Re: Another HUGE number of email sent


From: Frustrated Poster. (anonymous_at_discussions.microsoft.com)
Date: 08/17/04


Date: Tue, 17 Aug 2004 07:47:19 -0700

The first time I installed SBS2k, I did it by the books,
totally default, as suggested by MS.

Three and a half months later, their server was being used
as a Spam Relay. I called MS, and was told there was no
way SBS2k could be used as a spam relay as it was
designed, by default, not to do so. Though since I bought
the server from Dell, I had to call them for further
support.

Dell told me that since I was three months out from
purchase, our support on the OS and applications had
lapsed. Cost me $$$ for support. Anyhow, they helped us
plug the hole, and then suggested we install Exch-SP2
ASAP. The next week I did so, and left. A week later they
were being used as a relay again. For some reason SP2
undid the fixes we had employed. Lucky I had written the
process down!

>-----Original Message-----
>Just a thought - are you sure you're not an open relay???
>
>Have you ensured your external interface is not configured to allow mail
>relay?
>
>I had that problem when I first set up SBS & the spammers found it!
>
>Rick
>
>"Jim Duncan" <nospam@leavemealone.pls> wrote in message
>news:Ok5O5P9gEHA.3864@TK2MSFTNGP10.phx.gbl...
>> Thanks, Jonathan and Susan for the pointers.
>>
>> Jonathan,
>> I've followed the steps to 'Determine Whether the Exchange Server Is an
>> Open SMTP Relay' (it isn't) and the steps to 'Determine Whether an
>> Authenticated User is Relaying' (nothing so far).
>> The BadMail folder was still empty (I deleted all 6 items from there on
>> Thursday), and the Queues are empty.
>>
>> Susan,
>> The eTrust Antivirus Realtime scanner has caught quite a number of
>> NetSkys, MyDooms, Bagels, etc. Even some Unknown.Trojans (and
>> automatically reported these, with samples, back to Computer Associates
>> for study). This coupled with Exchange attachment blocking and the
>> attachment blocking on the client side (Outlook) leave me feeling pretty
>> good on the Anti-Virus front, though I will try your recommendation to
>> trap some emails.
>>
>> I've even poked around in the SMTP logs and didn't notice anything
>> unusual.
>> The average (daily) log size is about 300k with the largest being only
>> 1 MB.
>> Since each outgoing message creates about 4 lines in the log file, I
>> would think that 3 million outgoing messages would create VERY large
>> log files.
>>
>> All of this, along with the fact that others are reporting the same kind
>> of thing there in the newsgroup, leads me to believe that there is some
>> kind of error in the process that generates the usage report.
>>
>> Any thoughts?
>>
>> -Jim
>>
>>
>>
>> "susan" <smcrey@mindspring.com> wrote in message
>> news:OO0sOX8gEHA.2908@TK2MSFTNGP10.phx.gbl...
>> > Jim,
>> > I use eTrust also and have had to manually control virus issues. Had the
>> > very same problem you did. I find the CA eTrust Mail Option is useless
>> > and have had to put another line of defense in place.
>> >
>> > Try to trap some emails (using some filtering software -- I'm using
>> > Policy Patrol right now and LOVE it)...then, run scans on the directory
>> > you trapped them in and you will probably find infection (I did). I
>> > researched the virus and manually removed reg entries etc.
>> >
>> > I wouldn't trust your security solution if it relies only on the eTrust
>> > antivirus program.
>> >
>> > Susan
>> >
>> >
>> > "Jonathan Lotman [MSFT]" <a-jonlot@online.microsoft.com> wrote in message
>> > news:LKcO3S8gEHA.2416@cpmsftngxa06.phx.gbl...
>> > > It's highly possible that you have a compromised user account that is
>> > > being used to authorize as an open relay. Knowledge Base article
>> > > 324958 (http://support.microsoft.com/?id=324958) will show you how to
>> > > isolate who the user is, how to clean up the server, and how to
>> > > prevent future misuse of the server in this fashion.
>> > >
>> > > Thank you,
>> > > --------------------------
>> > > Jonathan Lotman
>> > > Microsoft Online Support Engineer
>> > >
>> > > Microsoft Corporation
>> > > Get Secure! - www.microsoft.com/security
>> > >
>> > >
>> > > =====================================================
>> > > When responding to posts, please "Reply to Group" via
>> > > your newsreader so that others may learn and benefit
>> > > from your issue.
>> > > =====================================================
>> > >
>> > > --------------------
>> > > | From: "Jim Duncan" <nospam@leavemealone.pls>
>> > > | Subject: Another HUGE number of email sent
>> > > | Date: Mon, 16 Aug 2004 10:58:15 -0700
>> > > | Lines: 12
>> > > | Organization: Collutions, Inc.
>> > > | X-Priority: 3
>> > > | X-MSMail-Priority: Normal
>> > > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
>> > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>> > > | Message-ID: <eKppbq7gEHA.3992@TK2MSFTNGP11.phx.gbl>
>> > > | Newsgroups: microsoft.public.windows.server.sbs
>> > > | NNTP-Posting-Host: adsl-63-198-201-54.dsl.snfc21.pacbell.net 63.198.201.54
>> > > | Path:
>> > >
>> >
>>
>cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!
TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11
>> > > phx.gbl
>> > > | Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.sbs:97513
>> > > | X-Tomcat-NG: microsoft.public.windows.server.sbs
>> > > |
>> > > | Hello group,
>> > > |
>> > > | The biweekly usage report shows 2,985,943 (that's almost 3 million)
>> > > | with a total size of 1,704,353.5 MB external e-mails sent by one user
>> > > | in two weeks.
>> > > | Must I assume that his computer is infected (running fully updated
>> > > | eTrust antivirus) or is there perhaps something wrong with the usage
>> > > | report processing?
>> > > |
>> > > | Thanks,
>> > > | Jim
>> > > |
>> > > |
>> > > |
>> > >
>> >
>> >
>>
>>
>
>
>.
>
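
An added example, not posted by anyone in this thread: one way to cross-check the usage report and the relay question against the SMTP logs themselves is to count accepted RCPT commands addressed to non-local domains, per client IP. The column layout, sample lines, domain names and function names below are constructed assumptions; the parser follows the log's own `#Fields:` directive, so it adapts to whatever columns a real W3C extended log carries.

```python
import re
from collections import Counter

# Constructed sample in W3C extended format (columns and values are assumptions).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-08-16 10:00:01 192.168.16.20 MAIL +FROM:<jim@example.test> 250
2004-08-16 10:00:01 192.168.16.20 RCPT +TO:<pat@partner.test> 250
2004-08-16 10:02:10 203.0.113.9 MAIL +FROM:<x@bulk.test> 250
2004-08-16 10:02:10 203.0.113.9 RCPT +TO:<a@remote1.test> 250
2004-08-16 10:02:11 203.0.113.9 RCPT +TO:<b@remote2.test> 250
2004-08-16 10:02:11 203.0.113.9 RCPT +TO:<c@remote3.test> 250
2004-08-16 10:03:00 198.51.100.7 RCPT +TO:<d@remote4.test> 550
2004-08-16 10:04:00 198.51.100.7 RCPT +TO:<jim@example.test> 250
"""

ADDR = re.compile(r"<[^<>@\s]*@([^<>\s]+)>")

def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def relayed_by_client(text, local_domains):
    """Count accepted (2xx) RCPT commands to non-local domains, per client IP."""
    local = {d.lower() for d in local_domains}
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # rejected recipients are not relayed mail
        m = ADDR.search(rec.get("cs-uri-query", ""))
        if m and m.group(1).lower() not in local:
            counts[rec["c-ip"]] += 1
    return counts

def classify(counts, internal_prefixes, threshold):
    """Outside clients sending to outside domains are relaying; inside ones are flagged by volume."""
    report = {}
    for ip, n in counts.items():
        if not ip.startswith(tuple(internal_prefixes)):
            report[ip] = "relayed-for-outside-client"
        elif n >= threshold:
            report[ip] = "high-volume-internal-sender"
    return report
```

Any outside client in the result means the server accepted mail for a foreign domain from a foreign host, whether through an open relay or an authenticated account; a total far below the usage report's figure supports the report being wrong rather than the mail having been sent.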


