subject:"open relay"

And...

> Rest assured that this topic has been discussed by us vendor whores.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!T
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 11:19 AM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Jim Helfer


 Excuse me, I have to go yell at the posters over in the IPCop mailing list.
They keep mailing to the list, even though I haven't read it in weeks! Of
all the nerve.


 Jim H
 

-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 5:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

talking dirty like that just gets me pumped up for the weekend ... yum ...

thanks for all the "input" (all puns intended that relate to "vendor
whores")

Mike



-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 4:35 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute FACT one way or the other it may indeed be the case that a
guest account was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list that they might possibly want to maybe suggest to Microsoft that
they take a look at this for no other reason than to at least modify the
wording on the check boxes. I mean "Anonymous Authentication allowed"
and "Allow computers which successfully authenticate..." on the surface
seems to indicate that yes, you can anonymously authenticate and relay
messages, which I cannot imagine would ever really be very useful to
anyone except a spammer. I mean, change the wording or add a checkbox to
specifically allow, not allow relaying by anonymous authentication. Who
knows, I don't want to start another freaking firestorm about how much I
hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY
an issue specifically in a lot of small 1-50 person shops that use a
single Exchange server for everything. This is where I have come in and
seen it as a problem. There are exactly the people that don't generally
have qualified IT help, thus because the default configuration seems to
allow this kind of relaying issue it is a "feature" of the product that
is adding to the overall spam problem on the Internet. Maybe the MVP
gods and Microsoft care, maybe not, but I want to be absolutely clear
that I do not care one iota, because if I did everyone would just tell
me how stupid and ignorant and a wife beater I am. So, I don't care and
please do not mistakenly believe that I care. God help us all if an MVP
reads this, thinks I care and starts another massive thread of pointless
arguing.

> It is possible that a user account was compromised ... but here is the
> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed
> user group (noted through ips in the relay tab ...) ; guest account 
> disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of
the
list above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a
> couple of external complaints that I was allowing relaying; but never 
> made it on a list --- whew), but we were accepting the mail and then 
> processing it internally; it was becoming a performance issue  
> this internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =

> then we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow
> all computers which successfully authenticate to relay, regardless of 
> the list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
> tab that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed
> user group; but they must use their ISP's SMTP relay for sending mail 
> or use OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/

RE: Open Relay/Spamcop

2003-12-18 Thread Wohlgemuth, Mike

talking dirty like that just gets me pumped up for the weekend ... yum
...

thanks for all the "input" (all puns intended that relate to "vendor
whores")

Mike



-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 4:35 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute FACT one way or the other it may indeed be the case that a
guest account was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list that they might possibly want to maybe suggest to Microsoft that
they take a look at this for no other reason than to at least modify the
wording on the check boxes. I mean "Anonymous Authentication allowed"
and "Allow computers which successfully authenticate..." on the surface
seems to indicate that yes, you can anonymously authenticate and relay
messages, which I cannot imagine would ever really be very useful to
anyone except a spammer. I mean, change the wording or add a checkbox to
specifically allow, not allow relaying by anonymous authentication. Who
knows, I don't want to start another freaking firestorm about how much I
hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY
an issue specifically in a lot of small 1-50 person shops that use a
single Exchange server for everything. This is where I have come in and
seen it as a problem. There are exactly the people that don't generally
have qualified IT help, thus because the default configuration seems to
allow this kind of relaying issue it is a "feature" of the product that
is adding to the overall spam problem on the Internet. Maybe the MVP
gods and Microsoft care, maybe not, but I want to be absolutely clear
that I do not care one iota, because if I did everyone would just tell
me how stupid and ignorant and a wife beater I am. So, I don't care and
please do not mistakenly believe that I care. God help us all if an MVP
reads this, thinks I care and starts another massive thread of pointless
arguing.

> It is possible that a user account was compromised ... but here is the
> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed
> user group (noted through ips in the relay tab ...) ; guest account 
> disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of
the
list above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a
> couple of external complaints that I was allowing relaying; but never 
> made it on a list --- whew), but we were accepting the mail and then 
> processing it internally; it was becoming a performance issue  
> this internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =

> then we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow
> all computers which successfully authenticate to relay, regardless of 
> the list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
> tab that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed
> user group; but they must use their ISP's SMTP relay for sending mail 
> or use OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it
> doesn't have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator? Do you
> "leak" user IDs to the outside world? Web pages? Email addresses? IM 
> aliases? Backups run under t

RE: Open Relay/Spamcop

Rest assured that this topic has been discussed by us vendor whores.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 11:19 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account was
used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take a
look at this for no other reason than to at least modify the wording on the
check boxes. I mean "Anonymous Authentication allowed" and "Allow computers
which successfully authenticate..." on the surface seems to indicate that
yes, you can anonymously authenticate and relay messages, which I cannot
imagine would ever really be very useful to anyone except a spammer. I mean,
change the wording or add a checkbox to specifically allow, not allow
relaying by anonymous authentication. Who knows, I don't want to start
another freaking firestorm about how much I hate Microsoft, yadda, yadda. I
guess my point is that it is OBVIOUSLY an issue specifically in a lot of
small 1-50 person shops that use a single Exchange server for everything.
This is where I have come in and seen it as a problem. There are exactly the
people that don't generally have qualified IT help, thus because the default
configuration seems to allow this kind of relaying issue it is a "feature"
of the product that is adding to the overall spam problem on the Internet.
Maybe the MVP gods and Microsoft care, maybe not, but I want to be
absolutely clear that I do not care one iota, because if I did everyone
would just tell me how stupid and ignorant and a wife beater I am. So, I
don't care and please do not mistakenly believe that I care. God help us all
if an MVP reads this, thinks I care and starts another massive thread of
pointless arguing.

> It is possible that a user account was compromised ... but here is the 
> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed 
> user group (noted through ips in the relay tab ...) ; guest account 
> disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of the
list above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a 
> couple of external complaints that I was allowing relaying; but never 
> made it on a list --- whew), but we were accepting the mail and then 
> processing it internally; it was becoming a performance issue  
> this internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... = 
> then we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of 
> the list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP 
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
> tab that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed 
> user group; but they must use their ISP's SMTP relay for sending mail 
> or use OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it 
> doesn't have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator? Do you 
> "leak" user IDs to the outside world? Web pages? Email addresses? IM 
> aliases? Backups run under the user ID "backup"?
> 
> Dictionary password attack. Spammers have lots of patience.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 12:11 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
&g

RE: Open Relay/Spamcop

Weak passwords.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 8:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove that it
actually will relay - not authenticated relay, that doesn't count.  If it is
authenticated relay, it is because a password was compromised. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz
Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to 
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which 
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as 
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is 
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to 
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.  
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000 
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if 
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20 
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the 
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/l

RE: Open Relay/Spamcop

Strong passwords mean much more than forced changes.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Thursday, December 18, 2003 8:49 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I agree with Ben.  My Exchange 2000 box at my last company was setup to
allow realaying after sucessfuly authentication because I had POP3 clients
at other offices that had no other SMTP gateway.  Disabling the Guest
account and forcing the users to change passwords every 30 days kept our
risk at a minimum.  We got tagged as a relay once, but forcing user password
changes on the spot fixed the problem.   

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and tested
again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
>

RE: Open Relay/Spamcop

Not in this thread, anyway.  The authentication hole exists when someone
hacks a password.  If you need to allow authentication, you should consider
doing this with a virtual server that is not exposed to the Internet.  If
you do expose your SMTP to the Internet with authentication, you should, at
a minimum, restrict the accounts that can use it, force the use of SSL, and
enforce strong password policies.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 8:37 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being 
> used as a relay ... turned off "Allow all computers which successfully 
> authenticate to relay, regardless of the list above." and that stopped 
> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to 
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties, 
> Access page, Authentication. 2. And, "Allow all computers which 
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as 
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20  
> >setting up a POP account in Outlook, putting the server that is 
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> > That is good, however, why then is spamcop still reporting it to 
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his 
> >Virtual SMTP Server settings=20  to verify correct configuration.  
> >Everything seems to be "checked" or=20  "unchecked" as recommended by 
> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000 
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me 
> >cannot find a way to make them check the server again to=20  see if 
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20 
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the 
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mo
> de=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

I think "Anonymous Access" (not "Anonymous Authentication Allowed") and
"Allow computers which successfully authenticate to relay" settings
belong in different contexts. One context is about *simply being able to
connect to the SMTP virtual server*, the other context is about being
able to relay.

I think you are extrapolating too much.

Somehow it never dawned on me to merge these two contexts. Maybe because
I had seen similar setting in many other SMTP server packages before.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

P.S. if you turn off Anonymous Access, expect to never receive any mail
from the Internet.


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 2:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute
FACT one way or the other it may indeed be the case that a guest account
was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list
that they might possibly want to maybe suggest to Microsoft that they
take
a look at this for no other reason than to at least modify the wording
on
the check boxes. I mean "Anonymous Authentication allowed" and "Allow
computers which successfully authenticate..." on the surface seems to
indicate that yes, you can anonymously authenticate and relay messages,
which I cannot imagine would ever really be very useful to anyone except
a
spammer. I mean, change the wording or add a checkbox to specifically
allow, not allow relaying by anonymous authentication. Who knows, I
don't
want to start another freaking firestorm about how much I hate
Microsoft,
yadda, yadda. I guess my point is that it is OBVIOUSLY an issue
specifically in a lot of small 1-50 person shops that use a single
Exchange server for everything. This is where I have come in and seen it
as a problem. There are exactly the people that don't generally have
qualified IT help, thus because the default configuration seems to allow
this kind of relaying issue it is a "feature" of the product that is
adding to the overall spam problem on the Internet. Maybe the MVP gods
and
Microsoft care, maybe not, but I want to be absolutely clear that I do
not
care one iota, because if I did everyone would just tell me how stupid
and
ignorant and a wife beater I am. So, I don't care and please do not
mistakenly believe that I care. God help us all if an MVP reads this,
thinks I care and starts another massive thread of pointless arguing.

> It is possible that a user account was compromised ... but here is the
> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed
user
> group (noted through ips in the relay tab ...) ; guest account
disabled;
> SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all
computers
> which successfully authenticate to relay, regardless of the list
above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a
> couple of external complaints that I was allowing relaying; but never
> made it on a list --- whew), but we were accepting the mail and then
> processing it internally; it was becoming a performance issue 
this
> internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =
> then
> we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow
all
> computers which successfully authenticate to relay, regardless of the
> list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access
tab
> that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed
user
> group; but they must use their ISP's SMTP relay for sending mail or
use
> OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it
doesn't
> have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator

RE: Open Relay/Spamcop

2003-12-18 Thread Jim Helfer



 Well, I'm certainly glad we aren't resorting to any of them thar
unprofessional personal attacks.  That would be just terrible.  

 Jim H

-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 2:19 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account was
used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take a
look at this for no other reason than to at least modify the wording on the
check boxes. I mean "Anonymous Authentication allowed" and "Allow computers
which successfully authenticate..." on the surface seems to indicate that
yes, you can anonymously authenticate and relay messages, which I cannot
imagine would ever really be very useful to anyone except a spammer. I mean,
change the wording or add a checkbox to specifically allow, not allow
relaying by anonymous authentication. Who knows, I don't want to start
another freaking firestorm about how much I hate Microsoft, yadda, yadda. I
guess my point is that it is OBVIOUSLY an issue specifically in a lot of
small 1-50 person shops that use a single Exchange server for everything.
This is where I have come in and seen it as a problem. There are exactly the
people that don't generally have qualified IT help, thus because the default
configuration seems to allow this kind of relaying issue it is a "feature"
of the product that is adding to the overall spam problem on the Internet.
Maybe the MVP gods and Microsoft care, maybe not, but I want to be
absolutely clear that I do not care one iota, because if I did everyone
would just tell me how stupid and ignorant and a wife beater I am. So, I
don't care and please do not mistakenly believe that I care. God help us all
if an MVP reads this, thinks I care and starts another massive thread of
pointless arguing.

> It is possible that a user account was compromised ... but here is the 
> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed 
> user group (noted through ips in the relay tab ...) ; guest account 
> disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of the
list above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a 
> couple of external complaints that I was allowing relaying; but never 
> made it on a list --- whew), but we were accepting the mail and then 
> processing it internally; it was becoming a performance issue  
> this internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... = 
> then we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of 
> the list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP 
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
> tab that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed 
> user group; but they must use their ISP's SMTP relay for sending mail 
> or use OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it 
> doesn't have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator? Do you 
> "leak" user IDs to the outside world? Web pages? Email addresses? IM 
> aliases? Backups run under the user ID "backup"?
> 
> Dictionary password attack. Spammers have lots of patience.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 12:11 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> This may very well be the case. I can

RE: Open Relay/Spamcop

You cannot always tell the users to use their own ISP's SMTP server.

For example, back at iNNERHOST we could not tell our customers to do
that. They wanted to use our SMTP servers, because in their mind that's
what they were paying us for. If we did not accommodate - they left.
Remember, customer is always right.

Also if you use your ISP's SMTP server to send outgoing mail, then all
your outgoing mail goes that way, including intra-office mail. What if
something happens with that ISP's SMTP server and mail gets stuck there
- try to explain to the furious users now why their mail is not getting
to their colleagues.

I have never had an issue with relaying for authenticated users on
Exchange.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 1:53 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

It is possible that a user account was compromised ... but here is the
scenario I had and what "worked" to fix it ...

Setup:
Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user
group (noted through ips in the relay tab ...) ; guest account disabled;
SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all computers
which successfully authenticate to relay, regardless of the list above."
was checked ...

Issue:
My cues were huge; relaying may not have been going on (I did have a
couple of external complaints that I was allowing relaying; but never
made it on a list --- whew), but we were accepting the mail and then
processing it internally; it was becoming a performance issue  this
internal processing is alluded to at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then
we were getting our own NDR's back ... etc ..

Solution:
Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all
computers which successfully authenticate to relay, regardless of the
list above." ... all the relaying (or attempt at it stopped)

Comment:
BTW, for external servers to communicate with you, it is the SMTP
Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab
that must be checked 

P.S.:
I tell users they can still pop their mail from outside our closed user
group; but they must use their ISP's SMTP relay for sending mail or use
OWA ...


Mike



-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
"leak" user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID "backup"?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

> However, I would welcome any information that proves me otherwise.
> i.e. configure these settings, with the guest account disabled, and 
> prove that it actually will relay - not authenticated relay, that 
> doesn't count.  If it is authenticated relay, it is because a password

> was compromised.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Ben Winzenz=20
> Posted At: Thursday, December 18, 2003 11:48 AM
> Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> I still think you are smoking crack on this, Greg.  I have never seen
> a properly configured Exchange 2000 server relay UNLESS a user account

> was compromised, or the guest account was enabled.  I've tested it and

> tested again, and never found Exchange to relay with those
> settings.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
> December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> Hey,

RE: Open Relay/Spamcop

Usually something simple like a Webmaster account with "password"
password is a target of spammers.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:49 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I agree with Ben.  My Exchange 2000 box at my last company was setup to
allow realaying after sucessfuly authentication because I had POP3
clients
at other offices that had no other SMTP gateway.  Disabling the Guest
account and forcing the users to change passwords every 30 days kept our
risk at a minimum.  We got tagged as a relay once, but forcing user
password
changes on the spot fixed the problem.   

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested
again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice
to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> __

RE: Open Relay/Spamcop

There was indeed a bug with MS SMTP service on Windows 2000, and some
hotfixes and/or services packs fixed that issue a bunch of moons ago. Or
at least that's how I remember it.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 12:23 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I seem to recall that there was a bug (fixed in sp3 maybe?) where if an
SMTP packet had a forged source address of 127.0.0.1, SMTP would relay
it regardless of relay settings.

I may be misremembering the details.

Also, no even half-way correctly firewall would let this type of packet
in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 11:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz 
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
>

RE: Open Relay/Spamcop

That probably was the case because someone guessed a username/password
combination and they were able to successfully authenticate and relay
mail.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:23 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop

I concur with greg ... our server had those settings and we were being
used as a relay ... turned off "Allow all computers which successfully
authenticate to relay, regardless of the list above." and that stopped
it ...

Mike



-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop


This may or may not be the problem, but I have seen spammers able to
relay off an Exchange server if the following configuration applies:

1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
Access page, Authentication. 2. And, "Allow all computers which
successfully authenticate to relay, regardless of the list above." is
checked. SMTP Virtual Server properties, Access page, Relay.



