close relay port


prha

Technical User
May 24, 2002
My Exchange server is currently being used to route around 5000 spam emails every hour.
Does anyone know what I can do to close the relay port to stop this happening?
I have gone into IMS in Exchange admin and under routing checked the box "hosts and clients that successfully authenticate". But this has had no effect.
I have had to stop the IMS service altogether, but this means no-one can send external emails.
Any advice?
 
It may not be a relay problem at all... Have you tried adding domain names to the Message Filtering option?
 
Instead of setting the successfully authenticate, enter the IP range of your LAN as authorised to send.

If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC! - Marc
 
Taken from Microsoft's Knowledge Base:

XFOR: Restricting Routing in the Internet Mail Service (Q196626)

The information in this article applies to:
· Microsoft Exchange Server, version 5.5

SYMPTOMS
The Exchange Server Internet Mail Service (IMS) allows you to configure the server to allow mail relaying. When you enable the Mail relaying in the IMS's 'Routing' property page, all mail will be routed without restrictions. Exchange Server 5.5 Service Pack 1 allows the administrator to impose restrictions on routing.

RESOLUTION
To enable these restrictions on routing functionality, follow these steps:
1. Install Exchange Server 5.5 Service Pack 1 (or later).
2. Open the properties on the Exchange Server Internet Mail Service and select the Routing page. After the SP1 installation, this page will have an additional button called <Routing Restrictions...>.
3. Click Routing Restrictions to bring up a dialog box with additional Restrictions.

MORE INFORMATION
Exchange Server 5.5 Service Pack 1 adds "Routing Restrictions" to the Internet Mail Service. This allows the administrator to specify who can relay mail off of your Exchange Server computer.

The following Restrictions have been added:

Specify the hosts and clients that can route mail when the following conditions have been met.
· Hosts and clients that successfully authenticate:
Messages sent from hosts and clients with valid logon information are relayed.
· Hosts and clients with these IP addresses:
Messages sent from host whose IP addresses and subnet mask fall within the range to be allowed to relay.
To only allow a single host or client, enter in the format, IP=<full IP address of client> (i.e. 1.1.1.1), MASK=255.255.255.255
To allow a range of IP addresses to relay, enter in the format, IP=<scope to allow> (i.e. 1.1.1.0), MASK=255.255.255.0. This will allow the address range of 1.1.1.1 - 1.1.1.254 to relay.
· Hosts and clients connecting to these internal addresses:
Messages sent by hosts and clients that connect to the specified IP address on the Microsoft Exchange Server computer are relayed. This allows multihomed servers to restrict message relay based on the IP address to which the client connects. If you select this option, you must disable IP forwarding on the Networking property pages in Control Panel.

Specify the hosts and clients that can NEVER route mail.
· Messages sent from the specified IP addresses and subnet mask are NOT relayed.
 
Thanks for all the above advice.
However I still have the problem.
I cannot filter the emails as they are all coming from different addresses. I have also tried all the options in the routing restrictions and none of them worked. That is to say, if I tried putting the range in then I lost outgoing emails or incoming emails altogether. I also left the IP addresses blank and that had no effect either.
Any other ideas?
My ISP says that they have tested and the relay is closed, however when I go into the queue for outbound emails there are always new emails popping in there every two or three seconds.
 
Being in the queue does not by default mean spam. You could have a PC on the LAN generating spam, because of a virus, worm, whatever.
Isolate some messages and try to see where they came from, where they go to etc..
Use the full logging if needed (watch out for HD space!).
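An added example (not part of the thread, and not Exchange tooling) of the triage suggested above: tally which client addresses are submitting mail for non-local domains, and use the IP/MASK matching from the quoted KB article to tell LAN hosts from external ones. The log layout, the sample addresses and domains, and the names `in_range` and `triage` are assumptions; real logs would need reshaping into this form first.

```python
import ipaddress
from collections import Counter

# Constructed sample, one accepted message per line: "client-ip sender recipient".
# This layout is an assumption, not the Exchange IMS log format.
SAMPLE_LOG = """\
192.168.1.23 u1@spam.test v1@example.org
192.168.1.23 u2@spam.test v2@example.org
192.168.1.23 u3@spam.test v3@example.net
192.168.1.10 alice@example.com bob@example.org
203.0.113.9 x@spam.test carol@example.com
203.0.113.9 x@spam.test v4@example.org
not-an-ip y@spam.test v5@example.org
truncated line
"""


def in_range(ip, base, mask):
    """True if ip falls inside base/mask, e.g. IP=1.1.1.0, MASK=255.255.255.0."""
    net = ipaddress.ip_network(f"{base}/{mask}", strict=False)
    return ipaddress.ip_address(ip) in net


def triage(log_text, lan_base, lan_mask, local_domains):
    """Tally messages bound for non-local domains per client, tagged lan/external."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ip, _sender, rcpt = parts
        if rcpt.rsplit("@", 1)[-1].lower() in local_domains:
            continue  # delivered to our own domain: not relayed
        try:
            origin = "lan" if in_range(ip, lan_base, lan_mask) else "external"
        except ValueError:
            continue  # unparsable client address
        counts[(origin, ip)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (origin, ip), n in triage(SAMPLE_LOG, "192.168.1.0", "255.255.255.0",
                                  {"example.com"}):
        print(f"{n:5d}  {origin:8s}  {ip}")
```

A LAN address at the top of the tally points at an internal machine generating the mail; an external address with a non-zero count means the server is still relaying for outsiders.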
 
Is there any way of tracking where they are coming from on the domain? How do you isolate the messages?
 
There is an FAQ in this forum on relaying - maybe you should read it.
 
prha, to log the messages:
Exchange System Manager
Servers - servername - Properties - Diagnostics logging
Enable everything and check the Event log after some new messages were queued.

!!! Don't forget to turn it OFF afterwards, it EATS diskspace !!!
 
Oops !!

Ignore previous post, it was for Exchange 2000, sorry.
 
Hi,

Thanks for all the advice. I did read the FAQ but unfortunately nothing solved the issue; all the info in the FAQ I found on various other websites as well.
I am under the impression that the attack may be coming from somewhere other than my exchange server.
I have tried various websites that test my security but they all come back saying everything is fine.
Any other ideas?
 