RE: Email being received on my renamed admin account
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Tue, 03 Jan 2006 02:01:13 GMT
Hi Adam,

Welcome to the SBS newsgroup.

Issue description:
============
I understand that you are receiving spam emails on the administrator account,
which you never use to send internet emails.

Analysis and suggestion:
=============
Generally speaking, the issue should be related to NDR attacks. The hacker
might try to send many emails to your Exchange server to test for the real
accounts that exist on your Exchange server. This is not an Exchange-side
issue; all mail servers encounter the same issue. Currently we cannot stop
such an issue, however we can try to reduce this kind of issue. You can refer
to my suggestion below to reduce the NDR attacks:

After Exchange SP1 we have a special design for Exchange server to reduce
the NDR attacks from the internet. Please refer to my suggestion below:

The issue might be caused by some incoming emails from outside trying to
search the AD on the SBS domain so that they can send spam emails. Exchange
will reply with an NDR to that user; if there are too many spam emails, the
outgoing queue will be full of NDR messages. Currently every kind of email
server encounters this problem. We cannot ultimately stop the issue, but we
can delay the behavior. You can refer to my suggestions below; they should
be helpful for your issue.

Tarpitting is supported by Windows Server and is installed as part of
Win2K3 SP1. The tarpitting registry value (shown below) should be set to
TarpitTime=5. This will delay SMTP address verification responses for 5
seconds, as recommended by the Exchange team.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
842851 SMTP tar pit feature for Microsoft Windows Server 2003
http://support.microsoft.com/?id=842851
The hotfix is also included in SBS 2003 SP1; you can check the KB article above.

After changing the registry value above, please also refer to my suggestions
below. I would like to give you some articles that can help protect your
Exchange server against spam emails.

If you just want to block email from particular senders, you can refer to
my suggestions below:
1. Please check the SMTP virtual server; right-click it and choose Properties.
2. On the Access tab, choose Connection Control and add the domain you
want to allow to access the SMTP virtual server.
3. Please also check the properties of Message Delivery; you can also set
rules there. (You can check the Message Delivery properties by opening
Exchange System Manager -> Global Settings -> Message Delivery.)

We also have a good free anti-spam software called IMF; please refer to the
information below:
Microsoft Exchange Intelligent Message Filter Deployment Guide
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx

Thanks for your efforts on this issue. If you have any further concerns,
please feel free to post back. I am glad to be of assistance.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
| Subject: Email being received on my renamed admin account
| Date: Mon, 2 Jan 2006 18:13:03 -0600
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi,
|
| Running a fully patched SBS2003 Standard box here with Exchange.
|
| Today I received several spam emails addressed to my renamed administrator
| account.
| The name on my admin account is not one that would be easily guessed and is
| not in any dictionary!
|
| My question is, how could someone have gotten my admin account name?
|
| I NEVER use that account to send email.
|
| The only port I have open to the server from the public is SMTP port 25.
| I do use the exchange server for some email but only from one regular user
| account.
|
| Is it possible that someone somehow was able to extract the admin account
| name?
|
| I'm baffled by this!
|
| I just can't figure this one out.
| Reviewing my exchange logs, I can see where the same spammer did send to a
| lot of common names like root, admin, webmaster, but sure as heck, my goofy
| admin account is also listed in the spammer's attempts!
|
| Anyone have a clue?
|
| This is the first spam I've ever received on my SBS box which I've had
| running since they started selling SBS!
|
| Thanks a bunch
|
|
|
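
Added example, not part of the original posts: a small detector for the address-probing pattern described in this thread (one client trying many recipient names such as root, admin, webmaster), run over SMTP service logs. The W3C field layout, the sample lines, the addresses and the `zq7admin` mailbox name are constructed assumptions; the parser reads whatever the `#Fields` line declares.

```python
from collections import defaultdict

# Constructed sample in the W3C extended format used by the IIS SMTP service.
# The field selection, the 192.0.2.x addresses, example.com and "zq7admin"
# (standing in for a renamed admin mailbox) are all assumptions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-01-02 23:50:02 192.0.2.10 RCPT - +TO:<root@example.com> 550
2006-01-02 23:50:03 192.0.2.10 RCPT - +TO:<admin@example.com> 550
2006-01-02 23:50:04 192.0.2.10 RCPT - +TO:<webmaster@example.com> 550
2006-01-02 23:50:05 192.0.2.10 RCPT - +TO:<ROOT@example.com> 550
2006-01-02 23:50:06 192.0.2.10 RCPT - +TO:<zq7admin@example.com> 250
2006-01-02 23:55:10 192.0.2.77 MAIL - +FROM:<bob@partner.example> 250
2006-01-02 23:55:11 192.0.2.77 RCPT - +TO:<alice@example.com> 250
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def harvest_suspects(text, min_recipients=4):
    """Map client IP -> (distinct recipients tried, of which rejected 5xx)."""
    tried = defaultdict(set)
    rejected = defaultdict(set)
    for entry in parse_w3c(text):
        query = entry.get("cs-uri-query", "")
        if entry.get("cs-method", "").upper() != "RCPT" or "<" not in query:
            continue
        rcpt = query[query.index("<") + 1:].split(">")[0].lower()
        ip = entry.get("c-ip", "-")
        tried[ip].add(rcpt)
        # Whether unknown recipients are refused at RCPT time depends on the
        # server's configuration, so the flag is keyed on distinct recipients.
        if entry.get("sc-status", "").startswith("5"):
            rejected[ip].add(rcpt)
    return {ip: (len(r), len(rejected[ip]))
            for ip, r in tried.items() if len(r) >= min_recipients}

if __name__ == "__main__":
    for ip, (n, bad) in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct recipients probed, {bad} rejected")
```

The `min_recipients` threshold is a tuning knob; set it above the largest recipient count a legitimate sending host reaches in the log window being reviewed.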