SmallBusiness SMTP connectors for unknown domains keep being created

I have a Windows 2003 SBS Server running Exchange 2003.
When I view the Queues using Exchange System Manager there are over 50 "Smallbusiness SMTP connector - <adomain.com> (SMTP Connector)" entries, where <adomain.com> is all kinds of names that have nothing to do with me. Each one has a message or two in it. The number in the list keeps growing.
When I look in C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue there are always 20 or so EML files which, when I open them, usually say they are Delivery Status Notifications of failure to deliver to an unknown address on my domain. Something or someone is obviously creating this stuff but I can't think where to start to look.
Guidance appreciated.
Asked by ClintonK.

Simon Butler (Sembee), Consultant, commented:
If you are under DHA then you are going to have to use a third party tool to deal with that. This isn't a problem with the configuration of the server, because the email is going to a valid user at your domain.

If it is going to a random invalid name at your domain, then you need to check you have recipient filtering enabled. If not, then you need to enable it.

Simon.

djStraTTos commented:
You have left your Exchange as an Open Relay...Soon your IP will be blacklisted. You should stop Open Relay ASAP.

How to block open SMTP relaying and clean up Exchange Server SMTP queues in Windows Small Business Server

ClintonK (Author) commented:
The Computers dialog box has Access Granted to the internal IP address of my server and 127.0.0.1
"Allow all computers which successfully authenticate to relay" is also checked

djStraTTos commented:
This is correct. First of all you should stop the SMTP in order to avoid negative consequences (being blacklisted). Then, since it seems that your Server is not an Open Relay, you should start looking at your users. Someone that is authenticating properly to your server is generating all this traffic. Does your server have 2 NICs, internal and external, or are you using NAT to bring external traffic to your internal network? If you have 2 NICs, remove the connection to your LAN, clean your queue and see if the server stops generating this traffic. If this is the case then for sure someone from your LAN is causing the issue. Check this and revert. Of course, in order to test this you should start SMTP again on your server.

ClintonK (Author) commented:
I have one card only and just a handful of registered users.
I will do as you suggest and see if I can pinpoint the culprit.
How can I remove all the dodgy SMTP connectors?

Larry Struckmeyer MVP commented:
If you do not find the culprit on your internal LAN, consider that you are the recipient of a reverse DNS attack where the spammer has used your IP and/or email domain name to send out spam, and those that cannot be delivered are returned via NDR to your server.

If this is the case, having an SPF record for your domain and/or having your mail filtered by an outside service may help.

djStraTTos commented:
Kindly see the link I sent you. It is all described in there in details.

Having an SPF record is as vital as making sure your server is not an open relay. I agree with fl_flyfishing.

Simon Butler (Sembee), Consultant, commented:
An SPF record would make no difference to this kind of attack. SPF records are used by other servers to ensure that your server is the only one valid to send email. It makes no difference to your ability to send email. I wouldn't consider it vital at all.

Having email filtered by another service would help, but wouldn't always stop the problem.

My guide on this problem is here:
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

The most likely cause is an authenticated user, rather than open relay. Could be that your Administrator password has been compromised, or a user was phished to give their credentials out to allow them to be abused.

Simon.

ClintonK (Author) commented:
I have changed the users who are allowed to submit for relay from Authenticated users to just me and that has stopped the SMTP connections. I have added in two more domain users and still all is OK. I have a few more to do and then that will hopefully eliminate the domain users as suspects. When I've let this run for a day or two I will add Authenticated Users back to the list and see if it starts again. If it does then I think I can assume it's an external source that's using my SMTP server to relay and I guess they must have access via a user.

Simon Butler (Sembee), Consultant, commented:
I would also suggest a global password change, particularly the administrator account. That will stop most things as well.

Simon.

ClintonK (Author) commented:
I'm still having problems. I have restricted permission for Submit and Relay to the SMTP Virtual Server to just me and have changed the Administrator and my passwords but still the emails appear in the Exchange Queue folder and the SMTP connectors appear in the Exchange System Manager list. I did uncheck Anonymous access Authentication too but that just seemed to have the effect that I then received no email at all.

Simon Butler (Sembee), Consultant, commented:
You don't need relay permission for anyone, so remove the list completely, then restart the SMTP Server service.

Have you done a recent check for open relay?

Simon.

ClintonK (Author) commented:
I have removed all permission for relay so the list is now empty but still the SMTP connectors appear. I have also checked for open relay and this is negative.

Simon Butler (Sembee), Consultant, commented:
Did you restart the SMTP server service after doing so?
You will need to stop the SMTP Server service so that you can look at the messages to see if they are coming from an external source or not.

The default location is c:\Program Files\Exchsrvr\mailroot\vs 1\queue

Open one of the messages in Notepad and look for the first "Received: from" line - remember headers read up, so the first delivery path will be midway through the text.

Simon.
0
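The header triage Simon describes above (walk the Received: lines bottom-up to find the first external hop, then check whether the bounce targets a real local mailbox), as an added Python example that is not from the thread; the EML text, domain, address ranges and mailbox list are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of one queued bounce, modelled on the thread's symptoms;
# hosts, addresses and domain are made up, not a real capture.
SAMPLE_EML = """Received: from mail.example.local ([192.168.1.10]) by mail.example.local
\twith Microsoft SMTPSVC; Wed, 14 Mar 2012 09:12:03 +0000
Received: from unknown-host ([203.0.113.45]) by mail.example.local
\twith Microsoft SMTPSVC; Wed, 14 Mar 2012 09:12:01 +0000
From: "ADP Mail System" <4CBC9DB3@anydomain.example>
To: qzxv817@example.local
Subject: Delivery Status Notification (Failure)

The following recipient could not be reached.
"""

LOCAL_DOMAIN = "example.local"                    # assumption: the SBS mail domain
INTERNAL_PREFIXES = ("192.168.", "10.", "127.")  # assumption: local address ranges
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_eml):
    """Source IPs from the Received: headers, earliest hop first.
    Each hop prepends its own Received: line, so the last one in the
    file is the first hop the message took ("headers read up")."""
    ips = []
    for hdr in message_from_string(raw_eml).get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    ips.reverse()
    return ips

def triage(raw_eml, known_recipients):
    """Classify one queued message: where it entered, whether it is a
    bounce, and whether the local recipient exists (the same check that
    recipient filtering performs at SMTP time)."""
    msg = message_from_string(raw_eml)
    ips = received_ips(raw_eml)
    origin = next((ip for ip in ips if not ip.startswith(INTERNAL_PREFIXES)), None)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return {
        "origin_ip": origin,                       # first hop outside the LAN
        "is_dsn": "delivery status notification" in msg.get("Subject", "").lower(),
        "rcpt_local": rcpt.endswith("@" + LOCAL_DOMAIN),
        "rcpt_known": rcpt in known_recipients,    # False: recipient not in directory
    }
```

Run it over every .eml in the queue folder and count by origin_ip; many external origins with rcpt_known False and is_dsn True is the directory-harvest / backscatter pattern the thread ends up diagnosing.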

ClintonK (Author) commented:
They all say they are from "ADP Mail System" but from random addresses, e.g. <4CBC9DB3@anydomain.com> and all trying to deliver to a random username at my domain. The IP address the mail has come from is external to me.

djStraTTos commented:
Most probably you are facing a DHA (Directory Harvest Attack). Don't you use any Anti Spam mechanism before emails reach your mail server?

ClintonK (Author) commented:
No, none I'm afraid.

djStraTTos commented:
You could set relaying to all except the IP of the spammer and check if this resolves your problem.
Please revert with outcome.

And of course you need a more sophisticated Anti Spam mechanism before your mail server. E.g. Symantec Brightmail or Fortinet Fortimail

ClintonK (Author) commented:
The emails are going to a random name on my domain so your second suggestion sounds good. I have checked the option to "Filter recipients who are not in the Directory" - I assume this is the correct option?

Simon Butler (Sembee), Consultant, commented:
You need to enable it on the SMTP virtual server as well.

http://exchange.sembee.info/2003/smtp/filter-unknown.asp

Simon.

ClintonK (Author) commented:
Thanks. I did that and so far all seems to be good as no unknown SMTP connections have appeared since.

ClintonK (Author) commented:
Problem cured. No more spurious SMTP connections and no more blacklisting for me.
Thanks