Re: Exchange Hijacked
>Lots of spammers use domains that either have no inbound SMTP server,
>an MX record that points to a host with an address of 127.0.0.1 or
>0.0.0.0, or they just reply with a 4xx status to your connection.

So I should remove 127.0.0.1 from the relay restrictions tab under the default
virtual SMTP server?

>Turn off the ability for authenticated users to relay and see what
>happens. If this stops your problem, find the compromised user account
>and change the password to something strong. If the problem continues,

Where would I do that?

> Because your server is sending NDRs to the originators. If you don't
> accept mail for addresses that don't exist in your organization you
> won't be sending NDRs.

So these are replies saying that the message was not delivered? Someone
spamming us? That's a lot of spam and a lot of email addresses; they don't
appear to be duplicates.

> However, by rejecting mail for addresses you don't have you do open
> yourself a bit to directory harvesting and you may see an increase in
> the number of spam messages you receive that *do* reach working
> mailboxes. So use a good spam filter in conjunction with the rejection
> of messages.

What is directory harvesting, and where would I reject addresses that I don't
have?

"Rich Matheisen [MVP]" wrote:

> Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> >Block postmaster@xxxxxxxxxxxx? There are too many destination addresses for
> >this. But what I really would like to know is how come I have a thousand
> >messages failed outgoing from postmaster@mydomain in 2 days' time to other
> >domains, no dupes?
>
>
> However, by rejecting mail for addresses you don't have you do open
> yourself a bit to directory harvesting and you may see an increase in
> the number of spam messages you receive that *do* reach working
> mailboxes. So use a good spam filter in conjunction with the rejection
> of messages.
>
> >We have under 10 users. There is no postmaster account,
>
> You may not have assigned the postmaster address, but it's there. If
> you send a message to postmaster@xxxxxxxxxxxxxx and ask for a delivery
> receipt you'll find the mailbox that accepts the mail.
>
> >no
> >email is assigned to accept emails for that address. The outgoing mail says it
> >IS from our domain. 30 or so virtual SMTP connectors are queued up to deliver
> >messages that are failing; there is only one default SMTP connector set up.
> >It really looks like we are being used as a relay.
>
> Or you're just being spammed and the spammer is using some purchased
> mailing list or they're creating mail addressed by combining common
> names (a dictionary attack) and hoping to find a few that work (e-mail
> is cheap so this works).
>
> >I have started article KB324958. No authenticated relaying is happening; the
> >server is not an open relay. Even if I clean up the queues, it most likely
> >will return. I need to understand HOW this got started.
>
> If your server's secured then either it's just spam or you're allowing
> authenticated users to relay and you either have the Guest account
> enabled or somebody's password was cracked.
>
> Turn off the ability for authenticated users to relay and see what
> happens. If this stops your problem, find the compromised user account
> and change the password to something strong. If the problem continues,
> it's spam and you need a good spam filter to go along with your
> rejecting unknown addresses in your own domain.
>
> --
> Rich Matheisen
> MCSE+I, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
>
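As an added illustration (not code from the thread, from Exchange, or from either poster), the following Python model plays out the three situations Rich describes: a server that accepts mail for any local-part and bounces later (the NDR backscatter that fills the queue when the forged sender's MX points at 127.0.0.1), a server that rejects unknown recipients at RCPT TO (no backscatter, but a dictionary attacker gets a 250 for exactly the real mailboxes), and the relay decision for an authenticated session, which is what a cracked account exploits. The domain name, mailbox names, MX table, name dictionary and the "drop the session after three unknown recipients" limit in the third policy are all constructed assumptions; that limit is a common directory-harvest mitigation and goes beyond what the thread proposes.

```python
"""Added model of the SMTP trade-offs discussed above; not from the thread
or from Exchange.  All domains, mailboxes and MX entries are constructed.

Three RCPT TO policies for a domain with four real mailboxes:
  accept_all    accept any local-part, generate an NDR later for unknown
                ones (the behaviour that fills the queue with backscatter)
  reject        answer 550 for unknown recipients (no NDRs, but a dictionary
                attacker learns which addresses exist)
  reject+limit  as reject, but drop the session after a few unknown
                recipients (an assumed harvest-protection tweak, not
                something the thread proposes)
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DOMAIN = "mydomain.example"
MAILBOXES = {"rob", "alice", "bob", "postmaster"}          # constructed org

# Constructed MX table: the spammer's forged sender domain points at loopback,
# so NDRs addressed to it can never be delivered and sit in the queue.
MX = {"spammer.example": "127.0.0.1", "partner.example": "192.0.2.25"}

# Attacker's name dictionary; real names deliberately placed late in the list.
DICTIONARY = ["john", "mary", "sales", "steve", "rob",
              "dave", "alice", "info", "bob", "postmaster"]


def ndr_deliverable(addr: str) -> bool:
    """True if an NDR to addr has a usable MX to go to."""
    mx = MX.get(addr.partition("@")[2])
    return mx is not None and mx not in ("127.0.0.1", "0.0.0.0")


@dataclass
class SmtpServer:
    reject_unknown: bool
    max_unknown_per_session: Optional[int] = None
    authenticated: bool = False          # did this session complete SMTP AUTH?
    relay_authenticated: bool = True     # "allow authenticated users to relay"
    unknown_seen: int = 0
    delivered: List[str] = field(default_factory=list)
    ndr_sent: List[Tuple[str, str]] = field(default_factory=list)
    ndr_queue: List[Tuple[str, str]] = field(default_factory=list)   # stuck NDRs

    def rcpt_to(self, rcpt: str) -> str:
        local, _, dom = rcpt.partition("@")
        if dom != DOMAIN:                # relaying to another domain
            if self.authenticated and self.relay_authenticated:
                return "250 2.1.5 Recipient OK"
            return "550 5.7.1 Unable to relay"
        if local in MAILBOXES:
            return "250 2.1.5 Recipient OK"
        self.unknown_seen += 1
        if not self.reject_unknown:
            return "250 2.1.5 Recipient OK"   # accepted now, bounced later
        if self.max_unknown_per_session and self.unknown_seen > self.max_unknown_per_session:
            return "421 4.7.0 Too many invalid recipients, closing connection"
        return "550 5.1.1 User unknown"

    def data(self, mail_from: str, rcpt: str) -> None:
        """End of DATA for one accepted recipient: deliver, or generate an NDR."""
        if rcpt.partition("@")[0] in MAILBOXES:
            self.delivered.append(rcpt)
            return
        ndr = (f"postmaster@{DOMAIN}", mail_from)   # NDR from postmaster@ to the forged sender
        (self.ndr_sent if ndr_deliverable(mail_from) else self.ndr_queue).append(ndr)


def dictionary_attack(server: SmtpServer, mail_from: str, names) -> List[str]:
    """One spammer session probing every name; stops if the server drops it."""
    accepted = []
    for name in names:
        rcpt = f"{name}@{DOMAIN}"
        reply = server.rcpt_to(rcpt)
        if reply.startswith("421"):
            break
        if reply.startswith("250"):
            accepted.append(rcpt)
            server.data(mail_from, rcpt)
    return accepted


def simulate(policy: str) -> dict:
    server = SmtpServer(reject_unknown=policy != "accept_all",
                        max_unknown_per_session=3 if policy == "reject+limit" else None)
    accepted = dictionary_attack(server, "bogus@spammer.example", DICTIONARY)
    # With accept_all every name gets 250, so a 250 tells the attacker nothing;
    # with rejection each 250 confirms a real mailbox.
    leaked = sum(a.partition("@")[0] in MAILBOXES for a in accepted) if server.reject_unknown else 0
    return {"accepted": len(accepted), "real_leaked": leaked,
            "stuck_ndrs": len(server.ndr_queue)}


def relay_check(authenticated: bool, relay_authenticated: bool) -> str:
    """What an outsider, or a cracked account, gets when asking to relay."""
    server = SmtpServer(reject_unknown=True, authenticated=authenticated,
                        relay_authenticated=relay_authenticated)
    return server.rcpt_to("anyone@partner.example")


if __name__ == "__main__":
    for policy in ("accept_all", "reject", "reject+limit"):
        print(policy, simulate(policy))
    print("cracked account, relay on :", relay_check(True, True))
    print("cracked account, relay off:", relay_check(True, False))
```

Running it shows the accept-all policy producing six NDRs that can never leave the queue (the "messages failed outgoing from postmaster@mydomain" symptom) while leaking nothing at RCPT time, the reject policy producing no NDRs but confirming all four real mailboxes to the probe, and the per-session limit cutting the probe off before it finds any. The last two lines show why Rich suggests turning off relay for authenticated users as a diagnostic: with it on, a session that has authenticated with a cracked password is allowed to relay to any domain.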