Stop Exchange 2003 sending mail to .uk
  • Stop Exchange 2003 sending mail to .uk

    I have a Windows 2003 server with Exchange 2003 on it. All updates are applied and for antivirus I have GFI Mailessentials/Mailsecurity. We also have Clamwin running (checking everything every night).

    It's just an Exchange server, not fileserver.

    There are about 70-100 clients connected with RPC over HTTP proxy.

    Everything runs great but once in a while the queue fills up with a few thousand spam mails being sent to various addresses in the UK. Mostly .co.uk but also some other .uk variants.

    Since we use the datacenter's smarthost that is being handled by an Ironport, the mail is not sent to the .co.uk addresses but is held at the Ironport.

    I checked the server over and over again for viruses but none are found. So it is possibly one of the clients with a virus. Some are in The Netherlands and some are in Russia. Everyone says they have checked their computer but I do not believe them.
    Since we have no customers in the UK, I would like to stop the server from sending mail to the .uk TLD. How can I do this?

    Are there ways to figure out who (or what pc) is filling up the queue?

  • #2
    Re: Stop Exchange 2003 sending mail to .uk

    Originally posted by jantje.vlaam
    Exchange is capable of blacklisting subnets for particular countries according to IANA's IP address allocation, but that's not a very practical solution. If I were you I'd enable logging under the SMTP virtual server and examine the logs to see who is an authenticated relay. The logs will tell you in granular detail all SMTP transactions going through your Exchange.
    Last edited by scurlaruntings; 30th May 2009, 10:07.
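    The log review suggested above, as an added example that is not part of this thread: a small parser for W3C-format SMTP virtual server logs that counts RCPT commands per client IP and flags recipients under a given TLD, so the client flooding the queue stands out. The #Fields list is trimmed to the columns the parser needs, and the log lines are constructed sample data, not a real capture.

```python
# Added example (not from the thread): parse W3C-format SMTP virtual server
# logs and count RCPT commands per client IP, flagging .uk recipients.
# Field names follow the IIS/Exchange 2003 SMTP log format (trimmed here);
# the log lines below are constructed sample data, not a real capture.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2009-05-28 09:38:01 192.168.1.10 mail.example.local SMTPSVC1 HELO +mail.example.local 250
2009-05-28 09:38:01 192.168.1.10 mail.example.local SMTPSVC1 MAIL +FROM:<alice@example.nl> 250
2009-05-28 09:38:01 192.168.1.10 mail.example.local SMTPSVC1 RCPT +TO:<bob@example.nl> 250
2009-05-28 09:38:05 192.168.1.77 laptop77 SMTPSVC1 HELO +laptop77 250
2009-05-28 09:38:05 192.168.1.77 laptop77 SMTPSVC1 MAIL +FROM:<noreply@example.nl> 250
2009-05-28 09:38:05 192.168.1.77 laptop77 SMTPSVC1 RCPT +TO:<victim1@bank.co.uk> 250
2009-05-28 09:38:05 192.168.1.77 laptop77 SMTPSVC1 RCPT +TO:<victim2@shop.org.uk> 250
2009-05-28 09:38:06 192.168.1.77 laptop77 SMTPSVC1 RCPT +TO:<victim3@bank.co.uk> 250
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat per log file
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def rcpt_stats(text, tld=".uk"):
    """Return {client_ip: (total RCPT count, RCPT count under tld)}."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT":
            continue
        # cs-uri-query looks like +TO:<user@domain>; pull out the domain part
        addr = rec.get("cs-uri-query", "").split(":", 1)[-1].strip("<>")
        domain = addr.rsplit("@", 1)[-1].lower()
        stats[rec["c-ip"]][0] += 1
        if domain.endswith(tld):
            stats[rec["c-ip"]][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def noisiest_client(text, tld=".uk"):
    """Client IP with the most recipients under tld, or None if no RCPTs seen."""
    stats = rcpt_stats(text, tld)
    return max(stats, key=lambda ip: stats[ip][1]) if stats else None

if __name__ == "__main__":
    for ip, (total, uk) in rcpt_stats(SAMPLE_LOG).items():
        print(f"{ip}: {total} RCPT, {uk} to .uk")
    print("check this client first:", noisiest_client(SAMPLE_LOG))
```

Point it at the real log files under the SMTP virtual server's log directory and the client with the highest .uk count is the machine to inspect first.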



    • #3
      Re: Stop Exchange 2003 sending mail to .uk

      Originally posted by jantje.vlaam
      Are there ways to figure out who (or what pc) is filling up the queue?
      Sembee wrote an article on how to check for this.

      http://blog.sembee.co.uk/archive/2009/02/28/93.aspx
      Last edited by Octagon; 28th May 2009, 09:38.



      • #4
        Re: Stop Exchange 2003 sending mail to .uk

        Rather than trying to stop the result of the problem (messages being sent to .uk domains) you should really stop the cause - why are those messages being dumped on your server. That is not normal behaviour and you should not have to accept it.

        The blog posting above should assist you in telling you why the message did not originate inside your network. Your server is being abused directly, you need to work out how and then secure it.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.



        • #5
          Re: Stop Exchange 2003 sending mail to .uk

          We found an infected laptop with a spambot. But since we never mail to the .uk TLD I would like to prevent it from happening again.



          • #6
            Re: Stop Exchange 2003 sending mail to .uk

            You could start by creating a rule that only allows your Exchange server outbound on port 25 on your firewall. At least that way you know to start with the Exchange server in the event of an authenticated relay or any spurious email activity. If your gateway has some UTM feature start using it now. UTMs go a long way to prevent malware/viruses etc., especially trojans with their own SMTP engines, from even entering your network. The next step would be to harden your Exchange server. Use the Exchange Best Practices Analyzer to check for any flaws in your Exchange environment.
            Last edited by scurlaruntings; 29th May 2009, 23:29.



            • #7
              Re: Stop Exchange 2003 sending mail to .uk

              First of all, if you're using RPC over HTTP, be sure to switch to RPC over HTTPS to gain the benefits of a secured connection.

              That being said, if you don't have any clients connecting through POP3/SMTP, disable relaying for computers which successfully authenticate in the SMTP Virtual server (Access>Relay).

              I presume that the laptop with the spambot was on your internal network, thus the spambot was able to use your Exchange server, more precisely the SMTP virtual server, to send SPAM.



              • #8
                Re: Stop Exchange 2003 sending mail to .uk

                Your logic for wanting to stop sending email to .uk is all wrong.

                If you kept hitting a tree with your car, would you cut the tree down? No, you would not. You would take other measures to ensure that you didn't hit the tree, like steering round it.

                The spammer who is abusing your server is simply targeting UK banks at the moment. Next week it could be Australian, or New Zealand, or Canadian. Are you going to block all of those domains?

                The third largest bank in the UK doesn't use a .uk domain anyway, so if it is a target against UK banks then blocking emails to .uk domain isn't going to help.

                You are attempting to deal with the result, not the cause. Blocking domains isn't going to help. You need to look at how your server is being abused, before you get blacklisted yourself - which will happen, it is just a matter of when.

                Simon.
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.
