subject:"open relay"

Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being
 used as a relay ... turned off Allow all computers which successfully
 authenticate to relay, regardless of the list above. and that stopped
 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,
 Access page, Authentication. 2. And, Allow all computers which
 successfully authenticate to relay, regardless of the list above. is
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20
  setting up a POP account in Outlook, putting the server that is being=20
  reported as Open relay as my Outgoing SMTP server. =3D20
 =20
  When I try to send a message using Outlook, I get a return message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not relay.
  That is good, however, why then is spamcop still reporting it to be=20
  open relay? =3D20
 =20
  I have checked (over the phone) all his Virtual SMTP Server settings=20
  to verify correct configuration.  Everything seems to be checked or=20
  unchecked as recommended by Microsoft.
 =20
  We have Stopped/Started Services for SMTP
 =20
  The Exchange 2000 server is behind a NAT and I have looked into the=20
  possibility of this.  I have been out on the spamcop site and for the=20
  life of me cannot find a way to make them check the server again to=20
  see if it is closed relay like ORDB does. =3D20
 =20
  Any ideas or comments =3D20
 =20
 =20
 =20
  Samantha Bridges
  Communications Technician
  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, use,
 
  disclosure or distribution is prohibited. If you are not the intended=20
  recipient, please contact the sender by reply email and destroy all=20
  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mode=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

I'm gonna comment on this one again.  This type of vulnerability should
only be an issue if your Guest account is enabled.  You HAVE to leave
anonymous access on if you want other mail systems to communicate with
you.  If you have POP3 and/or IMAP clients, you must leave the box
checked to allow all computers which successfully relay  I have
never seen a case where the server truly was an open relay with these
settings.

If your configuration was like this, than likely what happened is one of
your accounts was compromised.  Exchange WILL NOT relay with those
settings unless you successfully authenticate, such as you do when you
specify that the outgoing smtp server requires authentication.  Also, if
this is the case, it is NOT a case where you were an open relay, it is a
case where an account was compromised and allowed to relay off the
server.  Configuring user accounts with strong passwords, and
configuring them to lock out after x number of unsuccessful logins
should mitigate any risk of SMTP Auth attacks, aside from a user
revealing their password.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:23 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I concur with greg ... our server had those settings and we were being
used as a relay ... turned off Allow all computers which successfully
authenticate to relay, regardless of the list above. and that stopped
it ...

Mike



-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop


This may or may not be the problem, but I have seen spammers able to
relay off an Exchange server if the following configuration applies:

1. If Anonymous access is turned on. SMTP Virtual Server properties,
Access page, Authentication. 2. And, Allow all computers which
successfully authenticate to relay, regardless of the list above. is
checked. SMTP Virtual Server properties, Access page, Relay.



 Hello All and Happy Holidays!
 
 I have a colleague whos Exchange 2000 server is being reported as Open

 Relay by spamcop for the past month.  I have tested his relay by 
 setting up a POP account in Outlook, putting the server that is being 
 reported as Open relay as my Outgoing SMTP server. =20
 
 When I try to send a message using Outlook, I get a return message
that
 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
 That is good, however, why then is spamcop still reporting it to be 
 open relay? =20
 
 I have checked (over the phone) all his Virtual SMTP Server settings 
 to verify correct configuration.  Everything seems to be checked or 
 unchecked as recommended by Microsoft.
 
 We have Stopped/Started Services for SMTP
 
 The Exchange 2000 server is behind a NAT and I have looked into the 
 possibility of this.  I have been out on the spamcop site and for the 
 life of me cannot find a way to make them check the server again to 
 see if it is closed relay like ORDB does. =20
 
 Any ideas or comments =20
 
 
 
 Samantha Bridges
 Communications Technician
 Macomb Intermediate School District
 44001 Garfield Road
 Clinton Township  MI  48038-1100
 (586) 228-3300
 
 [EMAIL PROTECTED]
 http://www.misd.net
 
 
 CONFIDENTIALITY NOTICE: This email message, including any attachments,

 is for the sole use of the intended recipient(s) and may contain 
 confidential and privileged information. Any unauthorized review, use,

 disclosure or distribution is prohibited. If you are not the intended 
 recipient, please contact the sender by reply email and destroy all 
 copies of the original message.
 
 =20

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to 
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which 
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as 
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is 
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to 
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.  
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000 
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if 
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20 
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the 
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz 
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to 
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which 
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as 
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is 
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to 
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.  
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000 
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if 
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20 
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the 
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting

RE: Open Relay/Spamcop

2003-12-18 Thread Eric Fretz

I agree with Ben.  My Exchange 2000 box at my last company was setup to
allow realaying after sucessfuly authentication because I had POP3 clients
at other offices that had no other SMTP gateway.  Disabling the Guest
account and forcing the users to change passwords every 30 days kept our
risk at a minimum.  We got tagged as a relay once, but forcing user password
changes on the spot fixed the problem.   

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and tested
again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe

RE: Open Relay/Spamcop

2003-12-18 Thread Candee Vaglica

What do you get when you telnet into the server and try to send mail to a
bogus address?



 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO know
that I have seen it on boxes where the Guest account is disabled, but that
does not rule out the possibility that some other account was compromised.

 However, I would welcome any information that proves me otherwise.  i.e.
 configure these settings, with the guest account disabled, and prove
 that it actually will relay - not authenticated relay, that doesn't
 count.  If it is authenticated relay, it is because a password was
 compromised.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Ben Winzenz=20
 Posted At: Thursday, December 18, 2003 11:48 AM
 Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 I still think you are smoking crack on this, Greg.  I have never seen a
 properly configured Exchange 2000 server relay UNLESS a user account was
 compromised, or the guest account was enabled.  I've tested it and
 tested again, and never found Exchange to relay with those settings.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
 December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 Hey, thanks for the confirmation. People have told me that I am smoking
 crack and that the Exchange servers were horribly misconfigured. It's
 nice to know that I am not smoking crack.
 
  I concur with greg ... our server had those settings and we were being
 
  used as a relay ... turned off Allow all computers which successfully
 
  authenticate to relay, regardless of the list above. and that stopped
 
  it ...
 =20
  Mike
 =20
 =20
 =20
  -Original Message-
  From: Greg Deckler [mailto:[EMAIL PROTECTED]
  Sent: Thursday, December 18, 2003 11:17 AM
  To: Exchange Discussions
  Subject: Re: Open Relay/Spamcop
 =20
 =20
  This may or may not be the problem, but I have seen spammers able to=20
  relay off an Exchange server if the following configuration applies:
 =20
  1. If Anonymous access is turned on. SMTP Virtual Server properties,
 
  Access page, Authentication. 2. And, Allow all computers which=20
  successfully authenticate to relay, regardless of the list above. is=20
  checked. SMTP Virtual Server properties, Access page, Relay.
 =20
 =20
 =20
   Hello All and Happy Holidays!
  =3D20
   I have a colleague whos Exchange 2000 server is being reported as=20
  Open
 =20
   Relay by spamcop for the past month.  I have tested his relay =
 by=3D20
 
  setting up a POP account in Outlook, putting the server that is=20
  being=3D20  reported as Open relay as my Outgoing SMTP server. =
 =3D3D20=20
  =3D20  When I try to send a message using Outlook, I get a return=20
  message
  that
   550 5.7.1 Unable to relay.  I am relieved that it could not
 relay.
   That is good, however, why then is spamcop still reporting it to=20
  be=3D20  open relay? =3D3D20 =3D20  I have checked (over the phone) =
 all his
 
  Virtual SMTP Server settings=3D20  to verify correct configuration. =20
  Everything seems to be checked or=3D20  unchecked as recommended =
 by
 
  Microsoft.
  =3D20
   We have Stopped/Started Services for SMTP =3D20  The Exchange 2000=20
  server is behind a NAT and I have looked into the=3D20  possibility =
 of=20
  this.  I have been out on the spamcop site and for the=3D20  life of =
 me
 
  cannot find a way to make them check the server again to=3D20  see if =
 
  it is closed relay like ORDB does. =3D3D20 =3D20  Any ideas or=20
  comments =3D3D20 =3D20 =3D20 =3D20  Samantha Bridges  =
 Communications=20
  Technician  Macomb Intermediate School District
   44001 Garfield Road
   Clinton Township  MI  48038-1100
   (586) 228-3300
  =3D20
   [EMAIL PROTECTED]
   http://www.misd.net
  =3D20
  =3D20
   CONFIDENTIALITY NOTICE: This email message, including any=20
  attachments,
 =20
   is for the sole use of the intended recipient(s) and may =
 contain=3D20=20
   confidential and privileged information. Any unauthorized review,=20
   use,
 =20
   disclosure or distribution is prohibited. If you are not the=20
  intended=3D20  recipient, please contact the sender by reply email =
 and=20
  destroy all=3D20  copies of the original message.
  =3D20
   =3D3D20
 =20
  _
  List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
  Web Interface:
  =
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3D3Dexchangetext_mo
  de=3D3D=3D
  
  lang=3D3Denglish
  To unsubscribe: mailto:[EMAIL PROTECTED]
  Exchange List admin:[EMAIL PROTECTED

RE: Open Relay/Spamcop

2003-12-18 Thread Ken Cornetet

Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
leak user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID backup?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

 However, I would welcome any information that proves me otherwise.  
 i.e. configure these settings, with the guest account disabled, and 
 prove that it actually will relay - not authenticated relay, that 
 doesn't count.  If it is authenticated relay, it is because a password

 was compromised.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Ben Winzenz=20
 Posted At: Thursday, December 18, 2003 11:48 AM
 Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 I still think you are smoking crack on this, Greg.  I have never seen 
 a properly configured Exchange 2000 server relay UNLESS a user account

 was compromised, or the guest account was enabled.  I've tested it and

 tested again, and never found Exchange to relay with those 
 settings.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, 
 December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 Hey, thanks for the confirmation. People have told me that I am 
 smoking crack and that the Exchange servers were horribly 
 misconfigured. It's nice to know that I am not smoking crack.
 
  I concur with greg ... our server had those settings and we were 
  being
 
  used as a relay ... turned off Allow all computers which 
  successfully
 
  authenticate to relay, regardless of the list above. and that 
  stopped
 
  it ...
 =20
  Mike
 =20
 =20
 =20
  -Original Message-
  From: Greg Deckler [mailto:[EMAIL PROTECTED]
  Sent: Thursday, December 18, 2003 11:17 AM
  To: Exchange Discussions
  Subject: Re: Open Relay/Spamcop
 =20
 =20
  This may or may not be the problem, but I have seen spammers able 
 to=20  relay off an Exchange server if the following configuration 
 applies: =20  1. If Anonymous access is turned on. SMTP Virtual 
 Server properties,
 
  Access page, Authentication. 2. And, Allow all computers which=20  
 successfully authenticate to relay, regardless of the list above. 
 is=20  checked. SMTP Virtual Server properties, Access page, Relay. 
 =20 =20
 =20
   Hello All and Happy Holidays!
  =3D20
   I have a colleague whos Exchange 2000 server is being reported 
  as=20 Open
 =20
   Relay by spamcop for the past month.  I have tested his relay =
 by=3D20
 
  setting up a POP account in Outlook, putting the server that is=20 
  being=3D20  reported as Open relay as my Outgoing SMTP server. =
 =3D3D20=20
  =3D20  When I try to send a message using Outlook, I get a 
  return=20 message
  that
   550 5.7.1 Unable to relay.  I am relieved that it could not
 relay.
   That is good, however, why then is spamcop still reporting it 
  to=20 be=3D20  open relay? =3D3D20 =3D20  I have checked (over the 
  phone) =
 all his
 
  Virtual SMTP Server settings=3D20  to verify correct configuration.

  =20 Everything seems to be checked or=3D20  unchecked as 
  recommended =
 by
 
  Microsoft.
  =3D20
   We have Stopped/Started Services for SMTP =3D20  The Exchange 
  2000=20 server is behind a NAT and I have looked into the=3D20  
  possibility =
 of=20
  this.  I have been out on the spamcop site and for the=3D20  life 
  of =
 me
 
  cannot find a way to make them check the server again to=3D20  see 
  if =
 
  it is closed relay like ORDB does. =3D3D20 =3D20  Any ideas or=20 
  comments =3D3D20 =3D20 =3D20 =3D20  Samantha Bridges  =
 Communications=20
  Technician  Macomb Intermediate School District
   44001 Garfield Road
   Clinton Township  MI  48038-1100
   (586) 228-3300
  =3D20
   [EMAIL PROTECTED]
   http://www.misd.net
  =3D20
  =3D20
   CONFIDENTIALITY NOTICE: This email message, including any=20 
  attachments,
 =20
   is for the sole use of the intended recipient(s) and may =
 contain=3D20=20
   confidential and privileged information. Any unauthorized 
   review,=20 use,
 =20

RE: Open Relay/Spamcop

2003-12-18 Thread Ken Cornetet

I seem to recall that there was a bug (fixed in sp3 maybe?) where if an
SMTP packet had a forged source address of 127.0.0.1, SMTP would relay
it regardless of relay settings.

I may be misremembering the details.

Also, no even half-way correctly firewall would let this type of packet
in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 11:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz 
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english

RE: Open Relay/Spamcop

But that is my point.  I know Exchange relays for authenticated users by
default.  It is turned on to allow POP3/SMTP and IMAP accounts the
ability to send using your Exchange server as the outgoing server.
However, it won't relay for a spammer UNLESS an account has been
compromised, at which point someone has in essence hacked your system.
If you set up your environment correctly, the ONLY way an account will
get compromised is if someone leaks their password.  Dictionary attacks
won't work because the account will get locked out after 3 attempts, and
it is awfully hard to dictionary guess a complex password in 3 tries :-)



Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 12:18 PM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
leak user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID backup?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

 However, I would welcome any information that proves me otherwise.  
 i.e. configure these settings, with the guest account disabled, and 
 prove that it actually will relay - not authenticated relay, that 
 doesn't count.  If it is authenticated relay, it is because a password

 was compromised.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Ben Winzenz=20
 Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange 
 (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 I still think you are smoking crack on this, Greg.  I have never seen 
 a properly configured Exchange 2000 server relay UNLESS a user account

 was compromised, or the guest account was enabled.  I've tested it and

 tested again, and never found Exchange to relay with those 
 settings.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, 
 December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 Hey, thanks for the confirmation. People have told me that I am 
 smoking crack and that the Exchange servers were horribly 
 misconfigured. It's nice to know that I am not smoking crack.
 
