Re: Help! Being Used As A Relay
From: Deji Akomolafe (deji_at_REMOVEPADDINGakomolafedotcom)
Date: 09/06/04
- Next message: 1BigMess: "Re: Tools --> Monitoring and Status --> Status"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 5 Sep 2004 17:27:15 -0700
Sorry. Had to take a break :)
Quite an interesting thing you have in that list. To answer the original
question, you are NOT open relay. However, I think you have a problem worse
that Open Relay. It appears that you are the target of direct spam-relay
exploit. This is where a spammer gets hold of an account on your SMTP server
and uses that account to supply authentication credentials to your SMTP
server and therefore use it to relay his/her spam. For all intent and
purposes, YOU are the one sending the SPAM now and you could be subject to
blocking/RBL.
You need to have your users change their passwords nad youn need to change
the passwords on all the service/admin accounts you have in your domain. I
don't mean to scare you, but it appears to me that you have more issues now
than relay.
I have been known to be wrong before, so someone else may come around
shortly and shoot this theory down with more reasonable explanations.
--
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - COMPLETE SPAM Protection
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
<anonymous@discussions.microsoft.com> wrote in message
news:67d901c4939e$25151130$a301280a@phx.gbl...
Hi Deji,
I've posted the info you've requested in an earlier
post. Just thought you should know.
Thanks
Gerry
>-----Original Message-----
>I should clarify something here:
>"You mention that Open Relay occurs when my Exchange
server accepts emails
>where NEITHER the SENDER nor the RECIPIENT is verified to
belong to my
>domain."
>
>That is not completely correct. Even though your server
should NOT accept
>mails where neither the SENDER nor the RECIPIENT "domain"
is LOCAL to your
>exchange org, merely doing so does not constitute an Open
Relay. IF your
>server then proceeds to send that mail to the non-local
address, then it is
>decidedly an open relay.
>
>We will be able to tell you definitely when we see what
you are looking at.
>
>--
>Sincerely,
>
>Dèjì Akómöláfé, MCSE MCSA MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - COMPLETE SPAM Protection
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were
worried about
>Yesterday? -anon
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:64aa01c49314$ca933310$a301280a@phx.gbl...
>Hi Deji,
>
> I can't thank you enough for that great explanation.
>There is, however, a couple of things that I am having a
>hard time understanding. You mention that Open Relay
>occurs when my Exchange server accepts emails where
>NEITHER the SENDER nor the RECIPIENT is verified to belong
>to my domain. When I check the "SMTP Protocol Log", that
>is what I am seeing....an unknown sender AND an unknown
>recipient NOT on my domain. Most messages get transfered
>out of my server, while some get the "Relaying is
>Prohibited" message. In fact, it is very rare that I see
>a SPAM addressed to my domain. This is where I get
>confused. Am I missing your point? Maybe I am....I have
>been dealing with this for the last 48 hours and my mind
>has turned to mush. Can you please help explain this, I
>feel that with your help, I may be able to finally get
>this thing resolved. Thanks once again for all of your
>time and your great explanation.
>
>Sincerely,
>Gerry
>>-----Original Message-----
>>Most SMTP server implementations are RELAY servers. There
>is more to this,
>>but I don't think this is useful for this discussion.
>>
>>I mentioned that just so that you can understand that
>there is a difference
>>between being a relay and being an OPEN relay.
>>
>>Your Exchange server will accept mails FROM anyone FOR
>any user in the
>>domain for which it is responsible. Before Exchange 2003,
>there's no
>>built-in mechanism for Exchange to check and verify that
>the address exists
>>in your domain. All that is needed for your Exchange to
>accept the mails is
>>for the TO address to end in @yourdomain.whatever
>>
>>Also, your Exchange will accept mails FROM your users FOR
>anyone in the
>>world by default. All that is needed is for the Exchange
>server to verify
>>that the message is actually being sent by a legitimate
>(authenticated) user
>>within your domain. IF this verification is done,
>exchange will attempt to
>>deliver the message.
>>
>>OPEN relay comes into play where NEITHER the SENDER nor
>the RECIPIENT is
>>verified to belong to your domain. IF I (deji@nowhere)
>send an email THROUGH
>>your exchange server (e.g. by telneting to port 25 on
>your server) to
>>foo@foobar and foobar is not a local domain on your
>exchange server, an OPEN
>>RELAY situation will occur IF your Exchange server
>delivers that message to
>>foo@foobar.
>>
>>There is a long-standing and unresolved argument as to
>where the Open Relay
>>actually occurs. Some people argue that, just by
>accepting the mail in the
>>first place, you are consider open relay. Some RBL
>operators will block your
>>server for this. Others argue that a relay race (as in
>Tracks and Fields)
>>does not take place until one runner has handed of the
>baton to the next
>>runner nad that race is not complete until the last
>runner has crossed the
>>finish line WITH THE baton in hand. So, even if your
>server accepts the
>>mail, unless and until you sent it onwards to the non-
>local final recipient,
>>you can't be judged an Open Relay.
>>
>>Some MTAs were actually written to accept everything sent
>to them and then
>>silently drop whatever is not local.
>>
>>Have I digressed?
