Rowy
Exchange Event Log Analysis NDR Backscatter? Intruder?
Last month my server was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers, including the server. I now have the GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 12/23/2009
Time: 12:46:09 AM
User: N/A
Computer: CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 <calwaterserver.calruralwater.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed ". The full command sent was "RCPT TO:<ebrown@frii.com> ". This may cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: MSExchangeTransport
Event Category: NDR
Event ID: 3030
Date: 12/22/2009
Time: 7:35:37 PM
User: N/A
Computer: CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;344donna@charter.net (Message-ID <CALWATERSERVERLAztx0000005c@calruralwater.org>).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 12/22/2009
Time: 7:35:31 PM
User: N/A
Computer: CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source. 421-Please retry delivery later. 421-If you believe this may be in error you may go here: 421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp ". The full command sent was "MAIL FROM:<careers@survey.com> ". This may cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 12/22/2009
Time: 7:35:36 PM
User: N/A
Computer: CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/). ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se> ". This may cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.asp.
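The events quoted in the question can be triaged mechanically, which is the quickest way to tell "NDR backscatter" from "intruder". The script below is an added example written for this page, not code from the thread, GFI or Exchange. It parses the Description text of MSExchangeTransport event 7002 (a remote host rejected a command our server sent, so our server was the SMTP client) and event 3030 (our server generated an NDR), then separates the three things worth telling apart: mail relayed for a sender domain the server does not own, outbound NDRs (MAIL FROM:<>, the backscatter case) and reputation blocks from remote hosts. The sample events are the ones quoted above with the spacing that extraction inserted into addresses removed; the final event (host 192.0.2.25, empty MAIL FROM) is constructed to exercise the backscatter branch and is not from the question, and calruralwater.org is taken from the log as the local domain.

```python
import re
from collections import Counter

# Sample input: the MSExchangeTransport events quoted in the question, as
# (Event ID, Description). Spaces that extraction inserted inside addresses are
# removed. The last event (host 192.0.2.25, empty MAIL FROM) is CONSTRUCTED to
# exercise the backscatter branch and does not come from the question.
SAMPLE_EVENTS = [
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, '
           'connection #7480. The remote host "216.17.222.224", responded to the '
           'SMTP command "rcpt" with "421 4.7.1 <calwaterserver.calruralwater.org'
           '[71.6.54.234]>: Client host rejected: Abusive activity detected - '
           'relay temporarily suppressed ". The full command sent was '
           '"RCPT TO:<ebrown@frii.com> ". This may cause the connection to fail.'),
    (3030, 'A non-delivery report with a status code of 5.2.0 was generated for '
           'recipient rfc822;344donna@charter.net (Message-ID '
           '<CALWATERSERVERLAztx0000005c@calruralwater.org>).'),
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, '
           'connection #355. The remote host "207.67.72.231", responded to the '
           'SMTP command "mail" with "421-Connection dropped because your IP is '
           'a suspected spam source. 421-Please retry delivery later. ". The full '
           'command sent was "MAIL FROM:<careers@survey.com> ". This may cause '
           'the connection to fail.'),
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, '
           'connection #366. The remote host "62.168.128.20", responded to the '
           'SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender '
           'address rejected: Service unavailable, greylisted ". The full command '
           'sent was "RCPT TO:<026276912@hos.sandnet.se> ". This may cause the '
           'connection to fail.'),
    (7002, 'This is an SMTP protocol warning log for virtual server ID 1, '
           'connection #401. The remote host "192.0.2.25", responded to the SMTP '
           'command "mail" with "550 5.7.1 Null sender not accepted ". The full '
           'command sent was "MAIL FROM:<> ". This may cause the connection to fail.'),
]

RE_7002 = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to '
    r'the SMTP command "(?P<cmd>\w+)" with "(?P<reply>.*?)"\. The full command '
    r'sent was "(?P<full>[^"]*)"', re.S)
RE_3030 = re.compile(
    r'status code of (?P<status>\d\.\d\.\d) was generated for recipient '
    r'rfc822;(?P<rcpt>\S+)')
RE_ADDR = re.compile(r'<([^>]*)>')

# Reply text meaning the remote side blocks our IP on reputation rather than
# objecting to one recipient. Greylisting is left out on purpose: it is routine.
REPUTATION_WORDS = ("spam", "abusive", "blacklist", "blocklist", "reputation")


def parse_event(event_id, description):
    """Flatten one event into a dict; returns None for IDs this script ignores."""
    if event_id == 7002:
        m = RE_7002.search(description)
        if not m:
            return None
        reply = m.group("reply").strip()
        addr = RE_ADDR.search(m.group("full"))
        return {"kind": "smtp_reject", "conn": int(m.group("conn")),
                "remote_host": m.group("host"), "command": m.group("cmd").upper(),
                "code": int(reply[:3]), "reply": reply,
                "address": addr.group(1).lower() if addr else None}
    if event_id == 3030:
        m = RE_3030.search(description)
        if not m:
            return None
        return {"kind": "ndr", "status": m.group("status"),
                "recipient": m.group("rcpt").lower()}
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1] if address else ""


def triage(events, local_domains):
    """Separate relay abuse, backscatter and reputation blocks in one pass."""
    local = {d.lower() for d in local_domains}
    parsed = [p for p in (parse_event(i, d) for i, d in events) if p]
    foreign_senders, rcpt_domains, reputation_blocks = set(), Counter(), []
    null_sender_attempts = 0
    for p in parsed:
        if p["kind"] != "smtp_reject":
            continue
        if p["command"] == "MAIL":
            if p["address"] == "":
                null_sender_attempts += 1          # an NDR leaving our server
            elif domain_of(p["address"]) not in local:
                foreign_senders.add(p["address"])  # we relayed someone else's mail
        elif p["command"] == "RCPT" and p["address"]:
            rcpt_domains[domain_of(p["address"])] += 1
        if p["code"] >= 400 and any(w in p["reply"].lower() for w in REPUTATION_WORDS):
            reputation_blocks.append((p["remote_host"], p["code"]))
    ndr_recipients = [p["recipient"] for p in parsed if p["kind"] == "ndr"]
    findings = []
    if foreign_senders:
        findings.append("relay abuse: outbound MAIL FROM for non-local sender(s) "
                        + ", ".join(sorted(foreign_senders)))
    if null_sender_attempts or ndr_recipients:
        findings.append("backscatter: %d outbound NDR attempts rejected, %d NDRs generated"
                        % (null_sender_attempts, len(ndr_recipients)))
    if reputation_blocks:
        findings.append("reputation: %d remote host(s) refusing our IP"
                        % len({h for h, _ in reputation_blocks}))
    return {"foreign_senders": foreign_senders, "null_sender_attempts": null_sender_attempts,
            "rcpt_domains": rcpt_domains, "ndr_recipients": ndr_recipients,
            "reputation_blocks": reputation_blocks, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, ["calruralwater.org"])["findings"]:
        print(line)
```

Run against the question's own events, the decisive line is the MAIL FROM:<careers@survey.com> in connection #355: the server was the SMTP client sending mail for a domain it is not authoritative for, which is relaying (open relay or a relay through someone's credentials), not backscatter. A backscatter-only incident would show MAIL FROM:<> on the rejected outbound connections and nothing else. To use it on a live box, export the Application log to text and feed (Event ID, Description) pairs in place of SAMPLE_EVENTS.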
ASKER
This is good! I checked the config of GFI ME and all is well. Can you explain what this error is trying to say? In layman's terms?
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 12/22/2009
Time: 7:35:36 PM
User: N/A
Computer: CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/). ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se> ". This may cause the connection to fail.
ASKER
I was flooded with outbound messages from careers@surveys.com
FYI: I have added the address to my blacklist.
ASKER CERTIFIED SOLUTION
Try this online tool: http://www.abuse.net/relay.html
Confirm you've Exchange 2003.
ASKER
Thank you very much. It was exactly what was happening.
To make sure you don't fall foul again, make sure the passwords for all accounts are changed regularly, and use strong passwords.
If one does get compromised, you should know what to do.
Thanks for the points.
Alan
ASKER
One last question! It says to select "only the list below" and "clear the list below" under the relay button of the SMTP virtual server. I thought this was encouraged to only allow mail to be routed from the IP/domain name specified. What is the best practice?
It is best practice to not let anything relay unless absolutely necessary.
Depending on how your clients are configured, you will either need to relay or not.
The best way to set up clients is to use HTTPS over RPC, as this does not need relaying, whereas SMTP/POP3 does.
ASKER
I was actually looking into RPC/HTTP when this happened, that will be my next project.
So I should remove my IP from the list?
Which IP is listed? Internal IP or external IP?
ASKER
Internal
Yes - you can remove it.
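The relay dialog discussed in the last few replies can be reasoned about precisely, and the abuse.net check pointed to earlier can be reproduced against your own server. The script below is an added example written for this page, not code from the thread, from GFI or from Exchange. RelayPolicy models the SMTP virtual server relay restrictions (the "Only the list below" address list and the "Allow all computers which successfully authenticate to relay" checkbox; mail for the server's own domains is always accepted because that is delivery, not relaying). FakeSMTPServer is a loopback test double, not Exchange; its "550 5.7.1 Unable to relay" reply is modelled on the real one. probe_relay performs the relay check itself (foreign MAIL FROM, foreign RCPT TO, read the RCPT reply) and can be pointed at a real server once you have permission to test it. The host names, the example addresses and the use of 127.0.0.1 as a stand-in for the internal server IP on the list are assumptions of the example.

```python
import ipaddress
import smtplib
import socketserver
import threading


class RelayPolicy:
    """Model of the Exchange 2003 SMTP virtual server relay restrictions:
    'Only the list below' / 'All except the list below', plus the checkbox
    'Allow all computers which successfully authenticate to relay'."""

    def __init__(self, local_domains, relay_list=(), only_list=True,
                 allow_authenticated=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_list = [ipaddress.ip_network(n, strict=False) for n in relay_list]
        self.only_list = only_list
        self.allow_authenticated = allow_authenticated

    def accepts(self, client_ip, rcpt, authenticated=False):
        """True if a RCPT TO:<rcpt> from client_ip should be accepted."""
        if rcpt.rsplit("@", 1)[-1].lower() in self.local_domains:
            return True                      # delivery to our own domain, not relay
        if authenticated and self.allow_authenticated:
            return True                      # stolen credentials bypass the list
        listed = any(ipaddress.ip_address(client_ip) in net for net in self.relay_list)
        return listed if self.only_list else not listed


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal ESMTP dialogue standing in for the server under test (NOT
    Exchange); the only decision it makes is the relay check at RCPT."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        policy, client_ip = self.server.policy, self.client_address[0]
        self.reply("220 fake.local ESMTP test double")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.reply("250 fake.local")
            elif cmd == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif cmd == "RCPT":
                rcpt = arg.partition("<")[2].partition(">")[0]
                if policy.accepts(client_ip, rcpt, authenticated=False):
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay for " + rcpt)
            elif cmd == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    daemon_threads = True

    def __init__(self, policy):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)  # port 0: any free port
        self.policy = policy


def probe_relay(host, port, mail_from, rcpt_to, timeout=10):
    """The abuse.net-style check: foreign sender, foreign recipient, read RCPT reply."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.invalid")
        code, msg = s.mail(mail_from)
        if code != 250:
            return {"stage": "MAIL", "code": code, "verdict": "sender refused"}
        code, msg = s.rcpt(rcpt_to)
    if code == 250:
        verdict = "OPEN RELAY: accepted a foreign recipient for a foreign sender"
    elif 500 <= code < 600:
        verdict = "relay denied"
    else:
        verdict = "temporary failure, inconclusive"
    return {"stage": "RCPT", "code": code, "reply": msg.decode("latin-1"), "verdict": verdict}


def run_probe(policy, mail_from="probe@example.org", rcpt_to="victim@example.net"):
    """Bring up a loopback test double running `policy`, probe it, tear it down."""
    srv = FakeSMTPServer(policy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_relay("127.0.0.1", srv.server_address[1], mail_from, rcpt_to)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # 127.0.0.1 stands in for the internal server IP the asker had on the list.
    weak = RelayPolicy(["calruralwater.org"], relay_list=["127.0.0.1"])
    fixed = RelayPolicy(["calruralwater.org"])     # 'Only the list below', list empty
    print("internal IP listed:", run_probe(weak)["verdict"])
    print("relay list empty  :", run_probe(fixed)["verdict"])
```

Two things the model makes visible. A listed IP only helps whoever can send from that IP (the server itself, or a worm on an internal workstation), so emptying the list closes that path but says nothing about outside senders. With "allow authenticated computers to relay" on, a valid username and password bypasses the list entirely, so a spam run with a foreign MAIL FROM and a relay list that is already empty points at compromised credentials, which is why the password advice above matters as much as the relay settings. To probe the real server, call probe_relay with its address from an outside host and pick a recipient domain you do not host; a 250 at RCPT is the open-relay result.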
ASKER
Thanks soooo very much!!!!
You are welcome.
If you need help with HTTPS over RPC, let me know.
ASKER
Do you have an article on the subject?
I have always used this one:
http://www.amset.info/exchange/rpc-http.asp
It helps to buy a 3rd party SSL certificate and GoDaddy are about the cheapest around (www.godaddy.com).
ASKER
Will do Alan,and thanks again...
You're welcome. Have fun.
With GFI ME: http://kbase.gfi.com/showarticle.asp?id=KBID003322
Regards.