  I concur with greg ... our server had those settings and we were 
  being
 
  used as a relay ... turned off Allow all computers which 
  successfully
 
  authenticate to relay, regardless of the list above. and that 
  stopped
 
  it ...
 =20
  Mike
 =20
 =20
 =20
  -Original Message-
  From: Greg Deckler [mailto:[EMAIL PROTECTED]
  Sent: Thursday, December 18, 2003 11:17 AM
  To: Exchange Discussions
  Subject: Re: Open Relay/Spamcop
 =20
 =20
  This may or may not be the problem, but I have seen spammers able 
 to=20  relay off an Exchange server if the following configuration
 applies: =20  1. If Anonymous access is turned on. SMTP Virtual 
 Server properties,
 
  Access page, Authentication. 2. And, Allow all computers which=20 
 successfully authenticate to relay, regardless of the list above.
 is=20  checked. SMTP Virtual Server properties, Access page, Relay. 
 =20 =20
 =20
   Hello All and Happy Holidays!
  =3D20
   I have a colleague whos Exchange 2000 server is being reported 
  as=20 Open
 =20
   Relay by spamcop for the past month.  I have tested his relay =
 by=3D20
 
  setting up a POP account in Outlook, putting the server that is=20 
  being=3D20  reported as Open relay as my Outgoing SMTP server. =
 =3D3D20=20
  =3D20  When I try to send a message using Outlook, I get a 
  return=20 message
  that
   550 5.7.1 Unable to relay.  I am relieved that it could not
 relay.
   That is good, however, why then is spamcop still reporting it 
  to=20 be=3D20  open relay? =3D3D20 =3D20  I have checked (over the
  phone) =
 all his
 
  Virtual SMTP Server settings=3D20  to verify correct configuration.

  =20 Everything seems to be checked or=3D20  unchecked as 
  recommended =
 by
 
  Microsoft.
  =3D20
   We

RE: Open Relay/Spamcop

Please post if you recall the article.  I'll dig around and see if I can
find it. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 12:23 PM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I seem to recall that there was a bug (fixed in sp3 maybe?) where if an
SMTP packet had a forged source address of 127.0.0.1, SMTP would relay
it regardless of relay settings.

I may be misremembering the details.

Also, no even half-way correctly firewall would let this type of packet
in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 11:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz
Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange
(Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter

RE: Open Relay/Spamcop

2003-12-18 Thread Roger Seielstad

One of the reasons I like SpamCop (and actually use it myself) is because
you can look up the actual reason a box is on the list:
http://www.spamcop.net/bl.shtml

Put the IP address in and it will show an example of exactly why they're
listed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 18, 2003 10:59 AM
 To: Exchange Discussions
 Subject: Open Relay/Spamcop
 
 
 Hello All and Happy Holidays!
 
 I have a colleague whos Exchange 2000 server is being reported as Open
 Relay by spamcop for the past month.  I have tested his relay 
 by setting
 up a POP account in Outlook, putting the server that is being reported
 as Open relay as my Outgoing SMTP server.  
 
 When I try to send a message using Outlook, I get a return 
 message that
 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
 That is good, however, why then is spamcop still reporting it 
 to be open
 relay?  
 
 I have checked (over the phone) all his Virtual SMTP Server 
 settings to
 verify correct configuration.  Everything seems to be checked or
 unchecked as recommended by Microsoft.
 
 We have Stopped/Started Services for SMTP
 
 The Exchange 2000 server is behind a NAT and I have looked into the
 possibility of this.  I have been out on the spamcop site and for the
 life of me cannot find a way to make them check the server 
 again to see
 if it is closed relay like ORDB does.  
 
 Any ideas or comments  
 
 
 
 Samantha Bridges
 Communications Technician
 Macomb Intermediate School District
 44001 Garfield Road
 Clinton Township  MI  48038-1100
 (586) 228-3300
 
 [EMAIL PROTECTED]
 http://www.misd.net
 
 
 CONFIDENTIALITY NOTICE: This email message, including any attachments,
 is for the sole use of the intended recipient(s) and may contain
 confidential and privileged information. Any unauthorized review, use,
 disclosure or distribution is prohibited. If you are not the intended
 recipient, please contact the sender by reply email and destroy all
 copies of the original message.
 
  
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Randal, Phil

Looking at http://openrbl.org/#dodgy ip address is also very revealing.

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of 
 Roger Seielstad
 Sent: 18 December 2003 17:50
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 One of the reasons I like SpamCop (and actually use it 
 myself) is because
 you can look up the actual reason a box is on the list:
 http://www.spamcop.net/bl.shtml
 
 Put the IP address in and it will show an example of exactly 
 why they're
 listed.
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, December 18, 2003 10:59 AM
  To: Exchange Discussions
  Subject: Open Relay/Spamcop
  
  
  Hello All and Happy Holidays!
  
  I have a colleague whos Exchange 2000 server is being 
 reported as Open
  Relay by spamcop for the past month.  I have tested his relay 
  by setting
  up a POP account in Outlook, putting the server that is 
 being reported
  as Open relay as my Outgoing SMTP server.  
  
  When I try to send a message using Outlook, I get a return 
  message that
  550 5.7.1 Unable to relay.  I am relieved that it could 
 not relay.
  That is good, however, why then is spamcop still reporting it 
  to be open
  relay?  
  
  I have checked (over the phone) all his Virtual SMTP Server 
  settings to
  verify correct configuration.  Everything seems to be checked or
  unchecked as recommended by Microsoft.
  
  We have Stopped/Started Services for SMTP
  
  The Exchange 2000 server is behind a NAT and I have looked into the
  possibility of this.  I have been out on the spamcop site 
 and for the
  life of me cannot find a way to make them check the server 
  again to see
  if it is closed relay like ORDB does.  
  
  Any ideas or comments  
  
  
  
  Samantha Bridges
  Communications Technician
  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
  
  [EMAIL PROTECTED]
  http://www.misd.net
  
  
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
  is for the sole use of the intended recipient(s) and may contain
  confidential and privileged information. Any unauthorized 
 review, use,
  disclosure or distribution is prohibited. If you are not 
 the intended
  recipient, please contact the sender by reply email and destroy all
  copies of the original message.
  
   
  
  _
  List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
  Web Interface: 
  http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
 ext_mode=lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Roger Seielstad

But the point is that if you're listed on Spamcop, they'll tell you EXACTLY
why. None of the other RBL's I've seen do that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Randal, Phil [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 18, 2003 12:52 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Looking at http://openrbl.org/#dodgy ip address is also 
 very revealing.
 
 Cheers,
 
 Phil
 
 -
 Phil Randal
 Network Engineer
 Herefordshire Council
 Hereford, UK 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of 
  Roger Seielstad
  Sent: 18 December 2003 17:50
  To: Exchange Discussions
  Subject: RE: Open Relay/Spamcop
  
  
  One of the reasons I like SpamCop (and actually use it 
  myself) is because
  you can look up the actual reason a box is on the list:
  http://www.spamcop.net/bl.shtml
  
  Put the IP address in and it will show an example of exactly 
  why they're
  listed.
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  
   -Original Message-
   From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
   Sent: Thursday, December 18, 2003 10:59 AM
   To: Exchange Discussions
   Subject: Open Relay/Spamcop
   
   
   Hello All and Happy Holidays!
   
   I have a colleague whos Exchange 2000 server is being 
  reported as Open
   Relay by spamcop for the past month.  I have tested his relay 
   by setting
   up a POP account in Outlook, putting the server that is 
  being reported
   as Open relay as my Outgoing SMTP server.  
   
   When I try to send a message using Outlook, I get a return 
   message that
   550 5.7.1 Unable to relay.  I am relieved that it could 
  not relay.
   That is good, however, why then is spamcop still reporting it 
   to be open
   relay?  
   
   I have checked (over the phone) all his Virtual SMTP Server 
   settings to
   verify correct configuration.  Everything seems to be checked or
   unchecked as recommended by Microsoft.
   
   We have Stopped/Started Services for SMTP
   
   The Exchange 2000 server is behind a NAT and I have 
 looked into the
   possibility of this.  I have been out on the spamcop site 
  and for the
   life of me cannot find a way to make them check the server 
   again to see
   if it is closed relay like ORDB does.  
   
   Any ideas or comments  
   
   
   
   Samantha Bridges
   Communications Technician
   Macomb Intermediate School District
   44001 Garfield Road
   Clinton Township  MI  48038-1100
   (586) 228-3300
   
   [EMAIL PROTECTED]
   http://www.misd.net
   
   
   CONFIDENTIALITY NOTICE: This email message, including any 
  attachments,
   is for the sole use of the intended recipient(s) and may contain
   confidential and privileged information. Any unauthorized 
  review, use,
   disclosure or distribution is prohibited. If you are not 
  the intended
   recipient, please contact the sender by reply email and 
 destroy all
   copies of the original message.
   

   
   _
   List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
   Web Interface: 
   http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
  ext_mode=lang=english
  To unsubscribe: mailto:[EMAIL PROTECTED]
  Exchange List admin:[EMAIL PROTECTED]
  
  _
  List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
  Web Interface: 
  http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
 ext_mode=lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Kevin Wilkie

Uhm A ham sandwich?

Maybe a limp fish?

-Original Message-
From: Candee Vaglica [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:59 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

What do you get when you telnet into the server and try to send mail to
a bogus address?

  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as 
 Open

  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is 
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to 
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration. 
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000 
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if 
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,

  is for the sole use of the intended recipient(s) and may contain=20 
  confidential and privileged information. Any unauthorized review, 
  use,

  disclosure or distribution is prohibited. If you are not the 
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message. =20
  =3D20

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=

 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Wohlgemuth, Mike

It is possible that a user account was compromised ... but here is the
scenario I had and what worked to fix it ...

Setup:
Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user
group (noted through ips in the relay tab ...) ; guest account disabled;
SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers
which successfully authenticate to relay, regardless of the list above.
was checked ...

Issue:
My cues were huge; relaying may not have been going on (I did have a
couple of external complaints that I was allowing relaying; but never
made it on a list --- whew), but we were accepting the mail and then
processing it internally; it was becoming a performance issue  this
internal processing is alluded to at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then
we were getting our own NDR's back ... etc ..

Solution:
Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow all
computers which successfully authenticate to relay, regardless of the
list above. ... all the relaying (or attempt at it stopped)

Comment:
BTW, for external servers to communicate with you, it is the SMTP
Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab
that must be checked 

P.S.:
I tell users they can still pop their mail from outside our closed user
group; but they must use their ISP's SMTP relay for sending mail or use
OWA ...


Mike



-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
leak user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID backup?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

 However, I would welcome any information that proves me otherwise.
 i.e. configure these settings, with the guest account disabled, and 
 prove that it actually will relay - not authenticated relay, that 
 doesn't count.  If it is authenticated relay, it is because a password

 was compromised.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Ben Winzenz=20
 Posted At: Thursday, December 18, 2003 11:48 AM
 Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 I still think you are smoking crack on this, Greg.  I have never seen
 a properly configured Exchange 2000 server relay UNLESS a user account

 was compromised, or the guest account was enabled.  I've tested it and

 tested again, and never found Exchange to relay with those
 settings.=20
 
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
 December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
 Conversation: Open Relay/Spamcop
 Subject: RE: Open Relay/Spamcop
 
 
 Hey, thanks for the confirmation. People have told me that I am
 smoking crack and that the Exchange servers were horribly 
 misconfigured. It's nice to know that I am not smoking crack.
 
  I concur with greg ... our server had those settings and we were
  being
 
  used as a relay ... turned off Allow all computers which
  successfully
 
  authenticate to relay, regardless of the list above. and that
  stopped
 
  it ...
 =20
  Mike
 =20
 =20
 =20
  -Original Message-
  From: Greg Deckler [mailto:[EMAIL PROTECTED]
  Sent: Thursday, December 18, 2003 11:17 AM
  To: Exchange Discussions
  Subject: Re: Open Relay/Spamcop
 =20
 =20
  This may or may not be the problem, but I have seen spammers able
 to=20  relay off an Exchange server if the following configuration 
 applies: =20  1. If Anonymous access is turned on. SMTP Virtual 
 Server properties,
 
  Access page, Authentication. 2. And, Allow all computers which=20
 successfully authenticate to relay, regardless of the list above. 
 is=20  checked. SMTP Virtual Server properties, Access page, Relay. 
 =20 =20
 =20
   Hello All and Happy Holidays!
  =3D20
   I have a colleague whos Exchange 2000 server is being reported
  as=20 Open
 =20
   Relay by spamcop for the past month.  I have

RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account
was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take
a look at this for no other reason than to at least modify the wording on
the check boxes. I mean Anonymous Authentication allowed and Allow
computers which successfully authenticate... on the surface seems to
indicate that yes, you can anonymously authenticate and relay messages,
which I cannot imagine would ever really be very useful to anyone except a
spammer. I mean, change the wording or add a checkbox to specifically
allow, not allow relaying by anonymous authentication. Who knows, I don't
want to start another freaking firestorm about how much I hate Microsoft,
yadda, yadda. I guess my point is that it is OBVIOUSLY an issue
specifically in a lot of small 1-50 person shops that use a single
Exchange server for everything. This is where I have come in and seen it
as a problem. There are exactly the people that don't generally have
qualified IT help, thus because the default configuration seems to allow
this kind of relaying issue it is a feature of the product that is
adding to the overall spam problem on the Internet. Maybe the MVP gods and
Microsoft care, maybe not, but I want to be absolutely clear that I do not
care one iota, because if I did everyone would just tell me how stupid and
ignorant and a wife beater I am. So, I don't care and please do not
mistakenly believe that I care. God help us all if an MVP reads this,
thinks I care and starts another massive thread of pointless arguing.

 It is possible that a user account was compromised ... but here is the
 scenario I had and what worked to fix it ...
 
 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user
 group (noted through ips in the relay tab ...) ; guest account disabled;
 SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers
 which successfully authenticate to relay, regardless of the list above.
 was checked ...
 
 Issue:
 My cues were huge; relaying may not have been going on (I did have a
 couple of external complaints that I was allowing relaying; but never
 made it on a list --- whew), but we were accepting the mail and then
 processing it internally; it was becoming a performance issue  this
 internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =
 then
 we were getting our own NDR's back ... etc ..
 
 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow all
 computers which successfully authenticate to relay, regardless of the
 list above. ... all the relaying (or attempt at it stopped)
 
 Comment:
 BTW, for external servers to communicate with you, it is the SMTP
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab
 that must be checked 
 
 P.S.:
 I tell users they can still pop their mail from outside our closed user
 group; but they must use their ISP's SMTP relay for sending mail or use
 OWA ...
 
 
 Mike
 
 
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Exchange WILL relay for authenticated users (by default), and it doesn't
 have to be the guest account (though that is a common attack).
 
 Have you left your Administrator account named Administrator? Do you
 leak user IDs to the outside world? Web pages? Email addresses? IM
 aliases? Backups run under the user ID backup?
 
 Dictionary password attack. Spammers have lots of patience.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 12:11 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 This may very well be the case. I cannot say one way or another. When I
 have seen this, it has always been the case that I am there fixing
 something else and happen upon this problem, fix it and move on. I DO
 know that I have seen it on boxes where the Guest account is disabled,
 but that does not rule out the possibility that some other account was
 compromised.
 
