Open Relay or Not?
I am getting several thousand messages the last couple of days that make me think someone is relaying mail through my Exchange 2003 server. Every time I test the server it says I am not running an open relay, and I have made every effort to not run an open relay. Anyway, here is the failure, with the recipient modified just in case the address is or will be real:

    Your message
    Subject: Verify Your Identity
    Sent: Thu, 24 Jul 2008 16:41:30 -0500
    did not reach the following recipient(s):
    example@aol.com on Thu, 24 Jul 2008 20:13:47 -0500
    There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
    <MAILSERVER.servername.com #5.5.0 smtp;550 MAILBOX NOT FOUND>

Sometimes there are several email addresses listed that failed. This is an obvious phishing scam trying to get the user to believe there is a problem with their PayPal account, in order that they will log in to their phony site and enter their username and password. I have my SMTP server set to only allow internal addresses to relay, but to allow those who authenticate to relay regardless of IP address. Is this just a case of someone having one of my users' information and actually authenticating? Are there other ways of relaying? Thanks for anyone's help.
July 25th, 2008 4:20pm

I guess I'll reply to my own post. Since there are no replies, is my original post too vague? Just curious. If so please let me know. Thanks.
July 25th, 2008 8:03pm

If the relay test says that you are not running an open relay, then you are not running an open relay, period. Recently spammers have started to target servers that send notifications, like in the example you give. As the spam message has a return address in your mail organisation, the targeted server sends the notification to you. Some SMTP servers on the internet send notifications with the original message attached (including viruses). I have seen notifications like: "Your message was found to contain a virus, therefore I send it back to you". If you think that is stupid, you are right! Nevertheless it appears to be RFC-compliant. I became aware of this a month or so ago when certain recipients started to receive hundreds of notifications (500 in one hour in one case). The horror of this is that spam filters don't know how to handle this. The only thing I could do is filter out all notifications, throwing genuine ones out into the bargain. If you are still worried about the open relay, study the headers of the notification mail. Look at the IP addresses mentioned and find that none correspond with yours. Hope this helps.
July 27th, 2008 2:57pm
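The header check suggested in the reply above, worked through as an added example (not code from the thread): it parses a constructed DSN with Python's standard email library, collects the IPv4 addresses named in the Received headers of the attached original message, and compares them with the server's own addresses. 192.0.2.10 stands in for the Exchange server's public IP and the hostnames and addresses in the sample are constructed, not taken from the thread.

```python
import re
from email import message_from_string
from email.message import Message

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample (not from the thread): a DSN whose attached original names
# our domain as sender but was injected at the remote MX from 203.0.113.45.
SAMPLE_BOUNCE = """\
Received: from mx.aol.example (mx.aol.example [198.51.100.7])
\tby MAILSERVER.servername.com with ESMTP; Thu, 24 Jul 2008 20:13:47 -0500
From: Mail Delivery System <MAILER-DAEMON@aol.example>
To: user@servername.com
Subject: Undeliverable: Verify Your Identity
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

550 MAILBOX NOT FOUND

--B1
Content-Type: message/rfc822

Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.aol.example with SMTP; Thu, 24 Jul 2008 16:41:30 -0500
From: user@servername.com
To: example@aol.com
Subject: Verify Your Identity

Please verify your account.

--B1--
"""

def received_ips(msg: Message) -> set[str]:
    """IPv4 addresses named in this part's own Received headers."""
    return {ip for h in msg.get_all("Received", []) for ip in IPV4.findall(str(h))}

def classify_bounce(raw: str, own_ips: set[str]) -> dict:
    """Decide whether the mail a DSN complains about really passed through us."""
    bounce = message_from_string(raw)
    # The attached original's Received headers live in nested parts (walk()
    # descends into message/rfc822), never in the DSN's own header block.
    original_ips = set().union(*(received_ips(p) for p in bounce.walk() if p is not bounce))
    # Our IP in the original's hop list means it really left our server
    # (check authenticated submissions); otherwise it is backscatter.
    verdict = "relayed" if own_ips & original_ips else "backscatter"
    return {"bounce_path_ips": received_ips(bounce), "original_ips": original_ips, "verdict": verdict}
```

Run it over the DSNs piling up in the mailbox; a "relayed" verdict is the one that warrants looking at the server's authenticated SMTP submissions, while "backscatter" means the sender address was simply forged elsewhere.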

I forgot to mention that if your server sends notifications, spammers could use it in the way I mentioned in the previous post. The effect is that your server acts as an open relay (being totally RFC-compliant). I use a separate server for receiving mail (SurfControl). The firewall settings are such that it can receive on port 25, but not send on port 25. Perhaps Exchange can be configured not to send notifications, but that would be a first, because every email server I have seen does it. SurfControl can be configured in such a way that it doesn't feel the need to do so, but it still doesn't have a setting "DO NOT SEND NOTIFICATIONS FOR WHATEVER REASON!!!!!", so I cannot be absolutely sure it doesn't. I have yet to find email software that is just right.
July 27th, 2008 8:44pm
