
SBS 2008 being used for open relay


  • SBS 2008 being used for open relay

    Hi Everyone.

    Bit confused here...A customer's server we have just inherited the support of is being used as an open relay it seems.

    The obvious signs were them being blacklisted. I checked Wireshark and sure enough there was a ton of SMTP traffic flying about (and they are a 5 user network), but it was actually coming from the server (I originally thought there was a mailer on one of the client PCs). Checked the queue and there were 14,000 emails queued to random domains.

    I then checked the receive connectors, all looked Ok apart from the 'Default SBSSERVERNAME' which had anonymous ticked. Thought this would be the obvious problem so I unticked that, recreated the queue so it was empty again, restarted the transport service and thought that would do the trick.

    I kept an eye on Wireshark and there was still loads of SMTP traffic, but I presumed this was just attempts to access the server to relay out spam. However, there were some interesting lines that looked like:

    Info RCPT TO:<[email protected]>

    Info 250 2.1.5 Recipient OK

    This looked strange... surely it shouldn't be verifying the identity of the recipient for a domain??!?!

    Checked the queue in Exchange and a couple of Domains started appearing (one being the message count increasing quickly

    I checked the Hub Transport config against a few other SBS servers we look after and they now look the same (with anonymous unchecked on the Default connector).

    If anyone could spare a couple of minutes to try troubleshooting further, I would really appreciate it. Thought I had it cracked, but obviously not.

    Thanks in advance.

  • #2
    Re: SBS 2008 being used for open relay

    Any ideas anyone?

    I've run AV, as the receive connectors look fine, but nothing's been picked up.

    Perhaps this post is better suited in the Exchange forum as it's not necessarily SBS specific?


    • #3
      Re: SBS 2008 being used for open relay

      maybe you've got a botnet or other nasty on your server?
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: SBS 2008 being used for open relay

        Hi tehcamel,

        Yeah I thought it could be but looks clean as a whistle...

        Anyway, an update... I deleted and recreated the 'Windows SBS Internet Receive' connector that gets created automatically when you install SBS, and so far so good, no more spam going through the server - touch wood.

        Perhaps the incorrect config before was locked in (despite a restart of the services and the whole server). That's the only lame explanation I have...

        Cheers anyway!


        • #5
          Re: SBS 2008 being used for open relay

          Running the Fix My Network wizard, or the Connect to the Internet wizard, should have corrected things. The default connector needs to have anonymous enabled so that the server can receive email by SMTP. Therefore, if it is deselected then you don't receive email.

          It is quite hard to turn Exchange 2007 into an open relay. The usual way is to enable externally secured on the authentication settings.

          The most common compromise is to change the authentication settings on the default receive connector so that Exchange Users are included. You then get authenticated relaying spam. That is more likely than an open relay. A user's account, or more likely the administrator account has been compromised. If the server hasn't been configured correctly then the administrator account was probably enabled and that opened the server up.

          Simon Butler
          Exchange MVP


          Sembee is a registered trademark, used here with permission.
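          The three conditions Simon describes (externally secured authentication, Exchange Users granted alongside Anonymous on the Internet-facing connector, and anonymous senders holding the accept-any-recipient right) can be checked in one pass. The script below is an added, read-only Exchange Management Shell audit written for this thread; it is not from the poster, Sembee, or Microsoft, and `SBSSERVERNAME` is the placeholder name from the first post.

```powershell
# Added example: audit every receive connector on the Hub Transport server for the
# relay-enabling settings discussed in this thread. Read-only: nothing is changed.
# Run inside the Exchange Management Shell on the SBS 2008 / Exchange 2007 server.
$ServerName = "SBSSERVERNAME"   # placeholder taken from the original post

Get-ReceiveConnector -Server $ServerName | ForEach-Object {
    $rc = $_
    $findings = @()

    # "Externally secured" makes Exchange treat every connection from RemoteIPRanges
    # as authenticated, so those hosts may relay anywhere: the classic open-relay setup.
    if ("$($rc.AuthMechanism)" -match 'ExternalAuthoritative') {
        $findings += 'AuthMechanism includes ExternalAuthoritative (trusted relay for all RemoteIPRanges)'
    }

    # Anonymous plus Exchange Users on the same Internet-facing connector lets a stolen
    # mailbox or administrator password authenticate over SMTP and relay spam.
    $groups = "$($rc.PermissionGroups)"
    if (($groups -match 'AnonymousUsers') -and ($groups -match 'ExchangeUsers')) {
        $findings += 'PermissionGroups grants AnonymousUsers and ExchangeUsers together (authenticated relay exposure)'
    }

    # The AD-level definition of an anonymous open relay: ANONYMOUS LOGON holding the
    # ms-Exch-SMTP-Accept-Any-Recipient extended right on this connector.
    $anonRelay = Get-ADPermission -Identity $rc.Identity |
        Where-Object { ($_.User -like '*ANONYMOUS LOGON*') -and
                       ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*') -and
                       (-not $_.Deny) }
    if ($anonRelay) {
        $findings += 'NT AUTHORITY\ANONYMOUS LOGON has ms-Exch-SMTP-Accept-Any-Recipient (open relay)'
    }

    # Any of the above matters most when the connector accepts the whole Internet.
    $openToWorld = $rc.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' }

    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name Connector -Value $rc.Identity
    $result | Add-Member -MemberType NoteProperty -Name Bindings -Value "$($rc.Bindings)"
    $result | Add-Member -MemberType NoteProperty -Name InternetFacing -Value ([bool]$openToWorld)
    $result | Add-Member -MemberType NoteProperty -Name Findings -Value $(
        if ($findings.Count -gt 0) { [string]::Join('; ', $findings) } else { 'OK' })
    $result
} | Format-Table Connector, InternetFacing, Findings -AutoSize
```

          A connector reporting `InternetFacing: True` with anything other than `OK` is the one to compare against a freshly built SBS server or to recreate with the wizard, as suggested above.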


          • #6
            Re: SBS 2008 being used for open relay

            Sembee - Hi How are you doing?

            Good point about the Fix My Network wizard, completely forgot about that - so I just compared the connectors to other SBS customers' servers. May still run that anyway to verify everything else is OK.

            Anonymous is selected and mailflow is working both inbound and outbound. Currently using a smarthost until they are off the various blacklists.

            It was definitely an open relay. I used the method from your amset website to check this, but it was only when I deleted the connector and recreated it that it seemed to be fixed...