Not receiving email after NDR attack - Exchange 2003

Hi,

A server we look after was the victim of an NDR attack and / or open SMTP relay attack today. Since around 8:30am this morning, none of the recipients have been able to receive email from external sources (mail sent internally is fine). I've completed the steps explained at:-

http://support.microsoft.com/kb/886208

and

http://support.microsoft.com/kb/324958

Now, the queues no longer fill with NDRs, but it still hasn't resolved the problem where email is not being received. I'm sending emails to the recipients connected to this server, but the emails aren't reaching their inboxes.

Any suggestions?
Robox1 Asked:

Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Can you test external mail flow? Use telnet testing for connectivity or use http://www.mxtoolbox.com/

Who knows, I have seen ISPs turn off SMTP if they are hit with spam...
Robox1 (Author) Commented:
I can telnet in, and email is sent OK from Exchange, so SMTP is OK - it's just incoming mail that's the issue. Internal mail is sent to the inbox, but mail sent from external sources doesn't reach the inbox.
Robox1 (Author) Commented:
These are the results when running an SMTP check on mxtoolbox.com:-

220 exchange.<domain>.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 22 Apr 2010 17:00:16 +0100


Not an open relay.
 0 seconds - Good on Connection time
 0.281 seconds - Good on Transaction time
 OK - <IP Address> resolves to exchange.<domain>.com
 OK - Reverse DNS matches SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 exchange.<domain>.com Hello [64.20.227.133] [140 ms]
MAIL FROM: <supertool@mxtoolbox.com>
454 5.7.3 Client does not have permission to submit mail to this server. [125 ms]

Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Here is your issue...if your mail server is 64.20.227.133 it is not accepting SMTP traffic...
When I run telnet 64.20.227.133 25 it fails to connect. You didn't modify the firewall, did you?
Looks like this is Exchange 2003...is the SMTP Virtual Server running? SMTP running?
Locally from a workstation, can you run telnet exchangeserver 25? Do you get a banner?
Robox1 (Author) Commented:
I think 64.20.227.133 is mxtoolbox.com's IP address..... The Server's IP address is 213.152.36.177. I can telnet into this IP address on port 25 both locally and externally. I've not touched the firewall... I've run a port scan on the IP and this is the result:-

5 open ports:

       25      smtp      Success      140 ms
       80      http      Success      140 ms
       110      pop3      Success      140 ms
       143      imap      Success      140 ms
       389      ldap      Success      140 ms

This shows that port 25 is open...

The SMTP Virtual Server and SMTP Connectors are running...
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
There we go...your connector is not set to allow Anonymous....
Exchange 2007...to set this go to Server Config --> Hub Transport --> Receive connector --> Default receive connector, check box Anonymous
Exchange 2003 --> Default SMTP Virtual Server --> Properties --> Access Tab --> Auth button...check Anonymous
Let me know what you find...
Robox1 (Author) Commented:
Should the "Resolve anonymous e-mail" also be checked (in Exchange 2003, under "Anonymous Access")?
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
The only thing that should be checked under Access should be Anonymous for acceptable authentication...
Once you have this set I will attempt to send an email to your Administrator@ via telnet

[Attachment: access-authentication.gif]

Robox1 (Author) Commented:
Works great now, thanks.
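
Added example, not part of the original thread: a small parser for SMTP test transcripts like the mxtoolbox session above. It separates "anonymous inbound mail refused" (the 454 5.7.3 reply seen in this thread) from "relay refused", which is the state to keep after closing an open relay. The sample sessions, the `example.*` domains, the 192.0.2.10 address and the `550 5.7.1 Unable to relay` reply line are constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s)?(.*)$")
COMMAND = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b[:\s]*(.*)$", re.I)
TIMING = re.compile(r"\s*\[\d+ ms\]\s*$")  # per-line timing appended by the test tool

def parse_transcript(text):
    """Return one (stage, argument, code, enhanced_status) tuple per server reply."""
    stage, arg, steps = "CONNECT", "", []
    for raw in text.splitlines():
        line = TIMING.sub("", raw.strip())
        reply = REPLY.match(line)
        if reply:
            steps.append((stage, arg, int(reply.group(1)), reply.group(2)))
        elif cmd := COMMAND.match(line):
            stage, arg = cmd.group(1).upper(), cmd.group(2).strip("<> ")
    return steps

def diagnose(text, local_domains):
    """Return (inbound verdict, relay state) for an unauthenticated test session."""
    local = {d.lower() for d in local_domains}
    inbound, relay = "accepted", "untested"
    for stage, arg, code, enhanced in parse_transcript(text):
        if stage == "RCPT TO" and arg.rpartition("@")[2].lower() not in local:
            # Recipient outside our domains: a refusal here is the desired state.
            relay = "open" if code < 400 else "closed"
        elif code >= 400 and inbound == "accepted":
            if stage == "MAIL FROM" and enhanced == "5.7.3":
                inbound = "anonymous-access-disabled"  # the reply seen in this thread
            else:
                inbound = "rejected-at-" + stage.lower().replace(" ", "-")
    return inbound, relay

# Constructed sample sessions (example.com stands in for the redacted domain).
BEFORE_FIX = """220 exchange.example.com Microsoft ESMTP MAIL Service ready
HELO probe.example.net
250 exchange.example.com Hello [192.0.2.10] [140 ms]
MAIL FROM: <probe@example.net>
454 5.7.3 Client does not have permission to submit mail to this server. [125 ms]"""
AFTER_FIX = """220 exchange.example.com Microsoft ESMTP MAIL Service ready
HELO probe.example.net
250 exchange.example.com Hello [192.0.2.10]
MAIL FROM: <probe@example.net>
250 2.1.0 probe@example.net....Sender OK
RCPT TO: <administrator@example.com>
250 2.1.5 administrator@example.com
RCPT TO: <someone@example.org>
550 5.7.1 Unable to relay for someone@example.org"""
```

`diagnose(BEFORE_FIX, ["example.com"])` reports the anonymous-access problem with the relay untested, while `diagnose(AFTER_FIX, ["example.com"])` reports inbound mail accepted and the relay closed.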