Re: Server help!! Possible compromised over 6000 NDRs!!!! HELP!

  • From: "Allen, Chris" <CAllen@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 08:39:05 -0400

We had a similar issue. On ours, the firewall was NATing all incoming
requests (including SMTP), making them appear to originate from the
internal address of the firewall. In turn this would allow the relaying,
as we allow relaying for internal users for programmatic reasons. We
resolved the issue, effectively closing external relaying capabilities,
by making the following changes:


In Exchange System Manager, Administrative Groups -> Site -> Servers ->
Server Name -> Protocols -> SMTP -> Default SMTP Virtual Server, right
click and select Properties. Select the Access tab and then the Relay
button. Change "Only the list below" to "All except the list below" and
add the internal firewall IP address. Leave the checkbox at the bottom
checked. Upon doing this, we wound up having to clean up over 9000 spam
messages now trapped in our queues. Once you do this (if this mirrors
your situation), you will probably need to go to www.ordb.net and have
them test you for open relay. The reason you want them to do it is that
they probably have you listed as an open relay site, and the only way to
be removed from their list is for them to prove you are no longer an
open relay. It then takes about 2 or 3 days for your site to get off
their list as well as a few other lists.


To verify that it is a NATing issue, go to www.ordb.org and check your
mail server's external IP against their database. It will show the last
test message that showed up as a relay on your site. If the originating
address of the message is your firewall's internal IP, then this is most
likely the issue you are facing. Let me know if this helps.


Chris Allen

Systems Administrator

Metron North America


-----Original Message-----
From: Wohlgemuth, Mike [mailto:WohlgemuthM@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 24, 2003 7:06 AM
To: [ExchangeList]
Subject: RE: [exchangelist] Re: Server help!! Possible compromised over 6000 NDRs!!!! HELP!


I had the same problem ...


Under the relay on the SMTP default server, I needed to uncheck "allow
to relay regardless of the list above" ...


Here is what I gathered from Microsoft Q papers (can't find them right
now ...): you have to have anonymous authentication checked, and IF
you also have "allow to relay regardless of the list above" checked,
then spammers authenticate anonymously to your server to relay .... I
think most of the spam is caught (i.e. that is why you have 6000 NDRs)
... but it still ends up that you are processing all those emails ...


mike
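As an added illustration (not code from any of the posters), the relay decision the two replies above describe, modelled in Python: the firewall NAT Chris describes, the "Only the list below" versus "All except the list below" choice, and the checkbox at the bottom of the dialog that Mike points at. The IP addresses, the LAN range and the session flag are constructed assumptions, and treating an anonymous session as satisfying the checkbox follows Mike's reading rather than any documented Exchange behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values for the walkthrough, not from the thread.
FIREWALL_INSIDE_IP = "10.0.0.1"
LAN = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class RelayRestrictions:
    """The Relay dialog on the Default SMTP Virtual Server, as the replies describe it."""
    mode: str                   # "only_list" or "all_except_list"
    hosts: set = field(default_factory=set)
    auth_may_relay: bool = True  # the checkbox at the bottom of the dialog


def nat_source(client_ip: str) -> str:
    """Peer address the mail server sees once the firewall has handled the
    connection: LAN hosts keep their own address, anything from outside is
    NATed and arrives as the firewall's inside address (Chris's situation)."""
    if ipaddress.ip_address(client_ip) in LAN:
        return client_ip
    return FIREWALL_INSIDE_IP


def relay_allowed(rules: RelayRestrictions, client_ip: str,
                  session_authenticated: bool) -> bool:
    """Relay decision for one SMTP session. Pass session_authenticated=True
    for an anonymous session to reproduce Mike's reading that, with anonymous
    access enabled, such a session still satisfies the checkbox."""
    seen = nat_source(client_ip)
    listed = seen in rules.hosts
    if rules.mode == "only_list" and listed:
        return True
    if rules.mode == "all_except_list" and not listed:
        return True
    return rules.auth_may_relay and session_authenticated


# Chris's starting point: the LAN (which contains the firewall's inside
# address) is the allowed list, shown here as explicit hosts.
BEFORE = RelayRestrictions("only_list", {"10.0.0.1", "10.0.0.25"})
# Chris's fix: everyone except the firewall's inside address may relay,
# checkbox left checked as his reply says.
AFTER = RelayRestrictions("all_except_list", {FIREWALL_INSIDE_IP})
# Mike's case: a tight list, but the checkbox plus anonymous access opens relay.
CHECKBOX_ON = RelayRestrictions("only_list", {"10.0.0.25"}, auth_may_relay=True)
CHECKBOX_OFF = RelayRestrictions("only_list", {"10.0.0.25"}, auth_may_relay=False)
```

Calling `relay_allowed(BEFORE, "203.0.113.5", False)` shows the NATed outside host relaying, while the same call against `AFTER` is refused and the internal host `10.0.0.25` still relays.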

        -----Original Message-----
        From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx]
        Sent: Tue 9/23/2003 10:14 PM
        To: [ExchangeList]
        Cc:
        Subject: [exchangelist] Re: Server help!! Possible compromised over 6000 NDRs!!!! HELP!

        http://www.MSExchange.org/
        
        By "spoofing" do you mean that you're sure that your server is
        configured to disallow relaying?
        
        Craig A. Weil
        Network Administrator
        
        
        ----- Original Message -----
        From: "KEN MORRIS" <KMORRIS@xxxxxxx>
        To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
        Sent: Tuesday, September 23, 2003 6:51 PM
        Subject: [exchangelist] Server help!! Possible compromised over 6000 NDRs!!!! HELP!
        
        > Hello,
        >
        > As Exchange Admin (with little training unfortunately) I receive the
        > NDRs.
        > Today I have received over 6000 NDRs all with subjects, email addresses
        > both send and receive that are not a part of our domain.
        > I have checked to ensure that spoofing is disabled, yet I cannot figure
        > out how we are being used.
        >
        > I can forward on one of the NDRs to anyone. I have not been able to
        > figure a way to check the headers on the NDR. Here is a copy of the
        > text for one of the NDRs:
        >
        > The following recipient(s) could not be reached:
        >
        >   cathyb76@xxxxxxxxxxx on 9/23/2003 9:43 PM
        >   There was a SMTP communication problem with the recipient's email
        >   server. Please contact your system administrator.
        >   <server.company #5.5.0 smtp;550 Requested action not taken: mailbox
        >   unavailable>
        >
        > I figure that by morning, my inbox will be once again filled, could you
        > please forward any questions to k2keener@xxxxxxxxxxx as well as the list.
        > I do not want to lose any responses.
        >
        > Thanks
        >
        > Ken
        >
        >
        > ------------------------------------------------------
        > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
        > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
        > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
        > ------------------------------------------------------
        > Other Internet Software Marketing Sites:
        > Leading Network Software Directory: http://www.serverfiles.com
        > No.1 ISA Server Resource Site: http://www.isaserver.org
        > Windows Security Resource Site: http://www.windowsecurity.com/
        > Network Security Library: http://www.secinf.net/
        > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        > ------------------------------------------------------
        > You are currently subscribed to this MSExchange.org Discussion List as: craig_weil@xxxxxxxxxxx
        > To unsubscribe send a blank email to $subst('Email.Unsub')
        >
        