RE: Open Relay/Spamcop
But can't the same thing be said for frequent forced changes to passwords? Perhaps even more so?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randal, Phil
Sent: Friday, December 19, 2003 2:14 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

strong passwords = post-it(tm) notes on monitors = weak passwords ;-)

Merry Christmas everyone,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: Open Relay/Spamcop
And what?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 9:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

And...

Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
RE: Open Relay/Spamcop
strong passwords = post-it(tm) notes on monitors = weak passwords ;-)

Merry Christmas everyone,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley [MVP]
Sent: 18 December 2003 21:32
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Strong passwords mean much more than forced changes.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!
Re: Open Relay/Spamcop
The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does. Any ideas or comments

http://www.sbsfaq.com/ click on http://www.sbsfaq.com/news/getArticle.asp?MessageID=1A447390AA6611CD9BC800AA002FC45A0900E049B559A334DD479C5D360FB473600B00018718F401C41B681A9640A459B27C5FF7E684B1E57203path=News/Mail Relaying - new ways they are getting through your security

I think this might apply to versions other than SBS too. You're sure they don't run a proxy server of any kind? Or any other service that is capable of sending mail?

B.
RE: Open Relay/Spamcop
Try checking with http://www.abuse.net/relay.html

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bridges, Samantha
Sent: 18 December 2003 15:59
To: Exchange Discussions
Subject: Open Relay/Spamcop

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.

When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?

I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.

Any ideas or comments

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
[EMAIL PROTECTED]
http://www.misd.net

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
I concur with greg ... our server had those settings and we were being used as a relay ... turned off "Allow all computers which successfully authenticate to relay, regardless of the list above." and that stopped it ...

Mike

-----Original Message-----
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop

This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies:

1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication.
2. And, "Allow all computers which successfully authenticate to relay, regardless of the list above." is checked. SMTP Virtual Server properties, Access page, Relay.
RE: Open Relay/Spamcop
Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack.

I concur with greg ... our server had those settings and we were being used as a relay ... turned off "Allow all computers which successfully authenticate to relay, regardless of the list above." and that stopped it ...

Mike
RE: Open Relay/Spamcop
I'm gonna comment on this one again. This type of vulnerability should only be an issue if your Guest account is enabled. You HAVE to leave anonymous access on if you want other mail systems to communicate with you. If you have POP3 and/or IMAP clients, you must leave the box checked to allow all computers which successfully relay. I have never seen a case where the server truly was an open relay with these settings. If your configuration was like this, then likely what happened is one of your accounts was compromised. Exchange WILL NOT relay with those settings unless you successfully authenticate, such as you do when you specify that the outgoing smtp server requires authentication. Also, if this is the case, it is NOT a case where you were an open relay, it is a case where an account was compromised and allowed to relay off the server.

Configuring user accounts with strong passwords, and configuring them to lock out after x number of unsuccessful logins should mitigate any risk of SMTP Auth attacks, aside from a user revealing their password.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED]
Posted At: Thursday, December 18, 2003 11:23 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

I concur with greg ... our server had those settings and we were being used as a relay ... turned off "Allow all computers which successfully authenticate to relay, regardless of the list above." and that stopped it ...

Mike
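The distinction argued in the message above (a server that relays for anyone versus one that relays only after a successful SMTP AUTH on a compromised or Guest account) can be read off the SMTP dialogue itself. The following is an added example, not part of the original thread and not code from any poster; the transcripts, the example.* names and LOCAL_DOMAINS are constructed assumptions.

```python
import base64
import re

# Assumption: domains this server receives mail for; other recipients are relayed.
LOCAL_DOMAINS = {"example.org"}
RCPT_RE = re.compile(r"RCPT TO:\s*<[^>@]*@([^>]+)>", re.IGNORECASE)
REPLY_RE = re.compile(r"(\d{3})([ -]|$)")
VERDICTS = (("anonymous", "open-relay"),
            ("authenticated", "authenticated-relay"),
            ("refused", "relay-denied"))


def b64(text):
    return base64.b64encode(text.encode()).decode()


def decode_user(token):
    try:
        return base64.b64decode(token).decode(errors="replace")
    except ValueError:      # malformed base64 in the AUTH exchange
        return None


def classify_session(transcript, local_domains=LOCAL_DOMAINS):
    """Walk one SMTP dialogue ("C: " / "S: " lines) and report how it relayed."""
    authenticated, account = False, None
    auth_step = None   # None outside AUTH, else number of client lines seen
    candidate = None   # user name offered in the current AUTH LOGIN exchange
    pending = None     # external domain of the RCPT that awaits its reply
    hits = {"anonymous": [], "authenticated": [], "refused": []}

    for line in transcript.strip().splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C":
            if auth_step is not None:
                # AUTH LOGIN: the first client line is the user name; the
                # second is the password, which is skipped and never decoded.
                if auth_step == 0:
                    candidate = decode_user(text)
                auth_step += 1
            elif text.upper().startswith("AUTH "):
                parts = text.split()
                bare_login = parts[1].upper() == "LOGIN" and len(parts) == 2
                candidate = None
                auth_step = 0 if bare_login else 1
            else:
                m = RCPT_RE.match(text)
                domain = m.group(1).lower() if m else None
                pending = domain if domain and domain not in local_domains else None
        elif side == "S":
            m = REPLY_RE.match(text)
            if not m or m.group(2) == "-":
                continue   # not a reply line, or a multi-line continuation
            code = m.group(1)
            if auth_step is not None:
                if code == "235":
                    authenticated, account = True, candidate
                if code != "334":   # 334 is a challenge: the exchange continues
                    auth_step = None
            elif pending is not None:
                # A 2xx reply only shows the recipient was accepted; later
                # delivery is not visible in the dialogue.
                accepted = "authenticated" if authenticated else "anonymous"
                hits[accepted if code.startswith("2") else "refused"].append(pending)
                pending = None

    verdict = next((v for k, v in VERDICTS if hits[k]), "no-relay-attempt")
    return {"verdict": verdict, "account": account, **hits}


# Constructed dialogues (not captured traffic); example.* names are placeholders.
HELLO = """S: 220 mail.example.org ESMTP
C: EHLO client.example.net
S: 250-mail.example.org
S: 250 AUTH LOGIN
"""
LOGIN = f"""C: AUTH LOGIN
S: 334 {b64("Username:")}
C: {b64("guest")}
S: 334 {b64("Password:")}
C: {b64("constructed-password")}
S: 235 2.7.0 Authentication successful
"""
MAIL = "C: MAIL FROM:<sender@example.net>\nS: 250 2.1.0 Sender OK\n"
RCPT = "C: RCPT TO:<user@example.com>\nS: "
DENIED = HELLO + MAIL + RCPT + "550 5.7.1 Unable to relay\n"
OPEN = HELLO + MAIL + RCPT + "250 2.1.5 Recipient OK\n"
AUTHED = HELLO + LOGIN + MAIL + RCPT + "250 2.1.5 Recipient OK\n"

if __name__ == "__main__":
    for name, log in (("DENIED", DENIED), ("OPEN", OPEN), ("AUTHED", AUTHED)):
        print(name, classify_session(log))
```

An authenticated-relay verdict names the account that was used, which is the one to disable or give a new password.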
RE: Open Relay/Spamcop
I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack.
RE: Open Relay/Spamcop
However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Ben Winzenz
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418
RE: Open Relay/Spamcop
I agree with Ben. My Exchange 2000 box at my last company was set up to allow relaying after successful authentication because I had POP3 clients at other offices that had no other SMTP gateway. Disabling the Guest account and forcing the users to change passwords every 30 days kept our risk at a minimum. We got tagged as a relay once, but forcing user password changes on the spot fixed the problem. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 10:48 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on.
SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does. Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
What do you get when you telnet into the server and try to send mail to a bogus address? Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does. Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
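The telnet check asked about in the message above, read mechanically (an added example, not part of the original thread): this Python code takes a captured SMTP session and reports whether a non-local RCPT TO was refused, accepted without authentication (an open relay), or accepted only after AUTH succeeded, which is the distinction the thread argues over. The transcripts, the example.org/example.com domains and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

REPLY_RE = re.compile(r"^(\d{3})([ -]?)(.*)$")
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<?[^@>\s]*@([^>\s]+)>?", re.IGNORECASE)

# Constructed sessions: "C:" is what the tester typed, "S:" is the server.
HEAD = """S: 220 mail.example.org ESMTP
C: EHLO probe.example.net
S: 250-mail.example.org Hello
S: 250-AUTH LOGIN
S: 250 OK
"""
MAIL = """C: MAIL FROM:<tester@example.net>
S: 250 2.1.0 tester@example.net....Sender OK
C: RCPT TO:<nobody@example.com>
"""
AUTH = """C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: <base64 username>
S: 334 UGFzc3dvcmQ6
C: <base64 password>
S: 235 2.7.0 Authentication successful
"""
QUIT = "C: QUIT\nS: 221 2.0.0 closing\n"

DENIED = HEAD + MAIL + "S: 550 5.7.1 Unable to relay for nobody@example.com\n" + QUIT
OPEN = HEAD + MAIL + "S: 250 2.1.5 nobody@example.com\n" + QUIT
AUTHED = HEAD + AUTH + MAIL + "S: 250 2.1.5 nobody@example.com\n" + QUIT


@dataclass
class Finding:
    recipient_domain: str
    code: int
    authenticated: bool
    verdict: str


def parse_exchanges(transcript):
    """Pair each client command with the final line of the server's reply.

    Continuation lines ("250-...") are skipped so a multi-line EHLO answer
    counts as one reply. The greeting has no command and is paired with None.
    """
    exchanges, command = [], None
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            command = text
        elif side == "S":
            m = REPLY_RE.match(text)
            if m and m.group(2) != "-":
                exchanges.append((command, int(m.group(1)), m.group(3)))
                command = None
    return exchanges


def classify(transcript, local_domains):
    """Return one Finding per RCPT TO that names a non-local domain."""
    authenticated = False
    findings = []
    for command, code, _text in parse_exchanges(transcript):
        if code == 235:                      # AUTH completed successfully
            authenticated = True
            continue
        m = RCPT_RE.match(command or "")
        if not m:
            continue
        domain = m.group(1).lower()
        if domain in local_domains:
            continue                         # inbound mail, not relaying
        if 200 <= code < 300:
            verdict = "authenticated relay" if authenticated else "open relay"
        elif 500 <= code < 600:
            verdict = "relay denied"         # e.g. 550 5.7.1 Unable to relay
        else:
            verdict = "inconclusive"         # 4xx: temporary failure, retest
        findings.append(Finding(domain, code, authenticated, verdict))
    return findings


if __name__ == "__main__":
    for name, session in (("DENIED", DENIED), ("OPEN", OPEN), ("AUTHED", AUTHED)):
        for f in classify(session, {"example.org"}):
            print(name, f.recipient_domain, f.code, f.verdict)
```

An "authenticated relay" verdict is the server's default behaviour as described in the thread, so the follow-up is to review which account authenticated rather than the relay settings.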
RE: Open Relay/Spamcop
This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised. However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ben Winzenz Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ...
Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.
Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler Sent: Thursday, December 18, 2003 12:11 PM To: Exchange Discussions Subject: RE: Open Relay/Spamcop This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised. However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ben Winzenz Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled.
I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?
I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does. Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use,
RE: Open Relay/Spamcop
I seem to recall that there was a bug (fixed in sp3 maybe?) where if an SMTP packet had a forged source address of 127.0.0.1, SMTP would relay it regardless of relay settings. I may be misremembering the details. Also, no even half-way correctly firewall would let this type of packet in. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Thursday, December 18, 2003 11:51 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ben Winzenz Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... 
Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.
Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
But that is my point. I know Exchange relays for authenticated users by default. It is turned on to allow POP3/SMTP and IMAP accounts the ability to send using your Exchange server as the outgoing server. However, it won't relay for a spammer UNLESS an account has been compromised, at which point someone has in essence hacked your system. If you set up your environment correctly, the ONLY way an account will get compromised is if someone leaks their password. Dictionary attacks won't work because the account will get locked out after 3 attempts, and it is awfully hard to dictionary guess a complex password in 3 tries :-) Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ken Cornetet [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 12:18 PM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler Sent: Thursday, December 18, 2003 12:11 PM To: Exchange Discussions Subject: RE: Open Relay/Spamcop This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised. However, I would welcome any information that proves me otherwise. i.e. 
configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ben Winzenz Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked.
SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We
RE: Open Relay/Spamcop
Please post if you recall the article. I'll dig around and see if I can find it. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ken Cornetet [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 12:23 PM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I seem to recall that there was a bug (fixed in sp3 maybe?) where if an SMTP packet had a forged source address of 127.0.0.1, SMTP would relay it regardless of relay settings. I may be misremembering the details. Also, no even half-way correctly firewall would let this type of packet in. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Thursday, December 18, 2003 11:51 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ben Winzenz Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. 
People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.
Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
One of the reasons I like SpamCop (and actually use it myself) is because you can look up the actual reason a box is on the list: http://www.spamcop.net/bl.shtml Put the IP address in and it will show an example of exactly why they're listed. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Bridges, Samantha [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 10:59 AM To: Exchange Discussions Subject: Open Relay/Spamcop Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server. When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay? I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft. We have Stopped/Started Services for SMTP The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does. Any ideas or comments Samantha Bridges Communications Technician Macomb Intermediate School District 44001 Garfield Road Clinton Township MI 48038-1100 (586) 228-3300 [EMAIL PROTECTED] http://www.misd.net CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchanget ext_mode=lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: Open Relay/Spamcop
Looking at http://openrbl.org/#dodgy ip address is also very revealing.

Cheers,
Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
Sent: 18 December 2003 17:50
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

One of the reasons I like SpamCop (and actually use it myself) is because you can look up the actual reason a box is on the list: http://www.spamcop.net/bl.shtml

Put the IP address in and it will show an example of exactly why they're listed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Bridges, Samantha [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:59 AM
To: Exchange Discussions
Subject: Open Relay/Spamcop

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.

When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?

I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.

Any ideas or comments

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
[EMAIL PROTECTED]
http://www.misd.net

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
But the point is that if you're listed on Spamcop, they'll tell you EXACTLY why. None of the other RBL's I've seen do that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Randal, Phil [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 12:52 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Looking at http://openrbl.org/#dodgy ip address is also very revealing.

Cheers,
Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
Sent: 18 December 2003 17:50
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

One of the reasons I like SpamCop (and actually use it myself) is because you can look up the actual reason a box is on the list: http://www.spamcop.net/bl.shtml

Put the IP address in and it will show an example of exactly why they're listed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Bridges, Samantha [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:59 AM
To: Exchange Discussions
Subject: Open Relay/Spamcop

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.

When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?

I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.

Any ideas or comments

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
[EMAIL PROTECTED]
http://www.misd.net

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
Uhm A ham sandwich? Maybe a limp fish?

-Original Message-
From: Candee Vaglica [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:59 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

What do you get when you telnet into the server and try to send mail to a bogus address?

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.

When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?

I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.

Any ideas or comments

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
[EMAIL PROTECTED]
http://www.misd.net

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
It is possible that a user account was compromised ... but here is the scenario I had and what worked to fix it ...

Setup: Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user group (noted through ips in the relay tab ...) ; guest account disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. was checked ...

Issue: My queues were huge; relaying may not have been going on (I did have a couple of external complaints that I was allowing relaying; but never made it on a list --- whew), but we were accepting the mail and then processing it internally; it was becoming a performance issue this internal processing is alluded to at http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then we were getting our own NDR's back ... etc ..

Solution: Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. ... all the relaying (or attempt at it stopped)

Comment: BTW, for external servers to communicate with you, it is the SMTP Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab that must be checked

P.S.: I tell users they can still pop their mail from outside our closed user group; but they must use their ISP's SMTP relay for sending mail or use OWA ...

Mike

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised.

However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-Original Message-
From: Ben Winzenz
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack.

I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ...

Mike

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop

This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies:

1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication.
2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay.

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have
RE: Open Relay/Spamcop
I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc. because we all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this for no other reason than to at least modify the wording on the check boxes. I mean Anonymous Authentication allowed and Allow computers which successfully authenticate... on the surface seems to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow, not allow relaying by anonymous authentication. Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda.

I guess my point is that it is OBVIOUSLY an issue specifically in a lot of small 1-50 person shops that use a single Exchange server for everything. This is where I have come in and seen it as a problem. These are exactly the people that don't generally have qualified IT help, thus because the default configuration seems to allow this kind of relaying issue it is a feature of the product that is adding to the overall spam problem on the Internet.

Maybe the MVP gods and Microsoft care, maybe not, but I want to be absolutely clear that I do not care one iota, because if I did everyone would just tell me how stupid and ignorant and a wife beater I am. So, I don't care and please do not mistakenly believe that I care. God help us all if an MVP reads this, thinks I care and starts another massive thread of pointless arguing.

It is possible that a user account was compromised ... but here is the scenario I had and what worked to fix it ...

Setup: Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user group (noted through ips in the relay tab ...) ; guest account disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. was checked ...

Issue: My queues were huge; relaying may not have been going on (I did have a couple of external complaints that I was allowing relaying; but never made it on a list --- whew), but we were accepting the mail and then processing it internally; it was becoming a performance issue this internal processing is alluded to at http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then we were getting our own NDR's back ... etc ..

Solution: Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. ... all the relaying (or attempt at it stopped)

Comment: BTW, for external servers to communicate with you, it is the SMTP Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab that must be checked

P.S.: I tell users they can still pop their mail from outside our closed user group; but they must use their ISP's SMTP relay for sending mail or use OWA ...

Mike

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised.

However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418
RE: Open Relay/Spamcop
Me thinks thou dost protest too much!!! :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Posted At: Thursday, December 18, 2003 1:19 PM
Posted To: Exchange Discussion
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc. because we all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this for no other reason than to at least modify the wording on the check boxes. I mean Anonymous Authentication allowed and Allow computers which successfully authenticate... on the surface seems to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow, not allow relaying by anonymous authentication. Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda.

I guess my point is that it is OBVIOUSLY an issue specifically in a lot of small 1-50 person shops that use a single Exchange server for everything. This is where I have come in and seen it as a problem. These are exactly the people that don't generally have qualified IT help, thus because the default configuration seems to allow this kind of relaying issue it is a feature of the product that is adding to the overall spam problem on the Internet.

Maybe the MVP gods and Microsoft care, maybe not, but I want to be absolutely clear that I do not care one iota, because if I did everyone would just tell me how stupid and ignorant and a wife beater I am. So, I don't care and please do not mistakenly believe that I care. God help us all if an MVP reads this, thinks I care and starts another massive thread of pointless arguing.

It is possible that a user account was compromised ... but here is the scenario I had and what worked to fix it ...

Setup: Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user group (noted through ips in the relay tab ...) ; guest account disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. was checked ...

Issue: My queues were huge; relaying may not have been going on (I did have a couple of external complaints that I was allowing relaying; but never made it on a list --- whew), but we were accepting the mail and then processing it internally; it was becoming a performance issue this internal processing is alluded to at http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then we were getting our own NDR's back ... etc ..

Solution: Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. ... all the relaying (or attempt at it stopped)

Comment: BTW, for external servers to communicate with you, it is the SMTP Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab that must be checked

P.S.: I tell users they can still pop their mail from outside our closed user group; but they must use their ISP's SMTP relay for sending mail or use OWA ...

Mike

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised.

However, I would welcome any information that proves me otherwise. i.e. configure
RE: Open Relay/Spamcop
That probably was the case because someone guessed a username/password combination and they were able to successfully authenticate and relay mail.

Sincerely,
Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:23 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ...

Mike

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop

This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies:

1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication.
2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay.

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.

When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?

I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.

Any ideas or comments

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
[EMAIL PROTECTED]
http://www.misd.net

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
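Several replies in this thread attribute the relaying to an account whose password was guessed rather than to anonymous relay. The Python below is an added example, not code from any poster, that separates the two cases in SMTP logs and also flags the failed-logon pattern that precedes a guessed password; the log layout, the local domain example.org, the trusted range 10.0.0.0/8 and the threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (none of these values come from the thread).
LOCAL_DOMAINS = {"example.org"}                      # domains the server accepts mail for
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # the IP list on the Relay tab
GUESS_THRESHOLD = 3                                  # distinct accounts failing AUTH per IP

# Constructed sample in a simplified layout (not the real IIS/Exchange format):
# date time client-ip session-id verb argument smtp-status
SAMPLE_LOG = """\
2003-12-18 11:00:01 10.1.2.3 S1 AUTH alice 235
2003-12-18 11:00:02 10.1.2.3 S1 RCPT bob@example.net 250
2003-12-18 11:01:10 198.51.100.7 S2 RCPT carol@example.org 250
2003-12-18 11:01:30 198.51.100.7 S3 RCPT victim@example.com 550
2003-12-18 11:02:00 203.0.113.45 S4 AUTH administrator 535
2003-12-18 11:02:01 203.0.113.45 S5 AUTH backup 535
2003-12-18 11:02:02 203.0.113.45 S6 AUTH guest 535
2003-12-18 11:02:03 203.0.113.45 S7 AUTH webmaster 235
2003-12-18 11:02:04 203.0.113.45 S7 RCPT a@example.net 250
2003-12-18 11:02:05 203.0.113.45 S7 RCPT b@example.com 250
"""


def is_trusted(ip):
    """True when the client address is inside the allowed relay list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[6].isdigit():
            continue
        _date, _time, ip, session, verb, arg, status = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield {"ip": ip, "session": session, "verb": verb.upper(),
               "arg": arg, "status": int(status)}


def analyze(log_text):
    """Classify accepted external recipients by how the session was allowed."""
    session_user = {}                  # (ip, session) -> account that passed AUTH
    failed = defaultdict(set)          # ip -> accounts that failed AUTH (535)
    auth_relay = defaultdict(lambda: {"ips": set(), "recipients": 0})
    anon_relay = []                    # (ip, recipient) accepted with no AUTH

    for ev in parse(log_text):
        key = (ev["ip"], ev["session"])
        if ev["verb"] == "AUTH":
            if ev["status"] == 235:    # authentication succeeded
                session_user[key] = ev["arg"].lower()
            elif ev["status"] == 535:  # authentication failed
                failed[ev["ip"]].add(ev["arg"].lower())
        elif ev["verb"] == "RCPT" and ev["status"] == 250:
            domain = ev["arg"].rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS or is_trusted(ev["ip"]):
                continue               # inbound delivery, or relay from the IP list
            user = session_user.get(key)
            if user:                   # relay permitted because the session authenticated
                auth_relay[user]["ips"].add(ev["ip"])
                auth_relay[user]["recipients"] += 1
            else:                      # relay permitted with no credentials at all
                anon_relay.append((ev["ip"], ev["arg"]))

    return {
        "authenticated_relay": {
            user: {"ips": sorted(v["ips"]), "recipients": v["recipients"]}
            for user, v in auth_relay.items()
        },
        "anonymous_relay": anon_relay,
        "password_guessing": {
            ip: sorted(users) for ip, users in failed.items()
            if len(users) >= GUESS_THRESHOLD
        },
    }


if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_LOG).items():
        print(finding, detail)
```

An account listed under `authenticated_relay` is the compromised-password case the replies describe, while any entry under `anonymous_relay` would mean the server relays without credentials.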
RE: Open Relay/Spamcop
Usually something simple like a Webmaster account with password password is a target of spammers.

Sincerely,
Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:49 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I agree with Ben. My Exchange 2000 box at my last company was set up to allow relaying after successful authentication because I had POP3 clients at other offices that had no other SMTP gateway. Disabling the Guest account and forcing the users to change passwords every 30 days kept our risk at a minimum. We got tagged as a relay once, but forcing user password changes on the spot fixed the problem.

Eric Fretz
L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel: 972.772.7501
fax: 972.772.7510

-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack.

I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ...

Mike

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop

This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies:

1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication.
2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay.

Hello All and Happy Holidays!

I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.

When I try to send a message using Outlook, I get a return message that 550 5.7.1 Unable to relay. I am relieved that it could not relay. That is good, however, why then is spamcop still reporting it to be open relay?

I have checked (over the phone) all his Virtual SMTP Server settings to verify correct configuration. Everything seems to be checked or unchecked as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the possibility of this. I have been out on the spamcop site and for the life of me cannot find a way to make them check the server again to see if it is closed relay like ORDB does.

Any ideas or comments

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
[EMAIL PROTECTED]
http://www.misd.net

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: Open Relay/Spamcop
Well, I'm certainly glad we aren't resorting to any of them thar unprofessional personal attacks. That would be just terrible. Jim H -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 2:19 PM To: Exchange Discussions Subject: RE: Open Relay/Spamcop I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc. because we all know that storm that would cause. But, that being said, I would like to implore to the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this for no other reason than to at least modify the wording on the check boxes. I mean Anonymous Authentication allowed and Allow computers which successfully authenticate... on the surface seems to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow, not allow relaying by anonymous authentication. Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY an issue specifically in a lot of small 1-50 person shops that use a single Exchange server for everything. This is where I have come in and seen it as a problem. There are exactly the people that don't generally have qualified IT help, thus because the default configuration seems to allow this kind of relaying issue it is a feature of the product that is adding to the overall spam problem on the Internet. 
Maybe the MVP gods and Microsoft care, maybe not, but I want to be absolutely clear that I do not care one iota, because if I did everyone would just tell me how stupid and ignorant and a wife beater I am. So, I don't care and please do not mistakenly believe that I care. God help us all if an MVP reads this, thinks I care and starts another massive thread of pointless arguing. It is possible that a user account was compromised ... but here is the scenario I had and what worked to fix it ... Setup: Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user group (noted through ips in the relay tab ...) ; guest account disabled; SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. was checked ... Issue: My queues were huge; relaying may not have been going on (I did have a couple of external complaints that I was allowing relaying; but never made it on a list --- whew), but we were accepting the mail and then processing it internally; it was becoming a performance issue this internal processing is alluded to at http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then we were getting our own NDR's back ... etc .. Solution: Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... Allow all computers which successfully authenticate to relay, regardless of the list above. ... all the relaying (or attempt at it stopped) Comment: BTW, for external servers to communicate with you, it is the SMTP Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab that must be checked P.S.: I tell users they can still pop their mail from outside our closed user group; but they must use their ISP's SMTP relay for sending mail or use OWA ...
Mike -Original Message- From: Ken Cornetet [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 12:18 PM To: Exchange Discussions Subject: RE: Open Relay/Spamcop Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler Sent: Thursday, December 18, 2003 12:11 PM To: Exchange Discussions Subject: RE: Open Relay/Spamcop This may very well be the case. I cannot say one way or another. When I have seen this, it has always been the case that I am there fixing something else and happen upon this problem, fix it and move on. I DO know that I have seen it on boxes where the Guest account is disabled, but that does not rule out the possibility that some other account was compromised. However, I would welcome any information that proves me otherwise. i.e
RE: Open Relay/Spamcop
I think Anonymous Access (not Anonymous Authentication Allowed) and Allow computers which successfully authenticate to relay settings belong in different contexts. One context is about *simply being able to connect to the SMTP virtual server*, the other context is about being able to relay. I think you are extrapolating too much. Somehow it never dawned on me to merge these two contexts. Maybe because I had seen similar setting in many other SMTP server packages before. Sincerely, Andrey Fyodorov, Exchange MVP Systems Engineer Messaging and Collaboration Spherion P.S. if you turn off Anonymous Access, expect to never receive any mail from the Internet. -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 2:19 PM To: Exchange Discussions Subject: RE: Open Relay/Spamcop I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc. because we all know that storm that would cause. But, that being said, I would like to implore to the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this for no other reason than to at least modify the wording on the check boxes. I mean Anonymous Authentication allowed and Allow computers which successfully authenticate... on the surface seems to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow, not allow relaying by anonymous authentication. Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda. 
RE: Open Relay/Spamcop
Not in this thread, anyway. The authentication hole exists when someone hacks a password. If you need to allow authentication, you should consider doing this with a virtual server that is not exposed to the Internet. If you do expose your SMTP to the Internet with authentication, you should, at a minimum, restrict the accounts that can use it, force the use of SSL, and enforce strong password policies. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler Sent: Thursday, December 18, 2003 8:37 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with Greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... Mike -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 11:17 AM To: Exchange Discussions Subject: Re: Open Relay/Spamcop This may or may not be the problem, but I have seen spammers able to relay off an Exchange server if the following configuration applies: 1. If Anonymous access is turned on. SMTP Virtual Server properties, Access page, Authentication. 2. And, Allow all computers which successfully authenticate to relay, regardless of the list above. is checked. SMTP Virtual Server properties, Access page, Relay. Hello All and Happy Holidays! I have a colleague whose Exchange 2000 server is being reported as Open Relay by spamcop for the past month. I have tested his relay by setting up a POP account in Outlook, putting the server that is being reported as Open relay as my Outgoing SMTP server.
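The cases argued over in this thread (anonymous relay refused with a 550, relay permitted by the IP list, and relay by an account that authenticated after repeated failed logons) can be told apart from SMTP session records. The following is an added example, not part of any poster's message or of Exchange itself; the event format, `LOCAL_DOMAINS`, `TRUSTED_NETS`, the threshold and every log line are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not taken from the thread):
LOCAL_DOMAINS = {"example.org"}                       # domains the server accepts mail for
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # stands in for the relay-tab IP list
FAILED_AUTH_THRESHOLD = 3                             # failed logons that suggest guessing

# Constructed events: timestamp, client IP, SMTP verb, argument, reply code.
SAMPLE_LOG = """\
2003-12-18T09:00:00 198.51.100.20 RCPT someone@elsewhere.test 550
2003-12-18T09:05:00 203.0.113.7 AUTH webmaster 535
2003-12-18T09:05:02 203.0.113.7 AUTH webmaster 535
2003-12-18T09:05:04 203.0.113.7 AUTH webmaster 535
2003-12-18T09:05:06 203.0.113.7 AUTH webmaster 235
2003-12-18T09:05:07 203.0.113.7 RCPT a@elsewhere.test 250
2003-12-18T09:05:08 203.0.113.7 RCPT b@another.test 250
2003-12-18T09:10:00 192.0.2.44 AUTH jsmith 235
2003-12-18T09:10:01 192.0.2.44 RCPT partner@elsewhere.test 250
2003-12-18T09:15:00 198.51.100.99 RCPT user@example.org 250
2003-12-18T09:20:00 10.1.2.3 RCPT vendor@elsewhere.test 250
"""


def is_trusted(ip):
    """True when the client address is inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def is_external(rcpt):
    """True when the recipient's domain is not one this server hosts."""
    return rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS


def verdict(ip, s):
    """Classify one client's behaviour from its accumulated counters."""
    if s["relayed"] == 0:
        # Nothing left the server: either a refused relay attempt or plain inbound mail.
        return "relay-refused" if s["denied"] else "no-relay"
    if is_trusted(ip):
        return "relay-by-ip-list"
    if s["user"] is None:
        # External recipient accepted with no logon from an untrusted address.
        return "OPEN-RELAY"
    if s["failed_auth"] >= FAILED_AUTH_THRESHOLD:
        # Logon succeeded only after several failures, then mail was relayed.
        return "auth-relay-after-guessing"
    return "auth-relay"


def analyse(log_text):
    """Return {client_ip: counters + verdict} for every client in the log."""
    state = defaultdict(
        lambda: {"user": None, "failed_auth": 0, "relayed": 0, "denied": 0}
    )
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _ts, ip, verb, arg, code = parts
        s = state[ip]
        if verb == "AUTH":
            if code == "235":
                s["user"] = arg
            else:
                s["failed_auth"] += 1
        elif verb == "RCPT" and is_external(arg):
            if code.startswith("2"):
                s["relayed"] += 1
            else:
                s["denied"] += 1
    return {ip: dict(s, verdict=verdict(ip, s)) for ip, s in state.items()}


if __name__ == "__main__":
    for ip, result in analyse(SAMPLE_LOG).items():
        print(ip, result)
```

An `auth-relay` verdict on its own is the legitimate remote-client case described in the thread; it is the combination with prior failures, or with unusual recipient volume, that warrants a password reset and review of the account.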
RE: Open Relay/Spamcop
Strong passwords mean much more than forced changes. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Thursday, December 18, 2003 8:49 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop I agree with Ben. My Exchange 2000 box at my last company was set up to allow relaying after successful authentication because I had POP3 clients at other offices that had no other SMTP gateway. Disabling the Guest account and forcing the users to change passwords every 30 days kept our risk at a minimum. We got tagged as a relay once, but forcing user password changes on the spot fixed the problem. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 10:48 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with Greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ...
RE: Open Relay/Spamcop
Weak passwords. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Thursday, December 18, 2003 8:51 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop However, I would welcome any information that proves me otherwise. i.e. configure these settings, with the guest account disabled, and prove that it actually will relay - not authenticated relay, that doesn't count. If it is authenticated relay, it is because a password was compromised. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Ben Winzenz Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop I still think you are smoking crack on this, Greg. I have never seen a properly configured Exchange 2000 server relay UNLESS a user account was compromised, or the guest account was enabled. I've tested it and tested again, and never found Exchange to relay with those settings. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 18, 2003 11:37 AM Posted To: Exchange (Swynk) Conversation: Open Relay/Spamcop Subject: RE: Open Relay/Spamcop Hey, thanks for the confirmation. People have told me that I am smoking crack and that the Exchange servers were horribly misconfigured. It's nice to know that I am not smoking crack. I concur with greg ... our server had those settings and we were being used as a relay ... turned off Allow all computers which successfully authenticate to relay, regardless of the list above. and that stopped it ... 
RE: Open Relay/Spamcop
Rest assured that this topic has been discussed by us vendor whores. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler Sent: Thursday, December 18, 2003 11:19 AM To: Exchange Discussions Subject: RE: Open Relay/Spamcop I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc. because we all know that storm that would cause. But, that being said, I would like to implore to the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this for no other reason than to at least modify the wording on the check boxes. I mean Anonymous Authentication allowed and Allow computers which successfully authenticate... on the surface seems to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow, not allow relaying by anonymous authentication. Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY an issue specifically in a lot of small 1-50 person shops that use a single Exchange server for everything. This is where I have come in and seen it as a problem. There are exactly the people that don't generally have qualified IT help, thus because the default configuration seems to allow this kind of relaying issue it is a feature of the product that is adding to the overall spam problem on the Internet. 
RE: Open Relay/Spamcop
talking dirty like that just gets me pumped up for the weekend ... yum ... thanks for all the input (all puns intended that relate to vendor whores)

Mike

-----Original Message-----
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 4:35 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc. because we all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this for no other reason than to at least modify the wording on the check boxes. I mean "Anonymous Authentication allowed" and "Allow computers which successfully authenticate..." on the surface seems to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow, not allow relaying by anonymous authentication.

Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY an issue specifically in a lot of small 1-50 person shops that use a single Exchange server for everything. This is where I have come in and seen it as a problem. These are exactly the people that don't generally have qualified IT help, thus because the default configuration seems to allow this kind of relaying issue it is a feature of the product that is adding to the overall spam problem on the Internet. Maybe the MVP gods and Microsoft care, maybe not, but I want to be absolutely clear that I do not care one iota, because if I did everyone would just tell me how stupid and ignorant and a wife beater I am. So, I don't care and please do not mistakenly believe that I care. God help us all if an MVP reads this, thinks I care and starts another massive thread of pointless arguing.

It is possible that a user account was compromised ... but here is the scenario I had and what worked to fix it ...

Setup: Win2K sp4; Exch 2k sp3; 5000 pop3/imap/mapi/http users on a closed user group (noted through ips in the relay tab ...); guest account disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all computers which successfully authenticate to relay, regardless of the list above." was checked ...

Issue: My queues were huge; relaying may not have been going on (I did have a couple of external complaints that I was allowing relaying; but never made it on a list --- whew), but we were accepting the mail and then processing it internally; it was becoming a performance issue; this internal processing is alluded to at http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then we were getting our own NDRs back ... etc ..

Solution: Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all computers which successfully authenticate to relay, regardless of the list above." ... all the relaying (or attempt at it) stopped

Comment: BTW, for external servers to communicate with you, it is the SMTP Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab that must be checked

P.S.: I tell users they can still pop their mail from outside our closed user group; but they must use their ISP's SMTP relay for sending mail or use OWA ...

Mike

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Exchange WILL relay for authenticated users (by default), and it doesn't have to be the guest account (though that is a common attack). Have you left your Administrator account named Administrator? Do you leak user IDs to the outside world? Web pages? Email addresses? IM aliases? Backups run under the user ID backup? Dictionary password attack. Spammers have lots of patience.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

This may very well be the case. I cannot say one way
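
How the settings argued over in this thread interact, as an added example that is not part of any poster's message and is not Exchange's own logic: a simplified Python model of the relay decision. It assumes the relay list is in "only the list below" mode; `VirtualServer`, `decide` and `compare` are hypothetical names, and the addresses and domains are constructed.

```python
# Simplified model of the relay decision; an illustration, not Exchange's code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class VirtualServer:
    local_domains: frozenset        # domains this server hosts mailboxes for
    relay_networks: tuple           # Access > Relay list ("only the list below" assumed)
    anonymous_access: bool = True   # Access > Authentication > Anonymous access
    auth_may_relay: bool = True     # "Allow all computers which successfully authenticate to relay..."

def decide(vs, client_ip, authenticated, rcpt):
    """Return 'deliver', 'relay' or 'reject' for one RCPT TO address."""
    if not authenticated and not vs.anonymous_access:
        return "reject"             # unauthenticated sessions are refused outright
    if rcpt.rsplit("@", 1)[-1].lower() in vs.local_domains:
        return "deliver"            # inbound mail for a local mailbox is not relaying
    ip = ip_address(client_ip)
    if any(ip in ip_network(net) for net in vs.relay_networks):
        return "relay"              # closed user group, granted by source address
    if authenticated and vs.auth_may_relay:
        return "relay"              # any valid credential, from any address
    return "reject"

# Constructed sample sessions: (label, client IP, authenticated?, recipient)
SESSIONS = [
    ("outside MX, inbound mail",        "203.0.113.9", False, "user@example.com"),
    ("anonymous relay attempt",         "203.0.113.9", False, "victim@example.net"),
    ("guessed password, outside host",  "203.0.113.9", True,  "victim@example.net"),
    ("client inside closed user group", "192.0.2.25",  False, "partner@example.net"),
]

def compare():
    """Decision per session with the authenticated-relay box checked vs unchecked."""
    base = dict(local_domains=frozenset({"example.com"}), relay_networks=("192.0.2.0/24",))
    checked, unchecked = VirtualServer(**base), VirtualServer(**base, auth_may_relay=False)
    return {label: (decide(checked, ip, auth, rcpt), decide(unchecked, ip, auth, rcpt))
            for label, ip, auth, rcpt in SESSIONS}

if __name__ == "__main__":
    for label, (on, off) in compare().items():
        print(f"{label:34} checked={on:8} unchecked={off}")
```

Only the guessed-password session changes when the box is unchecked, which is why anonymous access alone does not make the server a relay while a single weak account does.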
RE: Open Relay/Spamcop
Excuse me, I have to go yell at the posters over in the IPCop mailing list. They keep mailing to the list, even though I haven't read it in weeks! Of all the nerve.

Jim H

-----Original Message-----
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 5:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

talking dirty like that just gets me pumped up for the weekend ... yum ... thanks for all the input (all puns intended that relate to vendor whores)

Mike
RE: Open Relay/Spamcop
And... Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop