Re: Is Exchange reporting the rejection of Open Relay?
From: Jim Behning SBS MVP (jimbehingmvp_at_mindspring.com)
Date: 04/27/04
- In reply to: anonymous_at_discussions.microsoft.com: "Is Exchange reporting the rejection of Open Relay?"
Date: Tue, 27 Apr 2004 13:01:31 GMT
NDR reports. Your Exchange server postmaster is trying to send out messages to people stating that the person in the To: address is not found in your domain. There are some clicks in Exchange to reduce the amount of NDRs.
Here is something Les Connor recommended. I saw the same stuff in one of my Exchange books the same time he was posting. His steps just made more sense.
Quote
Hi Clevere,
This reply is a little more than you need, hope you don't mind. But the answer is contained within ;-). I was hoping to clean it up a bit before posting (but that may never happen). It's relevant to several recent posts.
Basically, I've been trying to get the best spam/antivirus protection I can with SBS2k3 OOB and Trend Micro CSM SMB - no other third party products.
If you don't use CSM, then just ignore those parts. I have been experimenting with this configuration for a while, and am very pleased with the present result.
<snip>
I believe I have this under control presently. Possibly at the expense of a few legit emails (but very few, if any).
Without any third party apps except Trend CSM - here is what I use.
1. Exchange
a) Internet Message Format
Advanced Tab
Disallow:
Out of Office responses
Automatic replies
Automatic forward
Delivery Reports
non-delivery Reports
Allow:
Preserve sender's display name on message.
b) Message Delivery > properties
Sender Filtering Tab
Filter messages with blank sender
Drop connection if address matches filter
Recipient Filtering Tab
Filter recipients who are not in the directory
c) Default SMTP Server
| General | Advanced | Edit (all unassigned)
Apply Sender Filter (although I have no filters presently)
Apply Recipient Filter
Apply Connection Filter (although I have none of these either, presently)
Messages Tab
Send copy of NDR reports is blank.
2. Trend Scanmail eManager
a) Antispam
Enabled
Threshold: High
Action: Quarantine
Notifications Button: None
Approved Senders Button: I have had to add a few to the list, but not many - mostly list subscriptions.
Blocked Senders Button: None - useless against a reasonably competent spammer.
b) Content Filter
Anti-spam, hoaxes, chainmail, and Melissa Virus enabled.
The other items will do a *lot* of blocking - too much when your threshold is set to high.
c) Update
The automatic updates don't work. No reason, no error. But the Update button does. I've been meaning to take this up with Trend, but haven't yet looked into it. There are reasonably frequent updates, and they do make a difference. I update whenever I think of it, generally at least monthly.
d) Log Files
Log files are daily, set to delete after 30 days. The reporting is useful here, especially for initial tuning.
3. Scanmail
a) Options
Attachment Blocking is *not* enabled in Scanmail, but it is in Exchange. I think you want to go with one or the other, not both. I may turn off attachment blocking in Exchange, and instead do it in Scanmail as there are more options in Scanmail.
Virus actions are set to delete, delete, delete, delete.
b) Active Message Filter
Filter Inbound Messages *see Outlook section for a note.
c) Notification
virus scan - windows event log only
outbreak alert - email me, and event log.
attachment blocking - windows event log.
d) Quarantine Manager
This is where you go to check on the blocked items, including eManager spam blocked mail. You spend some time here initially tuning things for your environment.
Quarantine Maintenance is set to delete at 7 days. Works well.
4. Outlook
Junk Mail was identifying about 50% of what got through to the mailbox with Scanmail Filter Inbound turned OFF, and the old junk mail pattern file (or whatever they call it).
A new junk mail pattern file was released (office update) not long ago, I installed it a few days ago. This has caught 100% of what got through to the mailbox, no false positives thus far.
With the Scanmail Filter Inbound turned ON, you can even keep your junk mail folder almost empty by letting Scanmail handle attachment blocking instead of Exchange. Much of the junk mail that does get through has attachments, mostly replaced by either Exchange (blocked att. type) or Scanmail (virus). With Scanmail doing attachment blocking, you can elect to kill these before they come to the mail store.
Notes: (these are out of date, and system specific - just examples - YMMV).
In the past 48 hours, my inbox has been 100% clean of junk. Junk Mail folder has about 100 that made it through the Exchange, eManager, and Scanmail filters. (this is with Scanmail Filter Inbound Off)
**** New info - with the Scanmail Filter Inbound *on*, junk mail has been reduced to about 10 per 24 hours. I've been checking the blocked emails in Scanmail console, and have been pleasantly surprised at the lack of false positives.
The exchange server has about 25 mailboxes, there are 3 or 4 heavy email users, and about 10 very heavily spammed addresses.
eManager filtered out 392 emails.
Scanmail scanned 1341 emails, 19 had viruses and were deleted.
Presently, I'm happy with the tools I have ;-).
--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !
endquote

<anonymous@discussions.microsoft.com> wrote:
>I ran the tests as outlined in "324958 - How to block Open
>SMTP Relaying..." and all appeared well.
>
>When I opened the Exchange Server Queues, I saw several
>entries Labelled "SmallBusiness SMTP connector - aaa.com"
>where aaa.com represents one of the several domain names.
>
>Associated with these queues, I noticed "Additional queue
>information", in the status bar area, the following
>messages:
>- The connection was dropped due to an SMTP protocol event
>sink.
>- The connection was dropped by the remote host.
>- The remote server did not respond to a connection
>attempt.
>- An SMTP protocol error occurred.
>- No additional information available.
>
>Do these messages mean it is working? I believe the
>sender for all the messages in these queues is
>postmaster@netopps.com (netopps.com is my domain).
>
>P.S. - I'd like to try to learn more about the meaning of
>these messages.
>
>Thanks!

Jim B. SBS MVP
remove the mvp to send email
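One way to confirm that the "Filter recipients who are not in the directory" and "Filter messages with blank sender" settings from the quoted steps are being applied during the SMTP session, so that no NDR is queued afterwards. This is an added example, not part of the original posts: the `example.test` addresses, the `StubServer` class and its reply codes are constructed stand-ins, and `probe_host` is meant for a server you administer.

```python
import smtplib

def classify(code):
    """Interpret the reply code to MAIL FROM or RCPT TO."""
    if 200 <= code < 300:
        return "accepted"   # taken now; an unknown user means an NDR later
    if 500 <= code < 600:
        return "rejected"   # refused in-session; no NDR is queued
    return "deferred"       # 4xx or unexpected: inconclusive

def probe(smtp, sender, recipients, helo="probe.example.test"):
    """EHLO, then MAIL FROM / RCPT TO / RSET per address. Never sends DATA."""
    smtp.ehlo(helo)
    results = {}
    for rcpt in recipients:
        verdict = classify(smtp.mail(sender)[0])
        if verdict != "accepted":
            results[rcpt] = "sender " + verdict
        else:
            results[rcpt] = classify(smtp.rcpt(rcpt)[0])
        smtp.rset()
    return results

def probe_host(host, sender, recipients, port=25):
    """Run the same probe against a server you administer."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        return probe(smtp, sender, recipients)

def recipient_filter_active(results, valid, bogus):
    """True only if the real mailbox is accepted and the made-up one refused."""
    return results.get(valid) == "accepted" and results.get(bogus) == "rejected"

class StubServer:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, known, filter_unknown, filter_blank=False):
        self.known = set(known)
        self.filter_unknown, self.filter_blank = filter_unknown, filter_blank
    ehlo = rset = lambda self, *args: (250, b"ok")
    def mail(self, sender):
        return (554, b"refused") if self.filter_blank and not sender else (250, b"ok")
    def rcpt(self, addr):
        return (550, b"unknown") if self.filter_unknown and addr not in self.known else (250, b"ok")

VALID, BOGUS = "postmaster@example.test", "no-such-user@example.test"  # constructed

def demo():
    runs = [probe(StubServer([VALID], on), "tester@example.org", [VALID, BOGUS])
            for on in (False, True)]
    return tuple(recipient_filter_active(r, VALID, BOGUS) for r in runs)
```

Passing an empty string as `sender` makes smtplib send `MAIL FROM:<>`, which is how the blank-sender filter can be checked with the same function.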