Rowy
Exchange Event Log Analysis NDR Backscatter? Intruder?

Last month my server was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers including the server. I now have the GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/23/2009
Time:            12:46:09 AM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 <calwaterserver.calruralwater.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed  ". The full command sent was "RCPT TO:<ebrown@frii.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            12/22/2009
Time:            7:35:37 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;344donna@charter.net (Message-ID <CALWATERSERVERLAztx0000005c@calruralwater.org>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:31 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source.  421-Please retry delivery later.  421-If you believe this may be in error you may go here:  421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp  ". The full command sent was "MAIL FROM:<careers@survey.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.
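As an added example (not from this thread, and not GFI's or Microsoft's tooling), a small Python script that parses 7002 descriptions like the ones above, tallies the 4xx/5xx rejections per remote host, and picks out MAIL FROM senders that do not belong to your own domain, which is the tell-tale sign of someone relaying through your server. The hosts, addresses and local domain in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample: three 7002 descriptions in the format shown in the question,
# with placeholder hosts, addresses and domain (not the asker's real events).
SAMPLE_EVENTS = [
    'The remote host "203.0.113.10", responded to the SMTP command "rcpt" with '
    '"421 4.7.1 <mail.example.org[198.51.100.5]>: Client host rejected: Abusive '
    'activity detected - relay temporarily suppressed  ". The full command sent was '
    '"RCPT TO:<someone@example.net>  ".  This may cause the connection to fail.',
    'The remote host "203.0.113.20", responded to the SMTP command "mail" with '
    '"421-Connection dropped because your IP is a suspected spam source.  '
    '421-Please retry delivery later.  ". The full command sent was '
    '"MAIL FROM:<careers@survey.example>  ".  This may cause the connection to fail.',
    'The remote host "203.0.113.30", responded to the SMTP command "rcpt" with '
    '"450 4.7.1 <careers@survey.example>: Sender address rejected: greylisted  ". '
    'The full command sent was "RCPT TO:<026276912@mail.example.com>  ".  '
    'This may cause the connection to fail.',
]

# Exchange quotes the reply and the command with trailing spaces inside the quotes,
# so both groups are trimmed with \s* before the closing quote.
EVENT_RE = re.compile(
    r'remote host "(?P<host>[^"]+)", responded to the SMTP command "(?P<cmd>\w+)" '
    r'with "(?P<code>\d{3})[- ](?P<text>[^"]*?)\s*"\. The full command sent was '
    r'"(?P<full>[^"]*?)\s*"\.')

def parse_event(description):
    """Pull remote host, SMTP verb, reply code and the address out of one 7002 description."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    addr = re.search(r"<([^>]*)>", m.group("full"))
    return {"host": m.group("host"), "cmd": m.group("cmd").upper(),
            "code": int(m.group("code")), "text": m.group("text").strip(),
            "address": addr.group(1).lower() if addr else ""}

def analyze(descriptions, local_domains, min_rejections=2):
    """Summarise 4xx/5xx rejections and flag MAIL FROM senders outside our own domains."""
    events = [e for e in map(parse_event, descriptions) if e]
    rejected = [e for e in events if e["code"] >= 400]
    foreign = sorted({e["address"] for e in events if e["cmd"] == "MAIL"
                      and e["address"].split("@")[-1] not in local_domains})
    return {"rejected_by_hosts": len({e["host"] for e in rejected}),
            "codes": dict(Counter(e["code"] for e in rejected)),
            "foreign_senders": foreign,
            "likely_outbound_abuse": len(rejected) >= min_rejections and bool(foreign)}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS, {"example.org"}))
```

Feed it the Description field of each exported 7002 event (one string per event); a non-local sender showing up in MAIL FROM across many rejecting hosts points at relayed spam rather than ordinary delivery trouble.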
leakim971

Hello Rowy,

With GFI ME: http://kbase.gfi.com/showarticle.asp?id=KBID003322

Regards.
Rowy (ASKER)

This is good! I checked the config of GFI ME and all is well. Can you explain what this error is trying to say??? In layman's terms?
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.
Rowy (ASKER)

I was flooded with outbound messages from careers@surveys.com

FYI: I have added the address to my blacklist
ASKER CERTIFIED SOLUTION
Alan Hardisty
Try this online tool: http://www.abuse.net/relay.html
Confirm you have Exchange 2003
Rowy (ASKER)

Thank you very much. It was exactly what was happening.
To make sure you don't fall foul again, make sure your passwords to all accounts are changed regularly and use strong passwords.

If one does get compromised, you should know what to do.

Thanks for the points.

Alan
Rowy (ASKER)

One last question! It says to select "only the list below" and "clear the list below" under the relay button of the SMTP virtual server. I thought this was encouraged to only allow mail to be routed from the IP/Domain name specified. What is the best practice???
It is best practice to not let anything relay unless absolutely necessary.

Depending on how your clients are configured, you will either need to relay or not.

The best way to set up clients is to use HTTPs over RPC as this does not need relaying, whereas SMTP/POP3 does.
Rowy (ASKER)

I was actually looking into RPC/HTTP when this happened, that will be my next project.

So I should remove my IP from the list?
Which IP is listed?  Internal IP or external IP?
Rowy (ASKER)

Internal
Yes - you can remove it.
Rowy (ASKER)

Thanks soooo very much!!!!
You are welcome.

If you need help with HTTPs over RPC, let me know.
Rowy (ASKER)

Do you have an article on the subject?
I have always used this one:
http://www.amset.info/exchange/rpc-http.asp

It helps to buy a 3rd party SSL certificate and GoDaddy are about the cheapest around (www.godaddy.com).
Rowy (ASKER)

Will do Alan, and thanks again...
You're welcome.  Have fun.