Thanks for this. The docs were for an older version, and things have been moved, but I found it and implemented it.
Mark

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Thursday, April 10, 2014 9:18 PM
To: [email protected]
Subject: Re: [Exchange] Relaying

Search for Active Directory on this page:
http://www.xwall.net/xwallconfig.htm

On Thu, Apr 10, 2014 at 5:51 PM, Kennedy, Jim <[email protected]> wrote:
> What does XWall do then? I would guess it tries to email an NDR back
> to the 'sending' address? That is where your problem lies. Got to be a
> way to get Xwall to talk to Exchange/AD in real time. Poke around and
> look for an AD connector via LDAP, that is how most of them do it.
>
> ________________________________
> From: [email protected] [[email protected]]
> on behalf of Reimer, Mark [[email protected]]
> Sent: Thursday, April 10, 2014 6:46 PM
> To: '[email protected]'
> Subject: RE: [Exchange] Relaying
>
> Xwall accepts the email. The error comes when it communicates with my
> Exchange server. I get the 550 error in the conversation between XWall
> and my Exchange server.
>
> Mark
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
> Sent: Thursday, April 10, 2014 11:14 AM
> To: '[email protected]'
> Subject: RE: [Exchange] Relaying
>
> You verify that the XWall does this in realtime….while the sending
> server is still sending the email to you? If you snoop the smtp
> conversation it would look like this:
>
> 220 mail.elyriaschools.org
> HELO my.fake.domain.com
> 250 spamkiller.elyriaschools.org Hello w8desktopjdk.edunet.local [10.55.235.1], pleased to meet you
> mail from: [email protected]
> 250 Sender <[email protected]> OK
> rcpt to: [email protected]
> 550 No such user ([email protected])
> Quit
>
> You can do this manually yourself, telnet to your Xwall on port 25 and
> just type the commands.
>
> http://www.yuki-onna.co.uk/email/smtp.html
>
> The question is, does your XWall do it as my example above….or does it
> accept the email then generate an outgoing email…an NDR. Because what
> is happening above isn’t called an NDR, it’s a 550 fatal error during
> the conversation. So no backscatter from you, the sending server
> takes responsibility at that point for the NDR.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Reimer, Mark
> Sent: Thursday, April 10, 2014 1:03 PM
> To: '[email protected]'
> Subject: RE: [Exchange] Relaying
>
> I did turn on recipient filtering. I have a mail filter (XWall) in
> front of the Exchange server. From what I can see/understand in the
> logs, XWALL opens up a connection to the exchange server. The exchange
> server says there is no recipient, and XWall sends the NDR, not Exchange.
>
> The emails have a consistent subject line, so I’ve been watching it,
> and filtering the email out by subject line.
>
> Mark
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
> Sent: Thursday, April 10, 2014 10:27 AM
> To: [email protected]
> Subject: Re: [Exchange] Relaying
>
> Thanks Jim, I set that up on Tuesday.
>
> On Thu, Apr 10, 2014 at 9:13 AM, Kennedy, Jim <[email protected]> wrote:
>
> If these are because of non-existent accounts, which is usually the
> cause, turn on recipient filtering. That way your server rejects them
> during the smtp phase. What you are probably doing now is accepting
> then realizing they are invalid addresses….and generating the ndr.
>
> http://www.gn.apc.org/support/minimising-backscatter-your-office-server
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
> Sent: Thursday, April 10, 2014 10:07 AM
> To: [email protected]
> Subject: Re: [Exchange] Relaying
>
> I think that is exactly what is going on here.
> I can't see any other traffic out of the network besides the NDR's....
>
> Mark, what did you end up doing in the end?
>
> On Thu, Apr 10, 2014 at 8:09 AM, Reimer, Mark <[email protected]> wrote:
>
> Blue host caught me too. I was getting spammed (to non-existent
> accounts), and my server was sending NDR’s. Of course, the NDR’s were
> going to people who didn’t exist, and they blocked our email. And as
> in Steve’s case, we weren’t listed on mxtoolbox.
>
> My two cents.
>
> Mark
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
> Sent: Wednesday, April 09, 2014 3:06 PM
> To: [email protected]
> Subject: Re: [Exchange] Relaying
>
> It was a site called bluehost. If I went to mxtoolbox, we weren't
> listed anywhere.
>
> On Wed, Apr 9, 2014 at 4:04 PM, J- P <[email protected]> wrote:
>
> When you were blacklisted do you see what RBL you were listed on, or
> why you were listed?
> I had a site where there was a lone workstation in the far end of the
> warehouse used only for checking schedules, sure enough that was the
> affected/infected PC that was part of bot-net causing the blacklisting.
>
> Jean-Paul Natola
>
> ________________________________
>
> Date: Wed, 9 Apr 2014 11:54:11 -0500
> Subject: Re: [Exchange] Relaying
> From: [email protected]
> To: [email protected]
>
> I've also put a firewall rule into the default domain policy to block
> all port 25 traffic between clients. I'll see if that helps.
>
> On Wed, Apr 9, 2014 at 11:49 AM, J- P <[email protected]> wrote:
>
> You can get blacklisted without SMTP traffic, simply by machines
> trying to access certain websites known as sinkhole servers
> http://www.spamhaus.org/faq/section/Spamhaus%20XBL
>
> ________________________________
>
> Date: Tue, 8 Apr 2014 21:55:27 -0500
> Subject: Re: [Exchange] Relaying
> From: [email protected]
> To: [email protected]
>
> I think Don has not been in this conversation yet, and I do use Vipre
> for backscatter and spam protection. I don't think having 600
> messages undelivered in the queue is reasonable. We have been
> blacklisted a couple of times and been delisted so far. I also have
> all traffic on port 25 blocked out of the firewall except for the
> Exchange box. I'm looking at the smtp logs and can't see anything off yet.
>
> On Tue, Apr 8, 2014 at 7:07 PM, Richard Stovall <[email protected]> wrote:
>
> I think this answer is correct in some circumstances, but not
> universally by any means. Don, do you have any backscatter protection
> enabled? This would eliminate these as NDRs resulting from spam from spoofed
> addresses you own.
> If you don't have backscatter protection, my guess is that spam which
> does spoof existing addresses would be far more problematic than that
> which does not.
>
> On Tue, Apr 8, 2014 at 7:13 PM, Mike Tavares <[email protected]> wrote:
>
> the sender <> is normal exchange NDR’s being delivered. Since your
> exchange server is authoritative for your domain any messages addressed
> to non existent email address will cause these, since a lot of spam
> has bogus address you tend to see them sitting in your queues for a
> while. They will eventually time out and go away on their own.
>
> Nothing to worry about.
>
> From: Steve Ens
> Sent: Tuesday, April 08, 2014 4:30 PM
> To: [email protected]
> Subject: [Exchange] Relaying
>
> I'm running exchange 2010 here with all the service packs.
> I think that I must have misconfigured one of my receive connectors. I know I
> am not an open relay from the outside, but I think I have a machine
> inside my network that is compromised and using exchange to send out
> since I have many messages sitting in my queue that are undeliverable.
> Any suggestions as to how I'd determine from which IP these messages
> are originating? The sender always looks like <>. I've opened up the
> message tracking logs, but can't find any incriminating evidence there.
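
The check discussed in the thread (type the SMTP commands by hand against the filter and see whether RCPT TO for a nonexistent address gets a 550 during the conversation), as an added example that is not part of any message in the thread: a Python parser over a captured SMTP conversation that reports the reply each RCPT TO received and lists known-bogus recipients accepted with a 2xx, which is the accept-then-NDR behaviour that produces backscatter. The function names, transcripts, host names and addresses are constructed placeholders.

```python
import re

REPLY = re.compile(r"^(\d{3})(?:([ -]).*)?$")          # "250 text" or "250-text"
RCPT = re.compile(r"^rcpt to:\s*<?([^>\s]+)>?", re.I)

def rcpt_replies(transcript):
    """Map each RCPT TO address to the final reply code the server gave it."""
    replies, last, in_data = {}, None, False
    for raw in transcript.splitlines():
        line = raw.strip()
        if in_data:                    # message content ends at a lone "."
            in_data = line != "."
            continue
        m = REPLY.match(line)
        if not m:                      # anything else is a client command
            r = RCPT.match(line)
            last = ("RCPT", r.group(1).lower()) if r else (line.upper(), None)
            continue
        if m.group(2) == "-":          # continuation of a multi-line reply
            continue
        code = int(m.group(1))
        if last and last[0] == "RCPT":
            replies[last[1]] = code
        elif last and last[0] == "DATA" and code == 354:
            in_data = True             # server agreed to receive the message
        last = None
    return replies

def accepted_bogus(transcript, bogus):
    """Known-nonexistent addresses that got a 2xx at RCPT TO (backscatter risk)."""
    replies = rcpt_replies(transcript)
    return sorted(a.lower() for a in bogus if 200 <= replies.get(a.lower(), 0) < 300)

# Constructed transcripts (not from the thread); hosts and addresses are placeholders.
HEAD = """220 filter.example.org ESMTP
EHLO probe.example.net
250-filter.example.org
250 PIPELINING
MAIL FROM:<probe@example.net>
250 Sender OK
RCPT TO:<no.such.user@example.org>\n"""
REJECTS_IN_SESSION = HEAD + "550 No such user\n"
ACCEPTS_THEN_BOUNCES = HEAD + """250 Recipient OK
DATA
354 Start mail input
550 this line is message content, not a server reply
.
250 Queued\n"""
```

An empty result from `accepted_bogus` for a probe address known not to exist means the rejection happens inside the SMTP session, so the sending server, not yours, owns the NDR.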