> Hello All and Happy Holidays!
> 
> I have a colleague whos Exchange 2000 server is being reported as Open

> Relay by spamcop for the past month.  I have tested his relay by 
> setting up a POP account in Outlook, putting the server that is being 
> reported as Open relay as my Outgoing SMTP server. =20
> 
> When I try to send a message using Outlook, I get a return message
that
> 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> That is good, however, why then is spamcop still reporting it to be 
> open relay? =20
> 
> I have checked (over the phone) all his Virtual SMTP Server settings 
> to verify correct configuration.  Everything seems to be "checked" or 
> "unchecked" as recommended by Microsoft.
> 
> We have Stopped/Started Services for SMTP
> 
> The Exchange 2000 server is behind a NAT and I have looked into the 
> possibility of this.  I have been out on the spamcop site and for the 
> life of me cannot find a way to make them check the server again to 
> see if it is closed relay like ORDB does. =20
> 
> Any ideas or comments =20
> 
> 
> 
> Samantha Bridges
> Communications Technician
> Macomb Intermediate School District
> 44001 Garfield Road
> Clinton Township  MI  48038-1100
> (586) 228-3300
> 
> [EMAIL PROTECTED]
> http://www.misd.net
> 
> 
> CONFIDENTIALITY NOTICE: This email message, including any attachments,

> is for the sole use of the intended recipient(s) and may contain 
> confidential and privileged information. Any unauthorized review, use,

> disclosure or distribution is prohibited. If you are not the intended 
> recipient, please contact the sender by reply email and destroy all 
> copies of the original message.
> 
> =20

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Clemens, Rick

Me thinks thou dost protest t much!!!  :-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Posted At: Thursday, December 18, 2003 1:19 PM
Posted To: Exchange Discussion
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an
absolute FACT one way or the other it may indeed be the case that a
guest account was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we
all know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this
list that they might possibly want to maybe suggest to Microsoft that
they take a look at this for no other reason than to at least modify the
wording on the check boxes. I mean "Anonymous Authentication allowed"
and "Allow computers which successfully authenticate..." on the surface
seems to indicate that yes, you can anonymously authenticate and relay
messages, which I cannot imagine would ever really be very useful to
anyone except a spammer. I mean, change the wording or add a checkbox to
specifically allow, not allow relaying by anonymous authentication. Who
knows, I don't want to start another freaking firestorm about how much I
hate Microsoft, yadda, yadda. I guess my point is that it is OBVIOUSLY
an issue specifically in a lot of small 1-50 person shops that use a
single Exchange server for everything. This is where I have come in and
seen it as a problem. There are exactly the people that don't generally
have qualified IT help, thus because the default configuration seems to
allow this kind of relaying issue it is a "feature" of the product that
is adding to the overall spam problem on the Internet. Maybe the MVP
gods and Microsoft care, maybe not, but I want to be absolutely clear
that I do not care one iota, because if I did everyone would just tell
me how stupid and ignorant and a wife beater I am. So, I don't care and
please do not mistakenly believe that I care. God help us all if an MVP
reads this, thinks I care and starts another massive thread of pointless
arguing.

> It is possible that a user account was compromised ... but here is the

> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed 
> user group (noted through ips in the relay tab ...) ; guest account 
> disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of
the list above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a 
> couple of external complaints that I was allowing relaying; but never 
> made it on a list --- whew), but we were accepting the mail and then 
> processing it internally; it was becoming a performance issue  
> this internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =

> then we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow 
> all computers which successfully authenticate to relay, regardless of 
> the list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP 
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access 
> tab that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed 
> user group; but they must use their ISP's SMTP relay for sending mail 
> or use OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it 
> doesn't have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator? Do you 
> "leak" user IDs to the outside world? Web pages? Email addresses? IM 
> aliases? Backups run under the user ID "backup"?
> 
> Dictionary password attack. Spammers have lots of patience.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 12:11 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> This may very well be the case. I cannot say one way or another. When 
> I

RE: Open Relay/Spamcop

I'm right there with you on this one. Since I do not know for an absolute
FACT one way or the other it may indeed be the case that a guest account
was used or that an account was compromised.

And God forbid that I even merely hint or suggest that this is a problem
with Microsoft's software or in any way a design flaw, etc. because we all
know that storm that would cause.

But, that being said, I would like to implore to the MVP gods on this list
that they might possibly want to maybe suggest to Microsoft that they take
a look at this for no other reason than to at least modify the wording on
the check boxes. I mean "Anonymous Authentication allowed" and "Allow
computers which successfully authenticate..." on the surface seems to
indicate that yes, you can anonymously authenticate and relay messages,
which I cannot imagine would ever really be very useful to anyone except a
spammer. I mean, change the wording or add a checkbox to specifically
allow, not allow relaying by anonymous authentication. Who knows, I don't
want to start another freaking firestorm about how much I hate Microsoft,
yadda, yadda. I guess my point is that it is OBVIOUSLY an issue
specifically in a lot of small 1-50 person shops that use a single
Exchange server for everything. This is where I have come in and seen it
as a problem. There are exactly the people that don't generally have
qualified IT help, thus because the default configuration seems to allow
this kind of relaying issue it is a "feature" of the product that is
adding to the overall spam problem on the Internet. Maybe the MVP gods and
Microsoft care, maybe not, but I want to be absolutely clear that I do not
care one iota, because if I did everyone would just tell me how stupid and
ignorant and a wife beater I am. So, I don't care and please do not
mistakenly believe that I care. God help us all if an MVP reads this,
thinks I care and starts another massive thread of pointless arguing.

> It is possible that a user account was compromised ... but here is the
> scenario I had and what "worked" to fix it ...
> 
> Setup:
> Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user
> group (noted through ips in the relay tab ...) ; guest account disabled;
> SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all computers
> which successfully authenticate to relay, regardless of the list above."
> was checked ...
> 
> Issue:
> My cues were huge; relaying may not have been going on (I did have a
> couple of external complaints that I was allowing relaying; but never
> made it on a list --- whew), but we were accepting the mail and then
> processing it internally; it was becoming a performance issue  this
> internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=3Dkb;EN-US;304897 ... =
> then
> we were getting our own NDR's back ... etc ..
> 
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all
> computers which successfully authenticate to relay, regardless of the
> list above." ... all the relaying (or attempt at it stopped)
> 
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab
> that must be checked 
> 
> P.S.:
> I tell users they can still pop their mail from outside our closed user
> group; but they must use their ISP's SMTP relay for sending mail or use
> OWA ...
> 
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Exchange WILL relay for authenticated users (by default), and it doesn't
> have to be the guest account (though that is a common attack).
> 
> Have you left your Administrator account named Administrator? Do you
> "leak" user IDs to the outside world? Web pages? Email addresses? IM
> aliases? Backups run under the user ID "backup"?
> 
> Dictionary password attack. Spammers have lots of patience.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 12:11 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> This may very well be the case. I cannot say one way or another. When I
> have seen this, it has always been the case that I am there fixing
> something else and happen upon this problem, fix it and move on. I DO
> know that I have seen it on boxes where the Guest account is disabled,
> but that does not rule out the possibility that some other account was
> compromised.

RE: Open Relay/Spamcop

2003-12-18 Thread Wohlgemuth, Mike

It is possible that a user account was compromised ... but here is the
scenario I had and what "worked" to fix it ...

Setup:
Win2K sp4; Exch 2k sp3 ; 5000 pop3/imap/mapi/http users on a closed user
group (noted through ips in the relay tab ...) ; guest account disabled;
SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all computers
which successfully authenticate to relay, regardless of the list above."
was checked ...

Issue:
My cues were huge; relaying may not have been going on (I did have a
couple of external complaints that I was allowing relaying; but never
made it on a list --- whew), but we were accepting the mail and then
processing it internally; it was becoming a performance issue  this
internal processing is alluded to at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ... then
we were getting our own NDR's back ... etc ..

Solution:
Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow all
computers which successfully authenticate to relay, regardless of the
list above." ... all the relaying (or attempt at it stopped)

Comment:
BTW, for external servers to communicate with you, it is the SMTP
Virtual Server Properties/Access Tab/Authentication/Anonymous Access tab
that must be checked 

P.S.:
I tell users they can still pop their mail from outside our closed user
group; but they must use their ISP's SMTP relay for sending mail or use
OWA ...


Mike



-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 12:18 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
"leak" user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID "backup"?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

> However, I would welcome any information that proves me otherwise.
> i.e. configure these settings, with the guest account disabled, and 
> prove that it actually will relay - not authenticated relay, that 
> doesn't count.  If it is authenticated relay, it is because a password

> was compromised.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Ben Winzenz=20
> Posted At: Thursday, December 18, 2003 11:48 AM
> Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> I still think you are smoking crack on this, Greg.  I have never seen
> a properly configured Exchange 2000 server relay UNLESS a user account

> was compromised, or the guest account was enabled.  I've tested it and

> tested again, and never found Exchange to relay with those
> settings.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-----
> From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
> December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> Hey, thanks for the confirmation. People have told me that I am
> smoking crack and that the Exchange servers were horribly 
> misconfigured. It's nice to know that I am not smoking crack.
> 
> > I concur with greg ... our server had those settings and we were
> > being
> 
> > used as a relay ... turned off "Allow all computers which
> > successfully
> 
> > authenticate to relay, regardless of the list above." and that
> > stopped
> 
> > it ...
> >=20
> > Mike
> >=20
> >=20
> >=20
> > -Original Message-
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 18, 2003 11:17 AM
> > To: Exchange Discussions
> > Subject: Re: Open Relay/Spamcop
> >=20
> >=20
> > This may or may not be the problem, but I have seen spammers able
> >to=20  relay off an Exchange server if the following configuration 
> >appl

RE: Open Relay/Spamcop

2003-12-18 Thread Kevin Wilkie

Uhm A ham sandwich?

Maybe a limp fish?

-Original Message-
From: Candee Vaglica [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:59 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


What do you get when you telnet into the server and try to send mail to
a bogus address?



> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as 
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is 
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to 
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration. 
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000 
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if 
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District  44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20 
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the 
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message. =20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mo
> de=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Roger Seielstad

But the point is that if you're listed on Spamcop, they'll tell you EXACTLY
why. None of the other RBL's I've seen do that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Randal, Phil [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 18, 2003 12:52 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> Looking at http://openrbl.org/# is also 
> very revealing.
> 
> Cheers,
> 
> Phil
> 
> -
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of 
> > Roger Seielstad
> > Sent: 18 December 2003 17:50
> > To: Exchange Discussions
> > Subject: RE: Open Relay/Spamcop
> > 
> > 
> > One of the reasons I like SpamCop (and actually use it 
> > myself) is because
> > you can look up the actual reason a box is on the list:
> > http://www.spamcop.net/bl.shtml
> > 
> > Put the IP address in and it will show an example of exactly 
> > why they're
> > listed.
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -Original Message-
> > > From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
> > > Sent: Thursday, December 18, 2003 10:59 AM
> > > To: Exchange Discussions
> > > Subject: Open Relay/Spamcop
> > > 
> > > 
> > > Hello All and Happy Holidays!
> > > 
> > > I have a colleague whos Exchange 2000 server is being 
> > reported as Open
> > > Relay by spamcop for the past month.  I have tested his relay 
> > > by setting
> > > up a POP account in Outlook, putting the server that is 
> > being reported
> > > as Open relay as my Outgoing SMTP server.  
> > > 
> > > When I try to send a message using Outlook, I get a return 
> > > message that
> > > 550 5.7.1 Unable to relay.  I am relieved that it could 
> > not relay.
> > > That is good, however, why then is spamcop still reporting it 
> > > to be open
> > > relay?  
> > > 
> > > I have checked (over the phone) all his Virtual SMTP Server 
> > > settings to
> > > verify correct configuration.  Everything seems to be "checked" or
> > > "unchecked" as recommended by Microsoft.
> > > 
> > > We have Stopped/Started Services for SMTP
> > > 
> > > The Exchange 2000 server is behind a NAT and I have 
> looked into the
> > > possibility of this.  I have been out on the spamcop site 
> > and for the
> > > life of me cannot find a way to make them check the server 
> > > again to see
> > > if it is closed relay like ORDB does.  
> > > 
> > > Any ideas or comments  
> > > 
> > > 
> > > 
> > > Samantha Bridges
> > > Communications Technician
> > > Macomb Intermediate School District
> > > 44001 Garfield Road
> > > Clinton Township  MI  48038-1100
> > > (586) 228-3300
> > > 
> > > [EMAIL PROTECTED]
> > > http://www.misd.net
> > > 
> > > 
> > > CONFIDENTIALITY NOTICE: This email message, including any 
> > attachments,
> > > is for the sole use of the intended recipient(s) and may contain
> > > confidential and privileged information. Any unauthorized 
> > review, use,
> > > disclosure or distribution is prohibited. If you are not 
> > the intended
> > > recipient, please contact the sender by reply email and 
> destroy all
> > > copies of the original message.
> > > 
> > >  
> > > 
> > > _
> > > List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> > > Web Interface: 
> > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
> > ext_mode=&lang=english
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin:[EMAIL PROTECTED]
> > 
> > _
> > List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> > Web Interface: 
> > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
> ext_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Randal, Phil

Looking at http://openrbl.org/# is also very revealing.

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of 
> Roger Seielstad
> Sent: 18 December 2003 17:50
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
> 
> 
> One of the reasons I like SpamCop (and actually use it 
> myself) is because
> you can look up the actual reason a box is on the list:
> http://www.spamcop.net/bl.shtml
> 
> Put the IP address in and it will show an example of exactly 
> why they're
> listed.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, December 18, 2003 10:59 AM
> > To: Exchange Discussions
> > Subject: Open Relay/Spamcop
> > 
> > 
> > Hello All and Happy Holidays!
> > 
> > I have a colleague whos Exchange 2000 server is being 
> reported as Open
> > Relay by spamcop for the past month.  I have tested his relay 
> > by setting
> > up a POP account in Outlook, putting the server that is 
> being reported
> > as Open relay as my Outgoing SMTP server.  
> > 
> > When I try to send a message using Outlook, I get a return 
> > message that
> > 550 5.7.1 Unable to relay.  I am relieved that it could 
> not relay.
> > That is good, however, why then is spamcop still reporting it 
> > to be open
> > relay?  
> > 
> > I have checked (over the phone) all his Virtual SMTP Server 
> > settings to
> > verify correct configuration.  Everything seems to be "checked" or
> > "unchecked" as recommended by Microsoft.
> > 
> > We have Stopped/Started Services for SMTP
> > 
> > The Exchange 2000 server is behind a NAT and I have looked into the
> > possibility of this.  I have been out on the spamcop site 
> and for the
> > life of me cannot find a way to make them check the server 
> > again to see
> > if it is closed relay like ORDB does.  
> > 
> > Any ideas or comments  
> > 
> > 
> > 
> > Samantha Bridges
> > Communications Technician
> > Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> > 
> > [EMAIL PROTECTED]
> > http://www.misd.net
> > 
> > 
> > CONFIDENTIALITY NOTICE: This email message, including any 
> attachments,
> > is for the sole use of the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized 
> review, use,
> > disclosure or distribution is prohibited. If you are not 
> the intended
> > recipient, please contact the sender by reply email and destroy all
> > copies of the original message.
> > 
> >  
> > 
> > _
> > List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> > Web Interface: 
> > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
> ext_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Roger Seielstad

One of the reasons I like SpamCop (and actually use it myself) is because
you can look up the actual reason a box is on the list:
http://www.spamcop.net/bl.shtml

Put the IP address in and it will show an example of exactly why they're
listed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 18, 2003 10:59 AM
> To: Exchange Discussions
> Subject: Open Relay/Spamcop
> 
> 
> Hello All and Happy Holidays!
> 
> I have a colleague whos Exchange 2000 server is being reported as Open
> Relay by spamcop for the past month.  I have tested his relay 
> by setting
> up a POP account in Outlook, putting the server that is being reported
> as Open relay as my Outgoing SMTP server.  
> 
> When I try to send a message using Outlook, I get a return 
> message that
> 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> That is good, however, why then is spamcop still reporting it 
> to be open
> relay?  
> 
> I have checked (over the phone) all his Virtual SMTP Server 
> settings to
> verify correct configuration.  Everything seems to be "checked" or
> "unchecked" as recommended by Microsoft.
> 
> We have Stopped/Started Services for SMTP
> 
> The Exchange 2000 server is behind a NAT and I have looked into the
> possibility of this.  I have been out on the spamcop site and for the
> life of me cannot find a way to make them check the server 
> again to see
> if it is closed relay like ORDB does.  
> 
> Any ideas or comments  
> 
> 
> 
> Samantha Bridges
> Communications Technician
> Macomb Intermediate School District
> 44001 Garfield Road
> Clinton Township  MI  48038-1100
> (586) 228-3300
> 
> [EMAIL PROTECTED]
> http://www.misd.net
> 
> 
> CONFIDENTIALITY NOTICE: This email message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply email and destroy all
> copies of the original message.
> 
>  
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

Please post if you recall the article.  I'll dig around and see if I can
find it. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 12:23 PM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I seem to recall that there was a bug (fixed in sp3 maybe?) where if an
SMTP packet had a forged source address of 127.0.0.1, SMTP would relay
it regardless of relay settings.

