SMTP Relay Issue - Has server been hijacked?

Hi,
An issue has come to light where we are unable to successfully send email to a handful of clients. These clients have recently changed internet and email providers, but these clients have no issue receiving email from anywhere else.

I suspect blacklisting due to spam, so I've been checking over our server's SMTP configuration.

I referred to Microsoft's KB article to determine whether the server's SMTP relay was exposed to the web (http://support.microsoft.com/kb/324958)

Having followed this test, it appears that the SMTP is NOT open. In fact, this is confirmed by checking the actual SMTP relay configuration, which is configured to only accept mail from 2 specific machines in our internal network.

So, as suggested in the article, I enabled SMTP logging.

My concern now is that, having checked the event logs after an hour or so, there does seem to be some strange activity, attempting to send email that has not been initiated by our users.

See below for a sample of the errors/warnings.

I'm not sure now what to check.

Can anyone advise?

The server is Windows 2003 SBS.
This is an SMTP protocol warning log for virtual server ID 1, connection #137. The remote host "207.155.248.53", responded to the SMTP command "rcpt" with "451 <alnahcok1978@FujiAmerica.com>: Recipient address rejected: MX service temporarily unavailable [06POKU772H00]  ". The full command sent was "RCPT TO:<alnahcok1978@FujiAmerica.com>  ".  This may cause the connection to fail. 
 
This is an SMTP protocol error log for virtual server ID 1, connection #136. The remote host "89.208.32.121", responded to the SMTP command "rcpt" with "550 <fcompactify@cdemons.com>: Recipient address rejected: User unknown in virtual mailbox table  ". The full command sent was "RCPT TO:<fcompactify@cdemons.com>  ".  This will probably cause the connection to fail. 
 
This is an SMTP protocol error log for virtual server ID 1, connection #135. The remote host "216.13.37.56", responded to the SMTP command "rcpt" with "550 5.1.1 <terrid@mamma.com>: Recipient address rejected: User unknown  ". The full command sent was "RCPT TO:<terrid@mamma.com>  ".  This will probably cause the connection to fail.


trumaj66Asked:
SurajCommented:

These postmaster emails are basically a reverse NDR attack. It's very easy to get rid of them.
Enable all the spam filtering on the Exchange server and then stop the SMTP service.
Then rename the queue folder, and then restart the SMTP service again.
I have mentioned the steps for configuring the spam filters in this; just make the changes accordingly:

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/Q_24125836.html?cid=238#a23669727

-x
 
AdamsConsultingCommented:
Either your e-mail server is sending spam or a host on your network is relaying spam through your exchange server. I would recommend checking out this article:

http://www.spamstopshere.com/blog/2008/04/09/locking-down-your-outgoing-e-mail/

Basically you'll need to rule out whether your e-mail server itself is compromised, and then if it isn't, enable additional logging to see which host on your network is relaying the messages.
 
MesthaCommented:
If your server is being abused then you will have a lot of messages in the queues, as spammers' lists are not always that clean.

There are three ways that Exchange can be abused - open relay, authenticated relaying and NDR.

What you have in the queues will give an idea.

-M
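An added triage script for the pattern this thread describes (it is not code from the thread, from Microsoft or from Exchange): it parses protocol-log entries of the shape quoted in the question, sorts queued messages into the three abuse modes Mestha lists (open relay, authenticated relaying, NDR), and shows what Recipient Filtering changes at RCPT time. The domain name, the local user list and the sample log and queue records are constructed assumptions; the point to notice in the log entries is that the remote host is answering our RCPT, so each entry is a delivery this server initiated.

```python
"""Triage helper for the SMTP protocol-log entries and queue contents in this
thread.  Added example, not code from the thread, Microsoft or Exchange;
OUR_DOMAIN, LOCAL_USERS and all sample data are assumptions / constructed."""
import re
from collections import Counter

OUR_DOMAIN = "ourdomain.com"                  # assumption: the poster's own domain
LOCAL_USERS = {"alice", "bob", "postmaster"}  # assumption: mailboxes that exist

# Layout of the event text quoted in the question.  The *remote* host answered
# *our* RCPT, so every entry is an outbound delivery this server initiated.
LOG_RE = re.compile(
    r'SMTP protocol (?P<level>warning|error) log for virtual server ID (?P<vs>\d+), '
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to the '
    r'SMTP command "(?P<cmd>[^"]+)" with "(?P<code>\d{3}) (?P<text>.*?)\s*"\. '
    r'The full command sent was "(?P<full>[^"]*?)\s*"\.')
RCPT_RE = re.compile(r"RCPT TO:<(?P<addr>[^>]*)>", re.IGNORECASE)

def parse_log_entry(text):
    """Fields of one protocol-log event, or None if the text does not match."""
    m = LOG_RE.search(text)
    if not m:
        return None
    rec = m.groupdict()
    r = RCPT_RE.search(rec["full"])
    rec["recipient"] = r.group("addr").lower() if r else None
    return rec

def summarize_log(entries, our_domain=OUR_DOMAIN):
    """Count outbound RCPT rejections: many distinct remote MXs and 'user unknown'
    answers in a short window mean this server is working through somebody
    else's address list, whatever put the mail into the queue."""
    recs = [r for r in map(parse_log_entry, entries) if r]
    rej = [r for r in recs if r["cmd"].lower() == "rcpt" and r["code"][0] in "45"]
    ext = {r["recipient"] for r in rej
           if r["recipient"] and not r["recipient"].endswith("@" + our_domain)}
    return {"parsed": len(recs), "rcpt_rejections": len(rej),
            "distinct_remote_mx": len({r["host"] for r in rej}),
            "external_recipients": len(ext),
            "by_code": dict(Counter(r["code"] for r in rej))}

def classify_queue_message(msg, our_domain=OUR_DOMAIN):
    """Label a queued message with one of the abuse modes Mestha lists (open
    relay, authenticated relaying, NDR).  msg: sender, recipient, authenticated."""
    dom = "@" + our_domain
    sender, rcpt = msg["sender"].lower(), msg["recipient"].lower()
    if sender in ("", "postmaster" + dom):
        # Bounce generated here for mail accepted for a non-existent local user;
        # the forged original sender now receives our NDR and its spam payload.
        return "ndr-backscatter"
    if msg.get("authenticated"):
        return "authenticated-relay" if not rcpt.endswith(dom) else "local-delivery"
    if not sender.endswith(dom) and not rcpt.endswith(dom):
        return "open-relay"  # neither side is ours and nobody authenticated
    return "local-origin"

def dominant_abuse_mode(queue):
    """(most common abuse label or None, all label counts) for a queue dump."""
    counts = Counter(classify_queue_message(m) for m in queue)
    abuse = {k: v for k, v in counts.items() if k not in ("local-delivery", "local-origin")}
    return (max(abuse, key=abuse.get) if abuse else None, dict(counts))

def rcpt_decision(recipient, filtering_enabled, our_domain=OUR_DOMAIN,
                  local_users=LOCAL_USERS):
    """(SMTP reply, will an NDR be generated) for an inbound RCPT TO.  Without
    Recipient Filtering an unknown local user is accepted and bounced later;
    with it the address is refused at RCPT time, so no bounce exists to abuse."""
    user, _, dom = recipient.lower().partition("@")
    if dom != our_domain:
        return ("550", False)  # relay closed: not our domain
    if user in local_users:
        return ("250", False)
    return ("550", False) if filtering_enabled else ("250", True)

def _entry(level, conn, host, code, text, rcpt):
    """Build one constructed event in the exact shape the question quotes."""
    return (f'This is an SMTP protocol {level} log for virtual server ID 1, connection '
            f'#{conn}. The remote host "{host}", responded to the SMTP command "rcpt" '
            f'with "{code} <{rcpt}>: {text}  ". The full command sent was '
            f'"RCPT TO:<{rcpt}>  ".  This will probably cause the connection to fail.')

SAMPLE_LOG = [  # constructed, modelled on the three entries in the question
    _entry("warning", 137, "203.0.113.10", "451",
           "Recipient address rejected: MX service temporarily unavailable", "user1@example.net"),
    _entry("error", 136, "198.51.100.7", "550",
           "Recipient address rejected: User unknown in virtual mailbox table", "user2@example.org"),
    _entry("error", 135, "192.0.2.25", "550 5.1.1",
           "Recipient address rejected: User unknown", "user3@example.com"),
]
SAMPLE_QUEUE = [  # constructed, modelled on what the poster found in the queues
    {"sender": "postmaster@ourdomain.com", "recipient": "user1@example.net", "authenticated": False},
    {"sender": "postmaster@ourdomain.com", "recipient": "user2@example.org", "authenticated": False},
    {"sender": "", "recipient": "user3@example.com", "authenticated": False},
    {"sender": "alice@ourdomain.com", "recipient": "partner@example.com", "authenticated": True},
]

if __name__ == "__main__":
    print(summarize_log(SAMPLE_LOG))
    print(dominant_abuse_mode(SAMPLE_QUEUE))
    for flt in (False, True):
        print("recipient filtering", flt, "->", rcpt_decision("nosuchuser@ourdomain.com", flt))
```

Run it as-is to see the three views side by side: the log summary says whether the server is pushing to many unrelated MXs, the queue classification says which of the three abuse modes put the mail there (a queue full of postmaster@ or empty-sender messages is backscatter, not a hijacked account or open relay), and `rcpt_decision` shows why Recipient Filtering ends the backscatter case: the unknown address is refused during the SMTP conversation, so no NDR is ever generated for the forged sender. With a real queue dump, feed the sender/recipient/authentication columns into `SAMPLE_QUEUE`'s shape.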
 
trumaj66Author Commented:
Thanks guys.

@Mestha
I have checked the email queues, and there are a number of spam messages in there, the oldest dating from a couple of days ago.

All of them are marked with the sender as "postmaster@ourdomain.com".

Is there any way of me tracing where the email was actually generated?
 
MesthaCommented:
Recipient Filtering will stop future attacks of this type.
http://www.amset.info/exchange/filter-unknown.asp

-M
 
SurajCommented:
Did you enable the filtering I asked you to configure? Let me know if you have any issues.
Just go to the link I provided and make those settings, then restart the SMTP service.
Your issue will be fixed!