spams on smart host - exchange 2003 is not open relay
Hi All,

First post here, and I am not an expert on Exchange. Please bear with me :)

I have been using a smart host to send our emails instead of using our own Exchange 2003 as the SMTP server. Then last week the ISP notified me that spam had been detected on their SMTP server, and therefore they asked me to check the Exchange server to disable open relay. I know that our Exchange server is not an open relay.

Question: How come a spammer can still get access to our Exchange server even though it is not an open relay? The spammer's IP address originates in Florida, USA and my office is in Sydney, Australia.

What I did then was change back to Exchange as the SMTP server and look into the queue: no activity... I know this is not a proper solution...

I need your expertise to help me out. Any advice would be appreciated a lot.

Regards, Andi
June 2nd, 2011 2:29am

I think you should consider Sender Policy Framework. Please see the links below:
http://www.msexchange.org/tutorials/sender-policy-framework.html
http://www.msexchange.org/articles/SPF-support-Exchange-freeware.html

Regards, Pushkal MishrA
June 2nd, 2011 2:54am

It's possible you have a compromised account and that is what is spamming. Check logs and see if one user has been sending out a lot of emails.

You can try telnet-ing into both your smart host and Exchange server on port 25, and see if you can send emails to a non-Exchange email address, without authenticating (do this from a computer not on your Exchange network). To do that, follow the steps below.

1. Download Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2. For "Host Name" type in the external IP or DNS name of your SMTP server
3. Change connection type to "Telnet"
4. Change "Port" to 25, click "Open"
5. When connected you should see something like "220 yoursmtpserver ESMTP exchange"
6. Type "helo blah.com" -> Enter -> Type "mail from: someemailaddress" -> Enter -> Type "rcpt to: someoffsiteemailaddress" -> If the telnet window comes back with "OK" then you are open relay, if it says "Relay Access Denied", then you will have to chase down another angle.

dave
June 2nd, 2011 2:41pm
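
Added example, not part of Dave's post: the same unauthenticated HELO / MAIL FROM / RCPT TO check scripted with Python's smtplib, to run against your own server from a machine outside your network. The function names and the addresses you pass in are placeholders chosen for this example; no DATA command is sent, so no message is delivered.

```python
import smtplib


def relay_verdict(code):
    """Classify the server's final reply code for an off-site recipient."""
    if 200 <= code < 300:
        return "open-relay"      # accepted unauthenticated mail for a foreign domain
    if 400 <= code < 500:
        return "inconclusive"    # temporary failure (greylisting, throttling): retry
    return "relay-denied"        # e.g. 550 5.7.1 Unable to relay


def probe(smtp, sender, offsite_rcpt, helo_name="blah.com"):
    """Run HELO / MAIL FROM / RCPT TO on an open, unauthenticated session.

    `smtp` is an smtplib.SMTP object (or anything with the same methods).
    """
    smtp.helo(helo_name)
    stage = "MAIL FROM"
    code, msg = smtp.mail(sender)
    if code < 400:               # sender accepted, now ask to relay off-site
        stage = "RCPT TO"
        code, msg = smtp.rcpt(offsite_rcpt)
    smtp.rset()                  # abandon the transaction, nothing is queued
    return {
        "stage": stage,
        "code": code,
        "reply": msg.decode("ascii", "replace"),
        "verdict": relay_verdict(code),
    }


def check_relay(host, sender, offsite_rcpt, port=25, timeout=10):
    """Connect to your own SMTP server and run the probe; QUIT is sent on exit."""
    with smtplib.SMTP(host, port, local_hostname="blah.com", timeout=timeout) as smtp:
        return probe(smtp, sender, offsite_rcpt)
```

Run `check_relay()` once against the Exchange server's external address and once against the smart host; a "relay-denied" verdict on both means the spam is not getting out through anonymous relay.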

Hi Pushkal,

I'll have a look into it. Thanks!
June 2nd, 2011 7:16pm

Hi Dave,

I've run the steps as you suggested. Result: 550 5.7.1 Unable to relay for offsiteuser@yahoo.com

So it is not an open relay. What I don't understand is that the ISP said the spam keeps coming to their SMTP, but when I change to our own there's no spam activity in the queues. Unfortunately the SMTP log was not turned on before this happened. I just turned it on yesterday (C:\WINDOWS\system32\LogFiles\SMTPSVC1). I checked it this morning and it seems no excessive emails were sent out during 24 hours... Queues are still not showing any spam.

-Andi
June 2nd, 2011 7:23pm
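
Added example, not part of the thread: one way to read the SMTPSVC1 log for the "is one client sending a lot of mail" check, by counting accepted RCPT TO commands for non-local recipients per client IP. The sample log lines are constructed, and the code assumes W3C Extended logging with the c-ip, cs-method, cs-uri-query and sc-status fields enabled; the function names and `example.com` as the local domain are placeholders.

```python
import re
from collections import Counter

# Constructed sample, not taken from the thread. Column order is read from
# the "#Fields:" header, so extra logged fields do not break the parser.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2011-06-03 01:10:02 192.168.1.20 MAIL +FROM:<andi@example.com> 250
2011-06-03 01:10:02 192.168.1.20 RCPT +TO:<client@example.net> 250
2011-06-03 02:14:40 198.51.100.7 RCPT +TO:<sales@example.com> 250
2011-06-03 02:31:09 203.0.113.9 RCPT +TO:<offsiteuser@yahoo.com> 550
2011-06-03 03:00:11 192.168.1.57 RCPT +TO:<a1@example.org> 250
2011-06-03 03:00:11 192.168.1.57 RCPT +TO:<a2@example.org> 250
2011-06-03 03:00:12 192.168.1.57 RCPT +TO:<a3@example.org> 250
"""


def outbound_rcpts(log_text, local_domains):
    """Return (accepted, refused) Counters of off-site RCPT TO per client IP."""
    fields, accepted, refused = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        m = re.search(r"<[^>@]*@([^>]+)>", row.get("cs-uri-query", ""))
        if not m or m.group(1).lower() in local_domains:
            continue                      # inbound mail for our own domain
        ok = row.get("sc-status", "").startswith("2")
        (accepted if ok else refused)[row.get("c-ip", "-")] += 1
    return accepted, refused


def top_relayers(log_text, local_domains, threshold=3):
    """Client IPs with at least `threshold` accepted off-site recipients."""
    accepted, _ = outbound_rcpts(log_text, local_domains)
    return [(ip, n) for ip, n in accepted.most_common() if n >= threshold]
```

Refused entries (the 550 line) are relay attempts the server turned away; accepted off-site recipients concentrated on one client IP point at the workstation or account to investigate.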

SPF isn't going to do anything to stop your Spam. Waste of time in my opinion.

Ask the ISP to provide evidence of the spam. Do you have a single IP address? It could be that you have a compromised system that is sending email directly and not through your server. Blocking port 25 through the firewall for everything but the Exchange server will stop that.

Not sure why Putty was suggested above, when Telnet is built in to all versions of Windows (or can be easily installed) and is all you need to test.

Simon.

Simon Butler, Exchange MVP
June 2nd, 2011 7:42pm

Hi Simon,

Yes, single IP address. And the ISP sent the proof as well. I'll check the firewall setting.

Thanks
June 2nd, 2011 10:01pm

Hi,

Did you prevent anonymous access on the SMTP virtual server? You could add the spammer IP address into the block list of the SMTP virtual server.

Related information: Securing Your Exchange Server

You could also configure connection filtering to use Real time Block Lists (RBLs).
June 3rd, 2011 2:38am

If the ISP provided proof, does it show the message coming from the Exchange server in the headers?

Simon.

Simon Butler, Exchange MVP
June 3rd, 2011 4:39am

This topic is archived. No further replies will be accepted.