  However, I would welcome any information that proves me otherwise.
  i.e. configure these settings, with the guest account disabled, and=20
  prove that it actually will relay - not authenticated relay, that=20
  doesn't count.  If it is authenticated relay, it is because a password
 
  was compromised.=3D20
 =20
 =20
  Ben Winzenz
  Network Engineer
  Gardner  White
  (317) 581-1580 ext 418
 =20
 =20

RE: Open Relay/Spamcop

2003-12-18 Thread Clemens, Rick

Me thinks thou dost protest t much!!!  :-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Posted At: Thursday, December 18, 2003 1:19 PM
Posted To: Exchange Discussion
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute FACT one way or the other it may indeed be the case that a
guest account was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list that they might possibly want to maybe suggest to Microsoft that
they take a look at this for no other reason than to at least modify the
wording on the check boxes. I mean Anonymous Authentication allowed
and Allow computers which successfully authenticate... on the surface
seems to indicate that yes, you can anonymously authenticate and relay
messages, which I cannot imagine would ever really be very useful to
anyone except a spammer. I mean, change the wording or add a checkbox to
specifically allow, not allow relaying by anonymous authentication. Who
knows, I don't want to start another freaking firestorm about how much I
hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY
an issue specifically in a lot of small 1-50 person shops that use a
single Exchange server for everything. This is where I have come in and
seen it as a problem. There are exactly the people that don't generally
have qualified IT help, thus because the default configuration seems to
allow this kind of relaying issue it is a feature of the product that
is adding to the overall spam problem on the Internet. Maybe the MVP
gods and Microsoft care, maybe not, but I want to be absolutely clear
that I do not care one iota, because if I did everyone would just tell
me how stupid and ignorant and a wife beater I am. So, I don't care and
please do not mistakenly believe that I care. God help us all if an MVP
reads this, thinks I care and starts another massive thread of pointless
arguing.

 It is possible that a user account was compromised ... but here is the

 scenario I had and what worked to fix it ...

 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed 
 user group (noted through ips in the relay tab ...) ; guest account 
 disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of
the list above.
 was checked ...

 Issue:
 My cues were huge; relaying may not have been going on (I did have a 
 couple of external complaints that I was allowing relaying; but never 
 made it on a list --- whew), but we were accepting the mail and then 
 processing it internally; it was becoming a performance issue  
 this internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =

 then we were getting our own NDR's back ... etc ..

 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of 
 the list above. ... all the relaying (or attempt at it stopped)

 Comment:
 BTW, for external servers to communicate with you, it is the SMTP 
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
 tab that must be checked 

 P.S.:
 I tell users they can still pop their mail from outside our closed 
 user group; but they must use their ISP's SMTP relay for sending mail 
 or use OWA ...

 Mike

 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop

 Exchange WILL relay for authenticated users (by default), and it 
 doesn't have to be the guest account (though that is a common attack).

 Have you left your Administrator account named Administrator? Do you 
 leak user IDs to the outside world? Web pages? Email addresses? IM 
 aliases? Backups run under the user ID backup?

 Dictionary password attack. Spammers have lots of patience.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 12:11 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop

 This may very well be the case. I cannot say one way or another. When 
 I have seen this, it has always been the case that I am there fixing 
 something else and happen upon this problem, fix it and move on. I DO 
 know that I have seen it on boxes where the Guest account is disabled,

 but that does not rule out the possibility that some other account was

 compromised.

  However, I would welcome any information that proves me otherwise.
  i.e. configure

RE: Open Relay/Spamcop

2003-12-18 Thread Fyodorov, Andrey

That probably was the case because someone guessed a username/password
combination and they were able to successfully authenticate and relay
mail.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:23 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I concur with greg ... our server had those settings and we were being
used as a relay ... turned off Allow all computers which successfully
authenticate to relay, regardless of the list above. and that stopped
it ...

Mike



-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop


This may or may not be the problem, but I have seen spammers able to
relay off an Exchange server if the following configuration applies:

1. If Anonymous access is turned on. SMTP Virtual Server properties,
Access page, Authentication. 2. And, Allow all computers which
successfully authenticate to relay, regardless of the list above. is
checked. SMTP Virtual Server properties, Access page, Relay.



 Hello All and Happy Holidays!
 
 I have a colleague whos Exchange 2000 server is being reported as Open

 Relay by spamcop for the past month.  I have tested his relay by 
 setting up a POP account in Outlook, putting the server that is being 
 reported as Open relay as my Outgoing SMTP server. =20
 
 When I try to send a message using Outlook, I get a return message
that
 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
 That is good, however, why then is spamcop still reporting it to be 
 open relay? =20
 
 I have checked (over the phone) all his Virtual SMTP Server settings 
 to verify correct configuration.  Everything seems to be checked or 
 unchecked as recommended by Microsoft.
 
 We have Stopped/Started Services for SMTP
 
 The Exchange 2000 server is behind a NAT and I have looked into the 
 possibility of this.  I have been out on the spamcop site and for the 
 life of me cannot find a way to make them check the server again to 
 see if it is closed relay like ORDB does. =20
 
 Any ideas or comments =20
 
 
 
 Samantha Bridges
 Communications Technician
 Macomb Intermediate School District
 44001 Garfield Road
 Clinton Township  MI  48038-1100
 (586) 228-3300
 
 [EMAIL PROTECTED]
 http://www.misd.net
 
 
 CONFIDENTIALITY NOTICE: This email message, including any attachments,

 is for the sole use of the intended recipient(s) and may contain 
 confidential and privileged information. Any unauthorized review, use,

 disclosure or distribution is prohibited. If you are not the intended 
 recipient, please contact the sender by reply email and destroy all 
 copies of the original message.
 
 =20

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Fyodorov, Andrey

Usually something simple like a Webmaster account with password
password is a target of spammers.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:49 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I agree with Ben.  My Exchange 2000 box at my last company was setup to
allow realaying after sucessfuly authentication because I had POP3
clients
at other offices that had no other SMTP gateway.  Disabling the Guest
account and forcing the users to change passwords every 30 days kept our
risk at a minimum.  We got tagged as a relay once, but forcing user
password
changes on the spot fixed the problem.   

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested
again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice
to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter

RE: Open Relay/Spamcop

2003-12-18 Thread Jim Helfer



 Well, I'm certainly glad we aren't resorting to any of them thar
unprofessional personal attacks.  That would be just terrible.  

 Jim H

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 2:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account was
used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take a
look at this for no other reason than to at least modify the wording on the
check boxes. I mean Anonymous Authentication allowed and Allow computers
which successfully authenticate... on the surface seems to indicate that
yes, you can anonymously authenticate and relay messages, which I cannot
imagine would ever really be very useful to anyone except a spammer. I mean,
change the wording or add a checkbox to specifically allow, not allow
relaying by anonymous authentication. Who knows, I don't want to start
another freaking firestorm about how much I hate Microsoft, yadda, yadda. I
guess my point is that it is OBVIOUSLY an issue specifically in a lot of
small 1-50 person shops that use a single Exchange server for everything.
This is where I have come in and seen it as a problem. There are exactly the
people that don't generally have qualified IT help, thus because the default
configuration seems to allow this kind of relaying issue it is a feature
of the product that is adding to the overall spam problem on the Internet.
Maybe the MVP gods and Microsoft care, maybe not, but I want to be
absolutely clear that I do not care one iota, because if I did everyone
would just tell me how stupid and ignorant and a wife beater I am. So, I
don't care and please do not mistakenly believe that I care. God help us all
if an MVP reads this, thinks I care and starts another massive thread of
pointless arguing.

 It is possible that a user account was compromised ... but here is the 
 scenario I had and what worked to fix it ...
 
 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed 
 user group (noted through ips in the relay tab ...) ; guest account 
 disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of the
list above.
 was checked ...
 
 Issue:
 My cues were huge; relaying may not have been going on (I did have a 
 couple of external complaints that I was allowing relaying; but never 
 made it on a list --- whew), but we were accepting the mail and then 
 processing it internally; it was becoming a performance issue  
 this internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... = 
 then we were getting our own NDR's back ... etc ..
 
 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of 
 the list above. ... all the relaying (or attempt at it stopped)
 
 Comment:
 BTW, for external servers to communicate with you, it is the SMTP 
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
 tab that must be checked 
 
 P.S.:
 I tell users they can still pop their mail from outside our closed 
 user group; but they must use their ISP's SMTP relay for sending mail 
 or use OWA ...
 
 
 Mike
 
 
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Exchange WILL relay for authenticated users (by default), and it 
 doesn't have to be the guest account (though that is a common attack).
 
 Have you left your Administrator account named Administrator? Do you 
 leak user IDs to the outside world? Web pages? Email addresses? IM 
 aliases? Backups run under the user ID backup?
 
 Dictionary password attack. Spammers have lots of patience.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 12:11 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 This may very well be the case. I cannot say one way or another. When 
 I have seen this, it has always been the case that I am there fixing 
 something else and happen upon this problem, fix it and move on. I DO 
 know that I have seen it on boxes where the Guest account is disabled, 
 but that does not rule out the possibility that some other account was 
 compromised.
 
  However, I would welcome any information that proves me otherwise.
  i.e

RE: Open Relay/Spamcop

2003-12-18 Thread Fyodorov, Andrey

I think Anonymous Access (not Anonymous Authentication Allowed) and
Allow computers which successfully authenticate to relay settings
belong in different contexts. One context is about *simply being able to
connect to the SMTP virtual server*, the other context is about being
able to relay.

I think you are extrapolating too much.

Somehow it never dawned on me to merge these two contexts. Maybe because
I had seen similar setting in many other SMTP server packages before.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

P.S. if you turn off Anonymous Access, expect to never receive any mail
from the Internet.


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 2:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute
FACT one way or the other it may indeed be the case that a guest account
was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list
that they might possibly want to maybe suggest to Microsoft that they
take
a look at this for no other reason than to at least modify the wording
on
the check boxes. I mean Anonymous Authentication allowed and Allow
computers which successfully authenticate... on the surface seems to
indicate that yes, you can anonymously authenticate and relay messages,
which I cannot imagine would ever really be very useful to anyone except
a
spammer. I mean, change the wording or add a checkbox to specifically
allow, not allow relaying by anonymous authentication. Who knows, I
don't
want to start another freaking firestorm about how much I hate
Microsoft,
yadda, yadda. I guess my point is that it is OBVIOUSLY an issue
specifically in a lot of small 1-50 person shops that use a single
Exchange server for everything. This is where I have come in and seen it
as a problem. There are exactly the people that don't generally have
qualified IT help, thus because the default configuration seems to allow
this kind of relaying issue it is a feature of the product that is
adding to the overall spam problem on the Internet. Maybe the MVP gods
and
Microsoft care, maybe not, but I want to be absolutely clear that I do
not
care one iota, because if I did everyone would just tell me how stupid
and
ignorant and a wife beater I am. So, I don't care and please do not
mistakenly believe that I care. God help us all if an MVP reads this,
thinks I care and starts another massive thread of pointless arguing.

 It is possible that a user account was compromised ... but here is the
 scenario I had and what worked to fix it ...
 
 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed
user
 group (noted through ips in the relay tab ...) ; guest account
disabled;
 SMTP Virtual Server Properties/Access Tab/Relay ... Allow all
computers
 which successfully authenticate to relay, regardless of the list
above.
 was checked ...
 
 Issue:
 My cues were huge; relaying may not have been going on (I did have a
 couple of external complaints that I was allowing relaying; but never
 made it on a list --- whew), but we were accepting the mail and then
 processing it internally; it was becoming a performance issue 
this
 internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =
 then
 we were getting our own NDR's back ... etc ..
 
 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow
all
 computers which successfully authenticate to relay, regardless of the
 list above. ... all the relaying (or attempt at it stopped)
 
 Comment:
 BTW, for external servers to communicate with you, it is the SMTP
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access
tab
 that must be checked 
 
 P.S.:
 I tell users they can still pop their mail from outside our closed
user
 group; but they must use their ISP's SMTP relay for sending mail or
use
 OWA ...
 
 
 Mike
 
 
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Exchange WILL relay for authenticated users (by default), and it
doesn't
 have to be the guest account (though that is a common attack).
 
 Have you left your Administrator account named Administrator? Do you
 leak user IDs to the outside world? Web pages? Email addresses? IM
 aliases? Backups run under the user ID backup?
 
 Dictionary password attack. Spammers have lots of patience.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 12:11 PM

RE: Open Relay/Spamcop

Not in this thread, anyway.  The authentication hole exists when someone
hacks a password.  If you need to allow authentication, you should consider
doing this with a virtual server that is not exposed to the Internet.  If
you do expose your SMTP to the Internet with authentication, you should, at
a minimum, restrict the accounts that can use it, force the use of SSL, and
enforce strong password policies.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 8:37 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being 
 used as a relay ... turned off Allow all computers which successfully 
 authenticate to relay, regardless of the list above. and that stopped 
 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to 
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties, 
 Access page, Authentication. 2. And, Allow all computers which 
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as 
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20  
 setting up a POP account in Outlook, putting the server that is 
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not relay.
  That is good, however, why then is spamcop still reporting it to 
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his 
 Virtual SMTP Server settings=20  to verify correct configuration.  
 Everything seems to be checked or=20  unchecked as recommended by 
 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000 
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me 
 cannot find a way to make them check the server again to=20  see if 
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20 
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the 
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

Strong passwords mean much more than forced changes.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Thursday, December 18, 2003 8:49 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I agree with Ben.  My Exchange 2000 box at my last company was setup to
allow realaying after sucessfuly authentication because I had POP3 clients
at other offices that had no other SMTP gateway.  Disabling the Guest
account and forcing the users to change passwords every 30 days kept our
risk at a minimum.  We got tagged as a relay once, but forcing user password
changes on the spot fixed the problem.   

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and tested
again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter

RE: Open Relay/Spamcop

Weak passwords.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 8:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove that it
actually will relay - not authenticated relay, that doesn't count.  If it is
authenticated relay, it is because a password was compromised. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz
Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

 I concur with greg ... our server had those settings and we were being

 used as a relay ... turned off Allow all computers which successfully

 authenticate to relay, regardless of the list above. and that stopped

 it ...
 
 Mike
 
 
 
 -Original Message-
 From: Greg Deckler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 11:17 AM
 To: Exchange Discussions
 Subject: Re: Open Relay/Spamcop
 
 
 This may or may not be the problem, but I have seen spammers able to 
 relay off an Exchange server if the following configuration applies:
 
 1. If Anonymous access is turned on. SMTP Virtual Server properties,

 Access page, Authentication. 2. And, Allow all computers which 
 successfully authenticate to relay, regardless of the list above. is 
 checked. SMTP Virtual Server properties, Access page, Relay.
 
