Hi Ken,

Then what you need to do is put an SMTP spam whacking relay in front of the SMTP server that's posing the problem for you. The spam whacking SMTP relay will block the spam messages from going outbound before they have a chance of doing any damage. Depending on the spam whacking software you use, you can even be notified of the event and start legal actions against the spammer in less than an hour.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

________________________________________
From: KEN MORRIS [mailto:KMORRIS@xxxxxxx]
Sent: Friday, September 26, 2003 12:33 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

Chris,

I have been having the same problems.... But unchecking that has not stopped our users from relaying. The problem being once they have a user/pswd (which I think is my case), they can still get in and set up more spamming anytime. I have had to freeze queues and delete the spam messages in order to try to keep it clear. So while this may appear as a fix, it will depend on how malicious they want to be.

Ken

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 1:25 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

According to Microsoft, my exchange is secure. We are not an open relay and in theory we should have no worries. However, the type of relaying going on here is malicious. It is a brute force attack on our user-base and not a simple IP spoof. The relay options in system manager are to allow all relay traffic except for the following. Then we have added the internal IP of our firewall as the exception since it nats all traffic including SMTP. Therefore, if someone wanted to relay, their email would appear to be from the internal NIC of the firewall and would be stopped.
However, the checkbox at the bottom of this same screen says, "Allow all computers which successfully authenticate to relay, regardless of the list above". Therefore, when they manage to get a user/password that works, it doesn't matter where it comes from, they will get relayed. What will happen if I uncheck this box? Will true internal users still be able to relay? Will external relay be stopped using the smtp/Auth method? These are the questions I cannot find answers to. Any help would be appreciated. Thanks.

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Friday, September 26, 2003 10:20 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

Have you considered having a look at the information on this subject at www.microsoft.com/security ? There are some articles that discuss how to secure your server that also talk about the trade-offs that go with it. Although Tom's idea of fun is a little skewed ;) you can hurt yourself if you make the changes without a full understanding of what you are doing and what its effects will be.

ajm

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 9:54 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

The problem is, I need to allow relay internally. I have various custom apps that the users need to email a client upon completion of a workorder. They each do over 500 a day and automation is the only way to do this effectively. So, if I shut off the checkbox in question, will the internal IPs still be able to relay?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 9:50 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

Hi Chris,

Yes. If you don't allow relay, then the server will not relay.
You can also do other things like prevent the machine from resolving Internet host names (just for fun).

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 8:34 AM
To: [ExchangeList]
Subject: [exchangelist] Relaying question

http://www.MSExchange.org/

Per SpamCop and SpamHaus, "Spammers are taking advantage of weak passwords on systems using smtp/auth and brute force finding name/password combinations that work and then sending spam thru these servers. There are various characteristic footprints for this and one of them is the use of a "from" address of the format bluestallnn@some legit ISP and the "nn" iterates in each successive spam.

bluestelllf@xxxxxxx
bluestellpg@xxxxxxxxxxx
bluestelluf@xxxxxxxxx
"

My question is this, if I uncheck "Allow all computers which successfully authenticate to relay, regardless of the list above", will this effectively stop brute force attacks on weak passwords as far as exchange is concerned and what will this break?

I am also taking measures by blocking their entire block of IPs.
The ranges are as follows:

211.158.32.0/20
211.158.48.0/21
211.158.80.0/20
219.153.144.0/20

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: callen@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to leave-exchangelist-1461389B@xxxxxxxxxxxxx
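
The footprint quoted in the original question (authenticated relay from outside the network, with a "from" local part whose last two characters iterate) can be checked against relay records. The following is an added example, not part of the original thread; the record layout, account names, domains and the 10.0.0.0/8 internal range are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Source ranges named in the original message.
LISTED = [ipaddress.ip_network(n) for n in (
    "211.158.32.0/20", "211.158.48.0/21",
    "211.158.80.0/20", "219.153.144.0/20")]
# Assumption: the internal apps that must relay sit in this range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed records: (client IP, authenticated account, MAIL FROM).
SAMPLE = [
    ("10.1.2.30",     "svc-workorder", "dispatch@corp.example"),
    ("10.1.2.30",     "svc-workorder", "dispatch@corp.example"),
    ("211.158.33.7",  "jsmith",        "bluestelllf@isp-a.example"),
    ("211.158.33.7",  "jsmith",        "bluestellpg@isp-b.example"),
    ("219.153.150.9", "jsmith",        "bluestelluf@isp-c.example"),
    ("198.51.100.20", "mjones",        "mjones@corp.example"),
]

def iterating_stems(senders, min_variants=3):
    """Stems shared by >= min_variants local parts that differ only in
    their last two characters (the 'nn' footprint quoted in the thread)."""
    variants = defaultdict(set)
    for addr in senders:
        local = addr.split("@", 1)[0].lower()
        if len(local) > 4:
            variants[local[:-2]].add(local[-2:])
    return {stem for stem, tails in variants.items()
            if len(tails) >= min_variants}

def review(records):
    """Return {account: sorted reasons} for accounts that relayed suspiciously."""
    by_account = defaultdict(list)
    for ip, account, sender in records:
        by_account[account].append((ipaddress.ip_address(ip), sender))
    findings = {}
    for account, rows in by_account.items():
        reasons = set()
        if any(ip not in INTERNAL for ip, _ in rows):
            reasons.add("authenticated from outside internal range")
        if any(ip in net for ip, _ in rows for net in LISTED):
            reasons.add("client in listed range")
        if iterating_stems(s for _, s in rows):
            reasons.add("iterating sender addresses")
        if reasons:
            findings[account] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for account, reasons in review(SAMPLE).items():
        print(account, "->", "; ".join(reasons))
```

An account flagged here is a candidate for a password reset, since blocking source ranges alone leaves the compromised credential usable from any other address.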