My Exchange Server is an open relay

  • My Exchange Server is an open relay


    I am no Exchange expert. Our server has been running for a long time now, but I recently found out that it distributes SPAM mails.

    After checking with the mailradar open relay check, I saw that our server fails tests 7, 8 and 14.

    I found a similar problem in this forum, and it recommended checking:
    www amset info / exchange / smtp-openrelay.asp

    Unfortunately, my server settings are "correct":
    Server / Protokoll / SMTP / Virtueller Standardserver für SMTP
    Under "RELAY", I have set "only computer in the list below" + list is empty.

    (2) Connectors, SMTP Connector
    Address Space is "*" and relay is not ticked (allow relay of messages to this domain; this is translated)

    I am using a GERMAN Small Business Server 2003; Exchange Server 6.5 Build 7638.2: SP2.


    We are using a smarthost for sending email, and I have access to the logfiles of the smarthost. They show the sending process of the spam mails, so it is not a display problem of the mailradar relay check; the SPAM mail really gets sent.

    The incoming mail comes from the internet, I verified this with wireshark.


  • #2
    Re: My Exchange Server is an open relay

    I am still struggling with my SPAM sending server.
    After doing some more research, I found hints on the internet that our SMTP server is being misused with hacked account passwords.

    I did the wireshark trace again and did not find an "AUTH" statement for the incoming (to be relayed) Email.

    I get an
    then hello...

    then: MAIL FROM: <[email protected]>
    then: 250 2.1.0 sender ok

    this is ok, because any user can send me emails.

    then: RCPT TO: <[email protected]>
    then: 250 2.1.5 [email protected]

    The user bla2 does not exist on my server. At this point, in my opinion, the relay should be stopped.

    but then the client sends data until the server finally sends the confirmation with:

    250 2.6.0 ...... queued mail for delivery.

    When the SPAM mail is sent through the smarthost, I can see the AUTH statement in the outgoing traffic.

    Can anybody give me some help with finding out what's going on?

    The standard Exchange 2003 settings do not seem to protect me from being an open relay.

    One more piece of information:

    All the emails in the queue of the smarthost come from "[email protected]". I do not see any user related to the postmaster email address.


    Last edited by spo; 18th February 2013, 16:30.


    • #3
      Re: My Exchange Server is an open relay

      Ok, I think I finally found the reason.

      It was an NDR attack.

      I used the settings of:

      MS Knowledge Base 886208...

      and my server stopped being a relay.
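
Added example, not part of the original posts: the trace in #2 (no AUTH, a 250 for a recipient that does not exist locally, then the message queued) is the pattern behind the NDR attack named in #3, and it differs from a true open relay, where a recipient in a foreign domain is accepted. The Python below separates the two cases in an SMTP session log; the log format, all addresses, and `classify_sessions` with its parameters are assumptions constructed for illustration.

```python
import re

# Constructed sample ("<session> <C|S>: <text>"); addresses are placeholders.
SAMPLE_LOG = """\
s1 C: RCPT TO:<nosuchuser@corp.example>
s1 S: 250 2.1.5 nosuchuser@corp.example
s1 S: 250 2.6.0 queued mail for delivery
s2 C: RCPT TO:<bob@corp.example>
s2 S: 250 2.1.5 bob@corp.example
s2 S: 250 2.6.0 queued mail for delivery
s3 C: RCPT TO:<ghost@corp.example>
s3 S: 550 5.1.1 User unknown
s4 C: RCPT TO:<target@elsewhere.example>
s4 S: 250 2.1.5 target@elsewhere.example
s4 S: 250 2.6.0 queued mail for delivery
"""
LINE = re.compile(r"^(\S+) ([CS]): (.*)$")

def classify_sessions(log, local_domain, valid_recipients):
    """Map session id -> verdict for mail queued without a client AUTH command."""
    sessions = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, side, text = m.groups()
        s = sessions.setdefault(sid, dict(auth=False, pending=None, accepted=[], queued=False))
        if side == "C" and text.upper().startswith("AUTH"):
            s["auth"] = True                # AUTH attempted (success not checked)
        elif side == "C" and text.upper().startswith("RCPT TO"):
            addr = re.search(r"<([^>]*)>", text)
            s["pending"] = addr.group(1).lower() if addr else ""
        elif side == "S" and s["pending"] is not None:
            if text.startswith("250"):      # server accepted this recipient
                s["accepted"].append(s["pending"])
            s["pending"] = None
        elif side == "S" and text.startswith("250 2.6.0"):
            s["queued"] = True
    verdicts = {}
    for sid, s in sessions.items():
        if s["auth"] or not s["queued"]:
            continue
        for rcpt in s["accepted"]:
            if rcpt.rpartition("@")[2] != local_domain:
                verdicts[sid] = "open-relay"        # foreign recipient accepted
                break
            if rcpt not in valid_recipients:
                verdicts[sid] = "ndr-backscatter"   # unknown local recipient accepted
    return verdicts
```

A server that answers 550 at RCPT TO for unknown local recipients, as in session `s3`, never queues the message and so has no bounce to send to the forged sender.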