Exchange 2003 SMTP (Again!)

This is starting to frustrate me a little.

This is the same server that has had issues before, and is still a server I inherited and did not initially set up. The server is in a different location to me, but I can access it 24/7 via VPN.

Ports 25 and 80 are 'open'. MXToolbox reports that it -may- be an open relay, but only since my last bout of changes (Reference: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26721695.html)

For a week it was absolutely fine. Now we are receiving, luckily I guess, massive 'internal' spam. SMTP Logs say it is coming from an outside source (Russian, New Zealand and Italian IP Addresses and TLDs) but is masking itself as from: user.name@ourdomain.co.uk. For obvious reasons I am removing our domain and IP address information.

Please can someone make sense of this problem and suggest a once and for all fix. I really don't want to have to start blocking each external offending IP Address.

From the code snippet (SMTP Log for one of these emails) you can see it is coming from an external source and looks like it is SMTP'ing through an external box (the DATA), but is showing as sent in our System Manager / Message Tracking Service. It does not show in the user's Sent Items.

The Message ID in System Manager shows SERVER-NAME(random character string)@mail.ourdomain.co.uk for these emails whereas other, legitimate email shows as (garbage string)@sendingdomain.co.uk.

No machines are now left on overnight other than the servers. Both servers have been virus checked and scanned with HJT (nothing suspect).

I totally understand that this is a big ask on an essentially free forum. My next module for my MCSE / MCITP is Exchange 2003, so I'm hoping that I can rebuild this abomination and help others in turn once I'm done!

TIA
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 EHLO - +smtp5.clear.net.nz 250 0 320 23 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) - +FROM:<services@lloydstsb.com> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 DATA - +<0LGP007H44K0KQ50@smtp5.clear.net.nz> 250 0 121 1837 766 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 QUIT - smtp5.clear.net.nz 240 1781 77 4 0 SMTP - - - -

Asked by: Vampireofdarkness
1 Solution
 
MegaNuk3Commented:
Do you have any POP users in your domain? If not, then turn on 'Sender Filtering' so that your server will not accept internet mail from your domain.

Vampireofdarkness (Author) commented:
Before I do change this, there are some in the SMTP Log for read/delivery notifications that are from ourdomain@.co.uk. Will these be affected by disallowing @ourdomain.co.uk in Sender Filtering?

MegaNuk3 commented:
Read/delivery notifications are not affected by Sender Filtering.

Amit (IT Architect) commented:
You need a 3rd-party tool for this. Look at Message Labs or Trend Micro. Exchange doesn't have many options to do all this.

Alan Hardisty commented:
Please read my article that MegaNuk3 has posted - you may well be an authenticated relay and if you are, you have an account whose password has been compromised.

You can also check to see if you are an open relay on www.checkor.com - that should advise if you are, as it is a more comprehensive check than mxtoolbox.

Alan
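Two of the checks raised so far, in the question (MAIL FROM claiming our own domain but arriving from an outside IP) and in Alan's reply (relaying through an authenticated account whose password has been compromised), can be run straight over the IIS SMTP protocol log rather than read by eye. The following is an added example, not code from the thread or from Microsoft. It assumes the W3C field layout of the log pasted in the question, placeholder values for the local domain and the internal address ranges, and that a successful AUTH is logged as an AUTH line answered with reply 235 (an assumption to verify against your own log); the sample log lines are constructed, and the last of them reproduces the dropped tokens seen in the question's paste.

```python
"""Triage an Exchange 2003 / IIS SMTP protocol log (W3C extended format).
Added example, not code from the thread or from Microsoft."""
import ipaddress
import re
from collections import Counter

# Assumed placeholders (not from the thread): the local mail domain and the
# address ranges treated as "inside" the network.
LOCAL_DOMAIN = "ourdomain.co.uk"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "AUTH", "RSET", "QUIT"}
# cs-uri-query carries the command argument: "+FROM:<a@b>+SIZE=1484", "+TO:<c@d>"
ADDR_RE = re.compile(r"^\+(FROM|TO):<([^>]*)>", re.IGNORECASE)
STATUS_RE = re.compile(r"^[2-5]\d\d$")  # the SMTP reply code (sc-status)

# Constructed sample log. The last line copies the paste in the question,
# where the s-port and cs-method tokens of the MAIL line were lost.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 192.168.1.5 0 EHLO - +smtp5.clear.net.nz 250 0 320 23 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 192.168.1.5 0 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 192.168.1.5 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:05:02 192.168.1.20 workstation7 SMTPSVC1 SERVER-NAME 192.168.1.5 0 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:09:40 198.51.100.23 mx.example.net SMTPSVC1 SERVER-NAME 192.168.1.5 0 MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -
2011-02-16 06:12:11 198.51.100.77 spammer-host SMTPSVC1 SERVER-NAME 192.168.1.5 0 AUTH - +LOGIN 235 0 20 30 0 SMTP - - - -
2011-02-16 06:12:12 198.51.100.77 spammer-host SMTPSVC1 SERVER-NAME 192.168.1.5 - +FROM:<someone@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
"""


def parse_line(line):
    """Return a record for one log line, or None for blank and '#' header lines.

    Fields are located by content (the SMTP verb, the +FROM:/+TO: argument and
    the reply code that follows it) rather than by fixed column, so lines with
    dropped tokens, as in the question's paste, are still understood."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    if len(tokens) < 5:
        return None
    rec = {"time": f"{tokens[0]} {tokens[1]}", "client_ip": tokens[2],
           "verb": None, "address": None, "status": None}
    anchor = None
    for i, tok in enumerate(tokens[3:], start=3):
        m = ADDR_RE.match(tok)
        if m:
            rec["verb"] = "MAIL" if m.group(1).upper() == "FROM" else "RCPT"
            rec["address"] = m.group(2).lower()
            anchor = i
            break
        if tok.upper() in VERBS and anchor is None:
            rec["verb"] = tok.upper()
            anchor = i
    if anchor is not None:
        for tok in tokens[anchor + 1:]:
            if STATUS_RE.match(tok):
                rec["status"] = int(tok)
                break
    return rec


def is_internal(ip):
    """True when the client IP falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def spoofed_local_senders(lines):
    """(client_ip, address) for accepted MAIL FROM commands that claim
    LOCAL_DOMAIN while coming from an external IP: the 'internal' spam."""
    hits = []
    for rec in map(parse_line, lines):
        if not rec or rec["verb"] != "MAIL" or rec["address"] is None:
            continue
        domain = rec["address"].rpartition("@")[2]
        if (domain == LOCAL_DOMAIN and rec["status"] == 250
                and not is_internal(rec["client_ip"])):
            hits.append((rec["client_ip"], rec["address"]))
    return hits


def authenticated_clients(lines):
    """Count successful AUTH (reply 235) per client IP. An outside IP here is
    the authenticated-relay case: a mailbox password has been compromised."""
    return Counter(rec["client_ip"] for rec in map(parse_line, lines)
                   if rec and rec["verb"] == "AUTH" and rec["status"] == 235)


def rejected_sender_domains(lines):
    """Count sender domains refused with 554, the Sender Filtering reply."""
    return Counter(rec["address"].rpartition("@")[2]
                   for rec in map(parse_line, lines)
                   if rec and rec["verb"] == "MAIL" and rec["address"]
                   and rec["status"] == 554)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("spoofed local senders:", spoofed_local_senders(lines))
    print("authenticated clients:", dict(authenticated_clients(lines)))
    print("554 by sender domain:", dict(rejected_sender_domains(lines)))
```

Run it against a real day's log with `spoofed_local_senders(open(path).read().splitlines())`; any external IP that also shows up in `authenticated_clients` is the account to reset first, whereas hits with no AUTH at all point at plain sender spoofing, which is what Sender Filtering addresses.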

Vampireofdarkness (Author) commented:
I'm doing exactly the same tests as checkor via telnet and my results are different. My results are all showing as '5.5.0 ...'; Checkor is showing all EXCEPT the blank from address as going through. I'm assuming therefore that checkor is using a different method, even though the header is the same:

Checkor: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Thu, 17 Feb 2011 18:15:26 +0000
My Telnet: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 17 Feb 2011 18:34:44 +0000

I should have mentioned in my original post that I already have logs set to maximum and there are no 1708s in the event viewer.

Vampireofdarkness (Author) commented:
Worth noting at this point that I didn't change Sender filtering yet.

Alan Hardisty commented:
Do you have any Anti-Spam software installed? If not, please have a serious look at Vamsoft ORF and install their 30-day trial version. If you are getting spam, it will kill it pretty much stone dead, and should you decide to buy it, it is only $239 per server.

Vampireofdarkness (Author) commented:
No Anti-Spam software and no budget at the moment to get it - which is a little silly, I know, but it is what I have to work with.

Set up Sender Filtering this morning and so far so good. I've used *@*.ru, *@*.it, *@*.nz and *@ourdomain.co.uk (blocking Russia, Italy, New Zealand and ourdomain.co.uk). We only deal with a small section of the UK, so no legitimate mail is expected from RU/IT/NZ. So far, in the last 40 minutes, about 10 '554' responses.

Example: MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -

Still, the failed tests at checkor and mxtoolbox saying it can be an open relay (and both, according to logs, not being denied at the rcpt stage) concerns me a little -- my telnets block at rcpt stage.
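To make concrete what the wildcard rules in the post above do, and why MegaNuk3's earlier point that read/delivery notifications are unaffected holds, here is an added example that models the Sender Filtering match; it is not code from the thread or from Exchange. It assumes that '*' is the only wildcard in a rule, that a rule must match the whole address, and that the blank-sender option mirrors the separate 'Filter messages with blank sender' checkbox on the Exchange 2003 Sender Filtering tab (left off here, as it is by default); the addresses tested are taken from the thread or constructed.

```python
"""Model of Exchange 2003 Sender Filtering wildcard rules.
Added example, not code from the thread or from Exchange itself."""
import re


def pattern_to_regex(pattern):
    """Translate a rule such as '*@*.ru' into an anchored, case-insensitive
    regex. Only '*' is a wildcard (assumption); everything else is literal."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class SenderFilter:
    """Decide whether a MAIL FROM address is refused by the configured rules.

    block_blank_sender models the separate 'Filter messages with blank
    sender' checkbox; it is off by default, so '<>' passes unless enabled."""

    def __init__(self, patterns, block_blank_sender=False):
        self.rules = [(p, pattern_to_regex(p)) for p in patterns]
        self.block_blank_sender = block_blank_sender

    @staticmethod
    def normalise(mail_from):
        """Accept 'user@host', '<user@host>' or the raw 'FROM:<user@host>'
        form and return the bare, lower-cased address ('' for '<>')."""
        addr = mail_from.strip()
        if addr.upper().startswith("FROM:"):
            addr = addr[5:]
        return addr.strip().strip("<>").strip().lower()

    def match(self, mail_from):
        """Return the first rule that matches, or None if the sender passes.

        Delivery status notifications (bounces) use the null reverse-path
        '<>', which no address rule can match, so a '*@ourdomain.co.uk' rule
        does not touch them."""
        addr = self.normalise(mail_from)
        if addr == "":
            return "<blank sender>" if self.block_blank_sender else None
        for pattern, regex in self.rules:
            if regex.match(addr):
                return pattern
        return None

    def reply(self, mail_from):
        """SMTP reply code to MAIL FROM: 554 when a rule hits, 250 otherwise."""
        return 554 if self.match(mail_from) is not None else 250


if __name__ == "__main__":
    rules = ["*@*.ru", "*@*.it", "*@*.nz", "*@ourdomain.co.uk"]
    f = SenderFilter(rules)
    for sender in ("FROM:<HilariaDyser6043@info-link.ru>",   # the 554 from the thread
                   "user.name@ourdomain.co.uk",              # spoofed local sender
                   "<>",                                     # bounce: passes
                   "bob@ru.example.com",                     # '.ru' not a suffix: passes
                   "x@mail.ourdomain.co.uk"):                # subdomain: passes (see note)
        print(f"{sender:45} -> {f.reply(sender)} {f.match(sender) or ''}")
```

One consequence worth knowing before relying on '*@ourdomain.co.uk' alone: it only matches the exact domain, so a sender forged as 'x@mail.ourdomain.co.uk' walks past it unless a second rule such as '*@*.ourdomain.co.uk' is added; likewise '*@*.ru' catches only addresses whose domain ends in '.ru', not a '.ru' appearing elsewhere in the name.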

Alan Hardisty commented:
Why not install ORF and use it for 30 days for free and then find another free trial Anti-Spam software which could buy you some time, get rid of your spam problem and then allow you to try out various products?

MegaNuk3 commented:
Just see if Sender Filtering satisfies you.

Vampireofdarkness (Author) commented:
Sender Filtering appears to be working fine. I've added a few foreign TLDs as well as we've had some foreign domains sending internal spam. Addresses such as *@*.ru and *@*.tw are now automatically blocked.

Thanks again. Much appreciated.

MegaNuk3 commented:
No problem, I am glad sender filtering is giving you some relief.