spam - relay
Hi, I had an attack of spam from the email address: svenmodel@ibibo.com. I have reviewed the relay with the 28 tests from http://www.test-smtp.com and it tells me that all tests succeeded, relay not accepted. I have not changed anything on the Exchange Server 2003, and the queues were filling with postmaster@mydomain.com. How did it happen? Can I tell if some user logged in? Once I locked the domain in spam, the Exchange itself has not returned to send mail, but my concern is great. Thanks mates.
December 17th, 2011 5:25am

Hi, Probably it was trying several recipients for your domain, since you have confirmed you are not an open relay. This will cause several NDRs being delivered to the configured postmaster e-mail address. To prevent this kind of spam I would recommend having a look at these articles on how to configure several features to prevent spam:
Use RBLs: http://support.microsoft.com/kb/823866
Recipient filtering: http://support.microsoft.com/kb/886208
Tarpitting: http://support.microsoft.com/kb/842851
Regards Johan
Exchange-blog: www.johanveldhuis.nl
December 17th, 2011 6:56am

Thanks for the reply, but all these measures were already implemented. All courier since yesterday afternoon. It may be that a user is authenticated / internal pwd? Regards
December 17th, 2011 7:13am

On Sat, 17 Dec 2011 10:19:26 +0000, ThorElPoderoso wrote:
>Hi, I had an attack of spam from the email address: svenmodel@ibibo.com. I have reviewed the relay with the 28 tests from http://www.test-smtp.com and it tells me that all tests succeeded, relay not accepted. I have not changed anything on the Exchange Server 2003, and the queues were filling with postmaster@mydomain.com. How did it happen? Can I tell if some user logged in? Once I locked the domain in spam, the Exchange itself has not returned to send mail, but my concern is great. Thanks mates.

Your SMTP protocol log should show you if AUTH was being used to log in and send those messages as an authenticated user. Exchange 2003 very nicely puts the account and password into the log files. All you need to do is decode them from base64 to plain text (there are several web sites that offer base64 decoding) to discover the account with the cracked password -- if that's your problem. You may also find those authentication successes in your application log file if you have the diagnostics logging level set sufficiently high.

If you don't need SMTP from the Internet you can simply disable the ability of authenticated users to relay. That kills the exploit pretty quickly.

--- Rich Matheisen MCSE+I, Exchange MVP
December 17th, 2011 5:08pm
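
Added example, not part of the original thread or written by any of its participants: the log check described in the reply above, as a Python script that reads an SMTP protocol log in W3C extended format, finds AUTH commands, base64-decodes the account name and counts uses per account and client IP. The field names, the `+LOGIN+<token>` argument layout and the sample lines are assumptions constructed for illustration; check them against the `#Fields:` line of your own log.

```python
import base64
import binascii
from collections import Counter

# Constructed sample in W3C extended layout (not taken from the thread).
# Assumed: the client verb is in cs-method and its argument in cs-uri-query,
# with spaces written as '+'. Adjust the field names if your log differs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query
2011-12-17 03:10:01 203.0.113.50 EHLO +relay.example.net
2011-12-17 03:10:02 203.0.113.50 AUTH +LOGIN+anNtaXRo
2011-12-17 03:10:09 203.0.113.50 AUTH +LOGIN+anNtaXRo
2011-12-17 08:30:00 192.0.2.10 AUTH +LOGIN+bWFyaWE=
#Fields: date time c-ip cs-method cs-uri-query
2011-12-17 09:00:00 198.51.100.7 AUTH +LOGIN+%%%notbase64
"""

def decode_account(token):
    """Return the decoded account name, or None if token is not base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def auth_accounts(log_text):
    """Count AUTH commands per (account, client IP)."""
    fields, seen = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header is rewritten whenever the service restarts,
            # so re-read the column order each time it appears.
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "AUTH":
            continue
        _, sep, token = row.get("cs-uri-query", "").partition("LOGIN+")
        account = decode_account(token) if sep else None
        seen[(account or "<undecodable>", row.get("c-ip", "?"))] += 1
    return seen

if __name__ == "__main__":
    for (account, ip), count in auth_accounts(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {account:<16} {ip}")
```

An account that authenticates repeatedly from an address its owner does not use is the one to reset first.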

>If you don't need SMTP from the Internet you can simply disable the ability of authenticated users to relay.

How do I do it?
December 22nd, 2011 1:05pm

On Thu, 22 Dec 2011 18:04:15 +0000, ThorElPoderoso wrote:
>If you don't need SMTP from the Internet you can simply disable the ability of authenticated users to relay.
>
>How do i do?

What release of Exchange are you using?

--- Rich Matheisen MCSE+I, Exchange MVP
December 22nd, 2011 5:57pm

Exchange 2003
December 23rd, 2011 2:09pm

On Fri, 23 Dec 2011 19:09:02 +0000, ThorElPoderoso wrote:
>Exchange 2003

On the property page of the SMTP Virtual Server, select the "Access" tab and click the "Relay..." button. Uncheck the box labeled "Allow all computers which . . .".

--- Rich Matheisen MCSE+I, Exchange MVP
December 23rd, 2011 2:25pm

If you disable this option, will external users who have configured POP3, IMAP4 and mobile devices (IPAD, IPHONE, HTC) work properly?
December 26th, 2011 6:56am

On Mon, 26 Dec 2011 11:55:17 +0000, ThorElPoderoso wrote:
>If you disable this option, external users who have configured the POP3, IMAP4 and mobile devices (IPAD, IPHONE, HTC) work properly?

Not if they depend on using AUTH to enable them to relay. Your alternative is to enforce the use of strong passwords that are changed regularly.

--- Rich Matheisen MCSE+I, Exchange MVP
December 26th, 2011 10:10pm

Hi,
The configuration I have in the SMTP Relay Restrictions is:
The configuration of authentication is:
I have this setup in users:
Check Allow Submit Permission and Relay Permission
Uncheck Deny Submit Permission and Relay Permission
I tried with external configuration POP3/IMAP4/OWA (all with authentication) with HTC android/windows (Exchange) and with IPAD/IPHONE (Exchange) and it is working properly. Is that configuration correct? Or should I put my server IP in the list of computers...
Note: Before, I had checked the option: Allow all computers ....
December 27th, 2011 3:19am

This topic is archived. No further replies will be accepted.
