Exchange messages being sent from postmaster@domainname.com

I have been battling a problem for a few days. Exchange 2003 on SBS, email queue filling up with NDRs from postmaster@domainname.com to random email addresses. So, I think the server is an open relay. Check all the settings and run it against mxlookup, it is not an open relay. Then I think it has to be a reverse NDR attack, I checked the settings on Message Delivery and Filter recipients is checked. I check the SMTP connector and can't honestly remember now if Recipient Filters was checked originally, but it is now. I restart Exchange and SMTP, still getting emails filling the queue.
I also get emails trying to be delivered locally to domainnameArchive@domainname.com.  This seems to be a cut and dry reverse NDR attack, but I can't seem to get the filtering to engage.
Any ideas are appreciated.  I travel a lot and may not respond quickly, but will respond.
0
2 Solutions
 
Simon Butler (Sembee)ConsultantCommented:
The filtering is probably working, it is just that you are having to deal with the after effects.
When a spammer finds a server he can abuse, he will abuse it - dumping 1000s of messages on to the server. Exchange cannot process them and the queue viewer doesn't display them all. Therefore it can take some hours to clear them.

http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

You can verify that recipient filtering is enabled by using telnet to the server and trying to deliver to a non-valid recipient, it should get rejected.

Simon.
0
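The telnet check Simon describes, written up as an added example (not code from the original thread or from Exchange): it speaks EHLO / MAIL FROM / RCPT TO to the server for a recipient that should not exist and reports whether the server rejected it at RCPT time. Host names and addresses are constructed placeholders; `probe_transcript` replays a scripted server reply so the logic can be exercised without a network.

```python
import io
import socket

def read_reply(rfile):
    """Collect one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-" means more lines follow
            return int(line[:3]), lines

def probe_recipient_filtering(rfile, wfile, helo_name, sender, bogus_rcpt):
    """Run EHLO / MAIL FROM / RCPT TO; True if the bogus recipient is rejected."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)

    code, lines = read_reply(rfile)                     # 220 greeting banner
    if code != 220:
        raise RuntimeError(f"unexpected banner: {lines}")
    for cmd in (f"EHLO {helo_name}", f"MAIL FROM:<{sender}>"):
        code, lines = send(cmd)
        if code != 250:
            raise RuntimeError(f"{cmd} failed: {lines}")
    code, lines = send(f"RCPT TO:<{bogus_rcpt}>")
    send("QUIT")
    # 550 at RCPT time is what working recipient filtering looks like; 250 means the
    # server accepts mail for a non-existent user and will NDR it later (backscatter).
    return code == 550

def probe_transcript(transcript, bogus_rcpt="no-such-user-zz91@example.test"):
    """Offline helper: replay a constructed server transcript (bytes)."""
    rfile, wfile = io.BytesIO(transcript), io.BytesIO()
    rejected = probe_recipient_filtering(rfile, wfile, "probe.example.test",
                                         "probe@example.test", bogus_rcpt)
    return rejected, wfile.getvalue()

def probe_host(host, port=25, bogus_rcpt="no-such-user-zz91@example.test"):
    """Live check against a real server (needs network access to port 25)."""
    with socket.create_connection((host, port), timeout=30) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_recipient_filtering(rfile, wfile, "probe.example.test",
                                             "probe@example.test", bogus_rcpt)
```

Run `probe_host("your.mail.server")` from outside the network; a result of `False` means the server is still accepting mail for unknown users and recipient filtering has not engaged.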
 
Alan HardistyCommented:
If your server was an Open Relay you wouldn't be seeing mail from Postmaster - you would be seeing mail from randomsender@randomdomain.com
0
 
NicolusCommented:
Hi there,

First let me give you some words of encouragement...  you will get through this... as much of a pain in the butt it is it is easily fixable if you follow these steps.

1 - In 100% of my experience an NDR attack has been due to a transfer of password information to the bad guys.  So FIRST, run a solid antivirus / malware scan on everyone's PC.  Second, change everyone's password.  AVAST AV has a great feature in that you can run a boot scan where it can scan the HD before the OS even loads so that it can check Windows files that are normally inaccessible to scans.

2 - Read this...  This is going to be your bible on this   http://exchange.sembee.info/2003/smtp/spam-cleanup.asp 

3 - You'll need to keep an eye on whether or not you're blacklisted as a result of all this email traffic.

I'll keep my eye on this post for your response.
0
 
S_K_SCommented:
Testing through telnet to check if your server is open for relay or not is a good option.
Changing passwords is one thing that should be done.
An AV check on the concerned machine is another thing that is necessary.
The Exchange server should have its files excluded from being scanned by the AV also - as a best practice.
0
 
HaulnSSAuthor Commented:
Thank you for the responses.  I have been watching MX blacklist closely and haven't seen the server blacklisted at any time, which confuses me...
Anyway, I have gone through the link above as a result of searching for information on this before asking the question.  I do run into a snag however, when I telnet and type ehlo testdomain.com, I receive "500.3.3 Unrecognized command".
0
 
Alan HardistyCommented:
Save yourself the hassle and visit www.checkor.com and let them prove you are not an Open Relay, which if you are not Blacklisted, then you won't be.

The only Blacklist you are likely to end up on is Backscatterer.org - nothing too serious to lose sleep over, but if you are not listed - that's good news.
0
 
HaulnSSAuthor Commented:
Thank you alanhardisty, checkor site is currently unavailable.  Do you think it would take more than a couple days to clean up from NDR attack?  I have had to delete about 30 emails in the last several hours.
0
 
Alan HardistyCommented:
Darn websites!

Shouldn't take that long to clean it up - once Recipient Filtering is enabled that should take care of it.

If you want a more robust Anti-Spam solution, try Vamsoft ORF which is now available for Trial for 45 days instead of 30.  New version just released.

That should tidy up your problem for 45 days happily - then you just need to decide if you like it enough to buy it.
0
 
HaulnSSAuthor Commented:
I actually use GFI Mailessentials, however, while troubleshooting this problem, I uninstalled it.  The Exchange portion of this server is forwarding email to another domain.
Scenario:  Company was bought out and parent company wanted all emails added to their domain.  I am forwarding any email to a valid recipient to their email on the parent server.  This is just to make sure people they don't communicate with often, still are able to email the user.
Am I creating any problems by doing that?
0
 
Alan HardistyCommented:
Fair enough - bit overkill to uninstall it but not to worry.  I'd put it back as soon as you can.

Nope - that sounds fine.
0
 
Simon Butler (Sembee)ConsultantCommented:
How are you doing the forwarding?
Are you doing a blanket forward where no user exists?
It can take some time to clean up a server that is under NDR attack, I think my record is something like six hours. An abused server is a pain to clean up, and if you aren't careful you will lose legitimate email. Turning off port 25 on the firewall for a period can help.
If you have a PIX, then that can cause problems as well - more problems than it protects against.

Simon.
0
 
HaulnSSAuthor Commented:
Simon, actually using a Cisco ASA firewall.  I am still getting new items introduced, looks like the emails are going to companynameArchive@domainname.com, and then being sent from postmaster@domainname.com.
Still got several new ones in queue from this weekend.
0
 
Simon Butler (Sembee)ConsultantCommented:
ASA is just as bad. So bad that Microsoft have an article about it on their own web site:
http://support.microsoft.com/kb/320027

The issue though is how you are doing the forwarding that you mentioned above.

Simon.
0
 
HaulnSSAuthor Commented:
Sorry, forgot to answer that question.  I am forwarding individual emails, not a blanket forward.
0
 
Simon Butler (Sembee)ConsultantCommented:
If you are doing individual forwarding then you should be able to use recipient filtering to block these emails. If you were doing some kind of blanket forward then that wouldn't work as those methods depend on Exchange not recognising the user and sending it on.

Simon.
0
 
HaulnSSAuthor Commented:
I have tested recipient filtering, seems to be working with the exception of domainnameArchive@domainname.com I can send to that address and it sits in the Queue, under local delivery.  I get several messages in this queue a day.
0
 
HaulnSSAuthor Commented:
I am still getting several emails being sent daily via postmaster@domain.com
0
 
Simon Butler (Sembee)ConsultantCommented:
Are you sure those messages are coming from outside and not some internal process? It isn't an address format that I recognise.

Simon.
0
 
HaulnSSAuthor Commented:
I honestly don't know where they are coming from.  I can email the domainnameArchive@domainname.com from an outside address, and the server accepts it and it just sits there in local delivery.  That appears to be the only problem left, I haven't had emails going to random domains since yesterday.
0
 
Simon Butler (Sembee)ConsultantCommented:
Does it reject any other email address that you attempt to send to?
If not, then recipient filtering isn't working correctly.

Simon.
0
 
HaulnSSAuthor Commented:
Sembee2, It does reject all other random addresses I have tried to send to.  I can't figure out why it is accepting for that mailbox, since it doesn't exist.
The outgoing mail does seem to be rectified.  I tried so many things, I can't recall which item actually fixed it...
0
 
Simon Butler (Sembee)ConsultantCommented:
That means the address must be in the domain somewhere.
Try this script to see if it is in there somewhere.
http://krisdev.blogspot.com/2005/09/search-your-domain-for-particular-smtp.html

Simon.
0
 
HaulnSSAuthor Commented:
Sembee2, sorry for late reply.  You were right, it was a public folder.  Didn't know it existed.  I have all problems resolved.  Thank you!
0
 
HaulnSSAuthor Commented:
I had to split the points, since I originally had two problems that you both helped me solve.
Thank you!
0
