spam - relay
Hi,
I had an attack of spam from the email address: svenmodel@ibibo.com
I have reviewed the relay with the 28 tests from http://www.test-smtp.com and they tell me that all tests succeeded, relay not accepted.
I have not changed anything on the Exchange Server 2003, and it was filling the postmaster@mydomain.com queues.
How did it happen? Can I tell if some user logged in?
Once the domain was locked in spam, the Exchange itself has not returned to sending mail, but my concern is great.
Thanks mates.
Thanks mates.
December 17th, 2011 5:25am
Hi,
Probably it was trying several recipients for your domain, since you have confirmed you are not an open relay. This will cause several NDRs to be delivered to the configured postmaster e-mail address.
To prevent this kind of spam I would recommend having a look at these articles on how to configure several features to prevent spam:
Use RBLs: http://support.microsoft.com/kb/823866
Recipient filtering: http://support.microsoft.com/kb/886208
Tarpitting: http://support.microsoft.com/kb/842851
Regards
Johan
Exchange-blog: www.johanveldhuis.nl
December 17th, 2011 6:56am
Thanks for the reply, but all these measures were already implemented. All courier since yesterday afternoon.
Could it be that a user is authenticated / internal pwd? Regards
December 17th, 2011 7:13am
On Sat, 17 Dec 2011 10:19:26 +0000, ThorElPoderoso wrote:
>Hi, I had an attack of spam from the email address: svenmodel@ibibo.com I have reviewed the relay with the 28 tests from http://www.test-smtp.com and they tell me that all tests succeeded, relay not accepted. I have not changed anything on the Exchange Server 2003, and it was filling the postmaster@mydomain.com queues. How did it happen? Can I tell if some user logged in? Once the domain was locked in spam, the Exchange itself has not returned to sending mail, but my concern is great. Thanks mates.
Your SMTP protocol log should show you if AUTH was being used to log
in and send those messages as an authenticated user. Exchange 2003
very nicely puts the account and password into the log files. All you
need to do is decode them from base64 to plain text (there are several
web sites that offer base64 decoding) to discover the account with the
cracked password -- if that's your problem.
You may also find those authentication successes in your application
log file if you have the diagnostics logging level set sufficiently
high.
If you don't need SMTP from the Internet you can simply disable the
ability of authenticated users to relay. That kills the exploit pretty
quickly.
---
Rich Matheisen
MCSE+I, Exchange MVP
December 17th, 2011 5:08pm
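The log check Rich describes above, as an added example that is not part of this thread: a small Python script that reads an Exchange 2003 SMTP virtual-server protocol log in W3C extended format, follows each AUTH LOGIN exchange, decodes only the base64 username token (the password token is counted but never decoded or stored), and reports which accounts then sent MAIL commands from which source IPs and how many logins failed. The sample log is constructed, and it assumes the client's base64 tokens are logged in the cs-method column; check the #Fields: header of your own log before trusting the column mapping.

```python
import base64
from collections import defaultdict

# Constructed sample Exchange 2003 SMTP protocol log (W3C extended format); column names come from the #Fields: header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2011-12-17 10:19:26 203.0.113.5 - SMTPSVC1 AUTH LOGIN 334
2011-12-17 10:19:27 203.0.113.5 - SMTPSVC1 dXNlcjE= - 334
2011-12-17 10:19:27 203.0.113.5 - SMTPSVC1 aHVudGVyMg== - 235
2011-12-17 10:19:28 203.0.113.5 user1 SMTPSVC1 MAIL +FROM:<spam@example.test> 250
2011-12-17 10:19:30 203.0.113.5 user1 SMTPSVC1 MAIL +FROM:<spam@example.test> 250
2011-12-17 10:19:31 198.51.100.9 - SMTPSVC1 AUTH LOGIN 334
2011-12-17 10:19:31 198.51.100.9 - SMTPSVC1 dXNlcjE= - 334
2011-12-17 10:19:32 198.51.100.9 - SMTPSVC1 bm9wZQ== - 535
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def audit_auth(text):
    """Map each AUTH LOGIN account to its source IPs, MAIL commands sent and failed logins; passwords are never kept."""
    report = defaultdict(lambda: {"ips": set(), "sent": 0, "failed": 0})
    pending = {}       # c-ip -> ("user"|"pass", username) for an in-progress AUTH LOGIN
    session_user = {}  # c-ip -> account that authenticated successfully (status 235)
    for rec in parse_w3c(text):
        ip, verb, status = rec["c-ip"], rec["cs-method"], rec["sc-status"]
        if verb == "AUTH" and rec["cs-uri-query"].upper() == "LOGIN":
            pending[ip] = ("user", None)
        elif pending.get(ip, ("",))[0] == "user":    # next client token is the base64 username
            try:
                pending[ip] = ("pass", base64.b64decode(verb, validate=True).decode("utf-8", "replace"))
            except ValueError:                       # not base64: the exchange was abandoned
                del pending[ip]
        elif pending.get(ip, ("",))[0] == "pass":    # password token; the status code gives the outcome
            user = pending.pop(ip)[1]
            if status == "235":
                session_user[ip] = user
                report[user]["ips"].add(ip)
            else:
                report[user]["failed"] += 1
        elif verb == "MAIL" and ip in session_user:
            report[session_user[ip]]["sent"] += 1
    return dict(report)
```

An account that appears with several source IPs, a burst of MAIL commands, or many failures before a success is the one whose password needs resetting.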
If you don't need SMTP from the Internet you can simply disable the ability of authenticated users to relay.
How do I do it?
December 22nd, 2011 1:05pm
On Thu, 22 Dec 2011 18:04:15 +0000, ThorElPoderoso wrote:
>If you don't need SMTP from the Internet you can simply disable the ability of authenticated users to relay.
>
>How do I do it?
What release of Exchange are you using?
---
Rich Matheisen
MCSE+I, Exchange MVP
December 22nd, 2011 5:57pm
Exchange 2003
December 23rd, 2011 2:09pm
On Fri, 23 Dec 2011 19:09:02 +0000, ThorElPoderoso wrote:
>Exchange 2003
On the property page of the SMTP Virtual Server, select the "Access"
tab and click the "Relay..." button. Uncheck the box labeled "Allow
all computers which . . .".
---
Rich Matheisen
MCSE+I, Exchange MVP
December 23rd, 2011 2:25pm
If you disable this option, will external users who have configured POP3, IMAP4 and mobile devices (iPad, iPhone, HTC) still work properly?
December 26th, 2011 6:56am
On Mon, 26 Dec 2011 11:55:17 +0000, ThorElPoderoso wrote:
>If you disable this option, will external users who have configured POP3, IMAP4 and mobile devices (iPad, iPhone, HTC) still work properly?
Not if they depend on using AUTH to enable them to relay. Your
alternative is to enforce the use of strong passwords that are changed
regularly.
---
Rich Matheisen
MCSE+I, Exchange MVP
December 26th, 2011 10:10pm
Hi,
The configuration I have in the SMTP Relay Restrictions is:
The authentication configuration is:
I have this setup in users:
Check Allow Submit Permission and Relay Permission
Uncheck Deny Submit Permission and Relay Permission
I tried with external configuration POP3/IMAP4/OWA (all with authentication) with HTC Android/Windows (Exchange) and with iPad/iPhone (Exchange) and it is working properly.
Is that configuration correct? Or should I put my server IP in the list of computers...
Note: before, the option "Allow all computers ...." was checked.
December 27th, 2011 3:19am