Exchange Server - Exchange Server Queues Full of Bogus Messages
Asked By Chaplain Doug on 01-Apr-10 10:35 AM
I noticed that my Exchange Server 2003 has hundreds of queues containing
messages from outside our domain TO outside our domain, like some spammer is
using my server to relay messages.
The sender is BANCA POPOLARE DI BARI <securizza@bpr.it>
and the recipients are all in foreign domains
How can I prevent this and how did this happen?
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
Lee Derbyshire [MVP] replied to Chaplain Doug on 01-Apr-10 10:43 AM
What settings do you have configured on the Relay tab of the properties of
your Default SMTP Virtual Server?
Lee.
--
______________________________________
Outlook Web Access For PDA , OWA For WAP
www.leederbyshire.com
lee a.t leederbyshire d.o.t c.o.m
______________________________________
Chaplain Doug replied to Chaplain Doug on 01-Apr-10 11:13 AM
Windows Server 2003 R2. Exchange Server 2003. I have relaying disabled.
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
chaplaindoug replied to Lee Derbyshire [MVP] on 01-Apr-10 11:30 AM
What settings do you have configured on the Relay tab of the properties of
your Default SMTP Virtual Server?
Lee.
Lee:
The relay restrictions are set to allow relaying only from the list of
computers. The list is empty.
Under permissions for submit and relay, authenticated users can submit
but not relay, domain users can submit and relay.
--
chaplaindoug
http://forums.slipstick.com
Lee Derbyshire [MVP] replied to Chaplain Doug on 01-Apr-10 11:24 AM
Try one of the online relay tests, like this one:
http://www.mxtoolbox.com/diagnostic.aspx
Lee.
--
______________________________________
Outlook Web Access For PDA , OWA For WAP
www.leederbyshire.com
lee a.t leederbyshire d.o.t c.o.m
______________________________________
Chaplain Doug replied to Lee Derbyshire [MVP] on 01-Apr-10 11:29 AM
The relay restrictions are set to allow relaying only from the list of
computers. The list is empty.
Under permissions for submit and relay, authenticated users can submit but
not relay, domain users can submit and relay.
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
Jeff Vandervoort replied to Chaplain Doug on 01-Apr-10 12:09 PM
Are they just NDRs for spam sent to non-existent users on your domain?
Provided you are not an open relay, that is likely what they are.
--
Jeff Vandervoort
JRVsystems
http://www.jrvsystems.com
Chaplain Doug replied to Lee Derbyshire [MVP] on 01-Apr-10 12:12 PM
Lee:
Here are the results. It says, "Not an open relay." How could this
phenomenon then be happening with an apparent email from an external domain
being sent to other external domains and ending up in my Exchange queues?
220 mail.goodnewsjail.org Microsoft ESMTP MAIL Service, Version:
6.0.3790.3959 ready at Thu, 1 Apr 2010 12:06:29 -0400
Not an open relay.
0 seconds - Good on Connection time
0.218 seconds - Good on Transaction time
OK - 74.94.213.106 resolves to mail.goodnewsjail.org
OK - Reverse DNS matches SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 mail.goodnewsjail.org Hello [64.20.227.133] [47 ms]
250 2.1.0 supertool@mxtoolbox.com....Sender OK [62 ms]
550 5.7.1 Unable to relay for test@example.com [47 ms]
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
Chaplain Doug replied to Lee Derbyshire [MVP] on 01-Apr-10 12:17 PM
Lee:
When I look at one of the messages in an Exchange queue, it has no
recipients on the list that are within my domain. So again, how might it be
getting in my queues? My server name is GNServer and domain
goodnewsjail.org. Here is the message ID, sender, and recipient list for one
message:
Message ID: <GNSERVERbKy5Ekfq79P00011f4a@mail.goodnewsjail.org>
Sender: "BANCA POPOLARE DI BARI"<securizza@bpr.it>
Envelope Recipients:
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
Chaplain Doug replied to Jeff Vandervoort on 01-Apr-10 01:05 PM
No, there are more (and the bulk of them) that are not NDRs. They are
messages being sent from an email address outside our domain to email
addresses outside our domain (goodnewsjail.org). I have tested and checked
all settings to ensure I am not an open relay (which is the way I configured
2 years ago). The following is an example of the foreign messages ending up
in our queues:
Message ID: <GNSERVER0R1hY55ZodT000115f1@mail.goodnewsjail.org>
Sender: "BANCA POPOLARE DI BARI"<securizza@bpr.it>
Envelope Recipients:
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
David Kerber replied to Chaplain Doug on 01-Apr-10 02:12 PM
Maybe somebody guessed a user ID and password, and is authenticating and
using you as a relay? It happened to me once.
D
Chaplain Doug replied to David Kerber on 01-Apr-10 03:55 PM
David:
I read that elsewhere and it is entirely possible, as we have numerous field
personnel, some with uncomplicated passwords. If a spammer guessed or stole
a username and password, how would he use it to relay messages?
Also, the offending sender (and domain) is the same with all these bogus
relayed emails. Is there a way in Exchange that I can block them from ever
getting to a queue until I can change all the passwords?
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
David Kerber replied to Chaplain Doug on 02-Apr-10 08:07 AM
If you allow authenticated users to use your system as a relay, then the
attacker could do it as well. That's not the same as being an OPEN
relay, and is probably a separate setting.
I do not know. I just disallowed all relays, including authenticated
ones. It seems like you should be able to block connections from a
specific sending domain, though I do not know how off the top of my head.
D
SG_Dan replied to chaplaindoug on 09-Apr-10 05:59 PM
I cannot say I know for sure, but I encountered a situation similar to this,
and it turned out to be an outside entity using OWA to send bulk SPAM
messages. These messages were crafted so they looked like they were coming
from another domain, and only after reading the SMTP logs did we determine
what IPs to block. We are on Exchange 2007 so it made such investigation
easier, but I believe the logic is available for 2003 as well. Check for
logging.
Good Luck!
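David Kerber's point that an account allowed to relay works just as well for whoever guessed its password, and SG_Dan's advice to read the SMTP logs to find the source, as an added example that is not from the thread. It assumes W3C-style SMTP protocol log lines of the kind the SMTP service behind Exchange 2003 writes (column names in a `#Fields:` header, `cs-method` holding the SMTP verb, `cs-uri-query` its argument, `sc-status` the reply code); the field subset and the sample lines are constructed, and the local domain is the thread's.

```python
from collections import defaultdict

LOCAL_DOMAINS = {"goodnewsjail.org"}  # the thread's domain; change for your server

# Constructed sample log: a guessed account relaying for an outside sender,
# a normal inbound delivery, and an unauthenticated relay attempt refused.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2010-04-01 10:00:02 203.0.113.7 GNSERVER\\jsmith AUTH - 235
2010-04-01 10:00:03 203.0.113.7 GNSERVER\\jsmith MAIL +FROM:<securizza@bpr.it> 250
2010-04-01 10:00:04 203.0.113.7 GNSERVER\\jsmith RCPT +TO:<laura@example.it> 250
2010-04-01 10:00:05 203.0.113.7 GNSERVER\\jsmith RCPT +TO:<ntn@example.it> 250
2010-04-01 10:05:00 198.51.100.9 - MAIL +FROM:<friend@example.com> 250
2010-04-01 10:05:01 198.51.100.9 - RCPT +TO:<doug@goodnewsjail.org> 250
2010-04-01 10:06:00 192.0.2.55 - MAIL +FROM:<x@example.org> 250
2010-04-01 10:06:01 192.0.2.55 - RCPT +TO:<y@example.net> 550
"""

def extract_address(arg):
    """'+FROM:<user@dom>' or '+TO:<user@dom>' -> 'user@dom' (lower-cased)."""
    start, end = arg.find("<"), arg.find(">")
    return (arg[start + 1:end] if 0 <= start < end else arg).lower()

def is_local(address, local_domains):
    return address.rsplit("@", 1)[-1] in local_domains

def find_relays(log_text, local_domains=LOCAL_DOMAINS):
    """Map (client IP, authenticated user) -> [(sender, recipient), ...] for
    every accepted RCPT where neither envelope address is in local_domains."""
    fields, last_sender, relays = [], {}, defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column names for what follows
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        ip, verb, arg = rec["c-ip"], rec["cs-method"], rec["cs-uri-query"]
        if verb == "MAIL":
            last_sender[ip] = extract_address(arg)   # envelope sender per client
        elif verb == "RCPT" and rec["sc-status"] == "250":
            sender, rcpt = last_sender.get(ip, ""), extract_address(arg)
            if not is_local(sender, local_domains) and not is_local(rcpt, local_domains):
                relays[(ip, rec["cs-username"])].append((sender, rcpt))
    return dict(relays)

if __name__ == "__main__":
    for (ip, user), pairs in find_relays(SAMPLE_LOG).items():
        print(f"{ip} as {user}: relayed {len(pairs)} external recipient(s) "
              f"for sender(s) {sorted({s for s, _ in pairs})}")
```

Any (IP, username) pair the summary reports is an account whose password should be reset and a client address worth blocking; a 550 on RCPT, as in the last sample line, is the refusal an unauthenticated relay attempt should get.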