Fixed open relay, still relaying spam

Post by Devon Co » Wed, 14 Apr 2004 01:14:26


Hi, thanks for responding. I tried that and I'm still relaying spam. I've
been trying to shake this spammer for days. What else would you suggest?

thanks,

Devon Cox

Fixed open relay, still relaying spam

Post by Devon Co » Wed, 14 Apr 2004 01:57:32

Hi, I have SBS 2003 standard. I followed the instructions in KB 324958 -
plus the following:

in the default SMTP virtual server settings: set IP address to 192.168.16.2
only. In Authentication, unchecked 'Anonymous access'. In Relay, removed
everything except 192.168.16.2 and unchecked 'allow all computers which
authenticate to relay, regardless of list above'.

I'm still relaying spam! What can I do? I enabled detailed logging as
specified in KB 324958, but there are no event IDs 1708 and no events on
MSExchange transport that indicate a user has been hacked...

Any help is appreciated.

thanks,

Devon Cox


Fixed open relay, still relaying spam

Post by Tony S » Wed, 14 Apr 2004 03:04:58

Try this.

<Enable> SMTP Anonymous authentication (otherwise your
Exchange won't be able to talk to other mailservers)
<Remove> all IP addresses from your permitted relay list.
(This disables all anonymous clients from relaying)
<Enable> the checkbox permitting authenticated Users to
relay.

Tony Su
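The two configurations in this thread (Devon's, with anonymous access switched off and only 192.168.16.2 on the relay list, and Tony's, with anonymous access on, an empty relay list and relay for authenticated users) behave very differently against the same SMTP clients. The model below is an added example written for this page, not code from the thread or from Microsoft: it reproduces the Exchange 2003 relay decision (a local recipient is always accepted; a non-local recipient is accepted only if the client IP is on the relay list or the client authenticated and authenticated relay is allowed) and runs four constructed clients through each configuration. The reply strings are approximations of the Exchange wording and the IP addresses and domains are constructed.

```python
"""Model of the Exchange 2003 SMTP virtual server relay decision.

Added example, not from the thread or from Microsoft. Reply strings are
assumptions that mimic Exchange wording; IPs and domains are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RelayConfig:
    """The virtual server settings that decide whether a RCPT TO is relayed."""
    local_domains: frozenset   # domains this server accepts mail for
    anonymous_access: bool     # Access tab -> Authentication -> Anonymous access
    relay_list: tuple          # Access tab -> Relay -> hosts allowed to relay by IP
    authenticated_relay: bool  # "Allow all computers which successfully authenticate to relay"


@dataclass(frozen=True)
class Client:
    ip: str
    authenticated: bool = False


def mail_from(cfg: RelayConfig, client: Client) -> str:
    # With anonymous access off, every unauthenticated client is refused before
    # it can even name a sender. That includes other MTAs delivering legitimate
    # inbound mail, which is why Tony says to turn anonymous access back on.
    if not client.authenticated and not cfg.anonymous_access:
        return "530 5.7.3 Client was not authenticated"
    return "250 2.1.0 Sender OK"


def rcpt_to(cfg: RelayConfig, client: Client, recipient: str) -> str:
    domain = recipient.rpartition("@")[2].lower()
    if domain in cfg.local_domains:
        return "250 2.1.5 Recipient OK"        # local delivery, not relaying
    addr = ip_address(client.ip)
    if any(addr in ip_network(net) for net in cfg.relay_list):
        return "250 2.1.5 Recipient OK"        # relay permitted by IP
    if client.authenticated and cfg.authenticated_relay:
        return "250 2.1.5 Recipient OK"        # relay permitted by credentials
    return f"550 5.7.1 Unable to relay for {recipient}"


def transaction(cfg: RelayConfig, client: Client, sender: str, recipient: str):
    """Return [(command, reply)] for MAIL/RCPT, stopping at the first rejection."""
    reply = mail_from(cfg, client)
    steps = [(f"MAIL FROM:<{sender}>", reply)]
    if not reply.startswith("250"):
        return steps
    steps.append((f"RCPT TO:<{recipient}>", rcpt_to(cfg, client, recipient)))
    return steps


# Constructed configurations matching the two posts above.
DEVON = RelayConfig(frozenset({"example.com"}), anonymous_access=False,
                    relay_list=("192.168.16.2",), authenticated_relay=False)
TONY = RelayConfig(frozenset({"example.com"}), anonymous_access=True,
                   relay_list=(), authenticated_relay=True)

# Constructed clients: (client, MAIL FROM, RCPT TO).
SCENARIOS = {
    "inbound delivery from another MTA": (Client("203.0.113.5"), "alice@example.net", "user@example.com"),
    "open-relay probe": (Client("203.0.113.5"), "spam@example.net", "victim@example.org"),
    "authenticated LAN user sending out": (Client("192.168.16.50", authenticated=True), "user@example.com", "friend@example.org"),
    "unauthenticated client at the relay-list IP": (Client("192.168.16.2"), "user@example.com", "friend@example.org"),
}


def evaluate(cfg: RelayConfig) -> dict:
    """Map each scenario to the 3-digit code of the last reply the client saw."""
    return {name: transaction(cfg, *args)[-1][1][:3] for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for label, cfg in (("Devon's settings", DEVON), ("Tony's settings", TONY)):
        print(label)
        for name, code in evaluate(cfg).items():
            print(f"  {code}  {name}")
```

With Devon's settings every unauthenticated client, including the outside MTA trying to deliver mail to his own users and the 192.168.16.2 host he put on the relay list, gets 530 at MAIL FROM, so nothing anonymous relays but nothing anonymous is delivered either. With Tony's settings inbound mail for the local domain is accepted, the relay probe gets 550 Unable to relay, and only an authenticated user can send to an outside domain. Neither configuration explains spam still leaving the server, which is the point Peter Gallagher picks up next.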


Fixed open relay, still relaying spam

Post by Peter Gall » Wed, 14 Apr 2004 08:08:18

Hello Devon,

Is it possible that your server is sending out Non Delivery Reports as a
function of the open relay? It could be possible that someone is hitting
you with a "mail bomb" where they send email to XXXX@XXXXX.COM .
Your server will send an NDR to the original sender. To tell if they are
NDRs, look at the "from" column in Exchange->queues. If it is
XXXX@XXXXX.COM , then they are likely NDRs.

You can turn off NDR's via Exchange, Global Settings, Internet Message
Formats, Default, Properties, Advanced Tab, uncheck "Allow Non delivery
reports".

Thanks for posting!!

Regards,
Peter Gallagher
Microsoft Product Support
Small Business Server Team


This posting is provided "AS IS" with no warranties, and confers no rights.

Fixed open relay, still relaying spam

Post by Peter Gall » Wed, 14 Apr 2004 11:04:55

Turn on SMTP protocol logging at the properties of the SMTP Virtual Server,
set the format to Microsoft IIS Logfile Format. The log is located
c:\windows\system32\logfiles\smtpsvc1. This will log in and out port 25
traffic.

Also, are you running standard or premium? Are you "server publishing" SMTP
with ISA?

Attach a copy of one of the smtp logs to your post.

Thanks for posting!!

Regards,
Peter Gallagher
Microsoft Product Support
Small Business Server Team


This posting is provided "AS IS" with no warranties, and confers no rights.

Fixed open relay, still relaying spam

Post by Devon Co » Thu, 15 Apr 2004 22:12:55

Hi, I'm using SBS 2003 standard. Below is a copy of a log. XXXX@XXXXX.COM is
an authorized user, but he's only sending email from the LAN. If the log
shows him relaying externally, then I guess his account is hacked. (The email
addys have been changed to protect the presumed innocent.)

Thanks very much,

Devon Cox

207.217.125.16, OutboundConnectionResponse, 4/14/2004, 11:47:04, SMTPSVC1, SERVER01, -, 10000, 0, 101, 0, 0, -, -, 220 eagle EL_3_9_13_6 /EL_3_9_13_6 ESMTP EarthLink SMTP Server Wed, 14 Apr 2004 08:46:19 -0700 (PDT),
207.217.125.16, OutboundConnectionCommand, 4/14/2004, 11:47:04, SMTPSVC1, SERVER01, -, 10140, 0, 4, 0, 0, EHLO, -, shannons.com,
207.217.125.16, OutboundConnectionResponse, 4/14/2004, 11:47:04, SMTPSVC1, SERVER01, -, 10718, 0, 65, 0, 0, -, -, 250-eagle Hello shannons.com [64.252.159.73], pleased to meet you,
207.217.125.16, OutboundConnectionCommand, 4/14/2004, 11:47:04, SMTPSVC1, SERVER01, -, 10718, 0, 4, 0, 0, MAIL, -, FROM:<user@shann..com> SIZE=5956434,
207.217.125.16, OutboundConnectionResponse, 4/14/2004, 11:47:06, SMTPSVC1, SERVER01, -, 11265, 0, 49, 0, 0, -, -, 250 <user@shann..com> SIZE=5956434... Sender ok,
207.217.125.16, OutboundConnectionCommand, 4/14/2004, 11:47:06, SMTPSVC1, SERVER01, -, 11265, 0, 4, 0, 0, RCPT, -, TO:< XXXX@XXXXX.COM >,
207.217.125.16, OutboundConnectionResponse, 4/14/2004, 11:47:06, SMTPSVC1, SERVER01, -, 11906, 0, 44, 0, 0, -, -, 250 < XXXX@XXXXX.COM >... Recipient ok,
207.217.125.16, OutboundConnectionCommand, 4/14/2004, 11:47:06, SMTPSVC1, SERVER01, -, 11906, 0, 4, 0, 0, DATA, -, -,
207.217.125.16, OutboundConnectionResponse, 4/14/2004, 11:47:07, SMTPSVC1, SERVER01, -, 12406, 0, 48, 0, 0, -, -, 354 Enter mail, end with "." on a line by itself,
207.217.125.27, OutboundConnectionResponse, 4/14/2004, 11:52:19, SMTPSVC1, SERVER01, -, 11156, 0, 103, 0, 0, -, -, 220 skylark EL_3_9_13_6 /EL_3_9_13_6 ESMTP EarthLink SMTP Server Wed, 14 Apr 2004 08:51:34 -0700 (PDT),
207.217.125.27, OutboundConnectionCommand, 4/14/2004, 11:52:19, SMTPSVC1, SERVER01, -, 11156, 0, 4, 0, 0, EHLO, -, shannons.com,
207.217.125.27, OutboundConnectionResponse, 4/14/2004, 11:52:19, SMTPSVC1, SERVER01, -, 11625, 0, 67, 0, 0, -, -, 250-skylark Hello shannons.com [64.252.159.73], pleased to meet you,
207.217.125.27, OutboundConnectionCommand, 4/14/2004, 11:52:19, SMTPSVC1, SERVER01, -, 11625, 0, 4, 0, 0, MAIL, -, FROM:<user@shann..com> SIZE=5956434,
207.217.125.27, OutboundConnectionResponse, 4/14/2004, 11:52:20, SMTPSVC1, SERVER01, -, 12203, 0, 49, 0, 0, -, -, 250 <user@shann..com> SIZE=5956434... Sender ok,
207.217.125.27, OutboundConnectionCommand, 4/14/2004, 11:52:20, SMTPSVC1, SERVER01, -, 12203, 0, 4, 0, 0, RCPT, -, TO:< XXXX@XXXXX.COM >,
207.217.125.27, OutboundConnectionResponse, 4/14/2004, 11:52:20, SMTPSVC1, SERVER01, -, 12750, 0, 44, 0, 0, -, -, 250 < XXXX@XXXXX.COM >... Recipient ok,
207.217.125.27, OutboundConnectionCommand, 4/14/2004, 11:52:20, SMTPSVC1, SERVER01, -, 12750, 0, 4, 0, 0, DATA, -, -,
207.217.125.27, OutboundConnectionResponse, 4/14/2004, 11:52:21, SMTPSVC1, SERVER01, -, 13219, 0, 48, 0, 0, -, -, 354 Enter mail, end with "." on a line by itself,
207.217.125.19, OutboundConnectionResponse, 4/14/2004, 11:57:24, SMTPSVC1, SERVER01, -, 172, 0, 104, 0, 0, -, -, 220 killdeer EL_3_9_13_6 /EL_3_9_13_6 ESMTP EarthLink SMTP Server Wed, 14 Apr 2004 08:56:39 -0700 (PDT),
207.217.125.19, Outb

Fixed open relay, still relaying spam

Post by peterga » Fri, 16 Apr 2004 07:47:09


Hello Devon,

Based on the logs, those are outbound connections which are normal
(internal connections, if you will).

It does not appear that the server is allowing relay. Based on the logs,
it does not appear to be a hacked account.

I need to know specifically why you think you are being used (abused) as an
open relay.

Thanks for posting!!

Regards,
Peter Gallagher
Microsoft Product Support
Small Business Server Team


This posting is provided "AS IS" with no warranties, and confers no rights.
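Peter's reading of the log above (outbound sessions tagged OutboundConnectionCommand/OutboundConnectionResponse are the server's own deliveries, not relay) and his earlier NDR suggestion both come down to the same triage over the smtpsvc1 log files, so one added example covers both. The script below is written for this page and is not Microsoft's tooling. It takes the Microsoft IIS log file format field order (c-ip, cs-username, date, time, s-sitename, s-computername, s-ip, time-taken, sc-bytes, cs-bytes, sc-status, sc-win32-status, cs-method, cs-uri-stem, cs-uri-query) and assumes that inbound commands are logged with the client's HELO/EHLO name in cs-username, the verb in cs-method, its argument in cs-uri-query and the server's reply code in sc-status; the outbound line layout is taken from the posted log. An inbound RCPT TO for a non-local domain that got 250 is a relay the server agreed to; an outbound MAIL FROM:<> is the null reverse-path that NDRs carry (RFC 5321), so a run of those points at the "mail bomb" backscatter case. The sample log lines are constructed, with example.com as the assumed local domain.

```python
"""Triage of Exchange 2003 SMTP protocol logs (Microsoft IIS log file format).

Added example for this thread, not Microsoft's tooling. Inbound field
semantics (HELO name in cs-username, verb in cs-method, argument in
cs-uri-query, reply code in sc-status) are an assumption; the outbound
layout follows the log posted in the thread. Sample lines are constructed.
"""
import re
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}   # assumed: the domains this server accepts mail for
ADDR = re.compile(r"<\s*([^<>\s]*)\s*>")


@dataclass
class Record:
    client_ip: str
    username: str   # HELO name (inbound) or OutboundConnection* (outbound)
    status: int     # sc-status: reply code the server sent for an inbound verb
    verb: str       # cs-method: SMTP verb, or "-" on response lines
    arg: str        # cs-uri-query: verb argument or reply text

    @property
    def outbound(self) -> bool:
        return self.username.startswith("OutboundConnection")


def parse(line: str):
    """Parse one log line; returns None for blank or '#' header lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(", ", 14)   # 15 fields; the last may itself contain commas
    if len(fields) < 15:
        return None
    status = int(fields[10]) if fields[10].isdigit() else 0
    return Record(fields[0], fields[1], status, fields[12], fields[14].rstrip(","))


def recipient_of(arg: str) -> str:
    m = ADDR.search(arg)
    return m.group(1) if m else ""


def analyse(lines, local_domains=LOCAL_DOMAINS) -> dict:
    """Flag relay through this server and likely NDR backscatter."""
    findings = {"relayed": [], "relay_refused": 0,
                "inbound_rejected_at_mail": 0, "outbound_null_sender": 0}
    for rec in filter(None, map(parse, lines)):
        if rec.outbound:
            # Our own deliveries. A null reverse-path means we generated an NDR.
            if rec.verb == "MAIL" and rec.arg.upper().startswith("FROM:<>"):
                findings["outbound_null_sender"] += 1
            continue
        if rec.verb == "MAIL" and rec.status == 530:
            findings["inbound_rejected_at_mail"] += 1   # anonymous access switched off
        elif rec.verb == "RCPT":
            rcpt = recipient_of(rec.arg)
            domain = rcpt.rpartition("@")[2].lower()
            if domain and domain not in local_domains:
                if rec.status == 250:
                    findings["relayed"].append((rec.client_ip, rcpt))   # relay accepted
                elif rec.status == 550:
                    findings["relay_refused"] += 1                      # relay refused
    return findings


# Constructed sample: one clean inbound delivery, one session that probes for
# relay (first RCPT refused, second accepted), and one outbound NDR.
SAMPLE_LOG = """\
#Fields: c-ip cs-username date time s-sitename s-computername s-ip time-taken sc-bytes cs-bytes sc-status sc-win32-status cs-method cs-uri-stem cs-uri-query
198.51.100.7, mx.example.net, 4/14/2004, 12:03:11, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 250, 0, EHLO, -, mx.example.net,
198.51.100.7, mx.example.net, 4/14/2004, 12:03:11, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 250, 0, MAIL, -, FROM:<alice@example.net>,
198.51.100.7, mx.example.net, 4/14/2004, 12:03:11, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 250, 0, RCPT, -, TO:<user@example.com>,
203.0.113.9, -, 4/14/2004, 12:05:40, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 250, 0, HELO, -, friend,
203.0.113.9, -, 4/14/2004, 12:05:40, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 250, 0, MAIL, -, FROM:<bob@example.net>,
203.0.113.9, -, 4/14/2004, 12:05:41, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 550, 0, RCPT, -, TO:<victim@example.org>,
203.0.113.9, -, 4/14/2004, 12:05:41, SMTPSVC1, SERVER01, 192.168.16.2, 0, 0, 4, 250, 0, RCPT, -, TO:<victim2@example.org>,
198.51.100.7, OutboundConnectionCommand, 4/14/2004, 12:06:02, SMTPSVC1, SERVER01, -, 10140, 0, 4, 0, 0, EHLO, -, example.com,
198.51.100.7, OutboundConnectionCommand, 4/14/2004, 12:06:02, SMTPSVC1, SERVER01, -, 10718, 0, 4, 0, 0, MAIL, -, FROM:<> SIZE=2310,
198.51.100.7, OutboundConnectionCommand, 4/14/2004, 12:06:02, SMTPSVC1, SERVER01, -, 11265, 0, 4, 0, 0, RCPT, -, TO:<forged@example.net>,
198.51.100.7, OutboundConnectionResponse, 4/14/2004, 12:06:03, SMTPSVC1, SERVER01, -, 11906, 0, 44, 0, 0, -, -, 250 <forged@example.net>... Recipient ok,
"""

if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of a file from
    # c:\windows\system32\logfiles\smtpsvc1 to run this against a real server.
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real log, a non-empty "relayed" list names the client addresses the server relayed for and the outside recipients it accepted; a large "outbound_null_sender" count with nothing in "relayed" is the NDR backscatter pattern, and the fix is the "Allow Non delivery reports" setting Peter points to rather than further relay tightening.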