[THIN] Re: OT: Exchange Server Spamming

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 2 Mar 2004 08:23:49 +1300

  I knew about reverse NDR and thought that would be the case, but when I
switched off NDRs, it still happened. I'm wondering if there wasn't some
backlog that happened on the Exchange server to fill the queue back up once
I had emptied it, thereby leading me to conclude that the problem was
emanating from the Exchange server itself. What I had done was:

- disconnect from the network
- stop Exchange IMC
- rename the IMCDATA folder to IMCDATA.OLD
- start the Exchange IMC

  I downloaded 3 post-SP4 Exchange 5.5 patches and installed them. That
seemed to actually slow it down to maybe one message every few seconds in
the queue, but that could have been coincidence. 
  I downloaded CMS's Praetor eval version, installed it on my laptop, and
routed all mail through my laptop. This software protects you from reverse
NDR by allowing you to specify a list of valid recipients. Once it was in
place, the outbound SMTP queue stopped filling with spam. In looking at the
log, though, it wasn't stopping reverse NDR, but relay off the server. I
know for a fact the relay is closed (there is NO relay, even for
authenticated users, etc.), and as far as I can tell, Exchange is fully
patched, so I don't really know what to make of it. 

JD


> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Smith
> Sent: Monday, 1 March 2004 8:22 p.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> Jeff - It's being used for Reverse Spam. The idea is that you 
> send out a bunch of spam to a server from valid email 
> addresses; your server then sends an NDR to the addresses, 
> thus delivering the spam. Switch off NDRs to stop this.
> Nick
> 
> -----Original Message-----
> From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> Sent: 01 March 2004 05:26
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: Exchange Server Spamming
> 
> I have a customer with an NT4 Small Business Server with 
> Exchange 5.5 SP4.
> The outbound SMTP queue is filling with undelivered mail, 
> indicating that the server is being used to spam. The server 
> is definitely not an open relay (tested myself and through 
> ORDB.ORG), and doesn't allow *any* SMTP relay.
> I've found that the outbound queue on this server fills up 
> even if it's disconnected from the network, which tells me 
> that the server itself is generating the mail. It's got 
> Norton Antivirus with the latest definitions, and I've 
> scanned it with Trend's online virus scanner. I don't find 
> any viruses at all. I've looked at the processes for 
> processes that are using a bunch of CPU time, but don't see 
> anything obvious. Any ideas? TIA.
> 
> JD
> 
> ********************************************************
> This weeks sponsor triCerat Inc.
> triCerat makes your job easier by offering essential 
> applications to eliminate your printing, policy and profile, 
> and your application management problems.
> http://www.triCerat.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
> 

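
The thread turns on telling reverse-NDR traffic apart from relay in the outbound queue, and on the valid-recipient list that stopped it. The following is an added example, not code from the posters, Exchange or Praetor: it labels queue entries by envelope (an NDR carries the null sender `<>`) and shows the SMTP-time recipient check that refuses unknown addresses before any NDR is generated. The domain, addresses, function names and queue entries are constructed assumptions.

```python
# Added example: constructed data and hypothetical names throughout.
LOCAL_DOMAINS = {"example.com"}                        # assumed local domain
VALID_RECIPIENTS = {"jd@example.com", "sales@example.com"}  # assumed directory

# Constructed outbound-queue entries: (envelope sender, envelope recipient).
CONSTRUCTED_QUEUE = [
    ("", "victim@elsewhere.test"),             # bounce created by this server
    ("<>", "someone@other.test"),              # same, written as <>
    ("bulk@sender.test", "x@target.test"),     # foreign to foreign
    ("jd@example.com", "friend@other.test"),   # ordinary outbound mail
]


def domain(addr):
    """Lower-cased domain part; '' for the null sender."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_queued(mail_from, rcpt_to):
    """Label one outbound-queue entry from its envelope alone."""
    if domain(rcpt_to) in LOCAL_DOMAINS:
        return "inbound"
    if mail_from in ("", "<>"):
        return "ndr"             # null sender: a delivery status report
    if domain(mail_from) in LOCAL_DOMAINS:
        return "local-outbound"  # sender claims a local address
    return "relay"               # neither end belongs to this server


def summarize(queue):
    """Count queue entries per label, to see which problem dominates."""
    counts = {}
    for mail_from, rcpt_to in queue:
        label = classify_queued(mail_from, rcpt_to)
        counts[label] = counts.get(label, 0) + 1
    return counts


def rcpt_decision(rcpt_to):
    """Gateway verdict for one RCPT TO, as (SMTP reply code, reason)."""
    rcpt = rcpt_to.lower()
    if domain(rcpt) not in LOCAL_DOMAINS:
        return 550, "relay denied"        # no relay for anyone
    if rcpt not in VALID_RECIPIENTS:
        # Rejecting in-session means no NDR is queued to a forged sender.
        return 550, "unknown recipient"
    return 250, "accepted"
```

A queue dominated by `ndr` entries points at backscatter; one dominated by `relay` entries points at mail being accepted for foreign recipients, whatever the relay test says.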
