MSX 2K3 relays even thought open relays have been blocked

I have been fighting a problem with my mail server for a couple of weeks now and need some assistance.

My MSX 2K3 server passes a 16 point open relay test, however, about once a week, I have to go to the ESM and inspect the SMTP connections.  I will see an IP that is making several concurrent connections and I get alerted from MX Toolbox that I am now a spammer.

I will go into the properties of the smtp virtual server and block that IP for incoming connections and the problems will subside until another spammer starts the process all over again.

I have trend micro WFBS 8.0 and the server passes weekly malware scans, however I am aware that if there is already an infection, the system may be ignoring the condition, thinking that "all's well".

So, other than my system having a possible infection, what else can I do?  I have followed all lockdown procedures outlined in several documents from MS and EE and it appears as if the open relay issue is not an issue...  I am now getting reported as a spamming server and this is causing a breakage in the business.

What am I missing?
CandSNetworkingAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
Who told you they had to be in the list? As who or whatever the source was, is incorrect.
You may not have an open relay, it could be an authenticated relay, unfortunately you will have to wait to see whether the problem goes away.

Worst case is you have compromised account and the attacker is actually logging in to OWA or using Outlook to send the messages. Not unheard of as the result of a phishing attack.

Simon.
0
 
Simon Butler (Sembee)ConsultantCommented:
Have you completely disabled authenticated relaying?
Do you have any systems listed in the allow relay list on the SMTP VS in ESM?

Simon.
0
 
CandSNetworkingAuthor Commented:
Simon,

Please let me know which feature is configured to disallow authenticated relaying and I will look and see.  


We have the IP of the router and the localhost (127.0.0.1) as "allowed" in the SMTP VS...

Is this what you were asking?
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
CandSNetworkingAuthor Commented:
Simon,

Is this what you were asking me about?
Screen shot of my SMTP relay config
Also, authenticated users from the  "users" button are enabled for submit only, not relay.  And I was incorrect about the ip addresses... we've used the NAT address of the server internally and Localhost.
0
 
Simon Butler (Sembee)ConsultantCommented:
You don't need either 127.0.0.1 or the router in the list for Exchange to work.
In some cases having the router listed can turn the server in to an open relay, because of how Exchange sees the traffic. Therefore I would remove the two entries and then restart the SMTP Server service and test again.

Simon.
0
 
CandSNetworkingAuthor Commented:
I'll be happy to remove these two ip addresses (even the NAT address?  I was told that this had to be in the SMTP VS)

I am not sure how to test this, as all relay testing already shows that I have a closed relay....  recommendations?

To date, the "test" has been, "hey admin, I can't send email to xxxx@xxx.xx"  :)
0
 
CandSNetworkingAuthor Commented:
Simon,

Thank you for bringing these misconfigurations to our attention... up until now, we did not realize that relays could be authenticated through several mechanisms.

We believe that we are ready to close this question and appreciate the assist!

Sky
0
All Courses

From novice to tech pro — start learning today.