mvalpreda (United States of America) asked:
Exchange 2003 being used as spam server - sort of....

I have an Exchange 2003 server that appears to be being used as a spam host. It it not an open relay and the Default SMTP Virtual Server properties under Access/Relay have the mail server and the network scanner listed with "Only the list below" checked. The box to allowed authenticated users to relay is unchecked.

I see spam to/from the same user. So bsmith@ is sending spam to bsmith@, but it is coming from outside the network. Here are the headers:

Received: from host145-98-static.206-37-b.business.telecomitalia.it
 ([37.206.98.145])
by MYMAILSERVER with Microsoft
 SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 05:42:34 -0700
Message-ID: <5059BCF9.804060@XXX.com>
Date: Wed, 19 Sep 2012 13:42:19 +0100
From: <user@mydomain.com>
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <user@mydomain.com>
Subject: =?utf-8?Q?Spam:find=20Cllalls=20free=20sites=20computer=20search?=

The To and From are the same and it's not from inside my network. I'm not sure how this is getting through or how it is happening. There is not a lot of it, but I would like to stop it.
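The pattern in the headers above (a local From/To pair delivered by a peer that is not one of the hosts allowed to relay) can be checked mechanically before you dig into relay settings or NDR queues. The script below is an added example, not code from the question or from any answer on this page. It unfolds the pasted headers (tolerating continuation lines that lost their leading whitespace, as in the paste above), takes the bracketed address from the topmost Received header, which is the one MYMAILSERVER itself wrote, and compares it against a constructed list of trusted relay sources. The addresses 192.0.2.10 and 192.0.2.20 are placeholders standing in for the mail server and the network scanner mentioned in the question; mydomain.com is taken from the pasted headers.

```python
import ipaddress
import re
from email.utils import parseaddr

# A header line looks like "Name: value"; anything else is treated as a
# continuation of the previous header (folded lines, or folds whose leading
# whitespace was lost when the headers were pasted).
HEADER_START = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed configuration: domains we host and hosts allowed to relay
# (placeholders for the mail server and the network scanner in the question).
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("192.0.2.20/32")]

# Sample 1: the headers pasted in the question (placeholders kept as posted).
SAMPLE_EXTERNAL = """\
Received: from host145-98-static.206-37-b.business.telecomitalia.it
 ([37.206.98.145])
by MYMAILSERVER with Microsoft
 SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 05:42:34 -0700
Message-ID: <5059BCF9.804060@XXX.com>
Date: Wed, 19 Sep 2012 13:42:19 +0100
From: <user@mydomain.com>
Content-Class: urn:content-classes:message
MIME-Version: 1.0
To: <user@mydomain.com>
Subject: =?utf-8?Q?Spam:find=20Cllalls=20free=20sites=20computer=20search?=
"""

# Sample 2: a constructed message from the (placeholder) network scanner.
SAMPLE_INTERNAL = """\
Received: from scanner.mydomain.local ([192.0.2.20]) by MYMAILSERVER with Microsoft SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 06:00:00 -0700
From: <scanner@mydomain.com>
To: <user@mydomain.com>
Subject: Scan job 0001
"""


def unfold_headers(raw):
    """Return (name, value) pairs in order, names lower-cased, folds joined."""
    headers = []
    for line in raw.lstrip("\n").splitlines():
        if not line.strip():
            break  # blank line ends the header block
        m = HEADER_START.match(line)
        if m:
            headers.append((m.group(1).lower(), m.group(2)))
        elif headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
    return headers


def first_hop_ip(headers):
    """Address of the peer that delivered the message to our server.

    Only the topmost Received header was written by our own server; any
    Received lines below it came from the sender and cannot be trusted."""
    for name, value in headers:
        if name == "received":
            m = BRACKET_IP.search(value)
            if not m:
                return None
            try:
                return ipaddress.ip_address(m.group(1))
            except ValueError:
                return None
    return None


def analyze(raw, local_domains=LOCAL_DOMAINS, trusted_sources=TRUSTED_SOURCES):
    """Flag a message that claims a local sender but came from an untrusted peer."""
    headers = unfold_headers(raw)
    fields = {}
    for name, value in headers:
        fields.setdefault(name, value)  # keep the first occurrence
    sender = parseaddr(fields.get("from", ""))[1].lower()
    recipient = parseaddr(fields.get("to", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    ip = first_hop_ip(headers)
    trusted = ip is not None and any(ip in net for net in trusted_sources)
    finding = {
        "source_ip": str(ip) if ip is not None else None,
        "from_is_local": sender_domain in local_domains,
        "to_equals_from": bool(sender) and sender == recipient,
        "source_is_trusted": trusted,
    }
    # Local sender address + delivery from outside the relay list is the
    # spoofing pattern described in the question.
    finding["suspect"] = finding["from_is_local"] and not trusted
    return finding


if __name__ == "__main__":
    for label, sample in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        print(label, analyze(sample))
```

Run over a batch of exported headers, the `suspect` flag separates forged-local-sender mail from the scanner's legitimate traffic; the `to_equals_from` flag alone is not enough, since a user mailing themselves from a trusted relay is normal. Note that a spoofed From header does not by itself mean the server relayed anything: an external host can always hand your server a message addressed to one of your own users, with any From it likes, and relay restrictions do not apply to inbound mail for local recipients.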
ASKER CERTIFIED SOLUTION
Alan Hardisty (United Kingdom of Great Britain and Northern Ireland)
mvalpreda (ASKER)
First off....thanks for the article. I was looking through and see that it may be more of an NDR attack since I see a lot of mail in the queue to strange domains all coming from postmaster@. I have set up the filtering explained at http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html and the tarpitting explained at http://support.microsoft.com/kb/842851. I set the tarpit time to 20 seconds.

Also going to run through the authenticated user attack. Strange that it happens when the box is unchecked and only allowing relaying from a very specific set of IPs.
Exchange 2003 is very open to abuse unfortunately.

Hopefully it is just an NDR attack which should subside with Recipient Filtering enabled, but if not, then you should be able to find the relevant account.

Shout if you need any more info.
I do have a slight issue now. I forgot to mention I have an outside vendor that sends emails through our server and they log in with a service account (with a strong random password) and I am now seeing this:

The SMTP client "X.X.X.X" authenticated as user "DOMAIN\account" attempted to send as "legituser@mydomain.com".  Access was denied because the authenticated client does not have permission to Send As this SMTP address.

Am I going to need to set up Send As permissions on each of those users who use this third party service?
Yes - if they need to send as a particular user and log in as a different user, then they will need Send As permissions.
Thanks. All is looking well now.