Re: SBS2003 Exchange setup by Paul
Paul
Fri May 09 13:47:47 PDT 2008
Sorry, I forgot to mention those settings:
Submit - Authenticated Users Only
Relay - Nothing checked
After checking some block lists, I am going to have to agree with you. We
may not be sending out anything.
I do get bounce backs from addresses that I (or anyone else) haven't sent
to. Is this a new spamming technique?
Thanks,
Paul Smith
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:OHWLyvfsIHA.3680@TK2MSFTNGP05.phx.gbl...
> Paul Smith <psmith@newwavecomm.net> wrote:
>> Thanks for the prompt reply Lanwench.
>>
>> I do have all those things enabled
>
> What about disabling authenticated relay? Do that in the properties of
> your VSMTP server.
>
>> and am using 2 blocking services
>> (which does a very good job of limiting inbound spam).
>> So even though spammers addresses show up in Current Sessions, they
>> are not 'Sending Mail Out'?
>
> No. Anyone who is sending mail *to* your recipients will show up in there.
>>
>> How would I find the evidence that they are sending out mail using our
>> server?
>
> Um - find out whether someone out there on the Internets received spam
> sent from your SMTP server :-)
> Seriously, you haven't got any reason to think you're being used as a
> relay. What makes you think you *are*?
>
>> I have used Message Tracking Center and didn't find anything
>> there.
>>
>> Thanks again for all your help,
>> Paul Smith
>>
>>
>> Open Relay Test Results (I had to disable connection filtering to get
>> these results since the site I used (dnsgoodies.com) is reported to
>> Spamhaus as a spammer):
>
> Just FYI, you can test your relay settings without this - just do a telnet
> session. :-)
>>
>> Open SMTP Relay Check: mail.computersmarts.biz
>>
>> << 220 computersmarts.biz Microsoft ESMTP MAIL Service,
>> Version: 6.0.3790.3959 ready at Fri, 9 May 2008 12:01:18 -0500
>> >> HELO 192.168.2.220
>> << 250 computersmarts.biz Hello [206.113.12.220]
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<spammee@70.251.220.81>
>> << 550 5.7.1 Unable to relay for spammee@70.251.220.81
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<"spammee@70.251.220.81">
>> << 550 5.1.1 User unknown
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:spammee@70.251.220.81
>> << 550 5.7.1 Unable to relay for spammee@70.251.220.81
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer>
>> << 250 2.1.0 spammer@computersmarts.biz....Sender OK
>> >> RCPT TO:<spammee@70.251.220.81>
>> << 550 5.7.1 Unable to relay for spammee@70.251.220.81
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<spammee%70.251.220.81@mail.computersmarts.biz>
>> << 550 5.1.1 User unknown
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<spammee@70.251.220.81@mail.computersmarts.biz>
>> << 501 5.5.4 Invalid Address
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<70.251.220.81!spammee@mail.computersmarts.biz>
>> << 550 5.1.1 User unknown
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<@mail.computersmarts.biz:spammee@70.251.220.81>
>> << 550 5.7.1 Unable to relay for spammee@70.251.220.81
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@192.168.2.220>
>> << 250 2.1.0 spammer@192.168.2.220....Sender OK
>> >> RCPT TO:<70.251.220.81!spammee>
>> << 550 5.1.1 User unknown
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<>
>> << 250 2.1.0 <>....Sender OK
>> >> RCPT TO:<spammee@70.251.220.81>
>> << 550 5.7.1 Unable to relay for spammee@70.251.220.81
>> >> RSET
>> << 250 2.0.0 Resetting
>>
>> >> MAIL FROM:<spammer@mail.computersmarts.biz>
>> << 250 2.1.0 spammer@mail.computersmarts.biz....Sender OK
>> >> RCPT TO:<spammee@70.251.220.81>
>> << 550 5.7.1 Unable to relay for spammee@70.251.220.81
>> >> RSET
>>
>>
>> Good News!
>> All tests for an open relay on your mail server failed.
>> Your mail server does not allow open relay.
>
> There you go.
>
> I'd also make sure that your firewall or ISA rules block your workstation
> IPs from connecting to anything out on the web unless using ports 80 or
> 443 so they can't connect to external SMTP servers to send mail (if they
> get hijacked).
>
>
>>
>>
>> "Lanwench [MVP - Exchange]"
>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
>> message news:udxuRsdsIHA.1768@TK2MSFTNGP03.phx.gbl...
>>> Paul <psmith@computersmarts.biz> wrote:
>>>> Greetings,
>>>>
>>>> I am having one hell of a time getting Exchange secured. No matter
>>>> what I do (it seems), I can not keep spammers from connecting to
>>>> Exchange. I have tested for an open relay at several sites and I
>>>> pass with flying colors, but when I look under Default SMTP Virtual
>>>> Server > Current Sessions, there are always spammers connected. I also get
>>>> this in the server report: smtpsvc 402 5/8/2008 12:15 PM 13 *
>>>> Virtual Server 1: 77.241.36.5 maximum number of connections has been
>>>> reached. Connection being closed.
>>>>
>>>> I did drop the maximum connections allowed down to 10 until I get
>>>> this resolved, so that might explain that error.
>>>>
>>>> The odd part is that I can't find the mail that they are sending out
>>>> by going to Message Tracking Center. It looks like we (authorized
>>>> users) are the only ones sending mail.
>>>>
>>>> Any help is GREATLY appreciated.
>>>>
>>>> Paul Smith
>>>
>>> You can disable even *authenticated* relay (I never leave this
>>> enabled, just because). Note however that it's most likely that
>>> these connections are spammers trying to send mail *to* you and not
>>> *through* you - and their crap is being filtered out.
>>>
>>> You haven't provided evidence here that you are being used as a
>>> relay....make sure you've got the IMF, recipient / sender filtering &
>>> perhaps also an RBL (zen.spamhaus.org) in your Exchange config.
>
>
>
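Added example, not part of the original thread: a small Python audit of a relay-check transcript like the one quoted above (quote prefixes stripped), which pairs each RCPT TO probe with the server's reply and flags any 2xx as an accepted relay. The function names, host names and addresses are assumptions made for illustration, and the sample transcript is constructed, including a final 250 that the server in the thread never returned.

```python
import re

# Constructed transcript in the relay checker's ">> sent / << received" notation.
# Hosts and addresses are placeholders; the final 250 to RCPT TO is invented to
# show what a relaying server would answer and is not from the thread.
SAMPLE = """\
>> MAIL FROM:<spammer@192.0.2.10>
<< 250 2.1.0 spammer@192.0.2.10....Sender OK
>> RCPT TO:<spammee@198.51.100.7>
<< 550 5.7.1 Unable to relay for spammee@198.51.100.7
>> RSET
<< 250 2.0.0 Resetting
>> MAIL FROM:<spammer@192.0.2.10>
<< 250 2.1.0 spammer@192.0.2.10....Sender OK
>> RCPT TO:<spammee%198.51.100.7@mail.example.test>
<< 550 5.1.1 User unknown
>> RSET
<< 250 2.0.0 Resetting
>> MAIL FROM:<>
<< 250 2.1.0 <>....Sender OK
>> RCPT TO:<spammee@198.51.100.7>
<< 250 2.1.5 spammee@198.51.100.7
"""

LINE = re.compile(r"^(>>|<<)\s*(.*)$")
FINAL_REPLY = re.compile(r"^(\d{3})(?: |$)")  # "250-..." continuation lines are skipped

def audit_relay_transcript(text):
    """Return (mail_from, rcpt_to, code, verdict) for each RCPT TO probe.
    Assumes every probed recipient is external, as in a relay check."""
    results, mail_from, rcpt = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped banner text or blank line
        direction, body = m.groups()
        if direction == ">>":
            upper = body.upper()
            if upper.startswith("MAIL FROM:"):
                mail_from = body[len("MAIL FROM:"):].strip()
            rcpt = body[len("RCPT TO:"):].strip() if upper.startswith("RCPT TO:") else None
        elif rcpt is not None and (r := FINAL_REPLY.match(body)):
            code = int(r.group(1))
            verdict = {2: "relay accepted", 4: "deferred"}.get(code // 100, "rejected")
            results.append((mail_from, rcpt, code, verdict))
            rcpt = None
    return results

def relays_for_strangers(results):
    """True if any probe got a 2xx, i.e. the server agreed to forward the mail."""
    return any(verdict == "relay accepted" for *_, verdict in results)
```

A 550 5.1.1 "User unknown" and a 550 5.7.1 "Unable to relay" both count as rejections here; only a 2xx reply to an external recipient indicates relaying.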