I've seen this same thing on 5.5. What I found when I looked into it is that a 5.5 server can have relaying disabled, but you are still able to submit the mail (they just will not go anywhere). You may want to run something like adaware on the server to see if you can find what is generating the emails.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Henry Sieff
Sent: Monday, March 01, 2004 8:50 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Exchange Server Spamming

Well, the "reverse Spam" technique doesn't use just ex-employees' email addresses, it uses randomaddress@xxxxxxxxxx where domain.com is your domain. You could (I suppose) continually add addresses to this list as you see them, but this is impractical (to say the least).

Turning off NDR is a possibility, as someone else said, but it's a little draconian, imo (not that I haven't considered it). Bounces are a useful part of the SMTP, and turning them off does break RFC.

The emergence of this technique will probably require some form of content-based filtering to combat (I hate spam filtering based on content, but there may be no choice).

Another possibility is to only accept mail from servers on a "white-list". There are several companies I have dealt with that forward the first email from either a domain or a mail server to the mail admin. The mail admin can approve either the address, the domain, or the server, and only after that will email be accepted for delivery.

Without something like this, there is no technological defense against this technique w/o breaking RFC.

False, tricksy spammers. . .

Henry

> -----Original Message-----
> From: Dennis van Turnhout [mailto:turnhout@xxxxxxxxxx]
> Sent: Monday, March 01, 2004 2:29 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
>
>
> If it's spam to addresses that used to exist, try this option
> Works like a charm over here.
>
> -----
>
> Black Holes - not just a space thing!
>
> As users leave your company, you will more than likely delete their mailbox after a certain amount of time. It is then common for the SMTP address of the departed employee to be added to another mailbox, or a public folder, perhaps being monitored by the departed employee's manager. The aim is to make sure that any important business email is acknowledged for some amount of time after the user has left.
>
> Clearly there is a long term issue with this method, since eventually, the monitoring of the messages sent to that address will stop. Removing the SMTP address from the organisation will obviously not stop messages being sent to that address; there are always going to be those pesky spam messages, and additionally, your Exchange server has to generate a non-delivery report for each message.
>
> One solution to put the issue out of your mind is to implement what is sometimes referred to as the 'black hole' method. This allows your Exchange server to simply delete the messages sent to specific SMTP addresses, whilst at the same time never generating a non-delivery report for these messages.
>
> Here are the 3 simple steps to implement the black hole method:
>
> 1. Create a distribution list (Exchange 5.5) or a mail-enabled distribution group (Exchange 2000).
>
> 2. Make sure that there are NO members in this distribution list/group. This is the key part to this tip.
>
> 3. Add the SMTP addresses of the ex-employees to the distribution list/group. Add them as secondary SMTP addresses in exactly the same way you would for a mailbox.
>
> Now, when messages are sent to these problematic SMTP addresses, Exchange silently deletes them. No non-delivery reports are generated, and the administrator no longer has to be concerned about these messages.
>
> Try it. It works well!
>
> Neil Hobson
>
> -----Original Message-----
> From: Nick Smith [mailto:nick@xxxxxxxxxxxxxxx]
> Sent: Monday 1 March 2004 08:22
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
>
>
> Jeff - It's being used for Reverse Spam. The idea is that you send out a bunch of spam to a server from valid email addresses; your server then sends an NDR to the addresses, thus delivering the spam. Switch off NDRs to stop this. Nick
>
> -----Original Message-----
> From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> Sent: 01 March 2004 05:26
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: Exchange Server Spamming
>
> I have a customer with an NT4 Small Business Server with Exchange 5.5 SP4. The outbound SMTP queue is filling with undelivered mail, indicating that the server is being used to spam. The server is definitely not an open relay (tested myself and through ORDB.ORG), and doesn't allow *any* SMTP relay. I've found that the outbound queue on this server fills up even if it's disconnected from the network, which tells me that the server itself is generating the mail. It's got Norton Antivirus with the latest definitions, and I've scanned it with Trend's online virus scanner. I don't find any viruses at all. I've looked at the processes for processes that are using a bunch of CPU time, but don't see anything obvious. Any ideas? TIA. JD
>
> ********************************************************
> This weeks sponsor triCerat Inc.
> triCerat makes your job easier by offering essential applications to eliminate your printing, policy and profile, and your application management problems.
> http://www.triCerat.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm
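An added example, not part of the original thread: one way to check whether a filling outbound queue is NDR backscatter of the kind described above is to tally which non-existent local addresses the queued bounces refer to and which outside domains they are headed for. It assumes the queued messages can be exported as text carrying an RFC 3464 delivery-status part (Exchange 5.5's own queue format is not modelled); `example.com`, `KNOWN_LOCAL` and the sample messages are constructed placeholders.

```python
"""Triage an outbound queue for NDR backscatter (constructed sample data)."""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"          # assumption: the domain this server hosts
KNOWN_LOCAL = {"jeff@example.com"}    # assumption: mailboxes that really exist

def sample_ndr(to_addr, failed_rcpt):
    """Build a constructed RFC 3464 bounce as it might sit in the queue."""
    return (
        f"From: postmaster@{LOCAL_DOMAIN}\nTo: {to_addr}\n"
        "Subject: Undeliverable mail\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b\nContent-Type: message/delivery-status\n\n"
        f"Reporting-MTA: dns; mail.{LOCAL_DOMAIN}\n\n"
        f"Final-Recipient: rfc822; {failed_rcpt}\nAction: failed\nStatus: 5.1.1\n\n"
        "--b--\n"
    )

def failed_recipients(raw):
    """Return (bounce destination, [failed recipients]) for one queued message."""
    msg = message_from_string(raw)
    failed = []
    # The parser exposes each delivery-status header block as a nested part.
    for part in msg.walk():
        value = part.get("Final-Recipient")
        if value:
            failed.append(value.split(";", 1)[-1].strip().lower())
    return parseaddr(msg.get("To", ""))[1].lower(), failed

def triage(queue):
    """Count bounces caused by mail addressed to local users that never existed."""
    victims, bogus = Counter(), Counter()
    for raw in queue:
        dest, failed = failed_recipients(raw)
        for rcpt in failed:
            if rcpt.endswith("@" + LOCAL_DOMAIN) and rcpt not in KNOWN_LOCAL:
                bogus[rcpt] += 1                          # random local address
                victims[dest.rsplit("@", 1)[-1]] += 1     # forged sender's domain
    return {"bounces": sum(bogus.values()), "bogus": bogus, "victim_domains": victims}

if __name__ == "__main__":
    queue = [sample_ndr("a@victim.test", "qwerty@example.com"),
             sample_ndr("b@victim.test", "zxcv@example.com")]
    print(triage(queue))
```

A queue dominated by bounces for local addresses that never existed, all headed to outside domains, matches the reverse-spam pattern rather than an open relay or a local mailer.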