Re: Email being received on my renamed admin account




Hi Adam,

Thanks for letting us know that my information was helpful to you. I am
sorry for the wrong link.

For the administrator account issue, I can give you an example. As I know,
most spam senders will try to send as much spam as possible to one email
domain; for some of the emails they will get an NDR while for others they
will not, and then they will know which accounts exist on this email
domain. Please understand that they use special tools to send the spam
email so that they can send thousands of spam emails to one email domain at
the same time, so it might be a really bad issue. With the tarpit function,
we cannot resolve the spam issue completely, but we can delay the NDR
response, for example by 10 or 30 seconds after they send the spam emails;
then most spam senders will give up guessing the existing email accounts on
this email domain.

I hope the above information is helpful. Please let me know if you have any
further concerns on this issue. I am glad to be of help.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
| References: <OyVZ4p$DGHA.2424@xxxxxxxxxxxxxxxxxxxx> <eFdGfmAEGHA.3384@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Email being received on my renamed admin account
| Date: Tue, 3 Jan 2006 00:31:09 -0600
| Lines: 201
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| Message-ID: <eyfNK9CEGHA.1312@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: adsl-66-140-203-41.dsl.stlsmo.swbell.net 66.140.203.41
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:233649
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi Charles!
|
| Thanks for the info!
| I applied the tarpit key into the registry.
|
| I'd still like to know how someone could have even guessed my admin name.
| Is it possible to get a response back from AD showing my admin name when
| a spammer tries a lot of times?
|
| Also thanks for the link concerning IMF.
| I wanted to point out that the link you provided is not correct!
| The correct link for the IMF Deployment Guide is now
|
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy
mspx
|
| Thanks again,
|
| Adam
|
| ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:eFdGfmAEGHA.3384@xxxxxxxxxxxxxxxxxxxxxxxx
| > HI Adam,
| >
| > Welcome to SBS newsgroup.
| >
| > Issue description:
| > ============
| >
| > I understand that you receive spam emails on the administrator account,
| > which you never use to send internet emails.
| >
| > Analyzing and suggestion:
| > =============
| >
| > Generally speaking, the issue should be related to NDR attacks. The
| > hacker might try to send as many emails as possible to your Exchange
| > server to test which real accounts exist on your Exchange server. This
| > is not an Exchange-side issue; all mail servers encounter the same
| > issue. Currently we cannot stop such issues, however we can try to
| > reduce this kind of issue. You can refer to my suggestion below to
| > reduce the NDR attacks:
| >
| > After Exchange SP1 we have a special design for Exchange server to
| > reduce the NDR attacks from the internet. Please refer to my suggestion
| > below:
| >
| > The issue might be caused by some incoming emails from outside trying to
| > search the AD on the SBS domain so that they can send spam emails.
| > Exchange will reply with an NDR to that user; if there are too many spam
| > emails, the outgoing queue will be full of NDR messages. Currently every
| > kind of email server will encounter such a problem. We cannot stop the
| > issue eventually, but we can delay the behavior. You can refer to my
| > suggestions below; they should be helpful for your issue.
| >
| > Tarpitting is supported by a Windows Server, which is installed as part
| > of Win2K3 SP1. The tarpitting registry value (shown below) should be set
| > to TarpitTime=5. This will delay SMTP address verification responses for
| > 5 seconds, as recommended by the Exchange team.
| >
| > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
| >
| > 842851 SMTP tar pit feature for Microsoft Windows Server 2003
| > http://support.microsoft.com/?id=842851
| >
| > The hotfix is also included in SBS 2003 SP1; you can check the KB article
| > above.
| >
| > After changing the registry above, please also refer to my suggestion
| > below. I would like to give you some articles that can help protect your
| > Exchange server beyond the spam emails.
| >
| > If you just want to block the email from special senders, you can refer
| > to my suggestions below to check it:
| >
| > 1. Please check the SMTP virtual server; right-click it and choose
| >    Properties.
| > 2. In the Access tab, choose Connection Control and add the domain you
| >    want to allow to access the SMTP virtual server.
| > 3. Please also check the properties of Message Delivery; you can also set
| >    the rules there. (You can check the Message Delivery properties by
| >    opening Exchange System Management -> Global setting -> Message
| >    Delivery.)
| >
| > We also have a good free anti-spam software called IMF; please refer to
| > the information below:
| >
| > Microsoft Exchange Intelligent Message Filter Deployment Guide
| >
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy
| > mspx
| >
| > Thanks for your efforts in this issue, if you have any further concern,
| > please feel free to post back. I am glad to be of assistance.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
| > | Subject: Email being received on my renamed admin account
| > | Date: Mon, 2 Jan 2006 18:13:03 -0600
| > | Lines: 35
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| > | Message-ID: <OyVZ4p$DGHA.2424@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: adsl-66-140-203-41.dsl.stlsmo.swbell.net 66.140.203.41
| > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:233582
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | Hi,
| > |
| > | Running a fully patched SBS2003 Standard box here with Exchange.
| > |
| > | Today I received several spam emails addressed to my renamed
| > | administrator account.
| > | The name on my admin account is not one that would be easily guessed
| > | and is not in any dictionary!
| > |
| > | My question is, how could someone have gotten my admin account name?
| > |
| > | I NEVER use that account to send email.
| > |
| > | The only port I have open to the server from the public is SMTP port
| > | 25.
| > | I do use the exchange server for some email but only from one regular
| > | user account.
| > |
| > | Is it possible that someone somehow was able to extract the admin
| > | account name?
| > |
| > | I'm baffled by this!
| > |
| > | I just can't figure this one out.
| > | Reviewing my exchange logs, I can see where the same spammer did send
| > | to a lot of common names like root, admin, webmaster, but sure as heck,
| > | my goofy admin account is also listed in the spammer's attempts!
| > |
| > | Anyone have a clue?
| > |
| > | This is the first spam I've ever received on my SBS box which I've had
| > | running since they started selling SBS!
| > |
| > | Thanks a bunch
| > |
| > |
| > |
| >
|
|
|
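
The address-guessing pattern discussed in this thread (one sender trying many recipient names and learning which ones exist) can be spotted in the SMTP log. The script below is an added example, not part of the original posts: it reads a W3C extended log using its `#Fields:` line and flags client IPs that tried many distinct recipients. The sample log lines, the field selection, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread); the logged fields are an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-01-02 18:01:03 203.0.113.7 RCPT +TO:<root@example.test> 550
2006-01-02 18:01:03 203.0.113.7 RCPT +TO:<admin@example.test> 550
2006-01-02 18:01:04 203.0.113.7 RCPT +TO:<webmaster@example.test> 550
2006-01-02 18:01:04 203.0.113.7 RCPT +TO:<xq7adm@example.test> 250
2006-01-02 18:01:05 203.0.113.7 RCPT +TO:<info@example.test> 550
2006-01-02 18:07:41 198.51.100.20 MAIL +FROM:<alice@partner.test> 250
2006-01-02 18:07:41 198.51.100.20 RCPT +TO:<bob@example.test> 250
"""

RCPT_RE = re.compile(r"TO:<([^>]+)>", re.IGNORECASE)

def harvest_suspects(log_text, min_recipients=4):
    """Return {client_ip: stats} for IPs that tried many distinct recipients."""
    fields = []
    tried = defaultdict(set)     # ip -> every recipient attempted
    rejected = defaultdict(set)  # ip -> recipients answered with a 5xx reply
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        match = RCPT_RE.search(row.get("cs-uri-query", ""))
        if not match:
            continue
        ip, rcpt = row.get("c-ip", "-"), match.group(1).lower()
        tried[ip].add(rcpt)
        if row.get("sc-status", "").startswith("5"):
            rejected[ip].add(rcpt)
    report = {}
    for ip, rcpts in tried.items():
        if len(rcpts) >= min_recipients:
            report[ip] = {
                "distinct": len(rcpts),
                "rejected": len(rejected[ip]),
                # Addresses the sender now knows exist: review these mailboxes.
                "accepted": sorted(rcpts - rejected[ip]),
            }
    return report

if __name__ == "__main__":
    for ip, stats in harvest_suspects(SAMPLE_LOG).items():
        print(ip, stats)
```

If the server accepts every recipient and sends an NDR later, `rejected` stays at zero and the distinct-recipient count is the only signal.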
