SPAM's got me!

KMcDermott, IS-IT--Management
Aug 8, 2002

Somehow, a spammer is sending out from here, but not through an open relay. I've checked ORDB, and I'm clean, but I'm getting huge numbers of emails being sent (I assume via SMTP) showing up in my IMS outbound Queue.

Destination hosts are random, but the Originator shows up as an outside address, rather than one from my domain.

In the meantime/quickfix, I've specified host domains for the offenders in my message filter setting on the Connections tab, but there must be a more general setting that can be enabled... should I specify by host for my internal IP scheme?

HELP!!!!

TIA!

Kevin McD
 
Check for infected clients inside your network.

LZ
 
I've been running spybot on the majority of my machines (obviously this should limit the variables), but is there an event somewhere I can check to find the offending IP address on my network?

Kevin
 
1. Click properties of the IMS connections.
2. Click the Routing tab.
3. Click Routing Restrictions.
4. Check the first two boxes. Do not add anything into the 2nd box.
5. Stop the IMS service.
6. Rename the imcdata folder to imcdata.old.
7. Start the IMS service; it creates the imcdata folder automatically.
8. Monitor the situation for a day.
9. SPAM mails will stop.

If it causes problems rename imcdata.old back to imcdata
 
Are you sure you are not generating NDR's?

If that is the case, turn off NDR to the internet, which should be OFF anyway for spam reasons.

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
[/sub]
How Do I Get Great Answers To my Tek-Tips Questions? See faq219-2884
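The two diagnoses offered above (an infected client relaying through the IMS versus the server itself generating NDR backscatter) can be told apart from the outbound queue. The following is an added example, not code from any poster in this thread; the queue entries, the 192.168.1.0/24 LAN range and the example.com domain are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (constructed, not from the thread): our mail domain and LAN range.
LOCAL_DOMAIN = "example.com"
INTERNAL_NETS = [ip_network("192.168.1.0/24")]

# Constructed sample of outbound-queue entries:
# (IP that handed the message to the server, envelope sender, recipient, subject).
# 192.168.1.1 stands in for the mail server itself, which is where NDRs originate.
QUEUE = [
    ("192.168.1.57", "promo@outside.example", "a@random1.test", "cheap stuff"),
    ("192.168.1.57", "promo@outside.example", "b@random2.test", "cheap stuff"),
    ("192.168.1.57", "promo@outside.example", "c@random3.test", "cheap stuff"),
    ("192.168.1.10", "kevin@example.com", "partner@random4.test", "invoice"),
    ("192.168.1.1", "", "forged@random5.test", "Undeliverable: hello"),
    ("192.168.1.1", "postmaster@example.com", "forged@random6.test", "Undeliverable: hi"),
]


def is_ndr(sender, subject):
    # Bounces carry a null envelope sender (or postmaster) and an NDR-style subject.
    return (sender == "" or sender.lower().startswith("postmaster@")
            or subject.lower().startswith("undeliverable"))


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(entry):
    src, sender, _rcpt, subject = entry
    if is_ndr(sender, subject):
        return "ndr_backscatter"          # server bouncing spam to forged senders
    if is_internal(src) and not sender.lower().endswith("@" + LOCAL_DOMAIN):
        return "internal_relay_forged_sender"  # LAN host sending as an outside address
    return "normal"


def triage(queue):
    # Returns counts per category plus the LAN hosts behind the forged-sender relay,
    # which is the "offending IP address" the thread asks how to find.
    kinds = Counter(classify(e) for e in queue)
    suspects = Counter(e[0] for e in queue
                       if classify(e) == "internal_relay_forged_sender")
    return dict(kinds), dict(suspects)
```

Run against real data, the input would be whatever the IMS queue or SMTP protocol log exposes for source host, sender and subject; the classification rules are the same.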
 
How do you turn off NDR's "just" to the internet and what is the effect of that on the user experience?

Storm
IT Director
XConcepts
 
In the Internet Mail connector.

The effect is simple: anyone sending to a non-existing address of your domain will NOT get an NDR.

Marc
 
Lushone... thanks very much for your post... seems to have helped significantly!

Kevin
 
Marcs41... Where specifically to turn off NDR's to the net?

Found (IMS Properties-Internet Mail-Advanced Options):
Disable Out of Office to internet
Disable Autoreplies to internet
Disable Display Names to internet

Kevin
 
Kevin, disable them all, that is still the safest option.

Marc
 
Disabling the notification of NDRs to the Admin mailbox won't disable the generation of an NDR back to the sender - it'll still send the NDR, it just won't tell you it's doing it!

I keep "Multiple matched for an email address" ticked, I figure I want to know when this happens.
 
I followed the directions above for turning off NDRs and I still get an NDR when I send a test mail from another Exchange server to an invalid mailbox on my Exchange server.

Is the originating exchange server creating the NDR?

Storm
 
Depends, WHERE is the other Exchange Server? On your LAN or elsewhere on the internet?

Marc
 
Well, it is on my LAN, but it has a different NT domain, handles different mail domains and is not in a trust relationship. So for all intents and purposes it is somewhere else on the internet.

Storm
 
I've tried to turn off NDRs on my Exchange servers before when suffering an NDR spam attack. I've gone and turned them off and the thing still generates them. Stopped all services, rebooted, checked and unchecked. Still an issue. I ended up getting a different SMTP server to handle the first leg of incoming emails in order to stop this.

I really just need to upgrade out of Exchange 5.5.
 
It always amazes me when these old threads from ages ago suddenly pop up, like everyone blinked and 13 months zip by.

In the intervening period MS issued a hotfix to actually enable you to turn off NDRs properly on 5.5; it's all mentioned in faq10-5018.
 