Re: Why is my Exch srvr spamming people?
- From: "Bob in AZ" <none@xxxxxxxxxxx>
- Date: Mon, 24 Mar 2008 23:13:23 -0700
Ok, so if you've ruled out open relays--how about an internal host that's
compromised, sending mail out? The 400 connections, as mentioned earlier,
could certainly be the NDR replies back to the complaining servers, but
these 400 connections may not be the actual source. Do you allow outbound
port 25 traffic from anything/address other than your exchange server? If
it's on, and a client PC can send over TCP port 25 to another server on the
internet, an infected 'zombie' PC with some spam worms/virus could be your
problem.
If you've got the ability to monitor outbound traffic at your router, watch
for TCP 25 outbounds and see if any other hosts are connecting/sending. If
you don't care about catching the offending PC, just make sure that port 25
is blocked on outgoing. You'll still have a likely-to-be-infected host
inside the network, but it won't be able to distribute anymore.
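The check Bob describes, watching the outbound side of the router for hosts other than the Exchange server opening TCP 25 connections, as an added example that is not part of the original thread. It assumes a firewall or router export with one line per connection in the constructed format shown in SAMPLE_LOG, and an assumed Exchange address of 192.168.1.10; adjust the regex and MAIL_SERVERS for a real export.

```python
"""Flag internal hosts making outbound TCP/25 connections that are not the mail server.

Added example, not from the thread. The log format and addresses are constructed.
"""
import re
from collections import defaultdict

# Constructed sample export: one allowed connection per line (assumed format).
SAMPLE_LOG = """\
2008-03-24 22:10:01 ALLOW TCP 192.168.1.10:4102 -> 203.0.113.25:25
2008-03-24 22:10:03 ALLOW TCP 192.168.1.57:1033 -> 198.51.100.7:25
2008-03-24 22:10:03 ALLOW TCP 192.168.1.57:1034 -> 198.51.100.8:25
2008-03-24 22:10:04 ALLOW TCP 192.168.1.57:1035 -> 203.0.113.99:25
2008-03-24 22:10:05 ALLOW TCP 192.168.1.22:2201 -> 203.0.113.50:80
2008-03-24 22:10:06 ALLOW TCP 192.168.1.10:4103 -> 198.51.100.20:25
2008-03-24 22:10:07 ALLOW TCP 192.168.1.57:1036 -> 192.0.2.14:25
"""

# Hosts that are allowed to talk SMTP to the internet (assumed Exchange address).
MAIL_SERVERS = {"192.168.1.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def outbound_smtp_by_host(log_text):
    """Map each internal source address to the set of remote hosts it reached on TCP 25."""
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == "25":
            destinations[rec["src"]].add(rec["dst"])
    return dict(destinations)


def suspicious_hosts(log_text, mail_servers=MAIL_SERVERS, min_destinations=2):
    """Internal hosts that are not mail servers yet reached several remote MTAs.

    A legitimate client never needs to open port 25 to arbitrary internet hosts;
    a spam bot fans out to many, so a small destination threshold is enough.
    """
    found = outbound_smtp_by_host(log_text)
    return sorted(
        src for src, dsts in found.items()
        if src not in mail_servers and len(dsts) >= min_destinations
    )


if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        dsts = outbound_smtp_by_host(SAMPLE_LOG)[host]
        print(f"{host}: {len(dsts)} remote hosts on TCP 25 -> investigate / block")
```

Once the offending host is identified (or regardless, as Bob says), the lasting fix is an outbound rule that permits TCP 25 only from the addresses in MAIL_SERVERS; the script then serves as a check that the rule is actually being enforced.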
"Holo20" <Holo20@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:81A6C8CD-BB76-44B8-8875-007A8879FDBB@xxxxxxxxxxxxxxxx
Ok, after finding various addresses that it would take, I was able to
successfully complete each relay test, and each one came back "Unable to
relay...".
"Holo20" wrote:
Hi Rene,
I did start the procedures mentioned in the Microsoft KB, but never got very
far. Upon inputting the "mail from" or "receipt to" addresses, I mostly got a
reply of "Invalid address", with the exception (strangely) of my own personal
Hotmail address.
Thanks for your continuing help...
"Rene Frenger" wrote:
Do a telnet test to check for relaying:
http://support.microsoft.com/kb/304897
--
Regards,
Rene Frenger
MCITP E2K7
MCP EX5.5, 2000, 2003
MCSE
"Holo20" wrote:
Hi Rene,
I did run the Exch BPA, and it came back good, only a few informational
items such as Outdated driver, etc.
I did already have the recipient filtering set up as you suggested.
In the meantime, I will start the hunt for a virus-ridden machine...
"Rene Frenger" wrote:
It is also possible that your server is sending NDR spam:
A spam server is trying to send spam to random email addresses in your
organisation.
Your server responds to that by sending an NDR back: user does not
exist, blah.
These NDRs are sent by the postmaster email address.
To prevent this:
Enable "Filter recipients who are not in the Directory" in the Recipient
Filtering tab of the Message Delivery object (under Global Settings in ESM).
--
Regards,
Rene Frenger
MCITP E2K7
MCP EX5.5, 2000, 2003
MCSE
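Why the setting Rene recommends works, as an added example that is not part of the original thread: a toy model of the receiving server's envelope handling. With recipient filtering off, the server accepts mail for any address in its domain and only later discovers the mailbox does not exist, so it generates an NDR to the forged MAIL FROM (the "postmaster" backscatter the ISP complains about). With filtering on, unknown recipients are refused at RCPT TO with a 550 and nothing is ever queued, so there is nothing to bounce. The mailbox list and the 400-message spam burst are constructed; the function names are this example's own.

```python
"""Toy model of NDR backscatter and of rejecting unknown recipients at RCPT time.

Added example, not from the thread. Mailboxes, addresses and the spam burst are constructed.
"""

# Constructed directory of real mailboxes on the receiving server.
KNOWN_MAILBOXES = {"michael@example.com", "sales@example.com"}


def handle_envelope(mail_from, rcpt_to, recipient_filtering, known=KNOWN_MAILBOXES):
    """Simulate one SMTP envelope on the receiving MTA.

    Returns (smtp_replies, ndr_sent_to): the replies the sending host sees, and
    the address an NDR would later be sent to, or None if no NDR is generated.
    """
    replies = ["250 Sender OK"]  # MAIL FROM is never verified; spam forges it freely
    if rcpt_to.lower() not in known:
        if recipient_filtering:
            # Refuse at RCPT TO: the spam bot gets the error, nothing is queued,
            # so no NDR is ever produced.
            replies.append("550 5.1.1 User unknown")
            return replies, None
        # Without filtering the server accepts anything for its domain...
        replies += ["250 Recipient OK", "250 Queued"]
        # ...then finds no such mailbox and bounces to the forged sender.
        return replies, mail_from
    replies += ["250 Recipient OK", "250 Queued"]
    return replies, None


def backscatter_count(envelopes, recipient_filtering):
    """Number of NDRs a burst of envelopes causes the server to send out."""
    return sum(
        1 for mail_from, rcpt_to in envelopes
        if handle_envelope(mail_from, rcpt_to, recipient_filtering)[1] is not None
    )


# Constructed burst: 400 spam envelopes with forged senders to random local users.
SPAM_BURST = [(f"victim{i}@forged.example", f"user{i}@example.com") for i in range(400)]

if __name__ == "__main__":
    print("NDRs without recipient filtering:", backscatter_count(SPAM_BURST, False))
    print("NDRs with recipient filtering:   ", backscatter_count(SPAM_BURST, True))
```

Mail to a real mailbox is accepted in both modes; the setting only changes what happens to addresses the directory does not know. The "almost 400 connections" in the original post is exactly what the unfiltered case produces: one outbound NDR delivery per spam envelope, addressed to whoever's address the spammer forged.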
"Holo20" wrote:
Gurus,
Mine is an Exch 2003 server on Server 2003. This is the second time I have
gotten a call from the ISP about complaints of spam from my domain. I check
the queue and sure enough, almost 400 connectors, all sending out some kind
of Citibank phishing attempt.
I have gone through the steps to check and as far as I can tell I am not an
open relay. I have no clue how this can be happening, and any suggestions and
advice would be greatly appreciated.
-Michael