 
 
  Hello All and Happy Holidays!
 =20
  I have a colleague whos Exchange 2000 server is being reported as 
 Open
 
  Relay by spamcop for the past month.  I have tested his relay by=20

 setting up a POP account in Outlook, putting the server that is 
 being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
 =20  When I try to send a message using Outlook, I get a return 
 message
 that
  550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
  That is good, however, why then is spamcop still reporting it to 
 be=20  open relay? =3D20 =20  I have checked (over the phone) all his

 Virtual SMTP Server settings=20  to verify correct configuration.  
 Everything seems to be checked or=20  unchecked as recommended by

 Microsoft.
 =20
  We have Stopped/Started Services for SMTP =20  The Exchange 2000 
 server is behind a NAT and I have looked into the=20  possibility of 
 this.  I have been out on the spamcop site and for the=20  life of me

 cannot find a way to make them check the server again to=20  see if 
 it is closed relay like ORDB does. =3D20 =20  Any ideas or 
 comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
 Technician  Macomb Intermediate School District
  44001 Garfield Road
  Clinton Township  MI  48038-1100
  (586) 228-3300
 =20
  [EMAIL PROTECTED]
  http://www.misd.net
 =20
 =20
  CONFIDENTIALITY NOTICE: This email message, including any 
 attachments,
 
  is for the sole use of the intended recipient(s) and may contain=20 
  confidential and privileged information. Any unauthorized review, 
  use,
 
  disclosure or distribution is prohibited. If you are not the 
 intended=20  recipient, please contact the sender by reply email and 
 destroy all=20  copies of the original message.
 =20
  =3D20
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchangetext_mo
 de=3D=
 
 lang=3Denglish
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List

RE: Open Relay/Spamcop

Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account was
used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take a
look at this for no other reason than to at least modify the wording on the
check boxes. I mean Anonymous Authentication allowed and Allow computers
which successfully authenticate... on the surface seems to indicate that
yes, you can anonymously authenticate and relay messages, which I cannot
imagine would ever really be very useful to anyone except a spammer. I mean,
change the wording or add a checkbox to specifically allow, not allow
relaying by anonymous authentication. Who knows, I don't want to start
another freaking firestorm about how much I hate Microsoft, yadda, yadda. I
guess my point is that it is OBVIOUSLY an issue specifically in a lot of
small 1-50 person shops that use a single Exchange server for everything.
This is where I have come in and seen it as a problem. There are exactly the
people that don't generally have qualified IT help, thus because the default
configuration seems to allow this kind of relaying issue it is a feature
of the product that is adding to the overall spam problem on the Internet.
Maybe the MVP gods and Microsoft care, maybe not, but I want to be
absolutely clear that I do not care one iota, because if I did everyone
would just tell me how stupid and ignorant and a wife beater I am. So, I
don't care and please do not mistakenly believe that I care. God help us all
if an MVP reads this, thinks I care and starts another massive thread of
pointless arguing.

 It is possible that a user account was compromised ... but here is the 
 scenario I had and what worked to fix it ...
 
 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed 
 user group (noted through ips in the relay tab ...) ; guest account 
 disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of the
list above.
 was checked ...
 
 Issue:
 My cues were huge; relaying may not have been going on (I did have a 
 couple of external complaints that I was allowing relaying; but never 
 made it on a list --- whew), but we were accepting the mail and then 
 processing it internally; it was becoming a performance issue  
 this internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... = 
 then we were getting our own NDR's back ... etc ..
 
 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of 
 the list above. ... all the relaying (or attempt at it stopped)
 
 Comment:
 BTW, for external servers to communicate with you, it is the SMTP 
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
 tab that must be checked 
 
 P.S.:
 I tell users they can still pop their mail from outside our closed 
 user group; but they must use their ISP's SMTP relay for sending mail 
 or use OWA ...
 
 
 Mike
 
 
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Exchange WILL relay for authenticated users (by default), and it 
 doesn't have to be the guest account (though that is a common attack).
 
 Have you left your Administrator account named Administrator? Do you 
 leak user IDs to the outside world? Web pages? Email addresses? IM 
 aliases? Backups run under the user ID backup?
 
 Dictionary password attack. Spammers have lots of patience.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 12:11 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 This may very well be the case. I cannot say one way or another. When 
 I have seen this, it has always been the case that I am there fixing 
 something else and happen upon this problem, fix it and move on. I DO 
 know that I have seen it on boxes where the Guest account is disabled, 
 but that does not rule out the possibility that some other account was 
 compromised.
 
  However

RE: Open Relay/Spamcop

2003-12-18 Thread Wohlgemuth, Mike

talking dirty like that just gets me pumped up for the weekend ... yum
...

thanks for all the input (all puns intended that relate to vendor
whores)

Mike



-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 4:35 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute FACT one way or the other it may indeed be the case that a
guest account was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list that they might possibly want to maybe suggest to Microsoft that
they take a look at this for no other reason than to at least modify the
wording on the check boxes. I mean Anonymous Authentication allowed
and Allow computers which successfully authenticate... on the surface
seems to indicate that yes, you can anonymously authenticate and relay
messages, which I cannot imagine would ever really be very useful to
anyone except a spammer. I mean, change the wording or add a checkbox to
specifically allow, not allow relaying by anonymous authentication. Who
knows, I don't want to start another freaking firestorm about how much I
hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY
an issue specifically in a lot of small 1-50 person shops that use a
single Exchange server for everything. This is where I have come in and
seen it as a problem. There are exactly the people that don't generally
have qualified IT help, thus because the default configuration seems to
allow this kind of relaying issue it is a feature of the product that
is adding to the overall spam problem on the Internet. Maybe the MVP
gods and Microsoft care, maybe not, but I want to be absolutely clear
that I do not care one iota, because if I did everyone would just tell
me how stupid and ignorant and a wife beater I am. So, I don't care and
please do not mistakenly believe that I care. God help us all if an MVP
reads this, thinks I care and starts another massive thread of pointless
arguing.

 It is possible that a user account was compromised ... but here is the
 scenario I had and what worked to fix it ...
 
 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed
 user group (noted through ips in the relay tab ...) ; guest account 
 disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of
the
list above.
 was checked ...
 
 Issue:
 My cues were huge; relaying may not have been going on (I did have a
 couple of external complaints that I was allowing relaying; but never 
 made it on a list --- whew), but we were accepting the mail and then 
 processing it internally; it was becoming a performance issue  
 this internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =

 then we were getting our own NDR's back ... etc ..
 
 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow
 all computers which successfully authenticate to relay, regardless of 
 the list above. ... all the relaying (or attempt at it stopped)
 
 Comment:
 BTW, for external servers to communicate with you, it is the SMTP
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
 tab that must be checked 
 
 P.S.:
 I tell users they can still pop their mail from outside our closed
 user group; but they must use their ISP's SMTP relay for sending mail 
 or use OWA ...
 
 
 Mike
 
 
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Exchange WILL relay for authenticated users (by default), and it
 doesn't have to be the guest account (though that is a common attack).
 
 Have you left your Administrator account named Administrator? Do you
 leak user IDs to the outside world? Web pages? Email addresses? IM 
 aliases? Backups run under the user ID backup?
 
 Dictionary password attack. Spammers have lots of patience.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 12:11 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 This may very well be the case. I cannot say one way

RE: Open Relay/Spamcop

2003-12-18 Thread Jim Helfer


 Excuse me, I have to go yell at the posters over in the IPCop mailing list.
They keep mailing to the list, even though I haven't read it in weeks! Of
all the nerve.


 Jim H
 

-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 5:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

talking dirty like that just gets me pumped up for the weekend ... yum ...

thanks for all the input (all puns intended that relate to vendor
whores)

Mike



-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 4:35 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute FACT one way or the other it may indeed be the case that a
guest account was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list that they might possibly want to maybe suggest to Microsoft that
they take a look at this for no other reason than to at least modify the
wording on the check boxes. I mean Anonymous Authentication allowed
and Allow computers which successfully authenticate... on the surface
seems to indicate that yes, you can anonymously authenticate and relay
messages, which I cannot imagine would ever really be very useful to
anyone except a spammer. I mean, change the wording or add a checkbox to
specifically allow, not allow relaying by anonymous authentication. Who
knows, I don't want to start another freaking firestorm about how much I
hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY
an issue specifically in a lot of small 1-50 person shops that use a
single Exchange server for everything. This is where I have come in and
seen it as a problem. There are exactly the people that don't generally
have qualified IT help, thus because the default configuration seems to
allow this kind of relaying issue it is a feature of the product that
is adding to the overall spam problem on the Internet. Maybe the MVP
gods and Microsoft care, maybe not, but I want to be absolutely clear
that I do not care one iota, because if I did everyone would just tell
me how stupid and ignorant and a wife beater I am. So, I don't care and
please do not mistakenly believe that I care. God help us all if an MVP
reads this, thinks I care and starts another massive thread of pointless
arguing.

 It is possible that a user account was compromised ... but here is the
 scenario I had and what worked to fix it ...
 
 Setup:
 Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed
 user group (noted through ips in the relay tab ...) ; guest account 
 disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow 
 all computers which successfully authenticate to relay, regardless of
the
list above.
 was checked ...
 
 Issue:
 My cues were huge; relaying may not have been going on (I did have a
 couple of external complaints that I was allowing relaying; but never 
 made it on a list --- whew), but we were accepting the mail and then 
 processing it internally; it was becoming a performance issue  
 this internal processing is alluded to at
 http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =

 then we were getting our own NDR's back ... etc ..
 
 Solution:
 Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow
 all computers which successfully authenticate to relay, regardless of 
 the list above. ... all the relaying (or attempt at it stopped)
 
 Comment:
 BTW, for external servers to communicate with you, it is the SMTP
 Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
 tab that must be checked 
 
 P.S.:
 I tell users they can still pop their mail from outside our closed
 user group; but they must use their ISP's SMTP relay for sending mail 
 or use OWA ...
 
 
 Mike
 
 
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 12:18 PM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 
 
 Exchange WILL relay for authenticated users (by default), and it
 doesn't have to be the guest account (though that is a common attack).
 
 Have you left your Administrator account named Administrator? Do you
 leak user IDs to the outside world? Web pages? Email addresses? IM 
 aliases? Backups run

RE: Open Relay/Spamcop

And...

 Rest assured that this topic has been discussed by us vendor whores.
 
 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!T
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
 Sent: Thursday, December 18, 2003 11:19 AM
 To: Exchange Discussions
 Subject: RE: Open Relay/Spamcop
 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-03 Thread Jay Kulsh

Let me answer my own question. Those spammers were using authentication to
logon to SMTP server of our Exchange. Once we saw what user account was
being used and disabled it, problem went away. (Due to POP3 users, we have
to allow routing thru authentication.)

Jay Kulsh

Please visit http://www.cancer-treatment.net

- Original Message - 
From: Jay Kulsh
To: Exchange Discussions
Sent: Sunday, November 02, 2003 9:17 PM
Subject: Spam Clogging the IMC Queue -- Feigning Open Relay



Hi folks,

We do not have open relay on our two Exchange servers (5.5 SP4) as tested by
various tools. However in the queue of IMC, there are thousand of messages
that have outside domains in both source and destination addresses. The
addresses of originators are obviously computer generated with words like
[EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of these
messages are actually delivered -- as if we were open realy -- to the
destination domain but that is a possibility.

Symantec techsupport stated that they are not aware of any virus or worm
that can do this.

If we are not allowing open-relay what is causing these messages to get to
our IMC queue? Please help!

Jay
__
Jay Kulsh
iLAN
Pasadena, CA


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-03 Thread AliAdmin

Hi

I had a similar problem as we have a lot of mobile users. Unfortunately the
authentication seemed temperamental depending on which ISP you were using,
so forced everybody to use the VPN and restricted routing to internal IP's
only.

I think that did the trick, but I wouldn't be surprised if the spammers find
a way around it.

Bye

Ali

- Original Message - 
From: Jay Kulsh [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 12:11 PM
Subject: Re: Spam Clogging the IMC Queue -- Feigning Open Relay


 Let me answer my own question. Those spammers were using authentication to
 logon to SMTP server of our Exchange. Once we saw what user account was
 being used and disabled it, problem went away. (Due to POP3 users, we have
 to allow routing thru authentication.)

 Jay Kulsh

 Please visit http://www.cancer-treatment.net

 - Original Message - 
 From: Jay Kulsh
 To: Exchange Discussions
 Sent: Sunday, November 02, 2003 9:17 PM
 Subject: Spam Clogging the IMC Queue -- Feigning Open Relay



 Hi folks,

 We do not have open relay on our two Exchange servers (5.5 SP4) as tested
by
 various tools. However in the queue of IMC, there are thousand of messages
 that have outside domains in both source and destination addresses. The
 addresses of originators are obviously computer generated with words like
 [EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of
these
 messages are actually delivered -- as if we were open realy -- to the
 destination domain but that is a possibility.

 Symantec techsupport stated that they are not aware of any virus or worm
 that can do this.

 If we are not allowing open-relay what is causing these messages to get to
 our IMC queue? Please help!

 Jay
 __
 Jay Kulsh
 iLAN
 Pasadena, CA


 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]


 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-03 Thread Couch, Nate

Excuse me.  Symantec said they weren't aware of any virus that can put dummy
addresses in the To and From fields?  I find that hard to believe since the
Klez virus, among others, does this very thing and they are certainly aware
of that virus.

As for your original issue about the spam delete the messages that you know
are spam and re-check your open relay situation.  It sounds like there is a
hole somewhere that you didn't plug.  Check Q articles 

Q260973
Q265293
Q313395

Nate Couch
EDS Messaging

 --
 From: Jay Kulsh
 Reply To: Exchange Discussions
 Sent: Sunday, November 2, 2003 11:17 PM
 To:   Exchange Discussions
 Subject:  Spam Clogging the IMC Queue -- Feigning Open Relay
 
 Hi folks,
 
 We do not have open relay on our two Exchange servers (5.5 SP4) as tested
 by
 various tools. However in the queue of IMC, there are thousand of messages
 that have outside domains in both source and destination addresses. The
 addresses of originators are obviously computer generated with words like
 [EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of
 these
 messages are actually delivered -- as if we were open realy -- to the
 destination domain but that is a possibility.
 
 Symantec techsupport stated that they are not aware of any virus or worm
 that can do this.
 
 If we are not allowing open-relay what is causing these messages to get to
 our IMC queue? Please help!
 
 Jay
 __
 Jay Kulsh
 iLAN
 Pasadena, CA
 
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=la
 ng=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
 
 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-02 Thread Jay Kulsh

Hi folks,

We do not have open relay on our two Exchange servers (5.5 SP4) as tested by
various tools. However in the queue of IMC, there are thousand of messages
that have outside domains in both source and destination addresses. The
addresses of originators are obviously computer generated with words like
[EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of these
messages are actually delivered -- as if we were open realy -- to the
destination domain but that is a possibility.

Symantec techsupport stated that they are not aware of any virus or worm
that can do this.

If we are not allowing open-relay what is causing these messages to get to
our IMC queue? Please help!

Jay
__
Jay Kulsh
iLAN
Pasadena, CA


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open relay issues

2003-09-04 Thread Pat Richard

Okay, I'm still looking through the archives and stuff, but it's late, so I'll post
this before I call it a night.

Client has a server that suddenly shuts down.

I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the badmail
folder. All dated within the last two or three days. The server had shut down because
the drive ran out of space.

So I clear that up and start nosing around..

