RE: Relay Nightmare

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Sep 2004 21:27:31 -0500

Hi Steve,

Good idea. I got hit with the same thing a few weeks ago. Couldn't
figure out why my queues were so long and why my ISA firewall logs were
getting so large :-)

That's why I was interested in the NetMon traces. In the traces you can
tell that it's not a relay at all, but instead just NDRs for bogus users
the criminal spammer is sending stuff to.

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
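
The distinction drawn in the message above, as an added example that is not part of the original thread: a Python sketch that labels port-25 sessions from a trace and separates NDR backscatter (outbound mail with the null reverse-path `<>`) from genuine relaying. The trace, the `LOCAL_DOMAINS` value and all function names are constructed for illustration, and the sample assumes the server accepts unknown local recipients at RCPT time and bounces them afterwards.

```python
import re
from collections import Counter

LOCAL_DOMAINS = {"example.org"}  # assumption: domains this server hosts

# Constructed sample (not from the thread); replies to MAIL FROM omitted.
# IN = connection to the mail server, OUT = connection the server opened.
TRACE = """\
IN 203.0.113.7
C: MAIL FROM:<promo@spam.example>
C: RCPT TO:<nosuchuser@example.org>
S: 250 2.1.5 OK

OUT 198.51.100.20
C: MAIL FROM:<>
C: RCPT TO:<promo@spam.example>
S: 250 2.1.5 OK

IN 203.0.113.9
C: MAIL FROM:<a@elsewhere.example>
C: RCPT TO:<b@third.example>
S: 550 5.7.1 Unable to relay for b@third.example
"""

MAIL = re.compile(r"MAIL FROM:<([^>]*)>", re.I)
RCPT = re.compile(r"RCPT TO:<([^>]*)>\r?\nS: (\d)", re.I)  # rcpt + reply class

def is_local(addr):
    return addr.lower().rpartition("@")[2] in LOCAL_DOMAINS

def classify(session):
    direction = session.split(None, 1)[0]
    m = MAIL.search(session)
    sender = m.group(1) if m else None
    labels = []
    for rcpt, code in RCPT.findall(session):
        if direction == "OUT":
            # Null reverse-path <> marks a bounce (NDR), not relayed mail.
            labels.append("ndr" if sender == "" else
                          "outbound-local" if is_local(sender or "") else "RELAYED")
        elif is_local(rcpt):
            labels.append("inbound-local" if code == "2" else "rejected")
        else:
            labels.append("RELAYED" if code == "2" else "relay-refused")
    return "RELAYED" if "RELAYED" in labels else (labels or ["other"])[-1]

def diagnose(trace):
    counts = Counter(classify(s) for s in trace.strip().split("\n\n"))
    verdict = "relay" if counts["RELAYED"] else "ndr-backscatter" if counts["ndr"] else "clean"
    return verdict, counts
```

An outbound session whose sender is neither null nor local is also labelled `RELAYED`, which covers the authenticated-client case raised earlier in the thread.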



-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Monday, September 27, 2004 4:13 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relay Nightmare


http://www.MSExchange.org/

Are you sure they aren't spam NDRs??
S 

-----Original Message-----
From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx] 
Sent: Monday, September 27, 2004 6:05 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relay Nightmare

Thank you Steve,

Here are the results... seems to me that I'm not an open relay, but
there are many emails that are being queued, mostly undeliverable.
Again, traced the IP addresses of incoming and outgoing traffic and the
only IP address on my network that is being used is the server's.  It's
quite puzzling.

OK, connected to ##.###.###.###...
< 220 exchange.blahblah.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at  Mon, 27 Sep 2004 13:59:51 -0700
>HELO edit.dnsvr.com
< 250 exchange.blahblah.org Hello [69.72.176.182]
>MAIL FROM:<cweil@xxxxxxxxxxxx>
< 250 2.1.0 cweil@xxxxxxxxxxxxxxxxxxxxxx OK
>RCPT TO:<craig_weil@xxxxxxxxxxx>
< 550 5.7.1 Unable to relay for craig_weil@xxxxxxxxxxx





>From: "Steve Moffat" <steve@xxxxxxxxxx>
>Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>Subject: [exchangelist] RE: Relay Nightmare
>Date: Mon, 27 Sep 2004 17:48:51 -0300
>
>That's not how you do it....you use your domain email address and see if
>you can relay to other mail addresses.
>
>Steve
>
>-----Original Message-----
>From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx]
>Sent: Monday, September 27, 2004 5:36 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Relay Nightmare
>
>Hi Tom,
>
>Here are the results, and thanks a ton for your assistance!
>
>OK, connected to ##.###.###.###...
>< 220 exchange.blahblah.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at  Mon, 27 Sep 2004 13:32:00 -0700
> >HELO edit.dnsvr.com
>< 250 exchange.blahblah.org Hello [69.72.176.182]
> >MAIL FROM:<craig_weil@xxxxxxxxxxx>
>< 250 2.1.0 craig_weil@xxxxxxxxxxxxxxxxxxxxx OK
> >RCPT TO:<it_mhz@xxxxxxxxxxx>
>< 550 5.7.1 Unable to relay for it_mhz@xxxxxxxxxxx
>
>
>
> >From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
> >To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
> >Subject: [exchangelist] RE: Relay Nightmare
> >Date: Mon, 27 Sep 2004 13:18:14 -0500
> >
> >Hi Craig,
> >
> >Run this http://www.zoneedit.com/smtp.html
> >
> >And let us know what it says.
> >
> >HTH,
> >Tom
> >www.isaserver.org/shinder <http://www.isaserver.org/shinder>
> >Get the book!
> >Tom and Deb Shinder's Configuring ISA Server 2004
> >http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA 
> >Firewalls
> >
> >     -----Original Message-----
> >     From: Craig_Weil [mailto:craig_weil@xxxxxxxxxxx]
> >     Sent: Monday, September 27, 2004 1:11 PM
> >     To: [ExchangeList]
> >     Subject: [exchangelist] RE: Relay Nightmare
> >
> >
> >     Hi there Tom,
> >
> >     Yeah, that was one of my initial thoughts too.  I ran Ethereal on the
> >     mail server and filtered by port 25.  The packets I captured would
> >     display the originating and destination email addresses and I then
> >     verified that they were being queued by using the Message Tracking
> >     portion of System Manager.  All IP addresses referenced in the
> >     packets were from outside sources.  It has me stumped!
> >
> >     Craig
> >
> >             ----- Original Message -----
> >             From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> >             To: [ExchangeList] <mailto:exchangelist@xxxxxxxxxxxxx>
> >             Sent: Saturday, September 25, 2004 9:54 PM
> >             Subject: [exchangelist] RE: Relay Nightmare
> >
> >             Hi Craig,
> >
> >             Do a NetMon trace and identify the source IP address of the relayed
> >             spam. It could be that your users are infected with a spam generator
> >             and the spammer is leveraging their authenticated connections.
> >
> >             HTH,
> >             Tom
> >             www.isaserver.org/shinder
> ><http://www.isaserver.org/shinder>
> >             Get the book!
> >             Tom and Deb Shinder's Configuring ISA Server 2004
> >             http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> >             MVP -- ISA Firewalls
> >
> >                     -----Original Message-----
> >                     From: Craig_Weil [mailto:craig_weil@xxxxxxxxxxx]
> >
> >                     Sent: Friday, September 24, 2004 2:02 PM
> >                     To: [ExchangeList]
> >                     Subject: [exchangelist] Relay Nightmare
> >
> >
> >                     Running Exchange 2000, default settings for the smtp virtual
> >                     server... (Anonymous Access - so we can receive outside email, Basic
> >                     Authentication, Integrated Windows Authentication all checked, Relay
> >                     restrictions set to "Only the list below" which is empty and "Allow
> >                     all computers which successfully authenticate to relay..."
> >                     checked so that employees can send mail while connected to another
> >                     ISP, Outbound Security options set as default - Anonymous Access checked)
> >                     My server is STILL relaying mail.  I can look in any number of
> >                     queues and it's like a clearing house for spam.
> >
> >                     Any ideas?
> >
> >                     Much appreciation!
> >
> >                     Craig
> >
> >------------------------------------------------------
> >                     List Archives:
> >http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> >                     Exchange Newsletters:
> >http://www.msexchange.org/pages/newsletter.asp
> >                     Exchange FAQ:
> >http://www.msexchange.org/pages/larticle.asp?type=FAQ
> >
> >------------------------------------------------------
> >                     Other Internet Software Marketing Sites:
> >                     World of Windows Networking:
> >http://www.windowsnetworking.com
> >                     Leading Network Software Directory:
> >http://www.serverfiles.com
> >                     No.1 ISA Server Resource Site:
> >http://www.isaserver.org
> >                     Windows Security Resource Site:
> >http://www.windowsecurity.com/
> >                     Network Security Library: http://www.secinf.net/
> >                     Windows 2000/NT Fax Solutions:
> >http://www.ntfaxfaq.com
> >
> >------------------------------------------------------
> >                     You are currently subscribed to this
>MSEXchange.org Discussion List
> >as: tshinder@xxxxxxxxxxx
> >                     To unsubscribe visit
> >http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> >                     Report abuse to listadmin@xxxxxxxxxxxxxx
> >
>
>This E-Mail is confidential. It is not intended to be read, copied, 
>disclosed or used by any person other than the recipient named above.
>
>Unauthorised use, disclosure, or copying is strictly prohibited and may

>be unlawful. Optimum IT Solutions Ltd disclaims any liability for any 
>action taken in connection of this E-Mail. The comments or statements 
>expressed in this E-Mail are not necessarily those of Optimum IT 
>Solutions Ltd or its subsidiaries or affiliates.
>
>administrator@xxxxxxxxxx

