Open Relay / SPAM / Default SMTP Virtual Server Access

RimFire007
RimFire007 used Ask the Experts™
on
Hi

A new SBS 2003 R2 (Exchange 2003 SP1) installation. The ISP routes mails directly to the server

I have several thousands of MAILS IN QUEYE and the tests says that the server is Open Relay. Currently I'm freezing the mails in ESM and planning to delete them. The process seems to take awhile (30 mins so far) and I would love to finish it (or is there any quicker way to get rid of those spams?).

I have few end users on the Site using Outlook 2000 - 2007 and couple RPC over HTTPS Outlook users Off Site. I have read "SMTP server failed open relay test"
http://technet.microsoft.com/en-us/library/aa996901(EXCHG.80).aspx

Following above instructions I have done this:

In SMTP Virtual Server / Properties / Access / Relay Restrictions:
clear the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click Users to specify a subset of users that you want to grant relay permissions on this SMTP virtual server.

I have granted Submit permissions for AUtenticated Users
I have granted Submit and Relay permissions for selected users (to those who use Outlook)
The Tarpit time is 5 seconds

What can I do? I'm affraid that the ISP will block port 25 pretty soon. I have noticed that there were delays when sending or receiving mails apparently the server were busy processing spam.

Rgs,

Juha


Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Paul SolovyovskySenior IT Advisor
Top Expert 2008
Commented:
Check to see security logs in event viewer.  If you are allowing authenitcated users to login and one of the accounts has an easy password that was hacked the hacker could have easily been using a valid account/password to send unwanted emails.

For the Virtual SMTP Server, can you do a a screenshot under realy option

Author

Commented:
Hi Paul

Thanks you for your reply.

Regarding security logs I can't say - basicly Success Audits for System and Administrator. I saw a article somewhere how to setup Audit for this situation. I also change administarators passwor now.

For some reason the relay setting has bounched back as illustrated in image

Rgs,

Juha

Capture1.JPG
Paul SolovyovskySenior IT Advisor
Top Expert 2008

Commented:
The success audits..are they from one account or multiple accounts.  If you're getting many of them from a single account that is your cuplrit.

Also do a netstat to see if one of the machines is a spambot relaying through your exchange.  You will notice a disproportionate amount of connections from this system

Author

Commented:
Hi

Success audits mainly from administrator and I feel that it is not hijacked (at least anymore since I changed the PW.

Regarding netstat: nothing special

Below is my current Relay Restriction. Nothing to change there. Should it be OK?.

I will strat this procedure to empty the queye:
http://www.amset.info/exchange/spam-cleanup.asp

"Cleaning Up the Exchange Server's SMTP Queues

Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound messages from the Internet unless they are from the spammer continuing to try and abuse your server...."

Rgs,

Juha






RelayRestrictionsNow.doc
Your screen dump is correct, what do you have in the Users (button on the bottom of the Relay Restrictions)?

Also make sure you have the following options selected, Global Settings > Message Delivery > Recipient Filtering tab 'Filter recipients who are not in the Directory' check box.  It would alo be worth checking Sender Filtering tab 'Filter messages with a blank sender'. These will help you manage in-bound spam.

Author

Commented:
richclawson

"what do you have in the Users (button on the bottom of the Relay Restrictions)?"
The Authenticated users
And
Sahkopostin kayttajat Security Group (Members are users who need to use email)

"'Filter recipients who are not in the Directory' check box."
It was allready there
"'Filter messages with a blank sender'."
No such selection (Exchange SP1)

I'm currently doing the cleanup proces to queye.

Rgs,

Juha Rimmi



Author

Commented:
Btw

It seems that the server setup were basicly quite OK all ready (this server were setup on last friday).
Nothing special netstat results in the LAN.
Why is the server regognized to be an Open Relay (which it really seems to be)?

It is true that I changed the administrators pw 1 hrs ago.
I started to install winupdates 16 hrs ago and no it lasks only Exchange SP2

Have I missunderstand something here? In HW firewall I have forwarded all SMTP traffic to servers Internal address.

The smtp is currently blocked from Internet while i'm cleaning the spam. Surely I don't want to see they Queye fill up again so is there any further settings I can do? The Tarpit is set to 5 secs.

Rgs,

Juha
Hi Juha, your config settings seem to be ok.  Do you have any spam filtering solution in place?

