Exchange Server Compromised


Nicolas Macarez

I have an Exchange Server 2003 with just a few users.

We are having issues that make me think that my server might be used as a relay
for some spammers: some external recipients can't receive the mails that we
send to them, and my fixed public IP address is listed on 6 major RBLs such as:

cbl.abuseat.org
dnsbl-1.uceprotect.net
ix.dnsbl.manitu.net
sbl-xbl.spamhaus.org
bl.spamcop.net
xbl.spamhaus.org

I have done many things so far to try to secure the server:

++ Fully patched
++ Ran Exchange Server Best Practice Analyzer, but nothing outstanding was
discovered
++ Made sure that I am not a relay: under Exchange System Manager,
Administrative Groups, First Administrative Group, Servers, SERVERNAME,
Protocols, SMTP, Default SMTP Virtual Server and right-click Properties:
on the Access tab, then the Relay button, I unchecked everything, and in the
Users button only set the Submit permission for the Authenticated Users
++ I turned on SMTP logging but I am not sure it really helps to
understand what's happening...

What can I do then to be sure that my server is safe?

Help greatly appreciated

Nicolas
 

Ed Crowley [MVP]

Post your domain and someone here can check for you. Or go here and have
them look at your server:

http://www.abuse.net/relay.html

Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."


"Nicolas Macarez" <macarez@free.fr> wrote in message

news:uEVRG1a$JHA.5068@TK2MSFTNGP03.phx.gbl...
> I have an Exchange Server 2003 with just a few users.

> We are having issues that make think that my server might be used as a
> relay
> for some spammers: some external recipients can't receive the mails that
> we
> send to them, my fixed public IP adress is listed on 6 majors RBL such as:

> cbl.abuseat.org
> dnsbl-1.uceprotect.net
> ix.dnsbl.manitu.net
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> xbl.spamhaus.org

> I hava done many things so far to try to secure the server:

> ++ Fully patched
> ++ Run Exchange Server Best Practice Analyzer, but nothing outstanding was
> discovered
> ++ Made sure that I am not a relay: under Exchange System Manager,
> Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> On the Access tab then the Relay button, I unchecked everything, and in
> the
> Users button only set the Submit permission for the Authenticated users
> ++ I turned on the SMTP Logging but I am not sure it really helps to
> understand what's happening...

> What can I do then to be sure that my server is safe?
> Help greatly appreciated
> Nicolas

>
 

Rich Matheisen [MVP]

On Sun, 5 Jul 2009 22:14:58 +0200, "Nicolas Macarez" <macarez@free.fr> wrote:


> I have an Exchange Server 2003 with just a few users.

> We are having issues that make think that my server might be used as a relay
> for some spammers: some external recipients can't receive the mails that we
> send to them, my fixed public IP adress is listed on 6 majors RBL such as:

> cbl.abuseat.org
> dnsbl-1.uceprotect.net
> ix.dnsbl.manitu.net
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> xbl.spamhaus.org

> I hava done many things so far to try to secure the server:

> ++ Fully patched
> ++ Run Exchange Server Best Practice Analyzer, but nothing outstanding was
> discovered
> ++ Made sure that I am not a relay: under Exchange System Manager,
> Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> On the Access tab then the Relay button, I unchecked everything, and in the
> Users button only set the Submit permission for the Authenticated users
> ++ I turned on the SMTP Logging but I am not sure it really helps to
> understand what's happening...

> What can I do then to be sure that my server is safe?


Try not allowing authenticated users to use your server as an SMTP
relay.

If you're not seeing the traffic in the SMTP protocol logs then
perhaps it's not your server that's the problem. If you share your
external IP address with other machines, as you would if you NAT
addresses, then the email may be coming from anywhere. If there's no
reason to allow other machines to send email directly to the Internet
then shut off access to port 25 at your firewall.

-
Rich Matheisen

 

Nicolas Macarez

Thanks Ed,

I checked at http://www.abuse.net/relay.html but all I got was:

Mail relay testing
This host was recently tested with an anonymous test.
The host appeared to accept a test message for relay.

Not very useful...

Help appreciated

"Ed Crowley [MVP]" <curspice@nospam.net> wrote in message news:
eERx$Jb$JHA.4692@TK2MSFTNGP02.phx.gbl...
> Post your domain and someone here can check for you. Or go here and have
> them look at your server:
> http://www.abuse.net/relay.html
> > Ed Crowley MVP
> "There are seldom good technological solutions to behavioral problems."
> .

