Thanks, Dave. That's crystal clear.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 4:02 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it, it's trying to send a
message back to the sender telling them it couldn't deliver the message. But
in this case, the spammer forged the sender address, so your mail server is
sending you NDRs because it can't send the original NDR back to the spoofed
address. Make sense? There's not much you can do with Exchange 5.5 to
avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave
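
[Added example, not part of the original thread or of Exchange itself.] A small Python model of the accept-then-bounce flow Dave describes, plus a check for whether one connecting IP accounts for most of the invalid-recipient mail and so would be worth blocking. The domain dfg.example, the addresses, the IPs, the tuple layout and the 0.8 threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not real Exchange 5.5 log output): each inbound
# message is (connecting IP, envelope sender, recipient). Names are assumptions.
VALID_RCPTS = {"tony@dfg.example", "admin@dfg.example"}
RESOLVABLE_HOSTS = {"partner.example"}  # sender hosts that DNS can resolve
INBOUND = [
    ("192.0.2.10", "sales@host1.spam.invalid", "qwxz@dfg.example"),
    ("192.0.2.10", "sales@host2.spam.invalid", "aaab@dfg.example"),
    ("192.0.2.10", "sales@host3.spam.invalid", "zzkq@dfg.example"),
    ("198.51.100.7", "bob@partner.example", "tnoy@dfg.example"),  # honest typo
    ("198.51.100.7", "bob@partner.example", "tony@dfg.example"),  # valid mail
]


def accept_then_bounce(inbound):
    """Model the flow in the thread: accept first, generate the NDR afterwards."""
    delivered_ndrs, stuck_ndrs, admin_notices = [], [], []
    for ip, sender, rcpt in inbound:
        if rcpt in VALID_RCPTS:
            continue  # normal delivery, no NDR generated
        host = sender.rsplit("@", 1)[1]
        # The NDR carries the null sender <> and goes to the envelope sender.
        ndr = {"from": "<>", "to": sender, "host": host, "source_ip": ip}
        if host in RESOLVABLE_HOSTS:
            delivered_ndrs.append(ndr)  # bounce reaches a real sender
        else:
            stuck_ndrs.append(ndr)  # forged host: waits in the queue
            admin_notices.append(f"host unknown: {host}")
    return delivered_ndrs, stuck_ndrs, admin_notices


def dominant_source(inbound, threshold=0.8):
    """Return the IP behind >= threshold of invalid-recipient mail, else None."""
    bad = Counter(ip for ip, _, rcpt in inbound if rcpt not in VALID_RCPTS)
    if not bad:
        return None
    ip, hits = bad.most_common(1)[0]
    return ip if hits / sum(bad.values()) >= threshold else None


if __name__ == "__main__":
    ok, stuck, notices = accept_then_bounce(INBOUND)
    print(f"{len(ok)} NDR delivered, {len(stuck)} stuck in queue")
    print("admin mailbox:", notices)
    print("single IP worth blocking:", dominant_source(INBOUND, threshold=0.7))
```
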

----- Original Message ----- 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...


> Thanks. I've also cut down the Notifications to just 'Host not Found'.
>
> One of the NDRs looks like this....
>
> ----------------
> A mail message could not be sent because the following host is 
> unknown:
>
> smdv231.entertainmentmail.net
> The message that caused this notification was:
>
>
>       To:       <[EMAIL PROTECTED]>
>       From:     <>
>       Subject:  Undeliverable: Sales manager or Marketing dept
> -----------------
>
> If this is a Relay, shouldn't I not be accepting it in the first
> place?
>
> Thanks for all the insight so far...
>
> Cheers,
> Tony
>
>
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:30 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> They're just using dfg.com.  Don't bother your MX record.
>
> -----Original Message-----
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:37 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
> messages sitting in the IMS queue after 8hrs? I have another site where
> the IMS has hardly any messages sitting in there so this is why I am
> concerned. What if I changed the MX record's IP address, would that help
> slow it down a little or are they just using dfg.com?
>
> Cheers,
> Tony
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 10:10 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Tony,
>
> Open up the properties page of your IMS Connection, go to the Internet
> Mail tab and click on the Notifications... button.  My guess would be
> that you have the "Always send notifications when non-delivery reports
> are generated" radio button clicked.  If that is the case, select the
> second choice and uncheck the options that you don't want.
>
> I receive anywhere from 3,000 to 10,000 NDRs a day, from spammers
> trying to brute force their spam through the system.  I track the NDRs
> to create a spreadsheet for management, showing them the exponential
> growth of spam and the load it is placing on the servers, in order to
> justify new servers.
>
> Jim
>
> -----Original Message-----
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 9:58 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> I've tested via telnet and from home using Outlook Express and it 
> always replies with 550 so I think I'm good there. Just the amount of 
> mail is insane. I came in this morning and there's over 10,000 in the
> IMS Queue. I guess eventually it will slow down...
>
> Thanks to all.
>
> Cheers,
> Tony
>
> -----Original Message-----
> From: Dave Mills [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 5:28 PM
> To: Exchange Discussions
> Subject: Re: Not Open Relay, but...
>
>
> For #3, what you are seeing is a spammer trying to find valid addresses
> @dfg.com by simply guessing addresses and trying them, your best bet
> would be to turn off the notification on your IMS for "E-mail address
> could not be found".  For #2, yes they will sit in the queue until they
> are delivered or just time out.  For #1, are you sure you're not an open
> relay?  See
> http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.
>
> - Dave
>
> ----- Original Message -----
> From: "Woods, Tony" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 25, 2003 5:00 PM
> Subject: RE: Not Open Relay, but...
>
>
> > Hi John,
> >
> > Is this in response to my question #3? If so, does everyone receive
> > over 2000 messages every hour in the 'Admin' mailbox with a subject
> > line of 'Notification: Inbound Mail Failure'? I understand getting
> > some but over 2000 an hour? Each of these messages is addressed to
> > [EMAIL PROTECTED] or whatever. It's just random letters in front of the
> > domain name @dfg.com and there's just a ton of them. Thanks for any
> > ideas, all.
> >
> > Cheers,
> > Tony
> >
> > -----Original Message-----
> > From: John Strongosky [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 25, 2003 3:46 PM
> > To: Exchange Discussions
> > Subject: RE: Not Open Relay, but...
> >
> >
> > NDRs (non-delivery reports) from spammers probably.
> >
> > -----Original Message-----
> > From: Woods, Tony [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 25, 2003 3:23 PM
> > To: Exchange Discussions
> > Subject: Not Open Relay, but...
> >
> >
> > Hello,
> >
> > NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
> >
> > I've just taken over a site's Exchange server and have noticed
> > something strange. It's been some time since I had to play with
> > Exchange this deep but the Queues on my IMS keep filling up with
> > 1000's of emails. We're not an Open Relay that I can tell (I've
> > tested) but there's just a ton of 'Outbound Message Awaiting Delivery'
> > with originator <> and Destination Host of different .com's. There is
> > a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery
> > failures as well. My three questions are:
> >
> > 1) Are these messages that are trying to relay but failing?
> >
> > 2) If so, are they just going to sit in the Queue for the default 
> > time?
> >
> > 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
> > addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> > coming from?
> >
> > Thanks in advance.
> >
> > Cheers,
> > Tony
> >
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]