I check for open relay (telnet), and can't find any problem. I start to think maybe
this is a SoBig.F issue, until I read some of the NDRs.

Within fifteen minutes, badmail starts to accumulate again. I look further, and see a
connection in the OPEN SESSIONS section of System Manager. I kill the connection after
jotting down some details. Queues are just jammed full of crap - Viagra ads, etc.
I clear this out again, along with badmail, and start watching. Sure enough, a short
time later, someone from the same IP subnet connects and it starts all over.
I look through a ton of articles on open relay, and everything checks out. Then, I run
this test: http://tools.appriver.com/openrelay.php
http://tools.appriver.com/openrelay.php which basically tries to relay using
various combinations of addressing formats.
Test #14 fails
Test #16 fails
Test #28 fails
#14 uses a rcpt to format of
RCPT TO: [EMAIL PROTECTED]
Notice the quotes.
#16 uses
RCPT TO: relaytest%appriver.com
Notice the quotes and the %
#28 uses
RCPT TO: appriver.com!relaytest
notice the format there.

I manually tried each on via telnet against the server. Sure enough, the server
doesn't complain. But every one bounces back with an NDR complaining about the
recipient address. So my belief is that they're attempting one (or more) of these
methods, and all of them are bouncing, causing the badmail problem.

My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3. Connection
is firewalled T1.

Any help would be greatly appreciated. Thanks!
[EMAIL
PROTECTED])j¹%Ë\¢oâùr®+)éíz·±r§ë^ÆuéZ§X¬:.±Êâm[hæ¯yì\©àz[,Ã)ärÅÈZËZvh§+-iÌ2G(

Re: Open relay issues

2003-09-04 Thread Chris Scharff

Those aren't relay failures, there's nothing to fix. They are (exclusively I
think) tests for other mail servers which at one point used to incorrectly
relay mail formatted like that. Exchange does not. My server 'fails' the
same tests. If you crank up logging on the SMTP conversation what addresses
is the connecting IP address sending to?

 From: Pat Richard [EMAIL PROTECTED]
 Reply-To: Exchange Discussions [EMAIL PROTECTED]
 Date: Thu, 4 Sep 2003 23:25:10 -0400
 To: Exchange Discussions [EMAIL PROTECTED]
 Subject: Open relay issues

 Okay, I'm still looking through the archives and stuff, but it's late, so I'll
 post this before I call it a night.

 Client has a server that suddenly shuts down.

 I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the
 badmail folder. All dated within the last two or three days. The server had
 shut down because the drive ran out of space.

 So I clear that up and start nosing around..

 I check for open relay (telnet), and can't find any problem. I start to think
 maybe this is a SoBig.F issue, until I read some of the NDRs.

 Within fifteen minutes, badmail starts to accumulate again. I look further,
 and see a connection in the OPEN SESSIONS section of System Manager. I kill
 the connection after jotting down some details. Queues are just jammed full of
 crap - Viagra ads, etc.
 I clear this out again, along with badmail, and start watching. Sure enough, a
 short time later, someone from the same IP subnet connects and it starts all
 over.
 I look through a ton of articles on open relay, and everything checks out.
 Then, I run this test: http://tools.appriver.com/openrelay.php
 http://tools.appriver.com/openrelay.php  which basically tries to relay
 using various combinations of addressing formats.
 Test #14 fails
 Test #16 fails
 Test #28 fails
 #14 uses a rcpt to format of
 RCPT TO: [EMAIL PROTECTED]
 Notice the quotes.
 #16 uses
 RCPT TO: relaytest%appriver.com
 Notice the quotes and the %
 #28 uses
 RCPT TO: appriver.com!relaytest
 notice the format there.

 I manually tried each on via telnet against the server. Sure enough, the
 server doesn't complain. But every one bounces back with an NDR complaining
 about the recipient address. So my belief is that they're attempting one (or
 more) of these methods, and all of them are bouncing, causing the badmail
 problem.

 My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3.
 Connection is firewalled T1.

 Any help would be greatly appreciated. Thanks!

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-30 Thread Blunt, James H (Jim)

That's not entirely correct.

Go to the properties of your IMS / Connections tab and in the Message
Filtering section, add @enterainmentmail.net...then stop/start you IMS
service.

It will then drop all e-mail from that domain.

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 5:02 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a
message back to the sender telling them it couldn't deliver the message. But
in this case, the spammer forged the sender address, so your mail server is
sending you NDRs because it can't send the original NDR back to the spoofed
address.  Make sense?  There's not much you can do with Exchange 5.5 to
avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...


 Thanks. I've also cut down the Notifications to just 'Host not Found'.

 One of the NDR's looks like this

 
 A mail message could not be sent because the following host is 
 unknown:

 smdv231.entertainmentmail.net
 The message that caused this notification was:


   To:   [EMAIL PROTECTED]
   From: 
   Subject:  Undeliverable: Sales manager or Marketing dept
 -

 Is this is a Relay, shouldn't I not be accepting it in the first 
 place?

 Thanks for all the insight so far...

 Cheers,
 Tony



 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:30 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 They're just using dfg.com.  Don't bother your MX record.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:37 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 
 messages sitting in the IMS queue after 8hrs? I have another site 
 where
the
 IMS has hardly any messages sitting in there so this is why I am
concerned.
 What if I changed the MX record's IP address, would that help slow it 
 down
a
 little or are they just using dfg.com?

 Cheers,
 Tony

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 10:10 AM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 Tony,

 Open up the properties page of your IMS Connection, go to the Internet
Mail
 tab and click on the Notifications... button.  My guess would be that 
 you have the Always send notifications when non-delivery reports are
generated
 radio button clicked.  If that is the case, select the second choice 
 and uncheck the options that you don't want.

 I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers 
 trying
to
 brute force their spam through the system.  I track the NDRs to create 
 a spreadsheet for management, showing them the exponential growth of 
 spam
and
 the load it is placing on the servers, in order to justify new 
 servers.

 Jim

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 9:58 AM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 I've tested via telnet and from home using Outlook Express and it 
 always replies with 550 so I think I'm good there. Just the amount of 
 mail is insane. I came in this morning at there's over 10,000 in the 
 IMS Queue. I guess eventually it will slow down...

 Thanks to all.

 Cheers,
 Tony

 -Original Message-
 From: Dave Mills [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 5:28 PM
 To: Exchange Discussions
 Subject: Re: Not Open Relay, but...


 For #3, what you are seeing is spammer trying to find valid addresses 
 @dfg.com by simply guessing addresses and trying them, your best bet 
 would be to turn off the notification on your IMS for E-mail address 
 could not
be
 found.  For #2, yes they will sit in the queue until they are 
 delivered
or
 just time out.  For #1, are you sure you're not an open relay?  See

http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
 change_Server_55.html.

 - Dave

 - Original Message -
 From: Woods, Tony [EMAIL PROTECTED]
 To: Exchange Discussions [EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 5:00 PM
 Subject: RE: Not Open Relay, but...


  Hi John,
 
  Is this in response to my question #3? If so, does everyone receive 
  over 2000 messages every hour in the 'Admin' mailbox with a subject 
  line of
  'Notification: Inbound Mail Failure? I understand getting some but 
  over 2000 an hour? Each of these messages is addressed

RE: Not Open Relay, but...

2003-06-27 Thread William Lefkovics

Oh well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

boggle

You tested someone else's domain at abuse.net without permission?  You do
realize that if it would have failed other tests, they get put on RBL's?
Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] Posted At: Thursday,
June 26, 2003 12:19 PM Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-26 Thread hawkinsgp

I highly recommend going to one of the sites like mailabuse.org and
following their directions to verify that you're not an open relay BEFORE
you get blacklisted.  It can be a real pain to get off all the blacklists,
and your users will scream bloody murder.

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open Relay Suggestions

2003-06-26 Thread Chris H

I am using Interscan Virus wall as my incoming smtp server on port 25; which
then forwards my mail to the Exchange IMC on port 6000. I have been testing
against open relay testers and I always fail the one or two tests where they
spam my domain name. I am assuming this is because Interscan cannot look up
usernames to see if the mailbox is valid? For that matter I dont think
Exchange 5.5's IMC does either?

Anyway to close this last hole? Suggestions? I worked hard to get off all
the RBL's the last mail admin had gotten us on  . . .

tia

chris

 RSET
 250 web3: Reset State
 MAIL FROM:[EMAIL PROTECTED]
 250 [EMAIL PROTECTED]: Sender Ok
 RCPT TO:[EMAIL PROTECTED]
 250 [EMAIL PROTECTED]: Recipient Ok


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive 
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
 whatever. It's just random letters in front of the domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed 
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not 
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of 
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default 
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-26 Thread Christopher Hummert

I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for E-mail address
could not be found.  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but
over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
 whatever. It's just random letters in front of the domain name
@dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED

RE: Not Open Relay, but...

2003-06-26 Thread Blunt, James H (Jim)

Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the Always send notifications when non-delivery reports are generated
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
 whatever. It's just random letters in front of the domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL

RE: Open Relay Suggestions

2003-06-26 Thread Chris Scharff

Those aren't holes. One can legitimately accept mail for those addresses
and as long as it isn't relayed to the final destination the server is
relay secure. The designers of those tests have implemented their
testing criteria improperly.

-Original Message-
From: Chris H [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 11:23 AM
Posted To: swynk
Conversation: Open Relay Suggestions
Subject: Open Relay Suggestions


I am using Interscan Virus wall as my incoming smtp server on port 25;
which then forwards my mail to the Exchange IMC on port 6000. I have
been testing against open relay testers and I always fail the one or two
tests where they spam my domain name. I am assuming this is because
Interscan cannot look up usernames to see if the mailbox is valid? For
that matter I dont think Exchange 5.5's IMC does either?

Anyway to close this last hole? Suggestions? I worked hard to get off
all the RBL's the last mail admin had gotten us on  . . .

tia

chris

 RSET
 250 web3: Reset State
 MAIL FROM:[EMAIL PROTECTED]
 250 [EMAIL PROTECTED]: Sender Ok
 RCPT TO:[EMAIL PROTECTED]
 250 [EMAIL PROTECTED]: Recipient Ok


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Suggestions

2003-06-26 Thread Matt Hoffman

We used to use Netscape's mail server back when it was free for educational
use.  At the time, we did have a closed relay system, but since our server
wouldn't respond with a 550, we got blacklisted.  It took us quite a lot of
effort to get the various Anti-relay sites to accept that we were a closed
relay.  

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 2:22 PM
To: Exchange Discussions
Subject: RE: Open Relay Suggestions

Those aren't holes. One can legitimately accept mail for those addresses and
as long as it isn't relayed to the final destination the server is relay
secure. The designers of those tests have implemented their testing criteria
improperly.

-Original Message-
From: Chris H [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 11:23 AM
Posted To: swynk
Conversation: Open Relay Suggestions
Subject: Open Relay Suggestions

I am using Interscan Virus wall as my incoming smtp server on port 25; which
then forwards my mail to the Exchange IMC on port 6000. I have been testing
against open relay testers and I always fail the one or two tests where they
spam my domain name. I am assuming this is because Interscan cannot look up
usernames to see if the mailbox is valid? For that matter I dont think
Exchange 5.5's IMC does either?

Anyway to close this last hole? Suggestions? I worked hard to get off all
the RBL's the last mail admin had gotten us on  . . .

tia

chris

 RSET
 250 web3: Reset State
 MAIL FROM:[EMAIL PROTECTED]
 250 [EMAIL PROTECTED]: Sender Ok
 RCPT TO:[EMAIL PROTECTED]
 250 [EMAIL PROTECTED]: Recipient Ok

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-26 Thread Ben Winzenz

boggle

You tested someone else's domain at abuse.net without permission?  You
do realize that if it would have failed other tests, they get put on
RBL's?  Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...


I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for E-mail address
could not be found.  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but
over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
 whatever. It's just random letters in front of the domain name
@dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter

RE: Not Open Relay, but...

2003-06-26 Thread Christopher Hummert

It's the testing one. Not the one that puts people on the list

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

boggle

You tested someone else's domain at abuse.net without permission?  You
do realize that if it would have failed other tests, they get put on
RBL's?  Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for E-mail address
could not be found.  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

 Hi John,

 Is this in response to my question #3? If so, does everyone receive 
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but
over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or

 whatever. It's just random letters in front of the domain name
@dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...

 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed 
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not 
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of 
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default 
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto

RE: Not Open Relay, but...

2003-06-26 Thread Ben Winzenz

It's still not something I would have done.  If you are going to test
someone else's domain that you don't own, then you really ought to
manually test it.  If you are using a 3rd party tool, then you don't
have any control over whether they send domain names that fail the relay
tests to RBL's.
-

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 2:04 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...


It's the testing one. Not the one that puts people on the list


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


boggle

You tested someone else's domain at abuse.net without permission?  You
do realize that if it would have failed other tests, they get put on
RBL's?  Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] Posted At:
Thursday, June 26, 2003 12:19 PM Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...


I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for E-mail address
could not be found.  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive 
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but
over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or

 whatever. It's just random letters in front of the domain name
@dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed 
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not 
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of 
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default 
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the Always send notifications when non-delivery reports are generated
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive 
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but 
 over 2000 an hour? Each of these messages is addressed to 
 [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
 domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed 
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not 
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of 
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default 
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED

RE: Not Open Relay, but...

2003-06-26 Thread Christopher Hummert

Your best solution is to find out the source of those messages, and then
block the domain,

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where
the IMS has hardly any messages sitting in there so this is why I am
concerned. What if I changed the MX record's IP address, would that help
slow it down a little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Tony,

Open up the properties page of your IMS Connection, go to the Internet
Mail tab and click on the Notifications... button.  My guess would be
that you have the Always send notifications when non-delivery reports
are generated radio button clicked.  If that is the case, select the
second choice and uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying
to brute force their spam through the system.  I track the NDRs to
create a spreadsheet for management, showing them the exponential growth
of spam and the load it is placing on the servers, in order to justify
new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for E-mail address
could not be found.  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but 
 over 2000 an hour? Each of these messages is addressed to 
 [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
 domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...

 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http

RE: Not Open Relay, but...

2003-06-26 Thread Blunt, James H (Jim)

H...well it would be for me, but then again, I'm not sure I have the
qualifications to answer that question.  We are a small company (and getting
smaller by the day!) of roughly 600 people.  If you're a big company, you
may be getting significantly larger numbers of messages sitting in you IMS
queue.  

Our current time-out period for attempting delivery is 72 hours.  Until that
time expires, they WILL sit in the IMS queue awaiting delivery.  Then they
will generate a non-delivery notification to your Admin mailbox.  I would
probably get a lot more of those sitting in my queue, if I didn't have so
many spam domains in my block list.  That and the fact that I delete them at
least once a day.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the Always send notifications when non-delivery reports are generated
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but 
 over 2000 an hour? Each of these messages is addressed to 
 [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
 domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default
 time?

 3) For the Inbound Mail Failures,  a lot

RE: Not Open Relay, but...

