Re: Server help!! Possible compromised over 6000 NDRs!!!! HELP!

  • From: "Wohlgemuth, Mike" <WohlgemuthM@xxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 07:06:08 -0400

I had the same problem ...

under the relay on the SMTP default server, I needed to uncheck "allow to relay regardless of the list above" ...

here is what I gathered from Microsoft Q papers (can't find them right now ...) .. you have to have anonymous authentication checked, and IF you also have "allow to relay regardless of the list above" checked, then spammers authenticate anonymously to your server to relay .... I think most of the spam is caught (i.e. that is why you have 6000 NDRs) ... but it still ends up that you are processing all those emails ...

mike

        -----Original Message----- 
        From: Craig Weil [mailto:craig_weil@xxxxxxxxxxx] 
        Sent: Tue 9/23/2003 10:14 PM 
        To: [ExchangeList] 
        Cc: 
        Subject: [exchangelist] Re: Server help!! Possible compromised over 6000 NDRs!!!! HELP!

        By "spoofing" do you mean that you're sure that your server is configured to disallow relaying?
        
        Craig A. Weil
        Network Administrator
        
        
        ----- Original Message -----
        From: "KEN MORRIS" <KMORRIS@xxxxxxx>
        To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
        Sent: Tuesday, September 23, 2003 6:51 PM
        Subject: [exchangelist] Server help!! Possible compromised over 6000 NDRs!!!! HELP!
        
        
        > Hello,
        >
        > As Exchange Admin (with little training unfortunately) I receive the NDR's.
        > Today I have received over 6000 NDR's all with subjects, email addresses both send and receive that are not a part of our domain.
        > I have checked to ensure that spoofing is disabled, yet I cannot figure out how we are being used.
        >
        > I can forward on one of the NDR's to anyone. I have not been able to figure a way to check the headers on the NDR. Here is a copy of the text for one of the NDR's:
        >
        > The following recipient(s) could not be reached:
        >
        >   cathyb76@xxxxxxxxxxx on 9/23/2003 9:43 PM
        >   There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
        >   <server.company #5.5.0 smtp;550 Requested action not taken: mailbox unavailable>
        >
        > I figure that by morning, my inbox will be once again filled, could you please forward any questions to k2keener@xxxxxxxxxxx as well as the list. I do not want to lose any responses.
        >
        > Thanks
        >
        > Ken
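
Added example (not part of the original thread): one way to confirm from an SMTP protocol log that a server is relaying third-party mail, the symptom described above where neither sender nor recipient belongs to the local domain. The log layout, the sample lines and the domain corp.example are constructed for illustration; adapt the parsing to the fields your server's protocol log actually writes.

```python
import re
from collections import Counter

LOCAL_DOMAINS = {"corp.example"}  # assumption: domains this server accepts mail for

# Constructed sample, simplified layout: "<time> <client-ip> <SMTP command line>"
SAMPLE_LOG = """\
21:40:01 192.0.2.10 EHLO mail.partner.example
21:40:02 192.0.2.10 MAIL FROM:<alice@partner.example>
21:40:02 192.0.2.10 RCPT TO:<ken@corp.example>
21:43:10 203.0.113.77 EHLO x
21:43:11 203.0.113.77 MAIL FROM:<offers@bulk.example>
21:43:11 203.0.113.77 RCPT TO:<user1@elsewhere.example>
21:43:12 203.0.113.77 RCPT TO:<user2@elsewhere.example>
21:44:00 198.51.100.5 MAIL FROM:<ken@corp.example>
21:44:01 198.51.100.5 RCPT TO:<bob@partner.example>
"""

ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def domain(addr):
    """Domain part of an envelope address; empty for the null sender <>."""
    return addr.rpartition("@")[2].lower()


def find_relayed(log_text, local_domains=LOCAL_DOMAINS):
    """Count, per client IP, recipients where neither envelope side is local."""
    sender = {}          # client IP -> most recent envelope sender
    relayed = Counter()  # client IP -> number of third-party recipients
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        _, ip, command = parts
        match = ADDR.match(command)
        if not match:
            continue     # EHLO, DATA, QUIT and so on carry no envelope address
        verb, addr = match.group(1).upper(), match.group(2)
        if verb == "MAIL FROM":
            sender[ip] = addr
        elif ip in sender:
            # Third-party relay: foreign sender handing us a foreign recipient.
            if (domain(sender[ip]) not in local_domains
                    and domain(addr) not in local_domains):
                relayed[ip] += 1
    return relayed
```

A sender address forged to look local is not counted by this check, so the per-IP totals should be read alongside the list of hosts that are actually permitted to relay.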
        
