Re: Help! Being Used As A Relay
From: Deji Akomolafe (deji_at_REMOVEPADDINGakomolafedotcom)
Date: 09/05/04
- Next message: Jack Nielsen: "Got any ideas ?"
- Previous message: Mr. Edd: "Re: Newbie question about Ex 2003"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 5 Sep 2004 10:53:58 -0700
Open one of the messages up in Notepad and copy everything in there. Post it
here and we'll be able to help you dissect it.
Alternatively, you can send it to me at deji at readymaids dot com.
--
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - COMPLETE SPAM Protection
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
<anonymous@discussions.microsoft.com> wrote in message
news:64aa01c49314$ca933310$a301280a@phx.gbl...
Hi Deji,
I can't thank you enough for that great explanation.
There is, however, a couple of things that I am having a
hard time understanding. You mention that Open Relay
occurs when my Exchange server accepts emails where
NEITHER the SENDER nor the RECIPIENT is verified to belong
to my domain. When I check the "SMTP Protocol Log", that
is what I am seeing....an unknown sender AND an unknown
recipient NOT on my domain. Most messages get transferred
out of my server, while some get the "Relaying is
Prohibited" message. In fact, it is very rare that I see
a SPAM addressed to my domain. This is where I get
confused. Am I missing your point? Maybe I am....I have
been dealing with this for the last 48 hours and my mind
has turned to mush. Can you please help explain this, I
feel that with your help, I may be able to finally get
this thing resolved. Thanks once again for all of your
time and your great explanation.
Sincerely,
Gerry
>-----Original Message-----
>Most SMTP server implementations are RELAY servers. There is more to this,
>but I don't think this is useful for this discussion.
>
>I mentioned that just so that you can understand that there is a difference
>between being a relay and being an OPEN relay.
>
>Your Exchange server will accept mails FROM anyone FOR any user in the
>domain for which it is responsible. Before Exchange 2003, there's no
>built-in mechanism for Exchange to check and verify that the address exists
>in your domain. All that is needed for your Exchange to accept the mails is
>for the TO address to end in @yourdomain.whatever
>
>Also, your Exchange will accept mails FROM your users FOR anyone in the
>world by default. All that is needed is for the Exchange server to verify
>that the message is actually being sent by a legitimate (authenticated) user
>within your domain. IF this verification is done, Exchange will attempt to
>deliver the message.
>
>OPEN relay comes into play where NEITHER the SENDER nor the RECIPIENT is
>verified to belong to your domain. IF I (deji@nowhere) send an email THROUGH
>your Exchange server (e.g. by telnetting to port 25 on your server) to
>foo@foobar and foobar is not a local domain on your Exchange server, an OPEN
>RELAY situation will occur IF your Exchange server delivers that message to
>foo@foobar.
>
>There is a long-standing and unresolved argument as to where the Open Relay
>actually occurs. Some people argue that, just by accepting the mail in the
>first place, you are considered an open relay. Some RBL operators will block
>your server for this. Others argue that a relay race (as in Tracks and
>Fields) does not take place until one runner has handed off the baton to the
>next runner and that race is not complete until the last runner has crossed
>the finish line WITH THE baton in hand. So, even if your server accepts the
>mail, unless and until you send it onwards to the non-local final recipient,
>you can't be judged an Open Relay.
>
>Some MTAs were actually written to accept everything sent to them and then
>silently drop whatever is not local.
>
>Have I digressed?
>
>Anyways, in your situation, the fact that you got an affirmative "550
>Relaying Prohibited" is proof that you are not an Open Relay. The problem you
>are experiencing is that spammers sent emails to randomly generated SMTP
>addresses ending in @yourdomainname. The mails got to your Exchange server
>and your server saw the @yourdomainname part and happily accepted them - as
>it is designed to do. If you had been using Exchange 2003 AND had enabled
>Recipient Filtering, your Exchange would have accepted ONLY the SPAMs that
>were addressed to SMTP addresses that ACTUALLY exist in your organization. I
>digress again.
>
>Now that your Exchange had accepted all these mails, it has to do something
>with them. It tries to deliver them and finds out that those addresses do
>not exist. So, now it has to return an NDR to the original sender (or
>purported sender) of the undeliverable mails. Unfortunately for you (and
>your Exchange server), the SPAMMER had forged the sender address. To make
>matters worse, the spammer may have forged an address that does not exist at
>another domain as the sender. So, your Exchange sends an NDR to a
>non-existent address at wigglewaggle.whatever. The SMTP server at
>wigglewaggle.whatever then replies back to your Exchange server that that
>address does not exist, etc, etc.
>
>Now, the moral of the above story? Upgrade to Exchange 2003 or get a proven
>effective Anti-SPAM solution (hint.... hint ....). For a really good
>solution get both. If you can't do both, my Anti-SPAM solution is cheaper
>than the E2K3 license fee and way better than Exchange IMF.
>
>--
>Sincerely,
>
>Dèjì Akómöláfé, MCSE MCSA MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - COMPLETE SPAM Protection
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were worried about
>Yesterday? -anon
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:01e201c492e2$b73fc350$a401280a@phx.gbl...
>Hi Deji,
>
> Thank you for your reply. Excuse my ignorance, but
>why would my server accept the mail and try to deliver
>it? Is this not what relaying is? I would have thought
>that the SPAM would be dropped because it wants my server
>to relay the mail. I noticed that some of the mail does
>get delivered to its intended targets while others get
>NDRs. Can you please explain this to me a little better.
>Again, sorry for my ignorance and I appreciate all the
>help I've been receiving on this.
>
>Sincerely,
>Gerry
>
>>-----Original Message-----
>>You are confusing SPAM attack with open relay. Someone is blasting SPAM into
>>your server, your server accepts the mails but can't deliver it, then your
>>server tries to return them (NDR) but can't either because the source
>>addresses are spoofed.
>>
>>This is where you need an Anti-SPAM filter like mine.
>>
>>--
>>Sincerely,
>>
>>Dèjì Akómöláfé, MCSE MCSA MCP+I
>>Microsoft MVP - Directory Services
>>www.readymaids.com - COMPLETE SPAM Protection
>>www.akomolafe.com
>>Do you now realize that Today is the Tomorrow you were worried about
>>Yesterday? -anon
>>
>>
>><anonymous@discussions.microsoft.com> wrote in message
>>news:601601c4929f$c8d8e710$a601280a@phx.gbl...
>>>
>>> >-----Original Message-----
>>> >
>>> >"Gerry" <anonymous@discussions.microsoft.com> wrote in message
>>> >news:600b01c4929a$8260b010$a501280a@phx.gbl...
>>> >>I am running Exchange 5.5 and I've noticed that I have a
>>> >> ton of mail messages in my IMS Queue waiting to be
>>> >> delivered. They are all unknown senders and recipients.
>>> >> I've followed Microsoft's instructions to prohibit
>>> >> relaying, but I still get messages coming through. When I
>>> >> telnet my server and type in RCPT TO: xx@xx.xx I get "550
>>> >> Relaying Prohibited". When I check the "Diagnostic
>>> >> Logging" file created by the "SMTP Protocol Log", I can
>>> >> see the RCPT TO: xx@xx.xx and it is followed with "350 Go
>>> >> Ahead". I would have thought to see "Relaying
>>> >> Prohibited". Any help would greatly be appreciated.
>>> >
>>> >Why don't you delete them from the queue?
>>> >
>>> >
>>> >.
>>> I have deleted them from the queue. Once I re-enable the
>>> IMS Service, the messages start piling up again.
>>>
>>> Thanks,
>>> Gerry
>>
>>
>>.
>>
>
>
>.
>
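The distinction Deji draws in the quoted explanation (accepting mail FOR a local domain, relaying only FROM an authenticated user, and the NDR backscatter that follows from accepting a randomly generated local address) can be made concrete with a toy SMTP policy engine. The following is an added example for this thread, not code from the thread or from Exchange; the domain example.test, the mailbox list, the sender and recipient names and the scripted client sessions are all constructed for the demonstration, and `recipient_filtering` stands in for Exchange 2003's Recipient Filtering option.

```python
"""Toy SMTP policy engine for the relay / open relay / NDR backscatter distinction.

Added example, not code from this thread or from Exchange. The local domain,
mailbox list, sender/recipient names and session transcripts are constructed
for the demonstration (example.test, wigglewaggle.test, etc. are placeholders).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed: the domain this server is responsible for, and the mailboxes that really exist in it.
LOCAL_DOMAINS = {"example.test"}
LOCAL_MAILBOXES = {"gerry@example.test", "deji@example.test"}

ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


@dataclass
class Session:
    authenticated: bool = False         # client proved it is a legitimate local user (SMTP AUTH in practice)
    recipient_filtering: bool = False   # Exchange 2003 style: reject unknown local mailboxes at RCPT time
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    # Accepted mail the server will later have to bounce; each entry is (purported sender, bad recipient)
    ndr_queue: List[Tuple[Optional[str], str]] = field(default_factory=list)


def parse_address(arg: str):
    """Pull 'user@domain' out of 'FROM:<user@domain>' / 'TO: user@domain'; returns (addr, domain)."""
    m = ADDR_RE.search(arg)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).lower()


def rcpt_policy(session: Session, arg: str) -> str:
    """Reply to RCPT TO. This single decision is what separates a relay from an OPEN relay."""
    addr, domain = parse_address(arg)
    if addr is None:
        return "501 5.1.3 Bad recipient address syntax"
    if domain in LOCAL_DOMAINS:
        # Mail FOR a local domain is accepted from anyone. Without recipient filtering the server
        # cannot tell a real mailbox from a randomly generated one, so it says yes to both.
        if session.recipient_filtering and addr not in LOCAL_MAILBOXES:
            return "550 5.1.1 User unknown"
        session.rcpt_to.append(addr)
        return "250 2.1.5 Recipient OK"
    # Mail FOR a non-local domain is relayed only FROM an authenticated local user.
    if session.authenticated:
        session.rcpt_to.append(addr)
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Relaying prohibited"


def handle(session: Session, line: str) -> str:
    """Process one client command line and return the server's reply."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "MAIL":
        session.mail_from, _ = parse_address(arg)
        session.rcpt_to = []
        return "250 2.1.0 Sender OK"
    if verb == "RCPT":
        return rcpt_policy(session, arg)
    if verb == "DATA":
        if not session.rcpt_to:
            return "503 5.5.1 Need RCPT (recipient)"
        # Accepting DATA commits the server. Any accepted local recipient that does not exist
        # now has to be bounced to MAIL FROM, which the spammer forged: this is backscatter.
        for r in session.rcpt_to:
            if r.split("@", 1)[1] in LOCAL_DOMAINS and r not in LOCAL_MAILBOXES:
                session.ndr_queue.append((session.mail_from, r))
        return "250 2.0.0 Queued"
    return "500 5.5.1 Command unrecognized"


def run(transcript, authenticated=False, recipient_filtering=False):
    """Run a scripted client session; returns (list of server replies, NDRs the server now owes)."""
    s = Session(authenticated=authenticated, recipient_filtering=recipient_filtering)
    return [handle(s, line) for line in transcript], s.ndr_queue


# Constructed transcripts (client side only; the server's replies come from handle()).
SPAM_TO_RANDOM_LOCAL = [
    "MAIL FROM:<nobody@wigglewaggle.test>",  # forged sender at another domain
    "RCPT TO:<qzx7@example.test>",            # randomly generated local address
    "DATA",
]
RELAY_ATTEMPT = [
    "MAIL FROM:<deji@nowhere.test>",
    "RCPT TO:<foo@foobar.test>",              # neither sender nor recipient is local
    "DATA",
]


def is_open_relay(authenticated=False) -> bool:
    """The check from the thread: does a stranger get past RCPT TO for a foreign domain?"""
    replies, _ = run(RELAY_ATTEMPT, authenticated=authenticated)
    return replies[1].startswith("250")


if __name__ == "__main__":
    for label, script, kw in [
        ("spam to random local address, no recipient filtering", SPAM_TO_RANDOM_LOCAL, {}),
        ("same, with recipient filtering", SPAM_TO_RANDOM_LOCAL, {"recipient_filtering": True}),
        ("stranger relaying to a foreign domain", RELAY_ATTEMPT, {}),
        ("authenticated local user sending outwards", RELAY_ATTEMPT, {"authenticated": True}),
    ]:
        replies, ndrs = run(script, **kw)
        print(f"{label}:\n  replies={replies}\n  NDRs owed={ndrs}")
```

Running it shows the four cases side by side: the unfiltered server answers 250 to the random local address and then owes an NDR to the forged wigglewaggle.test sender, the filtered server refuses at RCPT with 550 5.1.1 and owes nothing, the stranger's relay attempt gets "550 Relaying prohibited" (so `is_open_relay()` is False, which is the evidence Deji points to), and the same relay attempt succeeds only once the session is authenticated. The reply codes and enhanced status codes are the conventional ones for a generic MTA, not Exchange's exact wording.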