Re: Problem with spam relay in Exchange 2003



I recommend checking your domain for accounts/passwords like test/test,
admin/admin and check if the Guest account is enabled. Spammers often try
some common user name and password combinations. See
http://www.vamsoft.com/authattack.asp.

Peter
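The pattern Peter describes (a client guessing common SMTP AUTH credentials, succeeding, and then relaying through the authenticated session) can be spotted in the server's SMTP protocol log. The following detector is an added example, not code from any poster in this thread; it assumes a W3C-style log with the fields date, time, c-ip, cs-method, cs-uri-query and sc-status, and the sample lines, addresses and domains are constructed.

```python
"""Spot SMTP AUTH password guessing followed by authenticated relay.
Assumes a W3C-style SMTP protocol log with the fields
date time c-ip cs-method cs-uri-query sc-status (verb, argument, reply code)."""
from collections import defaultdict

# Constructed sample (RFC 5737 addresses, RFC 2606 domains): one client fails
# AUTH three times, succeeds, then relays to outside domains; a legitimate
# POP user authenticates once and sends to a local mailbox.
SAMPLE_LOG = """\
2007-01-23 21:20:01 198.51.100.7 EHLO User 250
2007-01-23 21:20:02 198.51.100.7 AUTH LOGIN 535
2007-01-23 21:20:03 198.51.100.7 AUTH LOGIN 535
2007-01-23 21:20:04 198.51.100.7 AUTH LOGIN 535
2007-01-23 21:20:05 198.51.100.7 AUTH LOGIN 235
2007-01-23 21:20:06 198.51.100.7 MAIL FROM:<sender@example.com> 250
2007-01-23 21:20:07 198.51.100.7 RCPT TO:<victim1@example.net> 250
2007-01-23 21:20:08 198.51.100.7 RCPT TO:<victim2@example.com> 250
2007-01-23 21:25:00 192.0.2.10 AUTH LOGIN 235
2007-01-23 21:25:01 192.0.2.10 MAIL FROM:<user@example.org> 250
2007-01-23 21:25:02 192.0.2.10 RCPT TO:<colleague@example.org> 250
"""

LOCAL_DOMAINS = {"example.org"}  # constructed: domains this server hosts


def analyse(log_text, local_domains=LOCAL_DOMAINS):
    """Return {ip: (auth_failures, authenticated, external_recipients)}."""
    per_ip = defaultdict(lambda: [0, False, 0])
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue  # skip blank lines and W3C '#Fields:' comments
        _d, _t, ip, verb, arg, status = raw.split(None, 5)
        rec = per_ip[ip]
        if verb.upper() == "AUTH":
            if status == "235":           # 235: authentication succeeded
                rec[1] = True
            elif status.startswith("5"):  # 535: bad credentials
                rec[0] += 1
        elif verb.upper() == "RCPT" and status == "250":
            addr = arg[arg.find("<") + 1:arg.find(">")]
            if addr.rpartition("@")[2].lower() not in local_domains:
                rec[2] += 1  # accepted a recipient outside our domains
    return {ip: tuple(v) for ip, v in per_ip.items()}


def suspicious(stats, fail_threshold=3):
    """IPs that guessed passwords and then relayed outbound."""
    return sorted(ip for ip, (fails, ok, ext) in stats.items()
                  if fails >= fail_threshold and ok and ext > 0)
```

An IP that appears in `suspicious()` points at the guessed account: its name is in the cs-username or AUTH argument of the real log, and that account's password is the thing to change.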

<coffeyp@xxxxxxxxx> wrote in message
news:1169676410.201600.5340@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

No machines are listed in the current sessions and I haven't been able
to catch one there. Relaying is not allowed although 127.0.0.1 was
permitted originally. I removed this just in case that was providing an
exploit, and "Allow all computers which successfully authenticate to
relay" is checked as well. I do support POP for external users so SMTP
authentication is on. I collected several hours' worth of netstat
output and I went ahead and banned that specific email address and IP
from my server, but I'm assuming he or she will simply come back as a
different connection.


On Jan 24, 2:59 pm, "Alexander Zammit" <alex@respond_to_group> wrote:
Do you need to allow relaying from authenticated connections?
There is a good chance you don't.

Check this for details on how to disable such relaying and to verify your
config settings: http://www.exchangeinbox.com/articles/034/openrelay.htm

--
Alexander Zammit
WinDeveloper Software
IMF Tune - Unleash the Full Intelligent Message Filter Power
http://www.windeveloper.com/imftune/

<coff...@xxxxxxxxx> wrote in message
news:1169667035.178626.277200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



I've got a relaying issue where a spammer is able to relay mail through
my Exchange 2003 server and I hope someone can tell me how this is
happening and how to stop it.

First my server is SBS 2003 and Exchange 2003 with the latest service
packs installed for both. The server does not allow relaying and
passed all the relaying tests at mail abuse.

I first noticed the problem when the mail queue filled up. What I
found was thousands of NDR emails that could not be sent to invalid
addresses. All of these emails were from aw-conf...@xxxxxxxxx. Looking
at the message header I can see that the email is addressed to an
invalid user in my domain and I assumed the spammer was using RNDR to
get his spam out, so I enabled the "Filter recipients who are not in the
Directory" option under Message Delivery Properties.

This prevented the NDR messages, but now I can actually see the original
email being sent to addresses not in my domain and I don't understand
how the relay is working, and depending on where I look the information
about the email is different.

In the original email the To: field is none and the headers do not show
any To: address. In the NDR you can see the sender and the spammer's
target email address. In message tracking I can see the email come
from aw-conf...@xxxxxxxx and that its recipients are email addresses
external to my domain and that SMTP transfers are actually taking place
to valid addresses. Even though the NDRs have been stopped I'm still
getting a ton of email sent through my server.

How is this guy relaying through my server and how do I stop this? Any
help is greatly appreciated.

Here is the header from the spam email. The To: address in the email
is none.

Received: from User ([63.200.161.26]) by elitedc01.elite-management.biz
with Microsoft SMTPSVC(6.0.3790.211);
Tue, 23 Jan 2007 16:30:30 -0500
From: "eBay"<aw-conf...@xxxxxxxx>
Subject: eBay automatically invites qualified users to be Titanium
PowerSeller
Date: Tue, 23 Jan 2007 13:17:45 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: aw-conf...@xxxxxxxx

Here is the NDR message:
From: <postmas...@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
To: <aw-conf...@xxxxxxxx>
Subject: Delivery Status Notification (Failure)
Date: Tuesday, January 23, 2007 4:26 PM

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

aol...@xxxxxxxxx

Here is the header from the NDR:

From: postmas...@xxxxxxxxxxxxxxxxxxxxxxxxxxx
To: aw-conf...@xxxxxxxx
Date: Tue, 23 Jan 2007 16:26:01 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C73F33CF30CD7400000137elitedc01.elite?"
X-DSNContext: 7ce717b1 - 1383 - 00000002 - C00402EF
Message-ID: <VrS6IWttP00000...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail
program.

--9B095B5ADSN=_01C73F33CF30CD7400000137elitedc01.elite?
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

aol...@xxxxxxxxx

--9B095B5ADSN=_01C73F33CF30CD7400000137elitedc01.elite?
Content-Type: message/delivery-status

Reporting-MTA: dns;elitedc01.elite-management.biz
Received-From-MTA: dns;User
Arrival-Date: Tue, 23 Jan 2007 16:22:42 -0500

Final-Recipient: rfc822;aol...@xxxxxxxxx
Action: failed
Status: 5.4.0

--9B095B5ADSN=_01C73F33CF30CD7400000137elitedc01.elite?
Content-Type: message/rfc822

Received: from User ([63.200.161.26]) by elitedc01.elite-management.biz
with Microsoft SMTPSVC(6.0.3790.211);
Tue, 23 Jan 2007 16:22:42 -0500
From: "eBay"<aw-conf...@xxxxxxxx>
Subject: eBay automatically invites qualified users to be Titanium
PowerSeller
Date: Tue, 23 Jan 2007 13:09:57 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: aw-conf...@xxxxxxxxx
