Solved

SmallBusiness SMTP connectors for unknown domains keep being created

Posted on 2012-09-21
Medium Priority
902 Views
Last Modified: 2012-10-04
I have a Windows 2003 SBS Server running Exchange 2003.
When I view the Queues using Exchange System Manager there are over 50 "Smallbusiness SMTP connector - <adomain.com> (SMTP Connector)" entries, where <adomain.com> is all kinds of names that have nothing to do with me. Each one has a message or two in it. The number in the list keeps growing.
When I look in C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue there are always 20 or so EML files which, when I open them, usually say they are Delivery Status Notifications of failure to deliver to an unknown address on my domain. Something or someone is obviously creating this stuff but I can't think where to start to look.
Guidance appreciated.
Question by:ClintonK
22 Comments
LVL 7

Expert Comment

by:djStraTTos
ID: 38420902
You have left your Exchange as an Open Relay... Soon your IP will be blacklisted. You should stop Open Relay ASAP.

How to block open SMTP relaying and clean up Exchange Server SMTP queues in Windows Small Business Server

Author Comment

by:ClintonK
ID: 38420912
The Computers dialog box has Access Granted to the internal IP address of my server and 127.0.0.1
"Allow all computers which successfully authenticate to relay" is also checked
LVL 7

Expert Comment

by:djStraTTos
ID: 38420929
This is correct. First of all you should stop the SMTP in order to avoid negative consequences (being blacklisted). Then, since it seems that your Server is not an Open Relay, you should start looking at your users. Someone that is authenticating properly to your server is generating all this traffic. Does your server have 2 NICs, internal and external, or are you using NAT to bring external traffic to your internal network? If you have 2 NICs, remove the connection to your LAN, clean your queue and see if the server stops generating this traffic. If this is the case then for sure someone from your LAN is causing the issue. Check this and revert. Of course, in order to test this you should start SMTP on your server again.

Author Comment

by:ClintonK
ID: 38420950
I have one card only and just a handful of registered users.
I will do as you suggest and see if I can pinpoint the culprit.
How can I remove all the dodgy SMTP connectors?
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 38421240
If you do not find the culprit on your internal LAN, consider that you are the recipient of a reverse DNS attack where the spammer has used your IP and/or email domain name to send out spam, and those that cannot be delivered are returned via NDR to your server.

If this is the case, having an SPF record for your domain and/or having your mail filtered by an outside service may help.
LVL 7

Expert Comment

by:djStraTTos
ID: 38421250
Kindly see the link I sent you. It is all described in there in detail.

Having an SPF record is as vital as having your server a Non Open Relay. I agree with fl_flyfishing
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38424641
An SPF record would make no difference to this kind of attack. SPF records are used by other servers to ensure that your server is the only one valid to send email. It has no effect on your ability to send email. I wouldn't consider it vital at all.

Having email filtered by another service would help, but wouldn't always stop the problem.

My guide on this problem is here:
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

The most likely cause is an authenticated user, rather than open relay. Could be that your Administrator password has been compromised, or a user was phished to give their credentials out to allow them to be abused.

Simon.

Author Comment

by:ClintonK
ID: 38426103
I have changed the users who are allowed to submit for relay from Authenticated users to just me and that has stopped the SMTP connections. I have added in two more domain users and still all is OK. I have a few more to do and then that will hopefully eliminate the domain users as suspects. When I've let this run for a day or two I will add Authenticated Users back to the list and see if it starts again. If it does then I think I can assume it's an external source that's using my SMTP server to relay and I guess they must have access via a user.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38426232
I would also suggest a global password change, particularly the administrator account. That will stop most things as well.

Simon.

Author Comment

by:ClintonK
ID: 38442723
I'm still having problems. I have restricted permission for Submit and Relay to the SMTP Virtual Server to just me and have changed the Administrator and my passwords but still the emails appear in the Exchange Queue folder and the SMTP connectors appear in the Exchange System Manager list. I did uncheck Anonymous access Authentication too but that just seemed to have the effect that I then received no email at all.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38442895
You don't need relay permission for anyone, so remove the list completely, then restart the SMTP Server service.

Have you done a recent check for open relay?

Simon.

Author Comment

by:ClintonK
ID: 38449166
I have removed all permission for relay so the list is now empty but still the SMTP connectors appear. I have also checked for open relay and this is negative.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38449891
Did you restart the SMTP server service after doing so?
You will need to stop the SMTP Server service so that you can look at the messages to see if they are coming from an external source or not.

The default location is c:\Program Files\Exchsrvr\mailroot\vs 1\queue

Open one of the messages in Notepad and look for the first received from line - remember headers read up, so the first delivery path will be midway through the text.

Simon.

Author Comment

by:ClintonK
ID: 38449931
They all say they are from "ADP Mail System" but from random addresses, e.g. <4CBC9DB3@anydomain.com> and all trying to deliver to a random username at my domain. The IP address the mail has come from is external to me.
LVL 7

Expert Comment

by:djStraTTos
ID: 38449944
Most probably. You are facing a DHA (Directory Harvest Attack). Don't you use any Anti Spam mechanism before emails reach your mail server?

Author Comment

by:ClintonK
ID: 38449945
No, none I'm afraid.
LVL 7

Expert Comment

by:djStraTTos
ID: 38449950
You could set relaying to all except the IP of the spammer and check if this resolves your problem.
Please revert with outcome.

And of course you need a more sophisticated Anti Spam mechanism before your mail server, e.g. Symantec Brightmail or Fortinet Fortimail.
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 2000 total points
ID: 38450038
If you are under DHA then you are going to have to use a third party tool to deal with that. This isn't a problem with the configuration of the server, because the email is going to a valid user at your domain.

If it is going to a random invalid name at your domain, then you need to check you have recipient filtering enabled. If not, then you need to enable it.

Simon.

Author Comment

by:ClintonK
ID: 38450297
The emails are going to a random name on my domain so your second suggestion sounds good. I have checked the option to "Filter recipients who are not in the Directory" - I assume this is the correct option?
LVL 63

Assisted Solution

by:Simon Butler (Sembee) earned 2000 total points
ID: 38462838
You need to enable it on the SMTP virtual server as well.

http://exchange.sembee.info/2003/smtp/filter-unknown.asp

Simon.

Author Comment

by:ClintonK
ID: 38462860
Thanks. I did that and so far all seems to be good as no unknown SMTP connections have appeared since.

Author Closing Comment

by:ClintonK
ID: 38462870
Problem cured. No more spurious SMTP connections and no more blacklisting for me.
Thanks