If a spammer sends mail to an invalid mailbox at some e-mail domain and spoofs that the mail is coming from your e-mail domain, it is your server that will get the NDRs.
If a spammer sends mail to your e-mail domain to addresses that don't exist, Exchange will reply to whatever address it thinks the mail is coming from, which is almost invariably a forged address, with an NDR that has a blank from address. This is the way it works, and neither situation has anything to do with your server being an open relay. If you post your e-mail domain name, several of us will do some checks to see if you're an open relay and we won't have to have these arguments. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jees Sent: Tuesday, January 06, 2004 3:49 PM To: Exchange Discussions Subject: RE: getting heaps of spams James, few of these emails are directed to my domain, however the large portion of these junkies are going to third part emails, like Yahoo etc. Many thanks. --- "Blunt, James H (Jim)" <[EMAIL PROTECTED]> wrote: > Just because he is getting 4000 NDR's an hour still doesn't indicate > that he is an open relay. It simply means that someone spamming his > domain name is trying to brute-force the spam through in mass > quantities (probably ~50,000 at a time) by appending every combination > they can think of, to the left of his domain name (e.g., > [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], etc.). > > -----Original Message----- > From: Bailey, Matthew [mailto:[EMAIL PROTECTED] > Sent: Tuesday, January 06, 2004 6:54 AM > To: Exchange Discussions > Subject: RE: getting heaps of spams > > > Are you dealing with Spam received in the Inbox of your users or 4000 > NDRs per hour? The answer to this question will really tell you what > you need to do. If you are receiving 4000 messages per hour in your > user's mailboxes then you REALLY need a Spam filtering solution (we > use SurfControl's product and love it). If your postmaster mailbox is > filled with 4000 NDR's, then you need to close the open relay. (and > still consider getting a spam filtering product). > > My $0.02, > > - Matt > > -----Original Message----- > From: Jees [mailto:[EMAIL PROTECTED] > Sent: Monday, January 05, 2004 7:16 PM > To: Exchange Discussions > Subject: RE: getting heaps of spams > > > > Ed, thanks for your response. Getting spams on my exchange is a > daily retual to me, however, not as much as 4000 or more spam emails > withing the hour. > > Last time, when i had such a high volume of spam, we had a look at > \\exchange server\tracking.log and figured out that one of the > exchange server within the enterprise had open for relaying. I can't > remember now how we worked it out then, but probably experienced heaps > of entries from the spamming exchange server. > > Hope i am making sense. > > > > > --- "Ed Crowley [MVP]" <[EMAIL PROTECTED]> wrote: > > You can be completely relay secure yet get > bombarded > > with spam. All > > Exchange servers will let spam through. Looking > at > > the Internet headers of > > each message will show the stamps of the servers which handled the > > message. > > > > Ed Crowley MCSE+Internet MVP > > Freelance E-Mail Philosopher > > Protecting the world from PSTs and Bricked > Backups!T > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Jees > > Sent: Sunday, January 04, 2004 5:21 PM > > To: Exchange Discussions > > Subject: getting heaps of spams > > > > i have exchange 5.5 sp4 running on win 2k sp4. We have number of > > exchanges around the globe that has trusts between them. > > > > I am currently getting tens of thausands of spam email, however my > > exchange is tested and has no relying problem. I am > expecting > > one of the exchange > > servers within the global enterprise is open to relying. > > > > Can someone tell me how i can check which exchange server letting > > all these spam email to drain to my server? > > > > thank you all in advance > > > > __________________________________ > > Do you Yahoo!? > > Find out what made the Top Yahoo! Searches of 2003 > > > http://search.yahoo.com/top2003 > > > > > _________________________________________________________________ > > List posting FAQ: > > http://www.swinc.com/resource/exch_faq.htm > > Web Interface: > > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=& > lang > > =english > > To unsubscribe: > > mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > > > > _________________________________________________________________ > > List posting FAQ: > > http://www.swinc.com/resource/exch_faq.htm > > Web Interface: > > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=& > lang=english > > To unsubscribe: > > mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > __________________________________ > Do you Yahoo!? > Yahoo! Hotjobs: Enter the "Signing Bonus" > Sweepstakes > http://hotjobs.sweepstakes.yahoo.com/signingbonus > > _________________________________________________________________ > List posting FAQ: > http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=& > lang=english > To unsubscribe: > mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > > > > _________________________________________________________________ > List posting FAQ: > http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang > =english > To unsubscribe: > mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: > http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english > To unsubscribe: > mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] __________________________________ Do you Yahoo!? Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes http://hotjobs.sweepstakes.yahoo.com/signingbonus _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.