Re: Inside user spamming

From: exchangerookie1994 (exchangerookie1994_at_discussions.microsoft.com)
Date: 12/09/04

    Date: Wed, 8 Dec 2004 17:09:02 -0800
    
    

    With the help of MS support we figured out what was happening.
    The server was configured properly and the spam was not initiated from inside.
    Spammers were using a "rare" (MS tech's words) technique to use our SMTP as a
    spam relay.
    1. Spammer sent email to a non-existent user in our domain.
    2. Spammer gets the NDR back, modifies it to make it look like it came from us,
       and can send it where they want through our server.
    MS's fix was to disable NDRs in the org. I cleaned the SMTP queue
    and have not had a problem since. The MS tech said Exchange 2003 has some
    setting to combat this kind of attack.

    "Deji Akomolafe" wrote:

    > >>I think it has to be someone on inside (domain user).
    > Why do you think that? Because you disabled relay? Relay does not prevent
    > spam. Look in your queues folder and use notepad to open up some of the
    > items you see in there. You will be able to tell if they are locally-sourced
    > or from a dedicated spammer.
    >
    > Then, get a good anti-spam solution.
    >
    > --
    >
    >
    > Sincerely,
    >
    > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
    > Microsoft MVP - Directory Services
    > www.readymaids.com - we know IT
    > www.akomolafe.com
    > Do you now realize that Today is the Tomorrow you were worried about
    > Yesterday? -anon
    > "exchangerookie1994" <exchangerookie1994@discussions.microsoft.com> wrote in
    > message news:2A7EC9F3-1591-43E8-BD14-17ADBAE33E62@microsoft.com...
    > > I have set up an Exch2000 fresh load. I have locked relay capabilities to
    > > the local IP subnet. I have tested for open relay from outside - good. I
    > > have unchecked the allow authenticated users to relay setting. My SMTP
    > > queue is filling fast. Is there a utility/software to see where this mail
    > > is coming from? I think it has to be someone on inside (domain user). I
    > > have also turned on logging on MStransport - smtp protocol to maximum
    > > logging.
    > > Please help
    >
    >
    >
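
The queue inspection suggested in the quoted reply and the NDR abuse described in the first post can be combined into one triage step. The sketch below is an added example, not code from the thread or from Microsoft: it separates NDRs from ordinary mail and counts which outside domains the NDRs are addressed to and which local addresses bounced. It assumes queued items are readable as RFC 822 text and that NDRs use the RFC 3464 `multipart/report` layout; `example.com` and the sample messages are constructed.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

def triage(raw):
    """Return (kind, to_domain, failed_recipients) for one queued message."""
    msg = message_from_string(raw)
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    # RFC 3464: an NDR/DSN is multipart/report with report-type=delivery-status
    is_ndr = (msg.get_content_type() == "multipart/report" and
              str(msg.get_param("report-type", "")).lower() == "delivery-status")
    failed = []
    if is_ndr:
        for part in msg.walk():
            if part.get_content_type() == "message/delivery-status":
                # payload is a list of header blocks; per-recipient ones carry Final-Recipient
                for block in part.get_payload():
                    rcpt = block.get("Final-Recipient", "")
                    if rcpt:
                        failed.append(rcpt.split(";", 1)[-1].strip().lower())
    return ("ndr" if is_ndr else "ordinary"), to_domain, failed

def summarize(messages, local_domain):
    """Count NDRs leaving for outside domains and the local addresses that bounced."""
    kinds, outside, bounced = Counter(), Counter(), Counter()
    for raw in messages:
        kind, to_domain, failed = triage(raw)
        kinds[kind] += 1
        if kind == "ndr" and to_domain != local_domain:
            outside[to_domain] += 1
            bounced.update(failed)
    return kinds, outside, bounced

def make_ndr(to, bad):  # constructed sample NDR, not captured from a real server
    return (f"From: postmaster@example.com\nTo: {to}\n"
            "Subject: Delivery Status Notification (Failure)\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nDelivery failed.\n\n"
            "--b\nContent-Type: message/delivery-status\n\n"
            "Reporting-MTA: dns;mail.example.com\n\n"
            f"Final-Recipient: rfc822;{bad}\nAction: failed\nStatus: 5.1.1\n\n--b--\n")

SAMPLE_QUEUE = [  # constructed messages standing in for files from the queue folder
    make_ndr("a@example.net", "nosuchuser@example.com"),
    make_ndr("b@example.org", "nosuchuser@example.com"),
    "From: alice@example.com\nTo: bob@example.com\nSubject: lunch\n\nNoon?\n",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_QUEUE, "example.com"))
```

A queue dominated by NDRs addressed to many unrelated outside domains, all for local addresses that do not exist, matches the pattern described in the first post rather than an inside sender.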

