Re: Were we an open relay, NDR's or glitch? SBS 2003 Exchange
- From: "Gregg Hill" <bogus@xxxxxxxxxxx>
- Date: Wed, 19 Oct 2005 10:28:29 -0700
You got hit by a reverse NDR attack.
http://support.microsoft.com/default.aspx?scid=kb;en-us;886208
Be sure to do the tarpit also.
Gregg Hill
<mjseeley@xxxxxxxxx> wrote in message
news:1129478340.777750.185530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi all,
>
> Well I've looked around but can't find the exact symptoms we had. The
> other day the net connection got very slow, caused by a load of data
> being sent from the server (2003 SBS). On inspection I found Exchange
> had queues with thousands of emails in them. My initial thought was
> that I was an open relay. However, I'm not so sure.
>
> On inspection, ALL of the around 8000 emails in the queues were to one
> of two addresses. One was an AOL account and one a Demon account, both
> clients of ours. There were a load of identical emails going to the
> Demon address, then another load of emails going to the AOL address.
> Finally there were a load of emails from postmaster@mydomain to one of
> them (can't remember which one now).
>
> So I'm thinking if we were an open relay we'd be sending emails all
> over the place, not just to two people we know. If we were just
> sending NDRs then surely they'd all be from postmaster. So why did we
> end up sending the other emails?
>
> I did notice when going through clearing the queues that in the SMTP
> section in Exchange that as well as 192.168.0.1 being authorised, so
> was 127.0.0.1, and I'd read that this can make the server an open
> relay. I have disabled 127.0.0.1 just in case.
>
> Does anyone actually know what went on here?
>
> Many thanks.
> Mark
>
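Added example (not part of the original thread): a queue triage sketch that separates the two hypotheses discussed above, open relay versus NDR backscatter, by looking at envelope senders and recipient concentration. The domain names, the (sender, recipient) record layout and the thresholds are assumptions made for illustration; the sample queue is constructed.

```python
from collections import Counter

LOCAL_DOMAIN = "mydomain.example"  # assumption: placeholder for the server's own domain

# Constructed sample of outbound queue entries: (envelope sender, recipient).
SAMPLE_QUEUE = (
    [("<>", "victim1@aol.example")] * 40
    + [("postmaster@mydomain.example", "victim2@demon.example")] * 35
    + [("user@mydomain.example", "client@partner.example")] * 5
)

def domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].strip("<>").lower() if "@" in addr else ""

def is_dsn_sender(sender):
    """NDRs carry a null envelope sender (<>) or the local postmaster."""
    s = sender.strip().lower()
    return s in ("", "<>") or s == "postmaster@" + LOCAL_DOMAIN

def triage(queue, top_n=2):
    """Summarise a queue and suggest which pattern it matches."""
    total = len(queue)
    if total == 0:
        return {"total": 0, "ndr": 0, "relayed": 0, "top_share": 0.0,
                "verdict": "inconclusive"}
    ndr = sum(1 for s, _ in queue if is_dsn_sender(s))
    # Relayed: neither the sender nor the recipient belongs to the local domain.
    relayed = sum(1 for s, r in queue
                  if not is_dsn_sender(s)
                  and domain(s) != LOCAL_DOMAIN and domain(r) != LOCAL_DOMAIN)
    rcpts = Counter(r.lower() for _, r in queue)
    top_share = sum(c for _, c in rcpts.most_common(top_n)) / total
    # Thresholds are illustrative assumptions, not vendor guidance.
    if relayed / total > 0.5:
        verdict = "possible open relay"
    elif ndr / total > 0.5 and top_share > 0.8:
        verdict = "NDR backscatter (reverse NDR pattern)"
    else:
        verdict = "inconclusive"
    return {"total": total, "ndr": ndr, "relayed": relayed,
            "top_share": top_share, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_QUEUE))
```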