• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 496
  • Last Modified:

Unknown SMTP Traffic Leaving Exchange

I have NetFlow Analyzer monitoring network traffic and have noticed hundreds of outgoing SMTP connections from our Exchange server to IPs all over the world. This is happening after hours when no one is at the office and remote users are probably not sending mail (not at 2 or 3 in the morning). When I look at the messages sent in the message tracking center everything looks on the up and up. I also have an Untangle box monitoring all SMTP traffic, but it doesn't seem to watch the outgoing SMTP, just POP. When I look in the outgoing queue in System Manager everything looks OK. I have followed all of the instructions from Amset's site about securing Exchange. I also have Snort running and see hundreds of "SMTP relaying denied" entries coming from the Exchange box.
Asked by jdcreece
1 Solution
 
flaphead_com Commented:
Is it happening all the time?

If the messages are trying to go out, why not put Netmon on the Exchange server and run it for a while to capture where on your network is trying to send mail?
0
 
jdcreece (Author) Commented:
Is Netmon like Snort or Wireshark? Does it show which Exchange users are sending mail to whom? NetFlow Analyzer uses the Cisco flow data sent from the gateway, which shows all traffic on the network already, and I know for a fact that all SMTP traffic is coming from Exchange only. Plus, port 25 is blocked outbound except for Exchange. The data is definitely coming from Exchange, but I don't know where.
0
 
Mestha Commented:
If you are seeing nothing in the queues then I doubt whether your server is being abused. If an Exchange server is abused successfully then you can tell as the logs will be full of messages.
If you are seeing relaying attempts in the logs then your Exchange server is doing what it is designed to - blocking the relay attempts. Nothing you can do to stop spammers from probing the server to see if it is an open relay, or doing an authenticated relay attack. All you can do is slow it down with tarpit and recipient filtering.

This may be a simple case of having too much information, information that you don't really need to worry about.

Simon.
0
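Simon's point is that the two observations in the question are different things: inbound relay attempts that Exchange rejects, and outbound port-25 connections that the flow collector reports. One way to check both from the flow data alone is to split flows by direction relative to the mail server, count outbound SMTP connections per hour, and flag off-hours bursts together with the destinations they go to. The script below is an added example (not code from the thread or from NetFlow Analyzer); the CSV export layout, the server address 10.0.0.5, the business-hours range and all the flow records are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed address of the Exchange server (constructed for this example).
EXCHANGE_IP = "10.0.0.5"

# Assumed local business hours, 07:00-18:59; anything else is "after hours".
BUSINESS_HOURS = range(7, 19)

# Constructed flow export. The column layout mimics a typical NetFlow CSV
# export but is an assumption, not NetFlow Analyzer's real format.
SAMPLE_FLOWS = """\
start,src_ip,src_port,dst_ip,dst_port,proto
2009-03-01 02:13:05,10.0.0.5,49152,203.0.113.10,25,tcp
2009-03-01 02:13:07,10.0.0.5,49153,198.51.100.7,25,tcp
2009-03-01 02:14:11,10.0.0.5,49154,203.0.113.10,25,tcp
2009-03-01 02:15:40,10.0.0.5,49155,192.0.2.44,25,tcp
2009-03-01 02:16:02,10.0.0.5,49156,192.0.2.45,25,tcp
2009-03-01 02:16:59,10.0.0.5,49157,203.0.113.11,25,tcp
2009-03-01 09:30:00,10.0.0.5,49200,203.0.113.10,25,tcp
2009-03-01 09:31:00,10.0.0.5,49201,198.51.100.7,25,tcp
2009-03-01 10:05:00,10.0.0.12,51000,10.0.0.5,25,tcp
2009-03-01 03:02:00,203.0.113.99,40000,10.0.0.5,25,tcp
"""


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed timestamp and ports."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        flows.append(row)
    return flows


def outbound_smtp(flows, mail_server=EXCHANGE_IP):
    """Connections the mail server itself opened to port 25 somewhere else."""
    return [f for f in flows
            if f["src_ip"] == mail_server and f["dst_port"] == 25 and f["proto"] == "tcp"]


def inbound_smtp(flows, mail_server=EXCHANGE_IP):
    """Connections from anywhere to the mail server's port 25 (where relay probes show up)."""
    return [f for f in flows
            if f["dst_ip"] == mail_server and f["dst_port"] == 25 and f["proto"] == "tcp"]


def by_hour(flows):
    """Count flows per clock hour (minute and second zeroed)."""
    return Counter(f["start"].replace(minute=0, second=0) for f in flows)


def off_hours_bursts(flows, threshold=5, business_hours=BUSINESS_HOURS):
    """Hours outside business_hours whose flow count reaches the threshold."""
    return {hour: count for hour, count in by_hour(flows).items()
            if hour.hour not in business_hours and count >= threshold}


def top_destinations(flows, n=3):
    """Most frequent destination addresses, for comparison against message tracking."""
    return Counter(f["dst_ip"] for f in flows).most_common(n)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    out = outbound_smtp(flows)
    print("outbound SMTP flows:", len(out), "inbound SMTP flows:", len(inbound_smtp(flows)))
    for hour, count in sorted(off_hours_bursts(out).items()):
        print("off-hours burst:", hour.strftime("%Y-%m-%d %H:00"), count, "connections")
    print("top destinations:", top_destinations(out))
```

An hour flagged by `off_hours_bursts` is the one to line up against the message tracking center: every outbound connection in that hour should correspond to a tracked message or an NDR; a destination in `top_destinations` that never appears in tracking is what would actually indicate abuse. The inbound flows are the other half of the picture and are the ones that produce the "relaying denied" Snort alerts.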
 
jdcreece (Author) Commented:
Thanks, I know I seem a little paranoid, but I just want to cover all of my bases. What is an auth relay attack?
0
 
Mestha Commented:
It is where a spammer is attempting to guess a password on your server, so that they can abuse it. Exchange has authenticated relaying enabled by default. Therefore if they can get a valid username and password then they can relay email through the server.

Simon.
0
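The attack Simon describes leaves a recognisable trace in the SMTP protocol log: a run of failed AUTH attempts from one client address, and, if a password is eventually guessed, a successful AUTH from that same address followed by MAIL and RCPT commands. The script below is an added example (not code from the thread or from Exchange) that parses such a log and flags both patterns, plus the relay rejections that correspond to the Snort alerts. The simplified W3C-style field layout, the response codes used (535 for a failed AUTH, 235 for a successful one, 550 for a rejected recipient) and all the log lines are constructed assumptions; a real Exchange SMTP log carries more columns, so adjust the regular expression to match.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt. The layout is an assumed simplification of a
# W3C-style SMTP protocol log: date time client-ip smtp-verb argument response-code.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-03-01 02:10:01 203.0.113.99 EHLO - 250
2009-03-01 02:10:02 203.0.113.99 AUTH LOGIN 535
2009-03-01 02:10:04 203.0.113.99 AUTH LOGIN 535
2009-03-01 02:10:05 203.0.113.99 AUTH LOGIN 535
2009-03-01 02:10:07 203.0.113.99 AUTH LOGIN 535
2009-03-01 02:10:09 203.0.113.99 AUTH LOGIN 235
2009-03-01 02:10:10 203.0.113.99 MAIL FROM:<x@example.net> 250
2009-03-01 02:10:11 203.0.113.99 RCPT TO:<y@example.org> 250
2009-03-01 08:15:00 10.0.0.23 AUTH LOGIN 535
2009-03-01 08:15:30 10.0.0.23 AUTH LOGIN 235
2009-03-01 02:40:00 198.51.100.7 RCPT TO:<z@example.org> 550
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

AUTH_FAILED, AUTH_OK, REJECTED = 535, 235, 550


def parse_log(text):
    """Turn log lines into event dicts, skipping header/comment lines and junk."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, ip, verb, arg, code = match.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "ip": ip, "verb": verb, "arg": arg, "code": int(code)})
    return sorted(events, key=lambda e: e["ts"])


def auth_failures_by_ip(events):
    """Total failed AUTH attempts per client address."""
    return Counter(e["ip"] for e in events
                   if e["verb"] == "AUTH" and e["code"] == AUTH_FAILED)


def brute_force_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Addresses with at least `threshold` failed AUTHs inside any `window`.

    Returns {ip: max failures seen within one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["verb"] == "AUTH" and e["code"] == AUTH_FAILED:
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def success_after_failures(events, min_failures=3):
    """AUTH successes preceded by a streak of failures from the same address.

    This is the signature of a guessed password; returns [(ip, ts, failures)]."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        if e["verb"] != "AUTH":
            continue
        if e["code"] == AUTH_FAILED:
            streak[e["ip"]] += 1
        elif e["code"] == AUTH_OK:
            if streak[e["ip"]] >= min_failures:
                hits.append((e["ip"], e["ts"], streak[e["ip"]]))
            streak[e["ip"]] = 0
    return hits


def relay_rejections_by_ip(events):
    """RCPT commands the server refused, i.e. the relay attempts it blocked."""
    return Counter(e["ip"] for e in events
                   if e["verb"] == "RCPT" and e["code"] == REJECTED)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("failed AUTH per IP:", dict(auth_failures_by_ip(ev)))
    print("brute-force sources:", brute_force_sources(ev))
    print("guessed passwords:", success_after_failures(ev))
    print("relay rejections per IP:", dict(relay_rejections_by_ip(ev)))
```

In the constructed data, 203.0.113.99 is flagged by both `brute_force_sources` and `success_after_failures`, which is the case to act on (reset the account involved and review what it sent), whereas 10.0.0.23 with a single typo-then-success is ordinary user behaviour. The `relay_rejections_by_ip` count is the log-side view of the Snort "relaying denied" alerts: high numbers there confirm the server is refusing, not relaying.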
 
jdcreece (Author) Commented:
I have users using OWA and RPC-over-HTTP. Can I turn auth relay off?
0
 
Mestha Commented:
If you don't have any POP3/IMAP clients then it can be turned off. It will stop spammers from trying to attack the server; they will simply get nowhere.

Simon.
0