Re: seeking some further insight concerning bad mail
From: Lars (lib99_at_myway1.com)
Date: 03/21/04
- Next message: mmac: "Re: Migration instructions from PSS unclear. help?"
- Previous message: Matthew Kitchin: "Re: Is this possible??"
- In reply to: Fitz Crittle [MSFT]: "Re: seeking some further insight concerning bad mail"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 20 Mar 2004 19:56:01 -0500
Thank you very much for your reply, Fitz. Most of your recommendations are
already configured. However, I did not try turning on the SMTP logging. I
did now, and that may prove interesting.
~Lars
"Fitz Crittle [MSFT]" <fitzcrit@online.microsoft.com> wrote in message
news:%23ol96BeDEHA.3788@TK2MSFTNGP10.phx.gbl...
> First check the Default SMTP Virtual Server or SMTP Connector properties to
> ensure that it is not open for relay. If not, an account on the Exchange 2000
> server may have been compromised and could be being used to send
> authenticated relayed mail.
>
> To determine if an account is sending authenticated relayed mail:
> From the Exchange Server 2000 System Manager, right click on the Exchange
> Server object and choose Properties.
>
> On the Diagnostics Logging tab, enable logging to maximum for Transports,
> SMTP Protocol.
>
> Restart the SMTP Service.
>
> Examine the Application log and look for event 1708, this should show you
> the account Auth Login event which will indicate that this account is
> Authenticating with the Exchange server to send relayed e-mail from the
> server.
>
> If there is an account that is referenced in the Event 1708 and it is not
> being authenticated then the Guest account may be enabled.
>
> Always check to make sure the Guest account for the Domain/Server is
> disabled if possible, otherwise if the Default SMTP Virtual Server is
> allowing authenticated accounts to relay, then the Guest account will allow
> anyone to relay using any account name or password, even invalid ones.
>
> Next, depending on the customer environment, you have several ways to try and
> prevent this.
>
> If there are no POP3 clients involved that need to be able to relay, you
> should change the account password, possibly rename the account, and disable
> the check box for "Allow all computers which successfully authenticate to
> relay regardless of the list above"... in the Relay Restrictions dialog.
>
> If there are specific servers or clients that need to relay, add them to the
> list in the Relay Restrictions dialog.
>
> Once you have stopped the relaying from continuing, you will need to clean
> up and stop the existing SPAM from leaving the server:
>
> First let your users know not to send any mail to the Internet until this
> process is complete, then create an SMTP Connector called SPAM with a
> smarthost setting of [1.1.1.1], adding the local server's Default SMTP Virtual
> Server as the bridgehead, and an Address Space of *, and restart the SMTP
> service.
>
> This will cause all the Internet mail to queue up under the SPAM Connector
> queue, or a Destination unreachable queue, where you right click on these
> queues and select delete all messages (no NDR).
> Refresh, and continue doing this until no more mail is queuing up, and once
> it stops, you can delete the SPAM connector and restart the SMTP Service to
> return the server to normal operation.
>
> More Information:
> 310380 HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in
> Windows
> http://support.microsoft.com/?id=310380
>
> 266686 XCON: How to Configure a SMTP Virtual Server Part 1
> http://support.microsoft.com/?id=266686
>
> Thanks,
> Fitz Crittle
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send email to this address, post a reply to this newsgroup
>
> "Lars" <lib99@myway1.com> wrote in message
> news:OZRT0kRDEHA.3280@TK2MSFTNGP09.phx.gbl...
> > I have a single MS Exchange 2000 (SP3) server that is behind separate
> > external and internal Linux firewalls. Each of the 2 firewalls relays mail
> > into and out of the organization. I am confident that the firewalls are
> > locked down as well as can be.
> >
> > In the last 2 months I notice a lot of e-mails dispatched to the badmail
> > folder (currently about 40-70 items an hour). I've looked at many of them
> > and not surprisingly, they are messages that are sent mostly to AOL e-mail
> > users, Yahoo e-mail users and the likes. The return path and from address
> > has a nonsense user@ourdomain.com (where 'ourdomain.com' is our registered
> > domain name). So when these fraudulent mass mailings are rejected by the
> > recipient mail servers for whatever reason, they travel back to my exchange
> > server. With nowhere to go, they end up in bad mail.
> >
> > I have not changed any of my relay settings on the default virtual server or
> > my smtp connector. I read through the following article: Understanding
> > Relaying and Spam with Exchange 2000
> > http://www.msexchange.org/tutorials/MF005.html and my E2K server appears set
> > up correctly. The only 2 IP's I allow to relay are 2 internal subnet
> > addresses 192.168.1.x
> >
> > I can and do run a script to delete the items in badmail on a routine basis.
> > However, is there a means for refusing e-mail that is "returned" (despite
> > not originating from) ourdomain.com? It would seem like an oversight not
> > to have Exchange validate the address somehow.
> >
> > Thank you.
> >
> > ~Lars
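To put numbers on the backscatter Lars describes (bounces addressed to nonsense local parts at the organisation's own domain, which Exchange can neither deliver nor return and so drops into badmail), here is an added Python example that is not part of the thread: it classifies raw badmail messages by reverse path, sender and recipient, and tallies which forged local parts are being bounced. The mailbox list and the sample messages are constructed for illustration; the .BAD files in a real badmail folder are the raw messages this would read.

```python
import email
from email import policy
from email.utils import parseaddr
from collections import Counter

OUR_DOMAIN = "ourdomain.com"  # the domain placeholder used in the thread
# Hypothetical set of real mailboxes; in practice export this from the directory
VALID_LOCALPARTS = {"lars", "postmaster", "sales"}

def classify_badmail(raw):
    """Classify one raw badmail message (the contents of a .BAD file)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    local, _, domain = rcpt.partition("@")
    # A bounce carries a null reverse path (<>) or comes from the remote MTA's daemon
    is_bounce = return_path == "" or sender.split("@")[0] in ("mailer-daemon", "postmaster")
    if domain != OUR_DOMAIN:
        return "foreign-recipient", rcpt
    if local in VALID_LOCALPARTS:
        return ("bounce-to-real-user" if is_bounce else "mail-to-real-user"), rcpt
    # A bounce for a recipient that never existed here is backscatter from a forged sender
    return ("backscatter" if is_bounce else "unknown-recipient"), rcpt

def summarize(raw_messages):
    """Count each class and tally which forged local parts the remote servers bounce."""
    counts, forged = Counter(), Counter()
    for raw in raw_messages:
        kind, rcpt = classify_badmail(raw)
        counts[kind] += 1
        if kind == "backscatter":
            forged[rcpt] += 1
    return counts, forged

def _raw(return_path, sender, rcpt):
    # Build a minimal raw message; these samples are constructed, not real badmail
    return (f"Return-Path: {return_path}\r\nFrom: {sender}\r\nTo: {rcpt}\r\n"
            f"Subject: test\r\n\r\nbody\r\n").encode()

SAMPLE_BADMAIL = [
    _raw("<>", '"Mail Delivery System" <MAILER-DAEMON@mx.example.net>', "<v7tq@ourdomain.com>"),
    _raw("<>", "postmaster@mail.example.org", "q93kz@ourdomain.com"),
    _raw("<>", "MAILER-DAEMON@mx.example.net", "lars@ourdomain.com"),
    _raw("<someone@example.net>", "someone@example.net", "nobody@ourdomain.com"),
]

if __name__ == "__main__":
    counts, forged = summarize(SAMPLE_BADMAIL)
    print(dict(counts))
    print(forged.most_common())
```

A steady stream of "backscatter" entries confirms the From address is being forged elsewhere rather than relayed through the server, which is the distinction Fitz's event 1708 check is meant to draw.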