Re: Is my server hijacked or is it spammed



Thanks for the reply, Bharat, but I still don't get it.

Only authenticated hosts can relay through our server, yet this spammer
appears to be able to relay emails. The from address is not
@ourdomain.com and the rcpt addresses are not @ourdomain.com, so it
would seem the spammer actually managed to authenticate.
Is there any switch I can turn on to confirm that the authentication
was successful (and optionally another switch that would tell me which
user he impersonated)?

Tony.

Bharat Suneja [MVP] wrote:
Recipient Filtering does not impact relaying functionality as such.

The way relaying (and Recipient Filtering) works:
- if an external host (that does not have permission to relay by default)
sends mail for somethirddomain.com to your server, which is only responsible
for receiving mail to yourdomain.com, it will get a 5.7.1 relaying denied.
Recipient Filtering does not even come into play at this point.
- if the external host sends a message to AnyUser@xxxxxxxxxxxxxx - your
server is responsible for receiving mail to this domain, as defined in
Recipient Policies. It will accept the message. There was no relaying
involved here because the message is for your domain.
- With Recipient Filtering enabled, if the host sends a message to
InvalidUser@xxxxxxxxxxxxxx, though your server is responsible for receiving
the message, it will check if InvalidUser exists in AD or not - in this case
the user is invalid, so the message is dropped.
- When authenticated or allowed hosts relay through your server, they are
sending to some domain that your server isn't responsible for. They will be
allowed to relay because they are authenticated or hosts allowed to
relay.... Exchange cannot and will not check whether a recipient is actually
valid or not on a 3rd party smtp domain.

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


<georgevukas@xxxxxxxxx> wrote in message
news:1153876241.559093.24590@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks, I guess this will drop all incoming mail to non-existent
internal directory addresses.

Will this have an effect though on mail sent via relay to external
addresses by legitimate IMAP or POP3 users?

Is there any official MS doco on this behaviour?