> "Nicolas Macarez" <macarez@free.fr> wrote in message
> news:uEVRG1a$JHA.5068@TK2MSFTNGP03.phx.gbl...
> >I have an Exchange Server 2003 with just a few users.
>

>> We are having issues that make think that my server might be used as a
> > relay
> > for some spammers: some external recipients can't receive the mails that
> > we
> > send to them, my fixed public IP adress is listed on 6 majors RBL such
> > as:
>

>> cbl.abuseat.org
> > dnsbl-1.uceprotect.net
> > ix.dnsbl.manitu.net
> > sbl-xbl.spamhaus.org
> > bl.spamcop.net
> > xbl.spamhaus.org
>

>> I hava done many things so far to try to secure the server:
>

>> ++ Fully patched
> > ++ Run Exchange Server Best Practice Analyzer, but nothing outstanding
> > was
> > discovered
> > ++ Made sure that I am not a relay: under Exchange System Manager,
> > Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> > Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> > On the Access tab then the Relay button, I unchecked everything, and in
> > the
> > Users button only set the Submit permission for the Authenticated users
> > ++ I turned on the SMTP Logging but I am not sure it really helps to
> > understand what's happening...
>

>> What can I do then to be sure that my server is safe?
> > Help greatly appreciated
> > Nicolas
>

>
>
>>

>
 

Rich Matheisen [MVP]

On Mon, 6 Jul 2009 00:36:29 +0200, "Nicolas Macarez" <macarez@free.fr> wrote:


> Thanks Ed,

> I check at http://www.abuse.net/relay.html
> but all I got was:
> Mail relay testing
> This host was recently tested with an anonymous test.
> The host appeared to accept a test message for relay.

> Not very useful...


It's very useful. The relayed email commands will be found in your
SMTP protocol logs. Assuming you're recording sufficient details in
that log you should be able to see what's going on.

However, and this is always one that's debatable, if you don't have
recipient filtering enabled on your server you'll accept email for
addresses that don't exist in your domain. That can sometimes cause
the diagnosis to be erroneous -- but you /should/ have recipient
filtering enabled. There's no sense in accepting email that you can't
deliver.

What domains appear in your Recipient Policies? Do you have a SMTP
Connector? If so, does it have an "Address Space" of "*"? If it does,
is the box at the bottom of the "Address Space" tab checked (the one
labeled "Allow messages to be relayed to these domains")? It shouldn't
be.

-
Rich Matheisen

 

jamestechman

Double check.

The default settings block open relay. The default settings are as
follows:

• Select Only the list below.
• The Computers dialog box shows Access Granted to the Internal IP
address of the Small Business Server network and to the external IP
address (if the server has more than one network card.)
• Make sure that Allow all computers which successfully authenticate to
relay, regardless of the list above is selected

James Chong (MVP)

MCITP | EA | EMA; MCSE | M+, S+

Security+, Project+, ITIL

On Jul 5, 4:14 pm, "Nicolas Macarez" <maca...@free.fr> wrote:
> I have an Exchange Server 2003 with just a few users.

> We are having issues that make think that my server might be used as a relay
> for some spammers:  some external recipients can't receive the mails that we
> send to them, my fixed public IP adress is listed on 6 majors RBL such as:

> cbl.abuseat.org
> dnsbl-1.uceprotect.net
> ix.dnsbl.manitu.net
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> xbl.spamhaus.org

> I hava done many things so far to try to secure the server:

> ++ Fully patched
> ++ Run Exchange Server Best Practice Analyzer, but nothing outstanding was
> discovered
> ++ Made sure that I am not a relay: under Exchange System Manager,
> Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> On the Access tab then the Relay  button, I unchecked everything, and in the
> Users button only set the Submit permission for the Authenticated users
> ++ I turned on the SMTP Logging but I am not sure it really helps to
> understand what's happening...

> What can I do then to be sure that my server is safe?
> Help greatly appreciated
> Nicolas
 

Mark D. MacLachlan

OK, so it has already been suggested that you remove the check to allow
all authenticated users the ability to relay. That will prevent
workstations that are infected with spamware from sending out mail.

And as was suggested you should enable recipient filtering but also
enable SMTP tarpitting.

If you are using IMF, make sure it is set to get updates from Windows
Update.

I have scripts available in the following FAQ to enable the SMTP tarpit
and the IMF Update. http://www.tek-tips.com/faqs.cfm?fid=6503.

You need to get the relay turned off and then you should be able to get
off the blacklists. Your customers that can't receive your mail
will likely not be able to until you get off those lists.

Lastly, make sure that you have an SPF record so spoofed mail can't
pose as coming from your company.

Hope that helps,

Mark D. MacLachlan
 

Nicolas Macarez

Ed,

here is what I got by registering on abuse.net.

However, I have not received any mail from this test as they say I would if
it was really an open relay.

(I changed the public IP Address and the domain name, of course)

----- START OF THE Abuse.net TEST --------------
Mail relay testing

Connecting to 195.68.90.23 for registered user test ...

