RE: ISA Secure NAT sessions with long activation times
- From: v-chacez@xxxxxxxxxxxxx (chace zhang)
- Date: Wed, 20 Dec 2006 09:10:14 GMT
Hi,
Thank you for posting here.
I understand that you have concerns external session from external network.
I think this is expect behavior, as you published your Exchange Server to
the internet, in other words the 25 port is allowed to be accessed for
inbound and outbound traffic. And the external domains established the
connection with your SBS to deliver message.
To isolate the source is a valid SMTP session or a Spam, you could check
the source IP address in www.dnsstuff.com, paste it in the Spam database to
verify the domain name.
Also I'd like to provide some general information to prevent SPAM on SBS
2003 Server
319356.KB.EN-US HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange
2003 Server
http://support.microsoft.com/kb/821746/en-us
823866 How to configure connection filtering to use Realtime Block Lists
(RBLs)
http://support.microsoft.com/?id=823866
Using IMF for Exchange 2003, refer to the following article:
http://www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/imf/def
ault.mspx
Exchange Server 2003 Anti-Spam Framework Overview:
https://download.microsoft.com/download/0/E/6/0E6A7113-DDA4-4FD7-AABA-B9E264
700225/Anti-Spam.doc
Hope this helps, if anything unclear or you need more helps, please do not
hesitate to let me know!
Have a nice day!
Best Regards,
Chace Zhang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: ISA Secure NAT sessions with long activation times
| thread-index: AccjbXQqkA3AgF7bQE6ZJJR+m/Fjhw==
| X-WBNR-Posting-Host: 84.12.245.72
| From: =?Utf-8?B?QVBT?= <AndyS@xxxxxxxxxxxxx>
| Subject: ISA Secure NAT sessions with long activation times
| Date: Tue, 19 Dec 2006 04:59:01 -0800
| Lines: 24
| Message-ID: <D8AE793C-401C-4133-9C9C-CB4CE20AD1A2@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:5300
| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| This is a repost of a positing on the ISA community which did not
generate
| any feedback. I'd appreciate any ideas from this community. Thanks
|
| Andy
|
| I have two to three SecureNat sessions appearing in the sessions list
each
| day which remain indefinitely until I close them manually. The firewall
log
| shows that these are SMTP connections to ISA from various (probably spam)
IP
| addresses around the world. The connection is allowed by the default
"sbs
| smtp server access rule" which allows SMTP connections from external to
| localhost. Each connection is logged in the firewall log as a "connect"
| action, with subsequent "intermediate" action events logged for the same
| connection every 15 minutes. All the bytes fields shown in the firewall
log
| entries are 0.
|
| Can anyone help me by explaining what the ISA "intermediate" action
actually
| means, or suggest how to investigate these connections further?
|
| thanks
| Andy
|
| ISA 2004 install on SBS2003 with Exchange, no modifications to default
| install (i.e. relaying not permitted, recipient filter on, tarpit on.)
|
|
.
- Prev by Date: Re: Security Event Check - ANONYMOUS LOGON
- Next by Date: Re: Connecting an SBS 2003 Server to the internet - the preferred way?
- Previous by thread: Re: Security Event Check - ANONYMOUS LOGON
- Next by thread: RE: ISA Secure NAT sessions with long activation times
- Index(es):
Relevant Pages
|
Loading
