spams on smart host - exchange 2003 is not open relay
Hi All,
First post here, and I am not an expert on exchange.
Please bear with me :)
I have been using a smart host to send our emails instead of using our
own Exchange 2003 as the SMTP server.
And then last week the ISP notified me that spam had been detected on
their SMTP server, and therefore they asked me to check the Exchange
server to disable open relay.
I know that our Exchange server is not an open relay.
Question: How come a spammer can still get access to our Exchange server
even though it is not an open relay? The spammer's IP address originates in
Florida, USA, and my office is in Sydney, Australia.
What I did then was change back to Exchange as the SMTP server and look into the queue: no activity...
I know this is not a proper solution...
I need your expertise to help me out.
Any advice would be appreciated a lot.
Regards,
Andi
June 2nd, 2011 9:24am
I think you should consider Sender Policy Framework. Please see the links below:
http://www.msexchange.org/tutorials/sender-policy-framework.html
http://www.msexchange.org/articles/SPF-support-Exchange-freeware.html
Regards, Pushkal MishrA
June 2nd, 2011 9:48am
It's possible you have a compromised account and that is what is spamming. Check logs and see if one user has been sending out a lot of emails.
You can try telnet-ing into both your smart host and exchange server on port 25, and see if you can send emails to a non-exchange email address, without authenticating (do this from a computer not on your exchange network). To do that, follow the steps below.
1. Download Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2. For "Host Name" type in the external ip or dns name of your SMTP server
3. Change connection type to "Telnet"
4. Change "Port" to 25, click "Open"
5. When connected you should see something like "220 yoursmtpserver ESMTP exchange"
6. Type "helo blah.com" -> Enter -> Type "mail from: someemailaddress" -> Enter -> Type "rcpt to: someoffsiteemailaddress" -> If the telnet window comes back with "OK" then you are open relay, if it says "Relay Access Denied", then you will have to chase down another angle.
dave
June 2nd, 2011 9:34pm
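The manual telnet test in the post above, scripted as an added example (not part of any post in this thread). The function name, the HELO name and both addresses are placeholders chosen here; the session stops after RCPT TO and never sends DATA, so no message is submitted.

```python
import smtplib
import sys

def classify(code):
    """Map the reply to an unauthenticated off-site RCPT TO onto a verdict."""
    if 200 <= code < 300:
        return "OPEN RELAY"      # off-site recipient accepted without authentication
    if 400 <= code < 500:
        return "inconclusive"    # temporary failure: repeat the test later
    return "relay denied"        # e.g. "550 5.7.1 Unable to relay"

def probe_relay(host, port=25, helo="probe.example.org",
                sender="probe@example.org", rcpt="offsite@example.net",
                timeout=10):
    """Send HELO, MAIL FROM and RCPT TO without authenticating, then RSET.

    The addresses are placeholders (assumptions): use a recipient in a domain
    the server does not host, and run this from outside your own network.
    """
    # local_hostname is given explicitly so smtplib does no DNS lookup for it.
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as s:
        s.helo()
        code, text = s.mail(sender)
        stage = "MAIL FROM"
        if code < 400:                     # sender accepted, now try the recipient
            code, text = s.rcpt(rcpt)
            stage = "RCPT TO"
            s.rset()                       # abandon the transaction before DATA
    return {"stage": stage, "code": code,
            "text": text.decode("ascii", "replace"),
            "verdict": classify(code)}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: relay_probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    result = probe_relay(sys.argv[1], port)
    print("{stage}: {code} {text} -> {verdict}".format(**result))
```

Run it against both the Exchange server and the smart host; a 4xx reply is neither a pass nor a fail and the test should be repeated.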
I think you should consider Sender Policy Framework. Please see the links below:
http://www.msexchange.org/tutorials/sender-policy-framework.html
http://www.msexchange.org/articles/SPF-support-Exchange-freeware.html
Regards, Pushkal MishrA
Hi Pushkal
I'll have a look into it.
Thanks!
June 3rd, 2011 2:16am
It's possible you have a compromised account and that is what is spamming. Check logs and see if one user has been sending out a lot of emails.
You can try telnet-ing into both your smart host and exchange server on port 25, and see if you can send emails to a non-exchange email address, without authenticating (do this from a computer not on your exchange network). To do that, follow the steps below.
1. Download Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2. For "Host Name" type in the external ip or dns name of your SMTP server
3. Change connection type to "Telnet"
4. Change "Port" to 25, click "Open"
5. When connected you should see something like "220 yoursmtpserver ESMTP exchange"
6. Type "helo blah.com" -> Enter -> Type "mail from: someemailaddress" -> Enter -> Type "rcpt to: someoffsiteemailaddress" -> If the telnet window comes back with "OK" then you are open relay, if it says "Relay Access Denied", then you will have to chase down another angle.
dave
Hi Dave,
I've run the steps as you suggested.
result: 550 5.7.1 Unable to relay for offsiteuser@yahoo.com
So it is not open relay.
What I don't understand is the ISP said the spams keep coming to their smtp, but when I change to our own there's no spam activity on the queues.
The SMTP log unfortunately was not turned on before this happened. I just turned it on yesterday. (C:\WINDOWS\system32\LogFiles\SMTPSVC1)
Checked it this morning and it seems no excessive emails sent out during 24 hours... Queues still not showing any spams.
-Andi
June 3rd, 2011 2:22am
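One way to do the "check logs and see if one user has been sending out a lot of emails" step once SMTP logging is on, as an added example that is not part of any post in this thread. It assumes W3C extended logging in which `cs-method` holds the SMTP verb and `cs-uri-query` its argument; the column order is read from the `#Fields:` line, and the sample records are constructed.

```python
import re
from collections import Counter
from statistics import median

def parse(lines):
    """Yield one dict per log record, using the file's own #Fields line."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def tally(lines):
    """Count RCPT commands per client IP and MAIL commands per sender."""
    per_ip, per_sender = Counter(), Counter()
    for rec in parse(lines):
        verb = rec.get("cs-method", "").upper()
        arg = rec.get("cs-uri-query", "")
        if verb == "RCPT":
            per_ip[rec.get("c-ip", "?")] += 1
        elif verb == "MAIL":
            m = re.search(r"<([^>]*)>", arg)
            per_sender[(m.group(1) if m else arg).lower()] += 1
    return per_ip, per_sender

def suspects(counter, factor=5, floor=10):
    """Entries at least `factor` times the median count (and >= floor).
    Needs several sources in the log to compare against."""
    if not counter:
        return []
    limit = max(floor, factor * median(counter.values()))
    return [(k, n) for k, n in counter.most_common() if n >= limit]

# Constructed sample (not from the thread): two quiet sources and one noisy one.
SAMPLE = ["#Fields: date time c-ip cs-username cs-method cs-uri-query"]
for ip, helo, sender, count in [
        ("203.0.113.9", "mx.partner.example", "bob@partner.example", 2),
        ("192.0.2.44", "mail.supplier.example", "orders@supplier.example", 3),
        ("198.51.100.7", "unknown", "jsmith@example.com", 40)]:
    for i in range(count):
        SAMPLE.append(f"2011-06-03 01:{i:02d}:00 {ip} {helo} MAIL +FROM:<{sender}>")
        SAMPLE.append(f"2011-06-03 01:{i:02d}:01 {ip} {helo} RCPT +TO:<user{i}@example.net>")

if __name__ == "__main__":
    per_ip, per_sender = tally(SAMPLE)
    print("noisy client IPs:", suspects(per_ip))
    print("noisy senders:  ", suspects(per_sender))
```

To use it on real data, pass `tally()` the lines of the log files in the SMTPSVC1 folder mentioned in the post above.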
SPF isn't going to do anything to stop your Spam. Waste of time in my opinion.
Ask the ISP to provide evidence of the spam.
Do you have a single IP address? It could be that you have a compromised system that is sending email directly and not through your server. Blocking port 25 through the firewall for everything but the Exchange server will stop that.
Not sure why Putty was suggested above, when Telnet is built in to all versions of Windows (or can be easily installed) and is all you need to test.
Simon.
Simon Butler, Exchange MVP
June 3rd, 2011 2:41am
Hi Simon,
Yes single IP address.
And the ISP sent the proof as well.
I'll check the firewall setting
Thanks
June 3rd, 2011 5:00am
Hi,
Did you prevent anonymous access on the SMTP virtual server?
You could add the spammer IP address into block list of SMTP virtual server.
Related information: Securing Your Exchange Server
You could also configure connection filtering to use Real time Block Lists (RBLs).
June 3rd, 2011 9:38am
Hi Simon,
Yes single IP address.
And the ISP sent the proof as well.
I'll check the firewall setting
Thanks
If the ISP provided proof, does it show the message coming from the Exchange server in the headers?
Simon.
Simon Butler, Exchange MVP
June 3rd, 2011 11:37am
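A way to answer the header question in the post above from the ISP's sample message, as an added example that is not part of any post in this thread. Host names, addresses and both sample messages are constructed; `trace` and its parameters are names chosen here. With a single public IP the address on the smart host's hop is the same for Exchange and for any workstation behind the firewall, so the example reports the HELO name and whether an Exchange-stamped hop exists.

```python
import re
from email import message_from_string

HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
                 re.I | re.S)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def hops(raw):
    """Received hops, oldest first (every relay prepends its own header)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if m:
            ip = IPV4.search(m.group("info") or "")
            out.append({"helo": m.group("helo").lower(),
                        "ip": ip.group(1) if ip else None,
                        "by": m.group("by").rstrip(";").lower()})
    return out

def trace(raw, smarthost, exchange_names):
    """Describe who handed the message to the ISP smart host."""
    names = {n.lower() for n in exchange_names}
    path = hops(raw)
    entry = next((h for h in path if h["by"] == smarthost.lower()), None)
    if entry is None:
        return None
    return {"handed_over_by": entry["helo"],       # HELO name, chosen by the sender
            "source_ip": entry["ip"],              # recorded by the smart host
            "helo_is_exchange": entry["helo"] in names,
            # hops below the smart host's own header can be forged by the sender
            "exchange_hop_seen": any(h["by"] in names for h in path)}

# Constructed samples: one relayed through Exchange, one sent straight to the smart host.
VIA_EXCHANGE = """\
Received: from mail.example.com ([203.0.113.5])
 by smtp.isp.example with ESMTP; Thu, 2 Jun 2011 09:00:05 +1000
Received: from pc-07 ([192.168.1.37]) by mail.example.com
 with Microsoft SMTPSVC; Thu, 2 Jun 2011 09:00:01 +1000
Subject: constructed sample

body
"""
DIRECT = """\
Received: from pc-22 ([203.0.113.5])
 by smtp.isp.example with ESMTP; Thu, 2 Jun 2011 09:10:00 +1000
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("via Exchange", VIA_EXCHANGE), ("direct", DIRECT)):
        print(name, trace(raw, "smtp.isp.example", ["mail.example.com"]))
```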