Solved

Open Relay in SBS 2003

Posted on 2010-08-17
Last Modified: 2012-06-27
I am getting a lot of spam lately and I think the problem is open relay in my Exchange server, even though I used www.test-smtp.com and it said that all tests succeeded, no relay accepted. But when I check the queues on Exchange I see email sent to domains that we usually don't send to (see queues.jpg), and when I check the sender I see postmaster@mydomain.net, and we don't have that account. I already checked the small business connector to see if "Allow messages to be relayed" is checked and it is not (see connector.jpg), and on the relay restrictions I removed all IP addresses and unchecked the "allow computers who authenticate to relay" option (see relay.jpg). The only problem that I can see is the authentication: I have anonymous access enabled (see authentication.jpg) because we have some Xerox machines that scan and send the image to our email accounts, but everything else looks good. Am I missing something, or can the authentication be the problem for the spam? Any help will be really appreciated.
Oswaldo
 QueuesRelay.JPG
Connector.JPG
Authentication.JPG
0
Question by:ocortes
25 Comments
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33456480
This is an Exchange 2003 problem. It accepts mail for unknown recipients and wants to send an NDR (non-delivery report) back to the sender. See: http://www.msexchange.org/tutorials/NDR-Microsoft-Small-Business-Server-2003.html
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33456580
The crucial part in the link above is to add Recipient Filtering - that way the onus is pushed back to the sender to generate the NDR - not you.
You will find you are listed on Backscatterer.org if you check on www.mxtoolbox.com/blacklists.aspx, unless you are very lucky.
0
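Added example, not part of the original thread: a Python check that tells the two conditions discussed above apart by looking only at the server's replies to `RCPT TO` (no `DATA` is sent, so nothing is queued). The function names, the probe mailbox name and the `example.net` / `example.org` addresses are assumptions made for illustration; run it against your own server from outside your network, since the relay list may treat internal addresses differently.

```python
import smtplib

def rcpt_verdict(code):
    """Map an SMTP reply code to accepted / rejected / deferred."""
    if 200 <= code < 300:
        return "accepted"
    if 500 <= code < 600:
        return "rejected"
    return "deferred"  # 4xx: temporary failure, nothing can be concluded

def try_rcpt(smtp, sender, rcpt):
    """Send MAIL FROM + RCPT TO, then RSET so no message is ever submitted."""
    code, _ = smtp.mail(sender)
    if 200 <= code < 300:
        code, _ = smtp.rcpt(rcpt)
        verdict = rcpt_verdict(code)
    else:
        verdict = "inconclusive"  # sender refused, RCPT was never evaluated
    smtp.rset()
    return verdict

def probe(smtp, local_domain, external_rcpt="relay-probe@example.net"):
    """Run both probes on a connected smtplib.SMTP-style session."""
    smtp.ehlo_or_helo_if_needed()
    # Probe 1: a mailbox that should not exist in the local domain.
    # With recipient filtering working, the server refuses it here.
    unknown = try_rcpt(smtp, f"probe@{local_domain}",
                       f"no-such-mailbox-probe@{local_domain}")
    # Probe 2: foreign sender to foreign recipient, unauthenticated.
    relay = try_rcpt(smtp, "probe@example.org", external_rcpt)
    findings = []
    if unknown == "accepted":
        findings.append("backscatter: unknown recipients accepted, "
                        "NDRs will be queued from postmaster")
    if relay == "accepted":
        findings.append("open relay: foreign recipient accepted "
                        "without authentication")
    return {"unknown_recipient": unknown, "relay": relay, "findings": findings}

def probe_host(host, local_domain, port=25, timeout=15):
    """Connect to the given host (assumed to be your own server) and probe it."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe(smtp, local_domain)

if __name__ == "__main__":
    import sys
    print(probe_host(sys.argv[1], sys.argv[2]))
```

An "accepted" result for the unknown recipient together with "rejected" for the relay probe matches the pattern in this question: relay tests pass, yet NDRs to forged senders still fill the queue.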
 
LVL 15

Expert Comment

by:JBond2010
ID: 33456868
In SBS 2003 you can turn on Authentication logging in Exchange and you will be able to verify if someone is trying to relay through your Server. As a priority, make sure that all guest accounts that are not being used are disabled or have strong passwords. Also, make sure all user accounts have strong passwords. Because hackers can crack accounts with weak passwords and then use this account to Authenticate with Exchange and relay through your Server.

The correct settings for Exchange should be on your Default SMTP Virtual Server - go to properties - access tab - relay tab - make sure to select ONLY THE LIST BELOW option. Add to the list the IP address of your Server and the loopback address 127.0.0.1 - The option to Allow all computers which successfully authenticate to relay, regardless of the list above, SHOULD BE UNTICKED.

You can check this link from Microsoft, which is very insightful:
http://support.microsoft.com/kb/895853
0
 

Author Comment

by:ocortes
ID: 33457485
SGrossmann, I read the article and I have the Recipient Filtering enabled just like they said so I am not sure that is the problem. alanhardisty, I checked if I was listed and everything was OK with 4 timeouts.
JBond2010, I had the guest account disabled, and I used to have my IP address on the Relay tab along with 127.0.0.1, and I was thinking that was the problem so I removed them and now I don't have anything (see relay.jpg), but I am able to send and receive emails without problems. Should I put them back?
The main problem that I have is that a few users keep getting Viagra emails, quite a few every day, and I want to stop them. I have Symantec Mail Security for Exchange with the Premium Antispam and still keep getting spam.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33457785
I used to use Symantec Mail Security with Premium Anti Spam and got fed up with receiving daily spam.  After a discussion last August with Mestha about Spam products, he put me on to Vamsoft ORF which I trialled for 30 days and now use regularly.

My spam has reduced from 5 or 6 a week to 5 or 6 a month.  I have also installed it on most of my customer's servers too and they love it as much as I do.

You can install it alongside Symantec apparently, so you might want to consider it.

The cost is only $239 per server no matter how many users and renewal is optional at $99 annually.

Check it out at www.vamsoft.com

In terms of your problem, are you using Intelligent Message Filtering as well as Symantec?
0
 

Author Comment

by:ocortes
ID: 33458395
alanhardisty, I think I will check Vamsoft, and I am not using Intelligent Message Filter I just have the Apply Recipient Filter Checked in the Identification screen
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33458644
I am not sure if you have done this before
- In the first screenshot relay.jpg.
Check All except the list below.
and check the box > allow all computers to authenticate.

0
 

Author Comment

by:ocortes
ID: 33459518
sunnyc7, after I deleted the addresses in the relay screen and unchecked the Allow all Computers to authenticate option we haven't gotten spam, but usually we get it at night. I will leave it like it is, and tomorrow morning if we have spam I will make the changes you suggested.
Thank you
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33459588
Those are basic steps.

I'd go with alan's recommendation of installing vamsoft ORF trials and see what you catch there.

Please post back @ how this goes.

thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33459743
Have a read of the following article - Recipient Filtering has to be enabled in two places:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
Intelligent Message Filtering and SMTP Virtual Server.  If you are not using Intelligent Message Filtering, then the job is left to Symantec and I don't recall if they can do it.
I would enable IMF and Enable Recipient Filtering only, then leave the rest to Symantec / Vamsoft.  You may decide to uninstall Symantec after your 30-day trial - it is so much better than Symantec Mail Security in my experience.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33462169
ocortes: Please check as well if there are new messages in the queue after you changed the recipient filtering.
0
 

Author Comment

by:ocortes
ID: 33464220
alanhardisty, I already have the Recipient Filtering enabled in the two places and today we still got spam. To enable Intelligent Message Filtering, do I just have to check the Apply Intelligent Message Filter in the Identification screen under the Advanced tab of the Default SMTP Virtual Server, or do I have to do some more configuration?
Please let me know.
Thank you
0

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33464263
To be perfectly honest - unless you use a 3rd party solution, you will continue to get spam.
I use Vamsoft ORF which does a brilliant job for only $239 per server.  It is simple to install (4Mb), relatively simple to configure, the logs are brilliant to analyze what is going on in terms of mail being rejected etc and I used to get about 5-6 spam a week.  Now I get 5-6 spam a month, if that.
www.vamsoft.com - Download the free trial (30 days).  You won't be disappointed.
0
 

Author Comment

by:ocortes
ID: 33464596
SGrossmann: I just checked the queues after enabling Intelligent Message Filtering and recipient filtering and I can still see messages going to weird domains. That makes me worry because my Exchange is still an open relay, or could it be that one of the computers in my network has some spyware and it is sending the emails? I just made everybody change their password yesterday but the problem is still there.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33464879
Is the sender still postmaster@yourdomain.com for those random emails?
0
 

Author Comment

by:ocortes
ID: 33464937
Yes, still postmaster.
0
 

Author Comment

by:ocortes
ID: 33464961
alanhardisty: Even if I install Vamsoft it won't stop the emails going out if my Exchange is doing open relay, correct?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 33465111
If you are an open relay, then the sender won't be Postmaster and you will be blacklisted.
As the messages are from Postmaster and IMF does not seem to be working, install Vamsoft, configure it and the problem will go away.
If you need help with the config, let me know.
If you don't trust the advice, please post your domain name and IP Address and I will obscure it immediately. I will then check and verify what is happening.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33465561
If the sender is postmaster there are still NDR (NonDeliveryReport) or DSN (DeliveryStatusNotification) going out. That there are still some left is quite normal, they will stay there for one week. But the main question is if there are any new entries since you changed the configuration?
0
 

Author Comment

by:ocortes
ID: 33466318
alanhardisty: I downloaded and installed ORF and followed the configuration instructions but I am not sure if I did it right.
For the DNS it shows my server (I have SBS 2003) and it is the IP address of my server in my network; I tested it and it passed all the tests, but I want to make sure it is correct.
For the binding I just selected Default SMTP for Inbound and Outbound.
I don't think I have intermediate hosts, how do you check that?
Do you have any suggestions for the DNS blacklists and SURBLS?
Please let me know if you have any tips?
Thank you very much.
0
 

Author Comment

by:ocortes
ID: 33466360
SGrossmann: I think there are a few new entries, but just 2 or 3 at the time I checked, with weird domain names, with time of old message submitted from today. I will keep checking.
Thank you
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33466599
DNS of your server is correct.  Inbound and Outbound is correct too.  You probably don't have any intermediate hosts, so don't worry about that.
Blacklists I use are Barracuda (which catches most of the blighters) and SORBS.
I use most tests all apart from Recipient Blacklist, DNS Whitelist, Attachment Filtering and External Agents.  Most tests are set for Before Arrival apart from Auto-Sender Whitelist (both).
0
 

Author Comment

by:ocortes
ID: 33466746
alanhardisty: I will give it a try and let you know.
Thank you very much
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33466775
You are welcome.  Here if you have other questions.
With Vamsoft installed and working, you can disable IMF completely and let Vamsoft handle it all.
0
 

Author Closing Comment

by:ocortes
ID: 33502512
Thank you, Vamsoft seems to be working really good. We are not getting Spam and it was easy to configure.
0
