OK.... I am reviewing the logs (I am not an SMTP wiz....) and most of it looks normal. However I get blocks in the SMTP logs which look like this.

2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 220-rly-me07.mx.aol.com+ESMTP+mail_relay_in-me07.3;+Thu,+24+Apr+2008+21:32:46+-0400 SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 EHLO mail.DOMAINNAME.com SMTP - -
2008-04-25 01:32:45 193.17.41.45 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 450+Please+try+later SMTP - -
2008-04-25 01:32:45 193.17.41.45 OutboundConnectionCommand MY-MAIL-SERVER - 25 RSET - SMTP - -
2008-04-25 01:32:45 66.249.83.27 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250+2.1.0+Flushed+h36si2306851wxd.29 SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250-rly-me07.mx.aol.com+mail.DOMAINNAME.com SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 MAIL FROM:<[EMAIL PROTECTED]> SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250+OK SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 RCPT TO:<[EMAIL PROTECTED]> SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 550+MAILBOX+NOT+FOUND SMTP - -

Obviously it is trying some form of relaying. The actual block is pretty large and then seems to revert back to semi-normal mail traffic. Is there something in particular I should be looking for? You mentioned a web site compromise. Is there something specific that would signify that?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Friday, April 25, 2008 10:32 AM
To: Exchange Discussions
Subject: RE: E-mail/Spam blasts on Exch 2003

You need to hit the Exchange logs and see where the message is originating from. Perhaps a web server you have that has been compromised and is relaying through your Exchange server. Or a user's Outlook.... Hit the Exchange logs.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:bounce-[EMAIL PROTECTED] On Behalf Of David Stafford
> Sent: Friday, April 25, 2008 10:29 AM
> To: Exchange Discussions
> Subject: RE: E-mail/Spam blasts on Exch 2003
>
> No.. I am not an open relay. I have tested and we are not. I also used
> mxtoolbox.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holstrom, Don
> Sent: Friday, April 25, 2008 10:05 AM
> To: Exchange Discussions
> Subject: RE: E-mail/Spam blasts on Exch 2003
>
> I have been using mxtoolbox.com for, among other things, testing whether my
> e-mail server allows relays. Has anyone experienced any reason I
> shouldn't be using this nice site?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Fernicola
> Sent: Friday, April 25, 2008 9:57 AM
> To: Exchange Discussions
> Subject: RE: E-mail/Spam blasts on Exch 2003
>
> Do you allow relaying? Make sure you're not an open relay. Only allow
> authenticated Outlook clients to send email from your server. This will
> stop most inside garbage email Trojans, unless the Trojan is smart
> enough to piggyback off of Outlook.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Stafford
> Sent: Friday, April 25, 2008 9:45 AM
> To: Exchange Discussions
> Subject: E-mail/Spam blasts on Exch 2003
>
> Hopefully someone can give me some help or guidance.
>
> I am having a problem with my 2003 Exchange server (on a Win2k3 box)
> where I will get a blast of NDRs all with the same subject. This lasts
> 15-10 minutes and then stops for anywhere from a few hours to 3 days
> and then happens again. I thought someone was spoofing me at first, but I
> was able to match up a lot of the outbound errors in the error log with
> messages getting bounced back. It appears to be sending from my mail
> server.
>
> I have done numerous scans with almost everyone's AV package out there
> (Symantec, Sophos, Kaspersky etc...) and came up with one or two little
> things, but most were easily removed and did not appear to be of the type
> that would fit this kind of activity. Anyone have any thoughts on what's
> going on or how to isolate the issue?
>
> Thanks in advance
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
> To subscribe: http://e-newsletters.internet.com/discussionlists.html/
> To unsubscribe send a blank email to [EMAIL PROTECTED] dl.sparklist.com
> Exchange List admin: [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
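The question in the top post is what to look for in a block like the one quoted. A quick way to answer it from the SMTP log itself is to correlate every outbound RCPT TO with the response the remote MX sent back and tally the results per envelope sender (MAIL FROM): a legitimate user's mail is mostly accepted, while a spam blast going out through the server shows one sender address with a burst of recipients that the remote side rejects with 5xx (the 550 MAILBOX NOT FOUND lines above), which is exactly what produces the NDR storm. The script below is an added example written for this thread, not code from the list or from Exchange; it assumes the space-separated field layout visible in the quoted lines (date, time, remote IP, event name, server name, '-', port, verb or '-', argument or response text, protocol, '-', '-'), that '+' stands for a space inside a field, and it uses a constructed sample log modelled on the post with placeholder addresses.

```python
"""Summarise an Exchange 2003 (IIS SMTP service) outbound log to spot a spam run.

Added example, not from the mailing-list thread. Assumed field layout (taken
from the lines quoted in the post): date time remote-ip event server-name -
port verb-or-'-' argument-or-response protocol - -   with '+' meaning a space.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: shaped like the lines in the post, placeholder addresses.
SAMPLE_LOG = """\
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 220-rly-me07.mx.aol.com+ESMTP SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 EHLO mail.DOMAINNAME.com SMTP - -
2008-04-25 01:32:45 193.17.41.45 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 450+Please+try+later SMTP - -
2008-04-25 01:32:45 193.17.41.45 OutboundConnectionCommand MY-MAIL-SERVER - 25 RSET - SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 MAIL FROM:<bulk@DOMAINNAME.com> SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250+OK SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 RCPT TO:<nobody1@aol.com> SMTP - -
2008-04-25 01:32:45 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 550+MAILBOX+NOT+FOUND SMTP - -
2008-04-25 01:32:46 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 RCPT TO:<nobody2@aol.com> SMTP - -
2008-04-25 01:32:46 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 550+MAILBOX+NOT+FOUND SMTP - -
2008-04-25 01:32:46 64.12.138.88 OutboundConnectionCommand MY-MAIL-SERVER - 25 RCPT TO:<real@aol.com> SMTP - -
2008-04-25 01:32:46 64.12.138.88 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250+OK SMTP - -
2008-04-25 09:10:02 66.249.83.27 OutboundConnectionCommand MY-MAIL-SERVER - 25 MAIL FROM:<alice@DOMAINNAME.com> SMTP - -
2008-04-25 09:10:02 66.249.83.27 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250+OK SMTP - -
2008-04-25 09:10:02 66.249.83.27 OutboundConnectionCommand MY-MAIL-SERVER - 25 RCPT TO:<bob@gmail.com> SMTP - -
2008-04-25 09:10:02 66.249.83.27 OutboundConnectionResponse MY-MAIL-SERVER - 25 - 250+2.1.0+OK SMTP - -
"""


def _addr(arg):
    """Pull the address out of 'FROM:<x>' or 'TO:<y>'; the null sender '<>' gives ''."""
    start, end = arg.find("<"), arg.rfind(">")
    return arg[start + 1:end] if start >= 0 and end > start else arg


def parse_line(line):
    """Turn one outbound log line into a command or response event (None if not one)."""
    f = line.split()
    if len(f) < 10 or f[3] not in ("OutboundConnectionCommand", "OutboundConnectionResponse"):
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    if f[3] == "OutboundConnectionCommand":
        return {"time": ts, "peer": f[2], "kind": "cmd", "verb": f[7], "arg": f[8]}
    # Response: f[8] starts with the three-digit SMTP reply code.
    return {"time": ts, "peer": f[2], "kind": "rsp", "code": f[8][:3], "text": f[8].replace("+", " ")}


def analyse(log_text):
    """Correlate each outbound RCPT TO with the next response from the same remote
    host and tally attempts, 5xx rejections and per-minute volume per MAIL FROM."""
    pending = {}   # remote IP -> last command still awaiting its response
    sender = {}    # remote IP -> current envelope sender for that session
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0, "minutes": Counter()})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "cmd":
            if ev["verb"] == "MAIL":
                sender[ev["peer"]] = _addr(ev["arg"])
            elif ev["verb"] == "RSET":
                sender.pop(ev["peer"], None)   # RSET abandons the envelope
            pending[ev["peer"]] = ev
            continue
        cmd = pending.pop(ev["peer"], None)
        if cmd is None or cmd["verb"] != "RCPT":
            continue   # banner, EHLO/MAIL replies etc. are not recipient outcomes
        s = stats[sender.get(ev["peer"], "<unknown>")]
        s["attempts"] += 1
        s["minutes"][ev["time"].strftime("%Y-%m-%d %H:%M")] += 1
        if ev["code"].startswith("5"):
            s["rejected"] += 1
    return stats


def suspicious_senders(stats, min_attempts=3, max_reject_rate=0.5):
    """Senders whose outbound recipients are mostly rejected. A dictionary-style
    spam run from a compromised host or mailbox looks like this; ordinary users do not."""
    out = {}
    for addr, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        rate = s["rejected"] / s["attempts"]
        if rate > max_reject_rate:
            out[addr] = {"attempts": s["attempts"], "rejected": s["rejected"],
                         "reject_rate": rate, "peak_minute": s["minutes"].most_common(1)[0]}
    return out


if __name__ == "__main__":
    for addr, info in suspicious_senders(analyse(SAMPLE_LOG)).items():
        print(f"{addr}: {info['rejected']}/{info['attempts']} recipients rejected, "
              f"peak {info['peak_minute'][1]} RCPTs at {info['peak_minute'][0]}")
```

Run it over a real log by replacing SAMPLE_LOG with the file contents; the peak minute tells you when the blast ran, and the sender address that comes out on top is the one to trace back in the inbound or submission logs to find the host or account that injected the mail.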
