RE: Open Relay Help

  • From: "Bob Fronk" <bfronk@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 8 Apr 2004 14:37:09 -0400

Sounds like one of your user accounts has been hijacked.  Turn on
auditing and figure out which account he is using and change the
password or disable the account.

Bob Fronk

From: Bill Matthews 
Posted At: Thursday, April 08, 2004 2:02 PM
Posted To: exchangelist
Conversation: Open Relay Help
Subject: Open Relay Help 


Esteemed Exchange Gurus,

I've got a problem that has me stumped. Exchange2K, W2K sp4. ~120
mailboxes, single store, single server. W2k network with AD. Antigen 6.5
with NAI, Sophos and Norman engines.

We have relay only allowed for one box (our web server) coming in on a
dedicated line and allowed by its specific IP address. Otherwise relay
not allowed even for authenticated users. Our own testing from outside
the firewall cannot initiate a relay.

Some time between 10PM and 2AM each night a spammer from mainland China
comes in through a hijacked IP, connects to port 25 on our exchange
server and sends out 700-800 spams. I've got firewall logs, SMTP logs
and message tracking logs, and copies of the Internet headers from the
spam sent to people outside of our organization that show exactly what
and when he does it.

What I don't have is a way to stop this guy. 

Any and all help and wild guesses appreciated.

Bill Matthews
Manager, Information Technology
International Reading Association
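One way to act on the "turn on auditing and figure out which account he is using" advice, as an added example that is not part of this thread: it parses W3C-style SMTP protocol log lines (a constructed sample; the exact field layout, and the assumption that cs-username carries the SMTP AUTH login once the server returned 235, are mine) and reports which account or unauthenticated client IP had recipients accepted during the overnight window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in W3C extended format; the field set is an assumption,
# the parser uses whatever the '#Fields:' header declares. cs-username holds the
# SMTP AUTH login once a 235 was returned (assumption), '-' when unauthenticated.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-04-08 03:02:12 203.0.113.45 - AUTH +LOGIN 334
2004-04-08 03:02:13 203.0.113.45 jsmith AUTH - 235
2004-04-08 03:02:14 203.0.113.45 jsmith MAIL +FROM:<x@example.net> 250
2004-04-08 03:02:14 203.0.113.45 jsmith RCPT +TO:<a@example.org> 250
2004-04-08 03:02:15 203.0.113.45 jsmith RCPT +TO:<b@example.org> 250
2004-04-08 03:02:15 203.0.113.45 jsmith RCPT +TO:<c@example.org> 250
2004-04-08 14:10:03 198.51.100.7 - MAIL +FROM:<web@example.com> 250
2004-04-08 14:10:03 198.51.100.7 - RCPT +TO:<d@example.org> 250
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def relay_activity(text, night=(22, 6)):
    """Accepted RCPT commands grouped by SMTP AUTH user (or by client IP when
    unauthenticated): count, client IPs, and whether any fell in the overnight
    window, 22:00-06:00 by default (the poster saw traffic 10PM-2AM)."""
    stats = defaultdict(lambda: {"rcpt": 0, "ips": set(), "overnight": False})
    for rec in parse_w3c(text):
        if rec["cs-method"] != "RCPT" or rec["sc-status"] != "250":
            continue
        user = rec["cs-username"]
        key = user if user != "-" else "noauth " + rec["c-ip"]
        hour = datetime.strptime(rec["time"], "%H:%M:%S").hour
        s = stats[key]
        s["rcpt"] += 1
        s["ips"].add(rec["c-ip"])
        s["overnight"] |= hour >= night[0] or hour < night[1]
    return dict(stats)

def suspects(stats, min_rcpt=3):
    """Keys with overnight activity and at least min_rcpt accepted recipients."""
    return sorted(k for k, s in stats.items() if s["overnight"] and s["rcpt"] >= min_rcpt)

if __name__ == "__main__":
    print(suspects(relay_activity(SAMPLE_LOG)))  # ['jsmith']
```

An account that shows up here with a client IP that is not one of your own is the one to reset or disable; the whitelisted web server shows up only under its unauthenticated IP key, so it is easy to separate from abused credentials.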
