SMTP Hole / Open relay?
Hi there,

this is a pretty serious issue for us. There's a customer with around 21.000 e-mails in the queue, all spam, none of which seem to be coming from a host that is allowed to relay.

About 2 weeks ago we had a similar issue (other customer). By the time I saw it my colleagues had already been changing settings and I blamed not finding the issue on them already flipping switches like relay. However, everybody here knows not to touch the settings unless they understand them (it concerns SBS 2003, which by default closes relay).

Now we have a new case thus. Been going through the Exchange log, below there's a sample. As far as I can tell from the (huge) log, it seems to come in through SMTP, without authentication, from an external IP. I checked the relay settings, they're closed. Inbound NAT for port 25 is off (source NAT, destination NAT (port forwarding) must be active otherwise the port forward doesn't work :), I've seen that as an issue before when a colleague had switched the NAT check on in the firewall, but it should have logged the router's internal IP then ...).

Anyways, quite afraid there's a hole in the SMTP. On the previous customer we saw 2-3 lines from one IP (like some sort of test), about 2 hours later many IPs (probably botnet) started spamming it like crazy.
Here's the piece of log:

2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
July 26th, 2010 5:06pm

Btw, I tried several online relay tests against the server. All fail. Should have mentioned this in the main post. The router is a Fortigate 80C, the server also runs Trend Micro Worry-Free 6.0 with the messaging agent.
July 26th, 2010 5:09pm

> this is a pretty serious issue for us. There's a customer with around 21.000 e-mails in the queue, all spam, none of which seem to be coming from a host that is allowed to relay.

Does the box host some "web" service/site? See, it may be possible that the emails you see are coming from some webpage or forum or the like; also notice that if the SMTP is using the "pickup" folder, something may be dropping messages in there and the SMTP will dutifully pick them up and route to destination (or at least, try to); also, it may be due to some badly configured blog/wiki sending comment replies through an AUTH connection to your server or, it may be due to stolen email credentials; you aren't giving enough details to be able to track your issue (and no, the logs didn't really help so much).

I'd start by forcing a password change for your clients and ensuring the passwords aren't weak (enforce complexity rules) or empty; done that, ensure that there aren't IP based exceptions and that any host willing to relay through your server will have to authenticate first.

Then, to ensure you don't have some "clandestine" you may also try setting up a box connecting it to your network so that it will see ALL the traffic (a "mirror port" on the main switch may help) and install this critter http://www.bothunter.net/ on it; let it run for a while and then check the reports to see if there's any "strange traffic" taking place on your network.

HTH
July 26th, 2010 5:32pm

Hello,

Looking at the logs it seems like they are from yahoo.com; rather pretending like coming from yahoo. Who is 192.168.121.1? Is this your firewall?

I would like you to check the following information:

How can I configure Exchange Server 2003 to block spam?
http://www.petri.co.il/block_spam_with_exchange_2003.htm

How to prevent unsolicited commercial e-mail in Exchange 2003
http://support.microsoft.com/kb/821746

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
July 26th, 2010 6:29pm

There is nothing running besides the default SBS websites. Of which only OWA is allowed (inc. mobile sync etc) by the SBS wizard (which then sets rules on the sites in IIS).

If they came from the pickup folder, would it log IPs? Seeing the event IDs it logs, it really seems to come in through SMTP, but I've never been a big fan of the way Exchange logs... For example, the above lines repeat 10 times for every event, due to it being 10 recipients in 1 e-mail. It is just one e-mail however. If it was IIS pushing the e-mail into the queue I would expect to see a localhost host or the internal IP of the server. Is this incorrect?

1019 SMTP submit message to AQ - A new message is submitted to Advanced Queuing.
1025 SMTP begin submit message - A new message was submitted to Advanced Queuing.
1024 SMTP submit message to cat - Advanced Queuing submitted a message to the categorizer.
1033 SMTP message categorized and queued for routing
1034 SMTP message routed and queued for remote delivery
1020 SMTP begin outbound transfer - A message is about to be sent over the wire by SMTP.
1031 SMTP end outbound transfer - The outgoing message was successfully transferred.

Q1: When a message is generated in the system for the first time, what event is associated with that message in the tracking log?
A1: There are different events for different message submission paths to Exchange Server 2003. For example, for messages that are submitted through the SMTP component, the first event ID in the tracking log is 1019. For messages that are submitted through the Store component, the first event ID in the tracking log is 1027.
From: http://support.microsoft.com/kb/821905

Thanks for the re'.
July 26th, 2010 6:32pm

> event id's it logs, it really seems to come in through SMTP, but I've never been a big fan of the way exchange logs... For example, the [...] tracking log is 1019. For messages that are submitted through the Store component, the first event ID in the tracking log is 1027. [...]

Try using this tool http://www.lizard-labs.net/PageHtml.aspx?lng=2&PageId=18&PageListItemId=17 to parse the SMTP logs to try finding out WHERE those emails do really come from; at any rate, if there's no website running on the box (with some mailform or the like) then it may either be an issue related to stolen credentials or to an infected box spitting out spam through an authenticated connection or through an IP allowed to relay.
July 26th, 2010 6:53pm
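The two posts above turn on reading the message tracking log: the event ID table (first event 1019 = submitted via SMTP, 1027 = submitted by the Store) and the suggestion to parse the logs to find where the mail really comes from. The following is an added example, not the thread's or any vendor's code, that does that parse in Python. It assumes the standard tab-delimited field layout of the Exchange 2003 tracking log (the "# Fields:" header line of the real file; the sample quoted in the thread is the same layout with the tabs collapsed to spaces). The sample rows are constructed from values quoted in the thread, plus two hypothetical internal messages (contoso.local, 192.168.121.x hosts) so the SMTP and Store submission paths can be compared; the local-domain set and the relay-allowed network passed to the check are assumed values to be replaced with your own.

```python
"""Summarize an Exchange 2003 message tracking log per message and flag relay candidates.

Added example, not the thread's or any vendor's tool. Field layout is the
standard "# Fields:" header of the tab-delimited Exchange 2003 tracking log.
"""
from collections import OrderedDict
from ipaddress import ip_address, ip_network

FIELDS = [
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address", "Expiry-Time",
]

# KB 821905: the first event ID for a MSGID tells how the message entered Exchange.
FIRST_EVENT_PATH = {1019: "SMTP", 1027: "Store"}

SPAM_MSGID = "2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35"


def _row(client_ip, client_host, partner, rcpt, event_id, msgid, nrcpt, sender):
    """Build one tab-delimited row; constant columns copied from the thread's sample."""
    return "\t".join([
        "2010-7-23", "13:53:56 GMT", client_ip, client_host, partner,
        "FS-2003-01", "192.168.121.1", rcpt, str(event_id), msgid, "3", "0",
        "2980", str(nrcpt), "2010-7-23 13:53:54 GMT", "0",
        "Version: 6.0.3790.4675", "-", "-", sender, "-",
    ])


_SPAM_RCPTS = ["yeh51688585@yahoo.com.tw", "miho569@yahoo.com.tw", "candy740706@yahoo.com.tw"]

# Constructed sample log: the thread's spam message (SMTP submission per recipient,
# then the rest of the pipeline for the first recipient, ending in 1031), plus two
# hypothetical internal messages for contrast.
SAMPLE_LOG = "\n".join(
    ["# Fields: " + " ".join(FIELDS)]
    + [_row("217.125.12.27", "hudstrc.com", "-", r, 1019, SPAM_MSGID, 3, "ywpdu@yahoo.com.tw")
       for r in _SPAM_RCPTS]
    + [_row("217.125.12.27", "hudstrc.com", "<reverse DNS smarthost>" if ev == 1031 else "-",
            _SPAM_RCPTS[0], ev, SPAM_MSGID, 3, "ywpdu@yahoo.com.tw")
       for ev in (1025, 1024, 1033, 1034, 1020, 1031)]
    # hypothetical: a MAPI/OWA user's mail, submitted by the Store (first event 1027)
    + [_row("192.168.121.1", "FS-2003-01", "-", "partner@example.com", ev,
            "store-msg-1@FS-2003-01", 1, "alice@contoso.local") for ev in (1027, 1024)]
    # hypothetical: a LAN application host that is on the relay-allowed list
    + [_row("192.168.121.50", "app01.contoso.local", "-", "partner@example.com", 1019,
            "app-msg-1@app01", 1, "app@contoso.local")]
)


def parse_tracking_log(text):
    """Parse tab-delimited rows into dicts; '#' header lines and malformed rows are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) != len(FIELDS):
            continue  # truncated or wrongly delimited row
        entry = dict(zip(FIELDS, parts))
        entry["Event-ID"] = int(entry["Event-ID"])
        entries.append(entry)
    return entries


def summarize_messages(entries):
    """Collapse per-recipient, per-event rows into one record per MSGID (log order kept)."""
    messages = OrderedDict()
    for e in entries:
        m = messages.setdefault(e["MSGID"], {
            "first_event": e["Event-ID"],
            "submission": FIRST_EVENT_PATH.get(e["Event-ID"], "other"),
            "client_ip": e["client-ip"],
            "client_host": e["Client-hostname"],
            "sender": e["Sender-Address"],
            "recipients": set(),
            "events": [],
        })
        m["recipients"].add(e["Recipient-Address"])
        m["events"].append(e["Event-ID"])
    return messages


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_relay_candidates(messages, local_domains, relay_allowed):
    """Messages submitted over SMTP by a client outside relay_allowed that were accepted
    for recipients outside local_domains: mail relayed for an outsider. Returns
    (msgid, client_ip, sender, external_recipient_count) tuples."""
    nets = [ip_network(n) for n in relay_allowed]
    local = {d.lower() for d in local_domains}
    hits = []
    for msgid, m in messages.items():
        if m["submission"] != "SMTP":
            continue
        try:
            ip = ip_address(m["client_ip"])
        except ValueError:
            continue  # '-' or a hostname in the client-ip column
        if any(ip in n for n in nets):
            continue
        external = [r for r in m["recipients"] if _domain(r) not in local]
        if external:
            hits.append((msgid, m["client_ip"], m["sender"], len(external)))
    return hits


if __name__ == "__main__":
    summary = summarize_messages(parse_tracking_log(SAMPLE_LOG))
    for msgid, m in summary.items():
        print(f"{msgid[:24]:<26} {m['submission']:<6} from {m['client_ip']:<15} "
              f"{m['sender']:<22} {len(m['recipients'])} rcpt(s) events {m['events']}")
    for hit in find_relay_candidates(summary, {"contoso.local"}, ["192.168.121.0/24"]):
        print("RELAY CANDIDATE:", hit)
```

Run as-is it prints one summary line per message and one relay candidate: the spam message's first event is 1019 (submitted via SMTP) from 217.125.12.27, outside the assumed relay-allowed range, with every recipient external, which is the relayed-for-an-outsider pattern the thread describes. The tracking log does not record whether that session authenticated, so the candidates it produces are the connections to look up in the SMTP protocol log, where the AUTH exchange (if any) is visible.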

On Mon, 26 Jul 2010 14:06:24 +0000, FreakyNL wrote:

> Hi there,
>
> this is a pretty serious issue for us. There's a customer with around 21.000 e-mails in the queue, all spam, none of which seem to be coming from a host that is allowed to relay.
>
> About 2 weeks ago we had a similar issue (other customer). By the time I saw it my colleagues had already been changing settings and I blamed not finding the issue on them already flipping switches like relay. However, everybody here knows not to touch the settings unless they understand them (it concerns SBS 2003, which by default closes relay).
>
> Now we have a new case thus. Been going through the Exchange log, below there's a sample. As far as I can tell from the (huge) log, it seems to come in through SMTP, without authentication, from an external IP. I checked the relay settings, they're closed. Inbound NAT for port 25 is off (source NAT, destination NAT (port forwarding) must be active otherwise the port forward doesn't work :), I've seen that as an issue before when a colleague had switched the NAT check on in the firewall, but it should have logged the router's internal IP then ...).
>
> Anyways, quite afraid there's a hole in the SMTP. On the previous customer we saw 2-3 lines from one IP (like some sort of test), about 2 hours later many IPs (probably botnet) started spamming it like crazy.
>
> Here's the piece of log:

I think you're looking at the wrong log file. You want to use the SMTP protocol log (as poor as they are in Exchange 2003). In those log files you see the SMTP conversation (all of it) that will be a big help in understanding what's happening.

There's no "hole in the SMTP". There may be a hole in the way you've secured it, though. If you allow authenticated connections to relay, turn it off. If you allow IP addresses to relay, turn it off. If the "Guest" account is enabled, disable it.

On the "Access" tab of the SMTP Virtual Server, is anything except "Anonymous access" checked on the "Authentication" button? Turn off everything except "Anonymous access". Does the problem go away?

http://technet.microsoft.com/en-us/magazine/2006.01.stopspam.aspx

---
Rich Matheisen MCSE+I, Exchange MVP
July 27th, 2010 3:02am

This topic is archived. No further replies will be accepted.
