Re: Spam attack from within, please help!!!



Thanks for the info. I will check into your suggestions. However, after
coming in this morning and finding 650+ instances of this spam locked in the
queue (I froze the queue before going to sleep), I deleted all, applied SP2
for Exchange and, post-reboot, find that I am no longer a servant to the gods
of spam. I get the feeling that simply rebooting the server severed their
connection. Whether or not they or someone else tries again is probably only
a matter of time, which is why I will take your comments to heart, but going
forward I'm wondering if there are any programs or utilities out there that
can detect this type of activity and proactively freeze the queue, send a
notification email or SMS to me, or simply not allow this to occur.

I've heard of a product from Symantec that sits on top of an Exchange server
called anti-spam or something like that. Not sure if something like that
would be helpful or if I simply need to verify the points that you made.

"Bharat Suneja [MVP]" wrote:

- If the messages didn't originate on your internal network, there's less
stuff to worry about.
- Check the destination/recipient of messages? Are these your internal
recipients? If yes, you're being spammed.
- If not, your server's being used as a relay.
- Relaying is disabled by default - check that you haven't enabled it for
all hosts, and if enabled for selected hosts examine their IP addresses -
anything out of whack?
- Next, test relaying from outside your firewall.
- If the SMTP vs receives inbound internet email directly (no smarthosts /
relay hosts in between) and you're using the default SMTP vs, create an
additional SMTP vs instead, set only anonymous authentication and do not
allow relaying (including to authenticated senders, which is enabled by
default). Will require changes to firewall (redirect inbound smtp to new
internal IP address of new SMTP vs).

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------


"Stephen" <coder@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0D462A38-D8D6-4411-9C42-D8587F1127F3@xxxxxxxxxxxxxxxx
got ya... a quick random sampling of the queue currently shows the
following...

Received: from jeugwcb.com ([210.96.229.37]) by xxx.xxx.xxx with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 21 Feb 2007 20:59:37 -0500
Received: from 203.92.42.221 (203.92.42.221) by jeugwcb.com; Thu, 22 Feb 2007 11:01:59 GMT

Received: from rgioedth.com ([218.53.105.167]) by xxx.xxx.xxx with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 21 Feb 2007 21:00:42 -0500
Received: from 203.94.54.226 (203.94.54.226) by rgioedth.com; Thu, 22 Feb 2007 11:03:04 GMT

Received: from sabewrt.com ([218.53.105.174]) by xxx.xxx.xxx with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 21 Feb 2007 21:06:21 -0500
Received: from 210.74.136.150 (210.74.136.150) by sabewrt.com; Thu, 22 Feb 2007 11:08:43 GMT

If I read the top of these messages correctly, could it be that I am under
attack by a number of different external IPs?

Please advise!!!


Thank you!!!

"Bharat Suneja [MVP]" wrote:

Look at the queues for source of messages - you can open up messages in the
queue using Outlook Express or Notepad. Determine if it's an internal IP or
external.

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------



"Stephen" <coder@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D4A99DC-1D53-45A2-B612-B92CF41DEC0E@xxxxxxxxxxxxxxxx
This morning I started to receive Undeliverable reports from my email server
such as the following...
______________________________________________________
Your message did not reach some or all of the intended recipients.

Subject: ▶은행이율로 고민해결(년7.5~12%)!1109120
Sent: 2/21/2007 6:36 PM

The following recipient(s) could not be reached:

soccerloveman73@xxxxxxxxxxx on 2/21/2007 6:38 PM
There was a SMTP communication problem with the recipient's
email server. Please contact your system administrator.
< dns1-alb.paetec.net #5.5.0 SMTP; 554 5.7.1 64.80.0.162:
Connection refused. Your IP address is blocked(unregistered bulk).>
__________________________________________________
I received about 100 of these before I figured out that freezing a certain
SMTP connector stopped the flow. But now I have to check that queue every so
often and remove that crap and allow the legitimate emails to go out. I've
probably deleted a few hundred of these today.

I need help trying to figure out if this is an open relay problem (I thought
I closed that up a long time ago), or if this could be due to some rogue
process that could have been downloaded by a user opening a bad email, or
what. I'm sort of at a loss as Exchange is not my forte. I've run Spybot and
Adaware on my email server and both reported clean results. I do not have an
antivirus installed on the email server (but perhaps it's time to do so).
I'm not sure if I should be looking at the email server, another server with
SMTP service running, or perhaps even a workstation on my network. I'm really
at a loss and am turning to you, the gurus of Exchange, to help me get to
the bottom of this. I'll be trying to work this problem out through the
night if necessary and will promptly reply to any question to help clarify
the situation.

Any and all help is greatly appreciated.
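Added example, not posted by anyone in this thread: a small Python script that does the check Bharat describes (open the queued messages and determine whether the submitting IP is internal or external) over the Received headers Stephen pasted. It keys on the host name the local server stamps into its own Received line (the thread masks it as xxx.xxx.xxx, kept here as a placeholder), because only that hop is written by your server; every hop below it was supplied by the remote side and can be forged. A fourth message from a made-up internal address (10.0.0.25) is constructed so that both branches are exercised.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Placeholder for the local Exchange host name (masked as xxx.xxx.xxx in the thread).
LOCAL_HOST = "xxx.xxx.xxx"

# Three Received-header pairs as pasted in the thread (unwrapped onto one line
# each), plus a CONSTRUCTED fourth message from a made-up LAN host 10.0.0.25.
SAMPLE_MESSAGES = [
    "Received: from jeugwcb.com ([210.96.229.37]) by xxx.xxx.xxx with Microsoft "
    "SMTPSVC(6.0.3790.1830); Wed, 21 Feb 2007 20:59:37 -0500\n"
    "Received: from 203.92.42.221 (203.92.42.221) by jeugwcb.com; Thu, 22 Feb 2007 11:01:59 GMT",
    "Received: from rgioedth.com ([218.53.105.167]) by xxx.xxx.xxx with Microsoft "
    "SMTPSVC(6.0.3790.1830); Wed, 21 Feb 2007 21:00:42 -0500\n"
    "Received: from 203.94.54.226 (203.94.54.226) by rgioedth.com; Thu, 22 Feb 2007 11:03:04 GMT",
    "Received: from sabewrt.com ([218.53.105.174]) by xxx.xxx.xxx with Microsoft "
    "SMTPSVC(6.0.3790.1830); Wed, 21 Feb 2007 21:06:21 -0500\n"
    "Received: from 210.74.136.150 (210.74.136.150) by sabewrt.com; Thu, 22 Feb 2007 11:08:43 GMT",
    # constructed: a workstation on the LAN submitting straight to the server
    "Received: from ws42 ([10.0.0.25]) by xxx.xxx.xxx with Microsoft "
    "SMTPSVC(6.0.3790.1830); Wed, 21 Feb 2007 21:10:00 -0500",
]

# Matches "Received: from <helo> ([ip]) by <host>" and "from <ip> (ip) by <host>".
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(message: str) -> list:
    """Return every Received hop as {helo, ip, by}, top of the message first."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(message)]


def connecting_ip(message: str, local_host: str = LOCAL_HOST) -> Optional[str]:
    """IP of the peer that actually connected to our server.

    Only the Received line stamped by the local host is trustworthy; the hops
    below it were written by the remote sender and prove nothing.
    """
    for hop in parse_received(message):
        if hop["by"].lower() == local_host.lower():
            return hop["ip"]
    return None


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def summarize(messages: list) -> dict:
    """Count internal vs external submitters and list the distinct external IPs."""
    counts = Counter()
    external = set()
    for msg in messages:
        ip = connecting_ip(msg)
        if ip is None:
            counts["unknown"] += 1
        elif is_internal(ip):
            counts["internal"] += 1
        else:
            counts["external"] += 1
            external.add(ip)
    return {
        "internal": counts["internal"],
        "external": counts["external"],
        "unknown": counts["unknown"],
        "external_ips": sorted(external),
    }


if __name__ == "__main__":
    # Expected: 3 external submitters (the three pasted messages), 1 internal.
    print(summarize(SAMPLE_MESSAGES))
```

Run over the pasted headers it reports three distinct external submitters and no internal ones, which is the "external IP" case in Bharat's list. Whether that means you are being spammed or used as a relay still depends on the recipients, which the script does not look at: a queue full of messages to external recipients, as in the NDRs Stephen quoted, points at relaying.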





