Queue Viewer - Strange Domains - should I be concerned?
Viewing the Send Connector Log as recommended in another thread, I noticed some strange domains (a Polish domain when nobody here speaks Polish) and thought I'd take a look at the Queue Viewer in the EMC "Tools". Who could be emailing these domains?
This is what I found (output below). Should I be concerned about these? There is one that refers to a virus.
[PS] C:\>get-queue | ft nexthopdomain
NextHopDomain
-------------
December 12th, 2010 3:02pm
Concerned? Maybe.
Do you have recipient filtering turned on? If not then it could just be rejects being sent back to spoofed senders. However a list hanging around like that isn't standard behaviour, so would tend to indicate email has been sent to those domains recently.
Have you got message tracking enabled? You could see if that shows things.
A common posting would be that you have a compromised machine. However I would disagree with that. Most spam trojans will have their own SMTP engine. They will not look to find/use another server to send email out. A corporate system is not the target of most trojan writers because they will be protected. What they are looking for is the clueless home user.
The usual cause could be either NDR/NDR spam, or an authenticated relay using a compromised account.
NDR/NDR spam is blocked by recipient filtering which is part of the antispam agents in Exchange 2007/2010. Authenticated relaying is usually done through the Client Receive Connector, and would require the second port to be opened, unless you have changed the configuration of course.
Simon.
Simon Butler, Exchange MVP
December 12th, 2010 7:31pm
Do you have recipient filtering turned on?
I'm going to say no, because I never recall doing such a thing.
How could I tell?
In general, having to manage many things besides Exchange, I try (I try) to keep things simple and change very little from the default settings.
December 13th, 2010 9:26am
While the default settings allow Exchange to run, they shouldn't be considered anywhere near to optimum. As a bare minimum you should run the Best Practises tool from the Toolbox and correct anything it flags.
Recipient Filtering instructions:
http://www.amset.info/exchange/filter-unknown2.asp
It isn't enabled by default and therefore would cause the list of unknown domains to appear when a spammer does an NDR run using spoofed addresses.
Simon.
Simon Butler, Exchange MVP
December 13th, 2010 1:13pm
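An added example, not from the thread or the linked article, of how to answer "How could I tell?" from the Exchange Management Shell on a Hub Transport server with no Edge server: it checks whether the Recipient Filter agent is installed and enabled, turns on recipient validation if it is not, and lists the accepted domains the validation applies to. It assumes the EMS variable $exscripts, which points at the Exchange Scripts folder.

```powershell
# Added example (not the thread's own commands). Run in the Exchange
# Management Shell on the Hub Transport server; $exscripts is the EMS
# variable for the Exchange Scripts folder (assumption).

# 1. The anti-spam agents are not installed on a Hub Transport server by
#    default, so the Recipient Filter agent may simply be absent.
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
if (-not $agent) {
    Write-Host 'Recipient Filter Agent not installed; installing the anti-spam agents.'
    & "$exscripts\install-AntispamAgents.ps1"
    Restart-Service MSExchangeTransport      # agents are loaded at transport start
} elseif (-not $agent.Enabled) {
    Enable-TransportAgent -Identity 'Recipient Filter Agent'
}

# 2. Installed is not the same as enabled. Both flags must be True for mail
#    to unknown users to be rejected during the SMTP session (at RCPT TO)
#    instead of being accepted and bounced later as an NDR to a spoofed sender.
$cfg = Get-RecipientFilterConfig
$cfg | Format-List Enabled, RecipientValidationEnabled, BlockListEnabled
if (-not ($cfg.Enabled -and $cfg.RecipientValidationEnabled)) {
    Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
    Write-Host 'Recipient filtering with recipient validation is now enabled.'
}

# 3. Recipient validation only covers domains Exchange is Authoritative for.
#    A domain of type InternalRelay or ExternalRelay is accepted for any
#    address and bounced later, so review the list.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
```

After the change, a test SMTP session to the server that issues RCPT TO for a non-existent user in an authoritative domain should be refused with a 550 5.1.1 reply rather than accepted and bounced.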
Oh, I've definitely run the EXBPA.
It's never signaled anything serious.
Certain HDW drivers are more than two years old.
1 NIC is not connected (only one adapter is cabled).
No "red" alerts, a couple yellow (those above) and lots of blue informational entries.
I run the test-* cmdlets too from time to time.
-------------------------
BTW, would I gain something from connecting both NICs or not?
-------------------------
Lastly, thank you for the link about Recipient Filtering. I can confirm that this was not configured.
December 13th, 2010 1:32pm
Have you got message tracking enabled? You could see if that shows things.
Yes... Well, do you mean in Exchange Tools (EMC) with the other Tools there?
If so, then yes. It's enabled and I've already used it in other contexts.
So I'm going to try to see if any messages were actually sent to these domains?
I'm looking at the GUI right now and I'm not sure how I'd filter that.
I need a complete email address for recipient, right? I can't just enter the domain as in:
strangeDomainName.tld
???
December 13th, 2010 1:54pm
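An added example, not from the thread, for the question above about filtering by domain: the Message Tracking GUI wants a full address, but the shell can inspect the remote queues and match the tracking log against the queued next-hop domains with a regular expression. It is meant to be run in the Exchange Management Shell on the Hub Transport server; $days is an assumed search window.

```powershell
# Added example (not the thread's own commands). Lists what is waiting in each
# remote-delivery queue, then searches the tracking log for SEND events to the
# same next-hop domains. $days is an assumed search window.
$days  = 7
$start = (Get-Date).AddDays(-$days)

# 1. Remote-delivery queues only (skip the server's own Submission and
#    Unreachable queues). NDR backscatter has a null sender, shown as "<>",
#    and an "Undeliverable:" subject; real outbound mail shows one of your users.
$queues = Get-Queue | Where-Object {
    $_.NextHopDomain -ne 'Submission' -and $_.NextHopDomain -ne 'Unreachable'
}
foreach ($q in $queues) {
    $msgs = @(Get-Message -Queue "$($q.Identity)")
    $ndrs = @($msgs | Where-Object { $_.FromAddress -eq '<>' })
    '{0,-45} queued={1,3} ndr={2,3} {3}' -f $q.NextHopDomain, $msgs.Count, $ndrs.Count, $q.LastError
    # Anything with a real sender deserves a look: it is either legitimate
    # mail or a sign of relaying through an authenticated account.
    $msgs | Where-Object { $_.FromAddress -ne '<>' } |
        Select-Object FromAddress, Subject, @{n='To';e={$_.Recipients -join ','}} |
        Format-Table -AutoSize
}

# 2. Tracking-log evidence. SEND events are messages this server handed to
#    another SMTP host; the recipient list is matched against every queued
#    next-hop domain, so "com.pl" also catches "user@foo.com.pl".
if ($queues) {
    $pattern = ($queues | ForEach-Object { [regex]::Escape($_.NextHopDomain) }) -join '|'
    Get-MessageTrackingLog -Start $start -EventId SEND -ResultSize Unlimited |
        Where-Object { ($_.Recipients -join ',') -match "@([^,@]+\.)?($pattern)(,|$)" } |
        Select-Object Timestamp, Sender, MessageSubject, ConnectorId,
                      @{n='Recipients';e={$_.Recipients -join ','}} |
        Sort-Object Timestamp |
        Format-Table -AutoSize
}
```

Rows whose Sender is empty and whose subject starts with "Undeliverable:" are the NDR run Simon describes; rows with an internal sender and an outside recipient you do not recognise are the case to investigate further.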
Hi Le Pivert,
Per the above information, those seem to be spam sender domains: they usually send spam emails to your domain, but the recipients do not exist in your Exchange system, so many NDRs are sent to the spam domains.
Did you deploy an Edge server in your scenario? There is a feature, "Recipient Filter", that could resolve it.
Some information for you:
http://technet.microsoft.com/en-us/library/bb123891.aspx
If I want to check the email exactly, I would check the tracking log to confirm it.
Regards!
Gavin
December 15th, 2010 3:43am
Just a follow up to let you guys and other readers know what happened.
As suggested elsewhere, I configured Postini to reject all mail UNLESS it is for someone on the list we established with Postini (installing the antispam agents on the Hub Transport server with recipient filtering enabled was another suggestion, or on the Edge server if you have one; we do not).
It's like night and day. We went from something like 90 queues to less than 10 and now (just looking) 2!
- myserver.mydomain.org
- submission
Every now and then, another domain appears, but they look legitimate (.edu).
Configuring "Accepted Domains" at the Organizational Level under Hub Transport is NOT enough, because spam could be directed to former employees using an accepted domain name after @.
December 20th, 2010 10:39am