PLEASE HELP: My Exchange server is being blasted by spammer


From: Matthew Kaess (netadmin_at_advancebeverage.com)
Date: 02/05/04


Date: Thu, 5 Feb 2004 09:10:34 -0800

How did you create your connection to the other site?

If this is like what I'm experiencing on my E2K server -
I don't think there is a short answer. I am getting
messages to our domain but to recipients that do not
exist in AD. They cycle through different names such as
jeff@mydomain.com, fred@mydomain.com, etc. and they all
contain the MyDoom virus. Exchange 2003 has the
capability of filtering to only recipients in AD which
would reject all but legitimate mail, but E2K does not.
If this is what you are experiencing and you find a
better answer to this - I'd like to hear it.

>-----Original Message-----
>Hey Guys I came into work this morning to find 7500 new
>messages in my inbox. More than usual ;) They are
>almost all coming from the Exchange Admin auto
>notification. Here's the type of message I get:
>
>****************************************
>A mail message could not be sent because the following
>host is unknown:
>
> tpts9.seed.net.tw
>The message that caused this notification was:
>
>
> From: <mark@216.181.47.4>
> Subject:
>
>***************************************
>
>216.181.47.4 is my public IP for my exchange server. This
>weekend I was making many changes to my router and
>firewall to open up my network to our new New Jersey office
>(we are in Maryland). But I have a feeling I have opened
>myself up to spammer attacks. I've got 7500 other
>messages that look just like the one above. The name Mark
>will change to simon or john or frank periodically, but
>the type of error I'm getting and the from @218.181.47.4
>is always the same. What did I do on my firewall that
>opened me up to attack?
>
>Spammers suck! and now so does my morning.
>
>Your advice and wisdom is greatly appreciated.
>
>Thanks,
>Mike Busch
>
>
>.
>
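
Added example, not part of either poster's message: a sketch of the decision an SMTP server makes for each RCPT TO, covering the directory-based recipient filtering described in the reply above and, as an assumption about the symptom in the quoted message, relay restriction for foreign domains. The domain, directory set and trusted network are constructed placeholders, and the set lookup stands in for an Active Directory query.

```python
import ipaddress

# Constructed policy data for illustration only.
LOCAL_DOMAINS = {"example.com"}
DIRECTORY = {"alice@example.com", "bob@example.com"}  # stand-in for an AD lookup
RELAY_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # internal clients only


def rcpt_decision(client_ip, rcpt, authenticated=False):
    """Return the SMTP reply a server would give to one RCPT TO command."""
    addr = rcpt.strip().strip("<>").lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return "501 5.1.3 Bad recipient address syntax"
    if domain in LOCAL_DOMAINS:
        # Recipient filtering: accept only mailboxes that exist in the directory,
        # so guessed names are refused during the SMTP session.
        if addr in DIRECTORY:
            return "250 2.1.5 Recipient OK"
        return "550 5.1.1 User unknown"
    # Foreign domain: relay only for trusted networks or authenticated clients.
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in RELAY_NETS):
        return "250 2.1.5 Relay permitted"
    return "550 5.7.1 Unable to relay"


def session_summary(client_ip, recipients, authenticated=False):
    """Tally accepted and rejected recipients for one SMTP session."""
    result = {"accepted": [], "rejected": []}
    for rcpt in recipients:
        reply = rcpt_decision(client_ip, rcpt, authenticated)
        key = "accepted" if reply.startswith("250") else "rejected"
        result[key].append((rcpt, reply))
    return result


if __name__ == "__main__":
    # Constructed session: an outside host names one real user, one guessed
    # user, and one address at a foreign domain.
    sample = ["<alice@example.com>", "<jeff@example.com>", "<someone@example.net>"]
    summary = session_summary("203.0.113.9", sample)
    for rcpt, reply in summary["accepted"] + summary["rejected"]:
        print(rcpt, "->", reply)
```

Rejecting at RCPT time means the server never accepts the message, so it has nothing to generate a non-delivery notification about later.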


