• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 359

spam relay issue with exchange 2003

Hi, we have been having an issue with our Exchange 2003 server acting as an external SMTP relay for spammers.
I have tried to block it for external access, but in the process we stop getting emails.
Can you advise me how to do this properly?

Thanks
Asked: total123
1 Solution
 
PapertripCommented:
Check this link out.
 
RadweldCommented:
Have a look at this blog, it's pretty straightforward to fix

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm
 
ingeticCommented:
Microsoft TechNet:

http://technet.microsoft.com/en-us/library/aa996446(EXCHG.65).aspx

Relaying is the ability to forward mail to domains other than your own. More specifically, relaying occurs when an inbound connection to your SMTP server is used to send e-mail messages to external domains. By default, your Exchange server accepts mail submitted by internal or authenticated users and sends it to an external domain. If your server is open for relaying, or if relaying is unsecured on your server, unauthorized users can use your server to send unsolicited commercial e-mail (spam). Therefore, to secure your SMTP virtual server, it is crucial that you set relay restrictions.

It is important to understand the difference between authenticated relaying and anonymous or open relaying:

Authenticated relaying: Authenticated relaying allows your internal users to send mail to domains outside of your Exchange organization, but requires authentication before the mail is sent. By default, Exchange allows only authenticated relaying.

Anonymous relaying: Anonymous relaying allows any user to connect to your Exchange server and use it to send mail outside your Exchange organization.

The following examples demonstrate how Exchange Server 2003 accepts and relays mail by using authenticated relaying:

1. An anonymous user connects to the SMTP virtual server and attempts to deliver mail to an internal user in the Exchange organization.
   In this situation, the SMTP virtual server accepts the message because it is destined for an internal domain and because the user exists in Active Directory.

2. An anonymous user connects to the SMTP virtual server and attempts to deliver mail to an external user in an external domain.
   In this situation, the SMTP virtual server rejects the mail because it is destined for an external domain for which the Exchange server is not responsible. Because the user is not authenticated, the SMTP virtual server does not relay this mail outside of the Exchange organization.

3. A user connects to the SMTP virtual server using a Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) client (for example, Microsoft Outlook® Express), authenticates, and then attempts to send a message to a user in an external domain.
   In this situation, the e-mail client connects directly to the SMTP virtual server and authenticates the user. Although the message is destined for a remote domain, the SMTP virtual server accepts and relays this mail because the user is authenticated.

By using the relay control features of Exchange Server 2003, you can prevent third parties from relaying mail through your server. Relay control allows you to specify a list of incoming remote IP address and subnet mask pairs that have permission to relay mail through your server. Exchange checks an incoming SMTP client's IP address against the list of IP networks that are allowed to relay mail. If the client is not allowed to relay mail, only mail that is addressed to local recipients is allowed. You can also implement relay control by domain. However, this approach requires the implementation of reverse DNS resolution, which is controlled at the SMTP virtual server level.

Configuring Default Relay Restrictions

By default, the SMTP virtual server allows relaying only from authenticated users. This configuration is designed to prevent unauthorized users from using your Exchange server to relay mail. The virtual server's default configuration allows only authenticated computers to relay mail.
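To make the three TechNet scenarios above concrete, here is a small Python model of the decision a relay-restricted SMTP virtual server makes on each RCPT TO. It is an added illustration for this thread, not code from the TechNet article or from Exchange itself; the RelayPolicy class, the example.com / example.net domains, the documentation addresses and the 192.168.1.0/24 relay list entry are assumptions. It also shows what happens when a catch-all entry is put on the relay list, which is the open-relay mistake the article warns about.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed model of the relay settings named above; an illustration of the
# policy, not Exchange's own API or code.
@dataclass
class RelayPolicy:
    local_domains: set                        # domains this server is authoritative for
    allowed_networks: list = field(default_factory=list)  # "Only the list below" entries
    allow_authenticated: bool = True          # "Allow all computers which successfully authenticate to relay"


def relay_decision(policy, client_ip, authenticated, rcpt):
    """Return the SMTP reply the virtual server gives to RCPT TO:<rcpt>."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in policy.local_domains:
        # Scenario 1: mail for a local domain is accepted even from anonymous
        # callers; this is why anonymous access must stay enabled for Internet mail.
        return "250 2.1.5 " + rcpt
    # The recipient is external, so this is a relay request.
    if authenticated and policy.allow_authenticated:
        # Scenario 3: an authenticated POP/IMAP client may relay.
        return "250 2.1.5 " + rcpt
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in policy.allowed_networks):
        # The client address was explicitly granted relay rights on the list.
        return "250 2.1.5 " + rcpt
    # Scenario 2: anonymous client, external recipient, not on the list.
    return "550 5.7.1 Unable to relay for " + rcpt


def run_scenarios(policy=None):
    """Evaluate the four cases a relay-restricted server should distinguish."""
    policy = policy or RelayPolicy({"example.com"}, ["192.168.1.0/24"])
    cases = [
        ("203.0.113.5", False, "alice@example.com"),  # anonymous, local recipient
        ("203.0.113.5", False, "bob@example.net"),    # anonymous, external recipient
        ("203.0.113.5", True, "bob@example.net"),     # authenticated user, external recipient
        ("192.168.1.20", False, "bob@example.net"),   # LAN host on the relay list
    ]
    return {case: relay_decision(policy, *case) for case in cases}


def is_open_relay(policy, probe_ip="198.51.100.1"):
    """True if an anonymous, unlisted client can relay to an external domain."""
    return relay_decision(policy, probe_ip, False, "probe@example.net").startswith("250")


if __name__ == "__main__":
    for (ip, auth, rcpt), reply in run_scenarios().items():
        print(f"{ip:>13} auth={auth!s:5} RCPT TO:<{rcpt}> -> {reply}")
    # A 0.0.0.0/0 entry on the relay list turns the server into an open relay.
    print("0.0.0.0/0 listed ->", is_open_relay(RelayPolicy({"example.com"}, ["0.0.0.0/0"])))
```

The point of is_open_relay is the same test the blacklists run against you: an anonymous session from an address that is not on the list, asking to deliver to a domain you are not responsible for, must get a 550.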
 
sumit_aroraCommented:
Follow this article:
==============

http://support.microsoft.com/kb/895853
 
total123Author Commented:
Hi, thanks for the reply.
I have checked the relay on the virtual SMTP. It is set correctly. Under Authentication, Anonymous is ticked. If I untick this, we receive no external emails.
I believe this should be ticked?

Is there any chance that some external source could have hacked a user password?
Some users don't have passwords?
 
sumit_aroraCommented:
Yes, that is possible. Mostly this happens with POP or IMAP users.

The best thing to do at this moment is to request all POP and IMAP users to change their passwords.
 
sumit_aroraCommented:
http://support.microsoft.com/kb/895853 - this article by Microsoft has all the possibilities in it.
 
total123Author Commented:
Sumit, I've gone through the MS article loads and still have the same spam in my outgoing queue for Exchange 2003.
One question: under Default SMTP Virtual Server - Access - Authentication - Anonymous tick box. This has always been checked. If I uncheck it, I can't receive email, is that correct?
Should it stay ticked?
 
total123Author Commented:
I found this, which supports my previous question. But how do you get around it?

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm
 
sumit_aroraCommented:
Yes, that is correct, you need to have Anonymous Auth selected on SMTP to receive the mails.
====================================================================

Do this
=========

Determine whether an authenticated user is relaying
This section enables logging in the Windows Event Viewer such that any authentication attempts against the SMTP service (successful or failures) are logged in the application log.
1. Start Exchange Administrator.
2. Double-click Servers.
3. Under Servers, right-click ServerName, and then click Properties.
4. Click the Diagnostic Logging tab.
5. Click MSExchangeTransport on the left.
6. On the right, click SMTP Protocol.
7. Under Logging Level, click Maximum.
8. Click OK to close Server Properties.


If a remote user is authenticating against the Small Business Server computer as part of an operation to relay SMTP e-mail, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was company\username.

In this case, if the relaying appears to come from a hacked account password, go to the Active Directory Users and Computers snap-in and delete the account, disable the account, or change the password on the account.

Microsoft recommends that you implement a strong password policy. For additional information, visit the following Microsoft Web site:

If a remote user is authenticating against the Small Business Server as part of an operation to relay SMTP e-mail using the guest account, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:27:52 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was COMPANY\Guest.

In this case, the remote user is exploiting the guest account. Use the Active Directory Users and Computers snap-in to disable the guest account. Note It is not sufficient to change the password on the guest account. You must disable the guest account.

http://support.microsoft.com/kb/895853

===============================================================================
==>  

The "Allow all computers which successfully authenticate to relay" check mark should be enabled on the relay restriction. This setting allows you to deny access to all users who do not authenticate. Any remote Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) users accessing this server will authenticate to send mail. If you do not have users who access this server through POP or IMAP, you can clear this check box to prevent relaying entirely, thereby increasing security.



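Once SMTP Protocol logging is at Maximum, the Event ID 1708 entries described above pile up quickly, so here is a small Python triage script that reads their description text and picks out the two patterns the KB article points at: the Guest account authenticating, and one account authenticating far more often (and from more clients) than a real POP/IMAP user would. This is an added example for this thread, not part of KB 895853 or of Exchange; the sample event descriptions, the usernames, the client addresses and the threshold of 20 logins are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Event ID 1708 descriptions in the shape quoted from the KB article:
# three logins by one user from a LAN workstation, thirty by another user from two
# Internet addresses, and one use of the Guest account. Sample data, not real logs.
SAMPLE_EVENTS = (
    ["SMTP Authentication was performed successfully with client MAIL-PC-12. "
     "The authentication method was LOGIN and the username was company\\jsmith."] * 3
    + ["SMTP Authentication was performed successfully with client 198.51.100.%d. "
       "The authentication method was LOGIN and the username was company\\mwilson." % (9 + i % 2)
       for i in range(30)]
    + ["SMTP Authentication was performed successfully with client 203.0.113.77. "
       "The authentication method was LOGIN and the username was COMPANY\\Guest."]
)

# Matches the fixed wording of the 1708 description and captures the three fields.
EVENT_1708 = re.compile(
    r"SMTP Authentication was performed successfully with client (?P<client>\S+)\. "
    r"The authentication method was (?P<method>\S+) and the username was (?P<user>\S+)\.$"
)


def parse_1708(description):
    """Extract client, method and username from one Event ID 1708 description."""
    m = EVENT_1708.match(description)
    return m.groupdict() if m else None


def triage(descriptions, threshold=20):
    """Map suspicious usernames to a finding: Guest usage, or too many SMTP logins."""
    auths = [p for p in map(parse_1708, descriptions) if p]
    per_user = Counter(a["user"].lower() for a in auths)
    clients = defaultdict(set)
    for a in auths:
        clients[a["user"].lower()].add(a["client"])
    findings = {}
    for user, n in per_user.items():
        if user.rpartition("\\")[2] == "guest":
            # The KB is explicit: changing Guest's password is not enough, disable it.
            findings[user] = "Guest account used for SMTP auth: disable the account"
        elif n >= threshold:
            findings[user] = (f"{n} SMTP logins from {len(clients[user])} client(s): "
                              "likely stolen password, reset it")
    return findings


if __name__ == "__main__":
    for user, why in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {why}")
```

On a live server you would feed it the Description field of each 1708 event exported from the Application log; a user who is clean in this output but still appears in the outgoing queue's sender addresses points away from authenticated relay and towards a connector or a relay-list problem.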
 
total123Author Commented:
Hi, thanks for the reply. I have enabled the monitoring and do not get any reports in the Event Viewer. Since I enabled it, I disabled the queue in the queue manager and the spam level keeps increasing. But it's not producing any events in regards to Exchange.

What would this suggest?
 
total123Author Commented:
Hi, I have started getting these reports in the last few hours:
Event ID 7004
This is an SMTP protocol error log for virtual server ID 1, connection #426. The remote host "212.159.8.104", responded to the SMTP command "rcpt" with "550 <e0931890368@yahoo.com.tw> too many recipients in last hour  ". The full command sent was "RCPT TO:<e0931890368@yahoo.com.tw>  ".  This will probably cause the connection to fail.
 
total123Author Commented:
I have now disabled all ports on my firewall and the Exchange server is still counting up spam.
Would this suggest some form of spamming virus?
 
RadweldCommented:
This would suggest a client PC could be infected and is generating spam mail. Disconnect all clients and see what happens; then, if the number still rises, there could be an infection on the SBS server itself. The netstat command can help you see the source and destination of all traffic in your network.
 
total123Author Commented:
Hi Radweld,

Could you give the netstat a quick look over? The IP address 82.132.136.142 is classed as a mail server, but it's using HTTP. I'm going to block it; if it is that, how can it send emails through our Exchange server via HTTP?

Also, these lines are the spam emails that are in the queue.

 TCP    SBS03:smtp             118-168-113-186.dynamic.hinet.net:4481  ESTABLISHED


netstat.txt.txt
 
total123Author Commented:
I have closed the HTTP port on the router and still get this in netstat?

TCP    SBS03:http             82.132.136.142:35329   ESTABLISHED
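The two netstat lines pasted above are easy to misread, so here is an added Python helper (not from any poster, not from Exchange or Windows) that parses Windows netstat output and labels each established connection by direction: a session arriving at the local smtp port is someone delivering mail to the server, a session to a remote host's smtp port is the server's own queue delivering outbound, and a connection to the local http port is not an SMTP session at all. The sample output below is constructed; it keeps the two remote hosts quoted in the thread and adds documentation addresses for the rest, and the list of reverse-DNS substrings used to spot residential/dynamic peers is a heuristic of my own.

```python
from collections import Counter

# Constructed "netstat -a" output in the Windows format seen in the thread.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    SBS03:smtp             0.0.0.0:0              LISTENING
  TCP    SBS03:smtp             118-168-113-186.dynamic.hinet.net:4481  ESTABLISHED
  TCP    SBS03:smtp             mail.example.net:53120  ESTABLISHED
  TCP    SBS03:1045             mx1.example.org:smtp   ESTABLISHED
  TCP    SBS03:1046             mx2.example.org:smtp   ESTABLISHED
  TCP    SBS03:http             82.132.136.142:35329   ESTABLISHED
"""

# Substrings that commonly appear in reverse-DNS names of dynamic/residential
# ranges, which are rarely legitimate SMTP peers of a small business server.
DYNAMIC_HINTS = ("dynamic", "dsl", "cable", "pool", "ppp", "dhcp", "dial")


def parse_netstat(text):
    """Return one dict per TCP row: proto, local host/port, remote host/port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            proto, local, remote, state = parts
            lhost, _, lport = local.rpartition(":")
            rhost, _, rport = remote.rpartition(":")
            rows.append(dict(proto=proto, lhost=lhost, lport=lport,
                             rhost=rhost, rport=rport, state=state))
    return rows


def classify(row):
    """Label a row by which side owns the SMTP service port."""
    if row["state"] != "ESTABLISHED":
        return "not-established"
    if row["lport"] == "smtp":
        # Remote side opened a session to our port 25: inbound submission.
        kind = "inbound-smtp"
        if any(hint in row["rhost"].lower() for hint in DYNAMIC_HINTS):
            kind += "-from-dynamic-host"
        return kind
    if row["rport"] == "smtp":
        # We opened a session to a remote port 25: our queue delivering outbound.
        return "outbound-smtp-delivery"
    return "other-" + row["lport"]


def summarize(text):
    """Count connections per classification."""
    return Counter(classify(r) for r in parse_netstat(text))


def inbound_smtp_peers(text):
    """Count inbound SMTP sessions per remote host; many from one host is the tell."""
    return Counter(r["rhost"] for r in parse_netstat(text) if classify(r).startswith("inbound-smtp"))


if __name__ == "__main__":
    for kind, n in summarize(NETSTAT_SAMPLE).items():
        print(f"{n:3d}  {kind}")
    print(inbound_smtp_peers(NETSTAT_SAMPLE))
```

Read against the thread: the hinet.net line is an inbound SMTP session from a dynamic host, i.e. something handing mail to the server, while the 82.132.136.142 line is an inbound HTTP connection and cannot by itself put anything into the SMTP queue. The "outbound-smtp-delivery" rows are what the queued spam looks like while it is being sent, which is why the count kept rising after the firewall was closed to inbound traffic.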
 
sumit_aroraCommented:
Hello, sorry for the late response
===========================

• Events 7004 and 4001 occur if other mail servers list your Exchange computer as a messaging server that sends unsolicited commercial e-mail or if your Exchange computer is an open mail relay.

 
sumit_aroraCommented:
1. Verify that your Exchange computer is not an open mail relay. To do this, follow these steps:
   • Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
   • In Exchange System Manager, expand the following object:
     Servers\Your_Exchange_Server_Name\Protocols\SMTP
   • Right-click the virtual SMTP server where you want to prevent mail relay, and then click Properties.
   • Click the Access tab, and then click Relay.
   • By default, open relay is blocked. The default settings are as follows:
     - The Only the list below check box is selected.
     - The Allow all computers which successfully authenticate to relay, regardless of the list above check box is selected.
   • If you must permit a single computer, a group of computers, or a domain to relay through the server, click Add. In the Computer dialog box, click the appropriate selection for the computers you want to relay through the server. Then, type the required information.

     Note: Enabling access by IP address or by domain name is helpful for users who do not authenticate with the Exchange computer.
   • In the Relay Restrictions dialog box, click OK.
   • Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.
If your Exchange computer continues to relay messages to external domains, your Exchange computer has an SMTP connector that allows for relay.
 
sumit_aroraCommented:
Relay Restrictions on Default Virtual SMTP Server Are Not Working
================================================
http://support.microsoft.com/kb/314734

 
total123Author Commented:
I think the problem may be sorted. I'd discovered in the Address tab on the SMTP connector it was ticked,
as described in this text.
1. Click the Address Space tab. Under Connector Scope, click either Entire Organization or Routing Group. As in earlier versions of Exchange Server, when you configure the Internet Mail Service, click Add, click SMTP, and then click OK. Accept the default (*) unless you require outbound e-mail domain restriction, and leave the cost as 1. If you have accepted the default of (*), you should never click to select the Allow messages to be relayed to these domains check box. Clicking to select the Allow messages to be relayed to these domains check box would open your server for relay to the world. The Allow messages to be relayed to these domains check box should be for secure domain to domain connections only.

I'll see how it goes for a few days. So far, thanks for your help
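The thread ends up with two separate places that can open a relay: the virtual server's Relay Restrictions dialog (sumit_arora's steps) and the connector's "Allow messages to be relayed to these domains" box on an address space of * (the setting total123 found ticked). Here is an added Python audit, not from any poster or from Exchange, that checks a plain-dict snapshot of those settings and reports the weak ones; the dict layout, the key names and the two sample configurations are my own assumptions for the example, and the MEDIUM finding follows the KB note that the authenticated-relay box can be cleared when there are no POP/IMAP users.

```python
import ipaddress

# Constructed snapshot of the settings named in the thread: the virtual server's
# Relay Restrictions dialog and each SMTP connector's Address Space tab.
# A review aid, not Exchange's own configuration API.
WEAK_CONFIG = {
    "relay_restrictions": {
        "only_the_list_below": True,
        "allowed": ["192.168.1.0/24", "0.0.0.0/0"],   # a catch-all entry on the list
        "allow_authenticated": True,
    },
    "pop_imap_users_exist": False,
    "smtp_connectors": [
        {"name": "Internet Mail", "address_space": ["*"], "allow_relay_to_these_domains": True},
    ],
}

HARDENED_CONFIG = {
    "relay_restrictions": {
        "only_the_list_below": True,
        "allowed": ["192.168.1.0/24"],
        "allow_authenticated": False,
    },
    "pop_imap_users_exist": False,
    "smtp_connectors": [
        {"name": "Internet Mail", "address_space": ["*"], "allow_relay_to_these_domains": False},
    ],
}


def audit(cfg):
    """Return a list of (severity, finding) tuples for relay-related settings."""
    findings = []
    rr = cfg["relay_restrictions"]
    if not rr["only_the_list_below"]:
        findings.append(("CRITICAL", "Relay Restrictions set to 'All except the list below': anyone can relay"))
    for entry in rr["allowed"]:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a domain-name entry; it depends on reverse DNS and is not checked here
        if net.prefixlen == 0:
            findings.append(("CRITICAL", f"relay list entry {entry} matches every address"))
        elif not net.is_private:
            findings.append(("LOW", f"relay list entry {entry} is a public range; confirm it is intended"))
    if rr["allow_authenticated"] and not cfg["pop_imap_users_exist"]:
        findings.append(("MEDIUM", "authenticated relay enabled but there are no POP/IMAP users: clear the box"))
    for conn in cfg["smtp_connectors"]:
        if conn["allow_relay_to_these_domains"] and "*" in conn["address_space"]:
            findings.append(("CRITICAL", f"connector '{conn['name']}' relays to address space *: open relay"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Either of the two CRITICAL findings on its own is enough to reproduce the symptom in this thread: the relay list one is checked by the virtual server before the connector is ever consulted, and the connector one bypasses the relay list entirely, which is why fixing only the Relay Restrictions dialog left the queue filling up.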
 
sumit_aroraCommented:
Good to hear that :-)
 
total123Author Commented:
All seems good, who do I give the points to then?