Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

RELAY?? But I fixed it already!..now what? 30

Status
Not open for further replies.
POSAPAY

POSAPAY

IS-IT--Management
Jul 27, 2001
192
0
0
HU
Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter
 
Sort by date Sort by votes
I have the problem with getting a ton of messages in my oubound queues from <>. It seems these are coming from the exchange server itself as replies for non delivereable recipients. Someone was spamming our servers and the exchange server was just replying to them that there was no such mailbox. We turned on accept only mail from approved senders and the messages decreased immediately.
 
Upvote 0 Downvote
use steps in my previous post and then install:

09 - Q326322enui386.EXE 07/24/2002
10 - Exchange5.5-KB818709-x86-enu.EXE 08/02/2003
11 - Exchange5.5-KB829418-x86-enu.EXE 10/07/2003
12 - Exchange5.5-KB829436-x86-enu.EXE 10/13/2003
13 - Exchange5.5-KB828489-v2-x86-enu.EXE 10/21/2003

now Exchange 5.5 shouuld be patched...
 
Upvote 0 Downvote
I'am doing this treatment :
Open Internet Mail Service in Exchange Administrator, click on the routing tab and make sure your setting is REROUTE INCOMING SMTP EMAIL.
'Sent to' should be YOURDOMAIN.COM and 'route to' should be INBOUND.
Then click on ROUTING RESTRICTIONS and UNcheck the box next to 'Hosts and Clients that successfully authenticate'
and CHECK the box next to 'Hosts and Clients with these IP Addresses:'. LEAVE THAT BOX BLANK!

restart the IMS, and everything back normally!!!!
 
Upvote 0 Downvote
aeh, me too solve the problem with your treatment
did u understand why it works?
 
Upvote 0 Downvote
this log was find after the treatment:
Refused to relay <benteski@netzero.net> for 23397.bhz.virtua.com.br (200.167.233.97). Client was authenticated as \backup.

what is \backup?
 
Upvote 0 Downvote
\backup is the local account the hacker is logging in as. Check your machines. find and disable this account.

This process works because you are essentially closing all relay doors by allowing only certain addresses, but adding no addresses to the sucessfully authenticate area.

Hope this helps,
Corie
 
Upvote 0 Downvote
Hello you have an open relay. Go to and search for document id # 7696
Do all things and ensure you do the telnet test to make sure you have set it right.
As well you may notice that you will be blacklisted on DNS and email lists due to this problem. Correct it as fast as you can
peace.
 
Upvote 0 Downvote
Excerpt from the winnetmag article
"What the Microsoft article and online Help don't spell out is that when you select a routing restriction, you can choose not to enter any IP information. The trick is that you can select the Hosts and clients with these IP addresses check box but not specify any IP addresses. Unless you have a specific need to have your Exchange server relay, don't enter any IP addresses on this page. This selection changes the rules that the IMS uses when evaluating the SMTP protocol. Instead of letting the IMS accept the RCPT TO specification blindly, this selection causes the IMS to check for local delivery before letting it upload a message. If the recipient isn't local, the IMS will return 550 Relaying prohibited"

;-)
 
Upvote 0 Downvote
caution.jpg


lol had to do it :)
 
Upvote 0 Downvote
I know this is a litle late because you probably have your problem solved by now but if you still need a little help and have a little money to spend try the Barracuda Spam Firewall. I was having the same problem with the message queues getting thousands of messages a day and since I installed the Barracuda that has stopped. It also has a lot of other great features that are helpful in the age of spamming.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Brent Fletcher
  • Locked
  • Question
Exchange rule to remove &quot;✉&quot; icon when it appears in a subject title from a supplier
Replies
0
Views
567
Brent Fletcher
Brent Fletcher
DrB0b
  • Locked
  • Question
Issue removing large deleted items folder's contents
Replies
1
Views
487
DrB0b
DrB0b
PatrickRoggers
  • Locked
  • Helpful tip
Safest Way to Import PST file into Exchange Online
Replies
0
Views
573
PatrickRoggers
PatrickRoggers
microsGuy16
  • Locked
  • Question
Global Address List Names not showing in Outlook OWA 365
Replies
0
Views
649
microsGuy16
microsGuy16
Trevor Gryffyn
  • Locked
  • Question
Removed Accepted Domain, now can't email that (now external) domain
Replies
2
Views
75
AdrianGates
AdrianGates

Part and Inventory Search

Sponsor

Back
Top