Re: Spam attack
- From: "Cliff Galiher" <cgaliher@xxxxxxxxx>
- Date: Wed, 11 Jun 2008 17:17:14 -0600
I'm gonna go out on a limb and say that the two problems, although both related to spam, are separate. No NDR is generated for an SMTP message denied with a 550 regardless of whether you've configured NDRs or not. Since the connection is rejected at the time of transmission, it simply doesn't come into play.
As far as what you can do about it....AFAIK not much. Somebody is trying to relay, your server is stopping it and reporting that to you via the event log. So nothing, technically, is wrong. Usually this will subside in a few days as whoever is trying to relay will update their database of 'exposed' IPs.
The second problem, however, is somewhat concerning. Is it possible that what you are seeing is backscatter NDRs? This happens when a spammer tries to send to a non-existent mailbox on your domain, but spoofed the sending address. For example, if they said they were deartry@xxxxxxxxxxxx trying to send to lewzer@xxxxxxxxxxxxxx, Exchange will (by default) initially accept the message. Then later, it realizes there is no lewzer in your organization and generates an NDR and tries to send it to deartry (spoofed) and, boom, you have backscatter. I suspect this is what you have going on. With that in mind, here is my usual list of suggestions for an SBS environment.
1) DON'T disable NDRs. There are differing opinions on this, but especially for SBS where IT resources are limited, NDRs become a very valuable troubleshooting tool. They are part of the SMTP spec for a reason, and should be sent when legitimate problems arise.
2) Turn on recipient filtering. Specifically, that little checkbox to reject addresses not in the directory. Once enabled and properly added to the SMTP virtual server, Exchange will now generate a 550 for invalid mailboxes instead of accepting and later sending an NDR. No more backscatter. But it creates a new vulnerability: the Directory Harvest Attack. Somebody can connect and just start throwing addresses at your server and seeing which ones generate 550 or 250, thus eventually gathering legitimate emails. ...bad...
3) So, step three. As of Win2k3 SP1 (I see you have SP2) you can tar pit any 500 return codes. That means your server will still reply 550, but it'll wait a preset length of time to do so. 250 is still sent normally, so no delay to legitimate email. I tend to set my delays between 20 and 40 seconds depending on server load and find most spammers will disconnect...too painful to try to DHA against a server that slow. :)
Hope that helps,
-Cliff
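The three behaviours Cliff describes (accept-then-NDR producing backscatter, recipient filtering answering 550 at RCPT TO, and the SP1 tarpit delaying 5xx replies) are easier to reason about side by side. The following is an added illustration written for this page, not code from the thread or from Microsoft: a small model of how the SMTP virtual server answers RCPT TO under each setting, plus a simulated directory harvest against it. The "550 5.7.1 Unable to relay" text is taken from the event-log entry quoted in the thread; the "550 5.1.1 User unknown" reply for recipient filtering and the TarpitTime registry value (HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters, DWORD, seconds) are from Microsoft's Exchange 2003 / Windows 2003 SP1 documentation. The domain names, mailbox lists and delays are constructed for the example.

```python
"""Model of Exchange 2003 RCPT TO handling under the settings discussed
in the reply above (added illustration; not Microsoft's or the poster's code).

Assumed for the example: the sample domains and mailboxes below are made up,
the tarpit delay is simulated rather than slept, and the reply strings follow
the ones documented for Exchange 2003 / Windows 2003 SP1."""

from dataclasses import dataclass


@dataclass
class SmtpPolicy:
    local_domains: set            # domains this server accepts mail for
    mailboxes: set                # addresses that really exist in the directory
    recipient_filtering: bool = False   # the "reject addresses not in the directory" checkbox
    tarpit_seconds: int = 0       # TarpitTime registry value (0 = feature off)

    def rcpt_to(self, rcpt: str):
        """Answer one RCPT TO command: (reply_code, text, delay_seconds)."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in self.local_domains:
            # Not our domain and the client is not allowed to relay: refused
            # during the SMTP conversation, so no NDR is ever created for it.
            return (550, f"5.7.1 Unable to relay for {rcpt}", self.tarpit_seconds)
        if self.recipient_filtering and rcpt.lower() not in self.mailboxes:
            # Recipient filtering on: unknown local mailbox refused right away
            # (tarpitted like every other 5xx reply when TarpitTime is set).
            return (550, "5.1.1 User unknown", self.tarpit_seconds)
        # Default Exchange 2003 behaviour: accept now, discover the problem later.
        return (250, "2.1.5 Recipient OK", 0)

    def deliver(self, mail_from: str, rcpt: str):
        """What happens after DATA: returns the address an NDR would be sent
        to, or None when no NDR is generated."""
        code, _, _ = self.rcpt_to(rcpt)
        if code != 250:
            return None                   # never accepted, nothing to bounce
        if rcpt.lower() not in self.mailboxes:
            # Accepted but undeliverable: Exchange builds an NDR and sends it
            # to MAIL FROM, which a spammer will have forged. This is backscatter.
            return mail_from
        return None


def directory_harvest(policy: SmtpPolicy, candidates):
    """Simulate a directory harvest attack: probe each candidate with RCPT TO
    and return (addresses confirmed by a 250, seconds spent waiting on 5xx)."""
    found, waited = [], 0
    for addr in candidates:
        code, _, delay = policy.rcpt_to(addr)
        waited += delay
        if code == 250:
            found.append(addr)
    return found, waited


if __name__ == "__main__":
    # Constructed sample directory (not from the thread).
    domains, real = {"example.com"}, {"alice@example.com", "bob@example.com"}
    probes = ["alice@example.com", "lewzer@example.com", "deartry@example.com"]

    default = SmtpPolicy(domains, real)
    print("default:", default.rcpt_to("lewzer@example.com"),
          "NDR to", default.deliver("spoofed@forged.example", "lewzer@example.com"))

    filtered = SmtpPolicy(domains, real, recipient_filtering=True)
    print("filtering, no tarpit:", directory_harvest(filtered, probes))

    tarpitted = SmtpPolicy(domains, real, recipient_filtering=True, tarpit_seconds=30)
    print("filtering + 30s tarpit:", directory_harvest(tarpitted, probes))
```

Running it shows the trade-off in numbers: with the default policy every local address gets a 250, so a harvester learns nothing but the server later bounces to the forged sender; with filtering alone the harvester gets a clean valid/invalid oracle at no cost; with filtering plus TarpitTime each wrong guess costs the attacker the configured delay while real recipients are still answered immediately.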
"KMD" <KMD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:07983410-6A25-4D8E-B785-FA08BBB17339@xxxxxxxxxxxxxxxx
I know this subject pops up all the time, but despite hours of searching, I
can't find answers to my specific questions.
My server is a 2003 SBS with exchange SP2, windows 2003 SP2, and 2003 SBS
SP2 installed. I am using smtp smarthost to send emails through my ISP's
smtp servers. I used the wizard to set up email and internet connections.
As I type this, my 2003 sbs is generating hundreds of "event 7010" errors
from the msexchangetransport source.
*********************************************************************************************
The errors all look pretty much like this:
"This is an SMTP protocol log for virtual server ID 1, connection #3373. The
client at "220.225.238.242" sent a "rcpt" command, and the SMTP server
responded with "550 5.7.1 Unable to relay for yjij@xxxxxxxxxxxx ". The full
command sent was "rcpt TO:<yjij@xxxxxxxxxxxx>". This will probably cause the
connection to fail. "
******************************************************************************************************************
The emails in the queue look like this:
“ ±o¯q?O2z-1§{
5¯s?q?FRO?u±A?u-n50??
!•±q?i?f!B?Mo{?[?u!B?]?E!B|v°t?tµ{§C•A§@•~!C
!•3a?÷¯uaA?]?E,?e?KRA2z,AHRE|bRa?E?I(AH3fat?O2z?eak)!C
!•’??NA?U?Aa?P?A-J’OAa?o?i?@oO!C
~~~|v°t?ic2,Awai1IAE~~~
“
******************************************************************************************************************
The NDR's that are still being generated even though NDR's should be turned
off look like this:
“This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
deartry@xxxxxxxxxxxx
breathy@xxxxxxxxxxxx
llikeleehomtw@xxxxxxxxxxxx
roclky@xxxxxxxxxxxx
weley@xxxxxxxxxxxx
chinliang_tw@xxxxxxxxxxxx
asftrdsrew@xxxxxxxxxxxx
loadthru@xxxxxxxxxxxx
lionfaye_rabbitv@xxxxxxxxxxxx
yokohouse.tw@xxxxxxxxxxxx
shenyuchen.tw@xxxxxxxxxxxx
su_fairy@xxxxxxxxxxxx
bfahey@xxxxxxxxxxxx
kittybug.tw@xxxxxxxxxxxx
vallez@xxxxxxxxxxxx
hafey@xxxxxxxxxxxx
kx39ip0616y@xxxxxxxxxxxx
laijack.tw@xxxxxxxxxxxx
ycmiky@xxxxxxxxxxxx
bleakney@xxxxxxxxxxxx
emilyvsamy@xxxxxxxxxxxx
cellomay.tw@xxxxxxxxxxxx
viper66tw@xxxxxxxxxxxx
danishsu@xxxxxxxxxxxx
green.wu@xxxxxxxxxxxx
blazehenry@xxxxxxxxxxxx
advisably@xxxxxxxxxxxx
wxweaz@xxxxxxxxxxxx
chibenz@xxxxxxxxxxxx
ewig-x@xxxxxxxxxxxx
rocmyuritony@xxxxxxxxxxxx
I have confirmed that my server is not an open relay.
I have turned off NDR's, but my server still seems to be generating NDR's
I want to know why email that my server should not be relaying is still
getting into the SMTP virtual server queue and if there is a way to stop it
before it gets there.
I would also like to know why my server is still generating NDR's.
Thanks for any help with this problem, I’ve been on this since 8 am this
morning and it’s 3:30 now.