Mail relays yet relay is looks closed!

[ReddLefty]

I have a client that has the following problem, yet I'm stumped. I need some input from more knowledgable people in EX2k.

- This server is being used as a relay. The relay queue shows constant traffic.


- The server settings for relaying are set as follows:
= I the SMTP Virtual Server Setting Authentication setting are set to Anonymous, Basic and Intergrated Windows account (all Checked ON)
= The connection Control is All except the list below
= The relay is set to 'Only the list below' and the list is blank. The checkmark for "Allow all computers which successfully authenticate to relay .... " is Checked ON.

Somehow, mail is still being relayed. Any clues what to check? Should we remove the Anonymous in the Access Control Authentication Methods?

All input is welcomed.







"In space, nobody can hear you click..."

 

[Davetoo]

Your settings are correct to prevent relaying.

My question is, what is the source of the mail in your queues?

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.

 

[ReddLefty]

The source is what we are trying to find out. The emails all come threw queue "Messages waiting to be routed"... the number just climbs into the thousands and then the Badmail accumulates.

The logs show many NDR reports. What are the chances that there is an attempted relay being done, but all is failing?




"In space, nobody can hear you click..."

 

[Davetoo]

Open up your SMTP Queues and see who is the source on the messages.

It's quite possible that your server is accepting the mails, but refusing to relay them.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.

 

[ReddLefty]

Ok, will do, but if this source is spamming so much that the relaying (even refusal) is chewing up the Exchange Server. If the source is listed, it's most probably a spoofed domain... how do we stop this source from pouding the server with all this spam mail to relay?



"In space, nobody can hear you click..."

 

[ReddLefty]

I guess I'll have them look at the firewall and track port 25 to their server. Hopefull pin point the IP it's coming from and ban it from the firewall. Then I'll have them report the block to the provider.



"In space, nobody can hear you click..."

 

[ReddLefty]

Great, there are a slew of IPs in the firewall flooding port 25, which means the IPs are masked also.



"In space, nobody can hear you click..."

 

[doomhamur]

If you disconnect from the exhcange box from the network, you will find that you still get the spam coming into the ques. This is because sombody got to the server and put a spam bot on it. the spam application is on your exchange server. - some of the domains will look like yahoo.tw (or other domains with tw - sender will probably be Administrator.

I have seen this, but do not know the fix. or even how to find the spam app.

Good luck

Doomhamur
Network Engineer
"Certifications? we dont need no stinking certifiaction."
yahoo IM handle: greater_vortex

 

[edwados]

Had the exact same problem. Here is how I worked around it. Rename and stop the virtual SMTP server and misconfigure it. Create a new virtual SMTP server and the problem will go away. The only problem I am having is I am unable to delete the original SMTP server. The problem came back after about 5 months when someone rebotted the server. somehow it restarted and reconfigured the original SMTP server and reverted to it. The flood of relays started again. I had to manually stop it. Hope it helps, and if anyone knows how to delete the original virtual SMTP server, please let me know.

 

[ReddLefty]

Spam bot would sound right... I'll look into it and keep you posted.



"In space, nobody can hear you click..."

 

[edwados]

If you stop the virtual SMTP server and disconnect from the network, you will see that the queues will all clear once you restart it. Plug back into the network and the flood starts again. Something is srewed up in the virtual SMTP server, just don't know what and don't know how to delete the freggin thing.

 

[JP2003IT]

Dear folks,

I have the same problem of ReddLefty. Our server is listed in ORDB, our virtual
server configuration is in exactly accordance with Microsoft Tech Net document,
and the traffic is high. The relay test made with various test sites result in
open. Please inform me if have another check and configuration, that isn't
described in the Microsoft document. We are received 500 messages by minute with
virus, it seems attack. What do I do ?

The helps are WELCOME.

Thank you.

