
Exchange 2010 Relay

I thought I had my Exchange 2010 server tightened down. But I checked my queues and there were a few, about 20, messages in there with weird email addresses and a blank 'From' field. Here are the details of one of the messages:

Identity: my-server\177856\629547
Subject: Undeliverable: An E-card from your friend.
Internet Message ID: <3c020d3f-4c1d-4082-8c2a-9e7235a415f3@domain.com>
From Address: <>
Status: Retry
Size (KB): 11
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 8/31/2012 9:37:48 AM
Expiration Time: 9/2/2012 9:37:48 AM
Last Error: 451 Cannot connect to domain:123greetings.com - psmtp
Queue ID: my-server\177856
Recipients:  ecards@123greetings.com

It looks like they're relaying through me, but I don't know how. My firewall is set up to only accept SMTP from the Postini address range. How can I track down who is sending these messages?
Asked by imccoy
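The queue entry in the question already shows where these messages come from: "Message Source Name: DSN" and the empty From address are the markers of a non-delivery report that Exchange generated itself, for an inbound message it accepted but could not deliver. The recipient of the NDR (ecards@123greetings.com) is therefore the sender address that was stamped, almost certainly forged, on the original inbound mail. The script below is an added example, not part of the original post or any answer: it pulls those NDRs from the queue and then uses the message tracking log to find the RECEIVE event of each original message, whose ClientIp and ConnectorId say which host actually handed the mail to Exchange and through which Receive connector. A Postini address there means the mail came in through the expected path and the domain is simply being forged elsewhere; an internal address points at a compromised PC, as one of the answers suspects. It assumes the Exchange 2010 Management Shell on the Hub Transport server, the server name "my-server" taken from the queue identity in the question, and an arbitrary two-day search window.

```powershell
# Added example (not code from the thread). Exchange 2010 Management Shell.
# Assumptions: server name from the queue identity in the question; the
# two-day window is arbitrary.
$server = 'my-server'
$since  = (Get-Date).AddDays(-2)

# 1. Queued messages the server generated itself. MessageSourceName 'DSN'
#    identifies non-delivery reports; their From address displays as '<>'.
$ndrs = Get-Message -Server $server -ResultSize Unlimited |
    Where-Object { $_.MessageSourceName -eq 'DSN' }
$ndrs | Format-Table Identity, Subject, Status, LastError -AutoSize

# 2. Each NDR's recipient is the (forged) sender of the original inbound
#    message. Look up that message's RECEIVE event: ClientIp is the real
#    submitting host, ConnectorId the Receive connector that accepted it.
$origins = foreach ($ndr in $ndrs) {
    foreach ($rcpt in $ndr.Recipients) {
        Get-MessageTrackingLog -Server $server -Start $since -EventId RECEIVE `
            -Sender $rcpt.Address -ResultSize Unlimited
    }
}
$origins | Sort-Object Timestamp |
    Format-Table Timestamp, ClientIp, ClientHostname, ConnectorId, Sender, MessageSubject -AutoSize

# 3. Group by submitting IP so a single offending host stands out.
$origins | Group-Object ClientIp | Sort-Object Count -Descending |
    Select-Object Count, Name

# Optional clean-up once the source is understood: drop the queued NDRs
# without generating further NDRs about them.
# Remove-Message -Server $server -Filter { MessageSourceName -eq 'DSN' } -WithNDR $false
```

If step 2 returns nothing, widen the window or check that message tracking is enabled on the Hub Transport role (Get-TransportServer | Format-List MessageTrackingLogEnabled); the original RECEIVE events are what tie the backscatter to its true source.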
2 Solutions
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Is there a relay set on your Receive connector?
If so, does it not restrict to some IPs?

- Rancy
 
S_K_S commented:
Check the relay settings on the Receive connector.
 
imccoy (Author) commented:
I have 5 Receive connectors. They all have specific IPs except for the 'Default' one. I attached a pic of it. Should it only receive from Postini addresses also?
[attached image: Default-Connector.JPG]
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
What is that fffffff?

- Rancy
 
imccoy (Author) commented:
I think it's for IPv6. I'm not positive. I think those are just default settings.
 
DLeaver commented:
The "fffffff" is the IPv6 address.

This could be a PC on your internal network that is infected and trying to send spam through your Exchange server; check your AV and run a scheduled scan on the network.

Also scan the Exchange server itself in case it has picked up an infection and is relaying itself.

If you are locked down to your AS towers, then you don't need to restrict your Receive connector.
 
imccoy (Author) commented:
I'm not sure what you mean by 'AS towers'?
 
DLeaver commented:
Sorry, rushed that one. Anti-spam tower servers, which, as you state, you have locked your router down to with Postini. However, you can test this from a remote site using telnet just to make sure the communication is locked down.

I would check for viruses in the first instance.
 
Simon Butler (Sembee), Consultant, commented:
That is an NDR in the original message.

So the simple question would be: is Postini doing recipient validation? If not, then it should be.
If Postini isn't doing it, or cannot, then configure Exchange to do so, although Postini might require you to accept all email that they try to deliver to you.

Simon.
 
Exchange_Geek commented:
Guys, don't get scared by seeing a blank sender; this is a default setting since E2007 (I don't remember if this was there in E2003). There are no relay issues that I can read of, at least from your post. You can perform a simple telnet test to understand the relay problem.

A blank sender isn't a problem; it is the system that is sending the NDR for a failed email that couldn't be received by a user. In other words, someone out there is trying to harvest your environment and gain knowledge. Remember: the NDR would contain data about your environment.

What you need to lock down (and this is to add to what Sembee has mentioned) is the main issue here.

Your Exchange box needs to perform Recipient Validation; this is a feature that was first introduced in E2003 and carried over to all the versions after that.

Here is the cmdlet to enable the feature
Set-RecipientFilterConfig -RecipientValidationEnabled $True

Read more:
http://mikecrowley.wordpress.com/2010/06/06/exchange-recipient-validation/

Regards,
Exchange_Geek
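The cmdlet above only takes effect if the anti-spam agents are installed on the Hub Transport server (they are not by default on Exchange 2010), and recipient validation by itself says nothing about relay: relaying is governed by which Receive connectors grant the ms-Exch-SMTP-Accept-Any-Recipient right to anonymous connections, and the anti-spam agents are skipped entirely for connections holding ms-Exch-Bypass-Anti-Spam. The following is an added example, not Exchange_Geek's code, that enables recipient validation and then answers the relay question the earlier comments ask about, for every connector on the local server. It assumes the Exchange 2010 Management Shell run on the Hub Transport server itself.

```powershell
# Added example (not code from the thread). Exchange 2010 Management Shell,
# run on the Hub Transport server. $exscripts is the EMS variable pointing at
# the Exchange Scripts folder.

# 1. Install the anti-spam agents if they are missing, then enable recipient
#    validation. Without the Recipient Filter agent the Set-* call is inert.
if (-not (Get-TransportAgent 'Recipient Filter Agent' -ErrorAction SilentlyContinue)) {
    & (Join-Path $exscripts 'install-AntispamAgents.ps1')
    Restart-Service MSExchangeTransport
}
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

# 2. Which connectors let anonymous connections relay (Accept-Any-Recipient)
#    or skip the anti-spam agents (Bypass-Anti-Spam)? Only a deliberately
#    configured internal relay connector should appear here; the Default
#    connector should not.
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -match 'Accept-Any-Recipient|Bypass-Anti-Spam' } |
    Select-Object Identity, ExtendedRights

# 3. Bindings, remote ranges and permission groups side by side. A connector
#    bound to the Internet-facing address that is not restricted to the Postini
#    ranges relies entirely on the firewall for its exposure.
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize -Wrap
```

Step 2 is the check the earlier "is there a relay set on your Receive connector" comments are asking for: an empty result for the connector that accepts Internet mail means nobody can relay through it regardless of what the queue looks like.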
 
imccoy (Author) commented:
>>> I tried running the script to install the AntiSpam features and got an error.

Never mind, I didn't have the hyphen in the name.
 
imccoy (Author) commented:
I have installed the AntiSpam feature and all options are enabled, and restarted the Transport service. But I'm still getting the NDR notices with a status of Active or Retry. If someone is spoofing our address and we are just receiving the NDRs, why is our server trying to resend them? Shouldn't the Recipient Validation see an invalid sender and delete the message?
 
Simon Butler (Sembee), Consultant, commented:
If someone is using your domain to send email and you are getting the NDRs, then you have to accept them. Exchange has nowhere to deliver them.

Have you actually verified that Recipient Filtering is working? If you telnet in to the server on port 25 and try to send an email to an invalid user, the email should be rejected.

Simon.
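The telnet test Simon describes, scripted so it can be repeated from inside and outside the Postini range, as an added example that is not code from the thread. It speaks plain SMTP to the server, issues EHLO, MAIL FROM and RCPT TO, and classifies the RCPT TO reply: a 250 for a recipient that does not exist is exactly the condition that turns the server into a backscatter source, because the message is accepted and an NDR is generated later; "550 5.1.1 User unknown" means recipient validation rejected it at the door; "550 5.7.1 Unable to relay" is the relay check refusing an address outside the accepted domains. It sends RSET before QUIT so nothing is left queued even when a recipient is accepted. The host names and addresses are hypothetical placeholders; the reply strings are the Exchange 2010 defaults.

```powershell
# Added example (not code from the thread): a scripted SMTP probe for the
# recipient-validation and relay checks. Host names and addresses below are
# hypothetical placeholders.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies can span several lines ("250-..."); the final line has a
    # space after the code ("250 ..."). Return that final line.
    $line = $null
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { return $null }
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Invoke-SmtpProbe {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$MailFrom,
        [Parameter(Mandatory=$true)][string]$RcptTo,
        [int]$Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO probe.example.invalid"); $ehlo = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$MailFrom>");      $mail = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$RcptTo>");          $rcpt = Read-SmtpReply $reader
        # RSET so nothing is queued even if the recipient was accepted.
        $writer.WriteLine("RSET"); [void](Read-SmtpReply $reader)
        $writer.WriteLine("QUIT"); [void](Read-SmtpReply $reader)

        $verdict = switch -Regex ($rcpt) {
            '^250'         { 'ACCEPTED - would be queued (valid mailbox, or no recipient validation / relay permitted)' }
            '^550 5\.1\.1' { 'REJECTED - recipient validation is working' }
            '^550 5\.7\.1' { 'REJECTED - relay denied' }
            default        { 'OTHER - inspect the reply' }
        }
        New-Object PSObject -Property @{
            Server = $Server; MailFrom = $MailFrom; RcptTo = $RcptTo
            Banner = $banner; Ehlo = $ehlo; Mail = $mail; Rcpt = $rcpt
            Verdict = $verdict
        }
    }
    finally {
        $client.Close()
    }
}

# Constructed usage. From outside the Postini range the connection itself should
# fail if the firewall rule is right. From inside, probe a made-up local user
# (expect 550 5.1.1) and an external address (expect 550 5.7.1).
Invoke-SmtpProbe -Server 'mail.example.com' -MailFrom 'probe@example.net' -RcptTo 'no-such-user-zz9@example.com'
Invoke-SmtpProbe -Server 'mail.example.com' -MailFrom 'probe@example.net' -RcptTo 'someone@other-domain.example'
```

Run the second probe against every Receive connector binding, not just the Internet-facing one: a connector on an internal address that answers 250 to an external recipient is an internal open relay, which is what an infected PC on the LAN would be exploiting.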
 
imccoy (Author) commented:
Invalid recipients get an 'unable to relay'.

But invalid senders are able to send.

I went ahead and made these 2 changes:

     If the Sender ID check fails, reject the message.

     In Sender Filtering, block messages that don't have sender information.

Are these settings OK?
Should I make any other changes?
 
Simon Butler (Sembee), Consultant, commented:
Exchange doesn't check the sender.
That is why spam is such a problem: you can put anything that you like in the From field and it is accepted by the remote server.

SenderID is a DNS feature, and those checks should be done by Postini. However if they are NDR returns then Postini will allow them through.

Simon.
 
imccoy (Author) commented:
Thanks.

Are the settings I selected OK? Or are there problems with these restrictions?
 
Simon Butler (Sembee), Consultant, commented:
If you apply those settings without fully realising the consequences then you can block legitimate email. Furthermore I don't think it will resolve your problem.

Simon.