2003-06-26 Thread Blunt, James H (Jim)

They're just using dfg.com.  Don't bother your MX record.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the Always send notifications when non-delivery reports are generated
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but 
 over 2000 an hour? Each of these messages is addressed to 
 [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
 domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...

 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default
 time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
 coming from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm

RE: Not Open Relay, but...

Thanks. I've also cut down the Notifications to just 'Host not Found'. 

One of the NDR's looks like this


A mail message could not be sent because the following host is unknown:

smdv231.entertainmentmail.net
The message that caused this notification was:


  To:   [EMAIL PROTECTED]
  From: 
  Subject:  Undeliverable: Sales manager or Marketing dept
-

Is this is a Relay, shouldn't I not be accepting it in the first place?

Thanks for all the insight so far...

Cheers,
Tony



-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:30 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


They're just using dfg.com.  Don't bother your MX record.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the Always send notifications when non-delivery reports are generated
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive
 over 2000 messages every hour in the 'Admin' mailbox with a subject 
 line of
 'Notification: Inbound Mail Failure? I understand getting some but
 over 2000 an hour? Each of these messages is addressed to 
 [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
 domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed
 something strange. It's been sometime since I had to play with 
 Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not
 an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 
 'Admin' mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit

Re: Not Open Relay, but...

2003-06-26 Thread Dave Mills

Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a
message back to the sender telling them it couldn't deliver the message.
But in this case, the spammer forged the sender address, so your mail server
is sending you NDRs because it can't send the original NDR back to the
spoofed address.  Make sense?  There's not much you can do with Exchange 5.5
to avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...


 Thanks. I've also cut down the Notifications to just 'Host not Found'.

 One of the NDR's looks like this

 
 A mail message could not be sent because the following host is unknown:

 smdv231.entertainmentmail.net
 The message that caused this notification was:


   To:   [EMAIL PROTECTED]
   From: 
   Subject:  Undeliverable: Sales manager or Marketing dept
 -

 Is this is a Relay, shouldn't I not be accepting it in the first place?

 Thanks for all the insight so far...

 Cheers,
 Tony



 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:30 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 They're just using dfg.com.  Don't bother your MX record.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:37 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
 messages sitting in the IMS queue after 8hrs? I have another site where
the
 IMS has hardly any messages sitting in there so this is why I am
concerned.
 What if I changed the MX record's IP address, would that help slow it down
a
 little or are they just using dfg.com?

 Cheers,
 Tony

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 10:10 AM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 Tony,

 Open up the properties page of your IMS Connection, go to the Internet
Mail
 tab and click on the Notifications... button.  My guess would be that you
 have the Always send notifications when non-delivery reports are
generated
 radio button clicked.  If that is the case, select the second choice and
 uncheck the options that you don't want.

 I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying
to
 brute force their spam through the system.  I track the NDRs to create a
 spreadsheet for management, showing them the exponential growth of spam
and
 the load it is placing on the servers, in order to justify new servers.

 Jim

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 9:58 AM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 I've tested via telnet and from home using Outlook Express and it always
 replies with 550 so I think I'm good there. Just the amount of mail is
 insane. I came in this morning at there's over 10,000 in the IMS Queue. I
 guess eventually it will slow down...

 Thanks to all.

 Cheers,
 Tony

 -Original Message-
 From: Dave Mills [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 5:28 PM
 To: Exchange Discussions
 Subject: Re: Not Open Relay, but...


 For #3, what you are seeing is spammer trying to find valid addresses
 @dfg.com by simply guessing addresses and trying them, your best bet would
 be to turn off the notification on your IMS for E-mail address could not
be
 found.  For #2, yes they will sit in the queue until they are delivered
or
 just time out.  For #1, are you sure you're not an open relay?  See

http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
 change_Server_55.html.

 - Dave

 - Original Message - 
 From: Woods, Tony [EMAIL PROTECTED]
 To: Exchange Discussions [EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 5:00 PM
 Subject: RE: Not Open Relay, but...


  Hi John,
 
  Is this in response to my question #3? If so, does everyone receive
  over 2000 messages every hour in the 'Admin' mailbox with a subject
  line of
  'Notification: Inbound Mail Failure? I understand getting some but
  over 2000 an hour? Each of these messages is addressed to
  [EMAIL PROTECTED] or whatever. It's just random letters in front of the
  domain name @dfg.com
 and
  there's just a ton of them. Thanks for any ideas, all.
 
  Cheers,
  Tony
 
  -Original Message-
  From: John Strongosky [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 25, 2003 3:46 PM
  To: Exchange Discussions
  Subject: RE: Not Open Relay, but...
 
 
  NDR's (non-delivery reports) from spammer's probably

RE: Not Open Relay, but...

Thanks, Dave. That's crystal clear.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 4:02 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a
message back to the sender telling them it couldn't deliver the message. But
in this case, the spammer forged the sender address, so your mail server is
sending you NDRs because it can't send the original NDR back to the spoofed
address.  Make sense?  There's not much you can do with Exchange 5.5 to
avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...

 Thanks. I've also cut down the Notifications to just 'Host not Found'.

 One of the NDR's looks like this

 A mail message could not be sent because the following host is 
 unknown:

 smdv231.entertainmentmail.net
 The message that caused this notification was:

   To:   [EMAIL PROTECTED]
   From: 
   Subject:  Undeliverable: Sales manager or Marketing dept
 -

 Is this is a Relay, shouldn't I not be accepting it in the first 
 place?

 Thanks for all the insight so far...

 Cheers,
 Tony

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:30 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 They're just using dfg.com.  Don't bother your MX record.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:37 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 
 messages sitting in the IMS queue after 8hrs? I have another site 
 where
the
 IMS has hardly any messages sitting in there so this is why I am
concerned.
 What if I changed the MX record's IP address, would that help slow it 
 down
a
 little or are they just using dfg.com?

 Cheers,
 Tony

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 10:10 AM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 Tony,

 Open up the properties page of your IMS Connection, go to the Internet
Mail
 tab and click on the Notifications... button.  My guess would be that 
 you have the Always send notifications when non-delivery reports are
generated
 radio button clicked.  If that is the case, select the second choice 
 and uncheck the options that you don't want.

 I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers 
 trying
to
 brute force their spam through the system.  I track the NDRs to create 
 a spreadsheet for management, showing them the exponential growth of 
 spam
and
 the load it is placing on the servers, in order to justify new 
 servers.

 Jim

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 9:58 AM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...

 I've tested via telnet and from home using Outlook Express and it 
 always replies with 550 so I think I'm good there. Just the amount of 
 mail is insane. I came in this morning at there's over 10,000 in the 
 IMS Queue. I guess eventually it will slow down...

 Thanks to all.

 Cheers,
 Tony

 -Original Message-
 From: Dave Mills [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 5:28 PM
 To: Exchange Discussions
 Subject: Re: Not Open Relay, but...

 For #3, what you are seeing is spammer trying to find valid addresses 
 @dfg.com by simply guessing addresses and trying them, your best bet 
 would be to turn off the notification on your IMS for E-mail address 
 could not
be
 found.  For #2, yes they will sit in the queue until they are 
 delivered
or
 just time out.  For #1, are you sure you're not an open relay?  See

http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
 change_Server_55.html.

 - Dave

 - Original Message -
 From: Woods, Tony [EMAIL PROTECTED]
 To: Exchange Discussions [EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 5:00 PM
 Subject: RE: Not Open Relay, but...

  Hi John,

  Is this in response to my question #3? If so, does everyone receive 
  over 2000 messages every hour in the 'Admin' mailbox with a subject 
  line of
  'Notification: Inbound Mail Failure? I understand getting some but 
  over 2000 an hour? Each of these messages is addressed to 
  [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
  domain name @dfg.com
 and
  there's just a ton of them. Thanks for any ideas, all.

  Cheers,
  Tony

Not Open Relay, but...

2003-06-25 Thread Woods, Tony

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator  and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-25 Thread John Strongosky

NDR's (non-delivery reports) from spammer's probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator  and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-25 Thread Woods, Tony

Hi John,

Is this in response to my question #3? If so, does everyone receive over
2000 messages every hour in the 'Admin' mailbox with a subject line of
'Notification: Inbound Mail Failure? I understand getting some but over
2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
whatever. It's just random letters in front of the domain name @dfg.com and
there's just a ton of them. Thanks for any ideas, all.

Cheers,
Tony

-Original Message-
From: John Strongosky [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


NDR's (non-delivery reports) from spammer's probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...


Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator  and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Not Open Relay, but...

2003-06-25 Thread Dave Mills

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for E-mail address could not be
found.  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

- Original Message - 
From: Woods, Tony [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


 Hi John,

 Is this in response to my question #3? If so, does everyone receive over
 2000 messages every hour in the 'Admin' mailbox with a subject line of
 'Notification: Inbound Mail Failure? I understand getting some but over
 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
 whatever. It's just random letters in front of the domain name @dfg.com
and
 there's just a ton of them. Thanks for any ideas, all.

 Cheers,
 Tony

 -Original Message-
 From: John Strongosky [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:46 PM
 To: Exchange Discussions
 Subject: RE: Not Open Relay, but...


 NDR's (non-delivery reports) from spammer's probably.

 -Original Message-
 From: Woods, Tony [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 3:23 PM
 To: Exchange Discussions
 Subject: Not Open Relay, but...


 Hello,

 NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

 I've just taken over a site's Exchange server and have noticed something
 strange. It's been sometime since I had to play with Exchange this deep
but
 the Queues on my IMS keep filling up with 1000's of emails. We're not an
 Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
 Message Awaiting Delivery' with originator  and Destination Host of
 different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
 mailbox for delivery failures as well. My three questions are:

 1) Are these messages that are trying to relay but failing?

 2) If so, are they just going to sit in the Queue for the default time?

 3) For the Inbound Mail Failures,  a lot of them are going to bogus
 addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
 from?

 Thanks in advance.

 Cheers,
 Tony

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-25 Thread Ed Crowley

1.  Probably not.  If your Exchange faces the Internet, it should reject the
relay attempt during the RCPT TO: command, so the messages won't be accepted
for delivery and therefore they won't be NDRed.
2.  Yes.
3.  If dfg.com is your domain then it's normal spam to automatically
generated addresses.

Ed Crowley MCSE+I MVP
There are seldom good technological solutions to behavioral problems.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator  and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

How do I make sure my exchange server is not acting as an Open Relay?

2003-06-13 Thread Romeo

When ever a recipient from my site trying to send an email to a
recipient @aol.com. He/she will receive a message saying Delivery to
the following recipients has been delayed. Then a few days later he/she
will receive another message saying The following recipient(s) could
not be reached: I finally talked to technical support at AOL and they
are telling me that I have been put on the block domain list because AOL
automatically check any IP that sends email to their domain and my IP is
acting as  An open relay, or also known as third-party relay.  How do I
stop this? What is the fix? Any comments or suggestion is truly
appreciated. Thank you

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: How do I make sure my exchange server is not acting as an Open Relay?

2003-06-13 Thread Bob Sadler

I checked, and didn't see that you are running as an open relay.

Perhaps the problem you are having is Reverse DNS?  I know that AOL
requires a Reverse DNS record if you want to talk to it.  I had to add
it into my records before they would talk to me :)



Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194


-Original Message-
From: Romeo [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 13, 2003 1:37 PM
To: Exchange Discussions
Subject: How do I make sure my exchange server is not acting as an Open
Relay?


When ever a recipient from my site trying to send an email to a
recipient @aol.com. He/she will receive a message saying Delivery to
the following recipients has been delayed. Then a few days later he/she
will receive another message saying The following recipient(s) could
not be reached: I finally talked to technical support at AOL and they
are telling me that I have been put on the block domain list because AOL
automatically check any IP that sends email to their domain and my IP is
acting as  An open relay, or also known as third-party relay.  How do I
stop this? What is the fix? Any comments or suggestion is truly
appreciated. Thank you

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: How do I make sure my exchange server is not acting as an Open Relay?

2003-06-13 Thread John Parker

Ditto on that.
The same thing happened to my domain.

John Parker, MCSE
---End of Line---



-Original Message-
From: Bob Sadler [mailto:[EMAIL PROTECTED]
Sent: Friday, June 13, 2003 2:35 PM
To: Exchange Discussions
Subject: RE: How do I make sure my exchange server is not acting as an
Open Relay?


I checked, and didn't see that you are running as an open relay.

Perhaps the problem you are having is Reverse DNS?  I know that AOL
requires a Reverse DNS record if you want to talk to it.  I had to add
it into my records before they would talk to me :)



Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194


-Original Message-
From: Romeo [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 13, 2003 1:37 PM
To: Exchange Discussions
Subject: How do I make sure my exchange server is not acting as an Open
Relay?


When ever a recipient from my site trying to send an email to a
recipient @aol.com. He/she will receive a message saying Delivery to
the following recipients has been delayed. Then a few days later he/she
will receive another message saying The following recipient(s) could
not be reached: I finally talked to technical support at AOL and they
are telling me that I have been put on the block domain list because AOL
automatically check any IP that sends email to their domain and my IP is
acting as  An open relay, or also known as third-party relay.  How do I
stop this? What is the fix? Any comments or suggestion is truly
appreciated. Thank you

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open Relay Help

Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still get
listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version and
pattern files.

I have been unsuccessful in finding and searching the archives.  Any help
would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Andy David

You've got to contact them and have them take you out of their database.

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:06 AM
To: Exchange Discussions
Subject: Open Relay Help

Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still get
listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version and
pattern files.

I have been unsuccessful in finding and searching the archives.  Any help
would be greatly appreciated.

Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

--
The information contained in this email message is privileged and confidential
information intended only for the use of the individual or entity to whom it
is addressed.  If the reader of this message is not the intended recipient,
you are hereby notified that any dissemination, distribution or copy of this
message is strictly prohibited.  If you have received this email in error,
please immediately notify Veronis Suhler Stevenson by telephone (212)935-4990,
fax (212)381-8168, or email ([EMAIL PROTECTED]) and delete the message.  Thank
you.

==

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Chris Scharff

You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

Still looks to be open

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:23
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 I'm sure I did but restarted once more to make sure.  Can you 
 try again?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:13 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 You're still an open relay. Did you restart the IMS after making the
 changes described in the article?
 
 Describe your settings on this tab as well in detail:
 http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:06 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: Open Relay Help
 
 
 Apparently my mail server has been listed as an Open Relay at
 http://njabl.org/.
 
 I've followed the instructions listed in the following FAQ, and still
 get listed as an open relay.
 
 3.73 Q: How can I configure my Exchange server so it can't be 
 used as an
 open relay? 
 A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
  
 
 My server is as follows:
 Windows 2000 SP2
 Exchange 5.5 SP4
 Trend Micro's ScanMail and EManager are installed and current 
 on version
 and pattern files.
 
 I have been unsuccessful in finding and searching the archives.  Any
 help would be greatly appreciated.
 
 
 
 Skip Taylor, MCSE 
 Network Administrator 
 Jordan, Jones, and Goulding 
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Chris Scharff

Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help

I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help

You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help

Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.

Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

On the Routing tab Reroute incoming SMTP mail (required for POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and Route to: is
inbound

The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and populated with 3
internal addresses for Canon Image Runner copiers that can send email.
Hosts and clients connecting to these internal addresses is checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

I think the Hosts and clients connecting to these internal addresses is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:35
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 On the Routing tab Reroute incoming SMTP mail (required for 
 POP3/IMAP4
 support)is checked.
 In the field below Sent to: has our domain of jjg.com and Route to: is
 inbound
 
 The Routing Restrictions are as follows:
 Hosts and clients that successfully authenticate is not checked.
 Host and clients with these IP addresses is checked and 
 populated with 3
 internal addresses for Canon Image Runner copiers that can send email.
 Hosts and clients connecting to these internal addresses is 
 checked with the
 Internal IP address of our exchange server.
 Specify the hosts and clients that can NEVER route mail is empty.
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:29 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 Still open... What's that tab say now exactly?
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:23 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: RE: Open Relay Help
 
 
 I'm sure I did but restarted once more to make sure.  Can you 
 try again?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:13 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 You're still an open relay. Did you restart the IMS after making the
 changes described in the article?
 
 Describe your settings on this tab as well in detail:
 http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:06 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: Open Relay Help
 
 
 Apparently my mail server has been listed as an Open Relay at
 http://njabl.org/.
 
 I've followed the instructions listed in the following FAQ, and still
 get listed as an open relay.
 
 3.73 Q: How can I configure my Exchange server so it can't be 
 used as an
 open relay? 
 A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
  
 
 My server is as follows:
 Windows 2000 SP2
 Exchange 5.5 SP4
 Trend Micro's ScanMail and EManager are installed and current 
 on version
 and pattern files.
 
 I have been unsuccessful in finding and searching the archives.  Any
 help would be greatly appreciated.
 
 
 
 Skip Taylor, MCSE 
 Network Administrator 
 Jordan, Jones, and Goulding 
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

 Host and clients with these IP addresses is checked and populated with 3
 internal addresses for Canon Image Runner copiers that can send email.

I'd bet money that's your problem.  I had my Exchange server setup like this
at one point, for a Mac client with an old version of Eudora that didn't
support SMTP AUTH.  It turned Exchange into an open relay.  Removing the IP
address, but leaving the box checked, solved my problem.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:35 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


On the Routing tab Reroute incoming SMTP mail (required for POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and Route to: is
inbound

The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and populated with 3
internal addresses for Canon Image Runner copiers that can send email.
Hosts and clients connecting to these internal addresses is checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter

RE: Open Relay Help

Man, I AM tired.  Sorry, wrong entry.

This is the one I was talking about.

 Hosts and clients connecting to these internal addresses is checked
 with the Internal IP address of our exchange server.

Remove that entry.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Dickenson, Steven [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:43 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


 Host and clients with these IP addresses is checked and populated with 3
 internal addresses for Canon Image Runner copiers that can send email.

I'd bet money that's your problem.  I had my Exchange server setup like this
at one point, for a Mac client with an old version of Eudora that didn't
support SMTP AUTH.  It turned Exchange into an open relay.  Removing the IP
address, but leaving the box checked, solved my problem.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:35 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


On the Routing tab Reroute incoming SMTP mail (required for POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and Route to: is
inbound

The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and populated with 3
internal addresses for Canon Image Runner copiers that can send email.
Hosts and clients connecting to these internal addresses is checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED

RE: Open Relay Help

I unchecked Hosts and clients connecting to these internal addresses and
restarted the IMS.  Still relaying?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:42 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


I think the Hosts and clients connecting to these internal addresses is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:35
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 On the Routing tab Reroute incoming SMTP mail (required for 
 POP3/IMAP4
 support)is checked.
 In the field below Sent to: has our domain of jjg.com and Route to: is
 inbound
 
 The Routing Restrictions are as follows:
 Hosts and clients that successfully authenticate is not checked.
 Host and clients with these IP addresses is checked and 
 populated with 3
 internal addresses for Canon Image Runner copiers that can send email.
 Hosts and clients connecting to these internal addresses is 
 checked with the
 Internal IP address of our exchange server.
 Specify the hosts and clients that can NEVER route mail is empty.
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:29 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 Still open... What's that tab say now exactly?
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:23 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: RE: Open Relay Help
 
 
 I'm sure I did but restarted once more to make sure.  Can you 
 try again?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:13 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 You're still an open relay. Did you restart the IMS after making the
 changes described in the article?
 
 Describe your settings on this tab as well in detail:
 http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:06 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: Open Relay Help
 
 
 Apparently my mail server has been listed as an Open Relay at
 http://njabl.org/.
 
 I've followed the instructions listed in the following FAQ, and still
 get listed as an open relay.
 
 3.73 Q: How can I configure my Exchange server so it can't be 
 used as an
 open relay? 
 A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
  
 
 My server is as follows:
 Windows 2000 SP2
 Exchange 5.5 SP4
 Trend Micro's ScanMail and EManager are installed and current 
 on version
 and pattern files.
 
 I have been unsuccessful in finding and searching the archives.  Any
 help would be greatly appreciated.
 
 
 
 Skip Taylor, MCSE 
 Network Administrator 
 Jordan, Jones, and Goulding 
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin

RE: Open Relay Help

Nope, rejects relay attempts using sam spade.

If you've not already done so check your outbound queue - you don't want to
find there's 10,000 spams in there :-)

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:44
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 I unchecked Hosts and clients connecting to these internal 
 addresses and
 restarted the IMS.  Still relaying?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Paul Hutchings [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:42 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 I think the Hosts and clients connecting to these internal 
 addresses is
 your problem - you don't need it ticked (or I should say it 
 isn't ticked
 here and doesn't affect inbound email).
 
 regards,
 Paul
 --
 Paul Hutchings
 Network Administrator, MIRA Ltd.
 Tel: 024 7635 5378, Fax: 024 7635 8378
 mailto:[EMAIL PROTECTED]
 
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED]
  Sent: 29 May 2003 15:35
  To: Exchange Discussions
  Subject: RE: Open Relay Help
  
  
  On the Routing tab Reroute incoming SMTP mail (required for 
  POP3/IMAP4
  support)is checked.
  In the field below Sent to: has our domain of jjg.com and 
 Route to: is
  inbound
  
  The Routing Restrictions are as follows:
  Hosts and clients that successfully authenticate is not checked.
  Host and clients with these IP addresses is checked and 
  populated with 3
  internal addresses for Canon Image Runner copiers that can 
 send email.
  Hosts and clients connecting to these internal addresses is 
  checked with the
  Internal IP address of our exchange server.
  Specify the hosts and clients that can NEVER route mail is empty.
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Chris Scharff [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:29 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  Still open... What's that tab say now exactly?
  
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
  Posted At: Thursday, May 29, 2003 9:23 AM
  Posted To: swynk
  Conversation: Open Relay Help
  Subject: RE: Open Relay Help
  
  
  I'm sure I did but restarted once more to make sure.  Can you 
  try again?
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Chris Scharff [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:13 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  You're still an open relay. Did you restart the IMS after making the
  changes described in the article?
  
  Describe your settings on this tab as well in detail:
  http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
  
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
  Posted At: Thursday, May 29, 2003 9:06 AM
  Posted To: swynk
  Conversation: Open Relay Help
  Subject: Open Relay Help
  
  
  Apparently my mail server has been listed as an Open Relay at
  http://njabl.org/.
  
  I've followed the instructions listed in the following FAQ, 
 and still
  get listed as an open relay.
  
  3.73 Q: How can I configure my Exchange server so it can't be 
  used as an
  open relay? 
  A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
   
  
  My server is as follows:
  Windows 2000 SP2
  Exchange 5.5 SP4
  Trend Micro's ScanMail and EManager are installed and current 
  on version
  and pattern files.
  
  I have been unsuccessful in finding and searching the archives.  Any
  help would be greatly appreciated.
  
  
  
  Skip Taylor, MCSE 
  Network Administrator 
  Jordan, Jones, and Goulding 
  
  _
  List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
  Web Interface:
  http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
 ext_mode=
 lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
 ext_mode=
 lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED

RE: Open Relay Help

2003-05-30 Thread Dave Vantine

No

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:44 AM
To: Exchange Discussions
Subject: RE: Open Relay Help

I unchecked Hosts and clients connecting to these internal addresses and
restarted the IMS.  Still relaying?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding

-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:42 AM
To: Exchange Discussion
Subject: RE: Open Relay Help

I think the Hosts and clients connecting to these internal addresses is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378 mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:35
 To: Exchange Discussions
 Subject: RE: Open Relay Help

 On the Routing tab Reroute incoming SMTP mail (required for
 POP3/IMAP4
 support)is checked.
 In the field below Sent to: has our domain of jjg.com and Route to: is
 inbound

 The Routing Restrictions are as follows:
 Hosts and clients that successfully authenticate is not checked. Host 
 and clients with these IP addresses is checked and populated with 3
 internal addresses for Canon Image Runner copiers that can send email.
 Hosts and clients connecting to these internal addresses is 
 checked with the
 Internal IP address of our exchange server.
 Specify the hosts and clients that can NEVER route mail is empty.

 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding

 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:29 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help

 Still open... What's that tab say now exactly?

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Posted At: Thursday, May 29, 2003 9:23 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: RE: Open Relay Help

 I'm sure I did but restarted once more to make sure.  Can you
 try again?

 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding

 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:13 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help

 You're still an open relay. Did you restart the IMS after making the 
 changes described in the article?

 Describe your settings on this tab as well in detail: 
 http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Posted At: Thursday, May 29, 2003 9:06 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: Open Relay Help

 Apparently my mail server has been listed as an Open Relay at 
 http://njabl.org/.

 I've followed the instructions listed in the following FAQ, and still 
 get listed as an open relay.

 3.73 Q: How can I configure my Exchange server so it can't be
 used as an
 open relay? 
 A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 

 My server is as follows:
 Windows 2000 SP2
 Exchange 5.5 SP4
 Trend Micro's ScanMail and EManager are installed and current
 on version
 and pattern files.

 I have been unsuccessful in finding and searching the archives.  Any 
 help would be greatly appreciated.

 Skip Taylor, MCSE
 Network Administrator 
 Jordan, Jones, and Goulding 

 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface: 
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource

RE: Open Relay Help

Nope, all good now.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:44 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


I unchecked Hosts and clients connecting to these internal addresses and
restarted the IMS.  Still relaying?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:42 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


I think the Hosts and clients connecting to these internal addresses is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:35
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 On the Routing tab Reroute incoming SMTP mail (required for 
 POP3/IMAP4
 support)is checked.
 In the field below Sent to: has our domain of jjg.com and Route to: is
 inbound
 
 The Routing Restrictions are as follows:
 Hosts and clients that successfully authenticate is not checked.
 Host and clients with these IP addresses is checked and 
 populated with 3
 internal addresses for Canon Image Runner copiers that can send email.
 Hosts and clients connecting to these internal addresses is 
 checked with the
 Internal IP address of our exchange server.
 Specify the hosts and clients that can NEVER route mail is empty.
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:29 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 Still open... What's that tab say now exactly?
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:23 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: RE: Open Relay Help
 
 
 I'm sure I did but restarted once more to make sure.  Can you 
 try again?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Chris Scharff [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:13 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 You're still an open relay. Did you restart the IMS after making the
 changes described in the article?
 
 Describe your settings on this tab as well in detail:
 http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
 
 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
 Posted At: Thursday, May 29, 2003 9:06 AM
 Posted To: swynk
 Conversation: Open Relay Help
 Subject: Open Relay Help
 
 
 Apparently my mail server has been listed as an Open Relay at
 http://njabl.org/.
 
 I've followed the instructions listed in the following FAQ, and still
 get listed as an open relay.
 
 3.73 Q: How can I configure my Exchange server so it can't be 
 used as an
 open relay? 
 A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
  
 
 My server is as follows:
 Windows 2000 SP2
 Exchange 5.5 SP4
 Trend Micro's ScanMail and EManager are installed and current 
 on version
 and pattern files.
 
 I have been unsuccessful in finding and searching the archives.  Any
 help would be greatly appreciated.
 
 
 
 Skip Taylor, MCSE 
 Network Administrator 
 Jordan, Jones, and Goulding 
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
ext_mode=
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED

RE: Open Relay Help

I saw about 50 or so.  I'm still getting items in the queue with a blank
originator.  Is this to be expected?  What happens to these items?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:46 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Nope, rejects relay attempts using sam spade.

If you've not already done so check your outbound queue - you don't want to
find there's 10,000 spams in there :-)

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:44
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 I unchecked Hosts and clients connecting to these internal 
 addresses and
 restarted the IMS.  Still relaying?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Paul Hutchings [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:42 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 I think the Hosts and clients connecting to these internal 
 addresses is
 your problem - you don't need it ticked (or I should say it 
 isn't ticked
 here and doesn't affect inbound email).
 
 regards,
 Paul
 --
 Paul Hutchings
 Network Administrator, MIRA Ltd.
 Tel: 024 7635 5378, Fax: 024 7635 8378
 mailto:[EMAIL PROTECTED]
 
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED]
  Sent: 29 May 2003 15:35
  To: Exchange Discussions
  Subject: RE: Open Relay Help
  
  
  On the Routing tab Reroute incoming SMTP mail (required for 
  POP3/IMAP4
  support)is checked.
  In the field below Sent to: has our domain of jjg.com and 
 Route to: is
  inbound
  
  The Routing Restrictions are as follows:
  Hosts and clients that successfully authenticate is not checked.
  Host and clients with these IP addresses is checked and 
  populated with 3
  internal addresses for Canon Image Runner copiers that can 
 send email.
  Hosts and clients connecting to these internal addresses is 
  checked with the
  Internal IP address of our exchange server.
  Specify the hosts and clients that can NEVER route mail is empty.
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Chris Scharff [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:29 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  Still open... What's that tab say now exactly?
  
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
  Posted At: Thursday, May 29, 2003 9:23 AM
  Posted To: swynk
  Conversation: Open Relay Help
  Subject: RE: Open Relay Help
  
  
  I'm sure I did but restarted once more to make sure.  Can you 
  try again?
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Chris Scharff [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:13 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  You're still an open relay. Did you restart the IMS after making the
  changes described in the article?
  
  Describe your settings on this tab as well in detail:
  http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
  
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
  Posted At: Thursday, May 29, 2003 9:06 AM
  Posted To: swynk
  Conversation: Open Relay Help
  Subject: Open Relay Help
  
  
  Apparently my mail server has been listed as an Open Relay at
  http://njabl.org/.
  
  I've followed the instructions listed in the following FAQ, 
 and still
  get listed as an open relay.
  
  3.73 Q: How can I configure my Exchange server so it can't be 
  used as an
  open relay? 
  A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
   
  
  My server is as follows:
  Windows 2000 SP2
  Exchange 5.5 SP4
  Trend Micro's ScanMail and EManager are installed and current 
  on version
  and pattern files.
  
