
Can someone look at this? Spammer communication <>

Status
Not open for further replies.

Dyadmin

IS-IT--Management
Oct 31, 2002
217
CA
Hi All!

Below is what my log captures for my email server. I wanted to figure out how the spammer is getting through. He can't relay, so that's good, yet I get the NDRs being sent back to him. It ticks me off.

Anyway, look at the bottom, I deleted my server and IP information but I kept everything intact.
=====================
A connection to 207.217.120.79 was established.
10/8/2003 11:15:02 AM : <<< IO: |220 kite EL_3_9_5_1 /EL_3_9_5_1 ESMTP EarthLink SMTP Server Wed, 8 Oct 2003 10:15:28 -0700 (PDT)
|
10/8/2003 11:15:02 AM : <<< 220 kite EL_3_9_5_1 /EL_3_9_5_1 ESMTP EarthLink SMTP Server Wed, 8 Oct 2003 10:15:28 -0700 (PDT)
10/8/2003 11:15:02 AM : >>> EHLO myserver.myemaildomain.com

10/8/2003 11:15:02 AM : <<< IO: |250-kite Hello myserver.myemaildomain.com [*.*.*.*], pleased to meet you
250-8BITMIME
250-SIZE 10485760
250 HELP
|
10/8/2003 11:15:02 AM : <<< 250-kite Hello myserver.myemaildomain.com [*.*.*.*], pleased to meet you
250-8BITMIME
250-SIZE 10485760
250 HELP

10/8/2003 11:15:02 AM : >>> MAIL FROM:<> SIZE=2820

10/8/2003 11:15:02 AM : <<< IO: |250 <> SIZE=2820... Sender ok
|
10/8/2003 11:15:02 AM : <<< 250 <> SIZE=2820... Sender ok
10/8/2003 11:15:02 AM : >>> RCPT TO:<6deyhszpxb@earthlink.com>

10/8/2003 11:15:02 AM : <<< IO: |550 6deyhszpxb@earthlink.com...User unknown
|
10/8/2003 11:15:02 AM : <<< 550 6deyhszpxb@earthlink.com...User unknown
10/8/2003 11:15:02 AM : >>> QUIT

10/8/2003 11:15:02 AM : <<< IO: |221 kite closing connection
|
10/8/2003 11:15:02 AM : <<< 221 kite closing connection
10/8/2003 11:15:32 AM
==================================

The way I see it, the <> is an acceptable address for exchange, anyone know how to make it not acceptable? Anyone agree/disagree?
 
That is definitely someone telnetting into your SMTP on Exchange. I have never seen the <>, but I would assume if you make sure the relaying is shut down on the server it wouldn't work. You might want to set your IMS logging to maximum and then go to the Event Viewer and filter everything but MSExchangeIMC and see if anything suspicious is coming in or out.
 
I Appreciate the responses!

I've turned on the SMTP and Message Archival to maximum. I've checked relay concerns, and I'm not doing it.

 
Take a look at thread 10-655444. It might help
 
Have you checked to see that Anonymous access is turned off? We had a problem similar to this several years ago and that seemed to fix it... HTH

Joe
 
We were getting the same activity with smtp mail being sent out of our exchange server.

I have tested the server and it shows that it is not an open relay.

When I clicked on the auth tab internally we were then not able to send email as well.
 
I think these are attempts to relay, rather than a relay itself. What we are seeing is the activity of a telnet session, inside that is the spam message, and then finally we see the relay go to work on an already fake email account, which will create a <> in your outbound queue.

I think this is nothing to worry about, but I would like to know for my personal sanity that this is a normal activity.
 
Spammers have a new means to avoid filters built into many systems. They take advantage of a mail system's sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents.

CMS calls this a "Reverse NDR attack" (RNDR). A few customers have experienced this, some so badly that over 33% of their Internet messages are attributed to this type of spam.

The end result is the spammer has attained a new form of mail relaying. Your server's resources are being stolen to deliver spam.

How does a "Reverse NDR" attack work?

Step 1: Spam email is created with the intended spam victim's address in the sender field and a random, fictitious recipient, at your domain, in the To: field.

Step 2: Your mail server cannot deliver the message and sends an NDR email back to what appears to be the sender of the original message, the spam victim.

Step 3: The return email carries the non-delivery report and possibly the original spam message. Thinking it is email they sent, the spam victim reads the NDR and the included spam.

Here's how to check if you are vulnerable:
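An added example, not from this thread and not code from Exchange or CMS: a small Python script that groups an IMS-style outbound log like the one posted above into per-MAIL FROM sessions, flags bounces (null sender <>) that the remote side refuses with a 5xx, which is what steps 1 to 3 look like from the sending side, and shows the mitigation of refusing unknown local recipients at RCPT TO time so no NDR is generated in the first place. The second session and the alice/bob addresses are constructed sample data.

```python
import re

# Constructed sample modelled on the poster's IMS log: our server (>>>) delivers
# a bounce with a null sender and the remote side refuses it; then a normal send.
SAMPLE_LOG = """\
10/8/2003 11:15:02 AM : >>> EHLO myserver.myemaildomain.com
10/8/2003 11:15:02 AM : >>> MAIL FROM:<> SIZE=2820
10/8/2003 11:15:02 AM : <<< 250 <> SIZE=2820... Sender ok
10/8/2003 11:15:02 AM : >>> RCPT TO:<6deyhszpxb@earthlink.com>
10/8/2003 11:15:02 AM : <<< 550 6deyhszpxb@earthlink.com...User unknown
10/8/2003 11:15:02 AM : >>> QUIT
10/8/2003 11:20:00 AM : >>> MAIL FROM:<alice@myemaildomain.com> SIZE=900
10/8/2003 11:20:00 AM : <<< 250 <alice@myemaildomain.com>... Sender ok
10/8/2003 11:20:00 AM : >>> RCPT TO:<bob@example.net>
10/8/2003 11:20:00 AM : <<< 250 <bob@example.net>... Recipient ok
10/8/2003 11:20:00 AM : >>> QUIT
"""

def parse_sessions(log):
    """Group an outbound SMTP transcript into one dict per MAIL FROM."""
    sessions, cur, last_rcpt = [], None, None
    for line in log.splitlines():
        m = re.search(r">>> MAIL FROM:<([^>]*)>", line)
        if m:
            cur = {"sender": m.group(1), "rcpt": [], "rejected": []}
            sessions.append(cur)
            last_rcpt = None
        elif (m := re.search(r">>> RCPT TO:<([^>]*)>", line)) and cur:
            last_rcpt = m.group(1)
            cur["rcpt"].append(last_rcpt)
        elif re.search(r"<<< 5\d\d ", line) and cur and last_rcpt:
            cur["rejected"].append(last_rcpt)  # remote refused this recipient

    return sessions

def backscatter(sessions):
    """Null sender (<>) means our server is sending a bounce; a 5xx on the
    recipient means the bounce is aimed at an address nobody owns, i.e. a
    forged sender from step 1. These are the NDRs the poster is seeing."""
    return [s for s in sessions if s["sender"] == "" and s["rejected"]]

def rcpt_reply(local_users, rcpt):
    """Mitigation: refuse unknown local recipients at RCPT TO time, so the
    spam is never accepted and there is nothing to bounce (step 2 never runs)."""
    return "250 OK" if rcpt.lower() in local_users else "550 5.1.1 User unknown"

if __name__ == "__main__":
    for s in backscatter(parse_sessions(SAMPLE_LOG)):
        print("backscatter bounce refused by remote:", s["rejected"])
```

Run over the real log, a non-empty result from backscatter() means the server accepted mail for nonexistent local users and is now generating the NDRs; recipient filtering at RCPT time, as rcpt_reply() models, stops that.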
 