Re: Exchange Hijacked



Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

>
>>Lots of spammers use domains that either have no inbound SMTP server,
>>a MX record that points to a host with an address of 127.0.0.1 or
>>0.0.0.0, or they just reply with a 4xx status to your connection.
>
>So I should remove 127.0.0.1 from the relay restrictions tab under default
>virtual smtp server?

Well, unless you have something running on the server that sends to
"localhost" it's not necessary.

But my point was that the messages in your queues that can't be
delivered may be there because the address they're supposed to go to
can't be accessed. You may find MX records that lead to 10.x.x.x,
192.160.x.x, or 172.yy.xx.xx networks, too. None are routable on the
'net.

>>Turn off the ability for authenticated users to relay and see what
>>happens. If this stops your problem, find the compromised user account
>>and change the password to something strong. If the problem continues,
>
>where would I do that?

The checkbox at the bottom of the "Relay..." dialog box for the SMTP
Virtual Server -- the same place you mentioned in your 1st paragraph.

>> Because your server is sending NDRs to the originators. If you don't
>> accept mail for addresses that don't exist in your organization you
>> won't be sending NDRs.
>
>So these are replies saying that the message was not delivered?

They may be. It sounds like they are.

>Someone
>spamming us? That's a lot of spam and a lot of email addresses, they don't
>appear to be duplicates..

The definition of "a lot of spam" is relative. I haven't looked into
the number of messages we don't accept because they cannot be
delivered, but in January we were turning away a million messages a
week for that reason.

>> Turn off the ability for authenticated users to relay and see what
>> happens. If this stops your problem, find the compromised user account
>> and change the password to something strong.
>
>Where would I do that?

See above.

>> However, by rejecting mail for addresses you don't have you do open
>> yourself a bit to directory harvesting and you may see an increase in
>> the number of spam messages you receive that *do* reach working
>> mailboxes. So use a good spam filter in conjunction with the rejection
>> of messages.
>
>What is directory harvesting?

A spammer begins sending messages to your server using a series of
addresses. Those that are NOT rejected are added to mailing lists for
later use.

>and where would I reject addresses that I don't
>have?

Global Settings | Message Delivery | Recipient Filtering > Filter
recipients who are not in the directory

Then display the property page of your SMTP Virtual Server. Click the
"Advanced..." button, select the IP Address that's listening on the
Internet-facing NIC and click "Edit". Check the "Apply Recipient
Filtering" box.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
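Two of the points in the reply above lend themselves to a small check an admin could script: triaging a stuck queue by spotting recipient domains whose MX targets are loopback, unspecified or private (10/8, 172.16/12, 192.168/16) addresses, and spotting a directory-harvest run in SMTP protocol logs as a source that collects many "user unknown" rejections across distinct recipients. The following is an added Python example and is not code from the thread or from Exchange; the MX target map and the log lines are constructed inline (documentation-range IPs, `.invalid` domains, a simplified log format) so it runs offline, and the thresholds are assumptions to tune for a real site.

```python
import ipaddress
import re
from collections import defaultdict

# Address ranges that can never receive mail from the public Internet.
# RFC 1918 ranges are listed as standardised; the thread's "192.160.x.x"
# is read here as the 192.168/16 private block.
NON_ROUTABLE = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("unspecified", ipaddress.ip_network("0.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
]

# Constructed sample: recipient domain -> addresses its MX hosts resolve to.
# A real tool would fill this from DNS; hard-coded here so the example runs offline.
SAMPLE_MX_TARGETS = {
    "example-a.invalid": ["127.0.0.1"],
    "example-b.invalid": ["0.0.0.0"],
    "example-c.invalid": ["10.4.4.4"],
    "example-d.invalid": ["192.168.1.20", "172.16.8.9"],
    "example-e.invalid": [],                 # no MX and no A record at all
    "example-f.invalid": ["203.0.113.25"],   # TEST-NET-3 standing in for a public address
}


def classify_mx_target(addresses):
    """Return why a domain's MX targets cannot be reached, or 'ok' if any can."""
    if not addresses:
        return "no-mx"
    reasons = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for name, net in NON_ROUTABLE:
            if ip in net:
                reasons.add(name)
                break
        else:
            return "ok"  # at least one target is routable, so mail can be delivered
    return ",".join(sorted(reasons))


def undeliverable_domains(mx_map):
    """Domains whose queued mail will never leave: domain -> reason."""
    return {d: r for d, r in ((d, classify_mx_target(a)) for d, a in mx_map.items()) if r != "ok"}


# Constructed SMTP protocol log (simplified format: time, peer IP, RCPT, reply code).
# 198.51.100.7 walks a list of guessed mailboxes; 192.0.2.10 is a normal sender with one typo.
SAMPLE_SMTP_LOG = """\
2024-01-01T10:00:01 198.51.100.7 RCPT TO:<aaron@ourdomain.invalid> 550 5.1.1 User unknown
2024-01-01T10:00:01 198.51.100.7 RCPT TO:<abby@ourdomain.invalid> 550 5.1.1 User unknown
2024-01-01T10:00:02 198.51.100.7 RCPT TO:<adam@ourdomain.invalid> 550 5.1.1 User unknown
2024-01-01T10:00:02 198.51.100.7 RCPT TO:<alan@ourdomain.invalid> 550 5.1.1 User unknown
2024-01-01T10:00:03 198.51.100.7 RCPT TO:<alex@ourdomain.invalid> 550 5.1.1 User unknown
2024-01-01T10:00:03 198.51.100.7 RCPT TO:<alice@ourdomain.invalid> 250 2.1.5 Recipient OK
2024-01-01T10:05:00 192.0.2.10 RCPT TO:<alice@ourdomain.invalid> 250 2.1.5 Recipient OK
2024-01-01T10:05:00 192.0.2.10 RCPT TO:<bob@ourdomain.invalid> 250 2.1.5 Recipient OK
2024-01-01T10:05:01 192.0.2.10 RCPT TO:<bbo@ourdomain.invalid> 550 5.1.1 User unknown
""".splitlines()

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})")


def harvest_suspects(log_lines, min_unknown=5, min_ratio=0.8):
    """Peers that probed at least min_unknown distinct non-existent recipients
    and whose RCPT attempts were mostly rejected: peer IP -> count of unknown recipients."""
    stats = defaultdict(lambda: {"unknown": set(), "total": 0})
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not RCPT results
        ip = m["ip"]
        stats[ip]["total"] += 1
        if m["code"] == "550":
            stats[ip]["unknown"].add(m["rcpt"].lower())
    suspects = {}
    for ip, s in stats.items():
        unknown = len(s["unknown"])
        if unknown >= min_unknown and unknown / s["total"] >= min_ratio:
            suspects[ip] = unknown
    return suspects


if __name__ == "__main__":
    for domain, reason in undeliverable_domains(SAMPLE_MX_TARGETS).items():
        print(f"{domain}: {reason}")
    print("harvest suspects:", harvest_suspects(SAMPLE_SMTP_LOG))
```

Counting distinct rejected recipients rather than raw 550s keeps a single mistyped address from tripping the check, and requiring a high rejection ratio separates a harvester from a mailing list that merely carries a few stale entries.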