Re: Exchange Hijacked



Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

>Block postmaster@xxxxxxxxxxxx? There are to many destination addresses for
>this. But what I really would like to know is how come I have a thousand
>messages failed outgoing from postmaster@mydomain in 2 days time to other
>domains, no dupes?

Because your server is sending NDRs to the originators. If you don't
accept mail for addresses that don't exist in your organization you
won't be sending NDRs.

However, by rejecting mail for addresses you don't have you do open
yourself a bit to directory harvesting and you may see an increase in
the number of spam messages you receive that *do* reach working
mailboxes. So use a good spam filter in conjunction with the rejection
of messages.

>We have under 10 users. There is no postmaster account,

You may not have assigned the postmaster address, but it's there. If
you send a message to postmaster@xxxxxxxxxxxxxx and ask for a delivery
receipt you'll find the mailbox that accepts the mail.

>no
>email is assigned to accept emails for that address. The outgoing mail says it
>IS from our domain. 30 or so virtual SMTP connectors are queued up to deliver
>messages that are failing, there is only one default smtp connector setup.
>It really looks like we are being used as a relay.

Or you're just being spammed and the spammer is using some purchased
mailing list or they're creating mail addressed by combining common
names (a dictionary attack) and hoping to find a few that work (e-mail
is cheap so this works).

>I have started article kb324958. No authenticated relaying is happening, the
>server is not an open relay. Even if I clean up the queues, it most likely
>will return. I need to understand HOW this got started.

If your server's secured then either it's just spam or you're allowing
authenticated users to relay and you either have the Guest account
enabled or somebody's password was cracked.

Turn off the ability for authenticated users to relay and see what
happens. If this stops your problem, find the compromised user account
and change the password to something strong. If the problem continues,
it's spam and you need a good spam filter to go along with your
rejecting unknown addresses in your own domain.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
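As an added example, not part of the thread, here is a small Python triage script that checks message-tracking-style log lines for the two patterns Rich describes: postmaster NDRs going to outside domains (backscatter from accepting mail for non-existent local addresses) and a single authenticated account relaying to many outside recipients (a cracked password or an enabled Guest account). The log lines and the comma-separated field layout are constructed for this example and are not the Exchange message-tracking format; mydomain.example is a placeholder for the poster's domain.

```python
# Added example: triage backscatter NDRs and authenticated-relay abuse.
# Log lines and the field layout (timestamp,event,sender,recipient,auth_user)
# are CONSTRUCTED here and are not the Exchange message-tracking format.
from collections import Counter, defaultdict
LOCAL_DOMAIN = "mydomain.example"  # placeholder for the poster's domain

SAMPLE_LOG = """\
2005-01-10T09:00:01,DSN,postmaster@mydomain.example,bob@other.example,
2005-01-10T09:00:02,DSN,postmaster@mydomain.example,sue@third.example,
2005-01-11T09:00:03,DSN,postmaster@mydomain.example,joe@fourth.example,
2005-01-10T09:05:00,SEND,alice@mydomain.example,partner@other.example,alice
2005-01-10T09:05:01,SEND,guest@mydomain.example,x1@spamtarget.example,guest
2005-01-10T09:05:02,SEND,guest@mydomain.example,x2@spamtarget.example,guest
2005-01-10T09:05:03,SEND,guest@mydomain.example,x3@other.example,guest
"""

def parse_log(text):
    """One dict per non-blank line; auth_user is empty for unauthenticated mail."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, event, sender, rcpt, auth = line.split(",")
            rows.append({"ts": ts, "event": event, "sender": sender,
                         "rcpt": rcpt, "auth": auth})
    return rows

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def count_backscatter(rows):
    """NDRs (DSN events) from postmaster to external recipients, per day; many
    of these means mail for non-existent local users is accepted then bounced."""
    per_day = Counter()
    for r in rows:
        if (r["event"] == "DSN"
                and r["sender"].lower() == f"postmaster@{LOCAL_DOMAIN}"
                and domain_of(r["rcpt"]) != LOCAL_DOMAIN):
            per_day[r["ts"][:10]] += 1
    return dict(per_day)

def find_relay_abuse(rows, max_external_rcpts=2):
    """Authenticated accounts relaying to more than max_external_rcpts distinct
    external recipients: candidates for a cracked password or enabled Guest."""
    rcpts = defaultdict(set)
    for r in rows:
        if r["event"] == "SEND" and r["auth"] and domain_of(r["rcpt"]) != LOCAL_DOMAIN:
            rcpts[r["auth"]].add(r["rcpt"].lower())
    return {u: len(s) for u, s in rcpts.items() if len(s) > max_external_rcpts}
```

A daily backscatter count in the hundreds with no authenticated sender flagged points at the NDR cause; a flagged account points at the relay cause, which is the split Rich suggests testing by turning authenticated relay off.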