.37.56", responded to the SMTP command "rcpt" with "550 5.1.1 <terrid@mamma.com>: Recipient address rejected: User unknown  ". The full command sent was "RCPT TO:<terrid@mamma.com>  ".  This will probably cause the connection to fail.


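An added example, not code from this thread or from the Microsoft KB article: it parses the three SMTP protocol-log events quoted in the question and summarises them for triage. Note the direction: in these events our server is the SMTP client and the "remote host" is the destination MX, so a spread of 5xx "user unknown" rejections across unrelated domains points to relayed spam or NDR backscatter rather than mail our users sent. The 2-rejection / 2-domain threshold is an assumed heuristic, not a Microsoft or Exchange setting.

```python
import re
from collections import Counter

# Constructed sample: the three events quoted in the question, copied verbatim.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #137. The remote host '
    '"207.155.248.53", responded to the SMTP command "rcpt" with "451 <alnahcok1978@FujiAmerica.com>: '
    'Recipient address rejected: MX service temporarily unavailable [06POKU772H00]  ". The full command '
    'sent was "RCPT TO:<alnahcok1978@FujiAmerica.com>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #136. The remote host '
    '"89.208.32.121", responded to the SMTP command "rcpt" with "550 <fcompactify@cdemons.com>: '
    'Recipient address rejected: User unknown in virtual mailbox table  ". The full command sent was '
    '"RCPT TO:<fcompactify@cdemons.com>  ".  This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #135. The remote host '
    '"216.13.37.56", responded to the SMTP command "rcpt" with "550 5.1.1 <terrid@mamma.com>: '
    'Recipient address rejected: User unknown  ". The full command sent was '
    '"RCPT TO:<terrid@mamma.com>  ".  This will probably cause the connection to fail.',
]

# Fields of one Windows SMTP service protocol-log event, as worded in the question.
EVENT_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>[^"]+)" with "(?P<code>\d{3}) (?P<reply>.*?)\s*"\. The full command sent was "(?P<full>[^"]*)"'
)

def parse_event(text):
    """Extract host, command, reply code/text and recipient from one event.
    Returns None when the text is not an SMTP protocol-log event."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    rcpt = re.search(r"<([^>]+)>", m.group("full"))
    addr = rcpt.group(1) if rcpt else None
    return {"conn": int(m.group("conn")), "host": m.group("host"), "cmd": m.group("cmd").lower(),
            "code": int(m.group("code")), "reply": m.group("reply").strip(), "rcpt": addr,
            "domain": addr.rsplit("@", 1)[-1].lower() if addr else None}

def triage(texts):
    """Outbound attempts rejected with 5xx 'user unknown' at several unrelated domains are the
    pattern of relayed spam or NDR backscatter; the >=2/>=2 threshold is an assumed heuristic."""
    events = [e for e in map(parse_event, texts) if e]
    unknown = [e for e in events if 500 <= e["code"] < 600 and "user unknown" in e["reply"].lower()]
    domains = {e["domain"] for e in events if e["domain"]}
    return {"events": len(events), "by_code": Counter(e["code"] for e in events),
            "by_host": Counter(e["host"] for e in events),
            "unknown_recipients": sorted(e["rcpt"] for e in unknown),
            "distinct_domains": len(domains),
            "suspect_abuse": len(unknown) >= 2 and len(domains) >= 2}
```

Feed it the full text of each SMTP protocol warning/error event from the Application log; a 4xx-only result with one or two hosts is ordinary delivery trouble, while the sample above trips the abuse flag.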

Either your e-mail server is sending spam or a host on your network is relaying spam through your Exchange server. I would recommend checking out this article:

http://www.spamstopshere.com/blog/2008/04/09/locking-down-your-outgoing-e-mail/

Basically you'll need to rule out whether your e-mail server itself is compromised, and then if it isn't, enable additional logging to see which host on your network is relaying the messages.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
If your server is being abused then you will have a lot of messages in the queues, as spammers lists are not always that clean.

There are three ways that Exchange can be abused - open relay, authenticated relaying and NDR.

What you have in the queues will give an idea.

-M

Author

Commented:
Thanks guys.

@Mestha
I have checked the email queues, and there are a number of spam messages in there, the oldest dating from a couple of days ago.

All of them are marked with the sender as "postmaster@ourdomain.com".

Is there any way of me tracing where the email was actually generated?
Senior System Engineer
CERTIFIED EXPERT
Commented:

These postmaster emails are basically a reverse NDR attack. It's very easy to get rid of them.
Enable all the spam filtering on the Exchange server and then stop the SMTP service.
Then rename the queue folder, and then restart the SMTP service.
I have mentioned the steps for configuring the spam filters in this; just make the changes accordingly:

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/Q_24125836.html?cid=238#a23669727

-x

Expert of the Quarter 2009
Expert of the Year 2009
Commented:
Recipient Filtering will stop future attacks of this type.
http://www.amset.info/exchange/filter-unknown.asp

-M
Suraj
Senior System Engineer
CERTIFIED EXPERT

Commented:
Did you enable the filtering I asked you to configure? Let me know if you have any issues.
Just go to the link I provided and make those settings, then restart the SMTP service.
Your issue will be fixed!