Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

RELAY?? But I fixed it already!..now what? 30

Status
Not open for further replies.

POSAPAY

IS-IT--Management
Jul 27, 2001
192
HU
Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter
 
I have the problem with getting a ton of messages in my oubound queues from <>. It seems these are coming from the exchange server itself as replies for non delivereable recipients. Someone was spamming our servers and the exchange server was just replying to them that there was no such mailbox. We turned on accept only mail from approved senders and the messages decreased immediately.
 
use steps in my previous post and then install:

09 - Q326322enui386.EXE 07/24/2002
10 - Exchange5.5-KB818709-x86-enu.EXE 08/02/2003
11 - Exchange5.5-KB829418-x86-enu.EXE 10/07/2003
12 - Exchange5.5-KB829436-x86-enu.EXE 10/13/2003
13 - Exchange5.5-KB828489-v2-x86-enu.EXE 10/21/2003

now Exchange 5.5 shouuld be patched...
 
I'am doing this treatment :
Open Internet Mail Service in Exchange Administrator, click on the routing tab and make sure your setting is REROUTE INCOMING SMTP EMAIL.
'Sent to' should be YOURDOMAIN.COM and 'route to' should be INBOUND.
Then click on ROUTING RESTRICTIONS and UNcheck the box next to 'Hosts and Clients that successfully authenticate'
and CHECK the box next to 'Hosts and Clients with these IP Addresses:'. LEAVE THAT BOX BLANK!

restart the IMS, and everything back normally!!!!
 
aeh, me too solve the problem with your treatment
did u understand why it works?
 
this log was find after the treatment:
Refused to relay <benteski@netzero.net> for 23397.bhz.virtua.com.br (200.167.233.97). Client was authenticated as \backup.

what is \backup?
 
\backup is the local account the hacker is logging in as. Check your machines. find and disable this account.

This process works because you are essentially closing all relay doors by allowing only certain addresses, but adding no addresses to the sucessfully authenticate area.

Hope this helps,
Corie
 
Hello you have an open relay. Go to and search for document id # 7696
Do all things and ensure you do the telnet test to make sure you have set it right.
As well you may notice that you will be blacklisted on DNS and email lists due to this problem. Correct it as fast as you can
peace.
 
Excerpt from the winnetmag article
"What the Microsoft article and online Help don't spell out is that when you select a routing restriction, you can choose not to enter any IP information. The trick is that you can select the Hosts and clients with these IP addresses check box but not specify any IP addresses. Unless you have a specific need to have your Exchange server relay, don't enter any IP addresses on this page. This selection changes the rules that the IMS uses when evaluating the SMTP protocol. Instead of letting the IMS accept the RCPT TO specification blindly, this selection causes the IMS to check for local delivery before letting it upload a message. If the recipient isn't local, the IMS will return 550 Relaying prohibited"

;-)
 
caution.jpg


lol had to do it :)
 
I know this is a litle late because you probably have your problem solved by now but if you still need a little help and have a little money to spend try the Barracuda Spam Firewall. I was having the same problem with the message queues getting thousands of messages a day and since I installed the Barracuda that has stopped. It also has a lot of other great features that are helpful in the age of spamming.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top