  • Status: Solved

open relay was closed, but spam still showing up in queue

Hi All,
We had a misconfigured receive connector in Exchange 2007, which caused it to be an open relay for a couple of days. I've since disabled that receive connector, only leaving the default. When I run an open relay tester online, it says it's closed. However, I'm still seeing relayed messages in the outbound queue that are sticking.

Does anyone know what else I should be checking to make sure I'm secure, or perhaps how relayed messages are still making it in? Please don't hesitate to ask for clarification or current settings. Thanks!
-JT
 
-JT (Author) commented:
Oh, by the way, we have the current service pack installed and this is a single exchange box environment, no edge server.
 
Britt Thompson (Sr. Systems Engineer) commented:
You may have an authenticated relay going on or a user on your network with a bug. Check this article to help you lock it down.

http://renazonse.com/?p=1
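
To tell a connector that still accepts anonymous relay apart from an authenticated relay or an infected internal host, the checks below can be run in the Exchange Management Shell. This is an added example, not part of the original thread; the three-day window is an assumption based on the relay having been open for a couple of days.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 server.
# Assumption: message tracking is enabled (the default) and the logs still
# cover the period when the connector was open.

# 1) Receive connectors that still grant anonymous senders the right to
#    submit mail for ANY recipient. That extended right is what makes a
#    connector an open relay.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object {
        $_.User -like '*ANONYMOUS LOGON*' -and -not $_.Deny -and
        ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
    } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 2) Every connector with its state, listening bindings, allowed client
#    ranges and authentication settings. A disabled connector shows
#    Enabled = False; authenticated relay depends on AuthMechanism and
#    PermissionGroups of the connectors that remain enabled.
Get-ReceiveConnector |
    Format-List Name, Enabled, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 3) What is sitting in the queues, grouped by submitting IP and sender.
#    An empty sender (<>) is typically a delivery status notification (NDR)
#    rather than a new submission.
Get-Message |
    Group-Object SourceIP, FromAddress |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4) Where mail entered over the last three days (window is an assumption).
#    Source SMTP = accepted by a receive connector (ClientIp is the peer);
#    Source STOREDRIVER = submitted from a mailbox on this server.
$since = (Get-Date).AddDays(-3)
Get-MessageTrackingLog -Start $since -EventId RECEIVE -ResultSize Unlimited |
    Group-Object Source, ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

An empty result from step 1 together with a single internal ClientIp dominating step 4 points at a host on the network rather than at the connector.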
 
-JT (Author) commented:
renazonse, thank you. I'm currently going through the article you sent me. I'll post back as soon as I finish...
 
-JT (Author) commented:
Blacklist check: Well, luckily we hadn't gotten blacklisted in the last couple of days! So I was clear there.
Filtering service: We had just instituted Postini, which I believe was the origin of this problem. Not Postini, but my misconfiguration of the Exchange server side of it. I had worked with Postini and Exchange 2003 but not with Exchange 2007. I've only been administering 2007 for a few months now. :)
Close port 25: I denied SMTP from INSIDE_ANY to OUTSIDE_ANY, but set another rule for SERVER_GROUP to OUTSIDE_ANY SMTP allow. That seems like it should allow port 25 from our servers, while blocking it from anywhere else, right?
Enable transport logging: I did enable transport logging and so far so good. I don't see much of anything showing up in the logs with the source being MSExchangeTransport. The last thing was a "recipient group membership cache loaded" message with an address of a legit local user.
Clean the queue: That's a handy deletion tip you had in that article; I could have used that yesterday, lol. Anyhow, I cleaned out the handful that had trickled in this morning and it is clear right now.
-----------------------------------
I disabled the original send connector and only the Postini send connector is enabled, so everything should go to Postini, right? I checked the headers from a test message to a personal account of mine and it did show reception from Postini. However, I did notice that the header still contains the origin, which included my actual server name in it. That doesn't seem good. Is that normal? Or something that should/can be changed?
Sorry this is so long, but I wanted to be thorough so you know exactly what I did!
 
Suraj commented:
Guess you do not have the anti-spam filters installed or configured properly:

Just do the following:

1) Install the agents:
           C:\Program Files\Microsoft\Exchange Server\Scripts\Install-AntispamAgents.ps1
2) Restart the transport service.

3) Check if they are installed with: Get-TransportAgent

4) Then go to the Exchange Management Console.
Under Organization Configuration, click on Hub Transport.
Click on the Anti-spam tab.
You need to configure the following:
+> On the IP Block List Providers, add:

   1) Spamhaus
          zen.spamhaus
   2) Open relay test
          dnsbl.sorbs.net
   3) Abusive host
          dnsbl.ahbl.org

+> On Recipient Filtering -> Blocked Recipients, check the option "Block messages sent to recipients not listed in the Global Address List".
+> On Sender Filtering -> Blocked Senders, check the option "Block messages from blank senders".

5) Stop the Microsoft Exchange Transport service.
6) Now open My Computer... DRIVE\PROGRAM FILE\MICROSOFT\EXCHANGE SERVER\.... DATA
Rename the DATA folder to DATAold.
7) Restart the Transport service again.

x-sam
 
-JT (Author) commented:
Hi x-sam, thanks for the reply. Actually we set up Postini mail services to handle all that stuff, but I can definitely use your tips for when I have to set up Exchange 07 for someone who doesn't have a spam service. So, I'm going to keep that info handy.
 
Thanks again.
 
 
Suraj commented:
Though you have Postini, that's not enough. Exchange inbuilt spam filters are better. Try that out.
 
-JT (Author) commented:
OK, I'll set up the Exchange filtering as well. I guess you really can never be too careful. Thanks again.