RE: Relaying question

  • From: "Allen, Chris" <CAllen@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 26 Sep 2003 15:53:58 -0400

The firewall is, I believe, store and forward. It passes the internal IP
as the originator on all SMTP traffic. I believe this is due to NATing,
but shutting relay off to it did the trick as far as closing the open
relay. The bluestelnn gang is pounding us with several thousand relay
requests though in an attempt to find a user that they can authenticate
and use.  We have blocked their netblocks though and have stopped the
attack, but I want to be prepared for the next gang that tries it. I am
forcing password changes on everyone, enforcing stricter passwords and
possibly turning off the authenticated user override of the relay rule.
I am hoping this will work without breaking our processes, but I guess
only a test will tell. Thanks for the inputs.

 

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Friday, September 26, 2003 3:15 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

 

http://www.MSExchange.org/

Last I checked, yes.  You can specify by ip address as I recall. I'm not
near a machine to say exactly which setting path that's down but take a
look.

 

One issue you need to be aware of is the relay vs. the accept mail.  You
want to be able to accept mail inbound but not relay to everywhere on
the internet.  Understood.  You want internal users' machines to be able
to relay so as long as they have a particular addr block then you should
be able to manage that.  That won't prevent address spoofing, but it
might be done at the firewall instead.  

 

As for your firewall being allowed, is your firewall passing the
conversation through or is it store-and-forward (running a SMTP daemon
of sort?)

 

Al

        -----Original Message-----
        From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
        Sent: Friday, September 26, 2003 2:10 PM
        To: [ExchangeList]
        Subject: [exchangelist] RE: Relaying question

        We actually need it for internal and external smtp traffic, but
        only internal relaying. One of our customers has us send email on their
        behalf from their domain but relayed from ours. We need that capability
        to continue, however, the ones we have the problem with are the external
        entities that are relaying through us maliciously. We are not an open
        relay site, yet they still get in relay by smtp/auth. Is there any way to
        close the door to pass-through relaying while leaving it open to
        outbound only and only a specific set of IPs regardless of whether they
        are authenticated or not?

         

        -----Original Message-----
        From: Golden, James [mailto:jgolden@xxxxxxxxxxxxxxxxxxxxx] 
        Sent: Friday, September 26, 2003 1:52 PM
        To: [ExchangeList]
        Subject: [exchangelist] RE: Relaying question

         

        If you are using exchange for internal email only you can turn
        off relaying. The way we have it setup is our exchange box doesn't relay
        at all. If it is going outbound then we put all that SMTP traffic to a
        MTA (we use sendmail on a linux box). Our MTA only accepts smtp traffic
        from our exchange server, the firewall and a few specific servers for
        applications that need to send out SMTP. On top of that, at our firewall
        level we only allow smtp to and from the Linux box and no other SMTP
        traffic is allowed through. We don't have any problems with relaying now
        that we have this system fully implemented.

        I noticed that you said there are some custom apps... In this
        instance you can setup the sendmail server to accept SMTP traffic from
        the firewall, and whatever the other machines are and that's it.  This
        will then deny any other SMTP traffic in your internal network.  That
        should fish them out, so to speak.  This will also get around Exchange's
        authenticated relays.

        Hope this helps. 

        James 

        "Risk more than others think is safe. Care more than others
think is wise. Dream more than others think is practical. Expect more
than others think is possible."

        -----Original Message----- 
        From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
        Sent: Friday, September 26, 2003 8:34 AM 
        To: [ExchangeList] 
        Subject: [exchangelist] Relaying question  
          
          

        Per SpamCop and SpamHaus, "Spammers are taking advantage of weak
passwords on systems using smtp/auth and brute force finding
name/password combinations that work and then sending spam thru these
servers. There are various characteristic footprints for this and one of
them is the use of a "from" address of the format bluestallnn@some legit
ISP and the "nn" iterates in each successive spam.

                                 

                                bluestelllf@xxxxxxx 

                                bluestellpg@xxxxxxxxxxx 

                                bluestelluf@xxxxxxxxx " 

                                 

                                My question is this, if I uncheck "Allow
all computers which successfully authenticate to relay, regardless of
the list above", will this effectively stop brute force attacks on weak
passwords as far as exchange is concerned and what will this break?

                                 

                                I am also taking measures by blocking
                                their entire block of IPs. The ranges are as follows:

                                 

                                211.158.32.0/20 

                                211.158.48.0/21 

                                211.158.80.0/20 

                                219.153.144.0/20 

        ------------------------------------------------------
        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
        Exchange Newsletters:
http://www.msexchange.org/pages/newsletter.asp
        Exchange FAQ:
http://www.msexchange.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 ISA Server Resource Site: http://www.isaserver.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this MSExchange.org Discussion
List as: callen@xxxxxxxxxxxxxxxx
        To unsubscribe send a blank email to
$subst('Email.Unsub') 
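
The relay decision discussed in this thread, as an added example that is not part of the original messages and is not Exchange's own logic: a simplified model of a relay allow-list with the "authenticated computers may relay" override, where every external sender reaches the server from the firewall's internal address. All addresses, networks and domains are constructed.

```python
import ipaddress
from dataclasses import dataclass

FIREWALL_IP = "10.0.0.1"         # constructed: firewall's internal address
APP_SERVER_IP = "10.0.5.20"      # constructed: internal host that must relay
LOCAL_DOMAINS = {"example.com"}  # constructed: domains we accept mail for


@dataclass
class RelayPolicy:
    relay_nets: list      # networks allowed to relay without authenticating
    auth_override: bool   # "authenticated computers may relay regardless of list"

    def decide(self, peer_ip, rcpt, authenticated=False):
        """Return 'accept' (local delivery), 'relay' or 'reject' for one RCPT TO."""
        if rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
            return "accept"  # inbound mail is not relaying
        ip = ipaddress.ip_address(peer_ip)
        if any(ip in ipaddress.ip_network(net) for net in self.relay_nets):
            return "relay"
        if authenticated and self.auth_override:
            return "relay"
        return "reject"


def audit(policy):
    """Evaluate four situations; external peers are seen as FIREWALL_IP
    because the firewall presents its internal address as the originator."""
    outside = "victim@example.net"  # constructed non-local recipient
    return {
        "inbound_mail": policy.decide(FIREWALL_IP, "user@example.com"),
        "external_unauthenticated": policy.decide(FIREWALL_IP, outside),
        "external_guessed_password": policy.decide(FIREWALL_IP, outside, True),
        "internal_app_server": policy.decide(APP_SERVER_IP, "customer@example.org"),
    }


# Three configurations: firewall inside the relay list, firewall removed,
# and firewall removed with the authenticated override also unchecked.
FIREWALL_LISTED = RelayPolicy(["10.0.0.0/8"], auth_override=True)
FIREWALL_REMOVED = RelayPolicy(["10.0.5.0/24"], auth_override=True)
OVERRIDE_OFF = RelayPolicy(["10.0.5.0/24"], auth_override=False)

if __name__ == "__main__":
    for name, policy in [("firewall listed", FIREWALL_LISTED),
                         ("firewall removed", FIREWALL_REMOVED),
                         ("override off", OVERRIDE_OFF)]:
        print(name, audit(policy))
```

In this model the last configuration also rejects a legitimate user who authenticates from outside the listed networks, which is the kind of breakage the original question asks about.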
