Exchange Event Log Analysis NDR Backscatter? Intruder?

Last month my server was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers including the server. I now have the GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/23/2009
Time:            12:46:09 AM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 <calwaterserver.calruralwater.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed  ". The full command sent was "RCPT TO:<ebrown@frii.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            12/22/2009
Time:            7:35:37 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;344donna@charter.net (Message-ID <CALWATERSERVERLAztx0000005c@calruralwater.org>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:31 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source.  421-Please retry delivery later.  421-If you believe this may be in error you may go here:  421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp  ". The full command sent was "MAIL FROM:<careers@survey.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.
RowyAsked:
Alan HardistyCo-OwnerCommented:
That sounds like you were an authenticated relay - please have a read of my article relating to similar problems with solutions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
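The pattern Alan describes (outbound connections for a sender address the server never legitimately originates, being rejected by remote hosts) can be picked out of the Event ID 7002 descriptions automatically. The following parser and check are an added example, not code from the thread, from Microsoft or from GFI; the sample descriptions are constructed in the format of the logs above, the local domain calruralwater.org is taken from those logs, and the hosts 198.51.100.7 and 203.0.113.9 are documentation addresses, not real ones.

```python
import re
from collections import Counter

# Fields of an MSExchangeTransport Event ID 7002 description, in the layout shown above.
EVENT_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to the '
    r'SMTP command "(?P<cmd>\w+)" with "(?P<reply>.*?)\s*"\. The full command sent was '
    r'"(?P<full>[^"]*?)\s*"\.')
ADDR_RE = re.compile(r'<([^>]*)>')

# Constructed sample descriptions (198.51.100.7 and 203.0.113.9 are documentation addresses).
SAMPLE_7002 = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source.  ". The full command sent was "MAIL FROM:<careers@survey.com>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted.  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #402. The remote host "198.51.100.7", responded to the SMTP command "mail" with "550 5.7.1 Sender blocked  ". The full command sent was "MAIL FROM:<careers@survey.com>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #410. The remote host "203.0.113.9", responded to the SMTP command "mail" with "421 4.7.1 Greylisted, try later  ". The full command sent was "MAIL FROM:<info@calruralwater.org>  ".  This may cause the connection to fail.',
]

def parse_event(description):
    """Return the fields of one 7002 description, or None if the text does not match."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    reply = m.group('reply')
    addr = ADDR_RE.search(m.group('full'))
    return {
        'connection': int(m.group('conn')),
        'remote_host': m.group('host'),
        'command': m.group('cmd').lower(),
        'code': reply[:3] if reply[:3].isdigit() else None,  # SMTP reply code, e.g. "421"
        'reply': reply,
        'address': addr.group(1) if addr else None,         # MAIL FROM or RCPT TO address
    }

def suspicious_senders(descriptions, local_domain, threshold=2):
    """Count rejected (4xx/5xx) MAIL FROM attempts per sender and return senders outside
    local_domain that reach the threshold: the fingerprint of a hijacked relay."""
    counts = Counter()
    for text in descriptions:
        ev = parse_event(text)
        if not ev or ev['command'] != 'mail' or not ev['code'] or ev['code'][0] not in '45':
            continue
        if ev['address'] and not ev['address'].lower().endswith('@' + local_domain.lower()):
            counts[ev['address']] += 1
    return [(sender, n) for sender, n in counts.most_common() if n >= threshold]

if __name__ == '__main__':
    for sender, n in suspicious_senders(SAMPLE_7002, 'calruralwater.org'):
        print(f'{sender}: {n} rejected outbound MAIL FROM attempts')
```

Run it against the Description text exported from the Application log; a sender that is not your own domain showing up repeatedly in rejected MAIL FROM commands is mail the server should never have been relaying.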
 
leakim971PluritechnicianCommented:
Hello Rowy,

With GFI ME : http://kbase.gfi.com/showarticle.asp?id=KBID003322

Regards.
0
 
RowyAuthor Commented:
This is good! I checked the config of GFI ME and all is well. Can you explain what this error is trying to say? In layman's terms?
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 <careers@survey.com>: Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<026276912@hos.sandnet.se>  ".  This may cause the connection to fail.
0
 
RowyAuthor Commented:
I was flooded with outbound messages from careers@surveys.com

FYI: I have added the address to my blacklist.
0
 
leakim971PluritechnicianCommented:
Try this online tool: http://www.abuse.net/relay.html
Confirm you have Exchange 2003.
0
 
RowyAuthor Commented:
Thank you very much. It was exactly what was happening.
0
 
Alan HardistyCo-OwnerCommented:
To make sure you don't fall foul again, make sure your passwords to all accounts are changed regularly and use strong passwords.

If one does get compromised, you should know what to do.

Thanks for the points.

Alan
0
 
RowyAuthor Commented:
One last question! It says to select "only the list below" and "clear the list below" under the relay button of the SMTP virtual server. I thought this was encouraged to only allow mail to be routed from the IP/domain name specified. What is the best practice???
0
 
Alan HardistyCo-OwnerCommented:
It is best practice to not let anything relay unless absolutely necessary.

Depending on how your clients are configured, you will either need to relay or not.

The best way to set up clients is to use HTTPs over RPC as this does not need relaying, whereas SMTP/POP3 does.
0
 
RowyAuthor Commented:
I was actually looking into RPC/HTTP when this happened, that will be my next project.

So I should remove my IP from the list?
0
 
Alan HardistyCo-OwnerCommented:
Which IP is listed?  Internal IP or external IP?
0
 
RowyAuthor Commented:
Internal
0
 
Alan HardistyCo-OwnerCommented:
Yes - you can remove it.
0
 
RowyAuthor Commented:
Thanks soooo very much!!!!
0
 
Alan HardistyCo-OwnerCommented:
You are welcome.

If you need help with HTTPs over RPC, let me know.
0
 
RowyAuthor Commented:
Do you have an article on the subject?
0
 
Alan HardistyCo-OwnerCommented:
I have always used this one:
http://www.amset.info/exchange/rpc-http.asp

It helps to buy a 3rd party SSL certificate and GoDaddy are about the cheapest around (www.godaddy.com).
0
 
RowyAuthor Commented:
Will do Alan, and thanks again...
0
 
Alan HardistyCo-OwnerCommented:
You're welcome.  Have fun.
0