 

[evildik]

I am having the same issue... Seems to be a system compromise somehow... Interesting problem cause in hopes of thinking maybe a system file or files got comprised ive reinstalled both the Exchange 2000 SP3 and Windows Service pack3 this has not fixed the problem however... The SMTP Virtual server settings have been applied to NOT allow relaying but the server continues to relay... This is the strangest thing ive seen in a while... Feels like someone is actually reseting the SMTP server to allow relaying...


FRUSTRATED in LA

 

[peterpark]

If you have other Exchange Servers having open relays it will also allow relaying. You could try at the cmd prompt "net stop smtpsvc" and net start smtpsvc after closing all relays. From my experience, it seems to take sometime for the closed relay to take effect. I search thru all the NDRs in the BADMAIL folder relating to the spam mails to check on the IP address they come from. I then block the source IP at the firewall. Spam Bot? That's a scary thought. Glad it haven't happened to me.

 

[ReddLefty]

JP2003IT and evildik,

You are probably being hit by the SoBig.F virus. What you are getting is Non-Delivery Reports that are trying to be delivered and on top of that, replies from remote servers telling you that you are sending a virus, even if your not, cause someone is spoofing email addresses of yours, maybe even to a person that is no longer with the company, creating an additionnal NDR.... There isn't much you can do besides either turning on the Reverse DNS lookup, or emptying out your queue of all the emails that have no originator or destination... basically a <> in the fields. The virus ends on Sept 10th but you will have NDR reports for days to come after that as emails timeout from all over the place.



&quot;In space, nobody can hear you click...&quot;

 

[evildik]

Ive run the SoBig.F@MM Removal tool from Symantec its not that... its amazing irritating SPAMBot makes sense but where would you find it locally? its not in the registry as a startup process and its nowhere to be found... Also stopping the smtp service does not fully stop the problem, a reboot of the server will disallow relaying but after 5 to 10 minutes MAGICALLY it starts relaying again....

 

[ReddLefty]

The removal tool will not help. The problem is not on your server. That is the issue with this virus is that you can't do much to stop it cause it's not your end that is propagating it. Your recieving non-delivery reports (NDRs) because someone is immitating your email addresses (spoofing). When the email gets to the destination, it gets rejected for having a virus and / or have a non-existant reciepient. Most email servers send back a Non-Delivery report to the sender, which is what your getting since it's a spoofed address with your email addresses on it... you get the non-delivery report of something you never sent, but the destination server does not know that... What's even worse, is that the NDR you recieve on a user that does not exist will send ANOTHER NDR to the sender saying that THAT user doesn't exist.... that is why I turned mine off, so it doesn't do that.

In fact, I turned off ALL my automatic replies and delivery reports on my mail servers to try and reduce traffic on both my servers and other company email servers that have been affected by this.



&quot;In space, nobody can hear you click...&quot;

 

[evildik]

Ok I understand that but the I check relaying with a Outlook Express Client. I find it interesting that when i specifically turn off relaying and test relaying with the client RELAYING DOES NOT work... But after about 10 minutes or so I check again with the Outlook Express Client and relaying is magically turned again.. I go into the SMTP Virtual Server Properties and everything is checked accordingly not to allow RELAYING... even more funnier is that when i reboot the server it reverts back to NO RELAYING

 

[ReddLefty]

I do not work with the SMTP Virtual server with IIS, so unfortunatly, I don't know the right settings to keep it from relaying. If you say that you have it set up properly, then that's fine... for the spam bot, an anti-virus software will not pick it up since it's not anything bad as far as viruses or worms go. Make sure that you don't have any easy username / passwords in your local and domain users.

I had a friend that was getting used as a relay and his relay was closed. After searching, we figured out that he had a user / password that matched the companies name (Ex: User:ACMECORP@ACMECORP.COM Pass:ACMECORP). It was easily hacked and used to send out spam. After changing the password and waiting a few hours, the traffic reduced remarkably to eventually stop, after all the NDR reports and stuff came back.

Sorry I can't be of more help.



&quot;In space, nobody can hear you click...&quot;

 

[cajuntank]

I have found a good and cheap MX filtering serive that will filter for both virus and spam before it ever hits you server. Let me know if anyone is interested in pricing.