I'll try that. I did run Spybot S&D, but didn't see anything that
looked suspicious.

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Philip Walley
> Sent: Tuesday, 2 March 2004 4:01 a.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
>
> I've seen this same thing on 5.5. What I found when I looked into it
> is that a 5.5 server can have relaying disabled, but you are still
> able to submit the mail (they just will not go anywhere). You may
> want to run something like adaware on the server to see if you can
> find what is generating the emails.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Henry Sieff
> Sent: Monday, March 01, 2004 8:50 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: OT: Exchange Server Spamming
>
> Well, the "reverse Spam" technique doesn't use just ex-employees'
> email addresses, it uses randomaddress@xxxxxxxxxx where domain.com is
> your domain. You could (I suppose) continually add addresses to this
> list as you see them, but this is impractical (to say the least).
>
> Turning off NDR is a possibility, as someone else said, but it's a
> little draconian, imo (not that I haven't considered it). Bounces are
> a useful part of the SMTP, and turning them off does break RFC.
>
> The emergence of this technique will probably require some form of
> content-based filtering to combat (I hate spam filtering based on
> content, but there may be no choice).
>
> Another possibility is to only accept mail from servers on a
> "white-list". There are several companies I have dealt with that
> forward the first email from either a domain or a mail server to the
> mail admin. The mail admin can approve either the address, the
> domain, or the server, and only after that will email be accepted for
> delivery.
>
> Without something like this, there is no technological defense
> against this technique w/o breaking RFC.
>
> False, tricksy spammers. . .
>
> Henry
>
> > -----Original Message-----
> > From: Dennis van Turnhout [mailto:turnhout@xxxxxxxxxx]
> > Sent: Monday, March 01, 2004 2:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: Exchange Server Spamming
> >
> > If it's spam to addresses that used to exist, try this option.
> > Works like a charm over here.
> >
> > -----
> >
> > Black Holes - not just a space thing!
> >
> > As users leave your company, you will more than likely delete their
> > mailbox after a certain amount of time. It is then common for the
> > SMTP address of the departed employee to be added to another
> > mailbox, or a public folder, perhaps being monitored by the departed
> > employee's manager. The aim is to make sure that any important
> > business email is acknowledged for some amount of time after the
> > user has left.
> >
> > Clearly there is a long term issue with this method, since
> > eventually, the monitoring of the messages sent to that address will
> > stop. Removing the SMTP address from the organisation will obviously
> > not stop messages being sent to that address; there are always going
> > to be those pesky spam messages, and additionally, your Exchange
> > server has to generate a non-delivery report for each message.
> >
> > One solution to put the issue out of your mind is to implement what
> > is sometimes referred to as the 'black hole' method. This allows
> > your Exchange server to simply delete the messages sent to specific
> > SMTP addresses, whilst at the same time never generating a
> > non-delivery report for these messages.
> >
> > Here are the 3 simple steps to implement the black hole method:
> >
> > 1. Create a distribution list (Exchange 5.5) or a mail-enabled
> >    distribution group (Exchange 2000).
> >
> > 2. Make sure that there are NO members in this distribution
> >    list/group. This is the key part to this tip.
> >
> > 3. Add the SMTP addresses of the ex-employees to the distribution
> >    list/group. Add them as secondary SMTP addresses in exactly the
> >    same way you would for a mailbox.
> >
> > Now, when messages are sent to these problematic SMTP addresses,
> > Exchange silently deletes them. No non-delivery reports are
> > generated, and the administrator no longer has to be concerned about
> > these messages.
> >
> > Try it. It works well!
> >
> > Neil Hobson
> >
> > -----Original Message-----
> > From: Nick Smith [mailto:nick@xxxxxxxxxxxxxxx]
> > Sent: maandag 1 maart 2004 08:22
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: Exchange Server Spamming
> >
> > Jeff - It's being used for Reverse Spam. The idea is that you send
> > out a bunch of spam to a server from valid email addresses; your
> > server then sends an NDR to the addresses, thus delivering the spam.
> > Switch off NDRs to stop this.
> >
> > Nick
> >
> > -----Original Message-----
> > From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> > Sent: 01 March 2004 05:26
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] OT: Exchange Server Spamming
> >
> > I have a customer with an NT4 Small Business Server with Exchange
> > 5.5 SP4. The outbound SMTP queue is filling with undelivered mail,
> > indicating that the server is being used to spam. The server is
> > definitely not an open relay (tested myself and through ORDB.ORG),
> > and doesn't allow *any* SMTP relay. I've found that the outbound
> > queue on this server fills up even if it's disconnected from the
> > network, which tells me that the server itself is generating the
> > mail. It's got Norton Antivirus with the latest definitions, and
> > I've scanned it with Trend's online virus scanner. I don't find any
> > viruses at all.
> > I've looked at the processes for processes that are using a bunch
> > of CPU time, but don't see anything obvious. Any ideas? TIA.
> >
> > JD
> >
> > ********************************************************
> > This weeks sponsor triCerat Inc.
> > triCerat makes your job easier by offering essential applications to
> > eliminate your printing, policy and profile, and your application
> > management problems. http://www.triCerat.com
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation
> > mode use the below link: http://thin.net/citrixlist.cfm
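
A way to check whether a filling outbound queue is the NDR "reverse spam" pattern described in this thread rather than mail composed on the server, as an added example that is not part of the original messages. It assumes the queued messages can be exported as raw text and that NDRs follow the RFC 3464 multipart/report layout; the domain names, sample messages and the function name `triage_queue` are constructed for illustration.

```python
import email
from collections import Counter
from email.utils import parseaddr

# Constructed NDR in RFC 3464 layout (assumed format, not taken from the thread).
NDR_TEMPLATE = """\
From: postmaster@example.com
To: {victim}
Subject: Undeliverable: hello
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient could not be found.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; {rcpt}
Action: failed
Status: 5.1.1

--b1--
"""
SAMPLE_QUEUE = [  # constructed queue export: two NDRs and one ordinary message
    NDR_TEMPLATE.format(victim="alice@elsewhere.test", rcpt="qwxz81@example.com"),
    NDR_TEMPLATE.format(victim="bob@elsewhere.test", rcpt="randomaddress@example.com"),
    "From: user@example.com\nTo: partner@other.test\nSubject: Quote\n\nHi\n",
]

def triage_queue(raw_messages, local_domain):
    """Count queued NDRs and tally their failed recipients and targets."""
    out = {"ndr": 0, "other": 0, "failed_rcpts": Counter(), "targets": Counter()}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        report_type = (msg.get_param("report-type") or "").lower()
        if msg.get_content_type() != "multipart/report" or report_type != "delivery-status":
            out["other"] += 1
            continue
        out["ndr"] += 1
        out["targets"][parseaddr(msg.get("To", ""))[1].lower()] += 1
        for part in msg.walk():
            if part.get_content_type() != "message/delivery-status":
                continue
            for block in part.get_payload():  # one Message per header block
                rcpt = block.get("Final-Recipient", "").split(";", 1)[-1].strip().lower()
                if rcpt and block.get("Action", "").strip().lower() == "failed":
                    out["failed_rcpts"][rcpt] += 1
    # Signature: the queue is mostly NDRs, all for unknown addresses at our own domain.
    local = [r for r in out["failed_rcpts"] if r.endswith("@" + local_domain.lower())]
    all_local = len(local) == len(out["failed_rcpts"]) > 0
    out["looks_like_backscatter"] = out["ndr"] > out["other"] and all_local
    return out
```

Many distinct NDR targets combined with failed recipients that never existed at the local domain point to bounces for forged senders, which is consistent with a server that is not relaying yet still fills its outbound queue.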