RELAY?? But I fixed it already!..now what?

Status
Not open for further replies.

POSAPAY (IS-IT--Management) Jul 27, 2001
Hey all,

On my Exchange 5.5 I have set up the routing, as well as only accept from authenticated sources.
Running McAfee GroupShield 5.

Yet currently the queue is full with like 400-800 e-mails spinning through it constantly.
The destination is random, the origin is "bluestell__@_______.___".
The underscores are random characters.
Right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
It starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net, etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter
 
devastator (IS/IT--Manageme) Dec 2, 2003
Sorry if you may have stated this before but I don't see it. Do you have POP accounts outside? If not you can unselect the option for successful authentication. If you do use POP, have you tried to block or not allow relaying to 200.223.8.81, which is veloxzone.com.br? Is this the domain that is always authenticating?
 
Actually I do have POP accounts outside of the building. And unfortunately if veloxzone.com.br was the only domain hitting us I'd just ban them. But unfortunately I'm getting hit from about 50000000 directions at once. I've been watching carefully, the messages are all the same, so they are coming from the same place but are bouncing their way through to me differently.
 
Check these settings:
Open Internet Mail Service in Exchange Administrator, click on the routing tab and make sure your setting is REROUTE INCOMING SMTP EMAIL.
'Sent to' should be YOURDOMAIN.COM and 'route to' should be INBOUND.
Then click on ROUTING RESTRICTIONS and UNcheck the box next to 'Hosts and Clients that successfully authenticate'
and CHECK the box next to 'Hosts and Clients with these IP Addresses:'. LEAVE THAT BOX BLANK!

Restart IMS and that should end the relaying problem you're having.

Next you need to find that account. Check every server in your domain for local and network accounts, it's somewhere.

Open a telnet session and test your setting for relaying.
You can test by typing the following at a command prompt:

telnet [servername] [25]

where [servername] is the name of your Exchange server and [25] is the port it runs on. The Exchange server will respond with a message similar to '220 host.domain.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready'.

Then enter the following commands. The commands are case-sensitive, and the punctuation (e.g., colons, angle brackets—< >) is important, so include all the marks.

1. Type
HELO me
The server will respond with 250 OK and possibly identify your IP address and your host name.

2. Type
MAIL FROM: someaddress@somedomain.com
Again, the server will respond with 250 OK.

3. Type
RCPT TO: nobody@afakedomain.com
The server will respond with 550 Relaying prohibited.

4. Using a valid address from your GAL, type
RCPT TO: thegaladdress@yourdomain
The IMS will reply with 250 OK when it accepts the address.

5. To close the session, type
QUIT


If you do not get the 550 RELAYING PROHIBITED message, you need to try again.


Hope this helps,

Corie
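The same HELO / MAIL FROM / RCPT TO probe, scripted, as an added example that is not part of Corie's post or of Exchange itself. `check_relay` talks to any SMTP server through a pair of file objects and reports the reply code for a foreign recipient and for a GAL recipient; `fake_ims` is a constructed stand-in that answers the way the post says the IMS should (550 for a foreign domain, 250 for a local one) so the script can be exercised offline. The addresses and the `me` HELO name come from the post; the host names, the `relay_open` switch and the `yourdomain.com` local domain are assumptions.

```python
"""Scripted version of the telnet relay test from the thread (added example)."""
import socket
import sys
import threading


def _read_reply(rfile):
    """Read one SMTP reply; multi-line replies continue while the 4th char is '-'."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) < 4 or text[3] != "-":
            break
    return lines[-1][:3], "\n".join(lines)


def _command(rfile, wfile, cmd):
    """Send one command line and return (reply code, full reply text)."""
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    return _read_reply(rfile)


def check_relay(rfile, wfile, gal_address, helo_name="me"):
    """Run the post's sequence: HELO, MAIL FROM, a foreign RCPT TO, a GAL RCPT TO, QUIT."""
    code, banner = _read_reply(rfile)  # the 220 greeting
    if code != "220":
        raise RuntimeError("unexpected greeting: " + banner)
    _command(rfile, wfile, "HELO " + helo_name)
    _command(rfile, wfile, "MAIL FROM: <someaddress@somedomain.com>")
    foreign_code, foreign_text = _command(rfile, wfile, "RCPT TO: <nobody@afakedomain.com>")
    local_code, _ = _command(rfile, wfile, "RCPT TO: <%s>" % gal_address)
    _command(rfile, wfile, "QUIT")
    return {
        "banner": banner,
        "foreign_rcpt": foreign_code,   # should be 550
        "foreign_reply": foreign_text,
        "local_rcpt": local_code,       # should be 250
        "open_relay": foreign_code.startswith("2"),
    }


def fake_ims(conn, local_domain, relay_open=False):
    """Constructed stand-in for the IMS (not the real product), run in a thread."""
    rfile = conn.makefile("rb")
    wfile = conn.makefile("wb")

    def say(text):
        wfile.write((text + "\r\n").encode("ascii"))
        wfile.flush()

    say("220 host.domain.com ESMTP Server (constructed stand-in) ready")
    while True:
        line = rfile.readline()
        if not line:
            break
        cmd = line.decode("ascii", "replace").strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "RCPT":
            rcpt = cmd.split(":", 1)[1].strip().strip("<>")
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if relay_open or domain == local_domain:
                say("250 OK - Recipient <%s>" % rcpt)
            else:
                say("550 Relaying prohibited")
        elif verb == "QUIT":
            say("221 closing connection")
            break
        else:
            say("250 OK")
    wfile.close()
    rfile.close()
    conn.close()


def run_demo(relay_open=False):
    """Exercise check_relay against the stand-in over a socket pair (offline)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_ims, args=(server, "yourdomain.com", relay_open))
    worker.start()
    rfile = client.makefile("rb")
    wfile = client.makefile("wb")
    try:
        result = check_relay(rfile, wfile, "thegaladdress@yourdomain.com")
    finally:
        wfile.close()
        rfile.close()
        client.close()
    worker.join()
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(run_demo())  # offline demonstration against the stand-in
    else:
        # python relaycheck.py <your-exchange-server> <gal-address>
        sock = socket.create_connection((sys.argv[1], 25), timeout=30)
        with sock.makefile("rb") as r, sock.makefile("wb") as w:
            print(check_relay(r, w, sys.argv[2]))
```

With no arguments the script runs against the stand-in; with a server name and a GAL address it runs the same sequence against your own server. `open_relay` is True exactly when the foreign recipient was accepted, which is the case the post says means the routing restrictions still need work.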
 
That will stop the relaying, but his POP accounts won't be able to authenticate and log on.
 
I'm having a similar problem.. I have made sure of all those settings, but now I'm getting spammers who are typing abcd@mydomain.com and trying to send spam that way.

Below is taken from the log file.

12/3/03 12:34:31 PM : A connection was accepted from u1056535.ul.warwick.net.
12/3/03 12:34:32 PM : <<< IO: |HELO u1056535.ul.warwick.net
|
12/3/03 12:34:32 PM : <<< HELO u1056535.ul.warwick.net
12/3/03 12:34:32 PM : >>> 250 OK

12/3/03 12:34:33 PM : <<< IO: |MAIL FROM: <bb5zilaed@yahoo.com>
|
12/3/03 12:34:33 PM : <<< MAIL FROM: <bb5zilaed@yahoo.com>
12/3/03 12:34:33 PM : >>> 250 OK - mail from <bb5zilaed@yahoo.com>

12/3/03 12:34:33 PM : <<< IO: |RCPT TO: <mlegare@mydomain.com>
|
12/3/03 12:34:34 PM : <<< RCPT TO: <mlegare@mydomain.com>
12/3/03 12:34:34 PM : >>> 250 OK - Recipient <mlegare@mydomain.com>

12/3/03 12:34:34 PM : <<< IO: |RCPT TO: <vimal@mydomain.com>
|
12/3/03 12:34:34 PM : <<< RCPT TO: <vimal@mydomain.com>
12/3/03 12:34:34 PM : >>> 250 OK - Recipient <vimal@mydomain.com>

12/3/03 12:34:35 PM : <<< IO: |RCPT TO: <sill@mydomain.com>
|
12/3/03 12:34:35 PM : <<< RCPT TO: <sill@mydomain.com>
12/3/03 12:34:35 PM : >>> 250 OK - Recipient <sill@mydomain.com>

12/3/03 12:34:36 PM : <<< IO: |DATA
|
12/3/03 12:34:36 PM : <<< DATA
12/3/03 12:34:36 PM : >>> 354 Send data. End with CRLF.CRLF

12/3/03 12:34:37 PM : <<< IO: |Received: from [173.239.220.205] by u1056535.ul.warwick.net SMTP id UNwRco6FIjJRC5; Wed, 03 Dec 2003 21:42:21 +0100
Message-ID: <rx$bzw$v9z$95-p$74-l@qtc.a.dtl.0aq>
From: "Frank Bradford" <bb5zilaed@yahoo.com>
Reply-To: "Frank Bradford" <bb5zilaed@yahoo.com>
To:
Subject: NEW Soma.a Vicodin.n Valium.m Xanax.x ynxkiae ry
Date: Wed, 03 Dec 03 21:42:21 GMT
X-Mailer: MIME-tools 5.503 (Entity 5.501)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=".6331A9A619E_A7..26_CCFD"
X-Priority: 3
X-MSMail-Priority: Normal
|
12/3/03 12:34:38 PM : <<< IO: |

--.6331A9A619E_A7..26_CCFD
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Many Specials running this week

(Blah Blah Blah normal spam message)

|12/3/03 12:34:38 PM : >>> 250 OK
12/3/03 12:34:39 PM : <<< IO: |QUIT
|12/3/03 12:34:39 PM : <<< QUIT
12/3/03 12:34:39 PM : >>> 221 closing connection


** These recipients are not valid on my servers nor on the Exchange server. So they are coming back as invalid addresses. This then creates a ton of NDRs; I've gone through and disabled them. But they still fill up the outbound queue. Since the outbound queue is getting backed up, this prevents any normal outbound messages from being delivered. How can I stop this on my server? **
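To measure the problem Sean describes from the log rather than from the queue, here is an added example (not from the thread and not an Exchange tool) that parses lines in the format quoted above into SMTP sessions and then reports two things: recipients in your own domain that the IMS answered with 250 but that are not in the GAL (each of those turns into an NDR once the store rejects it), and RCPT TO commands for foreign domains together with the code they received, so an accepted one stands out. The sample log is constructed in the same format with made-up host names and sender; `parse_imc_log` skips the `<<< IO:` trace duplicates and the `|` continuation lines.

```python
"""Parse an IMS log excerpt and measure NDR and relay exposure (added example)."""
import re

# Constructed sample in the format of the log quoted in the post; hosts and sender are made up.
SAMPLE_LOG = """\
12/3/03 12:34:31 PM : A connection was accepted from dialup-1056535.example.net.
12/3/03 12:34:32 PM : <<< IO: |HELO dialup-1056535.example.net
|
12/3/03 12:34:32 PM : <<< HELO dialup-1056535.example.net
12/3/03 12:34:32 PM : >>> 250 OK
12/3/03 12:34:33 PM : <<< MAIL FROM: <forged.sender@example.com>
12/3/03 12:34:33 PM : >>> 250 OK - mail from <forged.sender@example.com>
12/3/03 12:34:34 PM : <<< RCPT TO: <mlegare@mydomain.com>
12/3/03 12:34:34 PM : >>> 250 OK - Recipient <mlegare@mydomain.com>
12/3/03 12:34:34 PM : <<< RCPT TO: <vimal@mydomain.com>
12/3/03 12:34:34 PM : >>> 250 OK - Recipient <vimal@mydomain.com>
12/3/03 12:34:35 PM : <<< RCPT TO: <sill@mydomain.com>
12/3/03 12:34:35 PM : >>> 250 OK - Recipient <sill@mydomain.com>
12/3/03 12:34:36 PM : <<< DATA
12/3/03 12:34:36 PM : >>> 354 Send data. End with CRLF.CRLF
|12/3/03 12:34:38 PM : >>> 250 OK
12/3/03 12:34:39 PM : <<< QUIT
12/3/03 12:34:39 PM : >>> 221 closing connection
12/3/03 12:40:02 PM : A connection was accepted from mail.example.org.
12/3/03 12:40:02 PM : <<< HELO mail.example.org
12/3/03 12:40:02 PM : >>> 250 OK
12/3/03 12:40:03 PM : <<< MAIL FROM: <friend@example.org>
12/3/03 12:40:03 PM : >>> 250 OK - mail from <friend@example.org>
12/3/03 12:40:03 PM : <<< RCPT TO: <sean@mydomain.com>
12/3/03 12:40:03 PM : >>> 250 OK - Recipient <sean@mydomain.com>
12/3/03 12:40:04 PM : <<< RCPT TO: <nobody@afakedomain.com>
12/3/03 12:40:04 PM : >>> 550 Relaying prohibited
12/3/03 12:40:05 PM : <<< QUIT
12/3/03 12:40:05 PM : >>> 221 closing connection
"""

# Timestamp prefix as it appears in the post; anything else (e.g. a lone "|") is a continuation.
LINE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{2,4} \d{1,2}:\d{2}:\d{2} [AP]M : (?P<rest>.*)$")
CONNECT_PREFIX = "A connection was accepted from "


def parse_imc_log(text):
    """Return a list of sessions: {'host', 'mail_from', 'rcpts': [(addr, reply code)]}."""
    sessions = []
    cur = None
    pending = None  # last client command still waiting for its server reply
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith(CONNECT_PREFIX):
            cur = {"host": rest[len(CONNECT_PREFIX):].rstrip("."), "mail_from": None, "rcpts": []}
            sessions.append(cur)
            pending = None
        elif cur is None or rest.startswith("<<< IO:"):
            continue  # the IO trace repeats the parsed "<<< " line, so only count the latter
        elif rest.startswith("<<< "):
            verb, _, arg = rest[4:].partition(" ")
            verb = verb.upper()
            if verb in ("RCPT", "MAIL"):
                pending = (verb, arg.partition(":")[2].strip().strip("<>"))
            else:
                pending = (verb, None)
        elif rest.startswith(">>> ") and pending is not None:
            code = rest[4:7]
            verb, addr = pending
            if verb == "RCPT":
                cur["rcpts"].append((addr, code))
            elif verb == "MAIL" and code.startswith("2"):
                cur["mail_from"] = addr
            pending = None
    return sessions


def accepted_invalid_recipients(sessions, local_domain, gal):
    """Local-domain recipients accepted with 2xx that are not in the GAL: future NDRs."""
    suffix = "@" + local_domain.lower()
    known = {a.lower() for a in gal}
    return [(s["host"], s["mail_from"], addr) for s in sessions
            for addr, code in s["rcpts"]
            if code.startswith("2") and addr.lower().endswith(suffix) and addr.lower() not in known]


def relay_attempts(sessions, local_domain):
    """Every RCPT TO for a domain other than ours, with the code the server gave it."""
    suffix = "@" + local_domain.lower()
    return [(s["host"], addr, code) for s in sessions
            for addr, code in s["rcpts"] if not addr.lower().endswith(suffix)]


def summarize(text, local_domain, gal):
    """One report: session count, NDR exposure, relay attempts and any that got through."""
    sessions = parse_imc_log(text)
    attempts = relay_attempts(sessions, local_domain)
    return {
        "sessions": len(sessions),
        "ndr_exposure": accepted_invalid_recipients(sessions, local_domain, gal),
        "relay_attempts": attempts,
        "relay_accepted": [a for a in attempts if a[2].startswith("2")],
    }


if __name__ == "__main__":
    # The GAL here is constructed; on a real server export the valid addresses instead.
    print(summarize(SAMPLE_LOG, "mydomain.com", {"sean@mydomain.com"}))
```

Running it on the sample reports three accepted-but-invalid recipients from the dial-up host (the NDR backlog Sean describes) and one foreign RCPT TO that was correctly refused with 550. Pointed at a day of `imcdata` logs with the real GAL, the `ndr_exposure` count is the number of bounces the server is about to generate.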

 
Your server will accept everything to your domain, including false addresses. Your only options are to turn off NDRs in Exchange, or find 3rd party software where you can plug in just your valid addresses on your Exchange server, or upgrade to Exchange 2003, which now allows this and some other filtering.
 
Try Open Relay Filter from Vampsoft, it can work with AD and prevent SMTP sessions to non-existing users.
 
But doesn't the Open Relay Filter only work with 2000 and higher? I'm running 5.5.
 
Ignore the previous post; I found the information on the Vampsoft site talking about using the program with 5.5. But one other question: I've been seeing others talking about Exchange verifying the recipient's address by looking at the GAL list? Where is this set up within Exchange? If I could prevent messages from coming in to users who aren't on the list, this would help reduce my problem.

Thanks,
Sean
 
Are you hosting your own SMTP mail or are you using the POP3 connector?
 
I'm hosting my own.

Now I'm also on Spamcop.net's blacklist.

I migrated completely to Exchange 2003 last night & managed to find the \backup account in question; it was actually an old BackupExec service account that was set up on one of our remote branches (Trusted Domain with VPN access). I've disabled the account now & no new mail seems to be coming in, but I've still got this MASSIVE queue to empty.

Does anyone know of any quick ways to get off of everyones blacklists?

Nuerodancer
 
Go to and search out document id 7696.
Follow all the steps that start after the heading "Making the changes" to the letter (in the last paragraph there is a section that refers to checking a box in the routing restrictions; DO THIS!! It will cause the MTA to check the local GAL for local delivery). Microsoft fails to mention the last point.

Test it with the "Confirming the configuration" section of the document > Important!!
Once you confirm, get the same results and pass the telnet test, then visit the site below. Key in the IP address of your server and search. You will have to visit each and every site and request removal from the open relay and DNS blacklists.

 
I've read Doc 7696 on winnetmag.com and have made sure that the settings are correct. But when I test to see if the GAL is being checked, if I type blah@mydomain.com it still comes back with a 250 OK message.

I need 5.5 to basically reject a message that is being sent to a valid recipient. Maybe this isn't possible with 5.5.

Thanks,
Sean
 
I have solved this, at least temporarily, on my system. I used the tools mentioned here, and one important additional idea. You may need to know our system configuration.

We host our own email server, but not our web site. We do NOT use OWA for outside emails. Our remote folks authenticate using ports 110 and 25 for the mail server.

Our firewall had been allowing port 80 to be used by the spammer to put outbound emails on our Exchange system. I don't understand how they could have done this using port 80, but read on. So, I closed port 80 from all traffic initiated from OUTSIDE our network. Anything that is initiated from INSIDE our system OUTBOUND goes without a hitch. However, anything that ORIGINATES from an external IP address is refused and effectively killed.

We've been spam free for the past 2 days now, and it was like I flipped a switch. There are no longer thousands of emails in the outbound queue. Only those that have JUST been sent by our authenticated users.

The disclaimer is this. It may not work for you as well as it did for me, but this is just another way you can try to stop the flood...

Hope this helps someone.....
 
Hi,
I have the same problem with a lot of outbound mail from my Exchange Server 5.5. I have already removed a few thousand queued messages. However, now I am facing the worst situation: the Internet Mail Service fails to start, which means I can't even get into the queue in the Internet Mail Service at all. I can't remove queued messages anymore, and there is still a lot of outbound mail via the Exchange server according to the Microsoft Exchange Server IMS Queues status chart. Can anyone please help me out?? I have tried everything to bring up the Internet Mail Service, such as changing the administrator password, disabling unused accounts, reinstalling the Windows service packs and reinstalling Exchange Server 5.5 Service Pack 4. None of them helped at all. Now I just sit here and hope someone could help me clean up the queue.

HELP~~~~
 
What error is showing up in your event log?
If you're getting error 4003 or 4020, do this:

RESOLUTION
To resolve this behavior, remove the TCP/IP protocol, reinstall the TCP/IP protocol, and then reapply the latest Microsoft Windows NT 4.0 service pack and the latest Exchange Server 5.5 service pack:
1 On the Windows taskbar, click Start, point to Settings, and then click Control Panel.
2 In Control Panel, double-click Network, and then click the Protocols tab.
3 In the Protocols properties page, click TCP/IP Protocols, and then click Properties. Record the settings from the TCP/IP properties page.
4 In the Protocols properties page, click TCP/IP Protocols, click Remove, click OK, and then restart the Exchange Server computer.
5 On the Windows taskbar, click Start, point to Settings, and then click Control Panel.
6 In Control Panel, double-click Network, and then click the Protocols tab.
7 In the Protocols properties page, click Add, click TCP/IP, and then click OK.
8 Configure the TCP/IP protocol, using the settings you noted in Step 3, and then restart the Exchange Server computer.
9 Apply the latest Windows NT 4.0 service pack and the latest Exchange Server 5.5 service pack. Restart the Exchange Server computer.
10 If IMS does not restart, in Control Panel, double-click Services, click Microsoft Exchange Internet Mail Service, and then click Start.


Also, there seems to be a problem with Exchange SP4.
This article gives more info.

hope this helps!

Corie
 
thanks tahoe2!!!

I am going to try those steps and see if they help. Well, let me explain more. It tries to start the service but hangs during startup. I have tried to start the service in Control Panel -> Services; it takes about 5 minutes and then the error comes out. Even if I remove the IMS in Exchange Administrator and reinstall it, it will try to start the service during the IMS installation, and it also hangs at that step. Let's see if your steps will help, or do you have a better idea of fixing this??

thanks.
 
I had to get the fix from MS to help me resolve the issue. For several weeks, the Internet Messaging Service wouldn't start when the server was restarted (Event log error 7001). It would take me an hour of shutting down and restarting various services before it would start, and finally one day, nothing I did would start the service.
I got the patch from MS and no more worries. I hope it's that easy for you!

Corie
 
Oh, nice, that's exactly what happened to me here. So can you give me the link for that patch? I hope it won't take me a few days for this problem; I will be dead for that much time. Thanks again tahoe2.
 
Hi All,

I had faced the same problem earlier of getting tons of mails in the IMC queue and the IMC not starting after rebooting the server, but now I have got it fixed. The solution in my case is:

During installation of WinNT for our Exchange Server we had left the local admin password blank. After changing this password we are not facing this problem.

Just check if you had done the same.

Best of Luck.

PSingh
 
Hi all, I think I've found the solution. I don't know where it is from, but it really works. If you can't find the patches, mail me: banovec@nbc.sk

RE: Sara's comment... I have tried all the options given and suggested in the forum and in the article and I still can't stop relaying in Exchange 5.5 SP4 (we use POP3 and IMAP4)...

Well, Sara found the fix and helped me out as well. I did not have to apply all these fixes myself, as we do not need to relay at all. However, for most of you who do, here's the fix:

First, for those that don't have a need to relay, don't. Select "Do Not Reroute Incoming SMTP Mail".

If you realize you need to allow relaying, I suggest going through the fix I sent:

Must backup first. Then install (or reinstall) Exchange 5.5sp4 followed by:

1. 09/04/2001 01:01 AM 1,624,280 Q289606engi386.EXE
2. 08/06/2001 01:01 AM 567,680 Q301361i386.EXE
3. 19/07/2001 01:01 AM 7,162,240 Q304062engi386.EXE
4. 09/08/2001 01:01 AM 3,209,600 Q283238engi386.EXE
5. 05/09/2001 01:01 AM 588,176 Q307195engi386.EXE
6. 22/10/2001 01:01 AM 1,153,408 Q289258engi386.EXE *
7. 05/12/2001 01:01 AM 1,218,960 Q313576engi386.EXE
8. 16/05/2002 01:01 AM 1,161,560 Q312273engi386.EXE

Go to and, at the bottom of the page, enter the name of the .exe file, and you will find a patch to download.

You must apply them to your Exchange server in this order.

[Of the 8 files to download and install, all are available except the 6th one. When you go to the Q Article it says to contact Microsoft for it and obviously you have to pay. Go around that by downloading Q289258engi386.EXE here: (free to download).]

Once this is done and the reboots are complete, go to Connections, Internet Mail Connector, Routing, and make changes accordingly.

The changes I made to my routing restrictions were to allow Hosts and Clients that Authenticate, and also Hosts and Clients with these IP Addresses (with the IP and the Mask in the box). I looked through my logs in “imcdata” and found that it was sending “550 Rerouting is Prohibited” messages to people who were attempting to use my exchange server.

In regards to the mail queues, you will need to delete those occasionally because sometimes they still manage to connect to your server and will attempt to send mail, and it gets refused, but it will sit in the queues. Just delete the queues when you remember. You'll probably find a lot of them come from an originator with "<>" as the name. I also suggest turning your Diagnostic Logging up to the maximum for all the options, just for a few weeks. It can take up a bit of space, but it's worth going to the "imcdata" folder and having a look to see if Exchange is doing what it's supposed to be doing.

Don't forget you have to apply those patches in that order...otherwise it won't work, some of the preceding ones have bugs and applying the patches in order fixes the previously installed bugged patches!
 