Re: Server help!! Possible comprimised over 6000 NDRs!!!! HELP!

  • From: "KEN MORRIS" <KMORRIS@xxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 08:49:09 -0400

Chris,
Having just read your reply, I can safely agree that this is similar! Thank
you, for the extra input.
My next question is, how do I clear the queues, as I was looking at them
before reading this and realized that there are several hundred sitting
there. I have started by freezing them until I can clear them.
Thanks again!
Ken

        -----Original Message----- 
        From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
        Sent: Wed 9/24/2003 8:39 AM 
        To: [ExchangeList] 
        Cc: k2keener@xxxxxxxxxxx 
        Subject: [exchangelist] Re: Server help!! Possible comprimised over
6000 NDRs!!!! HELP!
        
        
        http://www.MSExchange.org/
        

        We had a similar issue. On ours, the firewall was natting all
incoming requests (including SMTP) making them appear to originate from the
internal address of the firewall. In turn this would allow the relaying as we
allow relaying for internal users for programmatic reason. We resolved the
issue, effectively closing external relaying capabilities by making the
following changes:

         

        In exchange system manager, Administrative Groups -> Site -> Servers
-> Server Name -> Protocols -> SMTP -> Default SMTP Virtual Server, right
click and select properties. Select the Access Tab and then the Relay Button.
Change "Only the list below" to "All except the list below" and add the
internal Firewall IP address. Leave the checkbox at the bottom, checked. Upon
doing this, we wound up having to clean up over 9000 spam messages now
trapped in our queues. Once you do this, (if this mirrors your situation),
you will probably need to go to www.ordb.net and have them test you for open
relay. The reason you want them to do it is, they probably have you listed as
an open relay site and the only way to be removed from their list is for them
to prove you are no longer an open relay. It then takes about 2 or 3 days for
your site to get off their list as well as a few other lists.

         

        To verify that it is a natting issue, go to www.ordb.org and check
your mailserver's external IP against their database. It will show the last
test message that showed up as a relay on your site. If the originating
address of the message is your firewall's internal IP then this is most
likely the issue you are facing. Let me know if this helps.

         

        Chris Allen

        Systems Administrator

        Metron North America

         

        -----Original Message-----
        From: Wohlgemuth, Mike [mailto:WohlgemuthM@xxxxxxxxxxxxxxxxxxx] 
        Sent: Wednesday, September 24, 2003 7:06 AM
        To: [ExchangeList]
        Subject: RE: [exchangelist] Re: Server help!! Possible comprimised
over 6000 NDRs!!!! HELP!

         

        I had the same problem ...

         

        under the relay on the smtp default server, I needed to uncheck
"allow to relay regardless of the list above" ...

         

        here is what I gathered from microsoft q papers (can't find them
right now ...) .. you have to have anonymous authentication checked, and IF
you also have "allow to relay regardless of the list above" checked, then
spammers authenticate anonymously to your server to relay .... I think most
of the spam is caught (i.e. that is why you have 6000 ndrs) ... but it still
ends up that you are processing all those emails ...

         

        mike

                -----Original Message----- 
                From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx] 
                Sent: Tue 9/23/2003 10:14 PM 
                To: [ExchangeList] 
                Cc: 
                Subject: [exchangelist] Re: Server help!! Possible
comprimised over 6000 NDRs!!!! HELP!

                By "spoofing" do you mean that you're sure that your server
                is configured to disallow relaying?
                
                Craig A. Weil
                Network Administrator
                
                
                ----- Original Message -----
                From: "KEN MORRIS" <KMORRIS@xxxxxxx>
                To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
                Sent: Tuesday, September 23, 2003 6:51 PM
                Subject: [exchangelist] Server help!! Possible comprimised
over 6000
                NDRs!!!! HELP!
                
                
                > Hello,
                >
                > As Exchange Admin (with little training unfortunately) I receive
                > the NDR's.
                > Today I have received over 6000 NDR's all with subjects, email
                > addresses both send and receive that are not a part of our domain.
                > I have checked to ensure that spoofing is disabled, yet I cannot
                > figure out how we are being used.
                >
                > I can forward on one of the NDR's to anyone. I have not been able
                > to figure a way to check the headers on the NDR. Here is a copy of
                > the text for one of the NDR's:
                >
                > The following recipient(s) could not be reached:
                >
                >   cathyb76@xxxxxxxxxxx on 9/23/2003 9:43 PM
                >   There was a SMTP communication problem with the recipient's email
                >   server. Please contact your system administrator.
                >   <server.company #5.5.0 smtp;550 Requested action not taken: mailbox
                >   unavailable>
                >
                > I figure that by morning, my inbox will be once again filled, could
                > you please forward any questions to k2keener@xxxxxxxxxxx as well as
                > the list. I do not want to lose any responses.
                >
                > Thanks
                >
                > Ken
                >
                >
                
                
        
----------------------------------------------------------------------------
                ----
                
                
                > ------------------------------------------------------
                > List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
                > Exchange Newsletters:
http://www.msexchange.org/pages/newsletter.asp
                > Exchange FAQ:
http://www.msexchange.org/pages/larticle.asp?type=FAQ
                > ------------------------------------------------------
                > Other Internet Software Marketing Sites:
                > Leading Network Software Directory:
http://www.serverfiles.com
                > No.1 ISA Server Resource Site: http://www.isaserver.org
                > Windows Security Resource Site:
http://www.windowsecurity.com/
                > Network Security Library: http://www.secinf.net/
                > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                > ------------------------------------------------------
                > You are currently subscribed to this MSExchange.org
Discussion List as:
                craig_weil@xxxxxxxxxxx
                > To unsubscribe send a blank email to
                leave-exchangelist-501652C@xxxxxxxxxxxxx
                >
                

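The diagnostic Chris describes (is the originating address of the relayed message the firewall's internal IP?) together with a small model of the Relay Restrictions dialog, as an added Python illustration that is not code from the thread; the header text, host names and 192.168.1.x addresses are constructed.

```python
import re
import ipaddress

# Constructed sample headers (not taken from the list post). Because the
# firewall NATs inbound SMTP, the host Exchange sees is the firewall's
# internal address, not the real sender.
SAMPLE_HEADERS = """\
Received: from mail.example.net ([192.168.1.1]) by exch01.example.local with
 Microsoft SMTPSVC(5.0.2195.6713); Tue, 23 Sep 2003 21:43:02 -0400
From: "bogus" <someone@example.net>
To: cathyb76@example.org
"""

# The first Received: header is the one our own server stamped on the message.
RECEIVED_RE = re.compile(r"^Received: from \S+ \(\[?([0-9.]+)\]?\)", re.M)

def originating_ip(headers):
    """IP of the host that handed the message to our SMTP virtual server."""
    m = RECEIVED_RE.search(headers)
    return m.group(1) if m else None

def nat_masking_suspected(headers, firewall_internal_ip):
    """True when the 'sender' is really the firewall's inside interface,
    i.e. every external connection is being NATed to one internal address."""
    return originating_ip(headers) == firewall_internal_ip

def relay_allowed(source_ip, authenticated, mode, ip_list, auth_override):
    """Model of the Relay Restrictions dialog on the SMTP virtual server.
    mode: 'only'   -> "Only the list below"
          'except' -> "All except the list below"
    auth_override: the checkbox 'Allow all computers which successfully
    authenticate to relay, regardless of the list above'."""
    ip = ipaddress.ip_address(source_ip)
    listed = any(ip in ipaddress.ip_network(n) for n in ip_list)
    if authenticated and auth_override:
        return True
    return listed if mode == "only" else not listed

if __name__ == "__main__":
    fw = "192.168.1.1"
    print("NAT masking:", nat_masking_suspected(SAMPLE_HEADERS, fw))
    # Before: the whole LAN (firewall included) may relay -> open relay via NAT.
    print("before:", relay_allowed(fw, False, "only", ["192.168.1.0/24"], True))
    # After Chris's change: the firewall's inside IP is explicitly denied.
    print("after:", relay_allowed(fw, False, "except", [fw + "/32"], True))
```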
