Anti-Mhz
asked on
Could my Exchange server be open relay?
Using Exchange 2003 SP2
I have quite a few of these dated today, Saturday, when there are no employees sending out emails:
MSExchangeTransport 3030
A non-delivery report with a status code of 4.1.7 was generated for recipient rfc822;m.lunetta@cia.it (Message-ID <SERVERSORH9HWP5RvIT00000cfa@mydomain.com>).
A non-delivery report with a status code of 4.1.1 was generated for recipient rfc822;fmorandi@unimo.it (Message-ID <SERVERGzrLCCtgx8VUk00000cd6@mydomain.com>).
A non-delivery report with a status code of 4.1.7 was generated for recipient rfc822;dusan@ictp.trieste.it (Message-ID <SERVERW3l1GM3h3vLgA00000cc7@mydomain.com>).
A non-delivery report with a status code of 4.1.1 was generated for recipient rfc822;longd@sgi.net (Message-ID <SERVERHusMjQHtMFauk00000c43@mydomain.com>).
Now I've run the test at mxtoolbox.com against my domain to check if it's an open relay. MxToolbox gave me green lights on all checks, meaning that it's not. I've also run the domain against numerous blacklists on the web and I don't seem to be listed anywhere (good thing). We also have daily anti-virus scans with Symantec Endpoint Protection that check for viruses and rootkits. Yet I keep receiving these messages in the Event Log. What's the meaning of this? Do I have a huge hole somewhere in my security? If so, what should I be checking?
ASKER
550 5.7.1 Unable to relay for bad@gmail.com
steps 1 and 2 are ok
If it's not an open relay, then what could all these messages in the event log be? There are lots of them. Could that be "hackers" attempting to relay?
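The manual relay test the poster ran (an outside MAIL FROM, an outside RCPT TO, expecting "550 5.7.1 Unable to relay") can be scripted so it is repeatable and so the answer is read from the reply code rather than eyeballed. The following is an added example, not code from this thread or from any of the articles linked in it. It assumes nothing about the poster's server: the transport is pluggable, and the two canned dialogues (REJECTING_SERVER, OPEN_RELAY_SERVER) are constructed replies, one modelled on Exchange's 550 5.7.1 refusal and one on a server that accepts everything. The hostnames, addresses and helper names (relay_test, ScriptedTransport, SocketTransport) are mine.

```python
import socket

# Constructed reply scripts, not captured from the poster's server. One entry
# per line the server sends; "250-" entries are continuation lines of a
# multi-line EHLO reply. The first mimics Exchange 2003's "550 5.7.1 Unable to
# relay" refusal, the second a server that accepts everything.
REJECTING_SERVER = [
    "220 mail.example.com Microsoft ESMTP MAIL Service ready",
    "250-mail.example.com Hello [203.0.113.5]",
    "250-AUTH GSSAPI NTLM LOGIN",
    "250-X-EXPS GSSAPI NTLM",
    "250 OK",
    "250 2.1.0 probe@example.net....Sender OK",
    "550 5.7.1 Unable to relay for relaytest@example.org",
    "250 2.0.0 Resetting",
    "221 2.0.0 mail.example.com Service closing transmission channel",
]
OPEN_RELAY_SERVER = [
    "220 relay.example.com ESMTP",
    "250 relay.example.com",
    "250 OK",
    "250 OK",
    "250 OK",
    "221 Bye",
]


class SocketTransport:
    """Real TCP transport for a live run: SocketTransport("mail.example.com")."""
    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))
    def readline(self):
        return self.rfile.readline().decode("ascii", errors="replace")
    def close(self):
        self.sock.close()


class ScriptedTransport:
    """Offline transport: replays canned replies and records what we sent."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []
    def send(self, line):
        self.sent.append(line)
    def readline(self):
        return self.replies.pop(0) + "\r\n" if self.replies else ""
    def close(self):
        pass


def read_reply(t):
    """Read one SMTP reply, joining the multi-line "250-..." form; return (code, text)."""
    lines = []
    while True:
        line = t.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), "\n".join(lines)


def command(t, line):
    t.send(line)
    return read_reply(t)


def relay_test(t, helo="probe.example.net", mail_from="probe@example.net",
               rcpt_to="relaytest@example.org"):
    """EHLO / MAIL FROM / RCPT TO with an outside sender and an outside recipient.
    open_relay is True only if RCPT for a domain the server is not responsible
    for is accepted; a 550 5.7.1 at that point is the correct refusal."""
    result = {"open_relay": False, "advertises_auth": False,
              "mail_reply": None, "rcpt_reply": None}
    code, banner = read_reply(t)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {banner}")
    code, ehlo = command(t, f"EHLO {helo}")
    # "250-AUTH ..." (or "250-AUTH=...") means authenticated relay is on offer:
    # a server that refuses below can still relay for anyone with a password.
    result["advertises_auth"] = any(
        line[4:].upper().startswith("AUTH") for line in ehlo.splitlines()[1:])
    code, result["mail_reply"] = command(t, f"MAIL FROM:<{mail_from}>")
    if code == 250:
        code, result["rcpt_reply"] = command(t, f"RCPT TO:<{rcpt_to}>")
        result["open_relay"] = code in (250, 251)
        command(t, "RSET")          # never go as far as DATA
    command(t, "QUIT")
    t.close()
    return result


def demo():
    """Offline run against both scripts; returns (rejecting, open) results."""
    return (relay_test(ScriptedTransport(REJECTING_SERVER)),
            relay_test(ScriptedTransport(OPEN_RELAY_SERVER)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # python relaycheck.py mail.example.com
        print(relay_test(SocketTransport(sys.argv[1])))
    else:
        for r in demo():
            print(r)
```

Run a live check from outside your own network: Exchange decides relay permission on the connecting IP, so an internal client may be allowed to relay legitimately. Use an RCPT TO domain you are not authoritative for, otherwise a 250 at RCPT is ordinary inbound acceptance. A server that refuses at RCPT can still relay for anyone who authenticates, which is what the advertises_auth flag is there to remind you of; that case is not detectable by this probe and needs the SMTP AUTH logging discussed later in the thread.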
If your server is being abused then you can tell because there will be a lot of messages in the queues. It could be a spammer probing the defences.
However it isn't just open relay that can allow your server to be abused - authenticated relaying can also take place. Again if your server has been compromised then there will be a lot of messages in the queues.
Simon.
ASKER
Yeah, there are lots of messages in the queue. Is there good reading material on what my steps should be to eliminate this?
No... your server is not open for relay.
The NDRs you are getting are something called greylisting.
Go through the following post... it will make sense:
http://theessentialexchange.com/blogs/michael/archive/2007/11/16/exchange-2003-sp2-and-greylisting.aspx
If there are lots of messages in the queues, then your server is being abused, and you need to find out how. The most likely is an authenticated relay, and the usual account targeted for that is the Administrator account.
Start with my clean up article: http://www.amset.info/exchange/spam-cleanup.asp
Simon.
ASKER
@mestha I followed your article http://www.amset.info/exchange/spam-cleanup.asp
Check Whether an Authenticated User is Relaying
This technique requires the Windows Event Viewer to determine whether a user is trying to use the SMTP service in Exchange to send email. If you have disabled the authenticated user option already then this isn't an issue. (more info)
Start ESM.
Expand Servers and then right click on your server and choose Properties.
Click on the "Diagnostic Logging" tab.
In the list of "Services" on the right, find "MSExchangeTransport".
In the resulting list choose "SMTP Protocol".
Below the list, change the "Logging Level" to Maximum.
Press Apply/OK to close Server Properties.
and now I have 4 new error messages under Applications in the Event Viewer.
Here they are.
MSExchangeTransport Eventid 7010
This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "88.102.192.190" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified ". The full command sent was "mail FROM: <meandersvpw4@allcitypestcontrol.com>". This will probably cause the connection to fail.
For more information, click http://www.microsoft.com/contentre
MSExchangeTransport Eventid 7010
This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "88.102.192.190" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified ". The full command sent was "mail FROM: <meandersvpw4@allcitypestcontrol.com>". This will probably cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.asp.
MSExchangeTransport Eventid 7010
This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "88.102.192.190" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified ". The full command sent was "mail FROM: <spaghettiytlu8736@centroformacionvial.com>". This will probably cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.as
MSExchangeTransport Eventid 7010
This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "213.221.60.186" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 2136 3". This will probably cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.asp
ASKER
@Mestha I should add that I checked whether the server is under NDR attack using the following method
1. Start Exchange System Manager.
2. Go to Servers, <your server>, Queues in Exchange 2003, or down to Protocols, SMTP in Exchange 2000.
3. Select a queue that contains many messages, click Find messages, and then click Find Now.
4. In the Sender field of the messages will be an address. If it is postmaster@ your domain then the message is an NDR. You can view the recipient of the NDR by double clicking on the message.
and all of the queues are at 0, which I take as a good thing.
If all of your queues are empty then, unless you are using a smart host, that does not mean your server is being abused. If a spammer finds a server they can abuse they will - you will get 1000s of messages dumped on to the server.
The rest of the errors are most likely syntax errors by the sending server or a spammer probing away. Alas, with logging turned right up you will see a lot of things that can normally be ignored.
Simon.
ASKER
I keep getting these errors in the application log, like:
This is an SMTP protocol log for virtual server ID 1, connection #266. The client at "213.221.60.186" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 2352 2". This will probably cause the connection to fail.
For more information, click http://w
This is an SMTP protocol log for virtual server ID 1, connection #276. The client at "82.135.105.22" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 1020 2". This will probably cause the connection to fail.
This is an SMTP protocol warning log for virtual server ID 1, connection #270. The remote host "80.93.49.78", responded to the SMTP command "rcpt" with "451 4.7.1 Greylisting in action, please come back later ". The full command sent was "RCPT TO:<zai@nevael.ru> ". This may cause the connection to fail.
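Reading 7010 events one at a time stops scaling once SMTP Protocol logging is at Maximum. The following added example (not from this thread or from the linked articles) parses the two shapes of 7010 text that appear in the posts above, the inbound form ("The client at ... sent a ... command") and the outbound form ("The remote host ... responded to the SMTP command ..."), and keeps them apart: inbound entries are other hosts talking to your server, which is where the XEXCH50 and "Sender already specified" noise lives, while outbound entries mean your own server initiated a delivery, and that is the list to reconcile against what your users actually sent when nobody is in the office. The sample lines are constructed to mirror the post's events with documentation IPs and example addresses; the labels and function names (parse_event, triage) are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events modelled on the 7010 entries in the post. IPs are
# documentation ranges and the addresses are example domains, not real ones.
SAMPLE_EVENTS = [
    'This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "198.51.100.7" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified ". The full command sent was "mail FROM: <meanders1@pest.example>". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "198.51.100.7" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified ". The full command sent was "mail FROM: <spaghetti2@vial.example>". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "203.0.113.9" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 2136 3". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #266. The client at "203.0.113.9" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 2352 2". This will probably cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #270. The remote host "192.0.2.44", responded to the SMTP command "rcpt" with "451 4.7.1 Greylisting in action, please come back later ". The full command sent was "RCPT TO:<zai@nevael.example> ". This may cause the connection to fail.',
    'Unrelated application log line that should be counted as unparsed.',
]

# Inbound: a remote client sent us a command and our server replied.
INBOUND_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The client at "(?P<ip>[^"]+)" sent a '
    r'"(?P<cmd>[^"]+)" command, and the SMTP server responded with '
    r'"(?P<reply>[^"]+?)\s*"\. The full command sent was "(?P<full>[^"]*?)\s*"')
# Outbound: our server was the client and a remote host replied to us.
OUTBOUND_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<ip>[^"]+)", responded to '
    r'the SMTP command "(?P<cmd>[^"]+)" with "(?P<reply>[^"]+?)\s*"\. '
    r'The full command sent was "(?P<full>[^"]*?)\s*"')
RCPT_RE = re.compile(r'<([^<>]+@[^<>]+)>')


def parse_event(text):
    """Return a dict for one 7010 message, or None if the text is not one."""
    m, direction = INBOUND_RE.search(text), "inbound"
    if m is None:
        m, direction = OUTBOUND_RE.search(text), "outbound"
    if m is None:
        return None
    ev = m.groupdict()
    ev["direction"] = direction
    ev["conn"] = int(ev["conn"])
    ev["code"] = ev["reply"].split()[0]      # "503", "504", "451", ...
    return ev


def classify_inbound(ev):
    """Label what a remote client was doing to us; mostly noise or probing."""
    if ev["cmd"].lower() == "xexch50" and ev["code"] == "504":
        return "XEXCH50 without auth (Exchange-only verb from an outside host)"
    if ev["code"] == "503":
        return "command out of sequence (duplicate MAIL FROM etc.)"
    return f'{ev["cmd"].lower()} rejected with {ev["code"]}'


def triage(lines):
    """Split 7010 texts into per-IP inbound counts and a list of outbound deliveries."""
    report = {"inbound": defaultdict(Counter), "outbound": [], "unparsed": 0}
    for text in lines:
        ev = parse_event(text)
        if ev is None:
            report["unparsed"] += 1
            continue
        if ev["direction"] == "inbound":
            report["inbound"][ev["ip"]][classify_inbound(ev)] += 1
        else:
            # Our server was the SMTP client here: something on our side queued
            # a message for this recipient. With no users sending, each entry is
            # either backscatter (an NDR) or relayed spam; trace it in the queues.
            rcpt = RCPT_RE.search(ev["full"])
            report["outbound"].append({
                "conn": ev["conn"], "host": ev["ip"],
                "recipient": rcpt.group(1) if rcpt else None,
                "reply": ev["reply"]})
    return report


def demo():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Feed it the message text of every 7010 event exported from the Application log; the per-IP inbound counters show which addresses are hammering the server with XEXCH50 or malformed MAIL commands, and the outbound list is the one that must be empty on a day when nobody sent anything.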
see my website here http://www.petenetlive.com/Tech/Exchange/openrelay.htm
Regards,
PeteLong