I may be misremembering the details.

Also, no even half-way correctly firewall would let this type of packet
in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 11:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz
Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange
(Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
>

RE: Open Relay/Spamcop

But that is my point.  I know Exchange relays for authenticated users by
default.  It is turned on to allow POP3/SMTP and IMAP accounts the
ability to send using your Exchange server as the outgoing server.
However, it won't relay for a spammer UNLESS an account has been
compromised, at which point someone has in essence hacked your system.
If you set up your environment correctly, the ONLY way an account will
get compromised is if someone leaks their password.  Dictionary attacks
won't work because the account will get locked out after 3 attempts, and
it is awfully hard to dictionary guess a complex password in 3 tries :-)



Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 12:18 PM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
"leak" user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID "backup"?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

> However, I would welcome any information that proves me otherwise.  
> i.e. configure these settings, with the guest account disabled, and 
> prove that it actually will relay - not authenticated relay, that 
> doesn't count.  If it is authenticated relay, it is because a password

> was compromised.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Ben Winzenz=20
> Posted At: Thursday, December 18, 2003 11:48 AM Posted To: Exchange 
> (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> I still think you are smoking crack on this, Greg.  I have never seen 
> a properly configured Exchange 2000 server relay UNLESS a user account

> was compromised, or the guest account was enabled.  I've tested it and

> tested again, and never found Exchange to relay with those 
> settings.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, 
> December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> Hey, thanks for the confirmation. People have told me that I am 
> smoking crack and that the Exchange servers were horribly 
> misconfigured. It's nice to know that I am not smoking crack.
> 
> > I concur with greg ... our server had those settings and we were 
> > being
> 
> > used as a relay ... turned off "Allow all computers which 
> > successfully
> 
> > authenticate to relay, regardless of the list above." and that 
> > stopped
> 
> > it ...
> >=20
> > Mike
> >=20
> >=20
> >=20
> > -Original Message-
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 18, 2003 11:17 AM
> > To: Exchange Discussions
> > Subject: Re: Open Relay/Spamcop
> >=20
> >=20
> > This may or may not be the problem, but I have seen spammers able 
> >to=20  relay off an Exchange server if the following configuration
> >applies: =20  1. If "Anonymous access" is turned on. SMTP Virtual 
> >Server properties,
> 
> > Access page, Authentication. 2. And, "Allow all computers which=20 
> >successfully authenticate to relay, regardless of the list above."
> >is=20  checked. SMTP Virtual Server properties, Access page, Relay. 
> >=20 =20
> >=20
> > > Hello All and Happy Holidays!
> > >=3D20
> > > I have a colleague whos Exchange 2000 server is being reported 
> > >as=20 Open
> >=20
> > > Relay by spamcop for the past month.  I have tested his relay =
> by=3D20
> 
> > >setting up a POP account in Outloo

RE: Open Relay/Spamcop

2003-12-18 Thread Ken Cornetet

I seem to recall that there was a bug (fixed in sp3 maybe?) where if an
SMTP packet had a forged source address of 127.0.0.1, SMTP would relay
it regardless of relay settings.

I may be misremembering the details.

Also, no even half-way correctly firewall would let this type of packet
in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, December 18, 2003 11:51 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz 
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> ___

RE: Open Relay/Spamcop

2003-12-18 Thread Ken Cornetet

Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
"leak" user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID "backup"?

Dictionary password attack. Spammers have lots of patience.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

> However, I would welcome any information that proves me otherwise.  
> i.e. configure these settings, with the guest account disabled, and 
> prove that it actually will relay - not authenticated relay, that 
> doesn't count.  If it is authenticated relay, it is because a password

> was compromised.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Ben Winzenz=20
> Posted At: Thursday, December 18, 2003 11:48 AM
> Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> I still think you are smoking crack on this, Greg.  I have never seen 
> a properly configured Exchange 2000 server relay UNLESS a user account

> was compromised, or the guest account was enabled.  I've tested it and

> tested again, and never found Exchange to relay with those 
> settings.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday, 
> December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> Hey, thanks for the confirmation. People have told me that I am 
> smoking crack and that the Exchange servers were horribly 
> misconfigured. It's nice to know that I am not smoking crack.
> 
> > I concur with greg ... our server had those settings and we were 
> > being
> 
> > used as a relay ... turned off "Allow all computers which 
> > successfully
> 
> > authenticate to relay, regardless of the list above." and that 
> > stopped
> 
> > it ...
> >=20
> > Mike
> >=20
> >=20
> >=20
> > -Original Message-
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 18, 2003 11:17 AM
> > To: Exchange Discussions
> > Subject: Re: Open Relay/Spamcop
> >=20
> >=20
> > This may or may not be the problem, but I have seen spammers able 
> >to=20  relay off an Exchange server if the following configuration 
> >applies: =20  1. If "Anonymous access" is turned on. SMTP Virtual 
> >Server properties,
> 
> > Access page, Authentication. 2. And, "Allow all computers which=20  
> >successfully authenticate to relay, regardless of the list above." 
> >is=20  checked. SMTP Virtual Server properties, Access page, Relay. 
> >=20 =20
> >=20
> > > Hello All and Happy Holidays!
> > >=3D20
> > > I have a colleague whos Exchange 2000 server is being reported 
> > >as=20 Open
> >=20
> > > Relay by spamcop for the past month.  I have tested his relay =
> by=3D20
> 
> > >setting up a POP account in Outlook, putting the server that is=20 
> > >being=3D20  reported as Open relay as my Outgoing SMTP server. =
> =3D3D20=20
> > >=3D20  When I try to send a message using Outlook, I get a 
> > >return=20 message
> > that
> > > 550 5.7.1 Unable to relay.  I am relieved that it could not
> relay.
> > > That is good, however, why then is spamcop still reporting it 
> > >to=20 be=3D20  open relay? =3D3D20 =3D20  I have checked (over the 
> > >phone) =
> all his
> 
> > >Virtual SMTP Server settings=3D20  to verify correct configuration.

> > >=20 Everything seems to be "checked" or=3D20  "unchecked" as 
> > >recommended =
> by
> 
> > >Microsoft.
> > >=3D20
> > > We have Stopped/Started Services for SMTP =3D20  The Exchange 
> > >2000=20 server is

RE: Open Relay/Spamcop

This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO know
that I have seen it on boxes where the Guest account is disabled, but that
does not rule out the possibility that some other account was compromised.

> However, I would welcome any information that proves me otherwise.  i.e.
> configure these settings, with the guest account disabled, and prove
> that it actually will relay - not authenticated relay, that doesn't
> count.  If it is authenticated relay, it is because a password was
> compromised.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Ben Winzenz=20
> Posted At: Thursday, December 18, 2003 11:48 AM
> Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> I still think you are smoking crack on this, Greg.  I have never seen a
> properly configured Exchange 2000 server relay UNLESS a user account was
> compromised, or the guest account was enabled.  I've tested it and
> tested again, and never found Exchange to relay with those settings.=20
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
> December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> Hey, thanks for the confirmation. People have told me that I am smoking
> crack and that the Exchange servers were horribly misconfigured. It's
> nice to know that I am not smoking crack.
> 
> > I concur with greg ... our server had those settings and we were being
> 
> > used as a relay ... turned off "Allow all computers which successfully
> 
> > authenticate to relay, regardless of the list above." and that stopped
> 
> > it ...
> >=20
> > Mike
> >=20
> >=20
> >=20
> > -Original Message-
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 18, 2003 11:17 AM
> > To: Exchange Discussions
> > Subject: Re: Open Relay/Spamcop
> >=20
> >=20
> > This may or may not be the problem, but I have seen spammers able to=20
> > relay off an Exchange server if the following configuration applies:
> >=20
> > 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
> 
> > Access page, Authentication. 2. And, "Allow all computers which=20
> > successfully authenticate to relay, regardless of the list above." is=20
> > checked. SMTP Virtual Server properties, Access page, Relay.
> >=20
> >=20
> >=20
> > > Hello All and Happy Holidays!
> > >=3D20
> > > I have a colleague whos Exchange 2000 server is being reported as=20
> > >Open
> >=20
> > > Relay by spamcop for the past month.  I have tested his relay =
> by=3D20
> 
> > >setting up a POP account in Outlook, putting the server that is=20
> > >being=3D20  reported as Open relay as my Outgoing SMTP server. =
> =3D3D20=20
> > >=3D20  When I try to send a message using Outlook, I get a return=20
> > >message
> > that
> > > 550 5.7.1 Unable to relay.  I am relieved that it could not
> relay.
> > > That is good, however, why then is spamcop still reporting it to=20
> > >be=3D20  open relay? =3D3D20 =3D20  I have checked (over the phone) =
> all his
> 
> > >Virtual SMTP Server settings=3D20  to verify correct configuration. =20
> > >Everything seems to be "checked" or=3D20  "unchecked" as recommended =
> by
> 
> > >Microsoft.
> > >=3D20
> > > We have Stopped/Started Services for SMTP =3D20  The Exchange 2000=20
> > >server is behind a NAT and I have looked into the=3D20  possibility =
> of=20
> > >this.  I have been out on the spamcop site and for the=3D20  life of =
> me
> 
> > >cannot find a way to make them check the server again to=3D20  see if =
> 
> > >it is closed relay like ORDB does. =3D3D20 =3D20  Any ideas or=20
> > >comments =3D3D20 =3D20 =3D20 =3D20  Samantha Bridges  =
> Communications=20
> > >Technician  Macomb Intermediate School District
> > > 44001 Garfield Road
> > > Clinton Township  MI  48038-1100
> > > (586) 228-3300
> > >=3D20
> > > [EMAIL PROTECTED]
> > > http://www.misd.net
>

RE: Open Relay/Spamcop

2003-12-18 Thread Candee Vaglica

What do you get when you telnet into the server and try to send mail to a
bogus address?



> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mo
> de=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Eric Fretz

I agree with Ben.  My Exchange 2000 box at my last company was setup to
allow realaying after sucessfuly authentication because I had POP3 clients
at other offices that had no other SMTP gateway.  Disabling the Guest
account and forcing the users to change passwords every 30 days kept our
risk at a minimum.  We got tagged as a relay once, but forcing user password
changes on the spot fixed the problem.   

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 10:48 AM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and tested
again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mo
> de=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_

RE: Open Relay/Spamcop

However, I would welcome any information that proves me otherwise.  i.e.
configure these settings, with the guest account disabled, and prove
that it actually will relay - not authenticated relay, that doesn't
count.  If it is authenticated relay, it is because a password was
compromised. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Ben Winzenz 
Posted At: Thursday, December 18, 2003 11:48 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] Posted At: Thursday,
December 18, 2003 11:37 AM Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to 
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which 
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as 
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is 
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to 
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.  
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000 
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if 
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20 
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the 
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mo
> de=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:

RE: Open Relay/Spamcop

I still think you are smoking crack on this, Greg.  I have never seen a
properly configured Exchange 2000 server relay UNLESS a user account was
compromised, or the guest account was enabled.  I've tested it and
tested again, and never found Exchange to relay with those settings. 


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:37 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's
nice to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being

> used as a relay ... turned off "Allow all computers which successfully

> authenticate to relay, regardless of the list above." and that stopped

> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to 
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,

> Access page, Authentication. 2. And, "Allow all computers which 
> successfully authenticate to relay, regardless of the list above." is 
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as 
> >Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20

> >setting up a POP account in Outlook, putting the server that is 
> >being=20  reported as Open relay as my Outgoing SMTP server. =3D20 
> >=20  When I try to send a message using Outlook, I get a return 
> >message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not
relay.
> > That is good, however, why then is spamcop still reporting it to 
> >be=20  open relay? =3D20 =20  I have checked (over the phone) all his

> >Virtual SMTP Server settings=20  to verify correct configuration.  
> >Everything seems to be "checked" or=20  "unchecked" as recommended by

> >Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP =20  The Exchange 2000 
> >server is behind a NAT and I have looked into the=20  possibility of 
> >this.  I have been out on the spamcop site and for the=20  life of me

> >cannot find a way to make them check the server again to=20  see if 
> >it is closed relay like ORDB does. =3D20 =20  Any ideas or 
> >comments =3D20 =20 =20 =20  Samantha Bridges  Communications 
> >Technician  Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any 
> >attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20 
> > confidential and privileged information. Any unauthorized review, 
> > use,
> 
> > disclosure or distribution is prohibited. If you are not the 
> >intended=20  recipient, please contact the sender by reply email and 
> >destroy all=20  copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mo
> de=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

I'm gonna comment on this one again.  This type of vulnerability should
only be an issue if your Guest account is enabled.  You HAVE to leave
anonymous access on if you want other mail systems to communicate with
you.  If you have POP3 and/or IMAP clients, you must leave the box
checked to "allow all computers which successfully relay...".  I have
never seen a case where the server truly was an open relay with these
settings.

If your configuration was like this, than likely what happened is one of
your accounts was compromised.  Exchange WILL NOT relay with those
settings unless you successfully authenticate, such as you do when you
specify that the outgoing smtp server requires authentication.  Also, if
this is the case, it is NOT a case where you were an open relay, it is a
case where an account was compromised and allowed to relay off the
server.  Configuring user accounts with strong passwords, and
configuring them to lock out after x number of unsuccessful logins
should mitigate any risk of SMTP Auth attacks, aside from a user
revealing their password.


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-Original Message-
From: Wohlgemuth, Mike [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, December 18, 2003 11:23 AM
Posted To: Exchange (Swynk)
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop


I concur with greg ... our server had those settings and we were being
used as a relay ... turned off "Allow all computers which successfully
authenticate to relay, regardless of the list above." and that stopped
it ...

Mike



-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop


This may or may not be the problem, but I have seen spammers able to
relay off an Exchange server if the following configuration applies:

1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
Access page, Authentication. 2. And, "Allow all computers which
successfully authenticate to relay, regardless of the list above." is
checked. SMTP Virtual Server properties, Access page, Relay.



> Hello All and Happy Holidays!
> 
> I have a colleague whos Exchange 2000 server is being reported as Open

> Relay by spamcop for the past month.  I have tested his relay by 
> setting up a POP account in Outlook, putting the server that is being 
> reported as Open relay as my Outgoing SMTP server. =20
> 
> When I try to send a message using Outlook, I get a return message
that
> 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> That is good, however, why then is spamcop still reporting it to be 
> open relay? =20
> 
> I have checked (over the phone) all his Virtual SMTP Server settings 
> to verify correct configuration.  Everything seems to be "checked" or 
> "unchecked" as recommended by Microsoft.
> 
> We have Stopped/Started Services for SMTP
> 
> The Exchange 2000 server is behind a NAT and I have looked into the 
> possibility of this.  I have been out on the spamcop site and for the 
> life of me cannot find a way to make them check the server again to 
> see if it is closed relay like ORDB does. =20
> 
> Any ideas or comments =20
> 
> 
> 
> Samantha Bridges
> Communications Technician
> Macomb Intermediate School District
> 44001 Garfield Road
> Clinton Township  MI  48038-1100
> (586) 228-3300
> 
> [EMAIL PROTECTED]
> http://www.misd.net
> 
> 
> CONFIDENTIALITY NOTICE: This email message, including any attachments,

> is for the sole use of the intended recipient(s) and may contain 
> confidential and privileged information. Any unauthorized review, use,

> disclosure or distribution is prohibited. If you are not the intended 
> recipient, please contact the sender by reply email and destroy all 
> copies of the original message.
> 
> =20

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

Hey, thanks for the confirmation. People have told me that I am smoking
crack and that the Exchange servers were horribly misconfigured. It's nice
to know that I am not smoking crack.

