Exchange 2003 Open Relay 5


dearingkr

MIS
Feb 13, 2001
656
US
Need some help please.
I don't have any hair left...pulled it all out.

I have a brand new clean install of Exchange 2k3 on a new install of Windows 2k3. I have only added 2 user accounts so far.

My problem is that my server is an Open Relay!

According to MS, it's not supposed to relay by default.
I've tried everything on the MS web site (for Exchange 2k), and nothing helps.
 
What evidence leads you to conclude that it is an open relay? By default, authenticated users are the only ones that can relay through exchange 2003. Precisely because they are authenticated the relay is not, by definition, open.

To test to see if you are an open relay, try ordb.org.

 
1. The SMTP Virtual Server queue is filling up with bounced messages.
2. Many of the emails that are stacking up are to domains I've never heard of.
3. I have been blacklisted by at least one ISP.


FYI...The 2 users I created have only sent about 3 test messages. No other emails have been sent!

Right now I have outbound mail disabled, having ORDB.ORG test while I'm disabled would be inaccurate.
 
This is typical of many of the virii currently in circulation. They spoof the from address and an innocent party gets all the NDRs. The NDRs will be for your domain, but the users may or may not exist. It's annoying, but it doesn't mean you are an open relay. It doesn't even mean that anyone in your org is infected. It does mean that someone in the world that once received an email from someone in your org is infected.



Contact the one ISP that has you blacklisted and find out why. Many times it's simply a DNS configuration issue that gets you blacklisted. You can test your DNS at dnsstuff.com.
 
Perhaps you misunderstood me...

My virtual SMTP server queue is filling up.

This queue is for OUTBOUND connections!

There are no users on my network yet, only me. The only 2 accounts that are set up are for testing purposes. And I sure as heck didn't send these emails.
 
The sender spoofs the from address, and the NDR comes to your domain. Since the spoofed sender doesn't exist in your domain, you send out an NDR to the NDR. I suspect if you look at the messages in your outbound queues, they'll all be NDRs.

 
It is possible that someone has compromised an account on your system. See Thread858-713155 or Thread858-657670 for more information on this.
 
XMSRE,
I see what you're talking about now...
I'll check the messages to see if they are all NDR's.
Although that doesn't explain why RoadRunner blacklisted me.

CROBIN1,
I suspected that before. That is one of the reasons I flat-lined my original installation (Win2k/Ex2k, tried upgrading to Win2k/Ex2k3).
 
Run the DNS tests and hopefully you'll find the answer.

 
I've checked my queue, you're right, they are all NDR's.

Now I just have to figure out why RoadRunner has blacklisted me...they have not answered my emails.
 
I was on the phone with a Microsoft tech just the other night for a different issue, but we touched on the NDR spamming subject and he showed me a solution.

Open ESM, and expand Global Settings, go to Message Delivery and display its property page. On the Recipient Filtering Tab, check the box labeled "Filter recipients who are not in the Directory".

When you click OK you will get a message that you have to manually enable the filter in the SMTP server VS, that's OK, that's the next step.


Go to your SMTP Virtual Server, and open its property page. On the General Tab, click the Advanced button. Select your server's IP address and click Edit, and check the "Apply Recipient Filter" box. Click OK to close all the property pages.

Now you will need to stop and restart the SMTP service.

If you have a bunch of those NDR spam emails in your SMTP queue, it will take a few minutes for the SMTP Server to start up again. Be patient. Wait at least five minutes before doing anything rash.

This configuration will cause the SMTP server to decline mail to <bogus-user>@yourdomain.dom and relay attempts like anyuser@some-other.domain.

After a few days you should see that the number of SMTP queues is way down! Then check and clear out your badmail folder.

JBL
 
try going to your default SMTP server/Access/relay and take the check mark out of allow all computers which successfully authenticate to relay regardless of the list below. Also go to users and remove any names in the box.
 
Okay after reading the above, I did the fix that jblewis suggested, and then decided to test my brand new out of the box E2K3 server, I went to ORDB.org and submitted a test, this is what they said:

This is an automatically generated mail from ORDB.org.

Your submitted host XXX.XXX.XXX.XXX has been classified as an open relay and is now stored in our database.

If you in any way appreciate this information we welcome donations of any amount, be they small or large, to cover some of the expenses associated with development and maintenance of ORDB. is the place to go.

This email is sent from an unattended mailbox, so please do not reply to it. To find information about how to contact ORDB.org, please visit
Have a nice day, thank you for using ORDB.org.

PS. Need this mail translated? Have a look at:

----

Have a nice day! Not! So now I am not sure why my box would be considered an open relay if I did the above suggestion from jblewis, and E2K3 is supposed to be configured NOT to be an Open Relay from the get-go?

Any help would be greatly appreciated. I am now going to try and figure out how I get off their list.

Regards,
Jim
 
I did the test, and failed miserably. They (ORDB.org) are right, I am an OPEN RELAY! I have made no changes to my Server, except the one suggested by jblewis. I am not quite sure why things would be different on my server.

I read the article, it seems that I am going to have to enter filtering for all known addresses?

Help!

TIA,
Jim
 
No, just the telnet to port 25 test to see if you get the relay denied. If you do get relay denied, submit your server to be removed from the database. If not, you have a configuration issue.

 
Sorry, I may have been confusing there, I did the telnet test, and I got 250 2.1.5 advertiser123@yahoo.com - basically there was no "Relay Denied" message.
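The telnet-to-port-25 check discussed in the last two posts, scripted so you can repeat it against your own server and read the result mechanically (an added example, not code from the thread). The names socket_io, scripted_io and relay_test are my own, the two dialogues are constructed rather than captured from any real host, and the 550 5.7.1 "Unable to relay" line is the reply a correctly locked-down Exchange virtual server gives in place of the 250 2.1.5 the poster saw.

```python
import socket

def socket_io(host, port=25, timeout=15):
    """read/send closures over a real TCP connection; use it on a server you administer."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")
    def read_reply():  # multi-line replies: "250-..." continues, "250 ..." ends
        while True:
            line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3] or 0), line  # 0 on EOF / empty line
    def send(cmd):
        sock.sendall((cmd + "\r\n").encode("ascii"))
        return read_reply()
    return read_reply, send

def scripted_io(replies):
    """read/send closures that replay canned replies so the check can run offline."""
    queue = list(replies)
    def read_reply():
        line = queue.pop(0)
        return int(line[:3]), line
    return read_reply, lambda cmd: read_reply()

def relay_test(io, helo="relaycheck.example", mail_from="probe@example.org",
               rcpt_to="someone@example.net"):
    """Unauthenticated MAIL FROM / RCPT TO for a foreign domain, as in the telnet test.
    Returns (open_relay, reply): True = RCPT accepted, False = refused, None = never got there."""
    read_reply, send = io
    code, line = read_reply()  # greeting banner
    if code != 220:
        return None, line
    send(f"HELO {helo}")
    code, line = send(f"MAIL FROM:<{mail_from}>")
    if code != 250:
        send("QUIT")
        return None, line
    code, line = send(f"RCPT TO:<{rcpt_to}>")  # 250 2.1.5 = accepted; 550 5.7.1 = Unable to relay
    send("QUIT")
    return code == 250, line

# Constructed dialogues (not captured from any real host).
OPEN_RELAY_DIALOGUE = [
    "220 mail.example.com Microsoft ESMTP MAIL Service ready",
    "250 mail.example.com Hello [192.0.2.10]",
    "250 2.1.0 probe@example.org....Sender OK",
    "250 2.1.5 someone@example.net", "221 2.0.0 Service closing transmission channel",
]
DENIED_DIALOGUE = OPEN_RELAY_DIALOGUE[:3] + [
    "550 5.7.1 Unable to relay for someone@example.net", OPEN_RELAY_DIALOGUE[4]]
```

Against a live server call `relay_test(socket_io("your.mail.host"))`; a result of `(True, ...)` means the foreign RCPT TO was accepted without authentication, which is exactly what ORDB was reporting.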
 
You have issues. If this is a new install, and the defaults have not been modified, then I suspect "Everyone" has been added to the "Authenticated Users" group in AD. Don't do that.

 