Solved

Exchange 2003 SMTP (Again!)

Posted on 2011-02-16
14
281 Views
Last Modified: 2012-05-11
This is starting to frustrate me a little.

This is the same server that has had issues before, and is still a server I inherited and did not initially set up. The server is in a different location to me, but I can access it 24/7 via VPN.

Ports 25 and 80 are 'open'. MXToolbox reports that it -may- be an open relay, but only since my last bout of changes (Reference: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26721695.html)

For a week it was absolutely fine. Now we are receiving, luckily I guess, massive 'internal' spam. SMTP Logs say it is coming from an outside source (Russian, New Zealand and Italian IP Addresses and TLDs) but is masking itself as from: user.name@ourdomain.co.uk. For obvious reasons I am removing our domain and IP address information.

Please can someone make sense of this problem and suggest a once and for all fix. I really don't want to have to start blocking each external offending IP Address.

From the code snippet (SMTP Log for one of these emails) you can see it is coming from an external source and looks like it is SMTP'ing through an external box (the DATA), but is showing as sent in our System Manager / Message Tracking Service. It does not show in the user's Sent Items.

The Message ID in System Manager shows SERVER-NAME(random character string)@mail.ourdomain.co.uk for these emails whereas other, legitimate email shows as (garbage string)@sendingdomain.co.uk.

No machines are now left on overnight other than the servers. Both servers have been virus checked and scanned with HJT (nothing suspect).

I totally understand that this is a big ask on an essentially free forum. My next module for my MCSE / MCITP is Exchange 2003 so I'm hoping that I can rebuild this abomination and help others in turn once I'm done!

TIA
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 EHLO - +smtp5.clear.net.nz 250 0 320 23 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) - +FROM:<services@lloydstsb.com> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 DATA - +<0LGP007H44K0KQ50@smtp5.clear.net.nz> 250 0 121 1837 766 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 QUIT - smtp5.clear.net.nz 240 1781 77 4 0 SMTP - - - -

Question by:Vampireofdarkness
14 Comments
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 500 total points
ID: 34913793
Do you have any POP users in your domain? If not, then turn on 'Sender Filtering' so that your server will not accept internet mail from your domain.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34913815
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34913825
Before I do change this, there are some in the SMTP Log for read/delivery notifications that are from ourdomain@.co.uk. Will these be affected by disallowing @ourdomain.co.uk in Sender Filtering?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34913923
Read/delivery notifications are not affected by Sender Filtering.
0
 
LVL 43

Expert Comment

by:Amit
ID: 34914052
You need a 3rd party tool for this. Look for Message Labs or Trend Micro. Exchange doesn't have that many options to do all this.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34914515
Please read my article that MegaNuk3 has posted - you may well be an authenticated relay and if you are, you have an account whose password has been compromised.

You can also check to see if you are an open relay on www.checkor.com - that should advise if you are, as it is a more comprehensive check than mxtoolbox.

Alan
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34919013
I'm doing exactly the same tests as checkor via telnet and my results are different. My results are all showing as '5.5.0 ...', Checkor is showing all EXCEPT the blank from address as going through.  I'm assuming therefore that checkor is using a different method, even though the header is the same:

Checkor: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Thu, 17 Feb 2011 18:15:26 +0000
My Telnet: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 17 Feb 2011 18:34:44 +0000

I should have mentioned in my original post that I already have logs set to maximum and there are no 1708s in the event viewer.
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34919020
Worth noting at this point that I didn't change Sender filtering yet.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34921442
Do you have any Anti-Spam software installed? If not, please have a serious look at Vamsoft ORF and install their 30-day trial version. If you are getting spam, it will kill it pretty much stone dead and should you decide to buy it - it is only $239 per server.
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 34923824
No Anti-Spam software and no budget at the moment to get it - which is a little silly, I know, but it is what I have to work with.

Set up Sender Filtering this morning and so far so good. I've used *@*.ru, *@*.it, *@*.nz and *@ourdomain.co.uk (blocking Russia, Italy, New Zealand and ourdomain.co.uk). We only deal with a small section of the UK, so no legitimate mail is expected from RU/IT/NZ. So far, in the last 40 minutes, about 10 '554' responses.

Example: MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -

Still, the failed tests at checkor and mxtoolbox saying it can be an open relay (and both, according to logs, not being denied at the rcpt stage) concerns me a little -- my telnets block at rcpt stage.
0
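An added triage script (not from the thread, and not an Exchange or IIS tool) that reads SMTP service log lines in the W3C layout quoted in the question and in the 554 example above: it flags MAIL FROM addresses claiming ourdomain.co.uk that arrive from a client IP outside the LAN (the spoofed 'internal' spam), applies the Sender Filtering patterns listed in this thread to each sender, and tallies the reply codes the server actually returned. The LAN range, the sample log lines and their IP addresses are constructed assumptions.

```python
import fnmatch, ipaddress, re
from collections import Counter

OUR_DOMAIN = "ourdomain.co.uk"                            # placeholder domain from the question
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the site's LAN range
SENDER_FILTERS = ["*@*.ru", "*@*.it", "*@*.nz", "*@ourdomain.co.uk"]  # patterns used in the thread
FROM_RE = re.compile(r"\+FROM:<([^>]*)>")  # cs-uri-query field of a MAIL FROM line
# Constructed sample log in the question's field layout; documentation-range IPs, fake server IP.
SAMPLE_LOG = """\
2011-02-16 06:00:17 198.51.100.23 - SMTPSVC1 SERVER-NAME (192.168.1.10) 0 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 198.51.100.23 - SMTPSVC1 SERVER-NAME (192.168.1.10) 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-17 09:12:03 192.168.1.55 - SMTPSVC1 SERVER-NAME (192.168.1.10) 0 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-18 10:41:50 192.0.2.44 - SMTPSVC1 SERVER-NAME (192.168.1.10) 0 MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -
2011-02-18 10:42:11 203.0.113.7 - SMTPSVC1 SERVER-NAME (192.168.1.10) 0 MAIL - +FROM:<services@lloydstsb.com> 250 0 47 44 0 SMTP - - - -
"""

def parse_mail_from(line):
    """(client_ip, sender, reply_code) for a MAIL FROM line, else None. Scans for the
    +FROM: field rather than a fixed column: the MAIL line quoted in the question lacks its column."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        m = FROM_RE.match(tok)
        if m and i >= 3:
            return tokens[2], m.group(1).lower(), tokens[i + 1] if i + 1 < len(tokens) else ""
    return None

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # '-' or a hostname in the c-ip column
        return False

def sender_filtered(sender):
    # Sender Filtering globs (*@domain, *@*.tld) behave like shell globs on the lowercased address.
    # Only the address is checked; whether an authenticated (e.g. POP) submission bypasses
    # the filter, the question raised in the accepted answer, is not modelled here.
    return any(fnmatch.fnmatchcase(sender, p) for p in SENDER_FILTERS)

def triage(log_text):
    """Per MAIL FROM line: spoofed-internal senders from outside, filter hits, reply codes."""
    spoofed, would_block, codes = [], [], Counter()
    for line in log_text.splitlines():
        parsed = parse_mail_from(line)
        if parsed is None:
            continue
        ip, sender, code = parsed
        codes[code] += 1
        if sender.endswith("@" + OUR_DOMAIN) and not is_internal(ip):
            spoofed.append((ip, sender))  # claims our domain but came in from the internet
        if sender_filtered(sender):
            would_block.append(sender)
    return {"spoofed": spoofed, "would_block": would_block, "codes": codes}
```

Note that the lloydstsb.com sender in the sample is not caught by any of the thread's patterns, which is why the filter removes the internal-domain spoofing and the listed TLDs but not every phishing message.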
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34933585
Why not install ORF and use it for 30 days for free and then find another free trial Anti-Spam software which could buy you some time, get rid of your spam problem and then allow you to try out various products?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34933760
Just see if Sender Filtering satisfies you.
0
 
LVL 9

Author Closing Comment

by:Vampireofdarkness
ID: 34954515
Sender Filtering appears to be working fine. I've added a few foreign TLDs as well as we've had some foreign domains sending internal spam. Addresses such as *@*.ru and *@*.tw are now automatically blocked.

Thanks again. Much appreciated.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34954549
No problem, I am glad sender filtering is giving you some relief.
0