> I concur with greg ... our server had those settings and we were being
> used as a relay ... turned off "Allow all computers which successfully
> authenticate to relay, regardless of the list above." and that stopped
> it ...
> 
> Mike
> 
> 
> 
> -Original Message-
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 11:17 AM
> To: Exchange Discussions
> Subject: Re: Open Relay/Spamcop
> 
> 
> This may or may not be the problem, but I have seen spammers able to
> relay off an Exchange server if the following configuration applies:
> 
> 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
> Access page, Authentication. 2. And, "Allow all computers which
> successfully authenticate to relay, regardless of the list above." is
> checked. SMTP Virtual Server properties, Access page, Relay.
> 
> 
> 
> > Hello All and Happy Holidays!
> >=20
> > I have a colleague whos Exchange 2000 server is being reported as Open
> 
> > Relay by spamcop for the past month.  I have tested his relay by=20
> > setting up a POP account in Outlook, putting the server that is being=20
> > reported as Open relay as my Outgoing SMTP server. =3D20
> >=20
> > When I try to send a message using Outlook, I get a return message
> that
> > 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> > That is good, however, why then is spamcop still reporting it to be=20
> > open relay? =3D20
> >=20
> > I have checked (over the phone) all his Virtual SMTP Server settings=20
> > to verify correct configuration.  Everything seems to be "checked" or=20
> > "unchecked" as recommended by Microsoft.
> >=20
> > We have Stopped/Started Services for SMTP
> >=20
> > The Exchange 2000 server is behind a NAT and I have looked into the=20
> > possibility of this.  I have been out on the spamcop site and for the=20
> > life of me cannot find a way to make them check the server again to=20
> > see if it is closed relay like ORDB does. =3D20
> >=20
> > Any ideas or comments =3D20
> >=20
> >=20
> >=20
> > Samantha Bridges
> > Communications Technician
> > Macomb Intermediate School District
> > 44001 Garfield Road
> > Clinton Township  MI  48038-1100
> > (586) 228-3300
> >=20
> > [EMAIL PROTECTED]
> > http://www.misd.net
> >=20
> >=20
> > CONFIDENTIALITY NOTICE: This email message, including any attachments,
> 
> > is for the sole use of the intended recipient(s) and may contain=20
> > confidential and privileged information. Any unauthorized review, use,
> 
> > disclosure or distribution is prohibited. If you are not the intended=20
> > recipient, please contact the sender by reply email and destroy all=20
> > copies of the original message.
> >=20
> > =3D20
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=3Dexchange&text_mode=3D=
> &
> lang=3Denglish
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Wohlgemuth, Mike

I concur with greg ... our server had those settings and we were being
used as a relay ... turned off "Allow all computers which successfully
authenticate to relay, regardless of the list above." and that stopped
it ...

Mike



-Original Message-
From: Greg Deckler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:17 AM
To: Exchange Discussions
Subject: Re: Open Relay/Spamcop


This may or may not be the problem, but I have seen spammers able to
relay off an Exchange server if the following configuration applies:

1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
Access page, Authentication. 2. And, "Allow all computers which
successfully authenticate to relay, regardless of the list above." is
checked. SMTP Virtual Server properties, Access page, Relay.



> Hello All and Happy Holidays!
> 
> I have a colleague whos Exchange 2000 server is being reported as Open

> Relay by spamcop for the past month.  I have tested his relay by 
> setting up a POP account in Outlook, putting the server that is being 
> reported as Open relay as my Outgoing SMTP server. =20
> 
> When I try to send a message using Outlook, I get a return message
that
> 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> That is good, however, why then is spamcop still reporting it to be 
> open relay? =20
> 
> I have checked (over the phone) all his Virtual SMTP Server settings 
> to verify correct configuration.  Everything seems to be "checked" or 
> "unchecked" as recommended by Microsoft.
> 
> We have Stopped/Started Services for SMTP
> 
> The Exchange 2000 server is behind a NAT and I have looked into the 
> possibility of this.  I have been out on the spamcop site and for the 
> life of me cannot find a way to make them check the server again to 
> see if it is closed relay like ORDB does. =20
> 
> Any ideas or comments =20
> 
> 
> 
> Samantha Bridges
> Communications Technician
> Macomb Intermediate School District
> 44001 Garfield Road
> Clinton Township  MI  48038-1100
> (586) 228-3300
> 
> [EMAIL PROTECTED]
> http://www.misd.net
> 
> 
> CONFIDENTIALITY NOTICE: This email message, including any attachments,

> is for the sole use of the intended recipient(s) and may contain 
> confidential and privileged information. Any unauthorized review, use,

> disclosure or distribution is prohibited. If you are not the intended 
> recipient, please contact the sender by reply email and destroy all 
> copies of the original message.
> 
> =20

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Open Relay/Spamcop

This may or may not be the problem, but I have seen spammers able to relay
off an Exchange server if the following configuration applies:

1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
Access page, Authentication.
2. And, "Allow all computers which successfully authenticate to relay,
regardless of the list above." is checked. SMTP Virtual Server properties,
Access page, Relay.



> Hello All and Happy Holidays!
> 
> I have a colleague whos Exchange 2000 server is being reported as Open
> Relay by spamcop for the past month.  I have tested his relay by setting
> up a POP account in Outlook, putting the server that is being reported
> as Open relay as my Outgoing SMTP server. =20
> 
> When I try to send a message using Outlook, I get a return message that
> 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> That is good, however, why then is spamcop still reporting it to be open
> relay? =20
> 
> I have checked (over the phone) all his Virtual SMTP Server settings to
> verify correct configuration.  Everything seems to be "checked" or
> "unchecked" as recommended by Microsoft.
> 
> We have Stopped/Started Services for SMTP
> 
> The Exchange 2000 server is behind a NAT and I have looked into the
> possibility of this.  I have been out on the spamcop site and for the
> life of me cannot find a way to make them check the server again to see
> if it is closed relay like ORDB does. =20
> 
> Any ideas or comments =20
> 
> 
> 
> Samantha Bridges
> Communications Technician
> Macomb Intermediate School District
> 44001 Garfield Road
> Clinton Township  MI  48038-1100
> (586) 228-3300
> 
> [EMAIL PROTECTED]
> http://www.misd.net
> 
> 
> CONFIDENTIALITY NOTICE: This email message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply email and destroy all
> copies of the original message.
> 
> =20

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay/Spamcop

2003-12-18 Thread Randal, Phil

Try checking with http://www.abuse.net/relay.html

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bridges,
> Samantha
> Sent: 18 December 2003 15:59
> To: Exchange Discussions
> Subject: Open Relay/Spamcop
> 
> 
> Hello All and Happy Holidays!
> 
> I have a colleague whos Exchange 2000 server is being reported as Open
> Relay by spamcop for the past month.  I have tested his relay 
> by setting
> up a POP account in Outlook, putting the server that is being reported
> as Open relay as my Outgoing SMTP server.  
> 
> When I try to send a message using Outlook, I get a return 
> message that
> 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> That is good, however, why then is spamcop still reporting it 
> to be open
> relay?  
> 
> I have checked (over the phone) all his Virtual SMTP Server 
> settings to
> verify correct configuration.  Everything seems to be "checked" or
> "unchecked" as recommended by Microsoft.
> 
> We have Stopped/Started Services for SMTP
> 
> The Exchange 2000 server is behind a NAT and I have looked into the
> possibility of this.  I have been out on the spamcop site and for the
> life of me cannot find a way to make them check the server 
> again to see
> if it is closed relay like ORDB does.  
> 
> Any ideas or comments  
> 
> 
> 
> Samantha Bridges
> Communications Technician
> Macomb Intermediate School District
> 44001 Garfield Road
> Clinton Township  MI  48038-1100
> (586) 228-3300
> 
> [EMAIL PROTECTED]
> http://www.misd.net
> 
> 
> CONFIDENTIALITY NOTICE: This email message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply email and destroy all
> copies of the original message.
> 
>  
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open Relay/Spamcop

2003-12-18 Thread Bridges, Samantha

Hello All and Happy Holidays!

I have a colleague whos Exchange 2000 server is being reported as Open
Relay by spamcop for the past month.  I have tested his relay by setting
up a POP account in Outlook, putting the server that is being reported
as Open relay as my Outgoing SMTP server.  

When I try to send a message using Outlook, I get a return message that
550 5.7.1 Unable to relay.  I am relieved that it could not relay.
That is good, however, why then is spamcop still reporting it to be open
relay?  

I have checked (over the phone) all his Virtual SMTP Server settings to
verify correct configuration.  Everything seems to be "checked" or
"unchecked" as recommended by Microsoft.

We have Stopped/Started Services for SMTP

The Exchange 2000 server is behind a NAT and I have looked into the
possibility of this.  I have been out on the spamcop site and for the
life of me cannot find a way to make them check the server again to see
if it is closed relay like ORDB does.  

Any ideas or comments  



Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township  MI  48038-1100
(586) 228-3300

[EMAIL PROTECTED]
http://www.misd.net


CONFIDENTIALITY NOTICE: This email message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all
copies of the original message.

 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-03 Thread Couch, Nate

Excuse me.  Symantec said they weren't aware of any virus that can put dummy
addresses in the To and From fields?  I find that hard to believe since the
Klez virus, among others, does this very thing and they are certainly aware
of that virus.

As for your original issue about the spam delete the messages that you know
are spam and re-check your open relay situation.  It sounds like there is a
hole somewhere that you didn't plug.  Check Q articles 

Q260973
Q265293
Q313395

Nate Couch
EDS Messaging

> --
> From: Jay Kulsh
> Reply To: Exchange Discussions
> Sent: Sunday, November 2, 2003 11:17 PM
> To:   Exchange Discussions
> Subject:  Spam Clogging the IMC Queue -- Feigning Open Relay
> 
> Hi folks,
> 
> We do not have open relay on our two Exchange servers (5.5 SP4) as tested
> by
> various tools. However in the queue of IMC, there are thousand of messages
> that have outside domains in both source and destination addresses. The
> addresses of originators are obviously computer generated with words like
> [EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of
> these
> messages are actually delivered -- as if we were open realy -- to the
> destination domain but that is a possibility.
> 
> Symantec techsupport stated that they are not aware of any virus or worm
> that can do this.
> 
> If we are not allowing open-relay what is causing these messages to get to
> our IMC queue? Please help!
> 
> Jay
> __
> Jay Kulsh
> iLAN
> Pasadena, CA
> 
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&la
> ng=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
> 
> 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-03 Thread AliAdmin

Hi

I had a similar problem as we have a lot of mobile users. Unfortunately the
authentication seemed temperamental depending on which ISP you were using,
so forced everybody to use the VPN and restricted routing to internal IP's
only.

I think that did the trick, but I wouldn't be surprised if the spammers find
a way around it.

Bye

Ali

- Original Message - 
From: "Jay Kulsh" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, November 03, 2003 12:11 PM
Subject: Re: Spam Clogging the IMC Queue -- Feigning Open Relay


> Let me answer my own question. Those spammers were using authentication to
> logon to SMTP server of our Exchange. Once we saw what user account was
> being used and disabled it, problem went away. (Due to POP3 users, we have
> to allow routing thru authentication.)
>
> Jay Kulsh
>
> Please visit http://www.cancer-treatment.net
>
> - Original Message - 
> From: Jay Kulsh
> To: Exchange Discussions
> Sent: Sunday, November 02, 2003 9:17 PM
> Subject: Spam Clogging the IMC Queue -- Feigning Open Relay
>
>
>
> Hi folks,
>
> We do not have open relay on our two Exchange servers (5.5 SP4) as tested
by
> various tools. However in the queue of IMC, there are thousand of messages
> that have outside domains in both source and destination addresses. The
> addresses of originators are obviously computer generated with words like
> [EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of
these
> messages are actually delivered -- as if we were open realy -- to the
> destination domain but that is a possibility.
>
> Symantec techsupport stated that they are not aware of any virus or worm
> that can do this.
>
> If we are not allowing open-relay what is causing these messages to get to
> our IMC queue? Please help!
>
> Jay
> __
> Jay Kulsh
> iLAN
> Pasadena, CA
>
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-03 Thread Jay Kulsh

Let me answer my own question. Those spammers were using authentication to
logon to SMTP server of our Exchange. Once we saw what user account was
being used and disabled it, problem went away. (Due to POP3 users, we have
to allow routing thru authentication.)

Jay Kulsh

Please visit http://www.cancer-treatment.net

- Original Message - 
From: Jay Kulsh
To: Exchange Discussions
Sent: Sunday, November 02, 2003 9:17 PM
Subject: Spam Clogging the IMC Queue -- Feigning Open Relay



Hi folks,

We do not have open relay on our two Exchange servers (5.5 SP4) as tested by
various tools. However in the queue of IMC, there are thousand of messages
that have outside domains in both source and destination addresses. The
addresses of originators are obviously computer generated with words like
[EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of these
messages are actually delivered -- as if we were open realy -- to the
destination domain but that is a possibility.

Symantec techsupport stated that they are not aware of any virus or worm
that can do this.

If we are not allowing open-relay what is causing these messages to get to
our IMC queue? Please help!

Jay
__
Jay Kulsh
iLAN
Pasadena, CA


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Spam Clogging the IMC Queue -- Feigning Open Relay

2003-11-02 Thread Jay Kulsh

Hi folks,

We do not have open relay on our two Exchange servers (5.5 SP4) as tested by
various tools. However in the queue of IMC, there are thousand of messages
that have outside domains in both source and destination addresses. The
addresses of originators are obviously computer generated with words like
[EMAIL PROTECTED], [EMAIL PROTECTED] etc. We have no proof yet that any of these
messages are actually delivered -- as if we were open realy -- to the
destination domain but that is a possibility.

Symantec techsupport stated that they are not aware of any virus or worm
that can do this.

If we are not allowing open-relay what is causing these messages to get to
our IMC queue? Please help!

Jay
__
Jay Kulsh
iLAN
Pasadena, CA


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Open relay issues

2003-09-04 Thread Chris Scharff

Those aren't relay failures, there's nothing to fix. They are (exclusively I
think) tests for other mail servers which at one point used to incorrectly
relay mail formatted like that. Exchange does not. My server 'fails' the
same tests. If you crank up logging on the SMTP conversation what addresses
is the connecting IP address sending to?

> From: "Pat Richard" <[EMAIL PROTECTED]>
> Reply-To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Date: Thu, 4 Sep 2003 23:25:10 -0400
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Subject: Open relay issues
> 
> Okay, I'm still looking through the archives and stuff, but it's late, so I'll
> post this before I call it a night.
> 
> Client has a server that suddenly shuts down.
> 
> I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the
> badmail folder. All dated within the last two or three days. The server had
> shut down because the drive ran out of space.
> 
> So I clear that up and start nosing around..
> 
> I check for open relay (telnet), and can't find any problem. I start to think
> maybe this is a SoBig.F issue, until I read some of the NDRs.
> 
> Within fifteen minutes, badmail starts to accumulate again. I look further,
> and see a connection in the OPEN SESSIONS section of System Manager. I kill
> the connection after jotting down some details. Queues are just jammed full of
> crap - Viagra ads, etc.
> I clear this out again, along with badmail, and start watching. Sure enough, a
> short time later, someone from the same IP subnet connects and it starts all
> over.
> I look through a ton of articles on open relay, and everything checks out.
> Then, I run this test: http://tools.appriver.com/openrelay.php
> <http://tools.appriver.com/openrelay.php>  which basically tries to relay
> using various combinations of addressing formats.
> Test #14 fails
> Test #16 fails
> Test #28 fails
> #14 uses a rcpt to format of
> RCPT TO: <"[EMAIL PROTECTED]">
> Notice the quotes.
> #16 uses
> RCPT TO: <"relaytest%appriver.com">
> Notice the quotes and the %
> #28 uses
> RCPT TO: 
> notice the format there.
> 
> I manually tried each on via telnet against the server. Sure enough, the
> server doesn't complain. But every one bounces back with an NDR complaining
> about the recipient address. So my belief is that they're attempting one (or
> more) of these methods, and all of them are bouncing, causing the badmail
> problem.
> 
> My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3.
> Connection is firewalled T1.
> 
> Any help would be greatly appreciated. Thanks!
> 


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open relay issues

2003-09-04 Thread Pat Richard

Okay, I'm still looking through the archives and stuff, but it's late, so I'll post
this before I call it a night.

