Is my Exchange still a spammer?
Hi,
I have searched high and low and I have asked at many places, I have done many checks, but basically the problem has not gone away (or at least I think it did not). I still suspect my Exchange 2003 server (SBS 2003 SP2) is being used as a relay.
Why do I think so?
1. My fortnightly Server Usage Report informed me that my 14 users have sent 17000 emails in the last fortnight, which is impossible (out of the 14, there are only about 5 who use email regularly, but not on such a scale).
2. I also get a lot of ID 7002 450/451 errors, like the one below (about 100/hour)
This is an SMTP protocol warning log for virtual server ID 1, connection #4789. The remote host "202.142.142.20", responded to the SMTP command "rcpt" with "450 <submersed@windows_lastone.cpe.telmex.com.cl>: Sender address rejected: Domain not found ". The full command sent was "RCPT TO:<eastgipps.ssaa@wideband.net.au> ". This may cause the connection to fail.
ID 7004 550/553 errors, like the one below (about 50/hour)
This is an SMTP protocol error log for virtual server ID 1, connection #7071. The remote host "220.244.226.66", responded to the SMTP command "rcpt" with "550 5.7.1 <Blairy@netconnect.com.au>... recipient denied, because MX 10 'mail.ssaavic.com.au.' [61.9.141.42] for <ng@ssaavic.com.au> rejected address saying: User unknown ". The full command sent was "RCPT TO:<Blairy@netconnect.com.au> ". This will probably cause the connection to fail.
ID 7010 550 errors, like the one below (about 15/hour)
This is an SMTP protocol log for virtual server ID 1, connection #2413. The client at "203.12.160.181" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for SECNUOB-CIVAASS6@mail.ssaavic.com.au ". The full command sent was "rcpt TO:<SECNUOB-CIVAASS6@mail.ssaavic.com.au>". This will probably cause the connection to fail.
How can I verify where these 17000 emails come from, and how can I stop it?
I have done the Check Whether the Exchange Server is an Open SMTP Relay using a Telnet Test, and no problem there. Where should I look now? OR what should I do now?
Here are my current settings:
http://www.bolivianexperience.com/car/EX1.jpg
and here is the email report:
http://www.bolivianexperience.com/car/ex2.JPG
Thanks
September 8th, 2009 4:20am
On Tue, 8-Sep-09 01:20:54 GMT, Borec wrote:

> I have searched high and low and I have asked at many places, I have done many checks, but basically the problem has not gone away (or at least I think it did not). I still suspect my Exchange 2003 server (SBS 2003 SP2) is being used as a relay.
>
> Why do I think so?
>
> 1. My fortnightly Server Usage Report informed me that my 14 users have sent 17000 emails in the last fortnight, which is impossible (out of the 14, there are only about 5 who use email regularly, but not on such a scale).

[...] within your organization? Are any of the machines infected with viruses or worms or other malware?

[ snip ]

> This is an SMTP protocol log for virtual server ID 1, connection #2413. The client at "203.12.160.181" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for SECNUOB-CIVAASS6@mail.ssaavic.com.au ". The full command sent was "rcpt TO:<SECNUOB-CIVAASS6@mail.ssaavic.com.au>". This will probably cause the connection to fail.

This is a good thing -- assuming 203.12.160.181 isn't your server and that event didn't come from someone else's server. :-)

The IP address has a good reputation, but that doesn't mean that there aren't some infected machines there:
http://www.trustedsource.org/query/203.12.160.181

mail.ssaavic.com.au is the name of (your?) server. Is it possible that someone sends email using that name instead of the domain name?

> How can I verify where these 17000 emails come from, and how can I stop it?

> [...] I have done the Check Whether the Exchange Server is an Open SMTP Relay using a Telnet Test, and no problem there. Where should I look now? OR what should I do now?

Your SMTP protocol logs will show you if those messages are originating from within, or from outside, your organization.

While relay tests are good (sort of), did the one you used check to see if you reject RCPT TO commands for addresses that don't exist in your organization? You could be being used to send NDR spam.
Rich Matheisen
MCSE+I, Exchange MVP
September 8th, 2009 4:49am
> Are any of the machines infected with viruses or worms or other malware?

I would like to think no, I have checked all machines with Malwarebytes Anti-Malware and found nothing. The server is running PureMessage and the whole network Sophos antivirus.

> mail.ssaavic.com.au is the name of (your?) server. Is it possible that someone sends email using that name instead of the domain name?

Not sure what you mean there, all email goes out through the Exchange server, and it is not 203.12.160.181.

> Your SMTP protocol logs will show you if those messages are originating from within, or from outside, your organization.

Well, here are a few lines from the log, and to tell the truth I have no idea what it means, all I can say is that nearly all of those @ssaavic.com.au are users that do not exist at my organization.

90.177.226.99, 99.226.broadband10.iol.cz, 7/09/2009, 0:00:00, SMTPSVC1, SERVER, 192.168.0.2, 5250, 30, 0, 550, 0, RCPT, -, TO:<gtreu@ssaavic.com.au>,
90.177.226.99, 99.226.broadband10.iol.cz, 7/09/2009, 0:00:00, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 7453, QUIT, -, 99.226.broadband10.iol.cz,
83.11.61.240, acth240.neoplus.adsl.tpnet.pl, 7/09/2009, 0:00:02, SMTPSVC1, SERVER, 192.168.0.2, 5343, 33, 0, 550, 0, RCPT, -, TO:<hamilton@ssaavic.com.au>,
83.11.61.240, acth240.neoplus.adsl.tpnet.pl, 7/09/2009, 0:00:02, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 7750, QUIT, -, acth240.neoplus.adsl.tpnet.pl,
84.229.246.124, [84.229.246.124], 7/09/2009, 0:00:04, SMTPSVC1, SERVER, 192.168.0.2, 5328, 32, 0, 550, 0, RCPT, -, TO:<officen@ssaavic.com.au>,
84.229.246.124, [84.229.246.124], 7/09/2009, 0:00:04, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 14078, QUIT, -, [84.229.246.124],
222.253.217.230, localhost, 7/09/2009, 0:00:05, SMTPSVC1, SERVER, 192.168.0.2, 663656, 4, 68, 121, 3873045982, TIMEOUT, -, localhost,
222.253.217.230, localhost, 7/09/2009, 0:00:05, SMTPSVC1, SERVER, 192.168.0.2, 663656, 4, 68, 240, 674781, QUIT, -, localhost,
124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:07, SMTPSVC1, SERVER, 192.168.0.2, 265, 44, 0, 250, 0, EHLO, -, ppp-124-121-164-27.revip2.asianet.co.th,
124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:07, SMTPSVC1, SERVER, 192.168.0.2, 0, 44, 47, 250, 0, MAIL, -, FROM:<amilton@ssaavic.com.au>,
124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:13, SMTPSVC1, SERVER, 192.168.0.2, 5344, 32, 0, 550, 0, RCPT, -, TO:<amilton@ssaavic.com.au>,
124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:13, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 7203, QUIT, -, ppp-124-121-164-27.revip2.asianet.co.th,
117.36.197.42, [117.36.197.42], 7/09/2009, 0:00:23, SMTPSVC1, SERVER, 192.168.0.2, 2312, 20, 0, 250, 0, EHLO, -, [117.36.197.42],
117.36.197.42, [117.36.197.42], 7/09/2009, 0:00:23, SMTPSVC1, SERVER, 192.168.0.2, 0, 42, 55, 250, 0, MAIL, -, FROM:<rolex_sportsModels@zfree.co.nz>,
190.0.79.100, cbl-sd-79-100.aster.com.do, 7/09/2009, 0:00:29, SMTPSVC1, SERVER, 192.168.0.2, 329, 31, 0, 250, 0, EHLO, -, cbl-sd-79-100.aster.com.do,
117.36.197.42, [117.36.197.42], 7/09/2009, 0:00:29, SMTPSVC1, SERVER, 192.168.0.2, 5312, 32, 0, 550, 0, RCPT, -, TO:<thirdmd@ssaavic.com.au>,
190.0.79.100, cbl-sd-79-100.aster.com.do, 7/09/2009, 0:00:29, SMTPSVC1, SERVER, 192.168.0.2, 0, 43, 46, 250, 0, MAIL, -, FROM:<erdown@ssaavic.com.au>,
117.36.197.42, [117.36.197.42], 7/09/2009, 0:00:29, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 10266, QUIT, -, [117.36.197.42],
203.153.222.14, RJAHJBRA, 7/09/2009, 0:00:30, SMTPSVC1, SERVER, 192.168.0.2, 2266, 13, 0, 250, 0, EHLO, -, RJAHJBRA,
203.153.222.14, RJAHJBRA, 7/09/2009, 0:00:31, SMTPSVC1, SERVER, 192.168.0.2, 0, 37, 49, 250, 0, MAIL, -, FROM: <flaying9@harvey-home.com>,
93.74.63.70, girtless-lasso.volia.net, 7/09/2009, 0:00:33, SMTPSVC1, SERVER, 192.168.0.2, 0, 30, 42, 250, 0, MAIL, -, FROM: <simplyg@aikema.nl>,
190.0.79.100, cbl-sd-79-100.aster.com.do, 7/09/2009, 0:00:35, SMTPSVC1, SERVER, 192.168.0.2, 5234, 31, 0, 550, 0, RCPT, -, TO:<erdown@ssaavic.com.au>,
78.231.227.18, romuald9801925, 7/09/2009, 0:00:35, SMTPSVC1, SERVER, 192.168.0.2, 2266, 19, 0, 250, 0, EHLO, -, romuald9801925,
190.0.79.100, cbl-sd-79-100.aster.com.do, 7/09/2009, 0:00:35, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 7125, QUIT, -, cbl-sd-79-100.aster.com.do,
78.231.227.18, romuald9801925, 7/09/2009, 0:00:35, SMTPSVC1, SERVER, 192.168.0.2, 0, 40, 52, 250, 0, MAIL, -, FROM: <awotwiaudley@ssaavic.com.au>,
203.153.222.14, RJAHJBRA, 7/09/2009, 0:00:36, SMTPSVC1, SERVER, 192.168.0.2, 5016, 31, 0, 550, 0, RCPT, -, TO: <coned@ssaavic.com.au>,
203.153.222.14, RJAHJBRA, 7/09/2009, 0:00:36, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 0, 503, 0, DATA, -, -,
93.74.63.70, girtless-lasso.volia.net, 7/09/2009, 0:00:38, SMTPSVC1, SERVER, 192.168.0.2, 5187, 33, 0, 550, 0, RCPT, -, TO: <pbrownd@ssaavic.com.au>,
93.74.63.70, girtless-lasso.volia.net, 7/09/2009, 0:00:38, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 0, 503, 0, DATA, -, -,
78.231.227.18, romuald9801925, 7/09/2009, 0:00:42, SMTPSVC1, SERVER, 192.168.0.2, 5344, 35, 0, 550, 0, RCPT, -, TO: <hamiltoni@ssaavic.com.au>,
203.153.222.14, RJAHJBRA, 7/09/2009, 0:00:42, SMTPSVC1, SERVER, 192.168.0.2, 5719, 4, 30, 240, 15157, QUIT, -, RJAHJBRA,
78.231.227.18, romuald9801925, 7/09/2009, 0:00:42, SMTPSVC1, SERVER, 192.168.0.2, 5797, 35, 59, 240, 9500, QUIT, -, romuald9801925,
93.74.63.70, girtless-lasso.volia.net, 7/09/2009, 0:00:44, SMTPSVC1, SERVER, 192.168.0.2, 0, 4, 68, 240, 104343, QUIT, -, girtless-lasso.volia.net,
221.2.241.173, wangdj, 7/09/2009, 0:00:44, SMTPSVC1, SERVER, 192.168.0.2, 2281, 11, 0, 250, 0, EHLO, -, wangdj,
221.2.241.173, wangdj, 7/09/2009, 0:00:44, SMTPSVC1, SERVER, 192.168.0.2, 2281, 11, 0, 250, 0, EHLO, -, wangdj,

> While relay tests are good (sort of), did the one you used check to see if you reject RCPT TO commands for addresses that don't exist in your organization? You could be being used to send NDR spam.

Yes, it rejected the RCPT TO command. I used this test here:
http://www.amset.info/exchange/spam-cleanup.asp
September 8th, 2009 10:05am
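The log excerpt above is in the Microsoft IIS log file format that the Exchange 2003 SMTP virtual server writes, and it already answers the question of where the mail comes from once it is read per client IP: outside hosts sending MAIL FROM addresses in the server's own domain, RCPT TO commands that get a 550, and (if it ever happens) an outside host getting a 250 for a recipient outside the server's own domains. The script below is an added example written for this thread, not code from the poster, from Microsoft or from any tool mentioned here. It assumes the 15-field IIS column order (client IP, HELO name in the user-name slot, date, time, service, server, server IP, time taken, bytes sent, bytes received, status, Win32 status, method, target, parameters), and the LOCAL_DOMAINS and INTERNAL_NETS values are assumptions for this site. The sample records are constructed: the first six follow lines posted above, the last four are invented to show what an internal sender (192.168.0.15) and an accepted relay from an outside host (198.51.100.7) would look like in the same format.

```python
"""Triage a Microsoft IIS-format SMTP protocol log for relay, sender-spoofing
and NDR-spam symptoms.  Added example for the thread; site values below are
assumptions and the sample log is constructed."""
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"ssaavic.com.au", "mail.ssaavic.com.au"}  # assumption: domains this server accepts mail for
INTERNAL_NETS = ("192.168.0.",)                             # assumption: LAN prefix; the server itself is 192.168.0.2

# Constructed sample (first six rows follow the thread's log lines, last four are invented).
SAMPLE_LOG = """\
124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:07, SMTPSVC1, SERVER, 192.168.0.2, 0, 44, 47, 250, 0, MAIL, -, FROM:<amilton@ssaavic.com.au>,
124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:13, SMTPSVC1, SERVER, 192.168.0.2, 5344, 32, 0, 550, 0, RCPT, -, TO:<amilton@ssaavic.com.au>,
117.36.197.42, [117.36.197.42], 7/09/2009, 0:00:23, SMTPSVC1, SERVER, 192.168.0.2, 0, 42, 55, 250, 0, MAIL, -, FROM:<rolex_sportsModels@zfree.co.nz>,
117.36.197.42, [117.36.197.42], 7/09/2009, 0:00:29, SMTPSVC1, SERVER, 192.168.0.2, 5312, 32, 0, 550, 0, RCPT, -, TO:<thirdmd@ssaavic.com.au>,
190.0.79.100, cbl-sd-79-100.aster.com.do, 7/09/2009, 0:00:29, SMTPSVC1, SERVER, 192.168.0.2, 0, 43, 46, 250, 0, MAIL, -, FROM:<erdown@ssaavic.com.au>,
190.0.79.100, cbl-sd-79-100.aster.com.do, 7/09/2009, 0:00:35, SMTPSVC1, SERVER, 192.168.0.2, 5234, 31, 0, 550, 0, RCPT, -, TO:<erdown@ssaavic.com.au>,
192.168.0.15, WKS15, 7/09/2009, 9:12:01, SMTPSVC1, SERVER, 192.168.0.2, 0, 40, 52, 250, 0, MAIL, -, FROM:<alice@ssaavic.com.au>,
192.168.0.15, WKS15, 7/09/2009, 9:12:01, SMTPSVC1, SERVER, 192.168.0.2, 0, 38, 50, 250, 0, RCPT, -, TO:<bob@example.net>,
198.51.100.7, zombie, 7/09/2009, 9:13:40, SMTPSVC1, SERVER, 192.168.0.2, 0, 40, 52, 250, 0, MAIL, -, FROM:<deals@example.com>,
198.51.100.7, zombie, 7/09/2009, 9:13:41, SMTPSVC1, SERVER, 192.168.0.2, 0, 38, 50, 250, 0, RCPT, -, TO:<victim@example.org>,
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_record(line):
    """Split one IIS-format log line into (client_ip, status, method, address); None for headers/junk."""
    fields = [f.strip() for f in line.strip().rstrip(",").split(",")]
    if len(fields) < 15 or not fields[10].isdigit():
        return None
    m = ADDR_RE.search(fields[14])
    address = m.group(1).lower() if m else ""
    return fields[0], int(fields[10]), fields[12].upper(), address


def domain_of(address):
    return address.rsplit("@", 1)[1] if "@" in address else ""


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def classify(ip, status, method, address):
    """Name the finding one record represents, or None if it is not interesting."""
    internal = is_internal(ip)
    local = domain_of(address) in LOCAL_DOMAINS
    if method == "MAIL":
        if internal:
            return "internal_sender"            # a LAN host sending: high counts here mean an infected PC
        return "spoofed_local_sender" if local else "external_sender"
    if method == "RCPT":
        if status == 550:
            return "rcpt_rejected"              # relay refused or unknown recipient refused: good
        if 200 <= status < 300:
            # outside host + recipient outside our domains + accepted = the server relayed
            return "rcpt_accepted" if (internal or local) else "RELAY_ACCEPTED"
    return None


def analyse(log_text):
    """Return {client_ip: Counter(finding -> count)} for the whole log."""
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        name = classify(*rec)
        if name:
            findings[rec[0]][name] += 1
    return findings


def totals(findings):
    total = Counter()
    for c in findings.values():
        total.update(c)
    return total


def suspect_ips(findings):
    """Outside hosts that spoof our domain or got mail relayed: candidates for blocking / SPF policy."""
    return sorted(ip for ip, c in findings.items()
                  if c["spoofed_local_sender"] or c["RELAY_ACCEPTED"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = analyse(text)
    for ip, c in sorted(found.items()):
        print(ip, dict(c))
    print("totals:", dict(totals(found)))
    print("suspects:", suspect_ips(found))
```

Run it against a real log with `python triage.py ex090907.log`. The RELAY_ACCEPTED count is the only one that means an open relay; spoofed_local_sender with a 550 on the following RCPT is the pattern visible in the posted lines, and it costs you bandwidth and reputation but does not send mail on your behalf. Note that the "17000 sent" figure in a usage report counts what the SMTP virtual server handed off, so a large internal_sender count from one LAN address is the infected-workstation case, while NDRs generated by the server itself for mail it accepted and later bounced appear as outbound mail from the server, not from any client.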
I would ask you to check if your server is acting as an open relay. Please follow the article below for the same:
http://support.microsoft.com/kb/895853/en-us

Also check that the antispam/antivirus software has been configured properly, to make sure it is not acting as an open relay.

Run the Exchange Best Practices Analyser and check the health of the server:
http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en

Vinod
|CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
September 8th, 2009 1:11pm
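The KB article's telnet test only asks one question (will the server accept RCPT TO for a recipient in a domain it is not responsible for). The earlier reply raised the second question, which the amset.info test covers: will the server accept RCPT TO for a user in its own domain who does not exist, and bounce later, which makes it an NDR-spam source even though it is not a relay. On Exchange 2003 the second test only passes when recipient filtering is enabled on the Message Delivery properties and on the SMTP virtual server; the 550 the poster reports is consistent with that. The script below runs both probes in one SMTP session and is an added example written for this thread, not code from the KB article, from amset.info or from Microsoft. It uses only smtplib; the .invalid probe addresses and the non-existent local user name are assumptions, and it must be run from outside your own network (relay restrictions usually exempt the LAN) against a server you are authorised to test.

```python
"""Two RCPT TO probes against an SMTP server: open relay, and accept-then-bounce
(NDR spam).  Added example for the thread; addresses below are placeholders."""
import smtplib
import sys

PROBE_SENDER = "relay-probe@example.invalid"   # assumption: an outside sender address
OUTSIDE_RCPT = "somebody@example.invalid"      # assumption: a recipient the server is not responsible for
UNKNOWN_USER = "no-such-user-7f3a9c"           # assumption: a mailbox name that does not exist locally


def rcpt_verdict(kind, code):
    """Map the reply code to a RCPT TO probe onto (problem?, explanation).

    kind is 'relay' (outside sender -> outside recipient) or 'unknown_local'
    (outside sender -> non-existent user in the server's own domain).
    """
    accepted = 200 <= code < 300
    if kind == "relay":
        if accepted:
            return True, f"{code}: OPEN RELAY, recipient outside your domains was accepted"
        return False, f"{code}: relay refused"
    if kind == "unknown_local":
        if accepted:
            return True, f"{code}: unknown local user accepted at RCPT; the server will generate NDRs for it"
        return False, f"{code}: unknown recipient refused at RCPT time"
    raise ValueError(f"unknown probe kind {kind!r}")


def probe(host, local_domain, port=25, timeout=20):
    """Run both probes and return {kind: (problem?, text)}.  Nothing is ever sent: we stop before DATA."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.example.invalid")
        probes = (("unknown_local", f"{UNKNOWN_USER}@{local_domain}"),
                  ("relay", OUTSIDE_RCPT))
        for kind, rcpt in probes:
            code, msg = s.mail(PROBE_SENDER)
            if not 200 <= code < 300:
                # MAIL FROM refused (e.g. a sender-domain DNS check): this probe cannot be run this way
                results[kind] = (None, f"MAIL FROM refused: {code} {msg.decode(errors='replace')}")
                s.rset()
                continue
            code, msg = s.rcpt(rcpt)
            results[kind] = rcpt_verdict(kind, code)
            s.rset()  # abort the transaction; the next probe starts clean
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <mail-host> <local-domain>")
    for kind, (problem, text) in probe(sys.argv[1], sys.argv[2]).items():
        state = "PROBLEM" if problem else ("ok" if problem is False else "untestable")
        print(f"{kind:14} {state:10} {text}")
```

Expected on a correctly configured Exchange 2003 box: `relay` gets a 550 5.7.1 "Unable to relay" and `unknown_local` gets a 550 as well. A 250 on `unknown_local` followed by a bounce to the forged sender is exactly the backscatter pattern the earlier reply calls NDR spam, and it shows up in usage reports as mail your server sent.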
On Tue, 8-Sep-09 07:05:06 GMT, Borec wrote:

[ snip ]

Sorry for the big 'snip', but there was a lot of "stuff" in the thread that wasn't really pertinent any more.

Okay, your server rejects unknown addresses. That's a "good thing". :-)

It also accepts mail from its own domain. That's not such a good thing. :-(

As an example, here (one of the lines from your log file) you have an IP address that's got a really crappy reputation (see http://www.trustedsource.org/query/124.121.164.27), and appears in DNSBLs ([...]toolbox.com/SuperTool.aspx?action=blacklist%3a124.121.164.27). It's not a server you manage, yet it's sending email /FROM/ your domain _to_ your domain. This is almost certainly a case of address spoofing.

124.121.164.27, ppp-124-121-164-27.revip2.asianet.co.th, 7/09/2009, 0:00:07, SMTPSVC1, SERVER, 192.168.0.2, 0, 44, 47, 250, 0, MAIL, -, FROM:<amilton@ssaavic.com.au>,

Your most effective defense against this (assuming you have a separate server that deals with inbound email from the Internet) is to block mail from that domain.

Your second best defense is to create an SPF record in your external DNS. Assuming you have only one server that delivers email to the Internet it can be as simple as this:

ssaavic.com.au IN TXT "v=spf1 ip4:61.9.141.42 -all"

See http://www.openspf.org for an explanation.

Be sure to set the Exchange "Perimeter IP List and Internal IP Range Configuration" on the "General" tab of the "Message Delivery" object ([...] does the thing -- I know it loves to use wizards even for simple tasks like this). You want to make sure your internal network is listed.

Also click the "Sender ID Filtering" tab and select an appropriate action for the server to take when spoofing is detected.

If you have POP3/IMAP users that must use your SMTP server as a relay you must make sure they authenticate and don't use anonymous connections. Otherwise their email will be rejected (or whatever else you want).

On the SMTP Virtual Server, click the "Advanced..." button on the "General" tab. Then click the "Edit..." button. Then check the "Apply Sender ID Filter" box.

If you're not already using IMF I'd suggest that you start using it, too.

I'm not a big fan of using DNSBLs (they block connections, not spam), but you might consider using one. Pick a reputable one and keep an eye on legitimate connections not being able to send you email.

Configure the DNSBL on the "Connection Filtering" tab on the "Message [...]. Don't forget to enable it on the SMTP Virtual Server, too.
Rich Matheisen
MCSE+I, Exchange MVP
September 12th, 2009 4:00am
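The SPF record suggested in the reply above works because a receiver that checks SPF (or Exchange's Sender ID filter, which consults the same TXT record) compares the connecting client's IP against the mechanisms in the record, left to right, and takes the qualifier of the first match; `-all` at the end turns every other IP into a fail. The evaluator below is an added example written for this thread, not code from openspf.org, from the reply's author or from Microsoft. It implements only the `ip4`, `ip6` and `all` mechanisms, which is all a single-server record needs and is enough to evaluate offline (`a`, `mx` and `include` need DNS and raise an error here), and the IPs are the ones that appear in the thread. It also shows a practitioner caveat: the version tag must be exactly `v=spf1`; a record with any other tag is not an SPF record and receivers ignore it, so the domain gets no protection at all.

```python
"""Minimal offline SPF evaluator (ip4 / ip6 / all only).  Added example for the
thread; the record and IPs are the ones discussed above."""
import ipaddress

SPF_RECORD = "v=spf1 ip4:61.9.141.42 -all"   # the single-server record suggested in the reply

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Return [(qualifier, mechanism, argument), ...] or None if txt is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None                     # wrong/missing version tag: receivers ignore the whole record
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) are not handled by this example
            continue
        qualifier = "+"                 # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_spf(txt, client_ip):
    """Evaluate the record for a connecting client IP: pass/fail/softfail/neutral/none."""
    mechanisms = parse_spf(txt)
    if mechanisms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in mechanisms:
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # "61.9.141.42" becomes a /32
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism {name!r} needs DNS lookups; not implemented in this offline example")
    return "neutral"                    # no mechanism matched and no 'all' term: RFC 7208 default


if __name__ == "__main__":
    for ip in ("61.9.141.42", "124.121.164.27", "190.0.79.100"):
        print(f"{ip:16} {check_spf(SPF_RECORD, ip)}")
    print("misspelled tag :", check_spf("v=spfv1 ip4:61.9.141.42 -all", "124.121.164.27"))
```

With the record as suggested, the thread's own MX address 61.9.141.42 passes and the spoofing hosts from the log (124.121.164.27, 190.0.79.100) fail, which is what the Sender ID filter action on the "Message Delivery" properties then acts on. If other systems legitimately send as ssaavic.com.au (a hosted newsletter service, a web form on another host), list them too or use `~all` while you are still discovering senders; a `-all` record that omits a legitimate source gets that source's mail rejected by every receiver that enforces SPF.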