Solved

Exchange 2003 SMTP (Again!)

Posted on 2011-02-16
Last Modified: 2012-05-11
This is starting to frustrate me a little.

This is the same server that has had issues before, and is still a server I inherited and did not initially set up. The server is in a different location from me, but I can access it 24/7 via VPN.

Ports 25 and 80 are 'open'. MXToolbox reports that it -may- be an open relay, but only since my last bout of changes (Reference: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26721695.html)

For a week it was absolutely fine. Now we are receiving, luckily I guess, massive 'internal' spam. SMTP Logs say it is coming from an outside source (Russian, New Zealand and Italian IP Addresses and TLDs) but is masking itself as from: user.name@ourdomain.co.uk. For obvious reasons I am removing our domain and IP address information.

Please can someone make sense of this problem and suggest a once and for all fix. I really don't want to have to start blocking each external offending IP Address.

From the code snippet (SMTP Log for one of these emails) you can see it is coming from an external source and looks like it is SMTP'ing through an external box (the DATA), but is showing as sent in our System Manager / Message Tracking Service. It does not show in the user's Sent Items.

The Message ID in System Manager shows SERVER-NAME(random character string)@mail.ourdomain.co.uk for these emails whereas other, legitimate email shows as (garbage string)@sendingdomain.co.uk.

No machines are now left on overnight other than the servers. Both servers have been virus checked and scanned with HJT (nothing suspect).

I totally understand that this is a big ask on an essentially free forum. My next module for my MCSE / MCITP is Exchange 2003, so I'm hoping that I can rebuild this abomination and help others in turn once I'm done!

TIA
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 EHLO - +smtp5.clear.net.nz 250 0 320 23 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) - +FROM:<services@lloydstsb.com> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 DATA - +<0LGP007H44K0KQ50@smtp5.clear.net.nz> 250 0 121 1837 766 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME (server.internal.ip.address) 0 QUIT - smtp5.clear.net.nz 240 1781 77 4 0 SMTP - - - -


Question by: Vampireofdarkness

14 Comments
Accepted Solution by: MegaNuk3 (earned 500 total points)
Do you have any POP users in your domain? If not, then turn on 'Sender Filtering' so that your server will not accept internet mail from your domain.

Expert Comment by: MegaNuk3

Author Comment by: Vampireofdarkness
Before I do change this, there are some in the SMTP Log for read/delivery notifications that are from @ourdomain.co.uk. Will these be affected by disallowing @ourdomain.co.uk in Sender Filtering?

Expert Comment by: MegaNuk3
Read/delivery notifications are not affected by Sender Filtering.

Expert Comment by: Amit
You need a 3rd-party tool for this. Look at Message Labs or Trend Micro. Exchange doesn't have that many options to do all this.

Expert Comment by: Alan Hardisty
Please read my article that MegaNuk3 has posted - you may well be an authenticated relay and if you are, you have an account whose password has been compromised.

You can also check to see if you are an open relay on www.checkor.com - that should advise if you are, as it is a more comprehensive check than mxtoolbox.

Alan

Author Comment by: Vampireofdarkness
I'm doing exactly the same tests as checkor via telnet and my results are different. My results are all showing as '5.5.0 ...', Checkor is showing all EXCEPT the blank from address as going through.  I'm assuming therefore that checkor is using a different method, even though the header is the same:

Checkor: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Thu, 17 Feb 2011 18:15:26 +0000
My Telnet: 220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 17 Feb 2011 18:34:44 +0000

I should have mentioned in my original post that I already have logs set to maximum and there are no 1708s in the event viewer.
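The relay test that checkor and the manual telnet session above both perform, written out as an added example (this is not code from the thread or from checkor). It drives the SMTP conversation through a small transport object so it can run offline against a scripted stand-in for the server; the host names, the recipient domain and the scripted replies are constructed, with the reply texts following the wording Exchange 2003 uses.

```python
"""Added example, not code from the thread: the open-relay test that checkor and
a manual telnet session both perform (EHLO, MAIL FROM, RCPT TO an outside
domain), driven through a transport object so it can run offline against a
scripted stand-in for the server. Host names, addresses and the scripted
replies are constructed; the reply texts follow the Exchange 2003 wording."""
import socket


class ScriptedTransport:
    """Offline stand-in for a port-25 connection: replies are served in order,
    and the commands the probe sends are recorded for inspection."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.commands = []

    def send(self, line):
        self.commands.append(line)

    def recv(self):
        return self.replies.pop(0)


class SocketTransport:
    """Real TCP transport. Run it from a host outside your network, as checkor
    does; relay rules in Exchange can depend on the connecting IP and on
    authentication, so a test from inside may not show what the internet sees."""
    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace")

    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def recv(self):
        return self.rfile.readline().rstrip("\r\n")


def smtp_code(reply):
    """Numeric code of a reply line, e.g. '550 5.7.1 Unable to relay for x' -> 550."""
    return int(reply[:3])


def probe_relay(transport, helo_name, mail_from, rcpt_to):
    """Return (open_relay, transcript). Only the RCPT TO reply decides: a 250 for
    a domain the server is not responsible for means it relays for this sender."""
    transcript = []

    def command(line):
        transport.send(line)
        transcript.append(">> " + line)
        while True:                                # drain multi-line replies (250-...)
            reply = transport.recv()
            transcript.append("<< " + reply)
            if len(reply) < 4 or reply[3] != "-":
                return reply

    banner = transport.recv()
    transcript.append("<< " + banner)
    if smtp_code(banner) != 220:
        return False, transcript
    command("EHLO " + helo_name)
    if smtp_code(command(f"MAIL FROM:<{mail_from}>")) != 250:
        command("QUIT")                            # sender refused, e.g. Sender Filtering 554
        return False, transcript
    rcpt = command(f"RCPT TO:<{rcpt_to}>")
    command("QUIT")
    return smtp_code(rcpt) == 250, transcript


# Sender variants a relay checker tries: some servers relay only when the envelope
# sender looks local, or only for the null sender, so each one is tested separately.
SENDER_VARIANTS = {
    "outside sender": "probe@example.net",
    "local-domain sender": "user.name@ourdomain.co.uk",   # spoofed internal, as in the thread
    "blank sender": "",
}


def run_relay_tests(transport_factory, helo_name, rcpt_to):
    """Probe once per sender variant on a fresh connection; returns {variant: open?}."""
    return {name: probe_relay(transport_factory(), helo_name, sender, rcpt_to)[0]
            for name, sender in SENDER_VARIANTS.items()}


# Constructed replies in Exchange 2003 wording. CLOSED refuses the outside recipient.
CLOSED_RELAY = [
    "220 mail.ourdomain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Thu, 17 Feb 2011 18:34:44 +0000",
    "250-mail.ourdomain.co.uk Hello [203.0.113.9]", "250-SIZE", "250 OK",
    "250 2.1.0 probe@example.net....Sender OK",
    "550 5.7.1 Unable to relay for victim@example.org",
    "221 2.0.0 mail.ourdomain.co.uk Service closing transmission channel",
]
OPEN_RELAY = CLOSED_RELAY[:5] + ["250 2.1.5 victim@example.org"] + CLOSED_RELAY[6:]

if __name__ == "__main__":
    for label, script in (("closed", CLOSED_RELAY), ("open", OPEN_RELAY)):
        is_open, lines = probe_relay(ScriptedTransport(script), "probe.example.net",
                                     "probe@example.net", "victim@example.org")
        print(label, "-> open relay:", is_open)
        print("\n".join(lines))
    # Against a real server, from an outside host (not run here, no network):
    # run_relay_tests(lambda: SocketTransport("mail.ourdomain.co.uk"), "probe.example.net", "victim@example.org")
```

The point the probe makes explicit is that "open relay" is decided at RCPT TO for a domain the server is not authoritative for; a 250 to MAIL FROM, or a 250 to RCPT TO for your own domain, is normal and proves nothing. Run the probe from outside, as checkor does, and run it once per sender variant, since a server can relay for a local-looking or blank sender while refusing an obviously foreign one.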

Author Comment by: Vampireofdarkness
Worth noting at this point that I didn't change Sender filtering yet.

Expert Comment by: Alan Hardisty
Do you have any Anti-Spam software installed? If not, please have a serious look at Vamsoft ORF and install their 30-day trial version. If you are getting spam, it will kill it pretty much stone dead, and should you decide to buy it, it is only $239 per server.

Author Comment by: Vampireofdarkness
No Anti-Spam software and no budget at the moment to get it - which is a little silly, I know, but it is what I have to work with.

Set up Sender Filtering this morning and so far so good. I've used *@*.ru, *@*.it, *@*.nz and *@ourdomain.co.uk (blocking Russia, Italy, New Zealand and ourdomain.co.uk). We only deal with a small section of the UK, so no legitimate mail is expected from RU/IT/NZ. So far, in the last 40 minutes, about ten 554 responses.

Example: MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -

Still, the failed tests at checkor and mxtoolbox saying it can be an open relay (and both, according to logs, not being denied at the rcpt stage) concerns me a little -- my telnets block at rcpt stage.
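An added example, not code from the thread, that covers two things discussed above: reading the SMTP log lines of the kind shown in the question, and the Sender Filtering wildcards from the previous comment. It rebuilds each SMTP session from the W3C-format log, flags messages that claim an @ourdomain.co.uk sender but arrive from an outside client IP, and reports what the wildcard rules answer at MAIL FROM. The domain is the placeholder used in the thread; the LAN range, the 10.x and 203.0.113.x addresses and the log lines themselves are constructed.

```python
"""Added example, not code from the thread: replay Exchange 2003 / IIS SMTP
W3C log lines like the ones in the question, rebuild each session's envelope,
flag messages that claim an @ourdomain.co.uk sender but arrive from an outside
IP, and show what the Sender Filtering wildcards from the thread answer at
MAIL FROM. Domain, LAN range, IPs and log lines are constructed placeholders."""
import fnmatch
import ipaddress
import re

OUR_DOMAIN = "ourdomain.co.uk"                        # placeholder used in the thread
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the site's LAN range
# Wildcards as typed into ESM > Global Settings > Message Delivery > Sender Filtering
BLOCKED_SENDERS = ["*@*.ru", "*@*.it", "*@*.nz", "*@" + OUR_DOMAIN]

# Constructed log lines in the W3C layout of the post (server IP/port filled in):
# date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method
# cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken ...
SAMPLE_LOG = """\
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 10.0.0.5 25 EHLO - +smtp5.clear.net.nz 250 0 320 23 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 10.0.0.5 25 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:00:17 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 10.0.0.5 25 RCPT - +TO:<user.name@ourdomain.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 10.0.0.5 25 DATA - +<0LGP007H44K0KQ50@smtp5.clear.net.nz> 250 0 121 1837 766 SMTP - - - -
2011-02-16 06:00:18 203.97.33.68 smtp5.clear.net.nz SMTPSVC1 SERVER-NAME 10.0.0.5 25 QUIT - smtp5.clear.net.nz 240 1781 77 4 0 SMTP - - - -
2011-02-16 06:05:02 10.0.0.20 - SMTPSVC1 SERVER-NAME 10.0.0.5 25 EHLO - +pc20.ourdomain.local 250 0 320 23 0 SMTP - - - -
2011-02-16 06:05:02 10.0.0.20 - SMTPSVC1 SERVER-NAME 10.0.0.5 25 MAIL - +FROM:<user.name@ourdomain.co.uk> 250 0 47 44 0 SMTP - - - -
2011-02-16 06:05:02 10.0.0.20 - SMTPSVC1 SERVER-NAME 10.0.0.5 25 RCPT - +TO:<customer@example.co.uk> 250 0 0 67 62 SMTP - - - -
2011-02-16 06:05:03 10.0.0.20 - SMTPSVC1 SERVER-NAME 10.0.0.5 25 DATA - +<abc123@mail.ourdomain.co.uk> 250 0 121 900 500 SMTP - - - -
2011-02-16 06:05:03 10.0.0.20 - SMTPSVC1 SERVER-NAME 10.0.0.5 25 QUIT - pc20.ourdomain.local 240 1400 77 4 0 SMTP - - - -
2011-02-16 06:09:41 203.0.113.7 info-link.ru SMTPSVC1 SERVER-NAME 10.0.0.5 25 EHLO - +info-link.ru 250 0 320 23 0 SMTP - - - -
2011-02-16 06:09:41 203.0.113.7 info-link.ru SMTPSVC1 SERVER-NAME 10.0.0.5 25 MAIL - +FROM:<HilariaDyser6043@info-link.ru>+SIZE=1484 554 0 25 51 0 SMTP - - - -
2011-02-16 06:09:41 203.0.113.7 info-link.ru SMTPSVC1 SERVER-NAME 10.0.0.5 25 QUIT - info-link.ru 240 500 77 4 0 SMTP - - - -
"""

ADDR_RE = re.compile(r"<([^>]*)>")
W3C_FIELDS = ("date", "time", "client_ip", "client_name", "site", "server",
              "server_ip", "server_port", "method", "stem", "query", "status")


def parse_line(line):
    """Map the leading W3C fields of one log line to names; status becomes an int."""
    rec = dict(zip(W3C_FIELDS, line.split()))
    rec["status"] = int(rec["status"])
    return rec


def envelope_addr(query):
    """cs-uri-query holds +FROM:<a@b> or +TO:<a@b>; return the address, '' for the null sender <>."""
    m = ADDR_RE.search(query)
    return m.group(1).lower() if m else ""


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def sender_filter_response(mail_from, patterns=BLOCKED_SENDERS):
    """What Sender Filtering answers at MAIL FROM: 554 on a wildcard match, else 250.
    The null reverse path <> that bounces use never matches an address pattern."""
    addr = mail_from.lower()
    if addr and any(fnmatch.fnmatchcase(addr, p.lower()) for p in patterns):
        return 554
    return 250


def rebuild_sessions(log_text):
    """Walk the log in order keeping one in-flight envelope per client IP
    (the IIS log carries no session id, so c-ip is the only join key)."""
    inflight, messages = {}, []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ip, method = rec["client_ip"], rec["method"]
        if method == "MAIL":
            msg = {"time": rec["date"] + " " + rec["time"], "client_ip": ip,
                   "mail_from": envelope_addr(rec["query"]), "rcpt_to": [],
                   "accepted": False}
            if rec["status"] == 250:
                inflight[ip] = msg
            else:                       # e.g. 554 from Sender Filtering: no RCPT/DATA follow
                messages.append(msg)
        elif method == "RCPT" and ip in inflight and rec["status"] == 250:
            inflight[ip]["rcpt_to"].append(envelope_addr(rec["query"]))
        elif method == "DATA" and ip in inflight:
            msg = inflight.pop(ip)
            msg["accepted"] = rec["status"] == 250
            messages.append(msg)
        elif method == "QUIT":
            inflight.pop(ip, None)      # session ended without a completed DATA
    return messages


def classify(msg):
    """SPOOFED-INTERNAL: our domain in MAIL FROM, outside client IP, message accepted."""
    domain = msg["mail_from"].rpartition("@")[2]
    if msg["accepted"] and domain == OUR_DOMAIN and not is_internal(msg["client_ip"]):
        return "SPOOFED-INTERNAL"
    return "accepted" if msg["accepted"] else "rejected"


def report(log_text):
    """One (label, client_ip, mail_from, recipients) row per message, in log order."""
    return [(classify(m), m["client_ip"], m["mail_from"] or "<>", tuple(m["rcpt_to"]))
            for m in rebuild_sessions(log_text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
    for addr in ("services@lloydstsb.com", "user.name@ourdomain.co.uk", ""):
        print(f"MAIL FROM:<{addr}> -> {sender_filter_response(addr)}")
```

Two caveats the matcher makes visible. The wildcards are compared with the envelope sender, which is why the 554 in the log line above sits on the MAIL command; a session like the one in the question, where an smtp5.clear.net.nz host sends MAIL FROM:<services@lloydstsb.com>, is not touched by *@*.nz because the pattern never looks at the connecting host. And *@ourdomain.co.uk rejects every outside source that sends as your domain, which is exactly the check behind the POP-user question in the accepted answer: a scanner, web form or POP client on the internet that submits mail as a user of your domain will start seeing 554 as well.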
 
Expert Comment by: Alan Hardisty
Why not install ORF and use it for 30 days for free and then find another free trial Anti-Spam software which could buy you some time, get rid of your spam problem and then allow you to try out various products?

Expert Comment by: MegaNuk3
Just see if Sender Filtering satisfies you.

Author Closing Comment by: Vampireofdarkness
Sender Filtering appears to be working fine. I've added a few foreign TLDs as well as we've had some foreign domains sending internal spam. Addresses such as *@*.ru and *@*.tw are now automatically blocked.

Thanks again. Much appreciated.

Expert Comment by: MegaNuk3
No problem, I am glad sender filtering is giving you some relief.