Client has a server that suddenly shuts down.

I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the badmail
folder. All dated within the last two or three days. The server had shut down because
the drive ran out of space.

So I clear that up and start nosing around..

I check for open relay (telnet), and can't find any problem. I start to think maybe
this is a SoBig.F issue, until I read some of the NDRs.

Within fifteen minutes, badmail starts to accumulate again. I look further, and see a
connection in the OPEN SESSIONS section of System Manager. I kill the connection after
jotting down some details. Queues are just jammed full of crap - Viagra ads, etc.
I clear this out again, along with badmail, and start watching. Sure enough, a short
time later, someone from the same IP subnet connects and it starts all over.
I look through a ton of articles on open relay, and everything checks out. Then, I run
this test: http://tools.appriver.com/openrelay.php
<http://tools.appriver.com/openrelay.php> which basically tries to relay using
various combinations of addressing formats.
Test #14 fails
Test #16 fails
Test #28 fails
#14 uses a rcpt to format of
RCPT TO: <"[EMAIL PROTECTED]">
Notice the quotes.
#16 uses
RCPT TO: <"relaytest%appriver.com">
Notice the quotes and the %
#28 uses
RCPT TO:
notice the format there.

I manually tried each on via telnet against the server. Sure enough, the server
doesn't complain. But every one bounces back with an NDR complaining about the
recipient address. So my belief is that they're attempting one (or more) of these
methods, and all of them are bouncing, causing the badmail problem.

My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3. Connection
is firewalled T1.

Any help would be greatly appreciated. Thanks!
[EMAIL
PROTECTED])j¹%Ë\¢o܂&âùr®+)éíz·±r§ë^Æ٨uéZ§X¬:.˛±Êâm隊[hæ¯yì\©àz[,Ã)ärÅÈZËZvh§+-i٢Ì2G(

RE: Not Open Relay, but...

2003-06-30 Thread Blunt, James H (Jim)

That's not entirely correct.

Go to the properties of your IMS / Connections tab and in the "Message
Filtering" section, add @enterainmentmail.net...then stop/start you IMS
service.

It will then drop all e-mail from that domain.

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 5:02 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a
message back to the sender telling them it couldn't deliver the message. But
in this case, the spammer forged the sender address, so your mail server is
sending you NDRs because it can't send the original NDR back to the spoofed
address.  Make sense?  There's not much you can do with Exchange 5.5 to
avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...


> Thanks. I've also cut down the Notifications to just 'Host not Found'.
>
> One of the NDR's looks like this
>
> 
> A mail message could not be sent because the following host is 
> unknown:
>
> smdv231.entertainmentmail.net
> The message that caused this notification was:
>
>
>   To:   <[EMAIL PROTECTED]>
>   From: <>
>   Subject:  Undeliverable: Sales manager or Marketing dept
> -
>
> Is this is a Relay, shouldn't I not be accepting it in the first 
> place?
>
> Thanks for all the insight so far...
>
> Cheers,
> Tony
>
>
>
> -Original Message-
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:30 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> They're just using dfg.com.  Don't bother your MX record.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:37 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 
> messages sitting in the IMS queue after 8hrs? I have another site 
> where
the
> IMS has hardly any messages sitting in there so this is why I am
concerned.
> What if I changed the MX record's IP address, would that help slow it 
> down
a
> little or are they just using dfg.com?
>
> Cheers,
> Tony
>
> -Original Message-
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 10:10 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Tony,
>
> Open up the properties page of your IMS Connection, go to the Internet
Mail
> tab and click on the Notifications... button.  My guess would be that 
> you have the "Always send notifications when non-delivery reports are
generated"
> radio button clicked.  If that is the case, select the second choice 
> and uncheck the options that you don't want.
>
> I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers 
> trying
to
> brute force their spam through the system.  I track the NDRs to create 
> a spreadsheet for management, showing them the exponential growth of 
> spam
and
> the load it is placing on the servers, in order to justify new 
> servers.
>
> Jim
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 9:58 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> I've tested via telnet and from home using Outlook Express and it 
> always replies with 550 so I think I'm good there. Just the amount of 
> mail is insane. I came in this morning at there's over 10,000 in the 
> IMS Queue. I guess eventually it will slow down...
>
> Thanks to all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: Dave Mills [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 5:28 PM
> To: Exchange Discussions
> Subject: Re: Not Open Relay, but...
>
>
> For #3, what you are seeing is spammer trying to find valid addresses 
> @dfg.com by simply guessing addresses and trying them, your best bet 
> would be to turn off the notification on your IMS for "E-mail address 
> could not
be
> found".  For #2, yes they will sit in the queue until they are 
> delivered
or
> just time out.  For #1, are you

RE: Not Open Relay, but...

2003-06-27 Thread William Lefkovics

Oh well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

You tested someone else's domain at abuse.net without permission?  You do
realize that if it would have failed other tests, they get put on RBL's?
Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] Posted At: Thursday,
June 26, 2003 12:19 PM Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

Thanks, Dave. That's crystal clear.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 4:02 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a
message back to the sender telling them it couldn't deliver the message. But
in this case, the spammer forged the sender address, so your mail server is
sending you NDRs because it can't send the original NDR back to the spoofed
address.  Make sense?  There's not much you can do with Exchange 5.5 to
avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...


> Thanks. I've also cut down the Notifications to just 'Host not Found'.
>
> One of the NDR's looks like this
>
> 
> A mail message could not be sent because the following host is 
> unknown:
>
> smdv231.entertainmentmail.net
> The message that caused this notification was:
>
>
>   To:   <[EMAIL PROTECTED]>
>   From: <>
>   Subject:  Undeliverable: Sales manager or Marketing dept
> -
>
> Is this is a Relay, shouldn't I not be accepting it in the first 
> place?
>
> Thanks for all the insight so far...
>
> Cheers,
> Tony
>
>
>
> -Original Message-
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:30 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> They're just using dfg.com.  Don't bother your MX record.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:37 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000 
> messages sitting in the IMS queue after 8hrs? I have another site 
> where
the
> IMS has hardly any messages sitting in there so this is why I am
concerned.
> What if I changed the MX record's IP address, would that help slow it 
> down
a
> little or are they just using dfg.com?
>
> Cheers,
> Tony
>
> -Original Message-
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 10:10 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Tony,
>
> Open up the properties page of your IMS Connection, go to the Internet
Mail
> tab and click on the Notifications... button.  My guess would be that 
> you have the "Always send notifications when non-delivery reports are
generated"
> radio button clicked.  If that is the case, select the second choice 
> and uncheck the options that you don't want.
>
> I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers 
> trying
to
> brute force their spam through the system.  I track the NDRs to create 
> a spreadsheet for management, showing them the exponential growth of 
> spam
and
> the load it is placing on the servers, in order to justify new 
> servers.
>
> Jim
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 9:58 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> I've tested via telnet and from home using Outlook Express and it 
> always replies with 550 so I think I'm good there. Just the amount of 
> mail is insane. I came in this morning at there's over 10,000 in the 
> IMS Queue. I guess eventually it will slow down...
>
> Thanks to all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: Dave Mills [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 5:28 PM
> To: Exchange Discussions
> Subject: Re: Not Open Relay, but...
>
>
> For #3, what you are seeing is spammer trying to find valid addresses 
> @dfg.com by simply guessing addresses and trying them, your best bet 
> would be to turn off the notification on your IMS for "E-mail address 
> could not
be
> found".  For #2, yes they will sit in the queue until they are 
> delivered
or
> just time out.  For #1, are you sure you're not an open relay?  See
>
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
> change_Server_55.html.
>
> - Dave
>
> - O

Re: Not Open Relay, but...

2003-06-26 Thread Dave Mills

Your mail system is accepting a mail for an invalid address (i.e.
[EMAIL PROTECTED]), and since it couldn't deliver it it's trying to send a
message back to the sender telling them it couldn't deliver the message.
But in this case, the spammer forged the sender address, so your mail server
is sending you NDRs because it can't send the original NDR back to the
spoofed address.  Make sense?  There's not much you can do with Exchange 5.5
to avoid this situation unless the spammer is using a single IP address that
you can block from being able to send mail into your system.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Thursday, June 26, 2003 4:26 PM
Subject: RE: Not Open Relay, but...


> Thanks. I've also cut down the Notifications to just 'Host not Found'.
>
> One of the NDR's looks like this
>
> 
> A mail message could not be sent because the following host is unknown:
>
> smdv231.entertainmentmail.net
> The message that caused this notification was:
>
>
>   To:   <[EMAIL PROTECTED]>
>   From: <>
>   Subject:  Undeliverable: Sales manager or Marketing dept
> -
>
> Is this is a Relay, shouldn't I not be accepting it in the first place?
>
> Thanks for all the insight so far...
>
> Cheers,
> Tony
>
>
>
> -Original Message-
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:30 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> They're just using dfg.com.  Don't bother your MX record.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 1:37 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
> messages sitting in the IMS queue after 8hrs? I have another site where
the
> IMS has hardly any messages sitting in there so this is why I am
concerned.
> What if I changed the MX record's IP address, would that help slow it down
a
> little or are they just using dfg.com?
>
> Cheers,
> Tony
>
> -Original Message-
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 10:10 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> Tony,
>
> Open up the properties page of your IMS Connection, go to the Internet
Mail
> tab and click on the Notifications... button.  My guess would be that you
> have the "Always send notifications when non-delivery reports are
generated"
> radio button clicked.  If that is the case, select the second choice and
> uncheck the options that you don't want.
>
> I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying
to
> brute force their spam through the system.  I track the NDRs to create a
> spreadsheet for management, showing them the exponential growth of spam
and
> the load it is placing on the servers, in order to justify new servers.
>
> Jim
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 9:58 AM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> I've tested via telnet and from home using Outlook Express and it always
> replies with 550 so I think I'm good there. Just the amount of mail is
> insane. I came in this morning at there's over 10,000 in the IMS Queue. I
> guess eventually it will slow down...
>
> Thanks to all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: Dave Mills [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 5:28 PM
> To: Exchange Discussions
> Subject: Re: Not Open Relay, but...
>
>
> For #3, what you are seeing is spammer trying to find valid addresses
> @dfg.com by simply guessing addresses and trying them, your best bet would
> be to turn off the notification on your IMS for "E-mail address could not
be
> found".  For #2, yes they will sit in the queue until they are delivered
or
> just time out.  For #1, are you sure you're not an open relay?  See
>
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
> change_Server_55.html.
>
> - Dave
>
> - Original Message - 
> From: "Woods, Tony" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 25, 2003 5:00 PM
> Subject: RE: Not Open Relay, but...
>
>
> > Hi John,
> >
> > Is this i

RE: Not Open Relay, but...

Thanks. I've also cut down the Notifications to just 'Host not Found'. 

One of the NDR's looks like this


A mail message could not be sent because the following host is unknown:

smdv231.entertainmentmail.net
The message that caused this notification was:


  To:   <[EMAIL PROTECTED]>
  From: <>
  Subject:  Undeliverable: Sales manager or Marketing dept
-

Is this is a Relay, shouldn't I not be accepting it in the first place?

Thanks for all the insight so far...

Cheers,
Tony



-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:30 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


They're just using dfg.com.  Don't bother your MX record.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the "Always send notifications when non-delivery reports are generated"
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but
> over 2000 an hour? Each of these messages is addressed to 
> [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
> domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Ope

RE: Not Open Relay, but...

2003-06-26 Thread Blunt, James H (Jim)

They're just using dfg.com.  Don't bother your MX record.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the "Always send notifications when non-delivery reports are generated"
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but 
> over 2000 an hour? Each of these messages is addressed to 
> [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
> domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> ___

RE: Not Open Relay, but...

2003-06-26 Thread Blunt, James H (Jim)

H...well it would be for me, but then again, I'm not sure I have the
qualifications to answer that question.  We are a small company (and getting
smaller by the day!) of roughly 600 people.  If you're a big company, you
may be getting significantly larger numbers of messages sitting in you IMS
queue.  

Our current time-out period for attempting delivery is 72 hours.  Until that
time expires, they WILL sit in the IMS queue awaiting delivery.  Then they
will generate a non-delivery notification to your Admin mailbox.  I would
probably get a lot more of those sitting in my queue, if I didn't have so
many spam domains in my block list.  That and the fact that I delete them at
least once a day.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the "Always send notifications when non-delivery reports are generated"
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but 
> over 2000 an hour? Each of these messages is addressed to 
> [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
> domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery

RE: Not Open Relay, but...

2003-06-26 Thread Christopher Hummert

Your best solution is to find out the source of those messages, and then
block the domain,

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 1:37 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where
the IMS has hardly any messages sitting in there so this is why I am
concerned. What if I changed the MX record's IP address, would that help
slow it down a little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

Tony,

Open up the properties page of your IMS Connection, go to the Internet
Mail tab and click on the Notifications... button.  My guess would be
that you have the "Always send notifications when non-delivery reports
are generated" radio button clicked.  If that is the case, select the
second choice and uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying
to brute force their spam through the system.  I track the NDRs to
create a spreadsheet for management, showing them the exponential growth
of spam and the load it is placing on the servers, in order to justify
new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for "E-mail address
could not be found".  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but 
> over 2000 an hour? Each of these messages is addressed to 
> [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
> domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -----Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>

RE: Not Open Relay, but...

Thanks, Jim. Just so I'm clear, it's not uncommon to have over 10,000
messages sitting in the IMS queue after 8hrs? I have another site where the
IMS has hardly any messages sitting in there so this is why I am concerned.
What if I changed the MX record's IP address, would that help slow it down a
little or are they just using dfg.com?

Cheers,
Tony

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 10:10 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the "Always send notifications when non-delivery reports are generated"
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive 
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but 
> over 2000 an hour? Each of these messages is addressed to 
> [EMAIL PROTECTED] or whatever. It's just random letters in front of the 
> domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -----Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed 
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not 
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of 
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default 
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To un

RE: Not Open Relay, but...

2003-06-26 Thread Ben Winzenz

It's still not something I would have done.  If you are going to test
someone else's domain that you don't own, then you really ought to
manually test it.  If you are using a 3rd party tool, then you don't
have any control over whether they send domain names that fail the relay
tests to RBL's.
-

Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 2:04 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...


It's the testing one. Not the one that puts people on the list


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...




You tested someone else's domain at abuse.net without permission?  You
do realize that if it would have failed other tests, they get put on
RBL's?  Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] Posted At:
Thursday, June 26, 2003 12:19 PM Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...


I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for "E-mail address
could not be found".  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive 
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but
over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or

> whatever. It's just random letters in front of the domain name
@dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed 
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not 
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of 
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Ad

RE: Not Open Relay, but...

2003-06-26 Thread Christopher Hummert

It's the testing one. Not the one that puts people on the list

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Thursday, June 26, 2003 12:01 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...

You tested someone else's domain at abuse.net without permission?  You
do realize that if it would have failed other tests, they get put on
RBL's?  Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...

I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for "E-mail address
could not be found".  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...

> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive 
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but
over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or

> whatever. It's just random letters in front of the domain name
@dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed 
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not 
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of 
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default 
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
&g

RE: Not Open Relay, but...

2003-06-26 Thread Ben Winzenz



You tested someone else's domain at abuse.net without permission?  You
do realize that if it would have failed other tests, they get put on
RBL's?  Not a move I would have made.  Yikes.
-

Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418

Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 12:19 PM
Posted To: Exchange (Swynk)
Conversation: Not Open Relay, but...
Subject: RE: Not Open Relay, but...


I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for "E-mail address
could not be found".  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but
over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
> whatever. It's just random letters in front of the domain name
@dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
>

RE: Open Relay Suggestions

2003-06-26 Thread Matt Hoffman

We used to use Netscape's mail server back when it was free for educational
use.  At the time, we did have a closed relay system, but since our server
wouldn't respond with a 550, we got blacklisted.  It took us quite a lot of
effort to get the various Anti-relay sites to accept that we were a closed
relay.  

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 2:22 PM
To: Exchange Discussions
Subject: RE: Open Relay Suggestions

Those aren't holes. One can legitimately accept mail for those addresses and
as long as it isn't relayed to the final destination the server is relay
secure. The designers of those tests have implemented their testing criteria
improperly.

-Original Message-
From: Chris H [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 11:23 AM
Posted To: swynk
Conversation: Open Relay Suggestions
Subject: Open Relay Suggestions

I am using Interscan Virus wall as my incoming smtp server on port 25; which
then forwards my mail to the Exchange IMC on port 6000. I have been testing
against open relay testers and I always fail the one or two tests where they
spam my domain name. I am assuming this is because Interscan cannot look up
usernames to see if the mailbox is valid? For that matter I dont think
Exchange 5.5's IMC does either?

Anyway to close this last hole? Suggestions? I worked hard to get off all
the RBL's the last mail admin had gotten us on  . . .

tia

chris

>>> RSET
<<< 250 web3: Reset State
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 <[EMAIL PROTECTED]>: Sender Ok
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 250 [EMAIL PROTECTED]: Recipient Ok

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Suggestions

2003-06-26 Thread Chris Scharff

Those aren't holes. One can legitimately accept mail for those addresses
and as long as it isn't relayed to the final destination the server is
relay secure. The designers of those tests have implemented their
testing criteria improperly.

-Original Message-
From: Chris H [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, June 26, 2003 11:23 AM
Posted To: swynk
Conversation: Open Relay Suggestions
Subject: Open Relay Suggestions


I am using Interscan Virus wall as my incoming smtp server on port 25;
which then forwards my mail to the Exchange IMC on port 6000. I have
been testing against open relay testers and I always fail the one or two
tests where they spam my domain name. I am assuming this is because
Interscan cannot look up usernames to see if the mailbox is valid? For
that matter I dont think Exchange 5.5's IMC does either?

Anyway to close this last hole? Suggestions? I worked hard to get off
all the RBL's the last mail admin had gotten us on  . . .

tia

chris

>>> RSET
<<< 250 web3: Reset State
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 <[EMAIL PROTECTED]>: Sender Ok
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 250 [EMAIL PROTECTED]: Recipient Ok


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-26 Thread Blunt, James H (Jim)

Tony,

Open up the properties page of your IMS Connection, go to the Internet Mail
tab and click on the Notifications... button.  My guess would be that you
have the "Always send notifications when non-delivery reports are generated"
radio button clicked.  If that is the case, select the second choice and
uncheck the options that you don't want.

I receive anywhere from 3,000 to 10,000 ndrs a day, from spammers trying to
brute force their spam through the system.  I track the NDRs to create a
spreadsheet for management, showing them the exponential growth of spam and
the load it is placing on the servers, in order to justify new servers.

Jim

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
> whatever. It's just random letters in front of the domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List po

RE: Not Open Relay, but...

2003-06-26 Thread Christopher Hummert

I tested it using abuse.net's relay test. It looks like your good for
not being an open relay. So my opinion is that you just have a spammer
who's trying to mine for address in your company. From what I
understand, there's a new program going around the spammer world, that
bruteforce guesses e-mail address and collects the NDR's from that
domain to determine what's legit and what isn't. My advise would be for
you to trace back the IP address he's using and put it in your host.deny
file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Thursday, June 26, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...
Importance: High


I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue.
I guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet
would be to turn off the notification on your IMS for "E-mail address
could not be found".  For #2, yes they will sit in the queue until they
are delivered or just time out.  For #1, are you sure you're not an open
relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_M
S_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but
over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
> whatever. It's just random letters in front of the domain name
@dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
http://intm-dl.s

RE: Not Open Relay, but...

I've tested via telnet and from home using Outlook Express and it always
replies with 550 so I think I'm good there. Just the amount of mail is
insane. I came in this morning at there's over 10,000 in the IMS Queue. I
guess eventually it will slow down...

Thanks to all.

Cheers,
Tony

-Original Message-
From: Dave Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 5:28 PM
To: Exchange Discussions
Subject: Re: Not Open Relay, but...


For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Ex
change_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive 
> over 2000 messages every hour in the 'Admin' mailbox with a subject 
> line of
> 'Notification: Inbound Mail Failure"? I understand getting some but over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
> whatever. It's just random letters in front of the domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed 
> something strange. It's been sometime since I had to play with 
> Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not 
> an Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of 
> different .com's. There is a ton of Inbound Mail Failures in the 
> 'Admin' mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default 
> time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus 
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all 
> coming from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open Relay Suggestions

2003-06-26 Thread Chris H

I am using Interscan Virus wall as my incoming smtp server on port 25; which
then forwards my mail to the Exchange IMC on port 6000. I have been testing
against open relay testers and I always fail the one or two tests where they
spam my domain name. I am assuming this is because Interscan cannot look up
usernames to see if the mailbox is valid? For that matter I dont think
Exchange 5.5's IMC does either?

Anyway to close this last hole? Suggestions? I worked hard to get off all
the RBL's the last mail admin had gotten us on  . . .

tia

chris

>>> RSET
<<< 250 web3: Reset State
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 <[EMAIL PROTECTED]>: Sender Ok
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 250 [EMAIL PROTECTED]: Recipient Ok


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-26 Thread hawkinsgp

I highly recommend going to one of the sites like mailabuse.org and
following their directions to verify that you're not an open relay BEFORE
you get blacklisted.  It can be a real pain to get off all the blacklists,
and your users will scream bloody murder.

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-25 Thread Ed Crowley

1.  Probably not.  If your Exchange faces the Internet, it should reject the
relay attempt during the RCPT TO: command, so the messages won't be accepted
for delivery and therefore they won't be NDRed.
2.  Yes.
3.  If dfg.com is your domain then it's normal spam to automatically
generated addresses.

Ed Crowley MCSE+I MVP
"There are seldom good technological solutions to behavioral problems."


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Woods, Tony
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator <> and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Re: Not Open Relay, but...

2003-06-25 Thread Dave Mills

For #3, what you are seeing is spammer trying to find valid addresses
@dfg.com by simply guessing addresses and trying them, your best bet would
be to turn off the notification on your IMS for "E-mail address could not be
found".  For #2, yes they will sit in the queue until they are delivered or
just time out.  For #1, are you sure you're not an open relay?  See
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html.

- Dave

- Original Message - 
From: "Woods, Tony" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 5:00 PM
Subject: RE: Not Open Relay, but...


> Hi John,
>
> Is this in response to my question #3? If so, does everyone receive over
> 2000 messages every hour in the 'Admin' mailbox with a subject line of
> 'Notification: Inbound Mail Failure"? I understand getting some but over
> 2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
> whatever. It's just random letters in front of the domain name @dfg.com
and
> there's just a ton of them. Thanks for any ideas, all.
>
> Cheers,
> Tony
>
> -Original Message-
> From: John Strongosky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:46 PM
> To: Exchange Discussions
> Subject: RE: Not Open Relay, but...
>
>
> NDR's (non-delivery reports) from spammer's probably.
>
> -----Original Message-
> From: Woods, Tony [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 3:23 PM
> To: Exchange Discussions
> Subject: Not Open Relay, but...
>
>
> Hello,
>
> NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com
>
> I've just taken over a site's Exchange server and have noticed something
> strange. It's been sometime since I had to play with Exchange this deep
but
> the Queues on my IMS keep filling up with 1000's of emails. We're not an
> Open Relay that I can tell (I've tested) but there's just a ton of
'Outbound
> Message Awaiting Delivery' with originator <> and Destination Host of
> different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
> mailbox for delivery failures as well. My three questions are:
>
> 1) Are these messages that are trying to relay but failing?
>
> 2) If so, are they just going to sit in the Queue for the default time?
>
> 3) For the Inbound Mail Failures,  a lot of them are going to bogus
> addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
> from?
>
> Thanks in advance.
>
> Cheers,
> Tony
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
> =english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin:[EMAIL PROTECTED]
>


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-25 Thread Woods, Tony

Hi John,

Is this in response to my question #3? If so, does everyone receive over
2000 messages every hour in the 'Admin' mailbox with a subject line of
'Notification: Inbound Mail Failure"? I understand getting some but over
2000 an hour? Each of these messages is addressed to [EMAIL PROTECTED] or
whatever. It's just random letters in front of the domain name @dfg.com and
there's just a ton of them. Thanks for any ideas, all.

Cheers,
Tony

-Original Message-
From: John Strongosky [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 3:46 PM
To: Exchange Discussions
Subject: RE: Not Open Relay, but...


NDR's (non-delivery reports) from spammer's probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...


Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator <> and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Not Open Relay, but...

2003-06-25 Thread John Strongosky

NDR's (non-delivery reports) from spammer's probably.

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:23 PM
To: Exchange Discussions
Subject: Not Open Relay, but...

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator <> and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Not Open Relay, but...

2003-06-25 Thread Woods, Tony

Hello,

NT 4 SP6a and Exchange 5.5 SP4. Domain in question is DFG.com

I've just taken over a site's Exchange server and have noticed something
strange. It's been sometime since I had to play with Exchange this deep but
the Queues on my IMS keep filling up with 1000's of emails. We're not an
Open Relay that I can tell (I've tested) but there's just a ton of 'Outbound
Message Awaiting Delivery' with originator <> and Destination Host of
different .com's. There is a ton of Inbound Mail Failures in the 'Admin'
mailbox for delivery failures as well. My three questions are:

1) Are these messages that are trying to relay but failing? 

2) If so, are they just going to sit in the Queue for the default time?

3) For the Inbound Mail Failures,  a lot of them are going to bogus
addresses like [EMAIL PROTECTED] or [EMAIL PROTECTED] Where are these all coming
from?

Thanks in advance.

Cheers,
Tony

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: How do I make sure my exchange server is not acting as an Open Relay?

2003-06-13 Thread John Parker

Ditto on that.
The same thing happened to my domain.

John Parker, MCSE
---End of Line---



-Original Message-
From: Bob Sadler [mailto:[EMAIL PROTECTED]
Sent: Friday, June 13, 2003 2:35 PM
To: Exchange Discussions
Subject: RE: How do I make sure my exchange server is not acting as an
Open Relay?


I checked, and didn't see that you are running as an open relay.

Perhaps the problem you are having is Reverse DNS?  I know that AOL
requires a Reverse DNS record if you want to talk to it.  I had to add
it into my records before they would talk to me :)



Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194


-Original Message-
From: Romeo [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 13, 2003 1:37 PM
To: Exchange Discussions
Subject: How do I make sure my exchange server is not acting as an Open
Relay?


When ever a recipient from my site trying to send an email to a
recipient @aol.com. He/she will receive a message saying "Delivery to
the following recipients has been delayed." Then a few days later he/she
will receive another message saying "The following recipient(s) could
not be reached:" I finally talked to technical support at AOL and they
are telling me that I have been put on the block domain list because AOL
automatically check any IP that sends email to their domain and my IP is
acting as  An open relay, or also known as third-party relay.  How do I
stop this? What is the fix? Any comments or suggestion is truly
appreciated. Thank you

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: How do I make sure my exchange server is not acting as an Open Relay?

2003-06-13 Thread Bob Sadler

I checked, and didn't see that you are running as an open relay.

Perhaps the problem you are having is Reverse DNS?  I know that AOL
requires a Reverse DNS record if you want to talk to it.  I had to add
it into my records before they would talk to me :)



Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194


-Original Message-
From: Romeo [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 13, 2003 1:37 PM
To: Exchange Discussions
Subject: How do I make sure my exchange server is not acting as an Open
Relay?


When ever a recipient from my site trying to send an email to a
recipient @aol.com. He/she will receive a message saying "Delivery to
the following recipients has been delayed." Then a few days later he/she
will receive another message saying "The following recipient(s) could
not be reached:" I finally talked to technical support at AOL and they
are telling me that I have been put on the block domain list because AOL
automatically check any IP that sends email to their domain and my IP is
acting as  An open relay, or also known as third-party relay.  How do I
stop this? What is the fix? Any comments or suggestion is truly
appreciated. Thank you

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

How do I make sure my exchange server is not acting as an Open Relay?

2003-06-13 Thread Romeo

When ever a recipient from my site trying to send an email to a
recipient @aol.com. He/she will receive a message saying "Delivery to
the following recipients has been delayed." Then a few days later he/she
will receive another message saying "The following recipient(s) could
not be reached:" I finally talked to technical support at AOL and they
are telling me that I have been put on the block domain list because AOL
automatically check any IP that sends email to their domain and my IP is
acting as  An open relay, or also known as third-party relay.  How do I
stop this? What is the fix? Any comments or suggestion is truly
appreciated. Thank you

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Randal, Phil

Just what I needed, thanks!

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 17:44
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> Sooner or later I need to start using these guys:
> http://www.rfc-ignorant.com/policy-dsn.php
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Randal, Phil [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, May 29, 2003 11:10 AM
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > On the subject of emails from "<>", RFC2821 says your mailer 
> > must accept them.  It neededn't do anything with them, though.
> > 
> > There's a surprisingly large number of misconfigured mailers 
> > which bounce them, alas.
> > 
> > Phil
> > 
> > -
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK 
> > 
> > > -Original Message-
> > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:58
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > If it's originator is <> they're NDRs and the likes - they
> > > can be safely
> > > deleted.
> > > 
> > > You might want to keep an eye on http://www.openrbl.org to
> > > make sure you
> > > don't creep onto more DNSBLs as people receive stuff that may 
> > > have been sent
> > > through your server and report it to Spamcop and the likes.
> > > 
> > > Some lists you'll be able to get removed from, some you're
> > > stuck on simply
> > > for being with QWest.
> > > 
> > > regards,
> > > Paul
> > > --
> > > Paul Hutchings
> > > Network Administrator, MIRA Ltd.
> > > Tel: 024 7635 5378, Fax: 024 7635 8378 
> > > mailto:[EMAIL PROTECTED]
> > > 
> > > > -Original Message-
> > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > > Sent: 29 May 2003 15:52
> > > > To: Exchange Discussions
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > I saw about 50 or so.  I'm still getting items in the queue
> > > > with a blank
> > > > originator.  Is this to be expected?  What happens to 
> these items?
> > > > 
> > > > Skip Taylor, MCSE
> > > > Network Administrator
> > > > Jordan, Jones, and Goulding
> > > > 
> > > > 
> > > > -Original Message-
> > > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, May 29, 2003 10:46 AM
> > > > To: Exchange Discussion
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > Nope, rejects relay attempts using sam spade.
> > > > 
> > > > If you've not already done so check your outbound queue - you
> > > > don't want to
> > > > find there's 10,000 spams in there :-)
> > > > 
> > > > regards,
> > > > Paul
> > > > --
> > > > Paul Hutchings
> > > > Network Administrator, MIRA Ltd.
> > > > Tel: 024 7635 5378, Fax: 024 7635 8378 
> > > > mailto:[EMAIL PROTECTED]
> > > > 
> > > > > -Original Message-
> > > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > > > Sent: 29 May 2003 15:44
> > > > > To: Exchange Discussions
> > > > > Subject: RE: Open Relay Help
> > > > > 
> > > > > 
> > > > > I unchecked "Hosts and clients connecting to these internal
> > > > > addresses" and
> > > > > restarted the IMS.  Still relaying?
> > > > > 
> > > > > Skip Taylor, MCSE
> > > > > Network Administrator
> > > > > Jordan, Jones, and Goulding
> > > > > 
> > > > > 
> > > > > -Original Message-
> > > > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday

RE: Open Relay Help

2003-05-30 Thread Roger Seielstad

Sooner or later I need to start using these guys:
http://www.rfc-ignorant.com/policy-dsn.php

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Randal, Phil [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 29, 2003 11:10 AM
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> On the subject of emails from "<>", RFC2821 says your mailer 
> must accept them.  It neededn't do anything with them, though.
> 
> There's a surprisingly large number of misconfigured mailers 
> which bounce them, alas.
> 
> Phil
> 
> -
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK 
> 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:58
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > If it's originator is <> they're NDRs and the likes - they
> > can be safely
> > deleted.
> > 
> > You might want to keep an eye on http://www.openrbl.org to
> > make sure you
> > don't creep onto more DNSBLs as people receive stuff that may 
> > have been sent
> > through your server and report it to Spamcop and the likes.
> > 
> > Some lists you'll be able to get removed from, some you're
> > stuck on simply
> > for being with QWest.
> > 
> > regards,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 024 7635 5378, Fax: 024 7635 8378 
> > mailto:[EMAIL PROTECTED]
> > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:52
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I saw about 50 or so.  I'm still getting items in the queue
> > > with a blank
> > > originator.  Is this to be expected?  What happens to these items?
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> > > 
> > > 
> > > -Original Message-
> > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 29, 2003 10:46 AM
> > > To: Exchange Discussion
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > Nope, rejects relay attempts using sam spade.
> > > 
> > > If you've not already done so check your outbound queue - you
> > > don't want to
> > > find there's 10,000 spams in there :-)
> > > 
> > > regards,
> > > Paul
> > > --
> > > Paul Hutchings
> > > Network Administrator, MIRA Ltd.
> > > Tel: 024 7635 5378, Fax: 024 7635 8378 
> > > mailto:[EMAIL PROTECTED]
> > > 
> > > > -Original Message-
> > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > > Sent: 29 May 2003 15:44
> > > > To: Exchange Discussions
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > I unchecked "Hosts and clients connecting to these internal
> > > > addresses" and
> > > > restarted the IMS.  Still relaying?
> > > > 
> > > > Skip Taylor, MCSE
> > > > Network Administrator
> > > > Jordan, Jones, and Goulding
> > > > 
> > > > 
> > > > -Original Message-
> > > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, May 29, 2003 10:42 AM
> > > > To: Exchange Discussion
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > I think the "Hosts and clients connecting to these internal
> > > > addresses" is
> > > > your problem - you don't need it ticked (or I should say it 
> > > > isn't ticked
> > > > here and doesn't affect inbound email).
> > > > 
> > > > regards,
> > > > Paul
> > > > --
> > > > Paul Hutchings
> > > > Network Administrator, MIRA Ltd.
> > > > Tel: 024 7635 5378, Fax: 024 7635 8378 
> > > > mailto:[EMAIL PROTECTED]
> > > > 
> > > > > -Original Message-
> > > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > &

RE: Open Relay Help

Agreed.  It drives me nuts, as I do sender address verification using null
senders.  It's okay to reject null senders for multiple recipients, but not
for just one!  I'm also amazed at the number of sites that just ignore
e-mails I send informing them of their RFC violation.

Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Randal, Phil [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


On the subject of emails from "<>", RFC2821 says your mailer must
accept them.  It neededn't do anything with them, though.

There's a surprisingly large number of misconfigured mailers
which bounce them, alas.

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:58
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> If it's originator is <> they're NDRs and the likes - they 
> can be safely
> deleted.
> 
> You might want to keep an eye on http://www.openrbl.org to 
> make sure you
> don't creep onto more DNSBLs as people receive stuff that may 
> have been sent
> through your server and report it to Spamcop and the likes.
> 
> Some lists you'll be able to get removed from, some you're 
> stuck on simply
> for being with QWest.
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:52
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > I saw about 50 or so.  I'm still getting items in the queue 
> > with a blank
> > originator.  Is this to be expected?  What happens to these items?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:46 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > Nope, rejects relay attempts using sam spade.
> > 
> > If you've not already done so check your outbound queue - you 
> > don't want to
> > find there's 10,000 spams in there :-)
> > 
> > regards,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 024 7635 5378, Fax: 024 7635 8378
> > mailto:[EMAIL PROTECTED]
> > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:44
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I unchecked "Hosts and clients connecting to these internal 
> > > addresses" and
> > > restarted the IMS.  Still relaying?
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> > > 
> > > 
> > > -Original Message-
> > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 29, 2003 10:42 AM
> > > To: Exchange Discussion
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I think the "Hosts and clients connecting to these internal 
> > > addresses" is
> > > your problem - you don't need it ticked (or I should say it 
> > > isn't ticked
> > > here and doesn't affect inbound email).
> > > 
> > > regards,
> > > Paul
> > > --
> > > Paul Hutchings
> > > Network Administrator, MIRA Ltd.
> > > Tel: 024 7635 5378, Fax: 024 7635 8378
> > > mailto:[EMAIL PROTECTED]
> > > 
> > > > -Original Message-
> > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > > Sent: 29 May 2003 15:35
> > > > To: Exchange Discussions
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > On the Routing tab "Reroute incoming SMTP mail (required for 
> > > > POP3/IMAP4
> > > > support)is checked.
> > > > In the field below Sent to: has our domain of jjg.com and 
> > > Route to: is
> > > &g

RE: Open Relay Help

It looks like a bunch of Qwest IPs are on blacklists because of Qwests
alleged unwillinglness to terminate spammers using their network - I don't
really know the specifics, but I suspect if you go to
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=qwest+group%3A
news.admin.net-abuse.* you'll get an idea.

Main thing is get of any lists you're on because you were an open relay,
short of changing IPs or ISPs you can't do much about the others.

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 16:04
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> Thank you All for your help on this issue.
> 
> btw what's the deal with Qwest?  We just switched to them 2 weeks ago.
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:58 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> If it's originator is <> they're NDRs and the likes - they 
> can be safely
> deleted.
> 
> You might want to keep an eye on http://www.openrbl.org to 
> make sure you
> don't creep onto more DNSBLs as people receive stuff that may 
> have been sent
> through your server and report it to Spamcop and the likes.
> 
> Some lists you'll be able to get removed from, some you're 
> stuck on simply
> for being with QWest.
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:52
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > I saw about 50 or so.  I'm still getting items in the queue 
> > with a blank
> > originator.  Is this to be expected?  What happens to these items?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:46 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > Nope, rejects relay attempts using sam spade.
> > 
> > If you've not already done so check your outbound queue - you 
> > don't want to
> > find there's 10,000 spams in there :-)
> > 
> > regards,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 024 7635 5378, Fax: 024 7635 8378
> > mailto:[EMAIL PROTECTED]
> > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:44
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I unchecked "Hosts and clients connecting to these internal 
> > > addresses" and
> > > restarted the IMS.  Still relaying?
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> > > 
> > > 
> > > -Original Message-
> > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 29, 2003 10:42 AM
> > > To: Exchange Discussion
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I think the "Hosts and clients connecting to these internal 
> > > addresses" is
> > > your problem - you don't need it ticked (or I should say it 
> > > isn't ticked
> > > here and doesn't affect inbound email).
> > > 
> > > regards,
> > > Paul
> > > --
> > > Paul Hutchings
> > > Network Administrator, MIRA Ltd.
> > > Tel: 024 7635 5378, Fax: 024 7635 8378
> > > mailto:[EMAIL PROTECTED]
> > > 
> > > > -Original Message-
> > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > > Sent: 29 May 2003 15:35
> > > > To: Exchange Discussions
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > On the Routing tab "Reroute incoming SMTP mail (required for 
> > > > POP3/IMAP4
> > > > support)is checked.

RE: Open Relay Help

2003-05-30 Thread Randal, Phil

On the subject of emails from "<>", RFC2821 says your mailer must
accept them.  It neededn't do anything with them, though.

There's a surprisingly large number of misconfigured mailers
which bounce them, alas.

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:58
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> If it's originator is <> they're NDRs and the likes - they 
> can be safely
> deleted.
> 
> You might want to keep an eye on http://www.openrbl.org to 
> make sure you
> don't creep onto more DNSBLs as people receive stuff that may 
> have been sent
> through your server and report it to Spamcop and the likes.
> 
> Some lists you'll be able to get removed from, some you're 
> stuck on simply
> for being with QWest.
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:52
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > I saw about 50 or so.  I'm still getting items in the queue 
> > with a blank
> > originator.  Is this to be expected?  What happens to these items?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:46 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > Nope, rejects relay attempts using sam spade.
> > 
> > If you've not already done so check your outbound queue - you 
> > don't want to
> > find there's 10,000 spams in there :-)
> > 
> > regards,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 024 7635 5378, Fax: 024 7635 8378
> > mailto:[EMAIL PROTECTED]
> > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:44
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I unchecked "Hosts and clients connecting to these internal 
> > > addresses" and
> > > restarted the IMS.  Still relaying?
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> > > 
> > > 
> > > -Original Message-
> > > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 29, 2003 10:42 AM
> > > To: Exchange Discussion
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I think the "Hosts and clients connecting to these internal 
> > > addresses" is
> > > your problem - you don't need it ticked (or I should say it 
> > > isn't ticked
> > > here and doesn't affect inbound email).
> > > 
> > > regards,
> > > Paul
> > > --
> > > Paul Hutchings
> > > Network Administrator, MIRA Ltd.
> > > Tel: 024 7635 5378, Fax: 024 7635 8378
> > > mailto:[EMAIL PROTECTED]
> > > 
> > > > -Original Message-
> > > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > > Sent: 29 May 2003 15:35
> > > > To: Exchange Discussions
> > > > Subject: RE: Open Relay Help
> > > > 
> > > > 
> > > > On the Routing tab "Reroute incoming SMTP mail (required for 
> > > > POP3/IMAP4
> > > > support)is checked.
> > > > In the field below Sent to: has our domain of jjg.com and 
> > > Route to: is
> > > > 
> > > > 
> > > > The Routing Restrictions are as follows:
> > > > Hosts and clients that successfully authenticate is not checked.
> > > > Host and clients with these IP addresses is checked and 
> > > > populated with 3
> > > > internal addresses for Canon Image Runner copiers that can 
> > > send email.
> > > > Hosts and clients connecting to these internal addresses is 
> > > > checked with the
> > > > Internal IP address of our exchange server.
> &

RE: Open Relay Help

Thank you All for your help on this issue.

btw what's the deal with Qwest?  We just switched to them 2 weeks ago.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:58 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


If it's originator is <> they're NDRs and the likes - they can be safely
deleted.

You might want to keep an eye on http://www.openrbl.org to make sure you
don't creep onto more DNSBLs as people receive stuff that may have been sent
through your server and report it to Spamcop and the likes.

Some lists you'll be able to get removed from, some you're stuck on simply
for being with QWest.

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:52
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> I saw about 50 or so.  I'm still getting items in the queue 
> with a blank
> originator.  Is this to be expected?  What happens to these items?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:46 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> Nope, rejects relay attempts using sam spade.
> 
> If you've not already done so check your outbound queue - you 
> don't want to
> find there's 10,000 spams in there :-)
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:44
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > I unchecked "Hosts and clients connecting to these internal 
> > addresses" and
> > restarted the IMS.  Still relaying?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:42 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > I think the "Hosts and clients connecting to these internal 
> > addresses" is
> > your problem - you don't need it ticked (or I should say it 
> > isn't ticked
> > here and doesn't affect inbound email).
> > 
> > regards,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 024 7635 5378, Fax: 024 7635 8378
> > mailto:[EMAIL PROTECTED]
> > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:35
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > On the Routing tab "Reroute incoming SMTP mail (required for 
> > > POP3/IMAP4
> > > support)is checked.
> > > In the field below Sent to: has our domain of jjg.com and 
> > Route to: is
> > > 
> > > 
> > > The Routing Restrictions are as follows:
> > > Hosts and clients that successfully authenticate is not checked.
> > > Host and clients with these IP addresses is checked and 
> > > populated with 3
> > > internal addresses for Canon Image Runner copiers that can 
> > send email.
> > > Hosts and clients connecting to these internal addresses is 
> > > checked with the
> > > Internal IP address of our exchange server.
> > > Specify the hosts and clients that can NEVER route mail is empty.
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> > > 
> > > 
> > > -Original Message-
> > > From: Chris Scharff [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 29, 2003 10:29 AM
> > > To: Exchange Discussion
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > Still open... What's that tab say now exactly?
> > > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> > > Posted At: Thursday, May 29, 2003 9:23 AM
> > > Posted To: swynk
> >

RE: Open Relay Help

If it's originator is <> they're NDRs and the likes - they can be safely
deleted.

You might want to keep an eye on http://www.openrbl.org to make sure you
don't creep onto more DNSBLs as people receive stuff that may have been sent
through your server and report it to Spamcop and the likes.

Some lists you'll be able to get removed from, some you're stuck on simply
for being with QWest.

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:52
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> I saw about 50 or so.  I'm still getting items in the queue 
> with a blank
> originator.  Is this to be expected?  What happens to these items?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:46 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> Nope, rejects relay attempts using sam spade.
> 
> If you've not already done so check your outbound queue - you 
> don't want to
> find there's 10,000 spams in there :-)
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:44
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > I unchecked "Hosts and clients connecting to these internal 
> > addresses" and
> > restarted the IMS.  Still relaying?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:42 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > I think the "Hosts and clients connecting to these internal 
> > addresses" is
> > your problem - you don't need it ticked (or I should say it 
> > isn't ticked
> > here and doesn't affect inbound email).
> > 
> > regards,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 024 7635 5378, Fax: 024 7635 8378
> > mailto:[EMAIL PROTECTED]
> > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > > Sent: 29 May 2003 15:35
> > > To: Exchange Discussions
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > On the Routing tab "Reroute incoming SMTP mail (required for 
> > > POP3/IMAP4
> > > support)is checked.
> > > In the field below Sent to: has our domain of jjg.com and 
> > Route to: is
> > > 
> > > 
> > > The Routing Restrictions are as follows:
> > > Hosts and clients that successfully authenticate is not checked.
> > > Host and clients with these IP addresses is checked and 
> > > populated with 3
> > > internal addresses for Canon Image Runner copiers that can 
> > send email.
> > > Hosts and clients connecting to these internal addresses is 
> > > checked with the
> > > Internal IP address of our exchange server.
> > > Specify the hosts and clients that can NEVER route mail is empty.
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> > > 
> > > 
> > > -Original Message-
> > > From: Chris Scharff [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 29, 2003 10:29 AM
> > > To: Exchange Discussion
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > Still open... What's that tab say now exactly?
> > > 
> > > -Original Message-
> > > From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> > > Posted At: Thursday, May 29, 2003 9:23 AM
> > > Posted To: swynk
> > > Conversation: Open Relay Help
> > > Subject: RE: Open Relay Help
> > > 
> > > 
> > > I'm sure I did but restarted once more to make sure.  Can you 
> > > try again?
> > > 
> > > Skip Taylor, MCSE
> > > Network Administrator
> > > Jordan, Jones, and Goulding
> &

RE: Open Relay Help

I saw about 50 or so.  I'm still getting items in the queue with a blank
originator.  Is this to be expected?  What happens to these items?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:46 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Nope, rejects relay attempts using sam spade.

If you've not already done so check your outbound queue - you don't want to
find there's 10,000 spams in there :-)

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:44
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> I unchecked "Hosts and clients connecting to these internal 
> addresses" and
> restarted the IMS.  Still relaying?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:42 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> I think the "Hosts and clients connecting to these internal 
> addresses" is
> your problem - you don't need it ticked (or I should say it 
> isn't ticked
> here and doesn't affect inbound email).
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:35
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > On the Routing tab "Reroute incoming SMTP mail (required for 
> > POP3/IMAP4
> > support)is checked.
> > In the field below Sent to: has our domain of jjg.com and 
> Route to: is
> > 
> > 
> > The Routing Restrictions are as follows:
> > Hosts and clients that successfully authenticate is not checked.
> > Host and clients with these IP addresses is checked and 
> > populated with 3
> > internal addresses for Canon Image Runner copiers that can 
> send email.
> > Hosts and clients connecting to these internal addresses is 
> > checked with the
> > Internal IP address of our exchange server.
> > Specify the hosts and clients that can NEVER route mail is empty.
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:29 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > Still open... What's that tab say now exactly?
> > 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> > Posted At: Thursday, May 29, 2003 9:23 AM
> > Posted To: swynk
> > Conversation: Open Relay Help
> > Subject: RE: Open Relay Help
> > 
> > 
> > I'm sure I did but restarted once more to make sure.  Can you 
> > try again?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:13 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > You're still an open relay. Did you restart the IMS after making the
> > changes described in the article?
> > 
> > Describe your settings on this tab as well in detail:
> > http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> > 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> > Posted At: Thursday, May 29, 2003 9:06 AM
> > Posted To: swynk
> > Conversation: Open Relay Help
> > Subject: Open Relay Help
> > 
> > 
> > Apparently my mail server has been listed as an Open Relay at
> > http://njabl.org/.
> > 
> > I've followed the instructions listed in the following FAQ, 
> and still
> > get listed as an open relay.
> > 
> > 3.73 Q: How can I configure my Exchange server so it can't be 
> > used as an
> > open relay? 
> > A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
> >  
> > 
> > My server is

RE: Open Relay Help

Nope, all good now.

Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:44 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


I unchecked "Hosts and clients connecting to these internal addresses" and
restarted the IMS.  Still relaying?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:42 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


I think the "Hosts and clients connecting to these internal addresses" is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:35
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> On the Routing tab "Reroute incoming SMTP mail (required for 
> POP3/IMAP4
> support)is checked.
> In the field below Sent to: has our domain of jjg.com and Route to: is
> 
> 
> The Routing Restrictions are as follows:
> Hosts and clients that successfully authenticate is not checked.
> Host and clients with these IP addresses is checked and 
> populated with 3
> internal addresses for Canon Image Runner copiers that can send email.
> Hosts and clients connecting to these internal addresses is 
> checked with the
> Internal IP address of our exchange server.
> Specify the hosts and clients that can NEVER route mail is empty.
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-----
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:29 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> Still open... What's that tab say now exactly?
> 
> -Original Message-----
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:23 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: RE: Open Relay Help
> 
> 
> I'm sure I did but restarted once more to make sure.  Can you 
> try again?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:13 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> You're still an open relay. Did you restart the IMS after making the
> changes described in the article?
> 
> Describe your settings on this tab as well in detail:
> http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> 
> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:06 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: Open Relay Help
> 
> 
> Apparently my mail server has been listed as an Open Relay at
> http://njabl.org/.
> 
> I've followed the instructions listed in the following FAQ, and still
> get listed as an open relay.
> 
> 3.73 Q: How can I configure my Exchange server so it can't be 
> used as an
> open relay? 
> A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
>  
> 
> My server is as follows:
> Windows 2000 SP2
> Exchange 5.5 SP4
> Trend Micro's ScanMail and EManager are installed and current 
> on version
> and pattern files.
> 
> I have been unsuccessful in finding and searching the archives.  Any
> help would be greatly appreciated.
> 
> 
> 
> Skip Taylor, MCSE 
> Network Administrator 
> Jordan, Jones, and Goulding 
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
We

RE: Open Relay Help

2003-05-30 Thread Dave Vantine

No


-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:44 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


I unchecked "Hosts and clients connecting to these internal addresses" and
restarted the IMS.  Still relaying?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:42 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


I think the "Hosts and clients connecting to these internal addresses" is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378 mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:35
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> On the Routing tab "Reroute incoming SMTP mail (required for
> POP3/IMAP4
> support)is checked.
> In the field below Sent to: has our domain of jjg.com and Route to: is
> 
> 
> The Routing Restrictions are as follows:
> Hosts and clients that successfully authenticate is not checked. Host 
> and clients with these IP addresses is checked and populated with 3
> internal addresses for Canon Image Runner copiers that can send email.
> Hosts and clients connecting to these internal addresses is 
> checked with the
> Internal IP address of our exchange server.
> Specify the hosts and clients that can NEVER route mail is empty.
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:29 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> Still open... What's that tab say now exactly?
> 
> -----Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Posted At: Thursday, May 29, 2003 9:23 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: RE: Open Relay Help
> 
> 
> I'm sure I did but restarted once more to make sure.  Can you
> try again?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:13 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> You're still an open relay. Did you restart the IMS after making the 
> changes described in the article?
> 
> Describe your settings on this tab as well in detail: 
> http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> 
> -----Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Posted At: Thursday, May 29, 2003 9:06 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: Open Relay Help
> 
> 
> Apparently my mail server has been listed as an Open Relay at 
> http://njabl.org/.
> 
> I've followed the instructions listed in the following FAQ, and still 
> get listed as an open relay.
> 
> 3.73 Q: How can I configure my Exchange server so it can't be
> used as an
> open relay? 
> A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
>  
> 
> My server is as follows:
> Windows 2000 SP2
> Exchange 5.5 SP4
> Trend Micro's ScanMail and EManager are installed and current
> on version
> and pattern files.
> 
> I have been unsuccessful in finding and searching the archives.  Any 
> help would be greatly appreciated.
> 
> 
> 
> Skip Taylor, MCSE
> Network Administrator 
> Jordan, Jones, and Goulding 
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface: 
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To uns

RE: Open Relay Help

Nope, rejects relay attempts using sam spade.

If you've not already done so check your outbound queue - you don't want to
find there's 10,000 spams in there :-)

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:44
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> I unchecked "Hosts and clients connecting to these internal 
> addresses" and
> restarted the IMS.  Still relaying?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:42 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> I think the "Hosts and clients connecting to these internal 
> addresses" is
> your problem - you don't need it ticked (or I should say it 
> isn't ticked
> here and doesn't affect inbound email).
> 
> regards,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 024 7635 5378, Fax: 024 7635 8378
> mailto:[EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> > Sent: 29 May 2003 15:35
> > To: Exchange Discussions
> > Subject: RE: Open Relay Help
> > 
> > 
> > On the Routing tab "Reroute incoming SMTP mail (required for 
> > POP3/IMAP4
> > support)is checked.
> > In the field below Sent to: has our domain of jjg.com and 
> Route to: is
> > 
> > 
> > The Routing Restrictions are as follows:
> > Hosts and clients that successfully authenticate is not checked.
> > Host and clients with these IP addresses is checked and 
> > populated with 3
> > internal addresses for Canon Image Runner copiers that can 
> send email.
> > Hosts and clients connecting to these internal addresses is 
> > checked with the
> > Internal IP address of our exchange server.
> > Specify the hosts and clients that can NEVER route mail is empty.
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:29 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > Still open... What's that tab say now exactly?
> > 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> > Posted At: Thursday, May 29, 2003 9:23 AM
> > Posted To: swynk
> > Conversation: Open Relay Help
> > Subject: RE: Open Relay Help
> > 
> > 
> > I'm sure I did but restarted once more to make sure.  Can you 
> > try again?
> > 
> > Skip Taylor, MCSE
> > Network Administrator
> > Jordan, Jones, and Goulding
> > 
> > 
> > -Original Message-
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 29, 2003 10:13 AM
> > To: Exchange Discussion
> > Subject: RE: Open Relay Help
> > 
> > 
> > You're still an open relay. Did you restart the IMS after making the
> > changes described in the article?
> > 
> > Describe your settings on this tab as well in detail:
> > http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> > 
> > -Original Message-
> > From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> > Posted At: Thursday, May 29, 2003 9:06 AM
> > Posted To: swynk
> > Conversation: Open Relay Help
> > Subject: Open Relay Help
> > 
> > 
> > Apparently my mail server has been listed as an Open Relay at
> > http://njabl.org/.
> > 
> > I've followed the instructions listed in the following FAQ, 
> and still
> > get listed as an open relay.
> > 
> > 3.73 Q: How can I configure my Exchange server so it can't be 
> > used as an
> > open relay? 
> > A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
> >  
> > 
> > My server is as follows:
> > Windows 2000 SP2
> > Exchange 5.5 SP4
> > Trend Micro's ScanMail and EManager are installed and current 
> > on version
> > and pattern files.
> > 
> > I have been unsuccessful in finding and searching the archives.  Any
> > help would be greatly appreciated.
> > 
> > 
&g

RE: Open Relay Help

I unchecked "Hosts and clients connecting to these internal addresses" and
restarted the IMS.  Still relaying?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Paul Hutchings [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:42 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


I think the "Hosts and clients connecting to these internal addresses" is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:35
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> On the Routing tab "Reroute incoming SMTP mail (required for 
> POP3/IMAP4
> support)is checked.
> In the field below Sent to: has our domain of jjg.com and Route to: is
> 
> 
> The Routing Restrictions are as follows:
> Hosts and clients that successfully authenticate is not checked.
> Host and clients with these IP addresses is checked and 
> populated with 3
> internal addresses for Canon Image Runner copiers that can send email.
> Hosts and clients connecting to these internal addresses is 
> checked with the
> Internal IP address of our exchange server.
> Specify the hosts and clients that can NEVER route mail is empty.
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:29 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> Still open... What's that tab say now exactly?
> 
> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:23 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: RE: Open Relay Help
> 
> 
> I'm sure I did but restarted once more to make sure.  Can you 
> try again?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:13 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> You're still an open relay. Did you restart the IMS after making the
> changes described in the article?
> 
> Describe your settings on this tab as well in detail:
> http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> 
> -----Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:06 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: Open Relay Help
> 
> 
> Apparently my mail server has been listed as an Open Relay at
> http://njabl.org/.
> 
> I've followed the instructions listed in the following FAQ, and still
> get listed as an open relay.
> 
> 3.73 Q: How can I configure my Exchange server so it can't be 
> used as an
> open relay? 
> A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
>  
> 
> My server is as follows:
> Windows 2000 SP2
> Exchange 5.5 SP4
> Trend Micro's ScanMail and EManager are installed and current 
> on version
> and pattern files.
> 
> I have been unsuccessful in finding and searching the archives.  Any
> help would be greatly appreciated.
> 
> 
> 
> Skip Taylor, MCSE 
> Network Administrator 
> Jordan, Jones, and Goulding 
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://w

RE: Open Relay Help

Man, I AM tired.  Sorry, wrong entry.

This is the one I was talking about.

> Hosts and clients connecting to these internal addresses is checked
> with the Internal IP address of our exchange server.

Remove that entry.

Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Dickenson, Steven [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:43 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


> Host and clients with these IP addresses is checked and populated with 3
> internal addresses for Canon Image Runner copiers that can send email.

I'd bet money that's your problem.  I had my Exchange server setup like this
at one point, for a Mac client with an old version of Eudora that didn't
support SMTP AUTH.  It turned Exchange into an open relay.  Removing the IP
address, but leaving the box checked, solved my problem.

Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:35 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


On the Routing tab "Reroute incoming SMTP mail (required for POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and Route to: is


The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and populated with 3
internal addresses for Canon Image Runner copiers that can send email.
Hosts and clients connecting to these internal addresses is checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&a

RE: Open Relay Help

> Host and clients with these IP addresses is checked and populated with 3
> internal addresses for Canon Image Runner copiers that can send email.

I'd bet money that's your problem.  I had my Exchange server setup like this
at one point, for a Mac client with an old version of Eudora that didn't
support SMTP AUTH.  It turned Exchange into an open relay.  Removing the IP
address, but leaving the box checked, solved my problem.

Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
Network Administrator
The Key School, Annapolis Maryland 

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:35 AM
To: Exchange Discussions
Subject: RE: Open Relay Help


On the Routing tab "Reroute incoming SMTP mail (required for POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and Route to: is


The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and populated with 3
internal addresses for Canon Image Runner copiers that can send email.
Hosts and clients connecting to these internal addresses is checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:

RE: Open Relay Help

I think the "Hosts and clients connecting to these internal addresses" is
your problem - you don't need it ticked (or I should say it isn't ticked
here and doesn't affect inbound email).

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:35
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> On the Routing tab "Reroute incoming SMTP mail (required for 
> POP3/IMAP4
> support)is checked.
> In the field below Sent to: has our domain of jjg.com and Route to: is
> 
> 
> The Routing Restrictions are as follows:
> Hosts and clients that successfully authenticate is not checked.
> Host and clients with these IP addresses is checked and 
> populated with 3
> internal addresses for Canon Image Runner copiers that can send email.
> Hosts and clients connecting to these internal addresses is 
> checked with the
> Internal IP address of our exchange server.
> Specify the hosts and clients that can NEVER route mail is empty.
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:29 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> Still open... What's that tab say now exactly?
> 
> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:23 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: RE: Open Relay Help
> 
> 
> I'm sure I did but restarted once more to make sure.  Can you 
> try again?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:13 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> You're still an open relay. Did you restart the IMS after making the
> changes described in the article?
> 
> Describe your settings on this tab as well in detail:
> http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> 
> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:06 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: Open Relay Help
> 
> 
> Apparently my mail server has been listed as an Open Relay at
> http://njabl.org/.
> 
> I've followed the instructions listed in the following FAQ, and still
> get listed as an open relay.
> 
> 3.73 Q: How can I configure my Exchange server so it can't be 
> used as an
> open relay? 
> A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
>  
> 
> My server is as follows:
> Windows 2000 SP2
> Exchange 5.5 SP4
> Trend Micro's ScanMail and EManager are installed and current 
> on version
> and pattern files.
> 
> I have been unsuccessful in finding and searching the archives.  Any
> help would be greatly appreciated.
> 
> 
> 
> Skip Taylor, MCSE 
> Network Administrator 
> Jordan, Jones, and Goulding 
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_fa

RE: Open Relay Help

On the Routing tab "Reroute incoming SMTP mail (required for POP3/IMAP4
support)is checked.
In the field below Sent to: has our domain of jjg.com and Route to: is


The Routing Restrictions are as follows:
Hosts and clients that successfully authenticate is not checked.
Host and clients with these IP addresses is checked and populated with 3
internal addresses for Canon Image Runner copiers that can send email.
Hosts and clients connecting to these internal addresses is checked with the
Internal IP address of our exchange server.
Specify the hosts and clients that can NEVER route mail is empty.

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:29 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help


I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Chris Scharff

Still open... What's that tab say now exactly?

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:23 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: RE: Open Relay Help

I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help

You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help

Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.

Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

Still looks to be open

regards,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 024 7635 5378, Fax: 024 7635 8378
mailto:[EMAIL PROTECTED]

> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 15:23
> To: Exchange Discussions
> Subject: RE: Open Relay Help
> 
> 
> I'm sure I did but restarted once more to make sure.  Can you 
> try again?
> 
> Skip Taylor, MCSE
> Network Administrator
> Jordan, Jones, and Goulding
> 
> 
> -Original Message-
> From: Chris Scharff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 10:13 AM
> To: Exchange Discussion
> Subject: RE: Open Relay Help
> 
> 
> You're still an open relay. Did you restart the IMS after making the
> changes described in the article?
> 
> Describe your settings on this tab as well in detail:
> http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif
> 
> -Original Message-
> From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
> Posted At: Thursday, May 29, 2003 9:06 AM
> Posted To: swynk
> Conversation: Open Relay Help
> Subject: Open Relay Help
> 
> 
> Apparently my mail server has been listed as an Open Relay at
> http://njabl.org/.
> 
> I've followed the instructions listed in the following FAQ, and still
> get listed as an open relay.
> 
> 3.73 Q: How can I configure my Exchange server so it can't be 
> used as an
> open relay? 
> A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
>  
> 
> My server is as follows:
> Windows 2000 SP2
> Exchange 5.5 SP4
> Trend Micro's ScanMail and EManager are installed and current 
> on version
> and pattern files.
> 
> I have been unsuccessful in finding and searching the archives.  Any
> help would be greatly appreciated.
> 
> 
> 
> Skip Taylor, MCSE 
> Network Administrator 
> Jordan, Jones, and Goulding 
> 
> _
> List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t
ext_mode=&
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

I'm sure I did but restarted once more to make sure.  Can you try again?

Skip Taylor, MCSE
Network Administrator
Jordan, Jones, and Goulding


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 10:13 AM
To: Exchange Discussion
Subject: RE: Open Relay Help


You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Chris Scharff

You're still an open relay. Did you restart the IMS after making the
changes described in the article?

Describe your settings on this tab as well in detail:
http://www.exchangeadmin.com/Files/04/7696/Screen_04.gif

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Posted At: Thursday, May 29, 2003 9:06 AM
Posted To: swynk
Conversation: Open Relay Help
Subject: Open Relay Help


Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still
get listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 
 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version
and pattern files.

I have been unsuccessful in finding and searching the archives.  Any
help would be greatly appreciated.



Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

RE: Open Relay Help

2003-05-30 Thread Andy David

You've got to contact them and have them take you out of their database.

-Original Message-
From: Taylor, Skip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 10:06 AM
To: Exchange Discussions
Subject: Open Relay Help

Apparently my mail server has been listed as an Open Relay at
http://njabl.org/.

I've followed the instructions listed in the following FAQ, and still get
listed as an open relay.

3.73 Q: How can I configure my Exchange server so it can't be used as an
open relay? 
A: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696 

My server is as follows:
Windows 2000 SP2
Exchange 5.5 SP4
Trend Micro's ScanMail and EManager are installed and current on version and
pattern files.

I have been unsuccessful in finding and searching the archives.  Any help
would be greatly appreciated.

Skip Taylor, MCSE 
Network Administrator 
Jordan, Jones, and Goulding 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

--
The information contained in this email message is privileged and confidential
information intended only for the use of the individual or entity to whom it
is addressed.  If the reader of this message is not the intended recipient,
you are hereby notified that any dissemination, distribution or copy of this
message is strictly prohibited.  If you have received this email in error,
please immediately notify Veronis Suhler Stevenson by telephone (212)935-4990,
fax (212)381-8168, or email ([EMAIL PROTECTED]) and delete the message.  Thank
you.

==

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

Open Relay Help