Solved

Could my Exchange server be open relay?

Posted on 2009-04-11
Last Modified: 2012-05-06
Using Exchange 2003 SP2

I have quite a few of these dated today, Saturday, when there are no employees sending out emails:

MSExchangeTransport 3030

A non-delivery report with a status code of 4.1.7 was generated for recipient rfc822;m.lunetta@cia.it (Message-ID <SERVERSORH9HWP5RvIT00000cfa@mydomain.com>).

A non-delivery report with a status code of 4.1.1 was generated for recipient rfc822;fmorandi@unimo.it (Message-ID <SERVERGzrLCCtgx8VUk00000cd6@mydomain.com>).

A non-delivery report with a status code of 4.1.7 was generated for recipient rfc822;dusan@ictp.trieste.it (Message-ID <SERVERW3l1GM3h3vLgA00000cc7@mydomain.com>).
A non-delivery report with a status code of 4.1.1 was generated for recipient rfc822;longd@sgi.net (Message-ID <SERVERHusMjQHtMFauk00000c43@mydomain.com>).

Now I've run the test at mxtoolbox.com against my domain to check if it's an open relay. Mxtoolbox gave me green lights on all checks, meaning that it's not. I've also run the domain against numerous blacklists on the web and I don't seem to be listed anywhere (good thing). Now we have antivirus daily scans with Symantec Endpoint Protection that check for viruses and rootkits. Yet I keep receiving these messages in the Event Log. What's the meaning of this? Do I have a huge hole somewhere in my security? If so, what should I be checking?
Question by:Anti-Mhz
13 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 24123150
Hello Anti-Mhz,

see my website here http://www.petenetlive.com/Tech/Exchange/openrelay.htm

Regards,

PeteLong
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 24123184
550 5.7.1 Unable to relay for bad@gmail.com
steps 1 and 2 are ok

If it's not an open relay, then what could all these messages in the event log be? There's lots of them. Could that be "hackers" attempting to relay?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24123599
If your server is being abused then you can tell because there will be a lot of messages in the queues. It could be a spammer probing the defences.

However it isn't just open relay that can allow your server to be abused - authenticated relaying can also take place. Again if your server has been compromised then there will be a lot of messages in the queues.

Simon.
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 24123632
Yeah, there's lots of messages in the queue. Is there good reading material on what my steps should be to eliminate this?
0
 
LVL 13

Expert Comment

by:FearNoMore
ID: 24123635
No... your server is not open for relay.
The NDRs you are getting are caused by something called greylisting.
Go through the following post... it will make sense:
http://theessentialexchange.com/blogs/michael/archive/2007/11/16/exchange-2003-sp2-and-greylisting.aspx
 
0
 
LVL 14

Accepted Solution

by:
Roachy1979 earned 300 total points
ID: 24124023
Just to emphasize Simon's point... if you've run other tests (and there are many) for open relays, and you can see queues building up, then it is likely that an SMTP-AUTH attack has taken place: someone is using working credentials to relay mail through your server.

Job 1 - Find out which email account is sending these messages. Any account with Exchange services enabled should definitely be using a strong password. If in doubt, disable the account until the password can be reset. Message tracking is a useful feature and should be enabled.

Job 2 - Find out whether it is a single IP that is relaying through your server or multiple IPs. If it's a single IP, then block it at firewall level. Tools such as Wireshark (or tcpdump/WinPcap) can be used to establish the source of the traffic.

Job 3 - Whois the source IPs and report them to the abuse email address for that IP block.

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24124155
If there are lots of messages in the queues, then your server is being abused, and you need to find out how. The most likely is an authenticated relay, and the usual account targeted for that is the Administrator account.

Start with my clean up article: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 24130179
@Mestha I followed your article http://www.amset.info/exchange/spam-cleanup.asp

Check Whether an Authenticated User is Relaying

This technique requires the Windows Event Viewer to determine whether a user is trying to use the SMTP service in Exchange to send email. If you have disabled the authenticated user option already then this isn't an issue. (more info)

Start ESM.
Expand Servers and then right click on your server and choose Properties.
Click on the "Diagnostic Logging" tab.
In the list of "Services" on the right, find "MSExchangeTransport".
In the resulting list choose "SMTP Protocol".
Below the list, change the "Logging Level" to Maximum.
Press Apply/OK to close Server Properties.


and now I have 4 new error messages under Application in the Event Viewer. Here they are.


MSExchangeTransport Eventid 7010

This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "88.102.192.190" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified  ". The full command sent was "mail FROM: <meandersvpw4@allcitypestcontrol.com>".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentre

MSExchangeTransport Eventid 7010

This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "88.102.192.190" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified  ". The full command sent was "mail FROM: <meandersvpw4@allcitypestcontrol.com>".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

MSExchangeTransport Eventid 7010

This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "88.102.192.190" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified  ". The full command sent was "mail FROM: <spaghettiytlu8736@centroformacionvial.com>".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.as

MSExchangeTransport Eventid 7010

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "213.221.60.186" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 2136 3".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 24130196
@Mestha I should add that I checked whether the server is under NDR attack using the following method:

   1. Start Exchange System Manager.
   2. Go to Servers, <your server>, Queues in Exchange 2003, or down to Protocols, SMTP in Exchange 2000.
   3. Select a queue that contains many messages, click Find messages, and then click Find Now.
   4. In the Sender field of the messages will be an address. If it is postmaster@ your domain then the message is an NDR. You can view the recipient of the NDR by double clicking on the message.

and all of the queues are at 0, which I take as a good thing.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24133606
If all of your queues are empty, then unless you are using a smart host that does not mean your server is being abused. If a spammer finds a server they can abuse they will - you will get 1000s of messages dumped on to the server.

The rest of the errors are most likely syntax errors by the sending server or a spammer probing away. Alas with logging turned right up you will see a lot of things that can normally be ignored.

Simon.
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 24208355
I keep getting these errors in the application log like:

This is an SMTP protocol log for virtual server ID 1, connection #266. The client at "213.221.60.186" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 2352 2".  This will probably cause the connection to fail.

For more information, click http://w

This is an SMTP protocol log for virtual server ID 1, connection #276. The client at "82.135.105.22" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 1020 2".  This will probably cause the connection to fail.


This is an SMTP protocol warning log for virtual server ID 1, connection #270. The remote host "80.93.49.78", responded to the SMTP command "rcpt" with "451 4.7.1 Greylisting in action, please come back later  ". The full command sent was "RCPT TO:<zai@nevael.ru>  ".  This may cause the connection to fail.
0
 
LVL 13

Assisted Solution

by:FearNoMore
FearNoMore earned 150 total points
ID: 24208430
"Greylisting in action"
Did you read my comment that I posted previously?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 300 total points
ID: 24209038
The two errors about xexch50 are another Exchange server talking to your Exchange server. Perfectly normal. You must have logging turned up, as things like that are routine and not normally shown in the event logs.

Simon.
0
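The thread ends up sorting the author's event log entries into a few buckets: transient 4.x.x NDRs and "451 4.7.1" responses (greylisting by the remote side), "503 5.5.2" from a client that repeats MAIL FROM (a broken client or a probe, no mail accepted), and "504 Need to authenticate first" on XEXCH50 (routine Exchange-to-Exchange chatter). Roachy1979's Job 2 also asks whether the traffic comes from one IP or many. The script below is an added example, not code from the thread or any of its posters: it applies that triage to the text of MSExchangeTransport 3030 and 7010 events and counts repeat inbound peers. The sample entries are constructed from the shapes quoted above, with documentation-range IPs and placeholder addresses, and the regular expressions assume the exact wording of the Exchange 2003 event bodies shown in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample entries modelled on the MSExchangeTransport 3030 and 7010
# events quoted in the thread. IPs and addresses are placeholders, not real peers.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (3030, 'A non-delivery report with a status code of 4.1.7 was generated for '
           'recipient rfc822;user1@example.it (Message-ID <SERVER0001@mydomain.example>).'),
    (3030, 'A non-delivery report with a status code of 5.1.1 was generated for '
           'recipient rfc822;user2@example.net (Message-ID <SERVER0002@mydomain.example>).'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection #1. '
           'The client at "192.0.2.10" sent a "mail" command, and the SMTP server '
           'responded with "503 5.5.2 Sender already specified  ". The full command '
           'sent was "mail FROM: <spam@example.com>".  This will probably cause the connection to fail.'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection #3. '
           'The client at "192.0.2.10" sent a "mail" command, and the SMTP server '
           'responded with "503 5.5.2 Sender already specified  ". The full command '
           'sent was "mail FROM: <spam2@example.com>".  This will probably cause the connection to fail.'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection #2. '
           'The client at "198.51.100.7" sent a "xexch50" command, and the SMTP server '
           'responded with "504 Need to authenticate first  ". The full command sent '
           'was "xexch50 2136 3".  This will probably cause the connection to fail.'),
    (7010, 'This is an SMTP protocol warning log for virtual server ID 1, connection #270. '
           'The remote host "203.0.113.5", responded to the SMTP command "rcpt" with '
           '"451 4.7.1 Greylisting in action, please come back later  ". The full '
           'command sent was "RCPT TO:<someone@example.org>  ".  This may cause the connection to fail.'),
]

# Patterns follow the event wording shown in the thread (an assumption about the
# exact Exchange 2003 text; adjust if your build phrases the entries differently).
NDR_RE = re.compile(r'status code of (\d\.\d\.\d) was generated for recipient rfc822;(\S+?) \(')
INBOUND_RE = re.compile(r'The client at "([\d.]+)" sent a "(\w+)" command, '
                        r'and the SMTP server responded with "(\d{3})')
OUTBOUND_RE = re.compile(r'The remote host "([\d.]+)", responded to the SMTP command '
                         r'"(\w+)" with "(\d{3})(?: (\d\.\d\.\d))?')


@dataclass
class Finding:
    event_id: int
    direction: str            # 'ndr' (our own bounce), 'inbound' (peer -> us) or 'outbound' (us -> peer)
    source_ip: Optional[str]  # peer address for 7010 entries, None for NDRs
    category: str             # coarse triage bucket used for counting
    detail: str               # human-readable explanation


def classify(event_id: int, text: str) -> Finding:
    """Map one 3030/7010 event body to a triage bucket."""
    if event_id == 3030:
        m = NDR_RE.search(text)
        if m is None:
            return Finding(event_id, 'ndr', None, 'other', 'unrecognised 3030 text')
        code, rcpt = m.groups()
        if code.startswith('4.'):   # 4.x.x = transient: remote deferred us, queue will retry
            return Finding(event_id, 'ndr', None, 'greylist-deferred',
                           f'transient NDR for {rcpt}: remote side deferred (typical of greylisting)')
        return Finding(event_id, 'ndr', None, 'permanent-ndr',
                       f'permanent NDR for {rcpt}: mail submitted here was rejected; check which account sent it')
    m = INBOUND_RE.search(text)
    if m:
        ip, cmd, code = m.groups()
        if cmd.lower() == 'xexch50' and code == '504':
            return Finding(event_id, 'inbound', ip, 'xexch50-refused',
                           'unauthenticated XEXCH50 rejected: routine Exchange-to-Exchange chatter, nothing relayed')
        if code == '503':
            return Finding(event_id, 'inbound', ip, 'client-protocol-error',
                           f'client repeated {cmd.upper()} out of sequence: broken client or probe, session rejected')
        return Finding(event_id, 'inbound', ip, 'other', f'client {cmd} answered {code}')
    m = OUTBOUND_RE.search(text)
    if m:
        ip, cmd, code, enhanced = m.groups()
        if code == '451' and enhanced == '4.7.1':
            return Finding(event_id, 'outbound', ip, 'remote-greylisting',
                           'remote host greylisted our delivery attempt; the queue will retry')
        return Finding(event_id, 'outbound', ip, 'other', f'remote answered {cmd} with {code}')
    return Finding(event_id, 'unknown', None, 'other', 'unrecognised 7010 text')


def triage(events: List[Tuple[int, str]]) -> List[Finding]:
    return [classify(eid, text) for eid, text in events]


def category_counts(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def repeat_inbound_sources(findings: List[Finding], threshold: int = 2) -> List[str]:
    """Peers that hit the inbound SMTP service repeatedly: the single-vs-many IP question of Job 2."""
    hits = Counter(f.source_ip for f in findings if f.direction == 'inbound' and f.source_ip)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == '__main__':
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f'{f.event_id} {f.direction:8} {f.source_ip or "-":15} {f.category:22} {f.detail}')
    print('by category:', dict(category_counts(results)))
    print('repeat inbound sources:', repeat_inbound_sources(results))
```

None of the buckets above is evidence of relaying on its own; what the thread treats as the real indicator is the outbound queues filling with mail nobody on site sent. Run the classifier over a day's worth of exported event text, and treat a large count of permanent NDRs or a single inbound peer appearing over and over as the cue to check the queues and the accounts allowed to authenticate to SMTP.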
