Blocking External SMTP relay 1


Hungster

IS-IT--Management
Mar 6, 2001
Could someone help me with Exchange 5.5 and external people using my Exchange 5.5 as an SMTP relay?

I tried everything people told me to, but I still find crap showing up in the outgoing delivery box. The originator is <> to a random e-mail address which does not exist.

Any trick I should do besides shutting down "Do not re-route external mail"?

Thanks
Hung
 
E-mail spam can be done very simply. Take, for instance, Outlook Express and make the outgoing e-mail server your IP address. That's all.

So if you do not want to shut off your relay, you choose to be a sitting duck for spam attacks.

However,

Build a second small machine and install an SMTP mail delivery program on it. This can be a Unix machine, but also Microsoft with Exchange or IIS.

Configure your first machine to deliver to the second, and voilà, things do what you hoped they would.

Microsoft does have a technical paper on this issue. I can mail it to you if you cannot find it.


If you have been attacked by a "professional company", this precaution is by far not enough.


Success

hanheeze@hotmail.com



 
I'm looking for more information on this issue.

I'm having the same problem as AoE. I've taken the precautions outlined to prevent relay and I'm running Exchange SP3. My server passes the telnet relay test, i.e. I can't send relay mail through a telnet session connected to my Exchange server. Yet my IMS queue fills up with crap e-mails from the <> originator, destined to who knows where.

The odd thing about this is that the current server is one I put in place of an old server. The old server never had this problem. The new one does.
 
Actually I do have them on both of mine, but I have tested it through telnet and using client e-mail software testing through SMTP, and like Caustic, I still get crap filling up my IMS queue's "Outbound messages awaiting delivery", and I am on SP4.
And I checked that my IP is not on the RSS list (MAPS Relay Spam Stopper), and yet, although it is not on there, somehow people are still able to get in using my SMTP port.

Any expert on this board who could help?

Thanks
Hung
 
Hung,

I found an old helpful post in the archives of this board. It's thread10-98450, titled "Close the Relay in Exchange 5.5" (Jun-26 2001). Not sure how to link that from here.

Anyway, if you telnet from your mail server to the address "relay-rest.mail-abuse.org" it will run 8 relay attempts. By following the tips in the article I mentioned I was able to close most of the holes. For some reason test #8 is able to relay, but it seems to have gotten rid of the outbound <> mail.
 
I am also having the same problem as AoE. I have set up everything according to Microsoft, tested via telnet and get "relay prohibited", and even went to a website that tests relaying for you, which claimed they couldn't. Set everything correctly in our firewall to accept only e-mail going to our domain. Nothing seems to work. Still get the same old <> originators in the queue.

Any other suggestions would be appreciated.

(Exchange 5.5 SP4, SBS 4.5 SP6)

Drew
 
Sorry, that should be "relay-test.mail-abuse.org". One other thing: RSS doesn't run those probes constantly. The result from their test may be very old. Using that telnet address will give you a current result.
 
Thanks Caustic,

I am working on testing a few methods and should have some answers soon.

I was unable to find the thread 10-98450 or relay-test.mail-abuse.org.

I can also be contacted by ICQ 41249851.
Thanks

Hung
 
Drew,

Check 100% to be sure you do not have a virus to start with.
Then what I'll attempt to do this time is to have your ISP switch the IP on the MX record.

Hung
 
I haven't had too many problems with being used as a relay, even when I had just selected "Do Not Reroute..." in the IMS, but I saw that the telnet test from above was accepting relay connections. I then went through and made the changes from Thread10-98450 and it blocked relaying for all but test #8. Has anyone passed test #8? What else did you change to prevent this relay?

Alex
 
Alex,

Sounds like you're right where I am. The difference in test #8 is how they address the rcpt to:

I have no idea how to prevent that particular relay attempt. I would sure be interested in the answer though.
 
I have also been fighting this beast. Here is my input. I am assuming you cannot relay mail through your Exchange server. See below. My mail from <> is actually from the Exchange server returning an e-mail that could not be delivered (employee left the company or just a bogus address) but the return address is invalid. Could this be your problem also?

Telnet into your Exchange server from the outside. Once you're connected on port 25:
1. Enter "HELO me"
The server will respond with 250 OK and identify your IP address and possibly your host name.
2. Enter "MAIL FROM: someaddress@somedomain.com"
Again, the server will respond with 250 OK.
3. Enter "RCPT TO: nobody@afakedomain.com"
The server will respond with "550 Relaying prohibited!".
4. Using a valid address from your GAL, enter
"RCPT TO: thegaladdress@yourdomain"
The IMS will reply with 250 OK when it accepts the address.

 
AlexIT, I tried going through the three steps listed in that thread you mentioned, and I couldn't figure out how to do the third one. Was he giving instructions assuming an NT4 environment, or is there something about Win2K networking that was missing from the SomaTrain hypno sessions I paid such big bucks for? %-)

I was able to verify with the test that Jim676 enumerated that I'm still wide open for relaying, despite various crap I've tried in the routing restrictions sheet. I sure don't get a '550 Relaying Prohibited'.

I can't really use relay-test.mail-abuse.org since all my outgoing sessions are NATted dynamically.

This relaying thing is one issue I too would love some help on.

ShackDaddy
 
I believe I have found why my test #8 accepted the connection! Looking closely at the different tests, I find that all other tests are trying to send mail to other domains, while test #8 is trying to send to my own domain. I follow Tek-Tips closely, and when the suggestion came up to turn off the admin notification for incoming mail that does not have a valid address (preventing my admin mailbox from becoming full of "Notification Inbound Mail Failure") I did this, and I no longer get these notifications. My server will accept mail to itself, but since they are not valid mailboxes, it deletes them and does not (any longer) send the Admin box a notification. So it accepts a connection and fails the test, but the mail is immediately deleted, so it should not be a problem. See an example of my test below:

:Relay test: #Test 6
>>> mail from: <spamtest@myserver.mycorp.com>
<<< 250 OK - mail from <spamtest@myserver.mycorp.com>
>>> rcpt to: <nobody@mail-abuse.org>
<<< 550 Relaying is prohibited
>>> rset
<<< 250 OK - Reset
:Relay test: #Test 8
>>> mail from: <spamtest@myserver.mycorp.com>
<<< 250 OK - mail from <spamtest@myserver.mycorp.com>
>>> rcpt to: <nobody%mail-abuse.org@myserver.mycorp.com>
<<< 250 OK - Recipient <nobody%mail-abuse.org@myserver.mycorp.com>
>>> QUIT
<<< 221 closing connection
Tested host banner: 220 myserver.mycorp.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready
System appeared to accept 1 relay attempts

Shack,
The third step was to set accept/reject IP addresses in the "Protocol" properties area (not in the IMC). I did this under the "Protocol" connector, but I am not sure what this was supposed to do... I thought maybe you need to include addresses that are permitted to forward outgoing mail through the server, because in the IMC you are restricting an empty host list. After your post I went in and removed that because I wanted to see what would happen, and it doesn't seem to make any difference... just doing steps #1 and #2 has prevented the relay. So I left this out... anyone know why these addresses should be included in the protocol tab?

I also use dynamic NAT routing for outbound connections but I had no problems using the telnet test. You have a static inbound route from your public IP port 25 to your internal Exchange server IP port 25 (through any firewall/packet filtering that you might have?) The telnet test just triggers the mail-abuse.org to begin issuing commands to your public IP address port 25. I am able to telnet from any workstation (since we have only one IP we map to) and they read my public IP and start issuing commands...

Alex
 
Seems like a popular problem today. ;] I too am trying to close my open relay problem; I followed the three steps above and failed the eighth test when telnetting to mail-abuse. What do I have to check for now? Where was that option allowing one to turn off notifications of inbound mail failures, mentioned above in reference to passing the eighth test?
 
ShackDaddy - Once your domain gets on the open-relay lists, my experience is that you'll see more people trying to hack in, trying to get into your VPN, etc. It must be that they see port 25 not secured and look to see what else might not be locked down. I would close the open relay ASAP.

Jim.
 
Could you guys, Caustic, Jim and AlexIT, tell me how you do all these tests,
because I am lost testing it.

thanks
Hung
 
Hung - One way is to telnet to relay-test.mail-abuse.org from your mail server. This will run 19 mail relay tests. If you are running NT4 capture the output to a file (I will provide more on this if needed). I got this from Caustic and it appears to be a good and complete test.

A second method is to telnet into your mail server. The test must be done from outside of your NAT/firewall to be accurate. Telnet into your Exchange server from the outside. Once you're connected on port 25:
1. Enter "HELO me"
The server will respond with 250 OK and identify your IP address and possibly your host name.
2. Enter "MAIL FROM: someaddress@somedomain.com"
Again, the server will respond with 250 OK.
3. Enter "RCPT TO: nobody@afakedomain.com"
The server will respond with "550 Relaying prohibited!".
4. Using a valid address from your GAL, enter
"RCPT TO: thegaladdress@yourdomain"
The IMS will reply with 250 OK when it accepts the address.

If you specify which part you are having problems with I can give more detail. Maybe we can then add something to the FAQ.
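The RCPT TO checks that Jim676's and Jim's telnet steps exercise, and the `nobody%mail-abuse.org@myserver.mycorp.com` form in AlexIT's test #8 transcript, as an added Python model that is not from the thread or from Exchange: it applies the relay policy an MTA should apply to each recipient, rejecting foreign domains (tests 1-7) and the `%`/`!`/explicit-route forms that name a second hop even though the `@domain` is local (test 8). The domain names are the thread's own; the inside network, client addresses and exact reply texts are assumptions.

```python
# Added example, not from the thread or from Exchange: a model of the check an MTA
# makes on each RCPT TO. Domain names are the thread's own; the inside network,
# client addresses and reply texts are constructed for the example.
import re
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"myserver.mycorp.com", "mycorp.com"}  # domains we accept mail for
RELAY_NETS = [ip_network("192.168.0.0/16")]            # constructed: inside hosts may relay
ADDR_RE = re.compile(r"([^@\s]+)@([A-Za-z0-9.-]+)")    # local-part@domain ('%', '!' allowed)

def parse_address(addr):
    """Split 'user@domain' into (local_part, domain), or return None if malformed."""
    m = ADDR_RE.fullmatch(addr)
    return (m.group(1), m.group(2).lower()) if m else None

def rcpt_decision(rcpt_arg, client_ip):
    """Return the SMTP reply to 'RCPT TO:' for the given address and client IP."""
    addr = rcpt_arg.strip().strip("<>")
    # RFC 821 explicit route "@ourhost:user@remote" is a relay request by construction.
    if addr.startswith("@"):
        return "550 Relaying is prohibited"
    parsed = parse_address(addr)
    if parsed is None:
        return "501 Syntax error in recipient address"
    local_part, domain = parsed
    # Hosts on our own network may send anywhere (the thread's "accept IP addresses" step).
    if any(ip_address(client_ip) in net for net in RELAY_NETS):
        return "250 OK"
    # Tests 1-7: the domain is not ours, so accepting it would be relaying.
    if domain not in LOCAL_DOMAINS:
        return "550 Relaying is prohibited"
    # Test 8: the domain is ours, but '%' or '!' in the local part (user%remote@local,
    # remote!user@local) asks us to forward onward, so it is relaying as well.
    if "%" in local_part or "!" in local_part:
        return "550 Relaying is prohibited"
    return "250 OK"

def relay_test(client_ip, probes):
    """Replay RCPT TO probes from one client and return {probe: reply}."""
    return {p: rcpt_decision(p, client_ip) for p in probes}

if __name__ == "__main__":
    probes = ["<nobody@mail-abuse.org>",                       # test 6
              "<nobody%mail-abuse.org@myserver.mycorp.com>",   # test 8
              "<thegaladdress@mycorp.com>"]                    # a real GAL address
    for rcpt, reply in relay_test("203.0.113.7", probes).items():  # outside client
        print(f">>> rcpt to: {rcpt}\n<<< {reply}")
```

Run against the three probes from an outside address, only the GAL address gets 250; a server that answers 250 to the second probe is the one the mail-abuse.org run reports as "accept 1 relay attempts".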
 
Thanks Jim,
Will try it out tonight sometime and update you guys later, before I make an IP and MX-record change.

Hung
 