Solved

open relay was closed, but spam still showing up in queue

Posted on 2009-07-15
Last Modified: 2013-11-30
Hi All,
We had a misconfigured receive connector in Exchange 2007, which caused it to be an open relay for a couple of days. I've since disabled that receive connector, only leaving the default. When I run an open relay tester online, it says it's closed. However, I'm still seeing relayed messages in the outbound queue that are sticking.

Does anyone know what else I should be checking to make sure I'm secure, or perhaps how relayed messages are still making it in? Please don't hesitate to ask for clarification or current settings. Thanks!
0
Comment
Question by:-JT

Author Comment

by:-JT
ID: 24861319
Oh, by the way, we have the current service pack installed and this is a single Exchange box environment, no edge server.
0
 
LVL 30

Accepted Solution

by:
Britt Thompson earned 300 total points
ID: 24861450
You may have an authenticated relay going on or a user on your network with a bug. Check this article to help you lock it down.

http://renazonse.com/?p=1
0
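Added example, not part of the original answer or the linked article: read-only Exchange Management Shell checks for the cases raised in this thread (a connector that still relays, an internal or authenticated sender, or mail left over in the queue). The three-day window and the result limits are assumptions.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 Hub Transport server.
# Every command here only reads configuration or logs.

# 1. Receive connectors: which are enabled, who may use them, from which addresses.
Get-ReceiveConnector |
    Format-List Identity, Enabled, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Connectors on which anonymous senders may relay to any recipient.
#    An empty result means no connector grants anonymous relay.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object {
        $_.User -like '*ANONYMOUS LOGON*' -and
        -not $_.Deny -and
        ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*')
    } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 3. Externally Secured connectors trust every host in RemoteIPRanges,
#    so a wide range here relays for anyone inside it.
Get-ReceiveConnector |
    Where-Object { [string]$_.AuthMechanism -match 'ExternalAuthoritative' } |
    Format-List Identity, RemoteIPRanges, PermissionGroups

# 4. What is still queued, and which source addresses submitted it.
#    A FromAddress of "<>" marks NDRs generated by this server for mail
#    it accepted earlier, not a new relay.
$busy = Get-Queue | Where-Object { $_.MessageCount -gt 0 }
$busy | Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain -AutoSize
$busy | ForEach-Object { Get-Message -Queue $_.Identity -ResultSize 200 } |
    Group-Object SourceIP, FromAddress | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Message tracking: which client IPs and connectors accepted SMTP mail recently.
#    An internal workstation address points at an infected or misused client;
#    an external address points at a connector that still relays.
Get-MessageTrackingLog -EventId RECEIVE -Start (Get-Date).AddDays(-3) -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' } |
    Group-Object ClientIp, ConnectorId | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```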
 

Author Comment

by:-JT
ID: 24862138
renazonse, thank you. I'm currently going through the article you sent me. I'll post back as soon as I finish...
0

 

Author Comment

by:-JT
ID: 24862575
Blacklist check: Well, luckily we hadn't gotten blacklisted in the last couple of days! So I was clear there.
Filtering service: We had just instituted Postini, which I believe was the origin of this problem. Not Postini, but my misconfiguration of the Exchange server side of it. I had worked with Postini and Exchange 2003 but not with Exchange 2007. I've only been administering 2007 for a few months now.  :)
Close port 25: I denied SMTP from INSIDE_ANY to OUTSIDE_ANY. But set another rule for SERVER_GROUP to OUTSIDE_ANY SMTP allow. That seems like it should allow port 25 from our servers, while blocking it from anywhere else, right?
Enable transport logging: I did enable transport logging and so far so good, I don't see much of anything showing up in the logs with the source being MSExchangeTransport. The last thing was a "recipient group membership cache loaded" message with an address of a legit local user.
Clean the queue: That's a handy deletion tip you had in that article, I could have used that yesterday, lol. Anyhow, I cleaned out the handful that had trickled in this morning and it is clear right now.
-----------------------------------
I disabled the original send connector and only the Postini send connector is enabled, so everything should go to Postini, right? I checked the headers from a test message to a personal acct of mine and it did show reception from Postini. However, I did notice that the header still contains the origin, which included my actual server name in it. That doesn't seem good. Is that normal? Or something that should/can be changed?
Sorry this is so long, but I wanted to be thorough so you know exactly what I did!
0
 
LVL 17

Assisted Solution

by:Suraj
Suraj earned 200 total points
ID: 24862941
Guess you do not have the anti-spam filters installed or configured properly:

Just do the following:

1) Install the agents:
           C:\Program Files\Microsoft\Exchange Server\Scripts\Install-AntispamAgents.ps1
2) Restart the transport service

3) +> Check if they are installed by: Get-TransportAgent

4) Then go to the Exchange Management Console.
Under Org Configuration, click on Hub Transport
Click on the Anti-spam tab
And you need to configure the following:
+> On the IP Block List Providers, add:

   1) Spam Haus
          zen.spamhaus
   2) Open relay test
          dnsbl.sorbs.net
   3) Abusive host
          dnsbl.ahbl.org

+> On Recipient Filtering -> Blocked Recipients -> check the option "Block messages sent to recipients not listed in the Global Address List".
+> On Sender Filtering -> Blocked Senders -> check the option "Block messages from blank senders".

5) Stop the Microsoft Exchange Transport service
6) Now open My Computer... DRIVE\PROGRAM FILE\MICROSOFT\EXCHANGE SERVER\.... DATA
Rename the DATA folder to DATAold
7) Restart the transport service again.
x-sam
0
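Added example, not from the original post: steps 1 to 4 above done from the Exchange Management Shell instead of the console, followed by a check of the result. The provider display names are made up for illustration, and `zen.spamhaus.org` is the full name of the Spamhaus zone that the post abbreviates.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
# The path assumes the default install location.
& 'C:\Program Files\Microsoft\Exchange Server\Scripts\Install-AntispamAgents.ps1'
Restart-Service MSExchangeTransport

# The anti-spam agents should now be listed and enabled.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# IP block list providers named in the post (display names are illustrative).
# Confirm each list still operates before enabling it: a retired list can
# answer every query as "listed" and block all inbound mail.
$providers = @{
    'Spamhaus ZEN' = 'zen.spamhaus.org'
    'SORBS'        = 'dnsbl.sorbs.net'
    'AHBL'         = 'dnsbl.ahbl.org'
}
foreach ($name in $providers.Keys) {
    $zone = $providers[$name]
    # Skip providers that are already configured so the script can be re-run.
    $existing = Get-IPBlockListProvider |
        Where-Object { [string]$_.LookupDomain -eq $zone }
    if (-not $existing) {
        Add-IPBlockListProvider -Name $name -LookupDomain $zone -Enabled $true
    }
}

# Reject mail addressed to recipients that are not in the Global Address List.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Reject mail that arrives with a blank sender.
Set-SenderFilterConfig -BlankSenderBlockingEnabled $true

# Verify the resulting configuration.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Priority, Enabled -AutoSize
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-SenderFilterConfig | Format-List Enabled, BlankSenderBlockingEnabled
```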
 

Author Comment

by:-JT
ID: 24863856
Hi x-sam, thanks for the reply. Actually we set up Postini mail services to handle all that stuff, but I can definitely use your tips for when I have to set up Exchange 07 for someone who doesn't have a spam service. So, I'm going to keep that info handy.
 
Thanks again.
 
0
 
LVL 17

Expert Comment

by:Suraj
ID: 24867374
Though you have Postini, that's not enough. Exchange's inbuilt spam filters are better. Try that out.
0
 

Author Comment

by:-JT
ID: 24870643
OK, I'll set up the Exchange filtering as well. I guess you really can never be too careful. Thanks again.
0
