Am I relaying?

aking

Hi

I want to know if there is a definitive way to check an SMTP send log for relaying. I'm running Exchange Server 2007 - it is not an open relay, according to various test sites and my ISP.
But there are log entries that look to me as if unknown emails are being sent through my server to recipients I have never heard of and that are accepted by the receiving mail server even though the sender is unknown.
I am sure that no one on my network is sending these emails, and all workstations get scanned daily and are reporting no viruses.

This is an example from last night:
,>,EHLO mail.domain.co.uk,
,<,250-yakko.circlerdesigns.net Hello mail.domain.co.uk
,<,250-SIZE 52428800,
,<,250-PIPELINING,
,<,250-AUTH PLAIN LOGIN,
,<,250 HELP,
,*,62516,sending message
,>,MAIL FROM:<> SIZE=21992,
,>,RCPT TO:<angered@rodneyb.com>,
,<,250 OK,
,<,"550 """,
,>,QUIT,
,<,221 yakko.circlerdesigns.net closing connection,
,-,,Local

From this log I assume that my server has sent an email to 'angered' and that the receiving mail server has accepted it. Is this correct? And if so, is this relaying?
 
Hi,

These kinds of e-mails are most often caused by spammers who send e-mail from an existing or non-existing sender to a user who does not exist in your environment. This causes your mail server to react with an NDR, which it tries to send to the angered user, who also does not exist.

Regards,

Johan
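
The NDR explanation above can be checked against a send log: a bounce goes out with the null envelope sender (MAIL FROM:<>), so sessions with a non-empty sender outside your own domains are the ones to review for relaying. The following is an added example, not code from any poster in this thread; the log lines are constructed in the shape of the excerpt above, and Get-SmtpSendSession and $LocalDomains are hypothetical names.

```powershell
# Added example: sample lines are constructed, in the trimmed ",event,data,"
# shape of the excerpt above. $LocalDomains is an assumed list of your domains.
$LocalDomains = @('domain.example')
$log = @'
,>,EHLO mail.domain.example,
,<,250-mx.remote.example Hello mail.domain.example
,<,250 PIPELINING,
,>,MAIL FROM:<> SIZE=21992,
,>,RCPT TO:<nobody@remote.example>,
,<,250 OK,
,<,550 unknown user,
,>,EHLO mail.domain.example,
,<,250 mx.other.example Hello,
,>,MAIL FROM:<promo@elsewhere.example> SIZE=900,
,>,RCPT TO:<someone@other.example>,
,<,250 OK,
,<,250 Accepted,
'@ -split "`r?`n"
function Get-SmtpSendSession {
    param([string[]]$Line, [string[]]$LocalDomain)
    $session = $null
    $pending = New-Object System.Collections.Queue   # commands awaiting a reply
    foreach ($l in $Line) {
        if ($l -notmatch '^,([<>]),(.*?),?$') { continue }
        $dir = $Matches[1]; $data = $Matches[2].Trim('"')
        if ($dir -eq '>' -and $data -match '^(EHLO|HELO)\b') {   # new session
            if ($session) { $session }
            $session = New-Object PSObject -Property @{ Sender = ''; Kind = 'no MAIL FROM'; Rcpt = @() }
            $pending.Clear()
        }
        if (-not $session) { continue }
        if ($dir -eq '>') {
            if ($data -match '^MAIL FROM:<([^>]*)>') {
                $session.Sender = $Matches[1]
                $session.Kind = 'non-local sender: review for relaying'
                if ($LocalDomain -contains ($Matches[1] -split '@')[-1]) { $session.Kind = 'local sender' }
                if ($Matches[1] -eq '') { $session.Kind = 'null sender: NDR/DSN' }
            }
            $pending.Enqueue($data)
        } elseif ($pending.Count -and $data -match '^(\d{3})(?!-)') {
            # A final reply (not "NNN-") answers the oldest pipelined command.
            $code = $Matches[1]; $cmd = $pending.Dequeue()
            if ($cmd -match '^RCPT TO:<([^>]*)>') { $session.Rcpt += "$($Matches[1]) => $code" }
        }
    }
    if ($session) { $session }
}
Get-SmtpSendSession $log $LocalDomains | Format-Table Kind, Sender, Rcpt -AutoSize
```

If your log lines carry additional leading columns, adjust the start of the pattern so that it still captures the event and data fields.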

 
Thanks for the hint, Johan. I'll check out NDRs and try to turn them off on my server.
 
Have you gone to MXToolbox.com or TestExchangeConnectivity.com and done a simple SMTP/relay test to see if your server is functioning as an open relay? That's the easiest way to rule that out. Once that's ruled out, it's easier to think up alternate scenarios to explain the logs, but if that's still lurking as a possibility, it's harder to read the logs and come to a different conclusion.

Dave Shackelford
ThirdTier.net
 
Try this:
Code:
Get-ReceiveConnector | Get-ADPermission | ? {($_.User -like 'NT AUTHORITY\ANONYMOUS LOGON') -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')} | FT Identity, User, ExtendedRights -auto

This would list any receive connectors that are configured for relaying. If any are listed, look at the properties of each and see who they'll accept from on the bottom of the "network" tab.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
ShackDaddy: yes, I've done relaying tests. That's kind of why I posted this question....

58sniper: thanks for the code. I ran it, and it didn't seem to do anything, i.e. it doesn't list anything but doesn't give any errors either. I am hoping this is a good sign, as in there are no receive connectors configured for relaying?
 
Correct - if it doesn't list anything, you have no receive connectors that are configured for relaying.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 