I think "Anonymous Access" (not "Anonymous Authentication Allowed") and
"Allow computers which successfully authenticate to relay" settings
belong in different contexts. One context is about *simply being able to
connect to the SMTP virtual server*, the other context is about being
able to relay.

I think you are extrapolating too much.

Somehow it never dawned on me to merge these two contexts. Maybe because
I had seen similar settings in many other SMTP server packages before.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

P.S. if you turn off Anonymous Access, expect to never receive any mail
from the Internet.


-----Original Message-----
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 2:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account
was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take
a look at this for no other reason than to at least modify the wording on
the check boxes. I mean "Anonymous Authentication allowed" and "Allow
computers which successfully authenticate..." on the surface seems to
indicate that yes, you can anonymously authenticate and relay messages,
which I cannot imagine would ever really be very useful to anyone except a
spammer. I mean, change the wording or add a checkbox to specifically
allow, not allow relaying by anonymous authentication. Who knows, I don't
want to start another freaking firestorm about how much I hate Microsoft,
yadda, yadda. I guess my point is that it is OBVIOUSLY an issue
specifically in a lot of small 1-50 person shops that use a single
Exchange server for everything. This is where I have come in and seen it
as a problem. These are exactly the people that don't generally have
qualified IT help, thus because the default configuration seems to allow
this kind of relaying issue it is a "feature" of the product that is
adding to the overall spam problem on the Internet. Maybe the MVP gods and
Microsoft care, maybe not, but I want to be absolutely clear that I do not
care one iota, because if I did everyone would just tell me how stupid and
ignorant and a wife beater I am. So, I don't care and please do not
mistakenly believe that I care. God help us all if an MVP reads this,
thinks I care and starts another massive thread of pointless arguing.

> It is possible that a user account was compromised ... but here is the
> scenario I had and what "worked" to fix it ...
>
> Setup:
> Win2K sp4; Exch 2k sp3; 5000 pop3/imap/mapi/http users on a closed user
> group (noted through ips in the relay tab ...); guest account disabled;
> SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all computers
> which successfully authenticate to relay, regardless of the list above."
> was checked ...
>
> Issue:
> My queues were huge; relaying may not have been going on (I did have a
> couple of external complaints that I was allowing relaying; but never
> made it on a list --- whew), but we were accepting the mail and then
> processing it internally; it was becoming a performance issue .... this
> internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then
> we were getting our own NDR's back ... etc ..
>
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all
> computers which successfully authenticate to relay, regardless of the
> list above." ... all the relaying (or attempt at it) stopped
>
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab
> that must be checked ....
>
> P.S.:
> I tell users they can still pop their mail from outside our closed user
> group; but they must use their ISP's SMTP relay for sending mail or use
> OWA ...
>
> Mike
>
> -----Original Message-----
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it doesn't
> have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator? Do you
> "leak" user IDs to the outside world? Web pages? Email addresses? IM
> aliases? Backups run under the user ID "backup"?
> 
> Dictionary password attack. Spammers have lots of patience.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 12:11 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> This may very well be the case. I cannot say one way or another. When I
> have seen this, it has always been the case that I am there fixing
> something else and happen upon this problem, fix it and move on. I DO
> know that I have seen it on boxes where the Guest account is disabled,
> but that does not rule out the possibility that some other account was
> compromised.
> 
> > However, I would welcome any information that proves me otherwise.
> > i.e. configure these settings, with the guest account disabled, and
> > prove that it actually will relay - not authenticated relay, that
> > doesn't count.  If it is authenticated relay, it is because a password
> > was compromised.
> >
> > Ben Winzenz
> > Network Engineer
> > Gardner & White
> > (317) 581-1580 ext 418
> >
> > -----Original Message-----
> > From: Ben Winzenz
> > Posted At: Thursday, December 18, 2003 11:48 AM
> > Posted To: Exchange (Swynk)
> > Conversation: Open Relay/Spamcop
> > Subject: RE: Open Relay/Spamcop
> >
> > I still think you are smoking crack on this, Greg.  I have never seen
> > a properly configured Exchange 2000 server relay UNLESS a user account
> > was compromised, or the guest account was enabled.  I've tested it and
> > tested again, and never found Exchange to relay with those settings.
> >
> > Ben Winzenz
> > Network Engineer
> > Gardner & White
> > (317) 581-1580 ext 418
> >
> > -----Original Message-----
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Posted At: Thursday, December 18, 2003 11:37 AM
> > Posted To: Exchange (Swynk)
> > Conversation: Open Relay/Spamcop
> > Subject: RE: Open Relay/Spamcop
> >
> > Hey, thanks for the confirmation. People have told me that I am
> > smoking crack and that the Exchange servers were horribly
> > misconfigured. It's nice to know that I am not smoking crack.
> >
> > > I concur with greg ... our server had those settings and we were
> > > being used as a relay ... turned off "Allow all computers which
> > > successfully authenticate to relay, regardless of the list above."
> > > and that stopped it ...
> > >
> > > Mike
> > >
> > > -----Original Message-----
> > > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, December 18, 2003 11:17 AM
> > > To: Exchange Discussions
> > > Subject: Re: Open Relay/Spamcop
> > >
> > > This may or may not be the problem, but I have seen spammers able to
> > > relay off an Exchange server if the following configuration applies:
> > >
> > > 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
> > >    Access page, Authentication.
> > > 2. And, "Allow all computers which successfully authenticate to relay,
> > >    regardless of the list above." is checked. SMTP Virtual Server
> > >    properties, Access page, Relay.
> > >
> > > > Hello All and Happy Holidays!
> > > >
> > > > I have a colleague whose Exchange 2000 server is being reported as
> > > > Open Relay by spamcop for the past month.  I have tested his relay
> > > > by setting up a POP account in Outlook, putting the server that is
> > > > being reported as Open relay as my Outgoing SMTP server.
> > > >
> > > > When I try to send a message using Outlook, I get a return message
> > > > that 550 5.7.1 Unable to relay.  I am relieved that it could not
> > > > relay.  That is good, however, why then is spamcop still reporting
> > > > it to be open relay?
> > > >
> > > > I have checked (over the phone) all his Virtual SMTP Server settings
> > > > to verify correct configuration.  Everything seems to be "checked"
> > > > or "unchecked" as recommended by Microsoft.
> > > >
> > > > We have Stopped/Started Services for SMTP
> > > >
> > > > The Exchange 2000 server is behind a NAT and I have looked into the
> > > > possibility of this.  I have been out on the spamcop site and for
> > > > the life of me cannot find a way to make them check the server again
> > > > to see if it is closed relay like ORDB does.
> > > >
> > > > Any ideas or comments????
> > > >
> > > > Samantha Bridges
> > > > Communications Technician
> > > > Macomb Intermediate School District
> > > > 44001 Garfield Road
> > > > Clinton Township  MI  48038-1100
> > > > (586) 228-3300
> > > >
> > > > [EMAIL PROTECTED]
> > > > http://www.misd.net
> > > >
> > > _________________________________________________________________
> > > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > > Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > > Exchange List admin:    [EMAIL PROTECTED]

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
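
The distinction drawn in this thread between being allowed to connect and being allowed to relay, sketched as an added example that is not part of the original messages and is not Exchange's own logic. It is a simplified model of the behaviour as the thread's respondents describe it; the class and function names, the `example.org` local domain, the IP ranges and the 530 reply text are assumptions made for illustration.

```python
# Simplified model (an assumption, not Exchange code) of the two separate
# decisions discussed in the thread: connecting vs. relaying.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VirtualServer:
    anonymous_access: bool = True        # Access > Authentication > Anonymous access
    relay_networks: list = field(default_factory=list)  # Access > Relay list
    auth_may_relay: bool = True          # "Allow all computers which successfully
                                         # authenticate to relay, regardless of the list above."
    local_domains: tuple = ("example.org",)  # hypothetical local mail domain


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False  # True only after AUTH succeeds with real credentials


def rcpt_decision(server, session, rcpt):
    """Return the reply this model gives to RCPT TO:<rcpt>."""
    # Context 1: may this client use the virtual server at all?
    # An anonymous session is simply one that never authenticated.
    if not session.authenticated and not server.anonymous_access:
        return "530 Authentication required"  # constructed reply text
    # Mail for a local domain is delivery, not relaying.
    if rcpt.rsplit("@", 1)[-1].lower() in server.local_domains:
        return "250 OK"
    # Context 2: relaying to a foreign domain.
    ip = ip_address(session.client_ip)
    if any(ip in ip_network(net) for net in server.relay_networks):
        return "250 OK"
    if session.authenticated and server.auth_may_relay:
        return "250 OK"  # any valid account, including a guessed one
    return "550 5.7.1 Unable to relay"


if __name__ == "__main__":
    srv = VirtualServer(relay_networks=["10.0.0.0/8"])
    for label, sess in [("anonymous", Session("203.0.113.7")),
                        ("authenticated", Session("203.0.113.7", True))]:
        for rcpt in ("user@example.org", "someone@example.net"):
            print(label, rcpt, "->", rcpt_decision(srv, sess, rcpt))
```

In this model the relay checkbox only matters once a session holds valid credentials, which is why account hygiene (guest account, weak passwords) decides whether the setting is exploitable.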
