RE: Not Open Relay, but...
That's not entirely correct. Go to the properties of your IMS / Connections tab and in the Message Filtering section, add @enterainmentmail.net...then stop/start your IMS service. It will then drop all e-mail from that domain.

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 5:02 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

Your mail system is accepting a mail for an invalid address (i.e. [EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a message back to the sender telling them it couldn't deliver the message. But in this case, the spammer forged the sender address, so your mail server is sending you NDRs because it can't send the original NDR back to the spoofed address. Make sense?

There's not much you can do with Exchange 5.5 to avoid this situation unless the spammer is using a single IP address that you can block from being able to send mail into your system.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...

Thanks. I've also cut down the Notifications to just 'Host not Found'. One of the NDR's looks like this

A mail message could not be sent because the following host is unknown:
smdv231.entertainmentmail.net
The message that caused this notification was:
To: [EMAIL PROTECTED]
From:
Subject: Undeliverable: Sales manager or Marketing dept
-

Is this is a Relay, shouldn't I not be accepting it in the first place?

Thanks for all the insight so far...

Cheers,
Tony

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 1:30 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

They're just using dfg.com. Don't bother your MX record.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 messages sitting in the IMS queue after 8hrs? I have another site where the IMS has hardly any messages sitting in there so this is why I am concerned. What if I changed the MX record's IP address, would that help slow it down a little or are they just using dfg.com?

Cheers,
Tony

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail tab and click on the Notifications... button. My guess would be that you have the Always send notifications when non-delivery reports are generated radio button clicked. If that is the case, select the second choice and uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 NDRs a day, from spammers trying to brute force their spam through the system. I track the NDRs to create a spreadsheet for management, showing them the exponential growth of spam and the load it is placing on the servers, in order to justify new servers.

Jim

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed
RE: Not Open Relay, but...
Oh well.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

boggle

You tested someone else's domain at abuse.net without permission? You do realize that if it would have failed other tests, they get put on RBL's? Not a move I would have made. Yikes.

- Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like you're good for not being an open relay. So my opinion is that you just have a spammer who's trying to mine for addresses in your company. From what I understand, there's a new program going around the spammer world, that brute-force guesses e-mail addresses and collects the NDR's from that domain to determine what's legit and what isn't. My advice would be for you to trace back the IP address he's using and put it in your host.deny file.

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
RE: Not Open Relay, but...
I highly recommend going to one of the sites like mailabuse.org and following their directions to verify that you're not an open relay BEFORE you get blacklisted. It can be a real pain to get off all the blacklists, and your users will scream bloody murder.
RE: Not Open Relay, but...
I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them.

Thanks for any ideas, all.

Cheers,
Tony

-----Original Message-----
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDR's (non-delivery reports) from spammers probably.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:

1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming from?

Thanks in advance.

Cheers,
Tony
RE: Not Open Relay, but...
I tested it using abuse.net's relay test. It looks like you're good for not being an open relay. So my opinion is that you just have a spammer who's trying to mine for addresses in your company. From what I understand, there's a new program going around the spammer world, that brute-force guesses e-mail addresses and collects the NDR's from that domain to determine what's legit and what isn't. My advice would be for you to trace back the IP address he's using and put it in your host.deny file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High

I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them.

Thanks for any ideas, all.

Cheers,
Tony

-----Original Message-----
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDR's (non-delivery reports) from spammers probably.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:

1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming from?

Thanks in advance.

Cheers,
Tony
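Added example, not part of the thread and not written by any list member: a small Python model of the two behaviours discussed above (a server that accepts mail for unknown recipients and then queues NDRs to forged senders, versus one that answers 550 during the SMTP dialogue), plus a per-source count of unknown-recipient attempts for picking block candidates. The domains, IP addresses, mailbox list and traffic are constructed, and the model is a generic mail server, not Exchange 5.5 configuration.

```python
from collections import defaultdict

# Everything below is constructed for illustration (reserved example
# domains and documentation IP ranges), not taken from the thread.
VALID_RECIPIENTS = {"tony@dfg.example", "sales@dfg.example"}  # assumed real mailboxes
RESOLVABLE_DOMAINS = {"partner.example"}  # assumed sender domains that resolve in DNS

# Constructed inbound SMTP envelopes: (client_ip, envelope_sender, recipient).
GUESSES = ["qzxv", "hjkl", "abqw", "zzpt", "mnbv", "plok"]
SAMPLE_TRAFFIC = [
    ("203.0.113.7", f"promo@host{i}.invalid", f"{local}@dfg.example")
    for i, local in enumerate(GUESSES)
] + [
    ("198.51.100.20", "alice@partner.example", "tony@dfg.example"),
    ("198.51.100.20", "alice@partner.example", "tonny@dfg.example"),  # honest typo
    ("198.51.100.20", "bob@partner.example", "sales@dfg.example"),
]


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def accept_then_bounce(traffic):
    """Accept every recipient, then generate an NDR for the unknown ones."""
    result = {"delivered": 0, "ndrs_sent": 0, "ndrs_stuck_in_queue": 0}
    for _ip, sender, rcpt in traffic:
        if rcpt in VALID_RECIPIENTS:
            result["delivered"] += 1
        elif domain_of(sender) in RESOLVABLE_DOMAINS:
            result["ndrs_sent"] += 1  # bounce reaches the envelope sender
        else:
            # Forged sender, host unknown: the NDR waits in the outbound
            # queue until it times out and the admin gets a failure notice.
            result["ndrs_stuck_in_queue"] += 1
    return result


def reject_at_rcpt(traffic):
    """Validate the recipient during the SMTP dialogue; nothing is queued."""
    replies = defaultdict(int)
    for _ip, _sender, rcpt in traffic:
        replies[250 if rcpt in VALID_RECIPIENTS else 550] += 1
    return dict(replies)


def harvest_suspects(traffic, min_invalid=5, min_ratio=0.8):
    """Flag client IPs whose recipients are mostly distinct unknown addresses."""
    total = defaultdict(int)
    invalid = defaultdict(set)
    for ip, _sender, rcpt in traffic:
        total[ip] += 1
        if rcpt not in VALID_RECIPIENTS:
            invalid[ip].add(rcpt)
    suspects = []
    for ip, count in total.items():
        bad = len(invalid[ip])
        if bad >= min_invalid and bad / count >= min_ratio:
            suspects.append((ip, bad, count))
    # Most unknown-recipient attempts first.
    return sorted(suspects, key=lambda s: -s[1])


if __name__ == "__main__":
    print("accept-then-bounce:", accept_then_bounce(SAMPLE_TRAFFIC))
    print("reject at RCPT TO: ", reject_at_rcpt(SAMPLE_TRAFFIC))
    print("block candidates:  ", harvest_suspects(SAMPLE_TRAFFIC))
```

The ratio threshold keeps a legitimate sender with an occasional mistyped address out of the block list; both thresholds are assumptions to tune against real traffic.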
RE: Not Open Relay, but...
Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail tab and click on the Notifications... button. My guess would be that you have the Always send notifications when non-delivery reports are generated radio button clicked. If that is the case, select the second choice and uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 NDRs a day, from spammers trying to brute force their spam through the system. I track the NDRs to create a spreadsheet for management, showing them the exponential growth of spam and the load it is placing on the servers, in order to justify new servers.

Jim

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them.

Thanks for any ideas, all.

Cheers,
Tony

-----Original Message-----
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDR's (non-delivery reports) from spammers probably.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:

1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming from?

Thanks in advance.

Cheers,
Tony
RE: Not Open Relay, but...
boggle

You tested someone else's domain at abuse.net without permission? You do realize that if it would have failed other tests, they get put on RBL's? Not a move I would have made. Yikes.

- Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like you're good for not being an open relay. So my opinion is that you just have a spammer who's trying to mine for addresses in your company. From what I understand, there's a new program going around the spammer world, that brute-force guesses e-mail addresses and collects the NDR's from that domain to determine what's legit and what isn't. My advice would be for you to trace back the IP address he's using and put it in your host.deny file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High

I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them.

Thanks for any ideas, all.

Cheers,
Tony

-----Original Message-----
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDR's (non-delivery reports) from spammers probably.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:

1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming from?

Thanks in advance.

Cheers,
Tony
RE: Not Open Relay, but...
It's the testing one. Not the one that puts people on the list

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

boggle

You tested someone else's domain at abuse.net without permission? You do realize that if it would have failed other tests, they get put on RBL's? Not a move I would have made. Yikes.

- Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like you're good for not being an open relay. So my opinion is that you just have a spammer who's trying to mine for addresses in your company. From what I understand, there's a new program going around the spammer world, that brute-force guesses e-mail addresses and collects the NDR's from that domain to determine what's legit and what isn't. My advice would be for you to trace back the IP address he's using and put it in your host.deny file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High

I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them.

Thanks for any ideas, all.

Cheers,
Tony

-----Original Message-----
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDR's (non-delivery reports) from spammers probably.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:

1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming from?

Thanks in advance.

Cheers,
Tony
RE: Not Open Relay, but...
It's still not something I would have done. If you are going to test someone else's domain that you don't own, then you really ought to manually test it. If you are using a 3rd party tool, then you don't have any control over whether they send domain names that fail the relay tests to RBL's.

- Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Posted At: Thursday, June 26, 2003 2:04 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

It's the testing one. Not the one that puts people on the list

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

boggle

You tested someone else's domain at abuse.net without permission? You do realize that if it would have failed other tests, they get put on RBL's? Not a move I would have made. Yikes.

- Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like you're good for not being an open relay. So my opinion is that you just have a spammer who's trying to mine for addresses in your company. From what I understand, there's a new program going around the spammer world, that brute-force guesses e-mail addresses and collects the NDR's from that domain to determine what's legit and what isn't. My advice would be for you to trace back the IP address he's using and put it in your host.deny file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High

I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning and there's over 10,000 in the IMS Queue. I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-----Original Message-----
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found.

For #2, yes they will sit in the queue until they are delivered or just time out.

For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

----- Original Message -----
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them.

Thanks for any ideas, all.

Cheers,
Tony

-----Original Message-----
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDR's (non-delivery reports) from spammers probably.

-----Original Message-----
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:

1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming from?

Thanks in advance.

Cheers,
Tony
RE: Not Open Relay, but...
Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 messages sitting in the IMS queue after 8hrs? I have another site where the IMS has hardly any messages sitting in there so this is why I am concerned. What if I changed the MX record's IP address, would that help slow it down a little or are they just using dfg.com?

Cheers, Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail tab and click on the Notifications... button. My guess would be that you have the Always send notifications when non-delivery reports are generated radio button clicked. If that is the case, select the second choice and uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to brute force their spam through the system. I track the NDRs to create a spreadsheet for management, showing them the exponential growth of spam and the load it is placing on the servers, in order to justify new servers.

Jim
RE: Not Open Relay, but...
Your best solution is to find out the source of those messages, and then block the domain,

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 messages sitting in the IMS queue after 8hrs? I have another site where the IMS has hardly any messages sitting in there so this is why I am concerned. What if I changed the MX record's IP address, would that help slow it down a little or are they just using dfg.com?

Cheers, Tony
RE: Not Open Relay, but...
H...well it would be for me, but then again, I'm not sure I have the qualifications to answer that question. We are a small company (and getting smaller by the day!) of roughly 600 people. If you're a big company, you may be getting significantly larger numbers of messages sitting in your IMS queue.

Our current time-out period for attempting delivery is 72 hours. Until that time expires, they WILL sit in the IMS queue awaiting delivery. Then they will generate a non-delivery notification to your Admin mailbox.

I would probably get a lot more of those sitting in my queue, if I didn't have so many spam domains in my block list. That and the fact that I delete them at least once a day.
RE: Not Open Relay, but...
They're just using dfg.com. Don't bother your MX record.
RE: Not Open Relay, but...
Thanks. I've also cut down the Notifications to just 'Host not Found'. One of the NDR's looks like this

A mail message could not be sent because the following host is unknown:
smdv231.entertainmentmail.net
The message that caused this notification was:
To: [EMAIL PROTECTED]
From:
Subject: Undeliverable: Sales manager or Marketing dept
-
Is this is a Relay, shouldn't I not be accepting it in the first place?

Thanks for all the insight so far...

Cheers, Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 1:30 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

They're just using dfg.com. Don't bother your MX record.
Re: Not Open Relay, but...
Your mail system is accepting a mail for an invalid address (i.e. [EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a message back to the sender telling them it couldn't deliver the message. But in this case, the spammer forged the sender address, so your mail server is sending you NDRs because it can't send the original NDR back to the spoofed address. Make sense?

There's not much you can do with Exchange 5.5 to avoid this situation unless the spammer is using a single IP address that you can block from being able to send mail into your system.

- Dave

- Original Message -
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...

Thanks. I've also cut down the Notifications to just 'Host not Found'. One of the NDR's looks like this

A mail message could not be sent because the following host is unknown:
smdv231.entertainmentmail.net
The message that caused this notification was:
To: [EMAIL PROTECTED]
From:
Subject: Undeliverable: Sales manager or Marketing dept
-
Is this is a Relay, shouldn't I not be accepting it in the first place?

Thanks for all the insight so far...

Cheers, Tony
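Dave Mills's reply in this thread says blocking only helps when the probes come from a single IP address. The following is an added example, not part of the original thread, that checks this from connection records; the record format, the mailbox list and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

LOCAL_DOMAIN = "dfg.com"                         # domain named in the thread
VALID_LOCAL_PARTS = {"tony", "admin", "sales"}   # assumed mailbox list

# Constructed records: "<time> <connecting IP> <RCPT TO address>".
# This is NOT the Exchange 5.5 IMS log format; IPs are documentation ranges.
SAMPLE_RECORDS = """\
09:00:01 192.0.2.10 qxzt@dfg.com
09:00:01 192.0.2.10 abkd@dfg.com
09:00:02 192.0.2.10 mmrw@dfg.com
09:00:02 192.0.2.10 jsmith@dfg.com
09:00:03 192.0.2.10 zzpl@dfg.com
09:00:03 192.0.2.10 hgfe@dfg.com
09:00:04 192.0.2.10 info1@dfg.com
09:00:04 192.0.2.10 wqyk@dfg.com
09:02:10 198.51.100.7 tony@dfg.com
09:02:11 198.51.100.7 Sales@DFG.com
09:05:30 198.51.100.7 tonny@dfg.com
09:07:45 203.0.113.5 someone@example.net
09:07:46 203.0.113.5 bob@dfg.com
garbled line without fields
"""


def parse_record(line):
    """Return (ip, local_part, domain), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _, ip, rcpt = parts
    local, sep, domain = rcpt.lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    return ip, local, domain


def analyse(text, min_unknown=5, max_valid_share=0.2, min_coverage=0.75):
    """Flag address-guessing sources and say whether IP blocking would help.

    A source is flagged when it tried at least `min_unknown` distinct
    non-existent local addresses and at most `max_valid_share` of its local
    recipients were real. Blocking by IP is judged worthwhile only when the
    flagged sources account for `min_coverage` of all unknown-recipient
    attempts; a flood spread thinly over many hosts fails that test.
    """
    per_ip = defaultdict(
        lambda: {"unknown": 0, "distinct": set(), "valid": 0, "relay": 0}
    )
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            skipped += 1              # count, do not silently drop
            continue
        ip, local, domain = rec
        stats = per_ip[ip]
        if domain != LOCAL_DOMAIN:
            stats["relay"] += 1       # relay attempt, not an address probe
        elif local in VALID_LOCAL_PARTS:
            stats["valid"] += 1
        else:
            stats["unknown"] += 1     # this is what produces an NDR
            stats["distinct"].add(local)

    flagged = []
    for ip, stats in per_ip.items():
        local_total = stats["valid"] + stats["unknown"]
        if local_total == 0:
            continue
        valid_share = stats["valid"] / local_total
        if len(stats["distinct"]) >= min_unknown and valid_share <= max_valid_share:
            flagged.append(ip)
    flagged.sort()

    total_unknown = sum(s["unknown"] for s in per_ip.values())
    from_flagged = sum(per_ip[ip]["unknown"] for ip in flagged)
    coverage = from_flagged / total_unknown if total_unknown else 0.0
    return {
        "flagged": flagged,
        "coverage": round(coverage, 3),
        "block_by_ip": bool(flagged) and coverage >= min_coverage,
        "relay_attempts": sum(s["relay"] for s in per_ip.values()),
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_RECORDS))
```

A sender who mistypes one address, like the second source in the sample, stays below both thresholds and is not flagged.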
RE: Not Open Relay, but...
Thanks, Dave. That's crystal clear. Cheers, Tony -Original Message- From: Dave Mills [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 4:02 PM To: Exchange Discussions Subject: Re: Not Open Relay, but... Your mail system is accepting a mail for an invalid address (i.e. [EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a message back to the sender telling them it couldn't deliver the message. But in this case, the spammer forged the sender address, so your mail server is sending you NDRs because it can't send the original NDR back to the spoofed address. Make sense? There's not much you can do with Exchange 5.5 to avoid this situation unless the spammer is using a single IP address that you can block from being able to send mail into your system. - Dave - Original Message - From: Woods, Tony [EMAIL PROTECTED] To: Exchange Discussions [EMAIL PROTECTED] Sent: Thursday, June 26, 2003 4:26 PM Subject: RE: Not Open Relay, but... Thanks. I've also cut down the Notifications to just 'Host not Found'. One of the NDR's looks like this A mail message could not be sent because the following host is unknown: smdv231.entertainmentmail.net The message that caused this notification was: To: [EMAIL PROTECTED] From: Subject: Undeliverable: Sales manager or Marketing dept - Is this is a Relay, shouldn't I not be accepting it in the first place? Thanks for all the insight so far... Cheers, Tony -Original Message- From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 1:30 PM To: Exchange Discussions Subject: RE: Not Open Relay, but... They're just using dfg.com. Don't bother your MX record. -Original Message- From: Woods, Tony [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 1:37 PM To: Exchange Discussions Subject: RE: Not Open Relay, but... Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 messages sitting in the IMS queue after 8hrs? 
I have another site where the IMS has hardly any messages sitting in there so this is why I am concerned. What if I changed the MX record's IP address, would that help slow it down a little or are they just using dfg.com? Cheers, Tony -Original Message- From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 10:10 AM To: Exchange Discussions Subject: RE: Not Open Relay, but... Tony, Open up the properties page of your IMS Connection, go to the Internet Mail tab and click on the Notifications... button. My guess would be that you have the Always send notifications when non-delivery reports are generated radio button clicked. If that is the case, select the second choice and uncheck the options that you don't want. I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to brute force their spam through the system. I track the NDRs to create a spreadsheet for management, showing them the exponential growth of spam and the load it is placing on the servers, in order to justify new servers. Jim -Original Message- From: Woods, Tony [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 9:58 AM To: Exchange Discussions Subject: RE: Not Open Relay, but... I've tested via telnet and from home using Outlook Express and it always replies with 550 so I think I'm good there. Just the amount of mail is insane. I came in this morning at there's over 10,000 in the IMS Queue. I guess eventually it will slow down... Thanks to all. Cheers, Tony -Original Message- From: Dave Mills [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 25, 2003 5:28 PM To: Exchange Discussions Subject: Re: Not Open Relay, but... For #3, what you are seeing is spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them, your best bet would be to turn off the notification on your IMS for E-mail address could not be found. For #2, yes they will sit in the queue until they are delivered or just time out. 
For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

- Original Message -
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them. Thanks for any ideas, all.

Cheers, Tony
RE: Not Open Relay, but...
NDRs (non-delivery reports) from spammers probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com.

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:
1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED]. Where are these all coming from?

Thanks in advance.

Cheers, Tony

List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
RE: Not Open Relay, but...
Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them. Thanks for any ideas, all.

Cheers, Tony

-Original Message-
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDRs (non-delivery reports) from spammers probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com.

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:
1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED]. Where are these all coming from?

Thanks in advance.
Cheers, Tony
Re: Not Open Relay, but...
For #3, what you are seeing is a spammer trying to find valid addresses @dfg.com by simply guessing addresses and trying them. Your best bet would be to turn off the notification on your IMS for E-mail address could not be found.
For #2, yes they will sit in the queue until they are delivered or just time out.
For #1, are you sure you're not an open relay? See http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

- Original Message -
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

Hi John,

Is this in response to my question #3? If so, does everyone receive over 2000 messages every hour in the 'Admin' mailbox with a subject line of 'Notification: Inbound Mail Failure'? I understand getting some but over 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or whatever. It's just random letters in front of the domain name @dfg.com and there's just a ton of them. Thanks for any ideas, all.

Cheers, Tony

-Original Message-
From: John Strongosky [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

NDRs (non-delivery reports) from spammers probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com.

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's.
There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:
1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED]. Where are these all coming from?

Thanks in advance.

Cheers, Tony
RE: Not Open Relay, but...
1. Probably not. If your Exchange faces the Internet, it should reject the relay attempt during the RCPT TO: command, so the messages won't be accepted for delivery and therefore they won't be NDRed.
2. Yes.
3. If dfg.com is your domain then it's normal spam to automatically generated addresses.

Ed Crowley MCSE+I MVP
There are seldom good technological solutions to behavioral problems.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com.

I've just taken over a site's Exchange server and have noticed something strange. It's been some time since I had to play with Exchange this deep but the Queues on my IMS keep filling up with 1000's of emails. We're not an Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound Message Awaiting Delivery' with originator and Destination Host of different .com's. There is a ton of Inbound Mail Failures in the 'Admin' mailbox for delivery failures as well.

My three questions are:
1) Are these messages that are trying to relay but failing?
2) If so, are they just going to sit in the Queue for the default time?
3) For the Inbound Mail Failures, a lot of them are going to bogus addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED]. Where are these all coming from?

Thanks in advance.

Cheers, Tony
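The difference between refusing a recipient during RCPT TO and accepting the message and bouncing it later, which the replies in this thread describe, shown as an added Python model that is not part of the thread and is not Exchange code. The domain dfg.example, the mailbox list, the sample traffic and the validate_at_rcpt switch are constructed for illustration; the switch is a property of this model, not an Exchange 5.5 setting.

```python
"""Added example: a constructed model of an SMTP receiver, not Exchange code."""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "dfg.example"                            # constructed stand-in domain
DIRECTORY = {"tony@dfg.example", "admin@dfg.example"}   # constructed mailboxes

# Constructed traffic: (forged envelope sender, recipient)
ATTEMPTS = [
    ("sales@nohost.invalid", "qzrtw@dfg.example"),    # guessed address
    ("sales@nohost.invalid", "aabx@dfg.example"),     # guessed address
    ("sales@nohost.invalid", "mmkpl@dfg.example"),    # guessed address
    ("sales@nohost.invalid", "zzyqa@dfg.example"),    # guessed address
    ("sales@nohost.invalid", "tony@dfg.example"),     # real mailbox
    ("sales@nohost.invalid", "user@other.example"),   # relay attempt
]

@dataclass
class Receiver:
    validate_at_rcpt: bool          # hypothetical switch, exists in this model only
    ndr_queue: list = field(default_factory=list)   # bounces awaiting delivery
    admin_notifications: int = 0

    def rcpt_to(self, rcpt: str) -> int:
        """SMTP reply code for one RCPT TO command."""
        rcpt = rcpt.lower()
        if rcpt.rsplit("@", 1)[-1] != LOCAL_DOMAIN:
            return 550              # not our domain: relay refused in-session
        if self.validate_at_rcpt and rcpt not in DIRECTORY:
            return 550              # unknown user refused in-session
        return 250

    def receive(self, mail_from: str, rcpt: str) -> int:
        code = self.rcpt_to(rcpt)
        if code == 250 and rcpt.lower() not in DIRECTORY:
            # Accepted but undeliverable: this server now owns the bounce and
            # addresses it to the (forged) envelope sender.
            self.ndr_queue.append(mail_from)
            self.admin_notifications += 1
        return code

def simulate(validate_at_rcpt: bool) -> dict:
    rx = Receiver(validate_at_rcpt)
    codes = [rx.receive(sender, rcpt) for sender, rcpt in ATTEMPTS]
    return {"rejected": codes.count(550), "ndrs_queued": len(rx.ndr_queue),
            "admin_notifications": rx.admin_notifications}

if __name__ == "__main__":
    print("accept then bounce:", simulate(False))
    print("reject at RCPT TO: ", simulate(True))
```

In the accept-then-bounce case every guessed address leaves one NDR in the outbound queue for a host that cannot be resolved, which matches the queue growth and 'Inbound Mail Failure' notifications described in the thread.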