Exchange 2003 is sending emails not from own domain


  • Exchange 2003 is sending emails not from own domain

    Hi,

    Our client "abc.co.uk" has an SBS 2003 server with 14 users and I can see 8,000 emails in the queue and the Message Tracking tool that have a sender as "[email protected]" and "[email protected]" and other such domains, which are nothing to do with our client's public domain "abc.co.uk".

    I believe the server has been compromised and I need to secure it so that only emails originating from abc.co.uk can be sent.

    I have done an open relay test and I get the good message back saying "This server is not an open relay".

    I have changed all the user account passwords, including Administrator and other service accounts, and made sure services start and scheduled tasks run with the new credentials. But aside from that general precaution, is there a way I can tell Exchange 2003 "Do not send emails unless they have a sender domain of abc.co.uk" ?

    Thank you.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: Exchange 2003 is sending emails not from own domain

    What settings do you have on the exchange virtual server?
    cheers
    Andy

    Quis custodiet ipsos custodes?

    Comment


    • #3
      Re: Exchange 2003 is sending emails not from own domain

      Hi Andy,

      Would that be the default SMTP virtual server that you are referring to? If so, email goes out via the Connectors > SBS SMTP connector, and the Protocols > SMTP > Default SMTP Virtual server has no settings (other than defaults).

      I hope that makes sense! And thanks for your input. Should I configure the Default SMTP Server in some way to deny sending of emails from non-abc.co.uk domains? and if so how?
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

      Comment


      • #4
        Re: Exchange 2003 is sending emails not from own domain

        To my knowledge Exchange will only relay for non-known domains if it is set to permit relaying somewhere. Your test may have only checked from a certain source. What do the permissions tabs look like? (like this link below)
        http://www.petri.com/preventing_exch...m_relaying.htm
        cheers
        Andy

        Quis custodiet ipsos custodes?

        Comment


        • #5
          Re: Exchange 2003 is sending emails not from own domain

          Hi Andy,

          Many thanks for that info: I'm going away on holiday now so as soon as I get back I can look into it and see where this takes me. Thank you.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

          Comment


          • #6
            Re: Exchange 2003 is sending emails not from own domain

            Relaying is denied by default so it has to be something someone has configured.

            Easy way to make sure everything is back to default is to add a second SMTP virtual server to the box then add it to the SMTP connector (also remove the original and restart iisadmin.)

            Then on the SMTP connector , on the address space tab make sure "allow messages to be relayed...." is not selected.

            If at this point messages from other domains are still being sent then someone is using AUTH Login. If so you can crank up logging to figure out what account is being used.

            Comment


            • #7
              Re: Exchange 2003 is sending emails not from own domain

              Exchange doesn't have any mechanism to validate the sender's email address. Since you stated that you've run the open relay test and passed then my opinion is that it's an internal user who's using POP (maybe from home?) to connect to the server, they're being authenticated to the SMTP server and sending the spam emails because their home computer has been compromised.

              Comment


              • #8
                Re: Exchange 2003 is sending emails not from own domain

                Just to add to joeqwerty's comments, the only thing I would throw in there is that the open relay test is only valid from the IP it is testing from.
                cheers
                Andy

                Quis custodiet ipsos custodes?

                Comment


                • #9
                  Re: Exchange 2003 is sending emails not from own domain

                  Hi.

                  The same thing happened to me on a SBS 2003 box. At that moment I freaked out and deleted all the mail queue, then I was sorry I couldn't investigate any further.

                  As far as I could tell, there was one PC infected with a spambot, that used the server as a SMTP relay with the domain user credentials.

                  In my case, because all the users were using Outlook to connect directly to the Exchange server, rather than POP3/SMTP, I went to the properties of the Virtual SMTP Server > Access > Relay and unticked the checkbox "Allow all computers that successfully authenticate to relay, regardless of the list above".

                  After that, found the computer with the spambot, cleaned it, but left the above mentioned checkbox unchecked. Safety measure for the future.

                  Hope this helps.

                  Comment
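
Posts #6, #7 and #9 all point at a client that authenticates to the SMTP virtual server and submits the spam. As an added example (not written by any poster in this thread), the Python script below tallies accepted MAIL FROM commands whose sender domain is not abc.co.uk, per client IP, so the submitting machine can be found before the queue is cleared. It assumes W3C extended logging is enabled on the SMTP virtual server with the SMTP verb in cs-method, its argument in cs-uri-query and the reply code in sc-status; the log lines, IP addresses and foreign domains are constructed.

```python
import re
from collections import Counter

ALLOWED_DOMAINS = {"abc.co.uk"}  # the client's own domain, as named in the thread
MAIL_FROM = re.compile(r"FROM:\s*<([^>]*)>", re.IGNORECASE)

# Constructed sample log (documentation IP ranges and example domains).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2010-06-01 09:00:01 192.168.16.21 pc07 EHLO +pc07 250
2010-06-01 09:00:02 192.168.16.21 pc07 MAIL +FROM:<promo@example.net> 250
2010-06-01 09:00:02 192.168.16.21 pc07 RCPT +TO:<someone@example.org> 250
2010-06-01 09:00:05 192.168.16.21 pc07 MAIL +FROM:<offers@example.com> 250
2010-06-01 09:01:10 192.168.16.30 pc12 MAIL +FROM:<paul@ABC.co.uk> 250
2010-06-01 09:01:40 192.168.16.30 pc12 MAIL +FROM:<> 250
2010-06-01 09:02:00 203.0.113.9 host MAIL +FROM:<x@example.net> 550
"""

def foreign_senders(log_text, allowed=ALLOWED_DOMAINS):
    """Count accepted MAIL commands per (client IP, sender domain) for domains not in `allowed`."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "MAIL":
            continue
        if not row.get("sc-status", "").startswith("2"):
            continue                       # rejected by the server, nothing was queued
        m = MAIL_FROM.search(row.get("cs-uri-query", ""))
        if not m or "@" not in m.group(1):
            continue                       # null sender <> or unparsable argument
        domain = m.group(1).rsplit("@", 1)[1].lower()
        if domain not in allowed:
            hits[(row.get("c-ip", "?"), domain)] += 1
    return hits

def by_client(hits):
    """Collapse the per-domain counts into a ranked list of (client IP, total)."""
    totals = Counter()
    for (ip, _domain), n in hits.items():
        totals[ip] += n
    return totals.most_common()

if __name__ == "__main__":
    for ip, n in by_client(foreign_senders(SAMPLE_LOG)):
        print(f"{ip}: {n} accepted messages with a non-local sender domain")
```

The log gives the submitting IP only; identifying the account behind it still needs the raised logging level mentioned in post #6.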


                  • #10
                    Re: Exchange 2003 is sending emails not from own domain

                    I've just got back from holiday so that's why I've not been able to keep current with this thread. Very many thanks indeed to all the above contributions. As far as I can tell, making all the users change their passwords (and changing all the admin and service account passwords) may have solved things for now, so in addition to that basic security measure, I'll carry out some of the suggestions above to secure the system even more.

                    Once again, thanks to all for your valued contributions.
                    Best wishes,
                    PaulH.
                    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

                    Comment
