Re: Server help!! Possible comprimised over 6000 NDRs!!!! HELP!

  • From: "Craig Weil" <craig_weil@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 07:38:31 -0700

Hi Ken,

If you run the System Manager and drill down to your SMTP protocol (where
you previously froze messages), you can right click on the individual queues
and enumerate the messages contained within.  After you enumerate them, you
can right click the queue again and have the option to delete the messages
either with an NDR or not, your choice.

You may have already received a reply regarding this, if so, my apologies.

Craig A. Weil


----- Original Message ----- 
From: "KEN MORRIS" <KMORRIS@xxxxxxx>
To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
Cc: <k2keener@xxxxxxxxxxx>; <CAllen@xxxxxxxxxxxxxxxx>
Sent: Wednesday, September 24, 2003 5:49 AM
Subject: [exchangelist] Re: Server help!! Possible comprimised over 6000
NDRs!!!! HELP!




> Chris,
> Having just read your reply, I can safely agree that this is similar!
> Thank you, for the extra input.
> My next question is, how do I clear the queues, as I was looking at them
> before reading this and realized that there are several hundred sitting
> there. I have started by freezing them until I can clear them.
> Thanks again!
> Ken
>
> -----Original Message----- 
> From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
> Sent: Wed 9/24/2003 8:39 AM
> To: [ExchangeList]
> Cc: k2keener@xxxxxxxxxxx
> Subject: [exchangelist] Re: Server help!! Possible comprimised over
> 6000 NDRs!!!! HELP!
>
>
> http://www.MSExchange.org/
>
>
> We had a similar issue. On ours, the firewall was natting all
> incoming requests (including SMTP) making them appear to originate from
> the internal address of the firewall. In turn this would allow the relaying
> as we allow relaying for internal users for programmatic reasons. We resolved
> the issue, effectively closing external relaying capabilities by making the
> following changes:
>
>
>
> In exchange system manager, Administrative Groups -> Site -> Servers
> -> Server Name -> Protocols -> SMTP -> Default SMTP Virtual Server, right
> click and select properties. Select the Access Tab and then the Relay
> Button. Change "Only the list below" to "All except the list below" and
> add the internal Firewall IP address. Leave the checkbox at the bottom,
> checked. Upon doing this, we wound up having to clean up over 9000 spam
> messages now trapped in our queues. Once you do this, (if this mirrors your
> situation), you will probably need to go to www.ordb.net
> <http://www.ordb.net/> and have them test you for open relay. The reason
> you want them to do it is, they probably have you listed as an open relay
> site and the only way to be removed from their list is for them to prove
> you are no longer an open relay. It then takes about 2 or 3 days for your
> site to get off their list as well as a few other lists.
>
>
>
> To verify that it is a natting issue, go to www.ordb.org
> <http://www.ordb.org/> and check your mailserver's external IP against
> their database. It will show the last test message that showed up as a
> relay on your site. If the originating address of the message is your
> firewall's internal IP then this is most likely the issue you are facing.
> Let me know if this helps.
>
>
>
> Chris Allen
>
> Systems Administrator
>
> Metron North America
>
>
>
> -----Original Message-----
> From: Wohlgemuth, Mike [mailto:WohlgemuthM@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, September 24, 2003 7:06 AM
> To: [ExchangeList]
> Subject: RE: [exchangelist] Re: Server help!! Possible comprimised
> over 6000 NDRs!!!! HELP!
>
>
>
> I had the same problem ...
>
>
>
> under the relay on the smtp default server, I needed to uncheck
> "allow to relay regardless of the list above" ...
>
>
>
> here is what I gathered from microsoft q papers (can't find them
> right now ...) .. you have to have anonymous authentication checked, and
> IF you also have "allow to relay regardless of the list above" checked,
> then spammers authenticate anonymously to your server to relay .... I think
> most of the spam is caught (i.e. that is why you have 6000 ndrs) ... but it
> still ends up that you are processing all those emails ...
>
>
>
> mike
>
> -----Original Message----- 
> From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx]
> Sent: Tue 9/23/2003 10:14 PM
> To: [ExchangeList]
> Cc:
> Subject: [exchangelist] Re: Server help!! Possible
> comprimised over 6000 NDRs!!!! HELP!
>
> http://www.MSExchange.org/
>
> By "spoofing" do you mean that you're sure that your server is configured
> to disallow relaying?
>
> Craig A. Weil
> Network Administrator
>
>
> ----- Original Message -----
> From: "KEN MORRIS" <KMORRIS@xxxxxxx>
> To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
> Sent: Tuesday, September 23, 2003 6:51 PM
> Subject: [exchangelist] Server help!! Possible comprimised
> over 6000
> NDRs!!!! HELP!
>
>
> > Hello,
> >
> > As Exchange Admin (with little training unfortunately) I receive the
> > NDR's.
> > Today I have received over 6000 NDR's all with subjects, email addresses
> > both send and receive that are not a part of our domain.
> > I have checked to ensure that spoofing is disabled, yet I cannot figure
> > out how we are being used.
> >
> > I can forward on one of the NDR's to anyone. I have not been able to
> > figure a way to check the headers on the NDR. Here is a copy of the
> > text for one of the NDR's:
> >
> > The following recipient(s) could not be reached:
> >
> >   cathyb76@xxxxxxxxxxx on 9/23/2003 9:43 PM
> >   There was a SMTP communication problem with the recipient's email server.
> > Please contact your system administrator.
> >   <server.company #5.5.0 smtp;550 Requested action not taken: mailbox
> > unavailable>
> >
> > I figure that by morning, my inbox will be once again filled, could you
> > please forward any questions to k2keener@xxxxxxxxxxx as well as the list.
> > I do not want to lose any responses.
> >
> > Thanks
> >
> > Ken
> >
> >
> > ------------------------------------------------------
> > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Exchange Newsletters:
> http://www.msexchange.org/pages/newsletter.asp
> > Exchange FAQ:
> http://www.msexchange.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory:
> http://www.serverfiles.com
> > No.1 ISA Server Resource Site: http://www.isaserver.org
> > Windows Security Resource Site:
> http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this MSExchange.org
> Discussion List as:
> craig_weil@xxxxxxxxxxx
> > To unsubscribe send a blank email to
> $subst('Email.Unsub')
> >
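Chris Allen's NAT diagnosis and Relay-dialog change, modelled as an added example that is not part of the original thread: a hypothetical relay_allowed() mirrors the "Only the list below" / "All except the list below" choice, and nat_symptom() scans constructed SMTP log lines for the tell-tale sign that every relayed message arrives from one internal address. The policy model, the log format, the firewall address 192.168.1.1 and all domain names are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"company.example"}    # constructed: domains this server accepts for
FIREWALL_INTERNAL_IP = "192.168.1.1"   # constructed: the firewall's inside address

# Hypothetical model of the SMTP virtual server Relay dialog (not Exchange's API).
# "only_list" = "Only the list below", "all_except_list" = "All except the list below".
BEFORE = {"mode": "only_list", "list": ["192.168.0.0/16"]}          # relay for the LAN
AFTER = {"mode": "all_except_list", "list": [FIREWALL_INTERNAL_IP]}  # Chris's fix

def relay_allowed(client_ip, policy):
    """True if the dialog would let client_ip send to a non-local recipient."""
    listed = any(ip_address(client_ip) in ip_network(n) for n in policy["list"])
    return listed if policy["mode"] == "only_list" else not listed
    # Caveat: AFTER only closes the relay because NAT rewrites every external
    # connection to FIREWALL_INTERNAL_IP; without that NAT, "all except" is wide open.

# Constructed SMTP protocol log lines: <client IP> <MAIL FROM domain> <RCPT TO domain>
LOG = """\
192.168.1.1 spamdomain.example cathyb76.example
192.168.1.1 spamdomain.example other.example
192.168.1.1 partner.example company.example
192.168.1.50 company.example outside.example
192.168.1.1 spamdomain.example yetanother.example"""

def relay_attempts(log):
    """Yield (client_ip, sender_domain) for each message bound for a non-local domain."""
    for line in log.splitlines():
        client_ip, sender, rcpt = line.split()
        if rcpt not in LOCAL_DOMAINS:
            yield client_ip, sender

def nat_symptom(log, threshold=0.75):
    """Return the dominant source IP if third-party relay traffic (foreign sender AND
    foreign recipient) is concentrated on one address, else None."""
    by_ip = Counter(ip for ip, sender in relay_attempts(log)
                    if sender not in LOCAL_DOMAINS)
    total = sum(by_ip.values())
    if not total:
        return None
    top_ip, count = by_ip.most_common(1)[0]
    return top_ip if count / total >= threshold else None

if __name__ == "__main__":
    print("NAT-collapsed relay source:", nat_symptom(LOG))
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, "firewall relays:", relay_allowed(FIREWALL_INTERNAL_IP, policy),
              "| LAN host relays:", relay_allowed("192.168.1.50", policy))
```

With the constructed log, the firewall address carries all third-party relay traffic, which is the check Chris suggests making against the ordb.org test message's originating address.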