Exchange 2003 SMTP (Again!)

Posted on 2011-02-16
Last Modified: 2012-05-11
This is starting to frustrate me a little.

This is the same server that has had issues before, and is still a server I inherited and did not initially set up. The server is in a different location to me, but I can access it 24/7 via VPN.

Ports 25 and 80 are 'open'. MXToolbox reports that it -may- be an open relay, but only since my last bout of changes (Reference: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26721695.html)

For a week it was absolutely fine. Now we are receiving, luckily I guess, massive 'internal' spam. SMTP Logs say it is coming from an outside source (Russian, New Zealand and Italian IP Addresses and TLDs) but is masking itself as from: user.name@ourdomain.co.uk. For obvious reasons I am removing our domain and IP address information.

Please can someone make sense of this problem and suggest a once-and-for-all fix. I really don't want to have to start blocking each external offending IP Address.

From the code snippet (SMTP Log for one of these emails) you can see it is coming from an external source and looks like it is SMTP'ing through an external box (the DATA), but is showing as sent in our System Manager / Message Tracking Service. It does not show in the user's Sent Items.

The Message ID in System Manager shows SERVER-NAME(random character string)@mail.ourdomain.co.uk for these emails whereas other, legitimate email shows as (garbage string)@sendingdomain.co.uk.

No machines are now left on overnight other than the servers. Both servers have been virus checked and scanned with HJT (nothing suspect).

I totally understand that this is a big ask on an essentially free forum. My next module for my MCSE / MCITP is Exchange 2003 so I'm hoping that I can rebuild this abomination and help others in turn once I'm done!

TIA
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 EHLO - +smtp5.clear.net.nz 250 0 320 23 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) - +FROM:<services@lloydstsb.com> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 DATA - +<0LGP007H44K0KQ50@smtp5.clear.net.nz> 250 0 121 1837 766 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 QUIT - smtp5.clear.net.nz 240 1781 77 4 0 SMTP - - - -

Question by:Vampireofdarkness
14 Comments
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 2000 total points
ID: 34913793
Do you have any POP users in your domain? If not, then turn on 'Sender Filtering' so that your server will not accept internet mail from your domain.
LVL 31

Expert Comment

by:MegaNuk3
ID: 34913815
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34913825
Before I do change this, there are some in the SMTP Log for read/delivery notifications that are from @ourdomain.co.uk. Will these be affected by disallowing @ourdomain.co.uk in Sender Filtering?
LVL 31

Expert Comment

by:MegaNuk3
ID: 34913923
Read/delivery notifications are not affected by Sender Filtering.
LVL 44

Expert Comment

by:Amit
ID: 34914052
You need a 3rd-party tool for this. Look for Message Labs or Trend Micro. Exchange doesn't have that many options to do all this.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34914515
Please read my article that MegaNuk3 has posted - you may well be an authenticated relay and if you are, you have an account whose password has been compromised.

You can also check to see if you are an open relay on www.checkor.com - that should advise if you are, as it is a more comprehensive check than mxtoolbox.

Alan
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34919013
I'm doing exactly the same tests as checkor via telnet and my results are different. My results are all showing as '5.5.0 ...', Checkor is showing all EXCEPT the blank from address as going through.  I'm assuming therefore that checkor is using a different method, even though the header is the same:

Checkor: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Thu, 17 Feb 2011 18:15:26 +0000
My Telnet: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 17 Feb 2011 18:34:44 +0000

I should have mentioned in my original post that I already have logs set to maximum and there are no 1708s in the event viewer.
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34919020
Worth noting at this point that I didn't change Sender filtering yet.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34921442
Do you have any Anti-Spam software installed?  If not, please have a serious look at Vamsoft ORF and install their 30-day trial version.  If you are getting spam, it will kill it pretty much stone dead and, should you decide to buy it, it is only $239 per server.
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34923824
No Anti-Spam software and no budget at the moment to get it - which is a little silly, I know, but it is what I have to work with.

Set up Sender Filtering this morning and so far so good. I've used *@*.ru, *@*.it, *@*.nz and *@ourdomain.co.uk (blocking Russia, Italy, New Zealand and ourdomain.co.uk). We only deal with a small section of the UK, so no mail expected from RU/IT/NZ that is legitimate. So far, in the last 40 minutes, about ten 554 responses.

Example: MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -

Still, the failed tests at checkor and mxtoolbox saying it can be an open relay (and both, according to logs, not being denied at the rcpt stage) concerns me a little -- my telnets block at rcpt stage.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34933585
Why not install ORF and use it for 30 days for free and then find another free trial Anti-Spam software which could buy you some time, get rid of your spam problem and then allow you to try out various products?
LVL 31

Expert Comment

by:MegaNuk3
ID: 34933760
Just see if Sender Filtering satisfies you.
LVL 9

Author Closing Comment

by:Vampireofdarkness
ID: 34954515
Sender Filtering appears to be working fine. I've added a few foreign TLDs as well as we've had some foreign domains sending internal spam. Addresses such as *@*.ru and *@*.tw are now automatically blocked.

Thanks again. Much appreciated.
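Pulling the thread's two checks together as an added example (not code from the thread, from Exchange or from any poster): a Python script that reads the Exchange 2003 SMTP log layout shown in the question, flags MAIL FROM lines that claim ourdomain.co.uk from a client outside our own network (the spoofed 'internal' spam) or that match the asker's Sender Filtering patterns, and records whether the server already answered 554. The LAN ranges, the 198.51.100.7 and 192.168.1.20 addresses and the sample log lines are constructed, and the wildcard matching only approximates Exchange's Sender Filtering.

```python
import re
from fnmatch import fnmatchcase

OUR_DOMAIN = "ourdomain.co.uk"                       # the asker's placeholder domain
SENDER_FILTER = ["*@*.ru", "*@*.it", "*@*.nz", "*@ourdomain.co.uk"]  # patterns the asker configured
INTERNAL_PREFIXES = ("10.", "192.168.")              # assumption: our own LAN ranges (constructed)

# Constructed sample in the Exchange 2003 SMTP (W3C) log layout shown in the question.
# Line 1: foreign host claiming our domain (accepted); line 2: a .ru sender refused with 554
# once filtering was on; line 3: a POP client on our LAN submitting mail; line 4: a non-MAIL line.
SAMPLE_LOG = """\
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-17 09:12:03 198.51.100.7 mail.info-link.ru SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -
2011-02-17 09:15:44 192.168.1.20 - SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 MAIL - +FROM:<pop.user@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
"""

# date time c-ip c-hostname ... +FROM:<sender>[+SIZE=n] sc-status
MAIL_FROM_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) .*?\+FROM:<([^>]*)>\S*\s+(\d{3})\b")

def parse_mail_from(line):
    """(client_ip, client_host, sender, smtp_status) for a MAIL FROM line, else None."""
    m = MAIL_FROM_RE.search(line)
    return (m.group(3), m.group(4), m.group(5).lower(), int(m.group(6))) if m else None

def sender_filter_hit(sender, patterns=SENDER_FILTER):
    """Approximates Sender Filtering's '*' wildcard; compared case-insensitively."""
    return any(fnmatchcase(sender.lower(), p.lower()) for p in patterns)

def is_spoofed_internal(client_ip, sender, our_domain=OUR_DOMAIN):
    """Our domain in MAIL FROM but the connecting client is not on our network."""
    return sender.endswith("@" + our_domain) and not client_ip.startswith(INTERNAL_PREFIXES)

def audit(log_text):
    """One finding per suspicious MAIL FROM: why it was flagged and whether the server already refused it."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_mail_from(line)
        if not parsed:
            continue
        ip, host, sender, status = parsed
        reasons = []
        if is_spoofed_internal(ip, sender):
            reasons.append("spoofed-internal-sender")
        if sender_filter_hit(sender):               # a LAN POP user also trips *@ourdomain.co.uk
            reasons.append("sender-filter-pattern")
        if reasons:
            findings.append({"ip": ip, "host": host, "sender": sender,
                             "rejected": status == 554, "reasons": reasons})
    return findings
```

The third sample line shows the caveat from the accepted answer: a POP client submitting over SMTP from inside the network also matches *@ourdomain.co.uk, so that pattern is only safe when there are no such users.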
LVL 31

Expert Comment

by:MegaNuk3
ID: 34954549
No problem, I am glad sender filtering is giving you some relief.