
SBS 2003 - Mail Server Appears To Be Sending TONS of random mail - PLEASE Help

dsmjeff asked · 283 Views · Last Modified: 2013-11-30
Hi. I need some assistance locking down the Exchange side of an SBS 2003 server. We haven't ever had an issue until the last few weeks, but now I see hundreds of messages getting bounced back in the queues, so I know someone is using this server to relay. I've tried several random things and read different posts, and it appears that I have everything in order to prevent relays, but I guess not.

Can someone advise what I can do?
Thank you

tsmit877, IT Manager

Commented:
You have to turn on authentication for SMTP relay.  It sounds like you have anonymous access enabled.

If you are sure you have SMTP secured, then you have to investigate the possibility that someone out there has a legit username\password for your domain. You'll have to enable logging and start looking for what user account is being used to send these emails, then change the password on that account to resolve the issue.

Author

Commented:
Thanks for getting back to me.
What do I need to do to log? Where do I go?
Thanks
CERTIFIED EXPERT

Commented:
Check this article and make sure that you are not open relay.
http://amset.info/exchange/smtp-openrelay.asp
Other security measures are:
Antivirus up to date on the Exchange server.
Mail scanning software on Exchange.
Spam filtering software.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
"You have to turn on authentication for SMTP relay.  It sounds like you have anonymous access enabled."

That isn't quite correct.
To receive email you need to have anonymous enabled.
What you need to do is turn off authenticated relaying. That is the most common cause.
However do ensure that you have secured the server correctly. My spam clean up article linked to above will assist you in securing the server and cleaning it up.

Simon.

Author

Commented:
I am actually working with Exchange 2003, so this 2007 article was a little off. However, I did find a 2003 article and verified that I had logging set up.
I do see several emails that were NOT supposed to be sent from our domain in the logs.
They are all to different targets, addresses, etc.
Let's start at the beginning. What steps should I take from the top to block people from sending mail from our server?
Thanks
tsmit877, IT Manager

Commented:
1. Go to Start | All Programs | Microsoft Exchange | Exchange System Manager.
2. Expand Servers, expand <Servername> (the name of your Exchange server), expand Protocols, and expand SMTP.
3. Right-click Default SMTP Virtual Server, and select Properties.
4. On the Access tab, click the Relay button at the bottom.
5. Select the Only The List Below check box, and remove any entries in the list that aren't a part of your business network.
6. Select the Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above check box.
7. Close all dialog boxes.
tsmit877, IT Manager

Commented:
Also, when you are in the "Access" tab you will see an Authentication button. Click on Authentication, then de-select "Anonymous Access".

Don't forget to restart the SMTP (Simple Mail Transfer Protocol) service to make the changes take effect.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
My article linked to above - https://www.amset.info/exchange/spam-cleanup.asp will go through the complete procedure to find out which method is being used to abuse the server and to clean it up.

It is either authenticated relay, open relay or NDR spam.

Simon.
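tsmit877's advice to enable logging and look for the account being used, and Simon's list of the three usual abuse routes (authenticated relay, open relay, NDR spam), both come down to reading the SMTP virtual server's protocol log. The script below is an added example, not code from this thread or from amset.info. It assumes the log was written in W3C Extended format and reads the `#Fields:` header rather than hard-coding column positions; the field names used (`c-ip`, `cs-username`, `cs-method`, `cs-uri-query`, `sc-status`) are standard W3C names, but which of them your server actually logs depends on the fields you ticked in the logging properties. The log lines and the `example.com` local domain are constructed sample data, and the `DOMAIN\user` form of the authenticated account name is an assumption. It separates a refused relay attempt (the 550 you want to see when you run the telnet test) from accepted relays, and for accepted relays reports whether the session was authenticated and which account it used. NDR spam is not visible in this log shape, so it is not classified here.

```python
"""Summarise an Exchange 2003 SMTP protocol log (W3C Extended) to find which
client IP and which authenticated account is pushing mail through the server.

Added example for this thread; not code from the thread or from amset.info.
Log lines below are constructed sample data."""
import re
from collections import defaultdict

# Assumption: the domains this Exchange server is authoritative for.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample log. Field names are standard W3C names; the set logged
# by a real server depends on the fields enabled in the logging properties.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-11 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-05-11 00:01:10 203.0.113.45 - EHLO +relay.example.net 250
2009-05-11 00:01:11 203.0.113.45 - MAIL +FROM:<bounce@bulkmail.example.net> 250
2009-05-11 00:01:11 203.0.113.45 - RCPT +TO:<victim1@example.org> 550
2009-05-11 00:02:30 198.51.100.7 EXAMPLE\\jsmith AUTH +LOGIN 235
2009-05-11 00:02:31 198.51.100.7 EXAMPLE\\jsmith MAIL +FROM:<promo@bulkmail.example.net> 250
2009-05-11 00:02:31 198.51.100.7 EXAMPLE\\jsmith RCPT +TO:<victim2@example.org> 250
2009-05-11 00:02:32 198.51.100.7 EXAMPLE\\jsmith RCPT +TO:<victim3@example.net> 250
2009-05-11 00:05:00 192.0.2.10 - MAIL +FROM:<partner@example.org> 250
2009-05-11 00:05:01 192.0.2.10 - RCPT +TO:<jsmith@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Skip truncated or malformed rows instead of crashing on them.
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def address_in(query):
    """Pull the address out of '+FROM:<a@b>' / '+TO:<a@b>'; '' if absent."""
    m = re.search(r"<([^>]*)>", query)
    return m.group(1).lower() if m else ""


def domain_of(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def summarise(text, local_domains=LOCAL_DOMAINS):
    """Group rows by (client IP, authenticated user) and count what each
    session was allowed to do. Only RCPT verdicts matter for relay abuse."""
    sessions = defaultdict(lambda: {"sender": "", "accepted_external": 0,
                                    "accepted_inbound": 0, "rejected": 0})
    for rec in parse_w3c(text):
        s = sessions[(rec["c-ip"], rec["cs-username"])]
        verb = rec["cs-method"].upper()
        if verb == "MAIL":
            s["sender"] = address_in(rec["cs-uri-query"])
        elif verb == "RCPT":
            rcpt = address_in(rec["cs-uri-query"])
            if not rec["sc-status"].startswith("25"):
                s["rejected"] += 1          # relay (or recipient) refused: good
            elif domain_of(rcpt) in local_domains:
                s["accepted_inbound"] += 1  # ordinary inbound delivery
            else:
                s["accepted_external"] += 1  # server agreed to relay outward
    return sessions


def classify(sessions, local_domains=LOCAL_DOMAINS):
    """Report every session the server relayed for, worst first."""
    findings = []
    for (ip, user), s in sessions.items():
        if s["accepted_external"] == 0:
            continue  # nothing relayed from this session
        findings.append({
            "ip": ip,
            "user": user,
            "kind": "anonymous relay (open relay)" if user == "-" else "authenticated relay",
            "accepted_external": s["accepted_external"],
            # A MAIL FROM outside your own domains is a strong abuse signal.
            "foreign_sender": domain_of(s["sender"]) not in local_domains,
        })
    return sorted(findings, key=lambda f: -f["accepted_external"])


if __name__ == "__main__":
    for f in classify(summarise(SAMPLE_LOG)):
        print(f"{f['ip']:15} {f['user']:18} {f['kind']:32} "
              f"relayed={f['accepted_external']} foreign_sender={f['foreign_sender']}")
```

Run it against your own log directory by replacing `SAMPLE_LOG` with the file contents. In the sample, the 203.0.113.45 session is an outsider whose relay attempt got a 550, so it does not appear in the findings; the 198.51.100.7 session does, because it authenticated as `EXAMPLE\jsmith` and then relayed from a foreign sender address to two outside recipients, which is exactly the "someone has a legitimate username and password" case where the fix is a password change on that account.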

Author

Commented:
"Also when you are in the "Access" tab you will see an Authentication button. Click on Authentication then de-select "Anonymous Access"."

If I do the above, what will that do exactly?
Thanks
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
That is bad advice.
If you turn off anonymous then you will be unable to receive any email from external sources.

Simon.

Author

Commented:
I thought I read that somewhere; that's why I wanted to confirm.

Okay, regarding the Access tab and relay, I have two IPs there:
127.0.0.1 and the LAN server IP address.
I also have all users who authenticate allowed to relay. Is that good or bad?

Author

Commented:
Okay, just ran the telnet tests and it was NOT able to relay, so the relay is not open, which is great. But I have temporarily turned off outbound mail and I'm seeing a queue that is still getting unauthorized mail. I've changed the passwords and looked at all users to confirm we don't have any rogue users. What am I missing?
Thanks
Expert of the Quarter 2009
Expert of the Year 2009
Commented:

Author

Commented:
I did clean up the queue and have temporarily disabled outbound mail.
I'm not sure what you are referring to about "your article above". Are you also using the name mboppe?
I have updated my Symantec Endpoint definitions, and the server is set to run daily scans, but the logs are clean.
What do you have in mind for:

mail scanning software on Exchange.
spam filtering software
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
The article on amset.info is mine. The fact that someone else linked to it is just a matter of coincidence.

The queue should be clean and stay clean. Disabling outbound email isn't really what needs to be done, because a spammer can keep feeding messages to the server. You need to break the chain, which usually means taking the server off the Internet. Restarting the SMTP server service will also break the connection, but if you haven't closed the hole then it can be used again.

For AV on Exchange, anything but Symantec, McAfee or Trend. I have a number of clients on GFI Mail Security which is a multi engine product. Microsoft ForeFront is another.

For Antispam, making a recommendation is almost impossible. I have seen almost every product on the market work well, and then work very poorly.
I have two or three sites using Vamsoft ORF to great effect, including my home network. However I have another site where it isn't working that well.

You just need to go through the products and evaluate them against the email that you receive.

Simon.

Author

Commented:
I'm running Wireshark now to see what we've got going in and out on port 25.

Author

Commented:
Still haven't figured it out.
