Exch 5.5 sp4
In a scenario where an end user's password has been compromised and is being
used to drop spam crap on the Internet Mail Service, what logging options
can be used to identify the account that is authenticating? Also, is there a
way to tie a message ID to a specific authenticated user?
In that particular event (app log?) is there anything else in the
description that I can search against to find it quickly? Like sending
domain, IP, message ID, etc.?
e-
-Original Message-
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 9:12 AM
To: Exchange
For the record, those are event 2010
-Original Message-
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 9:12 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?
IMS Diagnostics Logging / SMTP Protocol Logging / Medium
You'll need to look for the
I looked in the log dir and I only have a route.log and a route.old; neither
contains any IP or sender data related to this, and the 2010 events don't
correspond with the loads of garbage NDRs I am seeing either.
Could these logs be in another folder?
e-
-Original Message-
From: Webb, Andy
Well, I'm totally lost, I think. I found a tracking.log folder in the root of
exchsrvr. So, for example, in my IMS queues (which are relay secure) I have an
NDR of spam, for destination in-f01.net, and in the tracking log I see..
c=us;a= ;p=arup;l=POSTOFFICE020312221600190859 10182003.12.23 14:50:24
Ouch
However, the time stamps should coincide, yes? And if it's one or a few users
that have been compromised, the garbage is at fairly regular intervals; I would think
it would show up.
What about this base64 thing? I can't seem to find this encoded base64 auth
string to plug into that website.
OK, I think I found a problem. The 250 AUTH in the middle:
12/23/2003 12:42:33 PM : A connection to 81.21.68.106 was established.
12/23/2003 12:42:59 PM : 220 www.redmode.com ESMTP
12/23/2003 12:42:59 PM : EHLO postoffice02.aruplab.com
12/23/2003 12:42:59 PM : 250-www.redmode.com
250-AUTH
I didn't take it as a slam :) I'll read those RFCs.
So those AUTHs should be there because they are NDRs. Now I just need to
find the entries for the real messages that are causing the NDRs and find
out what user they are using. In the meantime I am going to cut my
timeouts down to nothing.
Yes, but for every single IP I block, 10 more show up. It has more of the feel
of a hole or a compromised password, especially when I come in in the AM and there are
24,000 NDRs in the queue.
Just to clarify, are the logs you are talking about from a few emails ago in
fact the logs from the imcdata/log folder, yes?
Funny turn of events: I was running down remote users and verifying strong
passwords when the manager of sales comes in and someone had text messaged his
phone with his domain password.
Interesting.
-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Sent: Monday, December 22,
Would be a nice feature in 5.5 if I could turn off NDRs to the internet or
for specific users.
-Original Message-
From: B. van Ouwerkerk [mailto:[EMAIL PROTECTED]
Sent: Monday, December 22, 2003 12:22 AM
To: Exchange Discussions
Subject: RE: TONS of NDR's
You don't have to read Slashdot
Exch5.5 sp4 on win2k sp4
I have no idea where they are all coming from. Every morning I come in and
the queue is stacked with 24,000+ NDR messages; they look like spam, but
abuse.net, SpamCop, openrbl, and ORDB all say I am relay free, IT policy
forces strong passwords, and guest is disabled. I'm
We are very happy with CommVault Galaxy, but you're not looking at that.
-Original Message-
From: Tigue Williams [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 11:42 AM
To: Exchange Discussions
Subject: Best backup software for Exchange
We are looking at Networker and
I feel sorry for those people; we had direct attach on every server,
somewhere around 60 servers. The cost analysis showed our SAN paying for
itself in 4 years, and when we pulled our Exchange DBs, SQL, and Oracle DBs
off DA RAID5 sets and onto the SAN we saw no less than a 400% I/O increase.
Our
IBM 2105 Shark here, Exchange 5.5 DB on the SAN. Works great, I love my
SAN. Best thing we have bought in a LONG time.
-Original Message-
From: Jason Rader [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 12:33 PM
To: Exchange Discussions
Subject: RE: Exchange on a SAN
Hi
exch 5.5 w/sp4
I'm trying to create a new folder under every user's mailbox in my site and
I'm having problems finding an easy way to do this. Could anyone point me
in the right direction?
Thanks
e-
Nope, checked it when I saw the supposed "bug discovered" email. Guest
disabled.
-Original Message-
From: Toby Considine (UNC Chapel Hill)
[mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 9:30 AM
To: Exchange Discussions
Subject: RE: unexplained failure of relay restriction
Do
exch 5.5 w/sp4
First let me say I am sorry, because I keep coming back and asking this. I
MUST be missing something or am just plain stupid; time to quit and go flip
burgers. We have a mail server that is a 5.5 SMTP bridgehead (12.10.133.30),
and in routing restrictions we have hosts and clients
Here are 5, 6 and 7. They seem the same to me. Sorry I got the numbering wrong.
I'm sure this is a lack of understanding on my part; my IMS queues are seeing
thousands of NDRs.
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
250 OK - Reset
MAIL FROM:
250 OK - mail from
RCPT TO:
OK, that makes sense; sorry, I've been pulling my hair out.
But this leads me to another question: the email doesn't deliver to the
external source, which is good, but it still hits my server and gets into
the queues. This morning I came in and there were 26,000 NDRs waiting in the
queue. Which
Nope, sitting in the Exchange 5.5 IMS queue.
-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 8:05 AM
To: Exchange Discussions
Subject: RE: lost in relay problem
In the Bad Mail queue?
From: [EMAIL PROTECTED]
Reply-To: Exchange Discussions
Sorry, more info: NDRs, LOTS of them, sitting in the OUT queue on the Exchange
5.5 SMTP server, all with "host unreachable".
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 8:12 AM
To: Exchange Discussions
Subject: RE: lost in relay problem
I assume they are failing, or at least getting dumped onto my server, because my
queues are piling up with loads of NDRs.
-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 17, 2003 11:01 PM
To: Exchange Discussions
Subject: RE: fail test 5, 7, 9
In looking, I had multi-matches NDRs marked to go out; I have since removed
that. I assume that's good?? I was also eavesdropping on an Exchange
discussion going on at securityfocus.com about the guest account thing, and
someone mentioned they blank email random character names to a single domain
I seem to be failing relay testing on 5, 7, and 9. Is there a way NOT to
fail these tests in an Exchange 5.5 environment? My queues are seeing a lot of
garbage that I don't think is getting out; I'm all over Google trying to get
a better idea of what these tests mean.
e-
Exch 5.5 sp4 on win2k sp4
So, to my surprise, I get an email notifying me that my domain is on a
blacklist; what a great way to start a Monday. So I relay test my email
server via abuse.net and I fail all the tests! Then I reboot the server and
once again all is well. I test it again and now my