RE: SPAM via SMTP? RPC?
- From: "MichaelHensley" <mhensley@xxxxxxxxxxxxxx>
- Date: Mon, 9 May 2005 12:21:03 -0700
I *think*, since "authenticated users" and all computers that are members of
your domain are allowed to relay, then assuming you have DHCP set up the way
it usually is, anyone who can connect to either a WiFi access point or plug
in to a network jack can relay (DHCP will assign them an IP address that will
basically make them part of your domain).
Or, it could be as simple as a compromised end-user password, or a trojaned
PC.
I think your log files are your best bet. There are a number of free and
third-party tools to help read/analyze Exchange log files.
Good luck!
"Brian Edwards" wrote:
> Thanks for the thought, but I'm certain it's not an open AP. It's definitely
> something occurring on the Exchange server. I'm trying to go through our
> SMTP logs to see where mail is being generated from, but these things might
> as well be in Swahili. I suspect an RPC problem involving Outlook Web Access
> and/or IIS 6.0. Anyone know how I might check that? I've verified that I
> have all the RPC patches, sans 823980 installed. I'll have to uninstall SP1
> to install that. Or is that already patched with SP1 (I'm running Windows
> 2003 Server SP1 and Exchange 2003 Server SP1).
>
> TIA.
>
> "MichaelHensley" wrote:
>
> > Have you considered the possibility of an open WiFi access point? Note that
> > it doesn't have to be one you know about. Users have been known to buy a
> > cheap access point and plug it in at their desks so they can use their
> > laptops around the office.
> >
> > Buy a good scanner, and see what you can find.
> >
> > "Brian Edwards" wrote:
> >
> > > I just received my first abuse complaint from my ISP. It appears that
> > > somebody has sent out a ton of spam using our Exchange server. I have
> > > diligently worked for the last two years to prevent this and now it appears
> > > my efforts have been in vain.
> > >
> > > Abuse.net tells me that my mail server is not an open relay, as does
> > > dnsstuff.com. I had my ISP run a port scan and there are only a handful of
> > > ports "open":
> > > 21/tcp: FTP: needed for business use
> > > 25/tcp: SMTP: smtp email port - needed for business use
> > > 110/tcp: POP3: pop3 email port - needed for business use
> > > 1040/tcp: NETSAINT: IPSec Policy Agent
> > > 1108/tcp: Exchange System Attendant stuff
> > > 1110/udp: Exchange System Attendant stuff
> > > 1117/tcp: "Message Queuing - QMRT V1"
> > > 1117/tcp: "Message Queuing - QMRT V2"
> > > 1117/tcp: "Message Queuing - QM2QM V1"
> > > 1117/tcp: "Message Queuing - RemoteRead V1"
> > > 1156/tcp: Exchange Directory NSPI Proxy
> > > 1261/tcp: "Exchange MTA 'Mta' Interface" and "Exchange MTA 'QAdmin' Interface"
> > > 1263/udp: "Exchange MTA 'Mta' Interface" and "Exchange MTA 'QAdmin' Interface"
> > > 1284/tcp: Exchange Server STORE ADMIN Interface
> > > 1285/udp: Exchange Server STORE ADMIN Interface
> > > 1723/tcp: PPTP - for our VPN connection
> > > 2103/tcp: same as the stuff running on 1117/tcp
> > > 2105/tcp: same as the stuff running on 1117/tcp
> > > 2107/tcp: same as the stuff running on 1117/tcp
> > > 3389/tcp: Terminal Services
> > > 6001/tcp: Exchange Server STORE ADMIN Interface
> > > 6002/tcp: Exchange System Attendant stuff
> > > 6004/tcp: MS Exchange Directory NSPI Proxy
> > > 6983/tcp: ?? (no services listed, but port is open)
> > > 6984/tcp: ?? (no services listed, but port is open)
> > > 6987/tcp: ?? (no services listed, but port is open)
> > > 6988/tcp: ?? (no services listed, but port is open)
> > > 6991/tcp: ?? (no services listed, but port is open)
> > > 7004/tcp: ?? (no services listed, but port is open)
> > > 7005/tcp: ?? (no services listed, but port is open)
> > >
> > > My SMTP Virtual Server has the following settings:
> > >
> > > General tab:
> > > IP address: 192.168.0.110
> > > Limit number of connections to: [unchecked]
> > > Connection time-out: 3 minutes
> > > Enable logging: [checked]
> > > Active log format: W3C Extended Log File Format
> > >
> > > Access tab:
> > > Access Control section, Authentication Button:
> > > Anonymous Access: [checked]
> > > Resolve anonymous e-mail: [unchecked]
> > > Basic authentication: [unchecked]
> > > Integrated Windows authentication: [checked]
> > > Grant or Deny Users button: "Authenticated Users" have Submit/Relay
> > > permissions
> > > Secure Communication section, Certificate button: [unused]
> > > Connection Control section, Connection button: [unused]
> > > Relay Restrictions section, Relay button:
> > > "Only the list below" selected, our domain name entered
> > > "Allow all computers which successfully authenticate...": [checked]
> > >
> > > Messages tab: stuff set up how I want it
> > >
> > > Delivery tab: retry intervals configured as desired
> > > Outbound Security button: "anonymous access" only item selected
> > > Outbound Connections: configured to default, port 25 selected
> > > Advanced tab: hop count = 30, reverse DNS lookup selected, external DNS
> > > servers properly configured
> > >
> > >
> > > With those settings, external POP/SMTP clients CANNOT send email. They can
> > > receive it fine, they just cannot send it. I DO NOT want to use Basic
> > > Authentication. And in what bizarro world does anonymous access need to be
> > > allowed? That is totally insane.
> > >
> > > I have read about three dozen different "How to set up your SMTP Exchange
> > > server..." articles now. Each one is slightly different. Following each of
> > > their directions to a 'T' results in not being able to send/relay mail.
> > > Opening up the relay's authentication to remove the Windows authentication
> > > portion allows anyone in the world to send/relay through the server.
> > >
> > > So, can someone, anyone, please direct me to the absolute correct "this is
> > > EXACTLY how you need to configure your Exchange 2003 SP1 server to allow your
> > > employees to smtp/relay from outside the domain/office while NOT allowing
> > > spammers to hack your system, including RPC connections" document, KB
> > > article, TechNet discussion, etc., place? I NEVER had this much trouble with
> > > sendmail or any other ~x mail server software. Is it so hard for MS to
> > > duplicate those systems?
> > >
> > > TIA for any help anyone can provide. I'm sure there are thousands out there
> > > who feel my pain.
> > >
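One way to act on the "your log files are your best bet" advice above (an added example, not code from anyone in the thread): parse W3C Extended SMTP log lines and tally, per client IP, the accepted RCPT commands bound for non-local domains, which is the pattern to chase when relay abuse is suspected. The field layout, LOCAL_DOMAIN, LOCAL_NET and the sample lines are constructed assumptions modelled on IIS/Exchange 2003 SMTP logging, not values from the poster's server.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): local mail domain and LAN range; 192.168.0.0/24 matches the 192.168.0.110 server address given.
LOCAL_DOMAIN = "example.com"
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample excerpt in W3C Extended format; a #Fields line names the
# columns, as in IIS/Exchange SMTP logs (only a subset of fields is shown).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-05-09 08:01:11 192.168.0.55 - MAIL +FROM:<alice@example.com> 250
2005-05-09 08:01:11 192.168.0.55 - RCPT +TO:<bob@example.com> 250
2005-05-09 08:01:40 192.168.0.77 - MAIL +FROM:<joe@example.com> 250
2005-05-09 08:01:41 192.168.0.77 - RCPT +TO:<v5@other.org> 250
2005-05-09 08:02:31 203.0.113.7 - MAIL +FROM:<x@spam.invalid> 250
2005-05-09 08:02:31 203.0.113.7 - RCPT +TO:<v1@other.org> 250
2005-05-09 08:02:31 203.0.113.7 - RCPT +TO:<v2@other.org> 250
2005-05-09 08:02:32 203.0.113.7 - RCPT +TO:<v3@other.org> 250
2005-05-09 08:02:33 203.0.113.7 - RCPT +TO:<bob@example.com> 250
2005-05-09 08:03:00 198.51.100.9 - RCPT +TO:<v4@other.org> 550
"""

ADDR_RE = re.compile(r"<[^@>]+@([^>]+)>")  # domain part of <user@domain>

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def relay_rcpt_by_ip(text):
    """Per client IP: (accepted RCPTs to non-local domains, is_outside_lan)."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT" or not rec.get("sc-status", "").startswith("2"):
            continue  # only RCPT commands the server actually accepted count as relaying
        m = ADDR_RE.search(rec.get("cs-uri-query", ""))
        if m and m.group(1).lower() != LOCAL_DOMAIN:
            counts[rec["c-ip"]] += 1
    return {ip: (n, ipaddress.ip_address(ip) not in LOCAL_NET) for ip, n in counts.items()}

if __name__ == "__main__":
    for ip, (n, ext) in sorted(relay_rcpt_by_ip(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:15} external RCPTs={n:3} outside LAN={ext}")
```

An inside-LAN address with a high count is the rogue-access-point or DHCP-guest case raised in the reply; an outside address with a high count points at a compromised credential or a relay rule that is wider than intended.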