Solved

Exchange Event Log Analysis NDR Backscatter? Intruder?

Posted on 2010-01-12
Last Modified: 2013-11-30
Last month my server was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers including the server. I now have the GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/23/2009
Time:            12:46:09 AM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 <calwaterserver.calruralwater.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed  ". The full command sent was "RCPT TO:<ebrown@frii.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            12/22/2009
Time:            7:35:37 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;344donna@charter.net (Message-ID <CALWATERSERVERLAztx0000005c@calruralwater.org>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:31 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source.  421-Please retry delivery later.  421-If you believe this may be in error you may go here:  421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp  ". The full command sent was "MAIL FROM:<careers@survey.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.
Question by:Rowy
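Triage script for the events quoted above, added here as an example and not code from the original post or from Microsoft. It parses the three Event ID 7002 descriptions and the Event ID 3030 description exactly as posted, and looks for the sign that separates relayed spam from ordinary delivery trouble: envelope senders (MAIL FROM) in domains the server does not host. The only assumption is LOCAL_DOMAINS, set to calruralwater.org because that is the domain in the log excerpt; replace it with your own accepted domains.

```python
"""Triage MSExchangeTransport 7002/3030 events for signs of outbound relay abuse."""
import re
from collections import Counter

# Assumption: the only domain this server should legitimately send mail from.
LOCAL_DOMAINS = {"calruralwater.org"}

# Event 7002 descriptions, copied from the Application log excerpts in the question.
EVENTS_7002 = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #7480. '
    'The remote host "216.17.222.224", responded to the SMTP command "rcpt" with '
    '"421 4.7.1 <calwaterserver.calruralwater.org[71.6.54.234]>: Client host rejected: '
    'Abusive activity detected - relay temporarily suppressed  ". The full command sent '
    'was "RCPT TO:<ebrown@frii.com>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #355. '
    'The remote host "207.67.72.231", responded to the SMTP command "mail" with '
    '"421-Connection dropped because your IP is a suspected spam source.  421-Please '
    'retry delivery later.  421-If you believe this may be in error you may go here:  '
    '421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp  ". The full '
    'command sent was "MAIL FROM:<careers@survey.com>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #366. '
    'The remote host "62.168.128.20", responded to the SMTP command "rcpt" with '
    '"450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, '
    'greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent '
    'was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.',
]
# Event 3030 (NDR generated) description from the same excerpt.
EVENTS_3030 = [
    'A non-delivery report with a status code of 5.2.0 was generated for recipient '
    'rfc822;344donna@charter.net (Message-ID <CALWATERSERVERLAztx0000005c@calruralwater.org>).',
]

RE_7002 = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to the '
    r'SMTP command "(?P<cmd>\w+)" with "(?P<code>\d{3})(?P<text>.*?)"\. The full command '
    r'sent was "(?P<full>[^"]*)"'
)
RE_3030 = re.compile(
    r"status code of (?P<status>[\d.]+) was generated for recipient "
    r"rfc822;(?P<rcpt>\S+) \(Message-ID <(?P<msgid>[^>]+)>\)"
)
RE_ADDR = re.compile(r"<([^>]*)>")


def parse_7002(desc):
    """Pull remote host, SMTP verb, reply code and the address in the rejected command."""
    m = RE_7002.search(desc)
    if not m:
        return None
    cmd = m["cmd"].lower()
    addr_m = RE_ADDR.search(m["full"])
    addr = addr_m.group(1).lower() if addr_m else ""
    return {
        "conn": int(m["conn"]),
        "host": m["host"],
        "cmd": cmd,
        "code": int(m["code"]),
        "reply": m["text"].strip(),
        "sender": addr if cmd == "mail" else "",
        "recipient": addr if cmd == "rcpt" else "",
    }


def parse_3030(desc):
    """Recipient, enhanced status code and Message-ID of a generated NDR."""
    m = RE_3030.search(desc)
    return {"recipient": m["rcpt"].lower(), "status": m["status"], "msgid": m["msgid"]} if m else None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(events_7002, events_3030, local_domains):
    """Summarise the rejections and decide whether they look like relayed spam.

    A server that only sends its own users' mail never emits an envelope sender in a
    foreign domain; a relayed spam run does, and the rejections are 4xx reputation and
    greylist replies from unrelated recipient domains, followed by NDRs (backscatter)."""
    parsed = [p for p in map(parse_7002, events_7002) if p]
    ndrs = [n for n in map(parse_3030, events_3030) if n]
    summary = {
        "remote_hosts": Counter(p["host"] for p in parsed),
        "transient": sum(1 for p in parsed if 400 <= p["code"] < 500),
        "permanent": sum(1 for p in parsed if 500 <= p["code"] < 600),
        "foreign_senders": Counter(
            p["sender"] for p in parsed
            if p["sender"] and domain_of(p["sender"]) not in local_domains
        ),
        "recipient_domains": Counter(domain_of(p["recipient"]) for p in parsed if p["recipient"]),
        "ndr_recipients": [(n["recipient"], n["status"]) for n in ndrs],
    }
    summary["looks_like_relay_abuse"] = bool(summary["foreign_senders"])
    return summary


if __name__ == "__main__":
    for key, value in triage(EVENTS_7002, EVENTS_3030, LOCAL_DOMAINS).items():
        print(f"{key}: {value}")
```

On the posted excerpt the script reports one foreign envelope sender (careers@survey.com) and three 4xx rejections from three different receiving hosts, which is the relay-abuse pattern rather than a reputation problem with legitimately sent mail. To run it against a live SBS 2003 box, export the Application log and feed every MSExchangeTransport 7002 description to parse_7002; a foreign sender appearing hundreds of times is the confirmation.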
19 Comments

Expert Comment

by:leakim971
ID: 26298688
Hello Rowy,

With GFI ME : http://kbase.gfi.com/showarticle.asp?id=KBID003322

Regards.

Author Comment

by:Rowy
ID: 26298950
This is good! I checked the config of GFI ME and all is well. Can you explain what this error is trying to say? In layman's terms?
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.

Author Comment

by:Rowy
ID: 26298963
I was flooded with outbound messages from careers@surveys.com

FYI: I have added the address to my blacklist.

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 26299013
That sounds like you were an authenticated relay - please have a read of my article relating to similar problems with solutions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Expert Comment

by:leakim971
ID: 26299021
Try this online tool: http://www.abuse.net/relay.html
Confirm you have Exchange 2003.

Author Closing Comment

by:Rowy
ID: 31676394
Thank you very much. It was exactly what was happening.

Expert Comment

by:Alan Hardisty
ID: 26299210
To make sure you don't fall foul again, make sure your passwords to all accounts are changed regularly and use strong passwords.

If one does get compromised, you should know what to do.

Thanks for the points.

Alan

Author Comment

by:Rowy
ID: 26299281
One last question! It says to select "only the list below" and "clear the list below" under the relay button of the SMTP virtual server. I thought this was encouraged to only allow mail to be routed from the IP/domain name specified. What is the best practice?

Expert Comment

by:Alan Hardisty
ID: 26299320
It is best practice to not let anything relay unless absolutely necessary.

Depending on how your clients are configured, you will either need to relay or not.

The best way to setup clients is to use HTTPs over RPC as this does not need relaying, whereas SMTP /POP3 does.

Author Comment

by:Rowy
ID: 26299330
I was actually looking into RPC/HTTP when this happened, that will be my next project.

 So I should remove my IP from the list?

Expert Comment

by:Alan Hardisty
ID: 26299365
Which IP is listed?  Internal IP or external IP?

Author Comment

by:Rowy
ID: 26299374
Internal

Expert Comment

by:Alan Hardisty
ID: 26299396
Yes - you can remove it.
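A model of the relay decision Alan describes, added here as an example; it is neither Exchange's code nor anything from the thread. The Exchange 2003 SMTP virtual server accepts a RCPT TO for one of three reasons: the recipient domain is local, the client IP is on the relay list ("Only the list below"), or the client authenticated and "Allow all computers which successfully authenticate to relay, regardless of the list above" is ticked (it is by default). The script walks a spammer's session through each path so the "authenticated relay" case is visible: with a guessed mailbox password the relay list is irrelevant. All credentials, IPs (203.0.113.5, 192.168.16.2) and the hostname are assumed.

```python
"""Model of an Exchange 2003 SMTP virtual server's relay decision (added example)."""
import base64
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"calruralwater.org"}  # the domain in the posted log excerpts
# Assumed mailbox credentials; "Winter09" stands in for a weak, guessed password.
USERS = {"rowy@calruralwater.org": "Winter09"}


@dataclass
class RelayPolicy:
    """The three inputs on the SMTP virtual server's Relay Restrictions dialog."""
    local_domains: set
    relay_list: set = field(default_factory=set)  # "Only the list below"
    allow_authenticated: bool = True              # "Allow all computers which successfully authenticate to relay"

    def rcpt(self, client_ip, authenticated, rcpt_addr):
        """Decide a RCPT TO and return the SMTP reply the server would send."""
        domain = rcpt_addr.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return f"250 2.1.5 {rcpt_addr} (local delivery, no relay needed)"
        if client_ip in self.relay_list:
            return f"250 2.1.5 {rcpt_addr} (relayed: client IP on relay list)"
        if self.allow_authenticated and authenticated:
            return f"250 2.1.5 {rcpt_addr} (relayed: client authenticated)"
        return f"550 5.7.1 Unable to relay for {rcpt_addr}"


def plain_blob(user, password):
    """SASL PLAIN credential blob: base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()


def run_session(policy, client_ip, client_lines):
    """Feed client commands to the model server; return (client line, server reply) pairs."""
    authenticated = False
    transcript = []
    for line in client_lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = "250 AUTH PLAIN"
        elif verb == "AUTH":
            _mech, _, blob = arg.partition(" ")
            try:
                _authz, user, password = base64.b64decode(blob).decode().split("\x00")
            except ValueError:  # bad base64 or wrong field count
                reply = "501 5.5.2 Cannot decode credentials"
            else:
                authenticated = USERS.get(user) == password
                reply = ("235 2.7.0 Authentication successful" if authenticated
                         else "535 5.7.3 Authentication unsuccessful")
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            reply = policy.rcpt(client_ip, authenticated, addr)
        elif verb == "QUIT":
            reply = "221 2.0.0 Service closing transmission channel"
        else:
            reply = "500 5.5.1 Command unrecognized"
        transcript.append((line, reply))
    return transcript


def rcpt_reply(policy, client_ip, rcpt_addr, credentials=None):
    """Run one session that tries to send to rcpt_addr; return the reply to RCPT TO."""
    cmds = ["EHLO mail.example.net"]
    if credentials:
        cmds.append("AUTH PLAIN " + plain_blob(*credentials))
    cmds += ["MAIL FROM:<careers@survey.com>", f"RCPT TO:<{rcpt_addr}>", "QUIT"]
    return run_session(policy, client_ip, cmds)[-2][1]


if __name__ == "__main__":
    default = RelayPolicy(LOCAL_DOMAINS, relay_list={"192.168.16.2"})
    locked = RelayPolicy(LOCAL_DOMAINS, allow_authenticated=False)
    stolen = ("rowy@calruralwater.org", "Winter09")
    for label, policy, ip, creds in [
        ("spammer, no auth, default policy", default, "203.0.113.5", None),
        ("spammer, stolen password, default", default, "203.0.113.5", stolen),
        ("spammer, stolen password, locked", locked, "203.0.113.5", stolen),
        ("LAN host on relay list, default", default, "192.168.16.2", None),
    ]:
        print(f"{label}: {rcpt_reply(policy, ip, 'ebrown@frii.com', creds)}")
```

The second scenario is the one from this thread: an empty relay list does nothing against a client that logs in with a real mailbox password. Clearing the list is still right (it removes one path), but the fix for the observed attack is strong passwords plus, where no POP3/IMAP/SMTP clients need it, clearing the authenticated-relay checkbox as well; RPC over HTTPS clients submit through MAPI and never touch the relay decision.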

Author Comment

by:Rowy
ID: 26299401
Thanks soooo very much!!!!

Expert Comment

by:Alan Hardisty
ID: 26299411
You are welcome.

If you need help with HTTPs over RPC, let me know.

Author Comment

by:Rowy
ID: 26299426
Do you have an article on the subject?

Expert Comment

by:Alan Hardisty
ID: 26299442
I have always used this one:
http://www.amset.info/exchange/rpc-http.asp

It helps to buy a 3rd party SSL certificate and GoDaddy are about the cheapest around (www.godaddy.com).

Author Comment

by:Rowy
ID: 26299446
Will do Alan, and thanks again...

Expert Comment

by:Alan Hardisty
ID: 26299451
You're welcome.  Have fun.