>>
>>Anyways, in your situation, the fact that you got an
>affirmative "550
>>Relaying Prohibited" is proof that you are not Open
>Relay. The problem you
>>are experiencing is that spammers sent emails to randomly
>generated SMTP
>>addresses ending in @yourdomainname. The mails got to
>your Exchange server
>>and your server saw the @yourdomainame part and happily
>accepted them - as
>>it is designed to do. If you had been using Exchange 2003
>AND had enabled
>>Recipient Filtering, your Exchange would have accepted
>ONLY the SPAMs that
>>were addressed to SMTP addresses that ACTUALLY exist in
>your organization. I
>>digress again.
>>
>>Now that your exchange had accepted all these mails, it
>has to do something
>>with them. It tries to deliver them and found out that
>those addresses do
>>not exist. So, now it has to return an NDR to the
>original sender (or
>>purported sender) of the undeliverable mails.
>Unfortunately for you (and
>>your Exchange server), the SPAMMER had forged the sender
>address. To make
>>matters worse, the spammer may have forged an address
>that does not exist at
>>another domain as the sender. So, your Exchange sends an
>NDR to a
>>non-existent address at wigglewaggle.whatever. The SMTP
>server at
>>wigglewaggle.whatever then replies back to your Exchange
>server that that
>>address does not exist, etc, etc.
>>
>>Now, the moral of the above story? Upgrade to Exchange
>2003 or get a proven
>>effective Anti-SPAM solution (hint.... hint ....). For a
>really good
>>solution get both. If you can't do both my Anti-SPAM
>solution is cheaper
>>than E2K3 license fee and way better than Exchange IMF.
>>
>>--
>>Sincerely,
>>
>>Dèjì Akómöláfé, MCSE MCSA MCP+I
>>Microsoft MVP - Directory Services
>>www.readymaids.com - COMPLETE SPAM Protection
>>www.akomolafe.com
>>Do you now realize that Today is the Tomorrow you were
>worried about
>>Yesterday? -anon
>>
>>
>><anonymous@discussions.microsoft.com> wrote in message
>>news:01e201c492e2$b73fc350$a401280a@phx.gbl...
>>Hi Deji,
>>
>> Thank you for your reply. Excuse my ignorance, but
>>why would my server accept the mail and try to deliver
>>it? Is this not what relaying is? I would have thought
>>that the SPAM would be dropped because it wants my server
>>to relay the mail. I noticed that some of the mail does
>>get delivered to its intended targets while others get
>>NDRs. Can you please explain this to me a little better.
>>Again, sorry for my ignorance and I appreciate all the
>>help I've been receiving on this.
>>
>>Sincerely,
>>Gerry
>>
>>>-----Original Message-----
>>>You are confusing SPAM attack with open relay. Someone
is
>>blasting SPAM into
>>>your server, your server accepts the mails but can't
>>deliver it, then your
>>>server tries to return them (NDR) but can't either
>>because the source
>>>addresses are spoofed.
>>>
>>>This is where you need an Anti-SPAM filter like mine.
>>>
>>>--
>>>Sincerely,
>>>
>>>Dèjì Akómöláfé, MCSE MCSA MCP+I
>>>Microsoft MVP - Directory Services
>>>www.readymaids.com - COMPLETE SPAM Protection
>>>www.akomolafe.com
>>>Do you now realize that Today is the Tomorrow you were
>>worried about
>>>Yesterday? -anon
>>>
>>>
>>><anonymous@discussions.microsoft.com> wrote in message
>>>news:601601c4929f$c8d8e710$a601280a@phx.gbl...
>>>>
>>>> >-----Original Message-----
>>>> >
>>>> >"Gerry" <anonymous@discussions.microsoft.com> wrote
in
>>>> message
>>>> >news:600b01c4929a$8260b010$a501280a@phx.gbl...
>>>> >>I am running Exchange 5.5 and I've noticed that I
>>have a
>>>> >> ton of mail messages in my IMS Queue waiting to be
>>>> >> delivered. They are all unknown senders and
>>recipients.
>>>> >> I've followed Microsoft's instructions to prohibit
>>>> >> relaying, but I still get messages coming through.
>>>> When I
>>>> >> telnet my server and type in RCPT TO: xx@xx.xx I
>>>> get "550
>>>> >> Relaying Prohibited". When I check the "Diagnostic
>>>> >> Logging" file created by the "SMTP Protocol Log", I
>>can
>>>> >> see the RCPT TO: xx@xx.xx and it is followed
>>with "350
>>>> Go
>>>> >> Ahead". I would have thought to see "Relaying
>>>> >> Prohibited". Any help would greatly be
appreciated.
>>>> >
>>>> >Why don't you delete them from the queue?
>>>> >
>>>> >
>>>> >.
>>>> >I have deleted them from the queue. Once I re-enable
>>the
>>>> IMS Service, the messages start piling up again.
>>>>
>>>> Thanks,
>>>> Gerry
>>>
>>>
>>>.
>>>
>>
>>
>>.
>>
>
>
>.
>
- Next message: 1BigMess: "Re: Tools --> Monitoring and Status --> Status"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Help! Being Used As A Relay"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
Loading