  I have been unsuccessful in finding and searching the archives.  Any
  help would be greatly appreciated.
  
  
  
  Skip Taylor, MCSE 
  Network Administrator 
  Jordan, Jones, and Goulding 
  
  _
  List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
  Web Interface:
  http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
 ext_mode=
 lang=english
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Web Interface:
 http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget
 ext_mode=
 lang
 =english
 To unsubscribe: mailto:[EMAIL PROTECTED

RE: Open Relay Help

If it's originator is  they're NDRs and the likes - they can be safely
deleted.

You might want to keep an eye on http://www.openrbl.org to make sure you
don't creep onto more DNSBLs as people receive stuff that may have been sent
through your server and report it to Spamcop and the likes.

Some lists you'll be able to get removed from, some you're stuck on simply
for being with QWest.

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:52
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 I saw about 50 or so.  I'm still getting items in the queue 
 with a blank
 originator.  Is this to be expected?  What happens to these items?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Paul Hutchings [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:46 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 Nope, rejects relay attempts using sam spade.
 
 If you've not already done so check your outbound queue - you 
 don't want to
 find there's 10,000 spams in there :-)
 
 regards,
 Paul
 --
 Paul Hutchings
 Network Administrator, MIRA Ltd.
 Tel: 024 7635 5378, Fax: 024 7635 8378
 mailto:[EMAIL PROTECTED]
 
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED]
  Sent: 29 May 2003 15:44
  To: Exchange Discussions
  Subject: RE: Open Relay Help
  
  
  I unchecked Hosts and clients connecting to these internal 
  addresses and
  restarted the IMS.  Still relaying?
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Paul Hutchings [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:42 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  I think the Hosts and clients connecting to these internal 
  addresses is
  your problem - you don't need it ticked (or I should say it 
  isn't ticked
  here and doesn't affect inbound email).
  
  regards,
  Paul
  --
  Paul Hutchings
  Network Administrator, MIRA Ltd.
  Tel: 024 7635 5378, Fax: 024 7635 8378
  mailto:[EMAIL PROTECTED]
  
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED]
   Sent: 29 May 2003 15:35
   To: Exchange Discussions
   Subject: RE: Open Relay Help
   
   
   On the Routing tab Reroute incoming SMTP mail (required for 
   POP3/IMAP4
   support)is checked.
   In the field below Sent to: has our domain of jjg.com and 
  Route to: is
   inbound
   
   The Routing Restrictions are as follows:
   Hosts and clients that successfully authenticate is not checked.
   Host and clients with these IP addresses is checked and 
   populated with 3
   internal addresses for Canon Image Runner copiers that can 
  send email.
   Hosts and clients connecting to these internal addresses is 
   checked with the
   Internal IP address of our exchange server.
   Specify the hosts and clients that can NEVER route mail is empty.
   
   Skip Taylor, MCSE
   Network Administrator
   Jordan, Jones, and Goulding
   
   
   -Original Message-
   From: Chris Scharff [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 29, 2003 10:29 AM
   To: Exchange Discussion
   Subject: RE: Open Relay Help
   
   
   Still open... What's that tab say now exactly?
   
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
   Posted At: Thursday, May 29, 2003 9:23 AM
   Posted To: swynk
   Conversation: Open Relay Help
   Subject: RE: Open Relay Help
   
   
   I'm sure I did but restarted once more to make sure.  Can you 
   try again?
   
   Skip Taylor, MCSE
   Network Administrator
   Jordan, Jones, and Goulding
   
   
   -Original Message-
   From: Chris Scharff [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 29, 2003 10:13 AM
   To: Exchange Discussion
   Subject: RE: Open Relay Help
   
   
   You're still an open relay. Did you restart the IMS after 
 making the
   changes described in the article?
   
   Describe your settings on this tab as well in detail:
   http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
   
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
   Posted At: Thursday, May 29, 2003 9:06 AM
   Posted To: swynk
   Conversation: Open Relay Help
   Subject: Open Relay Help
   
   
   Apparently my mail server has been listed as an Open Relay at
   http://njabl.org/.
   
   I've followed the instructions listed in the following FAQ, 
  and still
   get listed as an open relay.
   
   3.73 Q: How can I configure my Exchange server so it can't be 
   used as an
   open relay? 
   A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 

   
   My server is as follows:
   Windows 2000 SP2
   Exchange 5.5 SP4
   Trend Micro's ScanMail and EManager are installed and current 
   on version

RE: Open Relay Help

Thank you All for your help on this issue.

btw what's the deal with Qwest?  We just switched to them 2 weeks ago.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:58 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


If it's originator is  they're NDRs and the likes - they can be safely
deleted.

You might want to keep an eye on http://www.openrbl.org to make sure you
don't creep onto more DNSBLs as people receive stuff that may have been sent
through your server and report it to Spamcop and the likes.

Some lists you'll be able to get removed from, some you're stuck on simply
for being with QWest.

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:52
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 I saw about 50 or so.  I'm still getting items in the queue 
 with a blank
 originator.  Is this to be expected?  What happens to these items?
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Paul Hutchings [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:46 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 Nope, rejects relay attempts using sam spade.
 
 If you've not already done so check your outbound queue - you 
 don't want to
 find there's 10,000 spams in there :-)
 
 regards,
 Paul
 --
 Paul Hutchings
 Network Administrator, MIRA Ltd.
 Tel: 024 7635 5378, Fax: 024 7635 8378
 mailto:[EMAIL PROTECTED]
 
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED]
  Sent: 29 May 2003 15:44
  To: Exchange Discussions
  Subject: RE: Open Relay Help
  
  
  I unchecked Hosts and clients connecting to these internal 
  addresses and
  restarted the IMS.  Still relaying?
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Paul Hutchings [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:42 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  I think the Hosts and clients connecting to these internal 
  addresses is
  your problem - you don't need it ticked (or I should say it 
  isn't ticked
  here and doesn't affect inbound email).
  
  regards,
  Paul
  --
  Paul Hutchings
  Network Administrator, MIRA Ltd.
  Tel: 024 7635 5378, Fax: 024 7635 8378
  mailto:[EMAIL PROTECTED]
  
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED]
   Sent: 29 May 2003 15:35
   To: Exchange Discussions
   Subject: RE: Open Relay Help
   
   
   On the Routing tab Reroute incoming SMTP mail (required for 
   POP3/IMAP4
   support)is checked.
   In the field below Sent to: has our domain of jjg.com and 
  Route to: is
   inbound
   
   The Routing Restrictions are as follows:
   Hosts and clients that successfully authenticate is not checked.
   Host and clients with these IP addresses is checked and 
   populated with 3
   internal addresses for Canon Image Runner copiers that can 
  send email.
   Hosts and clients connecting to these internal addresses is 
   checked with the
   Internal IP address of our exchange server.
   Specify the hosts and clients that can NEVER route mail is empty.
   
   Skip Taylor, MCSE
   Network Administrator
   Jordan, Jones, and Goulding
   
   
   -Original Message-
   From: Chris Scharff [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 29, 2003 10:29 AM
   To: Exchange Discussion
   Subject: RE: Open Relay Help
   
   
   Still open... What's that tab say now exactly?
   
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
   Posted At: Thursday, May 29, 2003 9:23 AM
   Posted To: swynk
   Conversation: Open Relay Help
   Subject: RE: Open Relay Help
   
   
   I'm sure I did but restarted once more to make sure.  Can you 
   try again?
   
   Skip Taylor, MCSE
   Network Administrator
   Jordan, Jones, and Goulding
   
   
   -Original Message-
   From: Chris Scharff [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 29, 2003 10:13 AM
   To: Exchange Discussion
   Subject: RE: Open Relay Help
   
   
   You're still an open relay. Did you restart the IMS after 
 making the
   changes described in the article?
   
   Describe your settings on this tab as well in detail:
   http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
   
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
   Posted At: Thursday, May 29, 2003 9:06 AM
   Posted To: swynk
   Conversation: Open Relay Help
   Subject: Open Relay Help
   
   
   Apparently my mail server has been listed as an Open Relay at
   http://njabl.org/.
   
   I've followed the instructions listed in the following FAQ, 
  and still
   get listed

RE: Open Relay Help

2003-05-30 Thread Randal, Phil

On the subject of emails from , RFC2821 says your mailer must
accept them.  It neededn't do anything with them, though.

There's a surprisingly large number of misconfigured mailers
which bounce them, alas.

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: Paul Hutchings [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 15:58
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 If it's originator is  they're NDRs and the likes - they 
 can be safely
 deleted.
 
 You might want to keep an eye on http://www.openrbl.org to 
 make sure you
 don't creep onto more DNSBLs as people receive stuff that may 
 have been sent
 through your server and report it to Spamcop and the likes.
 
 Some lists you'll be able to get removed from, some you're 
 stuck on simply
 for being with QWest.
 
 regards,
 Paul
 --
 Paul Hutchings
 Network Administrator, MIRA Ltd.
 Tel: 024 7635 5378, Fax: 024 7635 8378
 mailto:[EMAIL PROTECTED]
 
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED]
  Sent: 29 May 2003 15:52
  To: Exchange Discussions
  Subject: RE: Open Relay Help
  
  
  I saw about 50 or so.  I'm still getting items in the queue 
  with a blank
  originator.  Is this to be expected?  What happens to these items?
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Paul Hutchings [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:46 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  Nope, rejects relay attempts using sam spade.
  
  If you've not already done so check your outbound queue - you 
  don't want to
  find there's 10,000 spams in there :-)
  
  regards,
  Paul
  --
  Paul Hutchings
  Network Administrator, MIRA Ltd.
  Tel: 024 7635 5378, Fax: 024 7635 8378
  mailto:[EMAIL PROTECTED]
  
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED]
   Sent: 29 May 2003 15:44
   To: Exchange Discussions
   Subject: RE: Open Relay Help
   
   
   I unchecked Hosts and clients connecting to these internal 
   addresses and
   restarted the IMS.  Still relaying?
   
   Skip Taylor, MCSE
   Network Administrator
   Jordan, Jones, and Goulding
   
   
   -Original Message-
   From: Paul Hutchings [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 29, 2003 10:42 AM
   To: Exchange Discussion
   Subject: RE: Open Relay Help
   
   
   I think the Hosts and clients connecting to these internal 
   addresses is
   your problem - you don't need it ticked (or I should say it 
   isn't ticked
   here and doesn't affect inbound email).
   
   regards,
   Paul
   --
   Paul Hutchings
   Network Administrator, MIRA Ltd.
   Tel: 024 7635 5378, Fax: 024 7635 8378
   mailto:[EMAIL PROTECTED]
   
-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED]
Sent: 29 May 2003 15:35
To: Exchange Discussions
Subject: RE: Open Relay Help


On the Routing tab Reroute incoming SMTP mail (required for 
POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and 
   Route to: is
inbound

The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and 
populated with 3
internal addresses for Canon Image Runner copiers that can 
   send email.
Hosts and clients connecting to these internal addresses is 
checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail 
 is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you 
try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after 
  making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted

RE: Open Relay Help

It looks like a bunch of Qwest IPs are on blacklists because of Qwests
alleged unwillinglness to terminate spammers using their network - I don't
really know the specifics, but I suspect if you go to
http://groups.google.com/groups?hl=enlr=ie=UTF-8oe=UTF-8q=qwest+group%3A
news.admin.net-abuse.* you'll get an idea.

Main thing is get of any lists you're on because you were an open relay,
short of changing IPs or ISPs you can't do much about the others.

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

 -Original Message-
 From: Taylor, Skip [mailto:[EMAIL PROTECTED]
 Sent: 29 May 2003 16:04
 To: Exchange Discussions
 Subject: RE: Open Relay Help
 
 
 Thank you All for your help on this issue.
 
 btw what's the deal with Qwest?  We just switched to them 2 weeks ago.
 
 Skip Taylor, MCSE
 Network Administrator
 Jordan, Jones, and Goulding
 
 
 -Original Message-
 From: Paul Hutchings [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2003 10:58 AM
 To: Exchange Discussion
 Subject: RE: Open Relay Help
 
 
 If it's originator is  they're NDRs and the likes - they 
 can be safely
 deleted.
 
 You might want to keep an eye on http://www.openrbl.org to 
 make sure you
 don't creep onto more DNSBLs as people receive stuff that may 
 have been sent
 through your server and report it to Spamcop and the likes.
 
 Some lists you'll be able to get removed from, some you're 
 stuck on simply
 for being with QWest.
 
 regards,
 Paul
 --
 Paul Hutchings
 Network Administrator, MIRA Ltd.
 Tel: 024 7635 5378, Fax: 024 7635 8378
 mailto:[EMAIL PROTECTED]
 
  -Original Message-
  From: Taylor, Skip [mailto:[EMAIL PROTECTED]
  Sent: 29 May 2003 15:52
  To: Exchange Discussions
  Subject: RE: Open Relay Help
  
  
  I saw about 50 or so.  I'm still getting items in the queue 
  with a blank
  originator.  Is this to be expected?  What happens to these items?
  
  Skip Taylor, MCSE
  Network Administrator
  Jordan, Jones, and Goulding
  
  
  -Original Message-
  From: Paul Hutchings [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 29, 2003 10:46 AM
  To: Exchange Discussion
  Subject: RE: Open Relay Help
  
  
  Nope, rejects relay attempts using sam spade.
  
  If you've not already done so check your outbound queue - you 
  don't want to
  find there's 10,000 spams in there :-)
  
  regards,
  Paul
  --
  Paul Hutchings
  Network Administrator, MIRA Ltd.
  Tel: 024 7635 5378, Fax: 024 7635 8378
  mailto:[EMAIL PROTECTED]
  
   -Original Message-
   From: Taylor, Skip [mailto:[EMAIL PROTECTED]
   Sent: 29 May 2003 15:44
   To: Exchange Discussions
   Subject: RE: Open Relay Help
   
   
   I unchecked Hosts and clients connecting to these internal 
   addresses and
   restarted the IMS.  Still relaying?
   
   Skip Taylor, MCSE
   Network Administrator
   Jordan, Jones, and Goulding
   
   
   -Original Message-
   From: Paul Hutchings [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 29, 2003 10:42 AM
   To: Exchange Discussion
   Subject: RE: Open Relay Help
   
   
   I think the Hosts and clients connecting to these internal 
   addresses is
   your problem - you don't need it ticked (or I should say it 
   isn't ticked
   here and doesn't affect inbound email).
   
   regards,
   Paul
   --
   Paul Hutchings
   Network Administrator, MIRA Ltd.
   Tel: 024 7635 5378, Fax: 024 7635 8378
   mailto:[EMAIL PROTECTED]
   
-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED]
Sent: 29 May 2003 15:35
To: Exchange Discussions
Subject: RE: Open Relay Help


On the Routing tab Reroute incoming SMTP mail (required for 
POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and 
   Route to: is
inbound

The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and 
populated with 3
internal addresses for Canon Image Runner copiers that can 
   send email.
Hosts and clients connecting to these internal addresses is 
checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail 
 is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you 
try

RE: Open Relay Help