Re: Incoming mail for recipients not in my domain
From: PaulB (p.bassett_at_zeda.co.uk)
Date: 02/05/04
- Next message: Max Maximov: "Theory Question"
- Previous message: Sean Macdonald: "Re: NDR loop"
- In reply to: PaulB: "Re: Incoming mail for recipients not in my domain"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Incoming mail for recipients not in my domain"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 5 Feb 2004 09:24:49 -0000
OK, I've logged the maximum amount of detail overnight and we've had 22,000
(spurious) messages in this time. Looking through the logs I can't see any
entries to indicate which credentials are being logged. I can post part of
the log if that would help?
"PaulB" <p.bassett@zeda.co.uk> wrote in message
news:eNOX2qz6DHA.2924@tk2msftngp13.phx.gbl...
> OK, Ben, I'll try that. Thanks. I guess I will need to turn on some
> advanced logging options as the info you mention is not captured by default
> in the log.
>
> PaulB
>
>
> "Ben Winzenz [Exchange MVP]" <benwinzenz@NOSPAM.gardnerwhite.com> wrote in
> message news:O6CEZdz6DHA.2264@tk2msftngp13.phx.gbl...
> > They deal with 2 totally different things. Leave the access control part
> > alone, as it simply deals with how other computers (think other e-mail
> > servers) can connect to your server. If you remove the anonymous selection,
> > no one else will be able to send you e-mail unless they provide
> > authentication (that's not gonna happen).
> >
> > The message that you showed is not an NDR, so my guess would be that you've
> > got a compromised account. I'd start looking at your SMTP log files and see
> > if you can figure out which account is being used. If you can import the
> > logs into Excel, and massage the data around, it is a little easier to look
> > at, and there should be a user field that you can see the account used. If
> > you can't figure out which one, then force a password change for all user
> > accounts. If you have to do that, you will need to check your servers for
> > any services that depend on specific accounts. Exchange won't have a
> > problem because all of the Exchange services run under the Local System
> > context, but other programs may still have services dependent on specific
> > accounts (akin to the Service Account in 5.5).
> >
> > --
> > Ben Winzenz
> > MVP - Exchange
> > Network Engineer
> > Gardner & White
> >
> > Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm
> > Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm
> >
> >
> > "PaulB" <p.bassett@zeda.co.uk> wrote in message
> > news:eH110Pz6DHA.1504@TK2MSFTNGP12.phx.gbl...
> > > Thanks for the advice, Ben.
> > > Regarding point 1:
> > > Guest account is disabled
> > > The setting on my SMTP virtual server is indeed to allow authenticated users
> > > to relay. However, in the access control 'anonymous access' is allowed.
> > > Isn't this a paradox? Also 'basic authentication' and 'Integrated Windows
> > > authentication' are enabled. Is this what you would recommend or should I
> > > disable one or more of these?
> > >
> > > Point 2:
> > > Just taking one of these damned mail messages at random:
> > > Sent from: "Aniana Burns" binisatchelsadorable@hahale.net
> > > Subject: Free S@mp1e of We1ght Loss Pr0duct!
> > > Envelope recipients: lerickso@eudoramail.com;
> > >
> > > This message sits in my queue trying to get back to the sender address as it
> > > is presumably not deliverable to the eudora address. I have to say that
> > > right now I would consider a brief custodial sentence as worthwhile if only
> > > I could have the satisfaction of repeatedly smashing the perpetrator's face
> > > into my knee...
> > >
> > > Any ideas? (about the technical problem, not the idea of violent assault).
> > > PaulB
> > >
> > >
> > >
> > >
> > > "Ben Winzenz [Exchange MVP]" <benwinzenz@NOSPAM.gardnerwhite.com> wrote in
> > > message news:ee#3g6y6DHA.360@TK2MSFTNGP12.phx.gbl...
> > > > A couple of things might be happening here.
> > > >
> > > > 1. Although you are not an open relay, someone could be relaying through
> > > > your server using authentication (i.e. a password has been compromised, or
> > > > your Guest account is Enabled). The default settings on the SMTP Virtual
> > > > Server are to allow all computers that successfully authenticate to relay.
> > > > There was another person on the newsgroups recently that had this problem -
> > > > it ended up being Norton Ghost had created an account and the password had
> > > > been compromised. Checking your SMTP Logs
> > > > (c:\winnt\system32\logfiles\smtpsvc1 is the default location) may help you
> > > > in finding out which account is doing this.
> > > >
> > > > 2. You are not an open relay, but someone else could still be attempting to
> > > > relay off your server. There are certain formats of messages that Exchange
> > > > will initially accept (even though the recipient is not local), only to
> > > > later reject. If you look in the queues for these remote domains, and choose
> > > > "Enumerate 100 messages", are they actual e-mails, or is the sender <>, or
> > > > postmaster@yourdomain.com?
> > > >
> > > > --
> > > > Ben Winzenz
> > > > MVP - Exchange
> > > > Network Engineer
> > > > Gardner & White
> > > >
> > > > Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm
> > > > Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm
> > > >
> > > >
> > > > "PaulB" <p.bassett@zeda.co.uk> wrote in message
> > > > news:%23BuP7ww6DHA.1636@TK2MSFTNGP12.phx.gbl...
> > > > > I expect this is a simple problem but my mail server is, for want of a
> > > > > better word, being attacked several times a day by incoming SMTP traffic
> > > > > that is destined for recipients for domains outside of my domain.
> > > > > To clarify: my domain is zeda.co.uk but frequently I see in the 'current
> > > > > connections' a connection from a spurious external host with a name like
> > > > > 'regal' or 'dolphin' or some other word that looks like it has been picked
> > > > > from a dictionary rather than host.domain.tld. The mail that is being
> > > > > accepted by my server is destined for thousands of spurious users at other
> > > > > domains. Therefore my Exchange server starts creating queues to try to send
> > > > > these mails out but, in the majority of cases, the server or recipient
> > > > > cannot be reached so they just sit in the queue until the message expires.
> > > > > I can't help but think that if there were a way to configure my server only
> > > > > to accept incoming messages for users at zeda.co.uk rather than
> > > > > someone@hahale.net or someone@suite224.net this problem would not exist.
> > > > >
> > > > > My server is not an open relay - have checked this with numerous online OR
> > > > > testing services.
> > > > >
> > > > > Any help appreciated,
> > > > > PaulB
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
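The log check Ben describes (find the authenticated account behind the relayed mail, and separate it from anonymous relay attempts the server refused and from null-sender/postmaster traffic) can be done without Excel. The following is an added example, not code from anyone in the thread. It assumes the SMTP virtual server writes the W3C extended log format with a `#Fields:` header (the parser reads the header rather than hard-coding column positions), that `cs-method` carries the SMTP verb, `cs-uri-query` its argument (`+FROM:<...>` / `+TO:<...>`), and `cs-username` the authenticated account once AUTH has returned 235. The embedded log lines, the account name `ZEDA\backupsvc`, the IPs and the mailbox names are constructed for illustration; only `zeda.co.uk` and the two spam addresses come from the thread.

```python
"""Attribute accepted non-local RCPT TO commands to the authenticating account
in a Windows SMTP service (W3C extended) log.

Added example for the thread above, not code from the original posts.
Assumed field semantics: cs-method = SMTP verb, cs-uri-query = its argument,
cs-username = account name after a successful AUTH (sc-status 235).
"""
import re
from collections import Counter

LOCAL_DOMAIN = "zeda.co.uk"  # the domain named in the thread

# Constructed sample, not from any real server. The account name, addresses
# and IPs are invented; the column order follows the '#Fields:' header.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-02-05 00:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2004-02-05 00:01:10 203.0.113.7 - SMTPSVC1 MAILSRV 192.0.2.5 25 EHLO - regal 250 0 0 0 0 SMTP - - - -
2004-02-05 00:01:11 203.0.113.7 - SMTPSVC1 MAILSRV 192.0.2.5 25 AUTH - LOGIN 334 0 0 0 0 SMTP - - - -
2004-02-05 00:01:12 203.0.113.7 ZEDA\backupsvc SMTPSVC1 MAILSRV 192.0.2.5 25 AUTH - ZEDA\backupsvc 235 0 0 0 0 SMTP - - - -
2004-02-05 00:01:13 203.0.113.7 ZEDA\backupsvc SMTPSVC1 MAILSRV 192.0.2.5 25 MAIL - +FROM:<binisatchelsadorable@hahale.net> 250 0 0 0 0 SMTP - - - -
2004-02-05 00:01:13 203.0.113.7 ZEDA\backupsvc SMTPSVC1 MAILSRV 192.0.2.5 25 RCPT - +TO:<lerickso@eudoramail.com> 250 0 0 0 0 SMTP - - - -
2004-02-05 00:01:13 203.0.113.7 ZEDA\backupsvc SMTPSVC1 MAILSRV 192.0.2.5 25 RCPT - +TO:<someone@suite224.net> 250 0 0 0 0 SMTP - - - -
2004-02-05 00:02:30 198.51.100.20 - SMTPSVC1 MAILSRV 192.0.2.5 25 MAIL - +FROM:<partner@example.com> 250 0 0 0 0 SMTP - - - -
2004-02-05 00:02:30 198.51.100.20 - SMTPSVC1 MAILSRV 192.0.2.5 25 RCPT - +TO:<p.bassett@zeda.co.uk> 250 0 0 0 0 SMTP - - - -
2004-02-05 00:03:05 198.51.100.33 - SMTPSVC1 MAILSRV 192.0.2.5 25 MAIL - +FROM:<> 250 0 0 0 0 SMTP - - - -
2004-02-05 00:03:05 198.51.100.33 - SMTPSVC1 MAILSRV 192.0.2.5 25 RCPT - +TO:<victim@hahale.net> 550 0 0 0 0 SMTP - - - -
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def address_of(query):
    """Mailbox inside '+FROM:<x@y>' or '+TO:<x@y>'; '' for the null sender '<>'."""
    m = ADDR_RE.search(query)
    return m.group(1) if m else ""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def summarize(text, local_domain=LOCAL_DOMAIN):
    """Count accepted non-local recipients per (account, client IP), plus the
    signals Ben asks about: refused anonymous relays and null-sender MAIL FROMs."""
    local_domain = local_domain.lower()
    out = {
        "relayed_by": Counter(),         # (cs-username, c-ip) -> accepted non-local RCPTs
        "rejected_relay_ips": Counter(), # c-ip -> non-local RCPTs the server refused
        "auth_success": Counter(),       # (cs-username, c-ip) -> AUTH 235 replies
        "local_rcpts": 0,
        "null_sender_mails": 0,
    }
    for rec in parse_w3c(text):
        verb = rec["cs-method"].upper()
        user, ip, status = rec["cs-username"], rec["c-ip"], rec["sc-status"]
        if verb == "AUTH" and status == "235":
            out["auth_success"][(user, ip)] += 1
        elif verb == "MAIL" and address_of(rec["cs-uri-query"]) == "":
            out["null_sender_mails"] += 1
        elif verb == "RCPT":
            dom = domain_of(address_of(rec["cs-uri-query"]))
            if dom == local_domain:
                out["local_rcpts"] += 1
            elif status == "250":
                out["relayed_by"][(user, ip)] += 1   # relay accepted: who authenticated?
            else:
                out["rejected_relay_ips"][ip] += 1   # relay refused: normal for a closed relay
    return out


def suspects(summary):
    """Authenticated accounts that relayed to non-local domains, most active first."""
    return [(u, ip, n) for (u, ip), n in summary["relayed_by"].most_common() if u != "-"]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user, ip, n in suspects(s):
        print(f"{user} from {ip} relayed {n} non-local recipient(s)")
    print("anonymous relay attempts refused:", dict(s["rejected_relay_ips"]))
```

Point `summarize` at the contents of the ex*.log files under the smtpsvc1 directory instead of `SAMPLE_LOG`; an account that shows up in `suspects` with thousands of accepted non-local recipients is the one to disable or reset first, while a large `rejected_relay_ips` count with no `relayed_by` entries means the relay restriction is doing its job and the queue contents need the second of Ben's checks.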