Spam mails never come back again 1

Andy888

MIS
Aug 26, 2001
66
US
*****Spam mails never come back again*****

Dear all,

Thanks to all of you for sharing your experience with us on this forum. Now I want to share my experience with those who hate spam mails.

So far, I have spent a whole week finding out how I can let my Exchange 2000 server get rid of thousands of spam emails a day. Originally, I reset the administrator password, disabled the guest account, changed the SMTP port and disabled the relay function, but still a lot of spam mails came through my server to relay and sent out the spam emails. I doubt whether the MS Exchange 2000 SMTP server's relay disable function works or not. Finally, I found a solution to get out of spam mails. The steps are as follows:

1. You should have two network cards on your MS Exchange 2000 server (one for inbound mail, one for outbound mail; if the outbound network card has an internal IP but can be routed to another external IP address router for the second SMTP virtual server, that is OK).

2. Go to Start->Programs->Microsoft Exchange->System Manager->Administrative Group->Server->Protocols->SMTP->Default SMTP Virtual Server->[right click]->Properties->Delivery tab->(change all fields to 1 or 1 MINUTE on the Delivery page)->click the Outbound Connections button to change the TCP port to 1.

3. The above 2nd procedure lets outside email deliver to a wrong port if it is a relay email, and the retry times out after one minute. If it is an organization email, it will be delivered to the mailbox.

4. Add a second SMTP Virtual Server by right-clicking on the SMTP object. On the General tab, select the second network card's IP address on your server and change the port number to anything other than 25 (not conflicting with any other port number) under the Advanced button. On the Access tab's Authentication button, uncheck Anonymous Access.

5. The above 4th procedure lets internal users send out emails through the second network card.

6. Change all Outlook Express SMTP IP address and port number settings to match the second network card's configuration in order to send out email.

7. The spam emails will not be delivered via your SMTP email server successfully. They will never come back again.

ANDY (MIS)
 
I thought it was the best way I had tried. No spammer has used my two-location SMTP servers so far. If you want to use someone's SMTP server, don't you want to test whether it works or not before using it? Once a spammer's test fails and they can't receive the email they sent back to themselves, I thought they would give up using this IP. Someone in the Experts-Exchange.com forums (nickname: Goldwing) said that it is not the *good* way of doing this. Can anybody tell me the better way?
 
The number of NICs has absolutely no effect on spam mail.
A spammer does not spend time on testing your server, they just send bulk emails.
Several methods are then used to determine if you become a 'good target':
- They have HTML mails with some reporting code in them that runs when viewed or previewed.
- They use an 'unsubscribe' link in their mail, but if you do that, you actually confirm your address exists.
- You reply to the spammed mail to report your annoyance; same thing, you just confirmed.
- Your server sends an NDR for non-existing addresses; you then confirm the existence of your server AND those mails that do not get an NDR are then considered 'real'.
- You allow users to Autoreply or use Out-Of-Office messages to the internet, again a confirmation of a real address.

In all cases, BINGO, they got you.

There are 2 major things you can do:
1: Users Education!!!!!!
2: Install a third party Anti-Spam as has.

Besides all that, what you are describing is relaying and there is some truth in how you tackled it, but again it won't stop the die-hards. If you allow relay from outside they will use YOUR server to spam others and you won't even know ... until after a while.


Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
[/sub]
 
Hello! Dear all,

I just received two identical Open Relay Black List test emails from Taiwan, as below.

********************************************************
Hello
This is an open relay test mail.
If your SMTP Server relay this mail.
I will add your SMTP Server IP to my Open Relay Black List.
You can contact me 26490723@mail.apol.com.tw to remove it.
Thanks !!
MAILINFO:[???/?:/???/???****
MAILINF2:[???/???/???/??****
********************************************************
The above is the content of the Open Relay Black List test email. I have modified digits to "?" and characters to "*".


*********************************************************
Reporting-MTA: dns; myhost.mydomain.com

Final-Recipient: RFC822; orbl@seed.net.tw
Action: failed
Status: 4.4.7
X-Supplementary-Info: <myhost.mydomain.com #4.4.7>
X-Display-Name: orbl@seed.net.tw
*******************************************************
The above is the report my server generated. I have modified XXX.XXXXX.COM to "myhost.mydomain.com".

Once the SMTP server IP is on the Black List, the spam emails will fly into the server.

I am very satisfied with my way of getting rid of all spam mails so far.
 
Again, sorry but I need to point out that this is NOT spam!
This is a relay test and is not the same. You are in good condition if you block that of course, but do not confuse it with spam!
Anyone anywhere can send you spam mails as much as they want once they have an address, and there is nothing you can do to stop that, besides filtering it out!
 
SPAM WATCH : PROTECTING YOUR TURF
Spam senders are pretty smart--they've figured out how to relay their unsolicited messages through well-known Internet servers to trick the ultimate recipient into believing that the mail is from a trusted host. Fortunately, Internet Mail Service includes several features that let your server sort the spam from legitimate Internet mail. (If you want more details on any of the tactics described here, check out the Readme files that come with the Exchange Server CD.)
PROTECTING YOUR TURF: The first step in protecting your server from spam is to set a list of sender domains that you want to block messages from and the place where you want to redirect this offensive mail. The blacklist for mail senders is called TurfList; blocked messages are sent to TurfDir. NOTE: When mail is blocked in this fashion, the sender does not receive a notice from your server. Setting up this level of protection requires you to edit the Exchange server's registry. Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters and add the following values:
- TurfDir (REG_SZ): specifies the directory where aborted messages are moved. Microsoft suggests that you send the messages to Exchsrvr\Imcdata\Turfdir, where Exchsrvr is the directory where the Microsoft Exchange Server files are located.
- TurfTable (REG_MULTI_SZ): specifies the masks that filter spam messages. You can filter by domain or by user.
If you don't specify a TurfDir value, the server permanently deletes aborted messages. Before these settings take effect, you must stop or restart the Internet Mail Service and the Information Store service using Control Panel's Services applet.
TRACKING DELETED MESSAGES: I mentioned that if you don't set up a directory where aborted spam should be routed, Exchange Server automatically deletes these messages. But even if you elect not to archive all that spam, you may sometimes want to get a glimpse of who's sending what to your users. Regardless of your Internet Mail Service diagnostics logging settings, Exchange logs an event to the Application Event Log that details aborted file senders and message filenames. If you're using the Diagnostics Logging property page for Internet Mail archiving, you can locate automatically deleted files in the Internet Mail Service archive directory (Exchsrvr\Imcdata\In\Archive). For more information, see Microsoft Knowledge Base article Q155683.
What YOU are doing is:

BLOCKING RELAY REQUESTS: As mentioned, spammers not only send your users undesirable mail, they can also use your reputable servers as a relay to mask their messages' true nature. If your Internet Mail Service allows rerouting for POP3 or IMAP4 clients, it relays mail to non-local recipients. However, you can edit the server's registry to refuse RCPT commands specifying a non-local recipient. Open the registry for editing and navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\MSExchangeIMC\Parameters and add the following values:
- RelayFlags (REG_DWORD): defines which relay control rules are in effect.
- RelayDenyList (REG_MULTI_SZ): specifies hosts that cannot relay messages through your server.
- RelayAllowList (REG_MULTI_SZ): specifies hosts that can relay messages through your server.
- RelayLocalIPList (REG_MULTI_SZ): specifies the local IP addresses of the server to which an SMTP client can connect and relay mail. This is useful for multi-homed servers that have internal and external interfaces. Enabling IP forwarding disables this feature.
RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net and optional mask per line. The exact syntax for editing RelayFlags and the other registry settings discussed here can be quite complex. For more information, check out Microsoft Knowledge Base article Q193922.
USE THE TURFTABLE TO STOP SPAM: Spam, the unavoidable plague of unsolicited e-mail messages from the Internet, is something that every Exchange administrator must eventually deal with. I remember that Exchange Server 5.5 includes the TurfTable, a primitive spam filter. While this tool doesn't have the sophisticated features that some third-party tools have, it will get the job done in a pinch. To enable this tool, you must modify the registry of the Exchange server that runs your Internet Mail Service (IMS). Use REGEDT32.EXE to open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters and add this REG_MULTI_SZ value: TurfTable. In the Multi-String Editor dialog box, enter the mask entries, one per line, which identify the offending spammers. Use the following format to generate mask entries:
- #@spamdomain.com - flags all messages sent by spamdomain.com
- @spamdomain.com - flags all messages sent by spamdomain.com and its subdomains
- user@spamdomain.com - flags all messages sent by user@spamdomain.com
When you stop and restart your IMS, it will automatically discard all messages flagged by the TurfTable's mask entries. For more information on the TurfTable, see the Microsoft Exchange Server 5.5 Release Notes in the README.doc file in the root directory of your Exchange Server 5.5 Installation CD-ROM.
 
Security?
MONITORING YOUR TRAFFIC:
Most Exchange administrators are curious about how much traffic their servers actually handle. Luckily there's a fairly easy way to find out. Performance Monitor includes several counters that you can use to measure your total or average message throughput. Within the Private Information store, you can check out Messages Submitted or Messages Submitted/Min to monitor total traffic. Want to monitor your Internet Mail Service traffic? Depending on whether you prefer to see it measured in bytes, messages, or connections, you can find a counter to suit your needs in the MSExchangeIMC object (e.g., Outbound Messages/Hr and Inbound Messages/Hr). You can also monitor the number of concurrent clients you're supporting at any given time by checking the MSExchangeIS Private object's Client Logons object, which tells you how many clients (including system processes) are currently logged on. The Peak Client Logons object will tell you the maximum number of concurrent logons you've had since the service was started.

"HASHING" OUT SECURITY (memo to self)
Although sending a message is as simple as clicking a button on the client toolbar, Exchange is busy in the background ensuring, through a process called hashing, that your message reaches its destination unaltered. Hashing is a mathematical function that converts a message to a unique 128-bit number. The same message always hashes out to the same number, but if you change any part of the message it will hash to a different value. Exchange performs the hash function on both the sending and the receiving ends and compares the values to make sure the message contents are the same. But keep in mind, this process requires a great deal of processing power, so most organizations only set up this level of security for a few departments, such as legal and human resources.

I could go on and on, but marcs41 has made two excellent points!
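As an added illustration (not code from this thread or from Microsoft's IMS), here is a small model of the three TurfTable mask forms described in the post above, run over a constructed mask list and constructed sender addresses; the domains are hypothetical.

```python
"""Model of Exchange 5.5 IMS TurfTable sender masks (added example).
Mask semantics follow the forum post: '#@domain' matches the domain only,
'@domain' matches the domain and all subdomains, 'user@domain' matches one
sender. Entries and senders below are constructed, not real data."""
from typing import List, Optional, Tuple

# Constructed TurfTable entries, one per line as they would sit in the
# REG_MULTI_SZ value (hypothetical domains).
TURF_TABLE = [
    "#@spamdomain.com",      # flags spamdomain.com only, not its subdomains
    "@bulkmail.example",     # flags bulkmail.example and every subdomain
    "seller@shop.example",   # flags this one sender address
]

def turf_match(sender: str, masks: List[str] = TURF_TABLE) -> Optional[str]:
    """Return the first mask that flags `sender`, or None if it passes."""
    sender = sender.strip().lower()
    _user, _at, domain = sender.rpartition("@")
    for mask in masks:
        m = mask.strip().lower()
        if m.startswith("#@"):
            # exact domain match only
            if domain == m[2:]:
                return mask
        elif m.startswith("@"):
            # the domain itself or any subdomain of it
            d = m[1:]
            if domain == d or domain.endswith("." + d):
                return mask
        elif sender == m:
            # full user@domain match
            return mask
    return None

def sort_inbound(senders: List[str],
                 masks: List[str] = TURF_TABLE) -> Tuple[List[str], List[str]]:
    """Split senders into (moved to TurfDir, delivered) the way the IMS would."""
    turfed, delivered = [], []
    for s in senders:
        (turfed if turf_match(s, masks) else delivered).append(s)
    return turfed, delivered

if __name__ == "__main__":
    sample = ["promo@spamdomain.com", "promo@mail.spamdomain.com",
              "news@lists.bulkmail.example", "seller@shop.example",
              "buyer@shop.example"]
    turfed, delivered = sort_inbound(sample)
    print("to TurfDir:", turfed)
    print("delivered :", delivered)
```

Note the subdomain case: "promo@mail.spamdomain.com" slips past "#@spamdomain.com" but would be caught by "@spamdomain.com", which is the difference between the two domain mask forms.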
 