  #16
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    So, even though nothing defines a local user account, one can log in and provide addresses as though it's not the account that logged in?

    Wouldn't SOMETHING define the account that was logged in?
  #17
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    May 2004
    Location
    surfing the interwebz
    Posts
    2,410
    Rep Power
    2005
    IP addresses are spoofed all the time; just because it doesn't appear to be a local IP address doesn't mean it's not. You can try using Wireshark to see if there's a machine on your LAN spamming info out.
  #18
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    Well, shouldn't be anything internal. I made the server completely independent, and disabled all but my account. I changed my password, and the server appears to still be relaying emails.

    This leaves me at a huge loss. Only 1 account on the server. Account has new password. All tests define the server as NOT an open relay. Yet messages still going through. :-/
  #19
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    45
    I used telnet to access your server on port 25:
    <--- 220 hellzone1.hellzone.local Microsoft ESMTP MAIL Service ready at Wed, 24 Jul 2013 10:35:45 -0500
    ---> EHLO me
    <-- 250-hellzone1.hellzone.local Hello [96.xx.xx.xx]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH NTLM LOGIN
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    ---> MAIL FROM:anyone"at"anywhere.com
    <--- 250 2.1.0 Sender OK
    ---> STARTTLS
    <--- 220 2.0.0 SMTP server ready

    I tried a RCPT TO: one of my own valid email addresses, and like it should, it refused to relay the message. But you can see it accepts any email address on the MAIL FROM:, and as I suspected, your server offers TLS and Authenticated Login. If you don't need it, turn off AUTH LOGIN. Also there is probably a generic administrative login which you should also disable if you don't need it. Or at least change the password on it.

    When examining the header on a message, each server that the message passes through adds its own "Received" line to the top of the message. So the "Received" lines are in reverse order. Because there is nothing to separate the SMTP header from the body of the message, spoofed received lines can be inserted at the top of the body of the message. This was common at one time, but is rarely used anymore because spammers use botnets from many different IP addresses. To verify that there are no spoofed lines, you have to examine all the received lines for consistency.

    J.A. Coutts

    Addendum: SpamCop offers a number of helpful suggestions on securing your mail server:
    http://www.spamcop.net/fom-serve/cache/372.html
    Last edited by couttsj; July 24th, 2013 at 11:59 AM.
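    The consistency check described in the post above, as an added example that is not part of the thread: it walks the Received chain newest-first and checks that each hop was received from the host the next (older) hop says it was received by, that timestamps do not increase going down the chain, and that no "Received:" text sits in the body. All hostnames, addresses, ids and messages are constructed sample data, and the "from ... by ..." parsing is a simplified reading of the usual Received syntax, not a full RFC 5321 parser.

```python
import email
import email.utils
import re

# Constructed sample headers (not from the thread): the newest hop is on top,
# and each hop's "from" host is the host the next hop down says it was
# received "by".
_GOOD_HEADERS = (
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby hellzone1.hellzone.local with ESMTP id abc123;\n"
    "\tWed, 24 Jul 2013 10:35:45 -0500\n"
    "Received: from mailhost.example.org (mailhost.example.org [203.0.113.9])\n"
    "\tby relay.example.net with ESMTP id def456;\n"
    "\tWed, 24 Jul 2013 10:35:40 -0500\n"
    "From: someone@example.org\n"
    "To: user@hellzone.local\n"
    "Subject: constructed test\n"
)

CLEAN_MESSAGE = _GOOD_HEADERS + "\nbody text\n"

# Same message with a "Received:" line pasted at the top of the body. Only the
# blank line separates header from body, so a casual reader sees a third hop.
BODY_SPOOF_MESSAGE = _GOOD_HEADERS + (
    "\nReceived: from trusted.example.com (trusted.example.com [192.0.2.1])\n"
    "\tby mailhost.example.org with ESMTP id zzz999;\n"
    "\tWed, 24 Jul 2013 10:35:30 -0500\n"
    "\nbody text\n"
)

# A header chain whose hops do not hand off to each other and whose
# timestamps run the wrong way: the signature of a forged Received line.
BROKEN_CHAIN_MESSAGE = (
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby hellzone1.hellzone.local with ESMTP id abc123;\n"
    "\tWed, 24 Jul 2013 10:35:45 -0500\n"
    "Received: from mailhost.example.org (mailhost.example.org [203.0.113.9])\n"
    "\tby other.example.net with ESMTP id def456;\n"
    "\tWed, 24 Jul 2013 10:36:40 -0500\n"
    "From: someone@example.org\n"
    "To: user@hellzone.local\n"
    "Subject: constructed test\n"
    "\nbody text\n"
)

# Simplified "from <host> ... by <host>" reading; the date follows the last ';'.
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")


def parse_hops(msg):
    """Return the Received hops top-down (newest first) as dicts."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        date = None
        if ";" in text:
            try:
                date = email.utils.parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                date = None
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "date": date,
        })
    return hops


def check_received_chain(raw_message):
    """Return a list of findings; an empty list means the chain is consistent."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. A server only ever prepends to the header. Any "Received:" text in the
    #    body was written by the sender.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for line in body.splitlines():
        if line.startswith("Received:"):
            findings.append("spoofed Received line in body: " + line)

    # 2. Walk the header chain newest-first: hop i was received *from* the host
    #    that hop i+1 says it was received *by*, and time must not increase
    #    as we go down the list.
    hops = parse_hops(msg)
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer["from"] and older["by"] and newer["from"] != older["by"]:
            findings.append("hand-off mismatch: hop %d from %s but hop %d by %s"
                            % (i, newer["from"], i + 1, older["by"]))
        if newer["date"] and older["date"] and newer["date"] < older["date"]:
            findings.append("timestamp out of order between hops %d and %d" % (i, i + 1))
    return findings


if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_MESSAGE),
                         ("body spoof", BODY_SPOOF_MESSAGE),
                         ("broken chain", BROKEN_CHAIN_MESSAGE)]:
        print(name, "->", check_received_chain(sample) or "consistent")
```

    On a real header the check is only as good as the hop you trust: start from the Received line your own server added (the topmost one) and work downward, since everything below it came from the sender's side of the connection and could have been forged before it reached you.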
  #20
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    Ok. After some browsing through my Events, I think I may have come across note of a user logging in...
    Code:
    An account was successfully logged on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    New Logon:
    	Security ID:		SYSTEM
    	Account Name:		HELLZONE1$
    	Account Domain:		HELLZONE
    	Logon ID:		0x4be403e
    	Logon GUID:		{51b492f7-1274-2b91-a65b-f44ff2c9bbe6}
    
    Process Information:
    	Process ID:		0x0
    	Process Name:		-
    
    Network Information:
    	Workstation Name:	
    	Source Network Address:	::1
    	Source Port:		25843
    
    Detailed Authentication Information:
    	Logon Process:		Kerberos
    	Authentication Package:	Kerberos
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    Replies here have brought up TLS and Authenticated Login. I had these enabled under belief that the whole point was a user HAD to have a local account, and be able to successfully login before accomplishing anything. Am I wrong with this?


    EDIT: Actually, I now see these logins are just local logins by the system. My bad.
    Last edited by Triple_Nothing; July 26th, 2013 at 09:22 AM.
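    The distinction the poster reached in the EDIT above, as an added example that is not part of the thread: a small triage of the 4624 event text that separates machine-account logons from the loopback address (expected) from network logons (type 3 or 8) by ordinary user accounts from outside the LAN, which are the ones to cross-check against the SMTP submission logs. The first event is a copy of the one pasted above; the second event, the account name "mailuser", its Logon ID and the source address are constructed, and 203.0.113.45 (a documentation range) stands in for a public address, so the code tests for RFC 1918 ranges explicitly instead of using Python's broader is_private.

```python
import ipaddress

# Copy of the event pasted above: a machine account (HELLZONE1$) logging on
# from the loopback address, which is normal Exchange/Windows behaviour.
SYSTEM_EVENT = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
\tLogon ID:\t\t0x0

Logon Type:\t\t\t3

New Logon:
\tSecurity ID:\t\tSYSTEM
\tAccount Name:\t\tHELLZONE1$
\tAccount Domain:\t\tHELLZONE
\tLogon ID:\t\t0x4be403e

Network Information:
\tWorkstation Name:\t
\tSource Network Address:\t::1
\tSource Port:\t\t25843

Detailed Authentication Information:
\tLogon Process:\t\tKerberos
\tAuthentication Package:\tKerberos
"""

# Constructed event (not from the thread): a user account authenticating over
# the network from an outside address with NTLM. A mail client looks like
# this, and so does anyone else who holds that user's password.
USER_EVENT = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
\tLogon ID:\t\t0x0

Logon Type:\t\t\t3

New Logon:
\tSecurity ID:\t\tHELLZONE\\mailuser
\tAccount Name:\t\tmailuser
\tAccount Domain:\t\tHELLZONE
\tLogon ID:\t\t0x5a1c2f0

Network Information:
\tWorkstation Name:\t
\tSource Network Address:\t203.0.113.45
\tSource Port:\t\t51234

Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
"""

NETWORK_LOGON_TYPES = {"3": "Network", "8": "NetworkCleartext"}
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_event(text):
    """Parse the tab-indented 4624 layout into {section: {field: value}}."""
    sections = {"": {}}
    current = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                                  # descriptive first line
        if not line.startswith("\t") and not value.strip():
            current = key.strip()                     # heading such as "New Logon:"
            sections[current] = {}
        elif not line.startswith("\t"):
            sections[""][key.strip()] = value.strip() # e.g. "Logon Type: 3"
        else:
            sections[current][key.strip()] = value.strip()
    return sections


def triage_logon(text):
    """Return (verdict, reason, info) for one 4624 event."""
    ev = parse_event(text)
    new_logon = ev.get("New Logon", {})
    info = {
        "account": new_logon.get("Account Name", ""),
        "source": ev.get("Network Information", {}).get("Source Network Address", ""),
        "type": ev[""].get("Logon Type"),
        "package": ev.get("Detailed Authentication Information", {}).get("Authentication Package"),
    }
    if info["account"].endswith("$") or new_logon.get("Security ID") == "SYSTEM":
        return "expected", "computer/system account logon", info
    if info["type"] not in NETWORK_LOGON_TYPES:
        return "review", "logon type %s is not a network logon" % info["type"], info
    try:
        addr = ipaddress.ip_address(info["source"])
    except ValueError:
        return "review", "no usable source address", info
    if addr.is_loopback:
        return "expected", "network logon from the local host", info
    if any(addr in net for net in LAN_RANGES):
        return "internal", "network logon from the LAN", info
    return "external", "%s logon by %s from outside address %s" % (
        info["package"], info["account"], info["source"]), info


def external_logons(events):
    """Count (account, source) pairs among external network logons: the
    credentials to reset and the addresses to look for in the SMTP logs."""
    counts = {}
    for text in events:
        verdict, _, info = triage_logon(text)
        if verdict == "external":
            key = (info["account"], info["source"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in (SYSTEM_EVENT, USER_EVENT):
        print(triage_logon(ev)[:2])
    print(external_logons([SYSTEM_EVENT, USER_EVENT, USER_EVENT]))
```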
  #21
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    Aight. I have disabled this one Receive Connector, and cleaned out my server's message queue, and have received no more of such into the server. This connector is focused on port 587, and these are really the only 2 screens to configure the rest. I noticed I do have Anonymous checked, but during setup, figured the reason for that is because an external server has no login access to such, so it needs to be as such to pass me my correct e-mails. Is there perhaps anything to be changed on one of these tabs? Thanks greatly for any input.
    Attached Images
  #22
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    I guess I'm wrong. Checked my mail today, and with that connector disabled, server still accepted a few hundred messages.
  #23
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    7
    Rep Power
    0

    Spam being sent thru Exchange

    Remember it's also possible for someone to guess a weak login password and then send spam. A good mail server will log who is logged in and sending from each IP, so you can just check the log, see who (which login) sent the message and change their password...
  #24
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    Well, I've knocked it down to JUST my account, and plenty strong password, but no help. I can be away from my computer for a couple days to rule out it being a virus on my PC using my e-mail program or something.
  #25
    Join Date
    Jul 2013
    Location
    Melbourne
    Posts
    43
    Rep Power
    0
    Originally Posted by Triple_Nothing
    I've let this go on too long, and need to figure out how to reject what my server will handle. Simply put, I just want it to accept a message that has a To or From address ending in a hosted domain. I currently get TONS of messages attempting to be routed through my server as spam which have nothing to do with any domain under my Accepted Domains. If anyone can help clean this up, that would be awesome! Thanks.
    Hi. This can be done in two ways: either you can block the IP address of the server hosting the spam mail, or you can add a specific domain with its IP address so that you receive mail only from the servers you allow.
    Just follow this link:

    http://technet.microsoft.com/en-us/l.../dd277329.aspx

    Please reply if it works.
  #26
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    677
    Rep Power
    7
    Well, I did have everything set up correctly from the beginning. I was kinda mistaken when I did not think it was an account thing after I disabled all accounts and changed my password. This did not appear to work, but the errors I continued to get were just for a couple of days, and they were retries of failed items. I did narrow it down to someone gaining access to my account somehow, so the change of my password did correct the problem. I just had to wait for the retries and such to finish and be cleared. Sorry I did not mention this when the issue was resolved.
    Last edited by Triple_Nothing; September 1st, 2013 at 12:08 PM.