We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
COURSE of the MONTH
11 days, 7 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Exchange server 2003 being used as a spam relay
Posted on 2012-12-20
Hi
My client's Windows 2K Exchange 2003 sp3 is being used a a spam relay :
There were over 50000 emails in the SMTP queue !
Apparently the destination email adresses are bad
because the Exchange diagnostics log is FULL or
5.4.0 errors (I had approx 2GB worth of these logged
errors).
Is this spam ? or maybe a type of DoS attack ?
The server was on its needs two days following the
beginning of this situation.
I don't understand how these got through though
because I have specified in the SMTP protocol
properties that only the local subnet is allowed
(192.168.1.0/24) is allowed to relay.
So far the only solution I have found was to stop the
SMTP service and delete the files in the mailroot
queue
I'll check the access-rules on the CISCO 831 config to
see if there's any holes through there.
thanks
yann
NB
This is a copy of the cisco config:
My client's Windows 2K Exchange 2003 sp3 is being used a a spam relay :
Received: from User ([184.61.168.250]) by mailhost.XXXXXXXXXX.com with
Microsoft SMTPSVC(5.0.2195.7381);
Tue, 18 Dec 2012 20:36:39 +0100
From: "E-Mail Technical Services"<support@hp.com>
Subject: IMPORTANT INFORMATION IN YOUR MAILBOX
Date: Tue, 18 Dec 2012 13:40:50 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: support@hp.com
Message-ID: <EXCHANGE2KVp20N39x600000a56@mailhos t.XXXXXXXX XX.com>
X-OriginalArrivalTime: 18 Dec 2012 19:36:40.0378 (UTC)
FILETIME=[007E41A0:01CDDD57]
Your mailbox is almost full.
20GB
Your Web-mail Quota Has Exceeded The Set Quota/Limit Which Is 20GB.
You Are Currently Running On 23GB Due To Hidden Files And Folder On
Your Mailbox.
Please Click the Link Below To Validate Your Mailbox And Increase Your Quota.
CLICK HERE: http://activatenow.nclidz.com/
you keep changing your password allowed Web Mail Services to work
on your quota limit.Failure To Click This Link And Validate Your Quota
May Result In Loss Of Important Information In Your Mailbox/Or Cause
Limited Access To It.
Thank you for your cooperation.
Web Mail Technical Services
There were over 50000 emails in the SMTP queue !
Apparently the destination email adresses are bad
because the Exchange diagnostics log is FULL or
5.4.0 errors (I had approx 2GB worth of these logged
errors).
Is this spam ? or maybe a type of DoS attack ?
The server was on its needs two days following the
beginning of this situation.
I don't understand how these got through though
because I have specified in the SMTP protocol
properties that only the local subnet is allowed
(192.168.1.0/24) is allowed to relay.
So far the only solution I have found was to stop the
SMTP service and delete the files in the mailroot
queue
I'll check the access-rules on the CISCO 831 config to
see if there's any holes through there.
thanks
yann
NB
This is a copy of the cisco config:
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
ip inspect name FWOUT smtp
!
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
ip access-group 122 out
ip nat inside
no cdp enable
!
interface Ethernet1
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
ip inspect FWOUT out
duplex auto
no cdp enable
!
ip local pool DIAL-IN 192.168.201.10 192.168.201.230
ip nat inside source list 20 interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.5 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.1.5 110 interface Ethernet1 110
ip nat inside source static tcp 192.168.1.5 143 interface Ethernet1 143
ip nat inside source static tcp 192.168.1.5 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.1.5 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.1.5 80 interface Ethernet1 80
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 10
no ip http server
no ip http secure-server
!
access-list 5 remark SNMP
access-list 5 permit XXX.XXX.XXX.XXX
access-list 5 permit XXX.XXX.XXX.XXX
access-list 10 permit XXX.XXX.XXX.XXX 0.0.0.255
access-list 10 deny any
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 deny any
access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 102 remark Incoming traffic
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 143
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 443
access-list 121 remark ANTISPOOFING
access-list 121 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 121 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 121 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 121 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 121 permit ip any any
access-list 122 permit ip any host 192.168.1.5
access-list 122 permit ip any host 192.168.1.213
access-list 122 permit ip any host 192.168.1.117
access-list 122 permit ip any host 192.168.1.116
access-list 122 permit ip any host 192.168.1.108
access-list 122 permit ip any host 192.168.1.121
access-list 122 permit ip any host 192.168.1.107
access-list 122 permit ip any host 192.168.1.101
access-list 122 permit ip any host 192.168.1.100
access-list 122 permit ip any host 192.168.1.106
access-list 122 permit ip any host 192.168.1.105
access-list 122 deny ip 192.168.201.0 0.0.0.255 any
access-list 122 permit icmp any any
access-list 122 permit ip any any
access-list 122 permit ip any host 192.168.1.251
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
2
6 Comments
It's hard to t/s from here because I don't know your ip's or anything, but make sure you check the SMTP "server" and not just the smtp connector. There is an option under the SMTP server properties (under protocals) called Relay under Access that controls who can relay.
It's a good idea to do an open relay test on your server, that will verify whether it is truely open or not. I generally do them by hand with Telnet, but if you don't know how to do that there are a variety of sites that will do it for you such as this one:
http://www.mailradar.com/openrelay/
It's a good idea to do an open relay test on your server, that will verify whether it is truely open or not. I generally do them by hand with Telnet, but if you don't know how to do that there are a variety of sites that will do it for you such as this one:
http://www.mailradar.com/openrelay/
Active today
thanks rsimsee
I did specify that only the local subnet can relay messages through the SMTP server
We don't use an SMTP connector
I tried the openrelay test you suggested and all 18
methods passed except for test 7, 8 and 14
I'll look more deeply into why those three didn't pass
thanks
I did specify that only the local subnet can relay messages through the SMTP server
We don't use an SMTP connector
I tried the openrelay test you suggested and all 18
methods passed except for test 7, 8 and 14
I'll look more deeply into why those three didn't pass
thanks
Active today
Apparently this is the result of an Reverse NDR attack
I'll let you know which solution I used to fix our situation
I'll let you know which solution I used to fix our situation
Just an fyi, I just tested a client of mine with 2003 and all tests passed, so it must be something on your end.
Looking at the tests that you failed, I see that all of them have a "user unknown" response sent back from the server (at least on my server). I know that have Exchange set to drop all mail not addressed to somebody in my organization, do you have that set?
Looking at the tests that you failed, I see that all of them have a "user unknown" response sent back from the server (at least on my server). I know that have Exchange set to drop all mail not addressed to somebody in my organization, do you have that set?
Active today
thanks for that RSIMSEE
Well, I fixed the issue by implementing the recipient filtering option aswell as the SMTP tar pit registry modification :
http://support.microsoft.com/kb/886208
http://support.microsoft.com/kb/842851
And now when I run the openrelay test, no more errors !
Phew, I'm glad that that's over !
thanks
Well, I fixed the issue by implementing the recipient filtering option aswell as the SMTP tar pit registry modification :
http://support.microsoft.com/kb/886208
http://support.microsoft.com/kb/842851
And now when I run the openrelay test, no more errors !
Phew, I'm glad that that's over !
thanks
Featured Post
Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Read this checklist to learn more about the 15 things you should never include in an email signature.
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory.
NOTE: For Outlook 2016 and 2013 perform the exact same steps.
Open a new email: Click the New email button in Outlook.
Start typing the address: …
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
Suggested Courses
Course of the Month11 days, 7 hours left to enroll
752 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.