
Closing Open Relay 1

Status
Not open for further replies.

victora

Programmer
Feb 11, 2002
Hello everybody:
We are on MS Exchange server 5.5. I thought I closed my open relay last year but apparently, it's not. I still see a bunch of 'foreign' emails in the outbound. Can somebody tell me how to close my open relay for good? No wonder we are blacklisted on some sites; we cannot send emails.

Thanks

 
See faq10-1779

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
Well, go to the Internet Mail Service and choose Routing (you have to have Service Pack 3 or later installed), click Routing Restrictions, and activate "Hosts and clients with these IP addresses". The trick is that you don't add any IP address.
Your relay is now closed forever.
 
Thank you guys for all your tips. It confirms my relay as 'closed' already. Just wondering why I still get 'foreign emails' waiting on my Outbound messages awaiting delivery. It's not coming from my users because it's showing <> in the Originator column. I'm getting like 4-5 of those every day. It's not a big number but it still looks like 'relaying' to me.
Anyway, I'm sure there's a thread somewhere that talks about this. I'll search...

Again, thank you...
 
If it's showing <> as the originator it's probably an NDR, delivery receipt, or read receipt that can't be delivered back to the spammer because he spoofed his address or the address has been shut down by his ISP (it does happen once in a while).

I'm guessing you're seeing different ones every day. What happens is they'll try to be delivered until the time you specified for attempted delivery kicks in, then since whatever receipt it is can't be returned to the originator (it's <>), it just drops.

Cheers.
 
Turn OFF NDR to the internet and see if they stay away, then you can eliminate that.
NDR's and Out of Office are never a good idea, for spam reasons.

Marc
 
There is also a good possibility that you have a worm or trojan of some sort on your machine. We have exactly the same symptoms as you are experiencing, and we shut down our open relay over a month ago.

We're running a Watchguard Soho firewall and TrendMicro's antivirus software, but it got through anyway.

We enabled SMTP logging, and have learned that somehow this spammer program gets into our machine periodically for about 10-15 minutes and must be downloading a message and a mailing list. The messages showing up in your outbound queue are NDRs, and there's not a lot of them...probably 10-15 per day?....but you clear them out and there's another batch the next day.

We're finding these accesses using accounts we've already changed passwords on (the new passwords are much stronger than the old ones), so changing them doesn't seem to matter much. I'm speculating that it somehow gets access to them or bypasses them (if that's possible). The only unusual thing I notice about the "ghost" logons is that they all log on using "KsecDD"...I don't know if that's meaningful or not.

From what I've been able to determine, these worms have their own SMTP engine, and send out relatively small amounts (as compared to open relays) of spam each day so as to stay "under the radar" of blacklists and such.

I've tried numerous antivirus and anti-trojan software, but nothing is picking this stuff up...maybe it's too new. We're to the point we're almost ready to tear down and rebuild the server.

Anyone else have any ideas?
 
How do you turn off NDRs to the Internet? We get a lot of undeliverables that are addressed to users that don't exist but that have our domain name in them. Or old employees. Can we only accept email to valid email addresses?

Thanks.
 
Press the Help key and look for NDR, it is all in there!

Marc
 
I can turn off the notification of NDRs. Does that mean they still go out but the administrator does not get notified?
 
You have to turn OFF the NDR and Out of Office to the internet. They are in the internet mail connector.
The admin gets notified.

Marc
 
I already have Disable Automatic replies to the Internet disabled. I do not see a property box to "Turn OFF NDR" on the Internet Mail connector. I do see how I can eliminate notifications. I have looked in Help and do not see this as an option. Thanks for your help.
 
Something I saw today was relating to a bug found in Exchange server that if you have the guest account enabled spammers can use exchange to send mail without knowing the password! Best plan is to disable the guest account completely.

This doesn't apply to Exchange 2003

see the following for more details:

 
Thanks for the info. I will read the article, but the guest account is disabled.
 
Have you tested (double checked) the open relay by using telnet?




1. Click Start, click Run, type telnet, and then click OK.

2. At the Telnet command prompt, type set local_echo, and then press ENTER.

3. At the Telnet command prompt, type open your_mailserver 25, and then press ENTER (where your_mailserver is the external public IP address of the Small Business Server computer).


The output is similar to the following:

220 your_mailserver Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at "date" -0500


4. Type ehlo anydomain.com, and then press ENTER (where anydomain is not the Exchange server's e-mail domain). Make sure that the last line is:

250 OK

5. Type mail from:youremail@anydomain.com, and then press ENTER (where youremail@anydomain is an SMTP address that is not hosted on your exchange server). Make sure that the result is:

250 2.1.0 youremail@anydomain.com....Sender OK

6. Type rcpt to:user@spam.com, and then press ENTER (where user@spam is not your e-mail domain). Make sure that the result is one of the following two responses:

550 5.7.1 Unable to relay for user@spam.com

-or-

250 2.1.5 user@spam.com

Hopefully it is still showing a 550 error.
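
Added example (not part of any post in this thread): a Python helper that reads a pasted telnet session like the one in the steps above and classifies the server from the RCPT TO reply. It treats a 250 for a recipient in your own domain as normal inbound delivery rather than relaying, and handles multi-line replies. It assumes the session was typed from an outside, unauthenticated client; the hostname `mail.example.test`, the function names and the sample sessions are constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # code, '-' = continuation, text
RCPT = re.compile(r"^rcpt to:\s*<?([^<>\s]+)>?", re.I)

def rcpt_replies(transcript):
    """Yield (recipient, code, text) for each RCPT TO in a pasted session."""
    pending = None
    for raw in transcript.splitlines():
        line = raw.strip()
        cmd, reply = RCPT.match(line), REPLY.match(line)
        if cmd:
            pending = cmd.group(1).lower()
        elif reply:
            # Only the final line of a multi-line reply ("250 ", not "250-") counts.
            if reply.group(2) == " " and pending:
                yield pending, int(reply.group(1)), reply.group(3)
                pending = None
        elif line:
            pending = None  # a different command was typed

def relay_verdict(transcript, local_domains):
    """Return 'open', 'closed' or 'inconclusive' for an outside test session."""
    local = {d.lower() for d in local_domains}
    verdict = "inconclusive"
    for rcpt, code, _text in rcpt_replies(transcript):
        if rcpt.rpartition("@")[2] in local:
            continue  # mail for your own domain is inbound delivery, not relay
        if 200 <= code < 300:
            return "open"  # outside sender, outside recipient, accepted
        if 500 <= code < 600:
            verdict = "closed"  # e.g. 550 5.7.1 Unable to relay
    return verdict  # no 2xx/5xx for an external RCPT leaves it inconclusive

# Constructed sample sessions (hostname and domains are placeholders).
CLOSED = """220 mail.example.test Microsoft ESMTP MAIL Service ready
ehlo anydomain.com
250-mail.example.test Hello
250 OK
mail from:youremail@anydomain.com
250 2.1.0 youremail@anydomain.com....Sender OK
rcpt to:user@spam.com
550 5.7.1 Unable to relay for user@spam.com
"""
OPEN = CLOSED.replace("550 5.7.1 Unable to relay for", "250 2.1.5")
LOCAL_ONLY = OPEN.replace("user@spam.com", "staff@example.test")

if __name__ == "__main__":
    for name, session in (("CLOSED", CLOSED), ("OPEN", OPEN), ("LOCAL_ONLY", LOCAL_ONLY)):
        print(name, relay_verdict(session, ["example.test"]))
```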
 
MochaResearch, I did follow your instructions and I still did get the 550 error at the end. However, my IMS queue in Exchange 5.5 is filling with all sorts of senders I've never heard of. Do I have a problem? On my Routing Tab for the IMS, I have it set to 'Reroute incoming SMTP mail sent to <my domain> with Routing Restrictions set to Hosts and clients that successfully authenticate.
 
Do you have examples of the logs you are seeing (maybe temporarily turn full logging on to gather further information)?

One obvious thing here is if you have any accounts on your server with weak passwords, e.g. user: test password: test or other weak combinations, then spammers may then successfully authenticate and use Exchange to send mail.

You can use @stake LC4 to do password audits - it's very eye-opening. Make sure you instigate a reasonable password policy.

Let us know how you get on.
 
Hi everybody. My Exchange server 5.5, Service Pack 4 and add-ons, is well configured (Internet Mail Service, choose Routing, click Routing Restrictions, activate "Hosts and clients with these IP addresses"; I didn't add any IP address), but it is still relaying, or that is what I think, because using telnet I can send mails from a nonexistent mailbox. User Guest is disabled.
Any hint?



 
Hi naish84 (and all others),

We too seem to be open for relaying, as I see numerous recipients as well, see this example....

--------------------------------------
From: ÀÚ°ÝÁõÃëµæ [license7@yahoo.com]
To: young-jerry@yahoo.co.kr
Cc:
Subject: (±¤°í) °øÀÎÁß°³»ç ¹«·á¼öÇèÁ¤º¸ ¹× ±âÃâ¹®Á¦ Á¦°ø..@ orerw q rbms vj s
--------------------------------------

In the returned NDR, we get....

The following recipients did not receive the attached mail. Reasons are listed with each recipient:

<license7@yahoo.com> license7@yahoo.com
MSEXCH:IMS:Company:Company:MAILSRV 3553 (000B09AA) 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1)

The message that caused this notification was:
---------------------------------------

I tried your instructions above...
well go to the internet mail service, and choose routing (you have to be installed service pack 3 or later) click routing restrictions activate "host and clients with these ip-adresses. the trick is that you don't add any ip adres.
your relay is now closed forever..
----------------------------

This worked just fine, but it blocked 'all' inbound mail from the internet, even legitimate email for our employees. Is this what is supposed to happen? Or did I do something wrong or miss something?

I appreciate any replies.

Thanks
Ryan
 
Hi naish84 (and all others),

We too seem to be open for relaying, as I see numerous unknown senders as well in our NDR's, see this example....

--------------------------------------
From: ÀÚ°ÝÁõÃëµæ [license7@yahoo.com]
To: young-jerry@yahoo.co.kr
Cc:
Subject: (±¤°í) °øÀÎÁß°³»ç ¹«·á¼öÇèÁ¤º¸ ¹× ±âÃâ¹®Á¦ Á¦°ø..@ orerw q rbms vj s
--------------------------------------

In the returned NDR, we get....

The following recipients did not receive the attached mail. Reasons are listed with each recipient:

<license7@yahoo.com> license7@yahoo.com
MSEXCH:IMS:Company:Company:MAILSRV 3553 (000B09AA) 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1)

The message that caused this notification was:
---------------------------------------

I tried your instructions above...
well go to the internet mail service, and choose routing (you have to be installed service pack 3 or later) click routing restrictions activate "host and clients with these ip-adresses. the trick is that you don't add any ip adres.
your relay is now closed forever..
----------------------------

This worked just fine, but it blocked 'all' inbound mail from the internet, even legitimate email for our employees. Is this what is supposed to happen? Or did I do something wrong or miss something?

I appreciate any replies.

Thanks
Ryan
 