Re: SMTP Woes


From: Stuart Mackie [MCSE MCSA] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 03/15/05


Date: Tue, 15 Mar 2005 16:35:57 -0000

Hi MR.

Can you provide some additional information on your configuration:
- What services are you running which are visible to the internet such as
DNS, IIS etc.
- Do you host the DNS for your external domain or is this done by your ISP
or domain host ?
- What settings have you configured for IMF ?
- Are there a large number of emails outgoing from postmaster@domainname.com
in your queues, or is the problem only the total number of connections ?
- Are you up to date with SP1 and patches for Exchange ?
- Is there any possibility at some point your server was allowing anonymous
relaying ? The volume of connections you're getting, presuming these have
started recently, is unusual and would suggest a configuration issue
encouraging additional connections, one of the most common being anonymous
relay. Have you made any other changes to your network, mail server, DNS
settings for your external domain etc ?
- How did you test for mail relay ?

From reading your replies you do appear to have taken a lot of the right
steps to resolving the problem. Moving your email hosting to an external
source is an option if you really did struggle to get this under control,
but as Jack has mentioned there are disadvantages to this as well. Although
external email hosts try to provide as much configuration over their
filtering, it generally isn't as flexible as running your own server with
filtering software. Some of the other issues could be filtering which is
too strict or they use RBLs which block legitimate connections etc. But,
there are arguments for both so it is still something to consider.

1. Configure recipient filtering to filter recipients who are not in the
Directory.

2. Configure sender filtering to filter messages with blank sender

3. Make sure after configuring the above filtering to enable the filters on
your Virtual SMTP Server by viewing its properties, in the General tab click
Advanced then Edit, the three filter options are then listed.

4. To reduce the number of connection attempts you should consider RBLs to
block connections which are known to be abused by spammers.
Unfortunately getting a balance with RBLs is difficult because you have no
control over the lists. To make this worse the RBL features provided in
Exchange IMF and most 3rd party Filter software only Allow or Deny a
connection request, there is no middle ground for consideration. This is
one area where Linux servers do get some additional flexibility because it's
possible to implement RBLs using a scoring system to try and overcome false
positives. Personally we use the following RBLs and have had only 2 or 3
false positives that we've been informed of in the last 12+ months.

    bl.spamcop.net
    dul.dnsbl.sorbs.net
    sbl-xbl.spamhaus.org
    list.dsbl.org

5. If you are up to date with patches the last SMTP patch added tarpit
options. This allows you to configure the SMTP services so that when a
connection is made to your server that uses an invalid recipient address,
instead of returning the invalid address error instantly it delays the
response up to 10 seconds. Only invalid address responses are delayed,
legitimate requests/emails are not. The KB article below explains how to
configure the tarpit option. If you have all patches it's just one registry
edit, otherwise you may need to download the latest SMTP patch first.

http://support.microsoft.com/kb/842851/

6. You don't list in any of your posts anti-virus or filtering software
other than the IMF. Many of the 3rd party filtering and AV products provide
the same features as IMF and more as well as AV. Although some of these
features won't assist with your problem now, it's worth looking at getting
at least an AV filter for your mail.

- -
Hth,
Stuart Mackie MCSE MCSA
www.stu.uk.com

"Jack Pea***" <pea***@simconv.com> wrote in message
news:eBk5%23wOKFHA.508@TK2MSFTNGP12.phx.gbl...
> "MR" <comconix@newsgroup.nospam> wrote in message
> news:uSOQjHMKFHA.656@TK2MSFTNGP14.phx.gbl...
>> i thought that i could have all my mail routed to my ISP and give them
>> the list of valid email addresses in my company (only about 15) and then
>> using a POP3 connector, pull the filtered messages into my server.
> You might want to look at the Exchange Intelligent Message Filter first,
> as a replacement for the ISA message filter (MS says don't use both). It
> functions as a front end filter for incoming email. You can also include
> spammer blacklists in Exchange 2003 (I use Spamhaus). I manually block
> certain domains in ISA and Exchange if I know for certain no one in the
> company receives mail from legitimate sources there.
>
> One often neglected area is to take a look at who is hitting your DNS
> server. Gather some statistics from the ISA firewall about the heaviest
> DNS requesters. Block a few of the unrecognizable ones at the top of the
> usage list and see what happens. Is there any reason a single requester
> would send 10's or 100's of requests a day to your DNS server? Look for
> DNS zone transfer requests too, chances are they aren't legit if they
> don't come from your ISP's DNS servers (and make sure your external DNS
> blocks zone transfer to anyone except your ISP).
>
> Do you have any valid reason to assume your ISP can do a better job at
> filtering spam than you can? Ask yourself why they let it through in the
> first place, if they have better tools to catch it. And how will your ISP
> know the difference between your legit senders and spammers? I for one
> would not care to have the mailman filter my snail mail before delivering
> it to my house.
> Jack Pea***
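
Added example, not part of either post: the RBL allow/deny limitation and the scoring alternative mentioned in point 4 of the reply, shown side by side. The zone names are the four listed in the post; the weights, the threshold, the function names and the sample listings are assumptions made for illustration.

```python
import ipaddress
import socket

# Zones are the four lists named in the post. The weights and the threshold
# are assumed values for illustration, not settings taken from the post.
ZONE_WEIGHTS = {
    "bl.spamcop.net": 2.0,
    "dul.dnsbl.sorbs.net": 1.0,
    "sbl-xbl.spamhaus.org": 3.0,
    "list.dsbl.org": 1.5,
}
REJECT_THRESHOLD = 3.0

def dnsbl_query_name(client_ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """True if the name resolves to a 127.0.0.0/8 answer, i.e. the IP is listed."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except OSError:
        return False  # NXDOMAIN or resolver failure: treat as not listed

def listed_zones(client_ip, is_listed=system_resolver):
    """Return the zones that list client_ip, using the supplied lookup function."""
    return [z for z in ZONE_WEIGHTS if is_listed(dnsbl_query_name(client_ip, z))]

def binary_decision(client_ip, is_listed=system_resolver):
    """Allow/deny only, as the post describes: a hit on any one list rejects."""
    return "deny" if listed_zones(client_ip, is_listed) else "allow"

def scored_decision(client_ip, is_listed=system_resolver):
    """Weighted scoring: reject only when the summed weight reaches the threshold."""
    score = sum(ZONE_WEIGHTS[z] for z in listed_zones(client_ip, is_listed))
    return ("deny" if score >= REJECT_THRESHOLD else "allow"), score

# Constructed sample listings (documentation-range IPs) standing in for DNS answers.
SAMPLE_LISTINGS = {
    "10.2.0.192.dul.dnsbl.sorbs.net",      # on one low-weight list only
    "7.100.51.198.bl.spamcop.net",         # on two lists
    "7.100.51.198.sbl-xbl.spamhaus.org",
}

def sample_resolver(name):
    """Offline stand-in for system_resolver, backed by SAMPLE_LISTINGS."""
    return name in SAMPLE_LISTINGS
```

With the sample data, the address that appears on a single low-weight list is rejected by the allow/deny check but accepted by the scored check, which is the false-positive case the reply describes.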

