Re: Server help!! Possible compromised over 6000 NDRs!!!! HELP!

  • From: "Allen, Chris" <CAllen@xxxxxxxxxxxxxxxx>
  • To: "KEN MORRIS" <KMORRIS@xxxxxxx>, "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 12:28:46 -0400

If you right-click the queue, select enumerate 100 messages, then double
click the queue, it should list the first 100 messages. Sort them and
highlight all of the ones you know to be spam. Then right click the
highlighted list and select Delete (Do not send NDR). That should take
care of it.

 

-----Original Message-----
From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] 
Sent: Wednesday, September 24, 2003 8:49 AM
To: [ExchangeList]
Cc: k2keener@xxxxxxxxxxx; Allen, Chris
Subject: RE: [exchangelist] Re: Server help!! Possible compromised over
6000 NDRs!!!! HELP!

 

Chris,

Having just read your reply, I can safely agree that this is similar!
Thank you for the extra input.

My next question is, how do I clear the queues, as I was looking at them
before reading this and realized that there are several hundred sitting
there. I have started by freezing them until I can clear them.

Thanks again!

Ken

        -----Original Message----- 
        From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
        Sent: Wed 9/24/2003 8:39 AM 
        To: [ExchangeList] 
        Cc: k2keener@xxxxxxxxxxx 
        Subject: [exchangelist] Re: Server help!! Possible compromised
        over 6000 NDRs!!!! HELP!

        http://www.MSExchange.org/

        We had a similar issue. On ours, the firewall was natting all
        incoming requests (including SMTP), making them appear to originate
        from the internal address of the firewall. In turn this would allow
        the relaying, as we allow relaying for internal users for programmatic
        reasons. We resolved the issue, effectively closing external relaying
        capabilities, by making the following changes:

         

        In Exchange System Manager, Administrative Groups -> Site ->
        Servers -> Server Name -> Protocols -> SMTP -> Default SMTP Virtual
        Server, right click and select Properties. Select the Access tab and
        then the Relay button. Change "Only the list below" to "All except the
        list below" and add the internal firewall IP address. Leave the
        checkbox at the bottom checked. Upon doing this, we wound up having to
        clean up over 9000 spam messages now trapped in our queues. Once you
        do this (if this mirrors your situation), you will probably need to go
        to www.ordb.net <http://www.ordb.net/> and have them test you for open
        relay. The reason you want them to do it is, they probably have you
        listed as an open relay site and the only way to be removed from their
        list is for them to prove you are no longer an open relay. It then
        takes about 2 or 3 days for your site to get off their list as well as
        a few other lists.

         

        To verify that it is a natting issue, go to www.ordb.org
        <http://www.ordb.org/> and check your mailserver's external IP against
        their database. It will show the last test message that showed up as
        a relay on your site. If the originating address of the message is
        your firewall's internal IP then this is most likely the issue you are
        facing. Let me know if this helps.

         

        Chris Allen

        Systems Administrator

        Metron North America
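        The relay decision Chris describes can be modelled in a few lines. The
        following is an added illustration, not code from the list or from
        Microsoft; the addresses are constructed, and the `may_relay` logic is
        a simplified assumption drawn from the Relay dialog's three settings
        (mode, address list, and the "authenticated computers may relay" checkbox).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    """Relay dialog settings: mode is 'only_listed' or 'all_except_listed',
    hosts is the address list, auth_relays is the checkbox at the bottom."""
    mode: str
    hosts: frozenset
    auth_relays: bool = True


def may_relay(policy: RelayPolicy, source_ip: str, authenticated: bool = False) -> bool:
    """Simplified model (assumption, not Microsoft's code) of one SMTP session:
    authenticated sessions relay when the checkbox is set; otherwise the
    address Exchange sees is matched against the list."""
    if authenticated and policy.auth_relays:
        return True
    listed = any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(h)
                 for h in policy.hosts)
    return listed if policy.mode == "only_listed" else not listed


def seen_by_exchange(client_ip: str, nat_rewrites_source: bool, firewall_internal_ip: str) -> str:
    """A NATting firewall replaces the real client address with its own internal IP."""
    return firewall_internal_ip if nat_rewrites_source else client_ip


# Constructed addresses for the demonstration.
FIREWALL_INTERNAL = "10.0.0.1"
INTERNAL_DESKTOP = "10.0.0.50"
EXTERNAL_CLIENT = "198.51.100.23"   # documentation range, stands in for any outside host

# Before: "Only the list below", with the internal LAN (which includes the firewall) listed.
BEFORE = RelayPolicy("only_listed", frozenset({"10.0.0.0/24"}))
# After: "All except the list below", with the firewall's internal IP listed. Every
# outside connection arrives NATted from that address, so this closes external relay.
AFTER = RelayPolicy("all_except_listed", frozenset({FIREWALL_INTERNAL}))


def scenarios() -> dict:
    ext = seen_by_exchange(EXTERNAL_CLIENT, True, FIREWALL_INTERNAL)   # Exchange sees 10.0.0.1
    return {
        "before/external via NAT": may_relay(BEFORE, ext),               # open relay
        "after/external via NAT": may_relay(AFTER, ext),                 # denied
        "after/internal desktop": may_relay(AFTER, INTERNAL_DESKTOP),    # LAN still relays
        "after/authenticated client": may_relay(AFTER, ext, authenticated=True),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'relay allowed' if allowed else 'relay denied'}")
```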

         

        -----Original Message-----
        From: Wohlgemuth, Mike [mailto:WohlgemuthM@xxxxxxxxxxxxxxxxxxx] 
        Sent: Wednesday, September 24, 2003 7:06 AM
        To: [ExchangeList]
        Subject: RE: [exchangelist] Re: Server help!! Possible
        compromised over 6000 NDRs!!!! HELP!

         

        I had the same problem ...

         

        under the relay on the smtp default server, I needed to uncheck
        "allow to relay regardless of the list above" ...

         

        here is what I gathered from microsoft q papers (can't find them
        right now ...) .. you have to have anonymous authentication checked,
        and IF you also have "allow to relay regardless of the list above"
        checked, then spammers authenticate anonymously to your server to
        relay .... I think most of the spam is caught (i.e. that is why you
        have 6000 ndrs) ... but it still ends up that you are processing all
        those emails ...

         

        mike

                -----Original Message----- 
                From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx] 
                Sent: Tue 9/23/2003 10:14 PM 
                To: [ExchangeList] 
                Cc: 
                Subject: [exchangelist] Re: Server help!! Possible
                compromised over 6000 NDRs!!!! HELP!

                By "spoofing" do you mean that you're sure that your
                server is configured to disallow relaying?
                
                Craig A. Weil
                Network Administrator
                
                
                ----- Original Message -----
                From: "KEN MORRIS" <KMORRIS@xxxxxxx>
                To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
                Sent: Tuesday, September 23, 2003 6:51 PM
                Subject: [exchangelist] Server help!! Possible
                compromised over 6000 NDRs!!!! HELP!
                
                
                > Hello,
                >
                > As Exchange Admin (with little training unfortunately)
                > I receive the NDR's.
                > Today I have received over 6000 NDR's all with
                > subjects, email addresses both send and receive that are
                > not a part of our domain.
                > I have checked to ensure that spoofing is disabled,
                > yet I cannot figure out how we are being used.
                >
                > I can forward on one of the NDR's to anyone. I have
                > not been able to figure a way to check the headers on the
                > NDR. Here is a copy of the text for one of the NDR's:
                >
                > The following recipient(s) could not be reached:
                >
                >   cathyb76@xxxxxxxxxxx on 9/23/2003 9:43 PM
                >   There was a SMTP communication problem with the
                > recipient's email server.
                > Please contact your system administrator.
                >   <server.company #5.5.0 smtp;550 Requested action not
                > taken: mailbox unavailable>
                >
                > I figure that by morning, my inbox will be once again
                > filled, could you please forward any questions to
                > k2keener@xxxxxxxxxxx as well as the list. I do not want
                > to lose any responses.
                >
                > Thanks
                >
                > Ken
                >
                >
                > ------------------------------------------------------
                > List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
                > Exchange Newsletters:
http://www.msexchange.org/pages/newsletter.asp
                > Exchange FAQ:
http://www.msexchange.org/pages/larticle.asp?type=FAQ
                > ------------------------------------------------------
                > Other Internet Software Marketing Sites:
                > Leading Network Software Directory:
http://www.serverfiles.com
                > No.1 ISA Server Resource Site:
http://www.isaserver.org
                > Windows Security Resource Site:
http://www.windowsecurity.com/
                > Network Security Library: http://www.secinf.net/
                > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                > ------------------------------------------------------
                > You are currently subscribed to this MSExchange.org
Discussion List as:
                craig_weil@xxxxxxxxxxx
                > To unsubscribe send a blank email to
                $subst('Email.Unsub')
                >
                
