Re: Help SBS2003 acting as relay
- From: "Ace Fekay [Microsoft Certified Trainer]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 22 Apr 2009 19:15:08 -0400
"dmh" <fake@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:eu5vu4h39658p0l0eimggnbkri751vg8ag@xxxxxxxxxx
Hi,
Could use some help at pinpointing where the hole is in my client's
setup.
First symptom was problem in sending emails.
1. Fully patched SBS2003 Standard. Exchange patched to SP2.
2. Confirmed multiple times that the SMTP Connector and Default SMTP
Virtual Server is set up correctly as per KB324958. No changes
apparent.
3. MXToolbox still shows the server as an Open Relay.
4. Queue has over 160,000 emails waiting (currently directed to
99.99.99.99). Viewing messages shows them to be mostly Asian language.
These build very rapidly after being cleared out.
This system has worked without issues for about 10 months. The email
relay problem started about 2-3 days ago.
I'm currently thinking that a client machine may be at fault. Nothing
obvious has shown up after setting SMTP Protocol logging to maximum.
Just unchecked "Allow all computers which successfully authenticate to
relay, regardless of the list above" to see if that makes a
difference.
Any tips or checks you can suggest are most appreciated.
Particularly useful would be a quick method of cleaning out the
queue. The method of selecting messages and choosing Delete All
Messages (No NDR) is rather painful.
Thank you.
David
My first feeling is a user account's credential got hijacked. I worked in a 5000+ large environment where one account got hijacked while he was at home using OWA (webmail). His account was used to authenticate relays. We didn't catch it until 20,000+ relayed messages went through effectively putting the company's IP on the SORBS list (www.sorbs.net). That was a pain to get off the list because they want $50 to get your IP off the list. (Personal note: What a scam!)
If you have SMTP logging enabled, see if you can find out what account, if any, is being used to authenticate the relay. If they were using a direct relay through the SMTP service, I wouldn't imagine Message Tracking (if you have it enabled) will show the message, unless they used the user's account (assuming if it were hijacked) that sent it.
As for cleaning out the queues, stop the SMTP service, then go into the VS folder under the Exchange folder and rename the queue folder to queue.old, then restart the SMTP service. It will create a new empty queue.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
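
One way to run the SMTP log check suggested in the reply above, as an added example that is not part of the original posts: the Python below tallies AUTH and accepted RCPT commands per client IP from a W3C Extended protocol log, using the column order the log declares in its `#Fields:` line. The sample log lines, the LAN range 192.168.16.0/24, and the reading of `sc-status` as the SMTP reply code (235 for an accepted AUTH, 535 for a rejected one) are assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.16.0/24")  # assumed internal range
# Assumption: sc-status holds the SMTP reply code for each logged verb.
KEYS = {("AUTH", "235"): "auth_ok", ("AUTH", "535"): "auth_fail", ("RCPT", "250"): "rcpt_ok"}

# Constructed sample lines; a real log would be read from the SMTP log folder.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-04-20 02:11:02 203.0.113.45 mail.example.test AUTH - 235
2009-04-20 02:11:03 203.0.113.45 mail.example.test MAIL +FROM:<a@example.test> 250
2009-04-20 02:11:03 203.0.113.45 mail.example.test RCPT +TO:<b@example.org> 250
2009-04-20 02:11:03 203.0.113.45 mail.example.test RCPT +TO:<c@example.org> 250
2009-04-20 02:12:11 192.168.16.20 pc07 MAIL +FROM:<d@example.test> 250
2009-04-20 02:12:11 192.168.16.20 pc07 RCPT +TO:<e@example.org> 250
2009-04-20 02:13:41 198.51.100.9 x AUTH - 535
2009-04-20 02:13:42 198.51.100.9 x RCPT +TO:<f@example.org> 550
"""

def summarize(log_text):
    """Count accepted/rejected AUTH and accepted RCPT commands per client IP."""
    fields = []
    stats = defaultdict(lambda: {"auth_ok": 0, "auth_fail": 0, "rcpt_ok": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        key = KEYS.get((rec.get("cs-method", "").upper(), rec.get("sc-status", "")))
        if key and "c-ip" in rec:
            stats[rec["c-ip"]][key] += 1
    return stats

def suspects(log_text, lan=LAN):
    """IPs that got recipients accepted: authenticated outsiders or LAN clients."""
    found = []
    for ip, s in summarize(log_text).items():
        external = ipaddress.ip_address(ip) not in lan
        if s["rcpt_ok"] and (s["auth_ok"] or not external):
            kind = "external-authenticated" if external else "lan-client"
            found.append((ip, kind, s["rcpt_ok"]))
    return sorted(found, key=lambda r: -r[2])  # busiest sender first

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
```

An address reported as `external-authenticated` fits the hijacked-credential theory in the reply, while a `lan-client` address fits the original poster's suspicion of a client machine.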