Re: Help! Being Used As A Relay
anonymous_at_discussions.microsoft.com
Date: 09/05/04
- Next message: Gregg Hill: "Re: Remote access to another company's Outlook calendar?"
- Previous message: Deji Akomolafe: "Re: Help! Being Used As A Relay"
- In reply to: Deji Akomolafe: "Re: Help! Being Used As A Relay"
- Next in thread: Rich Matheisen [MVP]: "Re: Help! Being Used As A Relay"
- Reply: Rich Matheisen [MVP]: "Re: Help! Being Used As A Relay"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 5 Sep 2004 11:08:58 -0700
Hi Deji,
Here are two that I found interesting. The first one
looks like it was authenticated. I am wondering if my
relaying is occurring from another computer inside my
network and forwarding it to my exchange server. Thanks
for your help, Gerry
*****************************************************
250-AUTH LOGIN
250 AUTH=LOGIN
9/4/04 10:44:40 PM : <<< IO: |AUTH LOGIN
|
9/4/04 10:44:40 PM : <<< AUTH LOGIN
9/4/04 10:44:40 PM : >>> 334 VXNlcm5hbWU6
9/4/04 10:44:43 PM : <<< IO: |YWRtaW5pc3RyYXRvcg==
|
9/4/04 10:44:43 PM : <<< YWRtaW5pc3RyYXRvcg==
9/4/04 10:44:43 PM : >>> 334 UGFzc3dvcmQ6
9/4/04 10:44:50 PM : <<< IO: |YWRtaW5pc3RyYXRvcg==
|
9/4/04 10:44:50 PM : <<< ########
9/4/04 10:44:50 PM : >>> 235 LOGIN authentication
successful
9/4/04 10:44:52 PM : <<< IO: |MAIL FROM:
<exaggerationpoplin@ntlworld.com>
|
9/4/04 10:44:52 PM : <<< MAIL FROM:
<exaggerationpoplin@ntlworld.com>
9/4/04 10:44:52 PM : >>> 250 OK - mail from
<exaggerationpoplin@ntlworld.com>
9/4/04 10:44:55 PM : <<< IO: |RCPT TO:<haugh@maui.net>
|
9/4/04 10:44:55 PM : <<< RCPT TO:<haugh@maui.net>
9/4/04 10:44:55 PM : >>> 250 OK - Recipient
<haugh@maui.net>
9/4/04 10:44:59 PM : <<< IO: |DATA
|
9/4/04 10:44:59 PM : <<< DATA
9/4/04 10:44:59 PM : >>> 354 Send data. End with CRLF.CRLF
9/4/04 10:45:04 PM : <<< IO: |From: "Joyce
Ho"<exaggerationpoplin@ntlworld.com>
|
9/4/04 10:45:05 PM : <<< IO: |To: haugh@maui.net
Subject: D0N'T WA|T T0 F|ND OUT...
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html><body ><b>
haugh: <br> C|AI1lS & lEV|TRA starts wor<sub></sub>king up
to tw<sup></sup>ice as fast as V|I1A_GRA & 1ast up to 24-
36 hou<em></em>rs </b><br><br>
1. save mon<font></font>ey - upto 70% <br> 2. save time -
over<big></big>night shipping <br> 3. no doctors ap<a
href=http://haugh.net>poi</a>ntment- needed <br> 4. no
presc<b></b>ription - req<i></i>uired <br> 5. doctor &
F.D<b></b>.A a<a href=http://haugh.org>ppr</a>oved !
<p><b>
<a href=http://craw.mates.enabvzw.com/as>VlS|T OUR
S|TE AND 0RD<u></u>ER HE<a></a>RE</a></b>
</P>
</BODY></HTML>
.
|
9/4/04 10:45:05 PM : >>> 250 OK
9/4/04 10:45:07 PM : <<< IO: |MAIL FROM:
<accompanistscuffles@adelphia.net>
|
9/4/04 10:45:07 PM : <<< MAIL FROM:
<accompanistscuffles@adelphia.net>
9/4/04 10:45:07 PM : >>> 250 OK - mail from
<accompanistscuffles@adelphia.net>
9/4/04 10:45:11 PM : <<< IO: |RCPT
TO:<haugsteel@dtgnet.com>
|
9/4/04 10:45:11 PM : <<< RCPT TO:<haugsteel@dtgnet.com>
9/4/04 10:45:11 PM : >>> 250 OK - Recipient
<haugsteel@dtgnet.com>
9/4/04 10:45:13 PM : <<< IO: |DATA
|
9/4/04 10:45:13 PM : <<< DATA
9/4/04 10:45:13 PM : >>> 354 Send data. End with CRLF.CRLF
9/4/04 10:45:15 PM : <<< IO: |From: "Enedina
Sullivan"<accompanistscuffles@adelphia.net>
|
9/4/04 10:45:16 PM : <<< IO: |To: haugsteel@dtgnet.com
Subject: ADD 2+ |NCHES TO Y0UR PEN1lS!
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html><body ><b>
CIA1l|S & |EV|ITRA starts wor<font></font>king up to
tw<big></big>ice as fast as V1l|AGR_A & Iast up to 24-36
h<b></b>ours </b><br><br>
C|AI1lS works in as |itt1e as 30 mi<a
href=http://haugsteel.org>nute</a>s and lasts for up to 36
ho<i></i>urs. <br> 1EV|TRA works in as Iitt|e as 25
min<u></u>utes and |asts fro up to 24 h<a
href=http://haugsteel.net>our</a>s .
<p><b>
<a
href=http://scramming.expressions.aszxeesa.com/as>PlE<a></a
>ASE CI|CK H<tr></tr>ERE</a></b>
</P>
</BODY></HTML>
.
|
9/4/04 10:45:16 PM : >>> 250 OK
9/4/04 10:45:19 PM : <<< IO: |MAIL FROM:
<boldpowered@excite.com>
|
9/4/04 10:45:19 PM : <<< MAIL FROM:
<boldpowered@excite.com>
9/4/04 10:45:19 PM : >>> 250 OK - mail from
<boldpowered@excite.com>
9/4/04 10:45:23 PM : <<< IO: |RCPT TO:<hauke@gici.net>
|
9/4/04 10:45:23 PM : <<< RCPT TO:<hauke@gici.net>
9/4/04 10:45:24 PM : >>> 250 OK - Recipient
<hauke@gici.net>
9/4/04 10:45:28 PM : <<< IO: |DATA
|
9/4/04 10:45:29 PM : <<< DATA
9/4/04 10:45:29 PM : >>> 354 Send data. End with CRLF.CRLF
9/4/04 10:45:31 PM : <<< IO: |From: "Enriqueta
Brown"<boldpowered@excite.com>
|
9/4/04 10:45:33 PM : <<< IO: |To: hauke@gici.net
Subject: MEN'S HEA||TH UPDATE
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html><body ><b>
save money and enjoy 1onger with your every C|AI1lS &
lEVV||TRA p<big></big>urchase. </b><br><br>
If you are ser<b></b>ious about enI<a
href=http://hauke.com>argin</a>g, streng<i></i>thening and
deve|oping your p^e^n^i<u></u>^s n<a
href=http://hauke.net>atura|</a>1y, then you have finalIy
found what you are |ooking for.
<p><b>
<a href=http://bogus.cripples.zmnnbag.com/as>C|1CK
HE<a></a>RE KN0W M0RE</a></b>
</P>
</BODY></HTML>
**********************************************************
Thanks again,
Gerry
BTW, I have to step out for a prior scheduled engagement.
I will be unavailable for the next few hours. Sorry about
that but I wasn't expecting my whole weekend to be shot
and I can't get out of this engagement.
>-----Original Message-----
>Open one of the messages up in Notepad and copy
>everything in there. Post it here and we'll be able to
>help you dissect it.
>
>Alternatively, you can send it to me at deji at
>readymaids dot com.
>
>--
>Sincerely,
>
>Dèjì Akómöláfé, MCSE MCSA MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - COMPLETE SPAM Protection
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were
worried about
>Yesterday? -anon
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:64aa01c49314$ca933310$a301280a@phx.gbl...
>Hi Deji,
>
> I can't thank you enough for that great explanation.
>There is, however, a couple of things that I am having a
>hard time understanding. You mention that Open Relay
>occurs when my Exchange server accepts emails where
>NEITHER the SENDER nor the RECIPIENT is verified to belong
>to my domain. When I check the "SMTP Protocol Log", that
>is what I am seeing....an unknown sender AND an unknown
>recipient NOT on my domain. Most messages get transferred
>out of my server, while some get the "Relaying is
>Prohibited" message. In fact, it is very rare that I see
>a SPAM addressed to my domain. This is where I get
>confused. Am I missing your point? Maybe I am....I have
>been dealing with this for the last 48 hours and my mind
>has turned to mush. Can you please help explain this, I
>feel that with your help, I may be able to finally get
>this thing resolved. Thanks once again for all of your
>time and your great explanation.
>
>Sincerely,
>Gerry
>>-----Original Message-----
>>Most SMTP server implementations are RELAY servers. There
>is more to this,
>>but I don't think this is useful for this discussion.
>>
>>I mentioned that just so that you can understand that
>there is a difference
>>between being a relay and being an OPEN relay.
>>
>>Your Exchange server will accept mails FROM anyone FOR
>any user in the
>>domain for which it is responsible. Before Exchange 2003,
>there's no
>>built-in mechanism for Exchange to check and verify that
>the address exists
>>in your domain. All that is needed for your Exchange to
>accept the mails is
>>for the TO address to end in @yourdomain.whatever
>>
>>Also, your Exchange will accept mails FROM your users FOR
>anyone in the
>>world by default. All that is needed is for the Exchange
>server to verify
>>that the message is actually being sent by a legitimate
>(authenticated) user
>>within your domain. IF this verification is done,
>exchange will attempt to
>>deliver the message.
>>
>>OPEN relay comes into play where NEITHER the SENDER nor
>the RECIPIENT is
>>verified to belong to your domain. IF I (deji@nowhere)
>send an email THROUGH
>>your exchange server (e.g. by telneting to port 25 on
>your server) to
>>foo@foobar and foobar is not a local domain on your
>exchange server, an OPEN
>>RELAY situation will occur IF your Exchange server
>delivers that message to
>>foo@foobar.
>>
>>There is a long-standing and unresolved argument as to
>where the Open Relay
>>actually occurs. Some people argue that, just by
>accepting the mail in the
>>first place, you are considered an open relay. Some RBL
>operators will block your
>>server for this. Others argue that a relay race (as in
>Track and Field)
>>does not take place until one runner has handed off the
>baton to the next
>>runner and that race is not complete until the last
>runner has crossed the
>>finish line WITH THE baton in hand. So, even if your
>server accepts the
>>mail, unless and until you send it onwards to the non-
>local final recipient,
>>you can't be judged an Open Relay.
>>
>>Some MTAs were actually written to accept everything sent
>to them and then
>>silently drop whatever is not local.
>>
>>Have I digressed?
>>
>>Anyways, in your situation, the fact that you got an
>affirmative "550
>>Relaying Prohibited" is proof that you are not Open
>Relay. The problem you
>>are experiencing is that spammers sent emails to randomly
>generated SMTP
>>addresses ending in @yourdomainname. The mails got to
>your Exchange server
>>and your server saw the @yourdomainname part and happily
>accepted them - as
>>it is designed to do. If you had been using Exchange 2003
>AND had enabled
>>Recipient Filtering, your Exchange would have accepted
>ONLY the SPAMs that
>>were addressed to SMTP addresses that ACTUALLY exist in
>your organization. I
>>digress again.
>>
>>Now that your exchange had accepted all these mails, it
>has to do something
>>with them. It tries to deliver them and finds out that
>those addresses do
>>not exist. So, now it has to return an NDR to the
>original sender (or
>>purported sender) of the undeliverable mails.
>Unfortunately for you (and
>>your Exchange server), the SPAMMER had forged the sender
>address. To make
>>matters worse, the spammer may have forged an address
>that does not exist at
>>another domain as the sender. So, your Exchange sends an
>NDR to a
>>non-existent address at wigglewaggle.whatever. The SMTP
>server at
>>wigglewaggle.whatever then replies back to your Exchange
>server that that
>>address does not exist, etc, etc.
>>
>>Now, the moral of the above story? Upgrade to Exchange
>2003 or get a proven
>>effective Anti-SPAM solution (hint.... hint ....). For a
>really good
>>solution get both. If you can't do both my Anti-SPAM
>solution is cheaper
>>than E2K3 license fee and way better than Exchange IMF.
>>
>>--
>>Sincerely,
>>
>>Dèjì Akómöláfé, MCSE MCSA MCP+I
>>Microsoft MVP - Directory Services
>>www.readymaids.com - COMPLETE SPAM Protection
>>www.akomolafe.com
>>Do you now realize that Today is the Tomorrow you were
>worried about
>>Yesterday? -anon
>>
>>
>><anonymous@discussions.microsoft.com> wrote in message
>>news:01e201c492e2$b73fc350$a401280a@phx.gbl...
>>Hi Deji,
>>
>> Thank you for your reply. Excuse my ignorance, but
>>why would my server accept the mail and try to deliver
>>it? Is this not what relaying is? I would have thought
>>that the SPAM would be dropped because it wants my server
>>to relay the mail. I noticed that some of the mail does
>>get delivered to its intended targets while others get
>>NDRs. Can you please explain this to me a little better.
>>Again, sorry for my ignorance and I appreciate all the
>>help I've been receiving on this.
>>
>>Sincerely,
>>Gerry
>>
>>>-----Original Message-----
>>>You are confusing SPAM attack with open relay. Someone is
>>blasting SPAM into
>>>your server, your server accepts the mails but can't
>>deliver it, then your
>>>server tries to return them (NDR) but can't either
>>because the source
>>>addresses are spoofed.
>>>
>>>This is where you need an Anti-SPAM filter like mine.
>>>
>>>--
>>>Sincerely,
>>>
>>>Dèjì Akómöláfé, MCSE MCSA MCP+I
>>>Microsoft MVP - Directory Services
>>>www.readymaids.com - COMPLETE SPAM Protection
>>>www.akomolafe.com
>>>Do you now realize that Today is the Tomorrow you were
>>worried about
>>>Yesterday? -anon
>>>
>>>
>>><anonymous@discussions.microsoft.com> wrote in message
>>>news:601601c4929f$c8d8e710$a601280a@phx.gbl...
>>>>
>>>> >-----Original Message-----
>>>> >
>>>> >"Gerry" <anonymous@discussions.microsoft.com> wrote in
>>>> message
>>>> >news:600b01c4929a$8260b010$a501280a@phx.gbl...
>>>> >>I am running Exchange 5.5 and I've noticed that I
>>have a
>>>> >> ton of mail messages in my IMS Queue waiting to be
>>>> >> delivered. They are all unknown senders and
>>recipients.
>>>> >> I've followed Microsoft's instructions to prohibit
>>>> >> relaying, but I still get messages coming through.
>>>> When I
>>>> >> telnet my server and type in RCPT TO: xx@xx.xx I
>>>> get "550
>>>> >> Relaying Prohibited". When I check the "Diagnostic
>>>> >> Logging" file created by the "SMTP Protocol Log", I
>>can
>>>> >> see the RCPT TO: xx@xx.xx and it is followed
>>with "350
>>>> Go
>>>> >> Ahead". I would have thought to see "Relaying
>>>> >> Prohibited". Any help would greatly be
>>>> >> appreciated.
>>>> >
>>>> >Why don't you delete them from the queue?
>>>> >
>>>> >
>>>> >.
>>>> >I have deleted them from the queue. Once I re-enable
>>the
>>>> IMS Service, the messages start piling up again.
>>>>
>>>> Thanks,
>>>> Gerry
>>>
>>>
>>>.
>>>
>>
>>
>>.
>>
>
>
>.
>
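The question the thread turns on (open relay, or mail relayed through an authenticated account?) can be settled from the protocol log itself. This is an added example, not code from the post or from any product it mentions: it parses a log excerpt constructed in the same format as the quoted "SMTP Protocol Log" (base64 tokens as in that log, real addresses replaced with example domains, the local domain assumed to be mydomain.example, AUTH LOGIN only), decodes the AUTH LOGIN challenge and responses, counts a relay only when a non-local recipient is accepted for a non-local sender, and reports whether that happened after a 235 success and whether the password response decodes to the same string as the username, which is what the two IO: lines in the quoted log show.

```python
import base64
import re
# Constructed excerpt in the format of the quoted "SMTP Protocol Log" (example domains).
SAMPLE_LOG = """\
9/4/04 10:44:40 PM : >>> 334 VXNlcm5hbWU6
9/4/04 10:44:43 PM : <<< IO: |YWRtaW5pc3RyYXRvcg==
9/4/04 10:44:43 PM : >>> 334 UGFzc3dvcmQ6
9/4/04 10:44:50 PM : <<< IO: |YWRtaW5pc3RyYXRvcg==
9/4/04 10:44:50 PM : <<< ########
9/4/04 10:44:50 PM : >>> 235 LOGIN authentication successful
9/4/04 10:44:52 PM : <<< MAIL FROM:<someone@example.net>
9/4/04 10:44:55 PM : <<< RCPT TO:<target@example.org>
9/4/04 10:44:55 PM : >>> 250 OK - Recipient <target@example.org>
"""
CLIENT = re.compile(r"<<< (?:IO: \|)?(.*)$")  # the IO: copy carries the unmasked bytes
SERVER = re.compile(r">>> (\d{3}) ?(.*)$")
def b64(token):
    try:
        return base64.b64decode(token, validate=True).decode("ascii", "replace")
    except ValueError:  # not base64 (e.g. a masked or cancelled response)
        return None
def analyze(log, local_domains):
    # Classify one logged session as open relay, authenticated relay or no relay.
    local = {d.lower() for d in local_domains}
    creds, expect, auth_ok, mail_from, pending, relayed = {}, None, False, "", None, []
    for line in log.splitlines():
        srv, cli = SERVER.search(line), CLIENT.search(line)
        if srv:
            code, text = srv.groups()
            if code == "334":  # AUTH LOGIN challenge: base64 "Username:" / "Password:"
                expect = (b64(text) or "").rstrip(":").lower() or None
            elif code == "235":
                auth_ok = True
            elif code == "250" and pending:  # external-to-external recipient accepted
                relayed.append(pending)
            pending = None
        elif cli:
            cmd = cli.group(1).strip()
            if expect:  # first client line after a challenge is the response
                creds[expect], expect = b64(cmd), None
            elif cmd.upper().startswith(("MAIL FROM:", "RCPT TO:")):
                addr = cmd.split(":", 1)[1].strip("<> ").lower()
                if cmd.upper().startswith("MAIL"):
                    mail_from = addr
                elif {mail_from.rpartition("@")[2], addr.rpartition("@")[2]}.isdisjoint(local):
                    pending = (mail_from, addr)  # neither side is local: candidate relay
    user, pw = creds.get("username"), creds.get("password")
    verdict = "authenticated relay" if auth_ok and relayed else "open relay" if relayed else "no relay"
    return {"auth_user": user, "password_equals_username": bool(user) and user == pw,
            "relayed": relayed, "verdict": verdict}
```

An "authenticated relay" verdict points at the account named in auth_user (reset it and look for the client inside the network), while "open relay" is the case the "550 Relaying Prohibited" test in the thread rules out.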