Exchange 2003 Spam/Relay
  • Exchange 2003 Spam/Relay

    I am having a little issue with my Exchange Server. For the past day or two, someone keeps dumping about 300-400 messages to my exchange. I see the connectors trying to connect to bogus places.

    How is this guy doing this?

    Here is a copy of one of the messages.

    Code:
    Received: from User ([66.203.232.33]) by myexchange.server with Microsoft SMTPSVC(6.0.3790.3959);
    	 Wed, 2 Jul 2008 11:26:46 -0400
    Reply-To: <[email protected]>
    From: "PayPal"<[email protected]>
    Subject: Confirm this Transaction!
    Date: Wed, 2 Jul 2008 10:27:22 -0500
    MIME-Version: 1.0
    Content-Type: text/html;
    	charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    Return-Path: [email protected]
    Message-ID: <[email protected]>
    X-OriginalArrivalTime: 02 Jul 2008 15:26:47.0034 (UTC) FILETIME=[0A6F05A0:01C8DC58]

    I removed my Exchange DNS name from the message.
    Anything I should be looking for?
    CCNA, Network+

  • #2
    Re: Exchange 2003 Spam/Relay

    One of three...

    open relay
    authenticated relay
    NDR spam.

    My guess is probably the second.

    Although the 330/400 messages you are seeing are just the tip of the iceberg. Those are the messages that are failing.

    If you don't need authenticated relaying (and you don't if all clients are Outlook using Exchange, Windows Mobile using ActiveSync - ie no POP3/IMAP clients) then turn it off and restart the SMTP server service.

    You will also have to reset your administrator account password as that is the usual target.

    Of course I am presuming that the server has been checked to ensure that it is not an open relay?

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Exchange 2003 Spam/Relay

      I have done the telnet test; I am not an open relay. Plus I have tried other tests online.

      As for authenticated relaying, we need it. Some people are using older versions of Outlook to connect with POP3. The only way I can see of getting around this is that everyone will need to have Outlook 2003 and be set up with RPC/HTTPS (which has been implemented already).

      Any way to log/see who is authenticating?

      NDR spam? Any way to catch/avoid this?
      CCNA, Network+



      • #4
        Re: Exchange 2003 Spam/Relay

        If it is authenticated relaying, only one account is targeted - the administrator account. That is because the password has to be broken. If you need to use authenticated relaying then lock it down so that its use is limited.

        Either way you have to change your administrator password.

        NDR spam can be blocked by configuring recipient filter and the tarpit. http://www.amset.info/exchange/filter-unknown.asp

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.



        • #5
          Re: Exchange 2003 Spam/Relay

          AFAIK, Outlook since at least Outlook 98 has been able to connect to Exchange server natively (MAPI) so why is it that you don't have your legacy clients configured in Exchange mode? Are you using the Disable MAPI Clients setting (registry entry) to restrict which versions of Outlook can connect to your Exchange server?



          • #6
            Re: Exchange 2003 Spam/Relay

            Originally posted by joeqwerty:
            AFAIK, Outlook since at least Outlook 98 has been able to connect to Exchange server natively (MAPI) so why is it that you don't have your legacy clients configured in Exchange mode? Are you using the Disable MAPI Clients setting (registry entry) to restrict which versions of Outlook can connect to your Exchange server?
            We have people that are offsite. And AFAIK, only Outlook 2003 and above can use RPC/HTTPS. And no, we do not have "Disabled MAPI Clients" in the registry.
            CCNA, Network+



            • #7
              Re: Exchange 2003 Spam/Relay

              Now I understand why. Thanks for the clarification.



              • #8
                Re: Exchange 2003 Spam/Relay

                Just to update. I finally found the user account that they got the password to.

                Event ID 1708
                SMTP Authentication was performed successfully with client "User".
                The authentication method was "LOGIN" and the username was "OURDOMAINNAME\brandy".

                Changed the user's password. And I will see if it happens again.
                CCNA, Network+
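Post #3 asks how to see who is authenticating and post #8 shows the Event ID 1708 entry that answers it. The script below is an added example, not code from the thread or from Exchange: it parses the 1708 message text over a constructed set of log entries and flags accounts whose number of successful SMTP authentications is abnormally high. The sample accounts, client names and threshold are made up; the "User" client name mirrors the HELO string visible in the posted Received header.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Application-log message bodies. The wording is the
# Event ID 1708 text quoted in post #8; the account names are invented.
SAMPLE_EVENTS = (
    ['SMTP Authentication was performed successfully with client "LAPTOP-ALICE".\n'
     'The authentication method was "LOGIN" and the username was "OURDOMAINNAME\\alice".'] * 3
    + ['SMTP Authentication was performed successfully with client "User".\n'
       'The authentication method was "LOGIN" and the username was "OURDOMAINNAME\\brandy".'] * 120
    + ['The SMTP service is starting.']  # unrelated event; must be ignored
)

EVENT_1708_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]*)"\.\s*'
    r'The authentication method was "(?P<method>[^"]*)" and the username was "(?P<user>[^"]*)"\.'
)


def parse_event_1708(text):
    """Return client, method and username from a 1708 message, or None if it is another event."""
    m = EVENT_1708_RE.search(text)
    return m.groupdict() if m else None


def summarize(events):
    """Count successful authentications per account and collect the client names seen.

    The client name is whatever the sender put in HELO/EHLO, so it is attacker-controlled
    and is reported only as supporting context, never as the identity of the sender.
    """
    counts = Counter()
    clients = defaultdict(set)
    for text in events:
        parsed = parse_event_1708(text)
        if parsed is None:
            continue
        counts[parsed["user"]] += 1
        clients[parsed["user"]].add(parsed["client"])
    return counts, clients


def suspicious_accounts(events, threshold=50):
    """Accounts with at least `threshold` successful SMTP logins in the window examined."""
    counts, _ = summarize(events)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, clients = summarize(SAMPLE_EVENTS)
    for user in suspicious_accounts(SAMPLE_EVENTS):
        print(f"{user}: {counts[user]} logins from clients {sorted(clients[user])}")
```

A flagged account is the one whose password needs changing, as post #4 advises; the threshold should be tuned to what the legitimate POP3 users on the server actually generate.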
