New queues were added to the server

  • New queues were added to the server

    Hello,

    Something very strange is happening to one of my clients.

    The following queues were added to the list of queues.

    rfong.com
    xxxerotic.com
    shovre-bar.co.il

    Is this a mail relay issue?
    How do I fix it?
    How do I prevent it; securing my Exchange server?

  • #2
    Re: New queues were added to the server

    It would appear that someone or something is sending email to those domains using your Exchange server, which may or may not be legit.

    You should not allow relaying on your Exchange server.

    Jas
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.



    • #3
      Re: New queues were added to the server

      Check whether the server is an open relay.
      Don't use one of the web-based checking tools, because if you fail the test then you will be listed on lots of blacklists.
      A telnet test will allow you to test.

      http://exchange.sembee.info/network/openrelaytest.asp

      It may also be an authenticated user relaying. This is where an account has been compromised. The usual target is the administrator account. Change the administrator's account password.
      If you do not have any users sending email through your server using a POP3/SMTP client (Outlook Express for example), then you can disable authenticated relaying.

      Finally it could be an NDR attack. If you look at the messages in the queues, if they are all from [email protected] then it is an NDR attack.

      As you haven't included the version of Exchange/Windows, further advice is a little more difficult.

      Simon.
      Last edited by Sembee; 15th July 2011, 12:33. Reason: URL Correction
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.

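A scripted form of the telnet test described in post #3, added here as an example; it is not code from the thread or from the linked article. The two addresses are placeholders that must lie outside every domain your server accepts mail for, and the `smtp_cls` parameter is a hypothetical hook for substituting a stub during testing.

```python
"""Scripted version of the manual telnet open-relay test (added example)."""
import smtplib
import sys


def classify(rcpt_code):
    """Map the server's reply to RCPT TO for an external recipient to a verdict."""
    if 200 <= rcpt_code < 300:
        return "relay-accepted"   # recipient outside our domains was accepted
    if 400 <= rcpt_code < 500:
        return "deferred"         # temporary failure: inconclusive, retest later
    return "relay-denied"         # 5xx, e.g. 550 5.7.1


def relay_test(host, port=25,
               mail_from="relaytest@outside-a.example",   # placeholder (assumption)
               rcpt_to="relaytest@outside-b.example",     # placeholder (assumption)
               timeout=15, smtp_cls=smtplib.SMTP):
    """Unauthenticated HELO / MAIL FROM / RCPT TO, then RSET and QUIT.

    Neither address may belong to a domain the server accepts mail for.
    DATA is never sent, so no message is queued on the server under test.
    Returns (verdict, smtp_code, reply_text).
    """
    with smtp_cls(host, port, timeout=timeout) as smtp:
        smtp.helo("relaytest.example")
        code, reply = smtp.mail(mail_from)
        if code != 250:
            return ("sender-refused", code, reply.decode(errors="replace"))
        code, reply = smtp.rcpt(rcpt_to)
        smtp.rset()               # abandon the transaction
    return (classify(code), code, reply.decode(errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: relaytest.py <your-own-server> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    verdict, code, text = relay_test(sys.argv[1], port)
    print(f"{verdict}: {code} {text}")
```

Run it from a machine outside your own network, since relay permission is commonly granted by source IP. A `relay-denied` result only rules out anonymous relaying; it says nothing about the authenticated-relay or NDR cases also raised in post #3.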


      • #4
        Re: New queues were added to the server

        First of all, thanks for the help.

        My Exchange version is 2003 on 2003 server.
        How do I prevent an NDR attack?
        I'll be glad to get more security tips.

        Now I have another question.
        If I'm using POP3 and Exchange on the same profile:
        I understand POP3 is for pulling mail, let's say from your mailbox on the ISP server,
        and Exchange is for synchronizing and having a copy on the company server.
        But if I send mail, from which address do I do that? Is it according to the address priority? And if I'm sending mail in the inter-site, does it leave the company to the net and back?


        Thanks guys,
        you're the best



        • #5
          Re: New queues were added to the server

          You should ask the other question in a new thread.

          For NDR attacks, you need to configure recipient filtering AND the tarpit options. Doing recipient filtering without the tarpit actually exposes the server.

          Filter unknown recipients: http://exchange.sembee.info/2003/smt...er-unknown.asp
          Tarpit: http://support.microsoft.com/default.aspx?kbid=842851

          Simon.
          Last edited by Sembee; 15th July 2011, 12:33. Reason: URL Correction
