Hi,
I have a huge problem here (doesn't everyone?!) - I think my Exchange Server is being used to relay spam messages. I have been blocked by various spam filters (e.g. SpamCop) and am having a nightmare trying to find out the source.
In my SMTP message queues I can see lots of messages trying to be sent out to mail@fbi.gov etc. from my postmaster. I think this tells me that some spammer is sending email with a 'from address' of mail@fbi.gov via my server to their intended victims. When the recipient address is wrong, my email server generates an NDR and tries to deliver it back to the from address (which is also fake).
My mail server is not set as an open relay, but I don't really know where to look from here. Some advice is telling me to enable logging on the Exchange Transport service and look for 1708 events (user authentication) in the security log. This is with the thinking that someone has correctly guessed a user account/password on my server and is relaying with authentication. Possible I suppose, but I cannot see any 1708 events yet!
I do not have ANY users connecting remotely; it's a very simple setup. Is there any way I can disable any kind of relaying at all, so only bog-standard locally-connected users can send mail out?
Any advice, or advice on where to look next, would be GREATLY appreciated!
Thanks in advance!
David
Dave Bennett
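One way to check the "authenticated relay" theory from the post is to read the SMTP protocol log rather than the security event log: an authenticated session from an outside address that then delivers to non-local recipients is exactly what a guessed account being used for relaying looks like, while an unauthenticated attempt that is answered with a 5xx confirms the server is not an open relay. The script below is an added example written for this thread, not code from the original poster or from Exchange. It assumes a simplified W3C-style line layout (date, time, client IP, SMTP verb, verb argument, reply code); real Exchange/IIS SMTP logs carry more fields and may order them differently, so FIELDS would need adjusting. The log lines, the LAN ranges in LOCAL_NETS and the local domain in LOCAL_DOMAINS are all constructed for the example.

```python
"""Scan SMTP protocol log lines for authenticated relaying from outside the LAN.

Hypothetical defender's script for the relay question above (not from the
original post). Assumed line layout: date time c-ip cs-method cs-uri-query
sc-status. Real Exchange/IIS SMTP logs have more fields; adjust FIELDS.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed field order of each log line (see docstring).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-query", "sc-status"]

# Assumption: "locally connected" means an RFC 1918 address.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the domains this server accepts mail for (inbound is not relaying).
LOCAL_DOMAINS = {"example.com"}

ADDR_RE = re.compile(r"<([^>]+)>")

# Constructed sample log: a LAN user sending out, an outside host that
# authenticates and relays with a forged mail@fbi.gov sender, and an outside
# host whose unauthenticated relay attempt is refused with 550.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-06-01 10:00:01 192.168.1.20 EHLO - 250
2004-06-01 10:00:02 192.168.1.20 MAIL +FROM:<alice@example.com> 250
2004-06-01 10:00:02 192.168.1.20 RCPT +TO:<bob@partner.test> 250
2004-06-01 10:05:10 203.0.113.77 EHLO - 250
2004-06-01 10:05:11 203.0.113.77 AUTH LOGIN 334
2004-06-01 10:05:12 203.0.113.77 AUTH - 235
2004-06-01 10:05:13 203.0.113.77 MAIL +FROM:<mail@fbi.gov> 250
2004-06-01 10:05:13 203.0.113.77 RCPT +TO:<victim@example.net> 250
2004-06-01 10:05:14 203.0.113.77 RCPT +TO:<victim2@example.org> 250
2004-06-01 10:07:00 198.51.100.9 EHLO - 250
2004-06-01 10:07:01 198.51.100.9 MAIL +FROM:<someone@outside.test> 250
2004-06-01 10:07:01 198.51.100.9 RCPT +TO:<victim@example.net> 550
"""


def parse_lines(text):
    """Turn log text into a list of dicts keyed by FIELDS; skips '#' headers."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # line does not match the assumed layout
        records.append(dict(zip(FIELDS, parts)))
    return records


def is_local(ip):
    """True if the client address falls inside one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def address_in(query):
    """Extract the address from a MAIL/RCPT argument such as '+TO:<x@y>'."""
    m = ADDR_RE.search(query)
    return m.group(1).lower() if m else None


def analyze(text):
    """Report outside clients that relayed mail, and how many attempts were refused.

    Simplification: all lines from one client IP are treated as one session,
    so AUTH success is remembered for every later MAIL/RCPT from that IP.
    """
    sessions = defaultdict(
        lambda: {"authenticated": False, "mail_from": None, "relayed_to": []})
    rejected = 0
    for rec in parse_lines(text):
        s = sessions[rec["c-ip"]]
        method, status = rec["cs-method"].upper(), rec["sc-status"]
        if method == "AUTH" and status == "235":
            s["authenticated"] = True          # 235 = authentication succeeded
        elif method == "MAIL":
            s["mail_from"] = address_in(rec["cs-uri-query"])
        elif method == "RCPT":
            rcpt = address_in(rec["cs-uri-query"])
            if rcpt is None:
                continue
            if rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS:
                continue                       # inbound to us is not relaying
            if status == "250":
                s["relayed_to"].append(rcpt)   # recipient accepted for relay
            elif status.startswith("5"):
                rejected += 1                  # relay refused by the server
    external = {ip: s for ip, s in sessions.items()
                if s["relayed_to"] and not is_local(ip)}
    return {"external_relays": external, "rejected_relay_attempts": rejected}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, s in result["external_relays"].items():
        print(ip, "auth" if s["authenticated"] else "no-auth",
              s["mail_from"], "->", ", ".join(s["relayed_to"]))
    print("refused relay attempts:", result["rejected_relay_attempts"])
```

Run against a real log, an entry under "external_relays" with authenticated set to True points at a credential being used from outside, which is the account to reset; a non-empty list with authenticated False would mean relaying is being permitted without credentials and the relay restrictions themselves need checking.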