No announcement yet.

bogus email addresses being sent out and internally

  • Filter
  • Time
  • Show
Clear All
new posts

  • bogus email addresses being sent out and internally

    I read in an earlier post regarding open relay but not sure if it ended up answering the first person's request or the second in the thread. We have Ex2000. I have a lot of email being sent to old users no longer in the AD. I assumed we had a virus/trojan within the network which has gotten the old email addresses and it is sending out and receiving (not actually receiving them because the account doesn't exist anymore) in emails. Then the NDR's were generated for the bogus addresses. I have disabled the generate NDR for this reason. I had all users shut down their systems one evening in an attempt to locate the problem. Only the servers and one other user stayed on. The bogus emails were still sent. I looked at the users logged on and it showed a lot of SMTP - NT/Authority logons, system attendant logons. How can I get rid of this constant relaying. Set up in the SMTP virtual server for Access/Relay are set as: Only list below and Allow all.... has a check in the box. Can anyone please help
    Last edited by jg53; 16th September 2005, 14:55.

  • #2
    Re: bogus email addresses being sent out and internally

    Your current settings should stop relaying only if all your users have a password and if it's not easy to guess. Spammers can probe TCP port 25, brute force the passwords, and behold, you're an open relay again.

    You can easily prevent your Exchange from receiving bogus mail by using SMTP event sinks (which you need to write on your own) or install a 3rd party tool . Exchange 2003 has some built-in filtering capabilities, perhaps it's time to upgrade.

    Next, are you running the Symantec AV software for Exchange? If you are, get rid of it and install a decent AV.

    Finally, is the BAD MAIL folder filling up? If you stop the SMTP service on the server itself, does the SMTP traffic stop? If you answer yes, you might be facing infection on the server itself, and if you also answered yes to the Symantec AV, then you should install a decent AV and begin scanning your server.

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services