I'm thinking it's the Linux box that's an open relay, not Exchange.

------------------------------------------------------
Roger D. Seielstad - MCSE MCT
Senior Systems Administrator
Peregrine Systems
Atlanta, GA
http://www.peregrine.com
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 1:45 PM
> To: Exchange Discussions
> Subject: RE: Internet Mail Header Investigation
>
>
> No...it's not an open relay...double-checked the Exchange Server settings
> and the RBL (Realtime Blackhole List).
>
> And yes, that REALLY is just one mail header. It takes 2-1/2 pages to
> print it out in its entirety.
>
> In the process of triple-checking my relay settings again by reading the
> article below.
>
> Jim Blunt
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 10:30 AM
> To: Exchange Discussions
> Subject: RE: Internet Mail Header Investigation
>
>
> Is your server an open relay?
>
> <http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696>
>
> also available here:
> <http://downloads.members.tripod.com/ladysun1969/misc/relay.tif>
>
>
> ps. are you sure that's all from one message? It looks like 3 different
> message headers....
>
> -Michèle
> Immigration site: <http://LadySun1969.tripod.com>
> The Miata: <http://members.cardomain.com/bpituley>
> Tiggercam: <http://www.tiggercam.co.uk>
> ---------------------------------------------------------
> Every old idea will be proposed again with a different name and a
> different presentation, regardless of whether it works. - RFC1925
> ---------------------------------------------------------
>
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 1:17 PM
> To: Exchange Discussions
> Subject: RE: Internet Mail Header Investigation
>
>
> There you have it...that's the header file. You actually want to start
> reading the header file from the bottom of this post up...
>
> TIA for the help.
>
> > JB
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 10:14 AM
> To: Exchange Discussions
> Subject: RE: Internet Mail Header Investigation
>
>
> Part 3...
>
> Message-ID: <[EMAIL PROTECTED]>
> From: fellow_american@pride_of_america
> To:
> Subject: FREE American Flag Pin - No purchase necessary 15615
> Date: Tue, 27 Nov 2001 23:33:37 -0800
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> X-MS-Embedded-Report:
> Content-Type: text/plain;
>         charset="iso-8859-1"
>
> ------_=_NextPart_000_01C1780F.8D84D950--
>
> --==IFJRGLKFGIR46408UHRUHIHD--
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 10:12 AM
> To: Exchange Discussions
> Subject: FW: Internet Mail Header Investigation
>
>
> Part 2...
>
> Received: from IMS.ourcompany.gov ([xxx.xxx.xxx.xxx])
>         by nis.lapha.com (Lotus Domino Release 5.0.6a)
>         with ESMTP id 2001112822195643:24 ;
>         Wed, 28 Nov 2001 22:19:56 +0900
> Received: by IMS.ourcompany.gov with Internet Mail Service (5.5.2653.19)
>         id <XVZ0JKH3>; Wed, 28 Nov 2001 05:21:14 -0800
> Message-ID: <[EMAIL PROTECTED]>
> From: System Administrator <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Undeliverable: FREE American Flag Pin - No purchase necessary 15615
> Date: Wed, 28 Nov 2001 05:21:13 -0800
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> X-MS-Embedded-Report:
> X-MIMETrack: Itemize by SMTP Server on nis/Lapha(Release 5.0.6a |January 17, 2001)
>         at 2001-11-28 10:19:58 PM,
>         Serialize by Router on nis/Lapha(Release 5.0.6a |January 17, 2001)
>         at 2001-11-29 11:02:11 AM,
>         Serialize complete at 2001-11-29 11:02:11 AM
>
> This message is in MIME format. Since your mail reader does not understand
> this format, some or all of this message may not be legible.
>
> > -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 10:05 AM
> To: Exchange Discussions
> Subject: RE: Internet Mail Header Investigation
>
>
> Ok...let's try sending this in pieces...
>
> Received: from mr.ourcompany.com ([xxx.xxx.xxx.xxx]) by IMS.ourcompany.gov
>         with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>         id XVZ0J31D; Wed, 28 Nov 2001 18:03:42 -0800
> Received: (qmail 4027 invoked by uid 104); 29 Nov 2001 00:34:16 -0000
> Received: from by mr-new.ourcompany.com with qmail-scanner-0.94 (. Clean.
>         Processed in 9.100323 secs); 28/11/2001 16:34:07
> Received: from unknown (HELO nis.lapha.com) (211.52.19.18)
>         by mr.ourcompany.com with SMTP; 29 Nov 2001 00:34:06 -0000
> Received: from IMS.ourcompany.gov ([xxx.xxx.xxx.xxx])
>         by nis.lapha.com (Lotus Domino Release 5.0.6a)
>         with ESMTP id 2001112822195643:24 ;
>         Wed, 28 Nov 2001 22:19:56 +0900
> Received: by IMS.ourcompany.gov with Internet Mail Service (5.5.2653.19)
>         id <XVZ0JKH3>; Wed, 28 Nov 2001 05:21:14 -0800
> Message-ID: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> To: System Administrator <[EMAIL PROTECTED]>
> Subject: =?euc-kr?B?uei03iC9x8bQOiBVc2VyIGZlbGxvd19hbWVyaWNhbiVwcmlkZV9vZg==?=
>         =?us-ascii?Q?=5Famerica?= ([EMAIL PROTECTED]) not listed in public
>         Name & Address Book
> Date: Wed, 28 Nov 2001 05:21:13 -0800
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> X-MS-Embedded-Report:
> X-MIMETrack: Itemize by SMTP Server on nis/Lapha(Release 5.0.6a |January 17, 2001)
>         at 2001-11-28 10:19:58 PM,
>         Serialize by Router on nis/Lapha(Release 5.0.6a |January 17, 2001)
>         at 2001-11-29 11:02:11 AM,
>         Serialize complete at 2001-11-29 11:02:11 AM
> Content-Type: multipart/report; report-type=delivery-status;
>         boundary="==IFJRGLKFGIR46408UHRUHIHD"
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 30, 2001 8:56 AM
> To: Exchange Discussions
> Subject: Internet Mail Header Investigation
>
>
> Folks,
>
> I have a slight SPAM problem I would like some help with if possible, so
> put on your thinking caps. I have read several RFCs and Technet articles
> about how things are supposed to work, but none of them seem to cover
> interpreting the sequence of events. Also, several things just don't make
> sense to me. I've only been an MS Exchange Admin for about 1-1/2 years, so
> I still have a lot to learn. This message is a little long, but you folks
> are always clamoring for details, so I thought I would be as detailed as I
> could.
>
> The header for the e-mail in question is going to come in the next post
> (having problems posting). Three copies of this e-mail were sent directly
> to my postmaster mailbox from an account in Japan (+0900 GMT puts it in
> this timezone). This didn't concern me that much, because RFC822 states
> that all mail orgs are supposed to have a postmaster account that people
> can send complaints to, so it would be easy to guess. If one person in our
> mail org got themselves on a list they shouldn't, then they just had to add
> the postmaster account to the front of the domain name. However, when I
> started taking a closer look, that's when I began to get worried.
>
> Let me explain our configuration here:
> 1. The ISP has an MX record that says our mail server is located at
>    ourcompany.com or IMS.ourcompany.com
> 2. Our MX record states that ourcompany.com is equal to internal addresses
>    of ourcompany.gov or IMS.ourcompany.gov.
> 3. Internet mail comes in through a boundary router, through the firewall
>    to the Mail Relayer (named mr.ourcompany.com in the header below).
> 4. MR is a Linux 7.0 workstation, running Qmail 1.03 and QmailScanner 0.94.
> 5. MR checks to make sure that mail is being sent to a legitimate domain
>    extension. If legit, sends it on to the IMS. If not, drops it in a
>    holdmail queue. It also blocks mail based on attachment or subject type.
> 6. Once to the IMS, delivered to client. Client mail goes from client to
>    IMS, IMS to Proxy Server and out through the boundary router.
> 7. Mail servers are Win2k, SP2 servers running Ex5.5, SP4+3 (MTA, IS and
>    Q282533).
>
> Here are my concerns:
> 1. In the 5th and 6th "Received:" lines down, it looks like the IMS was
>    the first machine to process this mail. The original IP address next to
>    the name was actually the external interface to the Proxy Server. This
>    would suggest to me that it actually took the reverse route in through
>    the Proxy/IMS, instead of through the Firewall/MR. How is this possible?
> 2. In the first "From:" field of the header, it shows as coming from
>    [EMAIL PROTECTED] However, in the second "From:" field of the header,
>    it shows as coming from [EMAIL PROTECTED] Is this guy spamming
>    thousands of people and making it look like it came from me?
> 3. In the original header, the IMS.ourcompany.com contained the actual
>    internal server name of our IMS. How does someone in Japan find out the
>    internal name of one of our servers, without a security leak on our end?
>
> I appreciate any help you folks can give me...please don't flame me too
> bad. I have to be recognizable to my wife and kids when I get home, or they
> won't let me in the door to eat dinner...and I'm starved! ;O)
>
> Thanks in advance,
>
> James H (Jim) Blunt
> Network / Exchange Admin
> Network & Infrastructure Group
> Bechtel Hanford, Inc.
>
> > _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
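The thread's advice is to read the Received: lines from the bottom up and to ask which machine is actually relaying. The script below, added here as an illustration and not code from the list, from Exchange, qmail or Domino, does that mechanically over the first header block Jim posted (addresses masked as [EMAIL PROTECTED] and IPs as xxx, exactly as in the post; the Subject and X-MIMETrack lines are left out). It unfolds each Received: line, walks the chain newest-first, and stops trusting lines at the first one not written by one of the poster's own hosts (OUR_DOMAINS is an assumption modelled on the configuration notes). Everything below that boundary arrived inside the message as the outside sender's claim, so a host name such as IMS.ourcompany.gov appearing there is unverified rather than evidence of the route the mail took, which is the check that bears on the first concern in the original post. It also reports whether Content-Type marks the message as a delivery-status report.

```python
"""Split a Received: chain at the trust boundary and report the real entry point.

Added example for the header-investigation thread above; not code from the list
post or from any product named in it. SAMPLE_HEADER is the first header block
quoted in the thread (masked as in the post, Subject/X-MIMETrack omitted).
OUR_DOMAINS is an assumption modelled on the poster's configuration notes.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Assumption: the domains of the poster's own relay (mr) and Exchange IMS hosts.
OUR_DOMAINS = ("ourcompany.com", "ourcompany.gov")

# Constructed from the headers quoted in the thread.
SAMPLE_HEADER = """\
Received: from mr.ourcompany.com ([xxx.xxx.xxx.xxx]) by IMS.ourcompany.gov
\twith SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
\tid XVZ0J31D; Wed, 28 Nov 2001 18:03:42 -0800
Received: (qmail 4027 invoked by uid 104); 29 Nov 2001 00:34:16 -0000
Received: from by mr-new.ourcompany.com with qmail-scanner-0.94 (. Clean.
\tProcessed in 9.100323 secs); 28/11/2001 16:34:07
Received: from unknown (HELO nis.lapha.com) (211.52.19.18)
\tby mr.ourcompany.com with SMTP; 29 Nov 2001 00:34:06 -0000
Received: from IMS.ourcompany.gov ([xxx.xxx.xxx.xxx])
\tby nis.lapha.com (Lotus Domino Release 5.0.6a)
\twith ESMTP id 2001112822195643:24 ;
\tWed, 28 Nov 2001 22:19:56 +0900
Received: by IMS.ourcompany.gov with Internet Mail Service (5.5.2653.19)
\tid <XVZ0JKH3>; Wed, 28 Nov 2001 05:21:14 -0800
Message-ID: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
To: System Administrator <[EMAIL PROTECTED]>
Date: Wed, 28 Nov 2001 05:21:13 -0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="==IFJRGLKFGIR46408UHRUHIHD"

"""

HOST = r"[\w-]+(?:\.[\w-]+)+"  # dotted host name; "uid" in qmail's local line is not one


@dataclass
class Hop:
    from_host: Optional[str]  # name the sending side was identified as (rDNS or "unknown")
    helo: Optional[str]       # what the sender said in HELO, if the receiver recorded it
    ip: Optional[str]         # IP literal the receiver recorded
    by_host: Optional[str]    # the server that wrote this line
    date: Optional[str]       # timestamp text after the last ';'
    trusted: bool = False     # written by one of OUR hosts and above the boundary


def parse_hop(value: str) -> Hop:
    """Unfold one Received: value and pull out the from/HELO/IP/by/date fields."""
    v = re.sub(r"\s+", " ", value).strip()
    m_from = re.search(rf"\bfrom ({HOST}|unknown)\b", v)
    m_helo = re.search(r"\(HELO ([^)\s]+)\)", v, re.I)
    # Bracketed literal first ([1.2.3.4], or the post's masked [xxx.xxx.xxx.xxx]),
    # then qmail's bare "(1.2.3.4)" form; a version like (5.5.2653.13) does not match.
    m_ip = re.search(r"\[([^\]\s]+)\]", v) or re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", v)
    m_by = re.search(rf"\bby ({HOST})", v)
    date = v.rsplit(";", 1)[1].strip() if ";" in v else None
    return Hop(m_from.group(1) if m_from else None, m_helo.group(1) if m_helo else None,
               m_ip.group(1) if m_ip else None, m_by.group(1) if m_by else None, date)


def is_ours(host: Optional[str]) -> bool:
    return host is not None and host.lower().endswith(OUR_DOMAINS)


def parse_chain(raw_headers: str) -> List[Hop]:
    """Return hops oldest-first (the order the thread says to read them), each marked trusted.

    A Received: line is only as reliable as the server that added it. Walking newest-first,
    trust ends at the first line not written by one of our hosts; every older line reached
    us inside the message as the outside sender's claim, whatever host names it mentions.
    """
    hops = [parse_hop(v) for v in message_from_string(raw_headers).get_all("Received", [])]
    trusted = True
    for hop in hops:  # newest first
        if hop.by_host is not None and not is_ours(hop.by_host):
            trusted = False
        hop.trusted = trusted
    return list(reversed(hops))


def investigate(raw_headers: str) -> dict:
    """Summarise the chain: true entry point, unverified mentions of our hosts, bounce flag."""
    hops = parse_chain(raw_headers)
    msg = message_from_string(raw_headers)
    entry = next(h for h in hops if h.trusted)  # oldest line one of OUR servers wrote
    claimed = {h.from_host for h in hops if not h.trusted} | {h.by_host for h in hops if not h.trusted}
    return {
        "hops_oldest_first": [(h.helo or h.from_host or "-", h.by_host or "-", h.trusted) for h in hops],
        "entry_point": {"by": entry.by_host, "helo": entry.helo, "ip": entry.ip, "rdns": entry.from_host},
        "unverified_mentions_of_our_hosts": sorted(h for h in claimed if is_ours(h)),
        "is_delivery_report": msg.get_param("report-type") == "delivery-status",
    }


if __name__ == "__main__":
    report = investigate(SAMPLE_HEADER)
    for sender, receiver, ok in report["hops_oldest_first"]:
        print(f"{'trusted   ' if ok else 'UNVERIFIED'}  {sender:>20} -> {receiver}")
    print("first hop our servers actually saw:", report["entry_point"])
    print("our hosts named only in unverified lines:", report["unverified_mentions_of_our_hosts"])
    print("message is a delivery-status report (bounce):", report["is_delivery_report"])
```

On the sample, the oldest line any of the poster's own servers wrote is the qmail relay's: it accepted the message from 211.52.19.18, which announced itself as nis.lapha.com and had no reverse DNS. The two lines beneath it, the ones that appear to show IMS handling the mail first, were carried in by that connection, so the script lists IMS.ourcompany.gov only as a name the untrusted part mentions. The same walk applies to any chain: the boundary moves with whichever of your hosts wrote the last line you can vouch for.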