Open relay issues

2003-09-04 Thread Pat Richard
Okay, I'm still looking through the archives and stuff, but it's late, so I'll post 
this before I call it a night.
 
Client has a server that suddenly shuts down.
 
I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the badmail 
folder. All dated within the last two or three days. The server had shut down because 
the drive ran out of space.
 
So I clear that up and start nosing around...
 
I check for open relay (telnet), and can't find any problem. I start to think maybe 
this is a SoBig.F issue, until I read some of the NDRs.
 
Within fifteen minutes, badmail starts to accumulate again. I look further, and see a 
connection in the OPEN SESSIONS section of System Manager. I kill the connection after 
jotting down some details. Queues are just jammed full of crap - Viagra ads, etc.
I clear this out again, along with badmail, and start watching. Sure enough, a short 
time later, someone from the same IP subnet connects and it starts all over.
I look through a ton of articles on open relay, and everything checks out. Then, I run 
this test: http://tools.appriver.com/openrelay.php which basically tries to relay using 
various combinations of addressing formats.
Test #14 fails
Test #16 fails
Test #28 fails
#14 uses an RCPT TO format of 
RCPT TO: [EMAIL PROTECTED] 
Notice the quotes.
#16 uses
RCPT TO: relaytest%appriver.com 
Notice the quotes and the %.
#28 uses
RCPT TO: appriver.com!relaytest 
Notice the format there.
 
I manually tried each one via telnet against the server. Sure enough, the server 
doesn't complain. But every one bounces back with an NDR complaining about the 
recipient address. So my belief is that they're attempting one (or more) of these 
methods, and all of them are bouncing, causing the badmail problem.
 
My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3. Connection 
is firewalled T1.
 
Any help would be greatly appreciated. Thanks!
[EMAIL PROTECTED]

Re: Open relay issues

2003-09-04 Thread Chris Scharff
Those aren't relay failures; there's nothing to fix. They are (exclusively, I
think) tests for other mail servers which at one point used to incorrectly
relay mail formatted like that. Exchange does not. My server 'fails' the
same tests. If you crank up logging on the SMTP conversation, what addresses
is the connecting IP address sending to?

 From: Pat Richard [EMAIL PROTECTED]
 Reply-To: Exchange Discussions [EMAIL PROTECTED]
 Date: Thu, 4 Sep 2003 23:25:10 -0400
 To: Exchange Discussions [EMAIL PROTECTED]
 Subject: Open relay issues

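The two things the thread turns on are (a) how a non-relaying MTA should read the source-routed recipient forms the AppRiver tester sends (user%remote@local, remote!user@local, "user@remote"@local) and (b) the check Chris suggests: turn up SMTP protocol logging and see what addresses the connecting IP is sending to. The following is an added example, not code from this thread, from Exchange or from the AppRiver tool. It implements both as plain Python: a RCPT TO policy function that judges an address by the domain mail would really be forwarded to, and a summary over SMTP protocol log lines that, per client IP, counts RCPT TO commands naming an outside mailbox and how many of those the server answered 250. The local domain, the trusted client network, the W3C-style log field layout and every address and IP in the log are constructed for the example (the appriver.com test addresses are the ones quoted in the post).

```python
"""Added example: RCPT TO relay policy plus an SMTP protocol log summary.
rcpt_decision() treats the legacy source-routed forms (user%remote@local,
remote!user@local, "user@remote"@local, <@route:user@remote>) by the domain
mail would really go to, not the domain after the last '@'.
summarize_smtp_log() reads constructed W3C-style SMTP log lines and reports,
per connecting IP, RCPT TOs aimed outside the local domains and how many
the server accepted with 250.  All names, domains, IPs and log fields are
constructed for this example.
"""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}      # constructed: domains this server accepts mail for
TRUSTED_RELAY_NETS = ("192.0.2.",)   # constructed: LAN clients allowed to relay outbound


def parse_rcpt(arg):
    """Split an RCPT TO argument into (local_part, domain, local_part_was_quoted)."""
    m = re.match(r'^\s*(?:to:)?\s*<?(.*?)>?\s*$', arg, re.IGNORECASE)
    addr = m.group(1) if m else arg.strip()
    if addr.startswith("@") and ":" in addr:        # RFC 821 route <@a,@b:user@dest>
        addr = addr.split(":", 1)[1]                # RFC 2821: ignore the route part
    if addr.startswith('"'):                        # quoted local part "user@remote"@local
        end = addr.find('"', 1)
        if end < 0 or not addr[end + 1:].startswith("@"):
            raise ValueError("malformed quoted local part")
        return addr[1:end], addr[end + 2:].lower(), True
    if "@" not in addr:
        raise ValueError("no domain")
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower(), False


def real_destination(local, domain, quoted):
    """Domain the mail would really go to if the source route were honoured."""
    if quoted and "@" in local:
        return local.rsplit("@", 1)[1].lower()      # "user@remote"@local -> remote
    if "%" in local:
        return local.rsplit("%", 1)[1].lower()      # user%remote@local   -> remote
    if "!" in local:
        return local.split("!", 1)[0].lower()       # remote!user@local   -> remote
    return domain


def rcpt_decision(rcpt_arg, client_ip):
    """Return 'local', 'relay-ok' or 'reject' for one RCPT TO from client_ip."""
    try:
        local, domain, quoted = parse_rcpt(rcpt_arg)
    except ValueError:
        return "reject"
    dest = real_destination(local, domain, quoted)
    if domain in LOCAL_DOMAINS and dest in LOCAL_DOMAINS:
        return "local"
    if client_ip.startswith(TRUSTED_RELAY_NETS):
        return "relay-ok"
    return "reject"                                 # outside client, outside destination


# Constructed log excerpt; spaces inside a field are written as '+' as in W3C logs.
SMTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2003-09-04 23:10:01 198.51.100.7 MAIL +FROM:<ads@example.net> 250
2003-09-04 23:10:02 198.51.100.7 RCPT +TO:<relaytest%appriver.com@example.com> 250
2003-09-04 23:10:02 198.51.100.7 RCPT +TO:<"relaytest@appriver.com"@example.com> 250
2003-09-04 23:10:03 198.51.100.7 RCPT +TO:<appriver.com!relaytest@example.com> 250
2003-09-04 23:10:03 198.51.100.7 RCPT +TO:<relaytest@appriver.com> 550
2003-09-04 23:11:41 192.0.2.10 RCPT +TO:<list@example.net> 250
2003-09-04 23:12:05 203.0.113.9 RCPT +TO:<bob@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def summarize_smtp_log(text):
    """Per client IP: RCPT count, external-destination RCPTs, 250s on those, routed args."""
    stats = defaultdict(lambda: {"rcpt": 0, "external": 0, "external_250": 0, "routed": []})
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT":
            continue
        s = stats[rec["c-ip"]]
        s["rcpt"] += 1
        arg = rec["cs-uri-query"].replace("+", " ").strip()
        try:
            local, domain, quoted = parse_rcpt(arg)
        except ValueError:
            continue                                # unparsable: counted as RCPT only
        dest = real_destination(local, domain, quoted)
        if dest != domain:
            s["routed"].append(arg)                 # source-routed form was used
        if dest not in LOCAL_DOMAINS:
            s["external"] += 1
            if rec.get("sc-status") == "250":
                s["external_250"] += 1
    return dict(stats)


def relay_probes(stats):
    """Untrusted IPs that got a 250 on an RCPT whose real destination is not local."""
    return sorted(ip for ip, s in stats.items()
                  if s["external_250"] and not ip.startswith(TRUSTED_RELAY_NETS))
```

Run against the constructed log, 198.51.100.7 is the only untrusted client with accepted external-destination recipients, and all three of them use source-routed forms; 192.0.2.10 relays but is on the trusted LAN, and 203.0.113.9 only addresses a local mailbox. A 250 here means the server accepted the RCPT at the protocol level, which is what the post describes: the recipient looks local by its final domain, so it is taken in and then bounced. Whether an accepted recipient was actually relayed or ended in badmail is then answered by the queues, not by this summary; the 550 on the plain outside address shows what a refused relay looks like in the same log.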

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]