The firewall is, I believe, store and forward. It passes the internal IP as the originator on all SMTP traffic. I believe this is due to NATting, but shutting relay off to it did the trick as far as closing the open relay. The bluestelnn gang is pounding us with several thousand relay requests, though, in an attempt to find a user that they can authenticate and use. We have blocked their netblocks and have stopped the attack, but I want to be prepared for the next gang that tries it. I am forcing password changes on everyone, enforcing stricter passwords and possibly turning off the authenticated user override of the relay rule. I am hoping this will work without breaking our processes, but I guess only a test will tell. Thanks for the inputs.

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Friday, September 26, 2003 3:15 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

Last I checked, yes. You can specify by IP address as I recall. I'm not near a machine to say exactly which setting path that's down, but take a look. One issue you need to be aware of is the relay vs. the accept mail. You want to be able to accept mail inbound but not relay to everywhere on the Internet. Understood. You want internal users' machines to be able to relay, so as long as they have a particular addr block then you should be able to manage that. That won't prevent address spoofing, but it might be done at the firewall instead. As for your firewall being allowed, is your firewall passing the conversation through or is it store-and-forward (running an SMTP daemon of sorts)?

Al

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 2:10 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

We actually need it for internal and external SMTP traffic, but only internal relaying. One of our customers has us send email on their behalf from their domain but relayed from ours. We need that capability to continue; however, the ones we have the problem with are the external entities that are relaying through us maliciously. We are not an open relay site, yet they still get in to relay by smtp/auth. Is there any way to close the door to pass-through relaying while leaving it open to outbound only and only a specific set of IPs, regardless of whether they are authenticated or not?

-----Original Message-----
From: Golden, James [mailto:jgolden@xxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 1:52 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

If you are using Exchange for internal email only you can turn off relaying. The way we have it set up is our Exchange box doesn't relay at all. If it is going outbound then we put all that SMTP traffic to an MTA (we use sendmail on a Linux box). Our MTA only accepts SMTP traffic from our Exchange server, the firewall and a few specific servers for applications that need to send out SMTP. On top of that, at our firewall level we only allow SMTP to and from the Linux box, and no other SMTP traffic is allowed through. We don't have any problems with relaying now that we have this system fully implemented.

I noticed that you said there are some custom apps... In this instance you can set up the sendmail server to accept SMTP traffic from the firewall and whatever the other machines are, and that's it. This will then deny any other SMTP traffic in your internal network. That should fish them out, so to speak. This will also get around Exchange's authenticated relays.

Hope this helps.

James

"Risk more than others think is safe. Care more than others think is wise. Dream more than others think is practical. Expect more than others think is possible."

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 8:34 AM
To: [ExchangeList]
Subject: [exchangelist] Relaying question

http://www.MSExchange.org/

Per SpamCop and SpamHaus, "Spammers are taking advantage of weak passwords on systems using smtp/auth and brute force finding name/password combinations that work and then sending spam thru these servers. There are various characteristic footprints for this and one of them is the use of a "from" address of the format bluestallnn@some legit ISP and the "nn" iterates in each successive spam. bluestelllf@xxxxxxx bluestellpg@xxxxxxxxxxx bluestelluf@xxxxxxxxx"

My question is this: if I uncheck "Allow all computers which successfully authenticate to relay, regardless of the list above", will this effectively stop brute force attacks on weak passwords as far as Exchange is concerned, and what will this break? I am also taking measures by blocking their entire block of IPs.
The ranges are as follows:
211.158.32.0/20
211.158.48.0/21
211.158.80.0/20
219.153.144.0/20

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: callen@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
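The relay policy the thread asks about, as an added example that is not from the list or from Exchange itself: a small Python model in which inbound mail to local domains is always accepted, outbound relay is granted only to an assumed allow-list of address blocks (the internal LAN and the store-and-forward firewall), and a successful SMTP AUTH no longer overrides the relay rule. It also counts, per source address, the sessions that only the authenticated-user override would have let through. Domains, address blocks and the session records are constructed.

```python
"""Relay decision with the 'authenticated users may relay' override disabled.
All domains, address blocks and sessions below are constructed examples."""
import ipaddress
from collections import Counter

LOCAL_DOMAINS = {"example.com", "customer.example"}        # assumed: domains we accept mail for
RELAY_ALLOWED = [ipaddress.ip_network("192.0.2.0/24"),     # assumed: internal LAN block
                 ipaddress.ip_network("198.51.100.7/32")]  # assumed: store-and-forward firewall
AUTH_OVERRIDES_RELAY = False  # the "Allow all computers which successfully authenticate
                              # to relay, regardless of the list above" box, unchecked


def relay_decision(src_ip, authenticated, rcpt, auth_override=AUTH_OVERRIDES_RELAY):
    """Return 'accept' (local delivery), 'relay' (forward outbound) or 'reject'."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"            # inbound mail is never a relay, auth or not
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in RELAY_ALLOWED):
        return "relay"             # outbound relay only from the allow-listed blocks
    if auth_override and authenticated:
        return "relay"             # the path a brute-forced password abuses
    return "reject"


def relay_abuse_summary(sessions):
    """Per source IP, count sessions that would relay only because of the
    authenticated-user override, i.e. what unchecking the box blocks."""
    blocked = Counter()
    for src_ip, authenticated, rcpt in sessions:
        without = relay_decision(src_ip, authenticated, rcpt, auth_override=False)
        with_override = relay_decision(src_ip, authenticated, rcpt, auth_override=True)
        if without == "reject" and with_override == "relay":
            blocked[src_ip] += 1
    return blocked


SESSIONS = [  # constructed: (source IP, AUTH succeeded?, RCPT TO address)
    ("192.0.2.15", False, "someone@other.example"),    # LAN user sending outbound
    ("198.51.100.7", False, "bob@other.example"),      # firewall forwarding outbound
    ("203.0.113.9", False, "alice@example.com"),       # external host, inbound mail
    ("203.0.113.9", True, "victim1@other.example"),    # external host, auth'd, relay attempt
    ("203.0.113.9", True, "victim2@other.example"),    # same, next address in the run
    ("203.0.113.9", False, "victim3@other.example"),   # no auth: rejected either way
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s, "->", relay_decision(*s))
    print("blocked by disabling the override:", dict(relay_abuse_summary(SESSIONS)))
```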