If not, you can update Exchange to SP2 and impliment IMF (details here http://www.petri.co.il/block_spam_with_exchange2003_imf.htm) its a fairly basic application but ive used it for many years and it is quite effective and free.

regards richard

Author

Commented:
Hi richard

I will defenetly install Exchange SP2 after I have cleaned spams (apx 150 000 in queye and keep growing). Unfortunatelly there is not any external spam filtering company to relay right now. I have had IMF in some places and some kind of understanding how to setup the security level.

Actually the server AV is pretty old so I will update it as well.

Rgs, Juha

Author

Commented:
Aha

No I have more information. Ín queyed mails the sender is postmaster@mydomain.fi (at least first 10 000). According my Google research that indicates NDR attack.

Hopefully WinUpdates + Exchange SP2 helps with that + what I find regarding NDR attac.

Rgs,

Juha
I recommend also using mxtoolbox.com to test your server. It will also provide some help.
Paul SolovyovskySenior IT Advisor
Top Expert 2008

Commented:
You could disable NDRs, listed instuctions below.  Yoy may not be spamming just your queues are getting hijacked by NDRs

To disable NDRs, follow these steps:
Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
Click the Advanced tab.
Click to clear the Allow non-delivery reports check box, and then click OK.
To specify who can receive copies of NDRs, follow these steps:
Under Administrative Groups, expand First Administrative Group, expand Servers, expand servername, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
Stop, and then restart the MS Exchange Routing Engine and SMTP services.
Microsoft recommends that you also create a postmaster e-mail address for NDRs that come from other servers. This can be a secondary SMTP address for a user or a mail-enabled User account. Use Active Directory Users and Computers to add the e-mail address or mail-enabled account.

The user will not receive the actual message that caused the NDR. However, if the notice is opened and Send Again is selected, the actual message appears and can be forwarded if you want.


Distinguished Expert 2018

Commented:
Go to mxtoolbox and test your server again when mail is enabled. If it still is testing as an open relay then you have more than just NDR issues. You have a compromised password or a deep-seeded misconfiguration somewhere.

Author

Commented:
Thanks cgaliher

I'm almost falling in sleep here. I have opened an another conversation. I magaded to get rid Open Relay but now i'm again on ot. Sunny is working with this with me and he is about to go on. II update here soon.

Rgs, Juha

Author

Commented:
Hi

This case seem to be closed. I really took awile to solve all issues. I'll grant point laiter on and explain what has happened. I need to have some rest now.

Thank you all and specially for helping me.

Involved open questions / same server:

"Outlook Clients lost Exchange. LDAP Bind was unsuccessful on directory FQDN 0x31 Invalid Credentials."
"Problems deleting Spam from SMTP Queye"
"Open Relay / SPAM / Default SMTP Virtual Server Access"
"OWA DNS Internally + OWA DNS Externally"

Rgs,

Juha
Top Expert 2010
Commented:
hi the problem in this case was in the screenshot itself.
The relay restrictions to localhost >
Relay restrictions to the Exchange server --> this should not be configured.

Once you remove these 2 - it will work ok.

Author

Commented:
I can close the case now.

The attact came probably from Taiwan. Additionally what Sunny says above (which is the fact) the customer decided to use D-Fence service. Their servers filters the spam and in the HW FW I'll forward SMTP only from their IP addresses. ISP noticed the SPam situation and asked explanation. I admit the spam but in that time the spamming has stopped cause the server were fixed. I'll also let them know that we hired D-Fence to filter spam in the future. The ISP sayd OK but we will monitor the behavior of the internet taraffic of that Internet Connection awhile.

The domain is balcklisted at Barracuda and Tiopan. I'll try to contact them today. Now when the D-Fence filters spam the the test mxtoolbox blacklist says that the domain is Ok but I believe that I have to contakt them anyway.

Very special thanks to Sunny who helped me out from this nightmare! Without that direct help I don't know how I could guide out from the terrible situation.
Also great thanks to all you other. Exchange-Experts can save lives.

In the future I won't setup a Exchange as carelesly. The good thing that I learned in the hard way to take care immdiently the Open Relay situation! I also believe that I can now fix the SMTP Banner problem perhaps by my self.

Again thank you all for helping me solve the multiple problems i had. Have a Great Summer!

With Best Regards,

Juha

Author

Commented:
With honor I grade 400 to Sunny for excelent job and direct hands on work. Unfortunatelly I have only 100 points left to grade all other.

I grant  the left 100 points to  paulsolov due to guiding me intoright place SMTP Virtual Server / realy option.
Thank you very much all for exelent support. Have a Great Summer"

With Best Regards,

Juha

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial