How-to define what Microsoft Exchange 2007 accepts...?

#1 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    I've let this go on too long, and need to figure out how to reject what my server will handle. Simply put, I just want it to accept a message that has a To or From address ending in a hosted domain. I currently get TONS of messages attempting to be routed through my server as spam which have nothing to do with any domain under my Accepted Domains. If anyone can help clean this up, that would be awesome! Thanks.

#2 Contributing User, Devshed Regular (2000 - 2499 posts), joined May 2004, location: surfing the interwebz, 2,410 posts, rep power 2005

    Sounds like your server is set up as an open relay mail server; I'd start by ensuring that is not the case.

#3 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    Well, the tools out there seem to tell me I'm not an open relay, but I still get error messages in my inbox making it appear my server accepted the message from the sender, but failed to get it to its destination. Most are Undeliverable right away, but I do also get things saying that Exchange failed to connect to get the message to a server, and will try again later...

    As far as the mxtoolbox test, it appeared fine, but after my server hung up on it since the sender/receiver wasn't a domain of mine, it printed the error near the end:
    Code:
    220 hellzone1.hellzone.local Microsoft ESMTP MAIL Service ready at Wed, 10 Jul 2013 12:26:59 -0500 [655 ms]
     EHLO please-read-policy.mxtoolbox.com
     250-hellzone1.hellzone.local Hello [64.20.227.133]
     250-SIZE
     250-PIPELINING
     250-DSN
     250-ENHANCEDSTATUSCODES
     250-STARTTLS
     250-AUTH NTLM LOGIN
     250-8BITMIME
     250-BINARYMIME
     250 CHUNKING [686 ms]
     MAIL FROM: <supertool@mxtoolbox.com>
     250 2.1.0 Sender OK [686 ms]
     RCPT TO: <test@example.com>
     550 5.7.1 Unable to relay [5678 ms]
     QUIT
     
    SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)
     
    MXTB-PWS3v2 8611ms
    Last edited by Triple_Nothing; July 11th, 2013 at 01:47 AM.

#4 Contributing User, Devshed Newbie (0 - 499 posts), joined Aug 2011, 289 posts, rep power 45

    I am not familiar with Exchange Server, but it looks like it is doing what it is supposed to do. Mail servers generally do not care what the sending domain is, but if set up properly, they do care what the sending IP is because it is about the only thing that cannot be spoofed. The IP above belongs to MXToolBox, and your server refused to relay the message. My mail server can get thousands of such attempts per day, and if your server is generating messages back to you for each such attempt, then set it up so that it doesn't. Handling spam attempts is a normal part of operating a mail server.

    J.A. Coutts

#5 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    Well, that doesn't sound right. Unless it is an open relay, a mail server should be rejecting incoming mail if it is not to a supported domain, or from a logged-in user. Mine is accepting a random message and appears to be trying to relay it. The error descriptions are in reference to a third party.

    Code:
    kc8460@msn.com
    An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
    The following organization rejected your message: COL0-MC4-F1.Col0.hotmail.com.
    Code:
    info@kb-rbds.ru
    Microsoft Exchange has been trying to deliver this message without success and has stopped trying. Please try sending this message again, or provide the following diagnostic text to your system administrator.
    Code:
    This is an automatically generated Delivery Status Notification
    
    THIS IS A WARNING MESSAGE ONLY.
    
    YOU DO NOT NEED TO RESEND YOUR MESSAGE.
    
    Delivery to the following recipient has been delayed:
    
         daprix103@gmail.com
    
    Message will be retried for 1 more day(s)
    That's 3 different messages. None of which are attempted by a local user, or to a domain of a supported account.

#6 Contributing User, Devshed Newbie (0 - 499 posts), joined Aug 2011, 289 posts, rep power 45

    --> Connection from Sender (IP address recovered from TCP/IP data)
    <-- 220 hellzone1.hellzone.local Microsoft ESMTP MAIL Service ready at Wed, 10 Jul 2013 12:26:59 -0500 [655 ms]
    (Server Greeting)
    --> EHLO please-read-policy.mxtoolbox.com (sender HELO/EHLO)
    <-- 250-hellzone1.hellzone.local Hello [64.20.227.133] (Server response to sender EHLO)
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH NTLM LOGIN
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING [686 ms]
    --> MAIL FROM: <supertool@mxtoolbox.com> (Can be any valid domain address)
    <-- 250 2.1.0 Sender OK [686 ms] (Server Response)
    --> RCPT TO: <test@example.com>
    <-- 250 2.1.5 Ok (if the domain address is local and valid, it gets delivered;
    if the domain address is not local and the sender IP address is authorized, it gets relayed;
    if the domain address is not local and the sender IP address is not authorized,
    then a 500-level error message is sent and the connection terminated)
    <-- 550 5.7.1 Unable to relay [5678 ms]
    <-- QUIT

    J.A. Coutts
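Added example (not code from any poster in this thread): the EHLO / MAIL FROM / RCPT TO exchange annotated above, as a small Python tool. It interprets the reply codes the way the annotation describes (a valid-looking sender is almost always answered 250; the verdict hinges on whether RCPT TO for a foreign domain gets 2xx or 5xx), scores the MXToolbox transcript quoted earlier in the thread (copied inline as constructed sample data), and can run the same probe live against a host. The probe host name and addresses (relaytest.invalid, relaytest@example.com) and the second, forged-local-sender pair are assumptions of the example, not something the thread states.

```python
"""Open-relay check driven by SMTP reply codes. Added example, not from the thread."""
import re
import smtplib

# Constructed copy of the reply sequence MXToolbox got from hellzone1 (timings dropped).
SAMPLE_TRANSCRIPT = """\
220 hellzone1.hellzone.local Microsoft ESMTP MAIL Service ready
EHLO please-read-policy.mxtoolbox.com
250-hellzone1.hellzone.local Hello [64.20.227.133]
250-AUTH NTLM LOGIN
250 CHUNKING
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay
QUIT
"""


def judge(mail_code, rcpt_code):
    """Interpret the reply codes of one MAIL FROM / RCPT TO pair.

    The sender address is not the deciding factor: any syntactically valid
    address normally gets 250. What matters is whether a recipient in a
    foreign domain is accepted (2xx, relay) or refused (5xx)."""
    if mail_code // 100 != 2:
        return "sender-rejected"
    if rcpt_code // 100 == 2:
        return "open-relay"          # foreign recipient accepted without AUTH
    if rcpt_code // 100 == 5:
        return "relay-refused"       # e.g. 550 5.7.1 Unable to relay
    return "temporary-failure"       # 4xx: greylisting or throttling, retry later


_CODE = re.compile(r"^(\d{3})[ -]")


def parse_transcript(text):
    """Pull the reply codes that followed MAIL FROM and RCPT TO out of a captured session."""
    codes = {}
    expecting = None
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("MAIL FROM"):
            expecting = "mail"
        elif line.upper().startswith("RCPT TO"):
            expecting = "rcpt"
        elif expecting and (m := _CODE.match(line)):
            codes[expecting] = int(m.group(1))
            expecting = None
    return codes


def judge_transcript(text):
    """Verdict for a captured session such as the one quoted in the thread."""
    codes = parse_transcript(text)
    return judge(codes["mail"], codes["rcpt"])


def probe_relay(host, local_domain, port=25, timeout=15):
    """Live check: two MAIL FROM / RCPT TO pairs against `host`, run from outside its network.

    Pair 1 is the classic relay test (foreign sender, foreign recipient).
    Pair 2 forges the sender as the server's own domain, because some
    misconfigurations treat a local MAIL FROM as permission to relay.
    No DATA is sent, so nothing is actually relayed by the probe.
    Host names and addresses here are placeholders (assumption, not from the thread)."""
    results = {}
    for label, sender in (("foreign-sender", "probe@relaytest.invalid"),
                          ("forged-local-sender", f"postmaster@{local_domain}")):
        with smtplib.SMTP(host, port, local_hostname="relaytest.invalid", timeout=timeout) as s:
            s.ehlo()
            mail_code, _ = s.mail(sender)
            rcpt_code, _ = s.rcpt("relaytest@example.com")
            results[label] = judge(mail_code, rcpt_code)
    return results


if __name__ == "__main__":
    print("quoted MXToolbox session:", judge_transcript(SAMPLE_TRANSCRIPT))
    # Live use: probe_relay("mail.example.org", "example.org")
```

A verdict of open-relay on either pair means RCPT TO for a foreign domain was accepted without authentication; relay-refused on both is the result hellzone1 gave MXToolbox. The probe says nothing about relaying through a compromised AUTH login, which the server also advertises (AUTH NTLM LOGIN); that needs the server's own logs.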

#7 Contributing User, Devshed Regular (2000 - 2499 posts), joined May 2004, location: surfing the interwebz, 2,410 posts, rep power 2005

    Is it possible a computer on your network is infected and sending out spam email? All someone would need is a domain user's credentials (pretty easy to get if it's infected I would think) and they could spam away.

    What's the originating IP for those rogue messages; same thing for the originating sender (granted these can be spoofed)?

#8 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    IPs are not local of any kind. Sets of messages hold the same IP. Overall I see maybe 6-7 sets of IPs making the initial connection. All remote.

#9 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    One thing I did just now notice: half the errors end up in my inbox, while the other half end up in my Junk Mail. The ones in my Junk Mail may have the From: or the Return-Path as my Admin@hellzoneinc.com address on that account.

#10 Contributing User, Devshed Regular (2000 - 2499 posts), joined May 2004, location: surfing the interwebz, 2,410 posts, rep power 2005

    You could try blocking those IPs and see what happens. Are they in the same block? You can post them and maybe we can track where they are coming from.

#11 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    Well, the handful of messages I looked through seem to have different IPs and domain/computer names. IPs appear totally random, but if there's something I'm overlooking, here's a small few of today's set:

    A full header:
    Code:
    Original message headers:
    Received: from inpgserver05.inpg.matriz.com (201.23.89.210) by
     hellzone1.hellzone.local (75.129.129.179) with Microsoft SMTP Server (TLS) id
     8.3.83.0; Tue, 16 Jul 2013 17:08:31 -0500
    MIME-Version: 1.0
    Date: Tue, 16 Jul 2013 19:12:04 -0300
    X-Priority: 3 (Normal)
    X-Mailer: Ximian Evolution 1.9.1 (3.1.1-8)
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    More 'Received: from':
    Code:
    rm10 (190.123.193.102)
    Server (200.146.104.173)
    servidor (88.26.221.41)
    inpgserver05.inpg.matriz.com (201.23.89.210)
    terminal01 (213.123.199.120)
    acer1 (178.182.49.4)
    serwer.esco.pl (83.13.27.66)
    Servidor (95.120.34.178)
    Sebastian-PC (46.148.0.164)
    Sebastian-PC (46.148.0.164)
    ds1012 (190.123.200.154)
    llcctss-1.LibertyCasketCompany.local (72.215.50.56)
    servidor (85.48.192.203)
    One thing I did notice while going through these is that there are only like 3-4 To: addresses. It says received from different IPs, but going to the same address.

#12 Contributing User, Devshed Novice (500 - 999 posts), joined Jun 2009, 693 posts, rep power 7

    Sorry to bump this. I was just wondering if there was any more input. I've put this off more and more since each attempt I make at cleaning it up seems to fail; I just give up and prolong its true fix.

#13 Contributing User, Devshed Regular (2000 - 2499 posts), joined May 2004, location: surfing the interwebz, 2,410 posts, rep power 2005

    Do you have any spam filtering software installed on your Exchange server; or a separate spam box setup within your network? You can try adjusting the SCL (spam confidence level) up on your server to limit what mail it accepts.

#14 Contributing User, Devshed Newbie (0 - 499 posts), joined Aug 2011, 289 posts, rep power 45

    Again, I would be guessing, but some servers offer authenticated login, which allows a full connection to the server from outside of the normal authorized IP addresses. The clue is in the line:
    -----------------------------------------------
    Received: from inpgserver05.inpg.matriz.com (201.23.89.210) by
    hellzone1.hellzone.local (75.129.129.179) with Microsoft SMTP Server (TLS) id
    8.3.83.0; Tue, 16 Jul 2013 17:08:31 -0500
    -----------------------------------------------
    which shows that TLS is being offered. TLS is short for Transport Layer Security, and is usually associated with authenticated login. It is entirely possible that an account on the server has been hacked, and is being used to send spam. Given the originating IP addresses you have listed:
    201.23.89.210   country: BR (Brazil)
    190.123.193.102 country: PA (Panama)
    200.146.104.173 country: BR (Brazil)
    88.26.221.41    country: ES (Spain)
    201.23.89.210   country: BR (Brazil)
    213.123.199.120 country: GB (Great Britain)
    178.182.49.4    country: PL (Poland)
    83.13.27.66     country: PL (Poland)
    95.120.34.178   country: ES (Spain)
    46.148.0.164    country: PL (Poland)
    46.148.0.164    country: PL (Poland)
    190.123.200.154 country: PA (Panama)
    72.215.50.56    Cox Communications, country: US
    85.48.192.203   country: ES (Spain)
    it would appear that spam is being sent from a widely distributed botnet. The Far East, eastern Europe, and South America are the most common places for hijacked computers. Unfortunately, my limited knowledge of Exchange Server does not allow me to offer any suggestions on how to track down the hacked account.

    J.A. Coutts

    Comments on this post

    • seack79 agrees
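Added example (not part of any post in this thread): parsing the Received: headers that posts #11 and #14 are reading. Only the topmost Received: line, the one hellzone1 wrote itself, records the connecting IP reliably; anything below it arrived inside the message and can be forged. The script unfolds that header, extracts the connecting host and IP, and triages the abbreviated list from post #11 (both copied inline as constructed sample data): it counts repeat sources, flags private-range IPs (which would point at a machine inside the network, the thing post #7 asks about), and flags EHLO names that are bare workstation names or end in .local. The flag names and those heuristics are the example's own assumptions, not something the thread states.

```python
"""Received-header triage for the sources listed in the thread. Added example, not from the thread."""
import ipaddress
import re
from collections import Counter

# Constructed copy of the full header posted in #11, folded the way Exchange writes it.
SAMPLE_HEADER = """\
Received: from inpgserver05.inpg.matriz.com (201.23.89.210) by
 hellzone1.hellzone.local (75.129.129.179) with Microsoft SMTP Server (TLS) id
 8.3.83.0; Tue, 16 Jul 2013 17:08:31 -0500
MIME-Version: 1.0
Date: Tue, 16 Jul 2013 19:12:04 -0300
"""

# Constructed copy of the abbreviated "Received: from" list posted in #11.
SAMPLE_HOPS = """\
rm10 (190.123.193.102)
Server (200.146.104.173)
servidor (88.26.221.41)
inpgserver05.inpg.matriz.com (201.23.89.210)
terminal01 (213.123.199.120)
acer1 (178.182.49.4)
serwer.esco.pl (83.13.27.66)
Servidor (95.120.34.178)
Sebastian-PC (46.148.0.164)
Sebastian-PC (46.148.0.164)
ds1012 (190.123.200.154)
llcctss-1.LibertyCasketCompany.local (72.215.50.56)
servidor (85.48.192.203)
"""

_RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<ip>[\d.]+)\)\s+by\s+(?P<by>\S+)"
    r"\s+\((?P<by_ip>[\d.]+)\)\s+with\s+(?P<with>.+?)\s+id\s+(?P<id>\S+);\s*(?P<date>.+)$"
)
_SHORT = re.compile(r"^(?P<helo>\S+)\s+\((?P<ip>[\d.]+)\)$")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw):
    """Return the first (topmost) Received: header as a dict, or None if absent.

    The topmost line is the one your own server added, so its `ip` is the real
    TCP peer; lower Received: lines were supplied by the sender and prove nothing."""
    for line in unfold(raw):
        m = _RECEIVED.match(line)
        if m:
            return m.groupdict()
    return None


def classify_hop(helo, ip):
    """Flags worth looking at before deciding to block or investigate a source (assumed heuristics)."""
    addr = ipaddress.ip_address(ip)
    flags = []
    if addr.is_private or addr.is_loopback:
        flags.append("internal-ip")          # a machine inside your own network
    if "." not in helo:
        flags.append("bare-hostname")        # workstation name, not a FQDN: typical end-user box
    elif helo.lower().endswith(".local"):
        flags.append("non-routable-suffix")  # .local is not resolvable from the internet
    return flags


def triage(short_list):
    """Parse 'name (ip)' lines; one entry per distinct IP with its repeat count and flags."""
    hops = [_SHORT.match(l.strip()).groupdict() for l in short_list.splitlines() if l.strip()]
    counts = Counter(h["ip"] for h in hops)
    report = {}
    for h in hops:
        report.setdefault(h["ip"], {"helo": h["helo"], "seen": counts[h["ip"]],
                                     "flags": classify_hop(h["helo"], h["ip"])})
    return report


if __name__ == "__main__":
    print(parse_received(SAMPLE_HEADER))
    for ip, info in triage(SAMPLE_HOPS).items():
        print(f"{ip:16} x{info['seen']}  {info['helo']:40} {info['flags']}")
```

On the thread's list, no source is in a private range and almost every EHLO name is a bare workstation name, which is what a botnet of infected desktops looks like from the receiving side. Run it over the topmost Received: line of each bounced message, not over the lines further down.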

#15 Contributing User, Devshed Regular (2000 - 2499 posts), joined May 2004, location: surfing the interwebz, 2,410 posts, rep power 2005

    I would agree with couttsj; hence my original question about if it was possible a machine in the organization was infected; allowing someone's logon credentials to be stolen.