Re: Email being received on my renamed admin account
- From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
- Date: Tue, 3 Jan 2006 00:31:09 -0600
Hi Charles!
Thanks for the info!
I applied the tarpit key into the registry.
I'd still like to know how someone could have even guessed my admin name.
Is it possible to get a response back from AD showing my admin name when a
spammer tries a lot of times?
Also thanks for the link concerning IMF.
I wanted to point out that the link you provided is not correct!
The correct link for the IMF Deployment Guide is now
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx
Thanks again,
Adam
"Charles Yang [MSFT]" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eFdGfmAEGHA.3384@xxxxxxxxxxxxxxxxxxxxxxxx
> HI Adam,
>
> Welcome to SBS newsgroup.
>
> Issue description:
> ============
>
> I understand that you receive the spam emails on the administrator account
> which you never use to send internet emails.
>
> Analyzing and suggestion:
> =============
>
> Generally speaking, the issue should be related to NDR attacks. The hacker
> might try to send as many emails as possible to your Exchange server to test
> which real accounts exist on your Exchange server. This is not an
> Exchange-side issue; all mail servers encounter the same issue. Currently we
> cannot stop such an issue, however we can try to reduce this kind of issue.
> You can refer to my suggestion below to reduce the NDR attacks:
>
> After Exchange SP1 we have a special design for Exchange server to reduce
> the NDR attacks from the internet. Please refer to my suggestion below:
>
> The issue might be caused by some incoming emails from outside trying to
> search the AD on the SBS domain, so that they send spam emails and Exchange
> replies with an NDR to that user. If there are too many spam emails, the
> outgoing queue will be full of NDR messages. Currently every kind of email
> server will encounter such a problem; we cannot stop the issue eventually,
> but we can delay the behavior. You can refer to my suggestions below; they
> should be helpful for your issue.
>
> Tarpitting is supported by Windows Server and is installed as part of
> Win2K3 SP1. The tarpitting registry value (shown below) should be set to
> TarpitTime=5. This will delay SMTP address verification responses for 5
> seconds, as recommended by the Exchange team.
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
>
> 842851 SMTP tar pit feature for Microsoft Windows Server 2003
> http://support.microsoft.com/?id=842851
>
> The hotfix is also included in SBS 2003 SP1; you can check the KB article
> above.
>
> After changing the registry above, please also refer to my suggestion
> below. I would like to give you some articles that can help protect your
> Exchange server against spam emails.
>
> If you just want to block the email from special senders, you can refer to
> my suggestions below to check it:
>
> 1. Please check the SMTP virtual server; right-click it and choose Properties.
> 2. In the Access tab, choose Connection Control and add the domain you
> want to allow to access the SMTP virtual server.
> 3. Please also check the properties of Message Delivery; you can also set
> the rules there. (You can check the Message Delivery properties by opening
> Exchange System Management -> Global Settings -> Message Delivery.)
>
> We also have a good free anti-spam software called IMF; please refer to the
> information below:
>
> Microsoft Exchange Intelligent Message Filter Deployment Guide
> http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx
>
> Thanks for your efforts in this issue, if you have any further concern,
> please feel free to post back. I am glad to be of assistance.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> --------------------
> | From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
> | Subject: Email being received on my renamed admin account
> | Date: Mon, 2 Jan 2006 18:13:03 -0600
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Hi,
> |
> | Running a fully patched SBS2003 Standard box here with Exchange.
> |
> | Today I received several spam emails addressed to my renamed administrator
> | account.
> | The name on my admin account is not one that would be easily guessed and
> | is not in any dictionary!
> |
> | My question is, how could someone have gotten my admin account name?
> |
> | I NEVER use that account to send email.
> |
> | The only port I have open to the server from the public is SMTP port 25.
> | I do use the Exchange server for some email but only from one regular
> | user account.
> |
> | Is it possible that someone somehow was able to extract the admin
> | account name?
> |
> | I'm baffled by this!
> |
> | I just can't figure this one out.
> | Reviewing my Exchange logs, I can see where the same spammer did send to
> | a lot of common names like root, admin, webmaster, but sure as heck, my
> | goofy admin account is also listed in the spammer's attempts!
> |
> | Anyone have a clue?
> |
> | This is the first spam I've ever received on my SBS box which I've had
> | running since they started selling SBS!
> |
> | Thanks a bunch
> |
> |
> |
>
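As an added illustration, not part of the thread: the account probing Charles describes shows up in the SMTP service log as one client issuing many RCPT TO commands, most answered 550 (unknown recipient) and a few 250 (accepted), which is exactly how an unguessable admin name gets confirmed. The Python below flags such clients in W3C-style SMTP log lines and lists which mailboxes the probe confirmed; the column layout, addresses and log lines are constructed assumptions, not the poster's real logs.

```python
"""Flag SMTP directory-harvest (NDR attack) behaviour in W3C-style SMTP logs."""
import re
from collections import defaultdict

# Constructed sample log in a simplified W3C layout (an assumption, not a real
# Windows SMTP log): date time c-ip cs-method cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-01-02 18:05:10 203.0.113.7 MAIL FROM:<bounce@spam.invalid> 250
2006-01-02 18:05:10 203.0.113.7 RCPT TO:<root@example.com> 550
2006-01-02 18:05:11 203.0.113.7 RCPT TO:<admin@example.com> 550
2006-01-02 18:05:11 203.0.113.7 RCPT TO:<webmaster@example.com> 550
2006-01-02 18:05:12 203.0.113.7 RCPT TO:<postmaster@example.com> 250
2006-01-02 18:05:12 203.0.113.7 RCPT TO:<xq7admin@example.com> 250
2006-01-02 18:05:13 203.0.113.7 RCPT TO:<sales@example.com> 550
2006-01-02 18:06:00 198.51.100.20 MAIL FROM:<alice@partner.example> 250
2006-01-02 18:06:00 198.51.100.20 RCPT TO:<bob@example.com> 250
"""

RCPT_RE = re.compile(r"TO:<([^>]+)>", re.IGNORECASE)


def parse_rcpt_events(log_text):
    """Yield (client_ip, recipient, smtp_status) for every RCPT TO line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip blanks and W3C directives
            continue
        parts = line.split()
        if len(parts) < 6 or parts[3].upper() != "RCPT":
            continue
        match = RCPT_RE.search(parts[4])
        if match:
            yield parts[2], match.group(1).lower(), int(parts[5])


def find_harvesters(log_text, min_rcpt=5, min_unknown_ratio=0.5):
    """Return {client_ip: stats} for clients that tried at least min_rcpt
    recipients with at least min_unknown_ratio of them rejected as unknown
    (550). The 'accepted' list holds the real mailboxes the probe confirmed,
    which is what the mailbox owner wants to know after such an attack."""
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0, "accepted": []})
    for ip, rcpt, status in parse_rcpt_events(log_text):
        entry = stats[ip]
        entry["attempts"] += 1
        if status == 550:
            entry["unknown"] += 1
        elif status == 250:
            entry["accepted"].append(rcpt)
    return {ip: e for ip, e in stats.items()
            if e["attempts"] >= min_rcpt
            and e["unknown"] / e["attempts"] >= min_unknown_ratio}
```

Running `find_harvesters(SAMPLE_LOG)` on the constructed log flags only 203.0.113.7 (six recipients tried, four unknown) and reports the two addresses it confirmed, the pattern a tarpit delay is meant to slow down.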