Re: NDR Spam



When I telnet to my server from an IP address outside the network I see

220 tergadc.dcsanswire.com ESMTP ready.
My mail server is named mail.mydomain.com and I remember seeing this
from a telnet in the past.
I am testing by telneting to the server and typing:

1. Click Start, click Run, type telnet, and then click OK.

2. At the Telnet command prompt, type set local_echo, and then press
ENTER.
3. At the Telnet command prompt, type open sbs-IP-address 25, and then
press ENTER (where sbs-IP-address is the external public IP address of
the Small Business Server computer).

The output is similar to the following:
220 server.smallbusiness.local Microsoft ESMTP MAIL Service, Version:
5.0.2195.4905 ready at "date" -0500
Note The "Version" reference may vary, depending on the version of
Small Business Server.
4. Type ehlo anydomain.com, and then press ENTER (where anydomain is
not the Small Business Server computer's e-mail domain). Make sure that
the last line is:
250 OK

In my case the response is
250-tergadc.dcsanswires.com Hello hoosac.dcsanswires.com [64.69.32.247]
250-size 41943040
250-pipelining
250-starttls
250 help

5. Type mail from:youremail@xxxxxxxxxxxxx, and then press ENTER (where
youremail@anydomain is an SMTP address that is not hosted on the Small
Business Server computer). Make sure that the result is:
250 2.1.0 youremail@xxxxxxxxxxxxxxxxxxxxxxx OK

I get a 250 OK

6. Type rcpt to:user@xxxxxxxx, and then press ENTER (where user@spam is
not your e-mail domain). Make sure that the result is one of the
following two responses:
550 5.7.1 Unable to relay for user@xxxxxxxx

-or-

250 2.1.5 user@xxxxxxxx

I get 250 accepted

I have filtering enabled as per the KB, but not SP2.

Lanwench [MVP - Exchange] wrote:
In news:1158929055.657888.67710@xxxxxxxxxxxxxxxxxxxxxxxxxxx,
chrisskrod@xxxxxxxxx <chrisskrod@xxxxxxxxx> typed:
I have a SBS 2003 box hosting email with Exchange. Many of the users
are getting NDR reports with spam in them every few minutes. I have
Symantec Mail Agent for Exchange updated and running. Clients report
no virus problems.
I have telneted to the mail server from the outside. The reply to
telnet xxx.xxx.xxx.xxx 25 is a different name than my mail server.

That's not uncommon.

I type in the correct IP address and receive the wrong hostname.

What are you expecting to see, and what are you seeing, and from where?

When I test for open relay, it responds with the 250 ok instead of blocking.

How are you testing? Unless you or someone deliberately enabled relay, all
that's enabled is authenticated relay. However, check - and also disable
auth relay unless you need it. And if you *do* need it, you really want to
have a good complex password policy to prevent it being exploited.


I went through the Microsoft KB for closing an open relay. Default
SMTP and SmallBusiness SMTP set as they should be.
Is there a way to determine if the emails are originating elsewhere,
if the sender address was being spoofed?

Check the headers....

The mails that are going out

Going out, or coming in?

are coming from mydomain@mydomain which is not one of my email
addresses. Thanks,

That's a pretty good sign you're being spoofed.

Do you have SP2 installed, and filtering enabled? You should....


Chris
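The telnet dialog quoted in this thread (EHLO from a foreign domain, MAIL FROM and RCPT TO addresses the server does not host, then reading the reply code) can be scripted so it is repeatable after each configuration change. The script below is an added example written for this thread, not code from the KB article or from either poster; it uses Python's standard smtplib, never sends DATA (so nothing is queued on the server), and all hostnames and addresses are placeholders to be replaced with your own server and with addresses you do not host. The interpreter for the RCPT TO reply follows the KB's own reading: 550 5.7.1 means relay was refused, while a 250 at this stage (including the "250 2.1.5" form the KB lists as acceptable) is only inconclusive, because the session is unauthenticated and the server may still refuse the message later.

```python
"""Unauthenticated relay self-check for your own SMTP server, mirroring the
KB steps quoted in the thread (EHLO, MAIL FROM, RCPT TO) and classifying
the RCPT TO reply. Added example for this thread; hostnames/addresses are
placeholders, not real infrastructure."""
import re
import smtplib
import sys

# Constructed sample replies, copied from the forms shown in the thread,
# so the interpreter can be exercised without a live server.
SAMPLE_REPLIES = {
    "denied":   (550, b"5.7.1 Unable to relay for user@example.net"),
    "accepted": (250, b"accepted"),
    "deferred": (250, b"2.1.5 user@example.net"),
}

# Enhanced status code at the start of the reply text, e.g. "5.7.1".
ENHANCED = re.compile(rb"^\s*(\d)\.(\d{1,3})\.(\d{1,3})\b")


def interpret_rcpt(code: int, message: bytes) -> str:
    """Classify the server's reply to RCPT TO for a recipient you do not host.

    550 with 5.7.1 (or a 'relay' refusal text) is the KB's expected outcome:
    the server refused to relay. A 250 only says the recipient was accepted
    at the RCPT stage; the KB lists '250 2.1.5' as acceptable too, so this
    alone does not prove an open relay and needs a closer look.
    """
    match = ENHANCED.match(message)
    status = ".".join(g.decode() for g in match.groups()) if match else None
    if 500 <= code < 600:
        if status == "5.7.1" or b"relay" in message.lower():
            return "relay-refused"
        return "rejected-other"
    if 200 <= code < 300:
        return "accepted-at-rcpt"      # inconclusive on its own
    if 400 <= code < 500:
        return "temporarily-rejected"
    return "unexpected"


def probe_relay(host: str, port: int = 25,
                helo: str = "anydomain.example",             # placeholder, not your domain
                sender: str = "youremail@anydomain.example",  # placeholder, not hosted here
                recipient: str = "user@spam.example",         # placeholder, not hosted here
                timeout: float = 10.0) -> dict:
    """Run the KB dialog without authenticating and return the replies.

    No DATA command is ever sent, so the server never queues a message;
    the session ends with QUIT when the context manager exits.
    """
    with smtplib.SMTP(timeout=timeout) as smtp:
        banner_code, banner = smtp.connect(host, port)
        # The banner hostname often differs from the MX name (as in the
        # thread); that alone is not a problem.
        ehlo_code, ehlo_msg = smtp.ehlo(helo)
        mail_code, mail_msg = smtp.mail(sender)
        rcpt_code, rcpt_msg = smtp.rcpt(recipient)
        return {
            "banner": (banner_code, banner.decode(errors="replace")),
            "ehlo": (ehlo_code, ehlo_msg.decode(errors="replace")),
            "mail": (mail_code, mail_msg.decode(errors="replace")),
            "rcpt": (rcpt_code, rcpt_msg.decode(errors="replace")),
            "verdict": interpret_rcpt(rcpt_code, rcpt_msg),
        }


def check_samples() -> dict:
    """Interpret the constructed sample replies (offline)."""
    return {name: interpret_rcpt(code, msg)
            for name, (code, msg) in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python relay_check.py <your-server-external-ip-or-name>
        result = probe_relay(sys.argv[1])
        for step, value in result.items():
            print(f"{step:8s} {value}")
    else:
        for name, verdict in check_samples().items():
            print(f"{name:9s} -> {verdict}")
```

Run it against your own server's external address from a host outside the network, as the KB does with telnet. A verdict of "relay-refused" matches the KB's expected 550 5.7.1; "accepted-at-rcpt" corresponds to the "250 accepted" reply reported in the thread and, since the probe never authenticates, is the case to follow up by checking the relay and authenticated-relay settings Lanwench mentions.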



