Solved

MSX 2K3 relays even though open relays have been blocked

Posted on 2013-06-05
Last Modified: 2013-06-12
I have been fighting a problem with my mail server for a couple of weeks now and need some assistance.

My MSX 2K3 server passes a 16-point open relay test; however, about once a week I have to go to the ESM and inspect the SMTP connections.  I will see an IP that is making several concurrent connections, and I get alerted by MX Toolbox that I am now a spammer.

I will go into the properties of the smtp virtual server and block that IP for incoming connections and the problems will subside until another spammer starts the process all over again.

I have Trend Micro WFBS 8.0 and the server passes weekly malware scans; however, I am aware that if there is already an infection, the system may be ignoring the condition, thinking that "all's well".

So, other than my system having a possible infection, what else can I do?  I have followed all lockdown procedures outlined in several documents from MS and EE and it appears as if the open relay issue is not an issue...  I am now getting reported as a spamming server and this is causing a breakage in the business.

What am I missing?
Question by:CandSNetworking
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39222607
Have you completely disabled authenticated relaying?
Do you have any systems listed in the allow relay list on the SMTP VS in ESM?

Simon.
 

Author Comment

by:CandSNetworking
ID: 39222887
Simon,

Please let me know which feature is configured to disallow authenticated relaying and I will look and see.  


We have the IP of the router and the localhost (127.0.0.1) as "allowed" in the SMTP VS...

Is this what you were asking?
 

Author Comment

by:CandSNetworking
ID: 39222951
Simon,

Is this what you were asking me about?
Screen shot of my SMTP relay config
Also, authenticated users from the "Users" button are enabled for submit only, not relay.  And I was incorrect about the IP addresses... we've used the NAT address of the server internally and localhost.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39222997
You don't need either 127.0.0.1 or the router in the list for Exchange to work.
In some cases having the router listed can turn the server into an open relay, because of how Exchange sees the traffic. Therefore I would remove the two entries, then restart the SMTP Server service and test again.

Simon.
 

Author Comment

by:CandSNetworking
ID: 39223033
I'll be happy to remove these two IP addresses (even the NAT address?  I was told that this had to be in the SMTP VS).

I am not sure how to test this, as all relay testing already shows that I have a closed relay....  recommendations?

To date, the "test" has been, "hey admin, I can't send email to xxxx@xxx.xx"  :)
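Added example, not from the thread: the poster asks how to test once the relay list is emptied, since external "open relay" checkers already report a closed relay. Those checkers can only exercise the anonymous case, because the scanner has no mailbox password. If the SMTP virtual server's relay restrictions allow "all computers which successfully authenticate to relay, regardless of the list above", the same RCPT TO that a scanner sees refused is accepted after AUTH, and any phished or guessable mailbox password turns the server into a relay no scanner will ever flag. The script below probes both paths against one server and never sends a message (it stops after RCPT TO and issues RSET). The host name, the two probe addresses and the credentials are command-line parameters and assumptions, not values from this thread; the `smtp` argument is anything with `smtplib.SMTP`'s interface so the verdict logic can be checked without a live server.

```python
"""Relay probe: does the server relay for anonymous clients, for authenticated
clients, or for both?  Added example, not code from the thread above.

Stops after RCPT TO and sends RSET, so no message is ever queued or delivered.
"""
import smtplib
import sys
from dataclasses import dataclass


@dataclass
class RelayResult:
    mode: str        # "anonymous" or "authenticated:<user>"
    auth_ok: bool    # AUTH succeeded (always True for the anonymous probe)
    mail_code: int   # reply to MAIL FROM, 0 if the probe never got that far
    rcpt_code: int   # reply to RCPT TO,   0 if the probe never got that far

    @property
    def relayed(self) -> bool:
        # A 2xx to RCPT TO for a domain the server is not authoritative for means
        # it agreed to relay. A closed relay answers 5xx instead (Exchange 2003
        # replies "550 5.7.1 Unable to relay for <recipient>").
        return 200 <= self.rcpt_code < 300


def _attempt(smtp, mode, sender, recipient):
    mail_code, _ = smtp.mail(sender)
    if not 200 <= mail_code < 300:
        return RelayResult(mode, True, mail_code, 0)
    rcpt_code, _ = smtp.rcpt(recipient)
    smtp.rset()                      # abandon the envelope: nothing is queued
    return RelayResult(mode, True, mail_code, rcpt_code)


def probe_relay(smtp, sender, recipient, credentials=None):
    """Anonymous probe, then an authenticated one if credentials are given.

    `smtp` is anything with smtplib.SMTP's ehlo/login/mail/rcpt/rset/quit
    methods. `sender` and `recipient` must both be in domains this server does
    NOT accept mail for; otherwise a 250 is ordinary delivery, not relaying.
    """
    smtp.ehlo()
    results = [_attempt(smtp, "anonymous", sender, recipient)]
    if credentials:
        user, password = credentials
        mode = f"authenticated:{user}"
        try:
            smtp.login(user, password)
        except smtplib.SMTPException:    # wrong password, or no usable AUTH offered
            results.append(RelayResult(mode, False, 0, 0))
        else:
            results.append(_attempt(smtp, mode, sender, recipient))
    smtp.quit()
    return results


if __name__ == "__main__":
    # usage: python relay_probe.py mail.example.com [user password]
    # (hypothetical host name and probe addresses; run it from OUTSIDE your LAN,
    #  because the relay list and "how Exchange sees the traffic" differ inside)
    host = sys.argv[1]
    creds = tuple(sys.argv[2:4]) if len(sys.argv) >= 4 else None
    conn = smtplib.SMTP(host, 25, timeout=20)
    conn.ehlo()
    if conn.has_extn("starttls"):
        conn.starttls()             # keep the test password off the wire if offered
    for r in probe_relay(conn, "probe@example.org", "probe@example.net", creds):
        verdict = "RELAYED" if r.relayed else ("auth failed" if not r.auth_ok else "refused")
        print(f"{r.mode:<28} MAIL={r.mail_code} RCPT={r.rcpt_code} -> {verdict}")
```

Run it once with no credentials (should print "refused", matching the external scanners) and once with an ordinary mailbox's credentials. "RELAYED" on the authenticated line is normal if POP/IMAP users are meant to send through this server, but it also means every mailbox password is now a relay credential; if the per-user "Users" permissions say submit-only and the authenticated probe is still accepted, the "regardless of the list above" checkbox in Relay Restrictions is what is granting it.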
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) (earned 500 total points)
ID: 39223496
Who told you they had to be in the list? Whoever or whatever the source was, it is incorrect.
You may not have an open relay, it could be an authenticated relay, unfortunately you will have to wait to see whether the problem goes away.

Worst case is you have a compromised account and the attacker is actually logging in to OWA or using Outlook to send the messages. Not unheard of as the result of a phishing attack.

Simon.
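Added example, not from the thread: the accepted answer leaves the poster with two candidates, an authenticated relay or a compromised account, and "wait and see whether it goes away". The SMTP virtual server can settle that faster if protocol logging (Properties, General tab, W3C Extended Log File Format) is turned on, because every EHLO, AUTH, MAIL and RCPT then lands in the log with the client IP and the reply code. The script below reads such a log, keyed by the `#Fields:` header rather than fixed column positions, and reports per client IP how many RCPTs the server accepted for domains it is not responsible for (that is, relayed) and whether that client authenticated first. The log lines are constructed for this example with a reduced field list and documentation-range addresses; the real log has more columns, which the header-driven parser handles unchanged. `LOCAL_DOMAINS` is an assumption you replace with the domains the server accepts mail for.

```python
"""Triage an Exchange 2003 SMTP protocol log: who relayed, and did they AUTH?
Added example, not code from the thread above."""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}      # assumption: domains this server accepts mail for

# CONSTRUCTED sample (reduced field list; real logs carry more columns)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-06-05 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2013-06-05 10:01:02 192.168.1.50 WORKSTATION1 192.168.1.10 25 EHLO - +WORKSTATION1 250
2013-06-05 10:01:02 192.168.1.50 WORKSTATION1 192.168.1.10 25 AUTH - LOGIN 235
2013-06-05 10:01:03 192.168.1.50 WORKSTATION1 192.168.1.10 25 MAIL - +FROM:<alice@example.com> 250
2013-06-05 10:01:03 192.168.1.50 WORKSTATION1 192.168.1.10 25 RCPT - +TO:<partner@example.net> 250
2013-06-05 10:02:10 198.51.100.9 mx.example.org 192.168.1.10 25 EHLO - +mx.example.org 250
2013-06-05 10:02:10 198.51.100.9 mx.example.org 192.168.1.10 25 MAIL - +FROM:<sales@example.org> 250
2013-06-05 10:02:11 198.51.100.9 mx.example.org 192.168.1.10 25 RCPT - +TO:<victim1@example.net> 550
2013-06-05 10:02:11 198.51.100.9 mx.example.org 192.168.1.10 25 RCPT - +TO:<victim2@example.net> 550
2013-06-05 10:05:40 203.0.113.7 WIN-PC 192.168.1.10 25 EHLO - +WIN-PC 250
2013-06-05 10:05:40 203.0.113.7 WIN-PC 192.168.1.10 25 AUTH - LOGIN 535
2013-06-05 10:05:41 203.0.113.7 WIN-PC 192.168.1.10 25 AUTH - LOGIN 235
2013-06-05 10:05:41 203.0.113.7 WIN-PC 192.168.1.10 25 MAIL - +FROM:<bob@example.com> 250
2013-06-05 10:05:42 203.0.113.7 WIN-PC 192.168.1.10 25 RCPT - +TO:<victim1@example.net> 250
2013-06-05 10:05:42 203.0.113.7 WIN-PC 192.168.1.10 25 RCPT - +TO:<victim2@example.net> 250
2013-06-05 10:05:42 203.0.113.7 WIN-PC 192.168.1.10 25 RCPT - +TO:<victim3@example.net> 250
2013-06-05 10:05:43 203.0.113.7 WIN-PC 192.168.1.10 25 RCPT - +TO:<victim4@example.net> 250
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                 # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def _address(query):
    """Pull the address out of '+FROM:<a@b>' / '+TO:<a@b>' (empty for '<>')."""
    m = ADDR_RE.search(query)
    return (m.group(1) if m else query.split(":", 1)[-1]).strip().lower()


def _new_stats():
    return {"sessions": 0, "auth_ok": 0, "auth_fail": 0, "rcpt_local": 0,
            "rcpt_relayed": 0, "rcpt_rejected": 0, "senders": set()}


def summarize(rows, local_domains=LOCAL_DOMAINS):
    """Per client IP: sessions, AUTH outcomes, and RCPT outcomes split by locality."""
    stats = defaultdict(_new_stats)
    for row in rows:
        s = stats[row["c-ip"]]
        verb = row["cs-method"].upper()
        code = int(row["sc-status"]) if row["sc-status"].isdigit() else 0
        if verb in ("EHLO", "HELO"):
            s["sessions"] += 1
        elif verb == "AUTH":
            if code == 235:          # 235 = authentication succeeded
                s["auth_ok"] += 1
            elif code >= 500:
                s["auth_fail"] += 1
        elif verb == "MAIL":
            s["senders"].add(_address(row["cs-uri-query"]))
        elif verb == "RCPT":
            if code >= 500:
                s["rcpt_rejected"] += 1
            elif 200 <= code < 300:
                domain = _address(row["cs-uri-query"]).rpartition("@")[2]
                s["rcpt_local" if domain in local_domains else "rcpt_relayed"] += 1
    return dict(stats)


def classify(s):
    if s["rcpt_relayed"] == 0:
        return "no relaying"
    if s["auth_ok"]:
        return "relayed after AUTH (check that account's password and mailbox)"
    return "relayed WITHOUT auth (open relay path: check the relay list)"


def rank_relayers(stats):
    """Relaying clients, busiest first."""
    ranked = [(ip, s) for ip, s in stats.items() if s["rcpt_relayed"]]
    ranked.sort(key=lambda item: item[1]["rcpt_relayed"], reverse=True)
    return ranked


if __name__ == "__main__":
    stats = summarize(parse_w3c(SAMPLE_LOG))
    for ip, s in rank_relayers(stats):
        print(f"{ip:<15} relayed={s['rcpt_relayed']:<3} auth_ok={s['auth_ok']} "
              f"auth_fail={s['auth_fail']} senders={sorted(s['senders'])}: {classify(s)}")
```

Legitimate POP/IMAP users relay after AUTH too, so read the ranking with the source in mind: an Internet address with a failed-then-successful AUTH and a long run of accepted external RCPTs under one internal sender address is the "compromised account" case in the accepted answer, and the account to lock is the one in `senders`; a high `rcpt_relayed` count with `auth_ok` at zero means the relay restrictions themselves are letting it through.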
 

Author Closing Comment

by:CandSNetworking
ID: 39241385
Simon,

Thank you for bringing these misconfigurations to our attention... up until now, we did not realize that relays could be authenticated through several mechanisms.

We believe that we are ready to close this question and appreciate the assist!

Sky
