Exchange 2010 Authenticated Relay Attack

I believe I am the victim of an Authenticated Relay Attack.

I have read the various posts by A. Hardisty on how to deal with this with Exchange 2003, but not with Exchange 2010.

First thing I need to know is how to identify which account is the compromised account.  Once I stop the authenticated relay, then I can move on to cleaning things up.
Alan Hardisty (Co-Owner) commented:
Those are messages destined for invalid users that are all spam, but because your UTM device is accepting them and passing them to your Exchange server for delivery, you are forced to send an NDR message back.  If your UTM device rejected invalid recipients, then the sending server would be responsible for the NDR generation.

This forces you to send Backscatter and that is why you are listed on  If the UTM device cannot reject emails destined for invalid email addresses, then throw it away and get one that can, or use a product such as Vamsoft ORF Fusion which can and also does a brilliant job of rejecting spam (  You can trial it for 42 days before you decide to buy (in case it doesn't work for you).
Patrick Bogers (Datacenter platform engineer, Lindows) commented:

You will find thousands of "audit success" entries in the security logs, which will give you an idea.
Next you can browse your Default SMTP connector logs (or quickly expand its logging level).

For sure you have to force all users to reset their passwords.
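One way to pin down which account an authenticated relay is using, combining the security-log and connector-log hints above with the message tracking log. This is an added example, not a command from the thread. It assumes Exchange 2010 EMS on the Hub Transport server with the default log paths; the exact shape of the "authenticated" line in the SmtpReceive protocol log (event "*", user name in the data column, context "authenticated") is an assumption to confirm against your own logs.

```powershell
# Added example, not from the thread: find the account an authenticated relay is using.
# Assumes Exchange 2010 EMS and default log paths. The "event * / context authenticated"
# line layout is an assumption; verify it against one of your own SmtpReceive logs.

# 1. Protocol logging is "None" on the connector shown in the thread; turn it on everywhere.
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# 2. Parse the receive protocol logs. Lines starting with '#' are header comments.
$logDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\ProtocolLog\SmtpReceive'
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'
$authLines = Get-ChildItem -Path $logDir -Filter '*.log' | ForEach-Object {
    Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } | ConvertFrom-Csv -Header $fields
} | Where-Object { $_.event -eq '*' -and $_.context -eq 'authenticated' }

# 3. Logons per account, then per account and source IP. A mailbox user authenticating
#    thousands of times, or from addresses that are not the copier or the UTM, is the one.
$authLines | Group-Object -Property data |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
$authLines | Group-Object -Property { $_.data + '  from  ' + ($_.'remote-endpoint' -replace ':\d+$', '') } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10

# 4. Cross-check in the message tracking log: which sender submitted the most mail over SMTP
#    in the last three days (the thread's timeline is Monday to Wednesday).
Get-MessageTrackingLog -EventId RECEIVE -Start (Get-Date).AddDays(-3) -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' } |
    Group-Object -Property Sender |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10

# 5. Reset the password of whichever account tops both lists, as Patrick advises above,
#    before purging its mail from the queues.
```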

tech911 (Author) commented:
Checked MXTOOLBOX; we are not an open relay.

Here are the results of the command you requested I run:

Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights

123ExchangeServer\Copier Scan To Mail


Extended Rights
Alan Hardisty (Co-Owner) commented:
Okay - so your copier looks like it can relay.  Does it need to?

Please run the following EMS command:

get-receiveconnector -identity "copier scan to mail" | fl

Please post the output.


tech911 (Author) commented:
[PS] C:\Windows\system32>get-receiveconnector -identity "copier scan to mail" | fl

RunspaceId                              : ef0608a5-626e-4a5a-8849-9705b474c723
AuthMechanism                           : None
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    :
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, Custom
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : CLREXCHGSERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Copier Scan To Mail
DistinguishedName                       : CN=Copier Scan To Mail,CN=SMTP Receive Connectors,CN=Protocols,CN=CLREXCHGSER
                                          VER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administ
                                          rative Groups,CN=CLRLAW,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
Identity                                : CLREXCHGSERVER\Copier Scan To Mail
Guid                                    : 89640d18-7fac-47e5-99a9-4ec23be1d83c
ObjectCategory                          : CLRLAW/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 6/20/2013 4:27:50 PM
WhenCreated                             : 9/4/2012 10:46:07 AM
WhenChangedUTC                          : 6/20/2013 8:27:50 PM
WhenCreatedUTC                          : 9/4/2012 2:46:07 PM
OrganizationId                          :
OriginatingServer                       : CLRMainServer.CLRLAW
IsValid                                 : True
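The permission check Alan asked for above, widened to every receive connector at once: it reports which connectors grant anonymous relay (ms-Exch-SMTP-Accept-Any-Recipient to NT AUTHORITY\ANONYMOUS LOGON) and whether that grant is confined to listed remote IPs or exposed to anyone who can reach port 25. This is an added example, not from the thread; it assumes Exchange 2010 EMS, and that IPRange.ToString() renders a full-range entry as "0.0.0.0-255.255.255.255" (or "::-..." for IPv6).

```powershell
# Added example, not from the thread: audit all receive connectors for anonymous relay.
# Assumes Exchange 2010 EMS. The range-string formats below are an assumption.
$report = foreach ($rc in Get-ReceiveConnector) {
    # Any allow ACE that gives ANONYMOUS LOGON the "accept any recipient" right = relay.
    $anonRelay = $rc | Get-ADPermission |
        Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and
                       $_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*' -and
                       -not $_.Deny }

    # A new connector defaults to the whole IPv4/IPv6 space; that plus relay = open relay.
    $rangeText = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
    $wideOpen  = $rc.RemoteIPRanges |
        Where-Object { $_.ToString() -like '0.0.0.0-255.255.255.255' -or $_.ToString() -like '::-*' }

    if ($anonRelay -and $wideOpen)  { $risk = 'OPEN RELAY: anonymous relay from any IP' }
    elseif ($anonRelay)             { $risk = 'Relay allowed, limited to RemoteIPRanges' }
    else                            { $risk = 'No anonymous relay' }

    # New-Object rather than [pscustomobject]: Exchange 2010 EMS runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Connector        = $rc.Identity.ToString()
        AuthMechanism    = $rc.AuthMechanism.ToString()
        PermissionGroups = $rc.PermissionGroups.ToString()
        RemoteIPRanges   = $rangeText
        Risk             = $risk
    }
}

$report | Sort-Object Risk |
    Format-Table Connector, AuthMechanism, PermissionGroups, RemoteIPRanges, Risk -AutoSize
```

For the thread's copier connector the expected row is "Relay allowed, limited to RemoteIPRanges"; any connector reporting "OPEN RELAY" needs its RemoteIPRanges tightened or the anonymous relay ACE removed.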
Alan Hardisty (Co-Owner) commented:
Okay - that's restricted to just your copier (assuming its IP is

So - you don't look like an authenticated relay.

What makes you think you are?
tech911 (Author) commented:
We were fine...
Then we started to have a couple of bounces
Then I checked the BL at MXTOOLBOX and we were on 4 lists
Then I looked at the message Queue and saw a ton of messages that didn't have anything to do with what we do (Law Firm)
tech911 (Author) commented:
We have 4 receive connectors... I didn't set this up

Copier Scan To Mail
CL Inbound SMTP

One Send Connector
Alan Hardisty (Co-Owner) commented:
Those are just postmaster NDR messages.  Nothing more sinister.

Does your Exchange server receive mail direct from the internet or via a 3rd party spam filtering service?

What Blacklists were you on? one of them?
tech911 (Author) commented:
Alan Hardisty (Co-Owner) commented:
Thought so - what about my other question?
tech911 (Author) commented:
We do have a router that has anti-spam protection on it (Netgear with UTM)

Just to be clear we have had this setup for months.

We had someone leave the firm.
They asked me to make sure his mailbox was accessible to two other partners
I gave them both Full Access and Send As permissions
That was on Monday, we started seeing the bounces yesterday and full blown full queue today.

Does that help?
tech911 (Author) commented:
Look at the subject in those <> messages.
tech911 (Author) commented:
Here is the Queue with the last error; every one is rejecting us... most likely due to BLs.
Alan Hardisty (Co-Owner) commented:
The ones from <> look just like regular spam.

I would imagine your Netgear UTM device is not capable or not enabled for Recipient Filtering, so it is accepting messages for invalid email addresses, passing them on to your Exchange server and because your UTM device has accepted the message, your Exchange server is forced to send an NDR back to the sender (which is usually spoofed) and because some have gone out to honeypot addresses at places like, you get blacklisted.

You either need to enable recipient filtering on the UTM (if it is capable), or find an alternative solution to spam.
Alan Hardisty (Co-Owner) commented:
According to Spamhaus you are on the CBL blocklist because you have a spam sending trojan (

Does your firewall block SMTP traffic outbound from all IPs other than your Exchange Server?

Extract from the link above:

It was last detected at 2013-06-18 22:00 GMT (+/- 30 minutes), approximately 2 days ago.

So about 2 days ago you had a problem and that is why you are blacklisted.  If the problem was ongoing, then you would see a more recent time as the most recent listing.

Did you have any visitors a couple of days ago with a laptop that connected to your network or a remote user who came back to the office?
tech911 (Author) commented:
So a couple of questions:

1.) Suggestions for anti-spam?

2.) How can I be sure my connectors are set up to receive messages only for people on my system?
Alan Hardisty (Co-Owner) commented:
I'll let you read / reply to my last comment before responding to your last one.
tech911 (Author) commented:
I'm a hired gun, so I am not there every day.

Basically I have a bug on the network sending messages; is that what I am understanding?
Alan Hardisty (Co-Owner) commented:
It looks that way - or it looks like you did have.

Make sure the firewall is locked down to ONLY allow port 25 traffic out from the Exchange server and nothing else (unless absolutely necessary) and if you have got an infected PC, then you will need to track it down.

You can use something like Wireshark to sniff for port 25 traffic from the network and see if you can locate a PC sending such traffic and then tackle it.

Malwarebytes may well help you, but blocking the firewall (if not already done) would be the first thing to check / lock down.
tech911 (Author) commented:
Made the firewall change.

Downloading MB's

How can I check to see who is sending mail out on my system...
Alan Hardisty (Co-Owner) commented:
"How can I check to see who is sending mail out on my system..." - Do you mean virus or genuine user?
tech911 (Author) commented:
Genuine User.

I am accumulating more and more of those <> messages in the queue, and when I look at them the "from" info is not anyone in my system, the "to" is someone random outside my system, and the subjects are totally spam.

So I'm not sure what's going on.

Should I load MS Exchange AV and enable recipient filtering, or can I do it without MS Exchange AV (my router doesn't support it, as we thought)?
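Recipient filtering on an Exchange 2010 Hub Transport does not need a separate AV product: the built-in anti-spam agents can be installed on the Hub role and configured to reject unknown recipients at RCPT TO, which is what stops the backscatter Alan describes above. The following is an added example, not a command sequence from the thread; it assumes EMS on the Hub Transport server, and 192.0.2.1 is a placeholder for the UTM's internal address.

```powershell
# Added example, not from the thread: reject mail for non-existent users on the Hub
# Transport itself instead of accepting it and bouncing it. Assumes Exchange 2010 EMS.
# 192.0.2.1 is a placeholder for the Netgear UTM's inside address.

# 1. Install the built-in anti-spam agents on the Hub Transport role (they are only
#    present by default on an Edge server) and restart transport to load them.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
Restart-Service MSExchangeTransport

# 2. Declare the UTM as an internal SMTP hop so the agents evaluate the real sending
#    IP from the Received headers rather than treating the UTM as the sender.
Set-TransportConfig -InternalSMTPServers @{Add = '192.0.2.1'}

# 3. Turn on the Recipient Filter agent and validate every RCPT TO against AD.
#    Unknown recipients now get "550 5.1.1 User unknown" during the SMTP session,
#    so no message is accepted and no NDR has to be generated later.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 4. Verify the agent is enabled and validation is on.
Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

# 5. Clear the backscatter already sitting in the queues. NDRs carry the null
#    sender, which Get-Message shows as '<>'; drop them without creating more NDRs.
Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq '<>' } |
    Remove-Message -WithNDR $false
```

If the UTM accepts the whole message before it opens a session to Exchange, the 550 now goes to the UTM rather than to the original sender, so check whether the UTM passes the rejection through inline or generates its own bounce; in the latter case the filtering still has to move to the edge, as Alan says.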