
Urgent help needed ! OWA

Status
Not open for further replies.

R121

Technical User
Nov 15, 2002
23
GB
I am new to Exchange 5.5 and I believe someone has hacked in and is sending messages from my server via OWA. In my mail logs I get the following message over 3000 times a day, 7 days a week.

Wed Jul 30 11:39:56 2003 MAIL RECEIVED:
Received from IP address: 192.168.0.1 (Internal)
Sender: <>
Recipient list: <c2r7lo@owa.mydomain.com>
MessageID: 1059561578265
Size: 14139165 bytes

Wed Jul 30 11:39:56 2003 MAIL SENT:
Sender: <>
Recipient list: <c2r7lo@owa.mydomain.com>
MessageID: 105956154315
Size: 14139067 bytes

I can't explain who or where these messages are coming from. I have disabled OWA from IIS but the messages still keep coming. I am completely confused and any help would be greatly appreciated.

THANKS in advance
 
Sounds like your relay is open and you're relaying mail.

See faq10-1779



"In space, nobody can hear you click..."
 
Thanks for your quick reply ReddLefty

That is what I first thought as well, but I have NA WebShield SMTP and that is supposed to stop the server becoming a relay.
 
I would have agreed with Reddlefty but there is something fishy about the size of those emails. For sure you should check your vs1\badmail folder and see how many items are in there on a daily basis. Then go here and make sure you are/were not a relay:


Test it yourself if you follow the link in the previous post but make sure you go through the motions.

Lastly, if you have the capabilities, perform reverse DNS on all incoming emails.

Hope that helps.
 
Thanks for your help guys I really appreciate it.
is not working.
dnsstuff seems ok except for my domain has no reverse DNS entry.

Thecleaner, I have tried to find the bad mail folder but I can't locate it. Could you please tell me where it would be? I am a total newbie to Exchange 5.5.

Are there any more FAQs or links on how to stop open relays?

thanks
R121
 
You can test it with this service:


Also, you mentioned you have no reverse lookup. It would be good to check into this with your ISP to make sure you DO have a reverse DNS for your MX record. More and more mail servers do a reverse lookup on your mail server when receiving mail from it to reduce chances of the incoming mail being spam. If it doesn't find it, it will refuse it.



"In space, nobody can hear you click..."
 
OK, now it's getting SUPER WEIRD. I unplugged the server for 10 mins to see what it would do and there are all these messages in my out queue and they keep coming, so I may have some type of virus. For some reason my own server is generating these e-mails and sending them all by itself. How can this be possible? Even with the server unplugged the queue gets shorter and then it regenerates !!!!


I AM going MAD !!!

Does anybody know what this can be?

R121
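
Added example, not part of the original thread: a Python script that parses the log format quoted in the first post and counts null-sender (`<>`) messages by direction, source IP and recipient domain, which shows whether the flood arrives from an internal or external host. The sample log is constructed; its third entry and the "(External)" tag are assumptions about how a normal external message would be logged.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the first post. The third
# entry (external sender, "(External)" tag) is an assumed shape for contrast.
SAMPLE_LOG = """\
Wed Jul 30 11:39:56 2003 MAIL RECEIVED:
Received from IP address: 192.168.0.1 (Internal)
Sender: <>
Recipient list: <c2r7lo@owa.mydomain.com>
Size: 14139165 bytes

Wed Jul 30 11:39:56 2003 MAIL SENT:
Sender: <>
Recipient list: <c2r7lo@owa.mydomain.com>
Size: 14139067 bytes

Wed Jul 30 11:41:02 2003 MAIL RECEIVED:
Received from IP address: 203.0.113.7 (External)
Sender: <alice@example.org>
Recipient list: <bob@mydomain.com>
"""

HEADER = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) MAIL (RECEIVED|SENT):$")
FIELD = re.compile(r"^([^:]+): (.*)$")

def parse_entries(text):
    # One dict per "MAIL RECEIVED:" / "MAIL SENT:" block, keyed by field name.
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m[1], "kind": m[2]}
            entries.append(cur)
        elif cur is not None and (f := FIELD.match(line)):
            cur[f[1]] = f[2]
    return entries

def null_sender_summary(entries):
    # Count messages with an empty envelope sender per (kind, source IP, domain).
    counts = Counter()
    for e in entries:
        if e.get("Sender") != "<>":
            continue
        source = e.get("Received from IP address", "-").split()[0]
        for dom in re.findall(r"@([^>\s]+)>", e.get("Recipient list", "")):
            counts[(e["kind"], source, dom.lower())] += 1
    return counts

if __name__ == "__main__":
    print(null_sender_summary(parse_entries(SAMPLE_LOG)).most_common())
```
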
 