<<< 220 cleveland.mycompany.fr Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Mon, 6 Jul 2009 06:22:22 +0200
>>> HELO www.abuse.net
<<< 250 cleveland.mycompany.fr Hello [208.31.42.77]

Relay test 1
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 2.1.0 spamtest@abuse.net....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 2
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest>
<<< 250 2.1.0 spamtest@mycompany.fr....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 3
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<>
<<< 250 2.1.0 <>....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 4
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.90.23]>
<<< 250 2.1.0 spamtest@[195.68.90.23]....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 5
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@mail.mycompany.fr>
<<< 250 2.1.0 spamtest@mail.mycompany.fr....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 6
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.90.23]>
<<< 250 2.1.0 spamtest@[195.68.90.23]....Sender OK
>>> RCPT TO:<macarez%free.fr@[195.68.90.23]>
<<< 550 5.7.1 Unable to relay for macarez%free.fr@[195.68.90.23]

Relay test 7
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.90.23]>
<<< 250 2.1.0 spamtest@[195.68.90.23]....Sender OK
>>> RCPT TO:<macarez%free.fr@mail.mycompany.fr>
<<< 550 5.7.1 Unable to relay for macarez%free.fr@mail.mycompany.fr

Relay test 8
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.90.23]>
<<< 250 2.1.0 spamtest@[195.68.90.23]....Sender OK
>>> RCPT TO:<"macarez@free.fr">
<<< 250 2.1.5 "macarez@free.fr"@mycompany.fr
>>> DATA
<<< 354 Start mail input; end with <CRLF>.<CRLF>
>>> (message body)
<<< 250 2.6.0 <rlytest-1246854093-1973@abuse.net> Queued mail for delivery

Relay test result

Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

Some systems appear to accept relay mail, but then reject messages
internally rather than delivering them, but you cannot tell at this point
whether the message will be relayed or not.

If it is really an open relay, the test message will be delivered to you. If
you do not receive the test message in your e-mail in the next few hours, it
IS NOT an open relay.
----- END OF THE Abuse.net TEST --------------
"Ed Crowley [MVP]" <curspice@nospam.net> wrote in message news:
eERx$Jb$JHA.4692@TK2MSFTNGP02.phx.gbl...
> Post your domain and someone here can check for you. Or go here and have
> them look at your server:
> http://www.abuse.net/relay.html
> > Ed Crowley MVP
> "There are seldom good technological solutions to behavioral problems."
> .

> "Nicolas Macarez" <macarez@free.fr> wrote in message
> news:uEVRG1a$JHA.5068@TK2MSFTNGP03.phx.gbl...
> >I have an Exchange Server 2003 with just a few users.
>

>> We are having issues that make think that my server might be used as a
> > relay
> > for some spammers: some external recipients can't receive the mails that
> > we
> > send to them, my fixed public IP adress is listed on 6 majors RBL such
> > as:
>

>> cbl.abuseat.org
> > dnsbl-1.uceprotect.net
> > ix.dnsbl.manitu.net
> > sbl-xbl.spamhaus.org
> > bl.spamcop.net
> > xbl.spamhaus.org
>

>> I hava done many things so far to try to secure the server:
>

>> ++ Fully patched
> > ++ Run Exchange Server Best Practice Analyzer, but nothing outstanding
> > was
> > discovered
> > ++ Made sure that I am not a relay: under Exchange System Manager,
> > Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> > Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> > On the Access tab then the Relay button, I unchecked everything, and in
> > the
> > Users button only set the Submit permission for the Authenticated users
> > ++ I turned on the SMTP Logging but I am not sure it really helps to
> > understand what's happening...
>

>> What can I do then to be sure that my server is safe?
> > Help greatly appreciated
> > Nicolas
>

>
>
>>

>
 

Nicolas Macarez

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in
message news: uec255lcc5ttjfkslu7miqdem8qu5hplhb@4ax.com...
> On Mon, 6 Jul 2009 00:36:29 +0200, "Nicolas Macarez" <macarez@free.fr
> wrote:
>
> >Thanks Ed,
>

>>I check at http://www.abuse.net/relay.html
> >but all I got was:
> >Mail relay testing
> >This host was recently tested with an anonymous test.
> >The host appeared to accept a test message for relay.
>

>>Not very useful...


> It's very useful. The relayed email commands will be found in your
> SMTP protocol logs. Assuming you're recording sufficient details in
> that log you should be able to see what's going on.


Can you help me on that subject: I turned on the log in the properties of
the SMTP server: right-click on the Default SMTP Virtual Server, General
tab, check Enable Logging, W3C Extended Log File Format. The daily file which
is created contains some info like:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-05 22:00:12
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:00:12 209.85.147.27 - - 0
22:00:12 209.85.147.27 DATA - 0
22:00:12 209.85.147.27 - - 0
22:00:12 209.85.147.27 - - 0
22:00:12 209.85.147.27 QUIT - 0
22:00:13 190.157.209.49 EHLO - 250
22:00:13 190.157.209.49 MAIL - 250
22:00:13 190.157.209.49 RCPT - 250
22:00:13 190.157.209.49 RCPT - 250
22:00:13 190.157.209.49 RCPT - 250
22:00:13 190.157.209.49 RCPT - 250
22:00:13 190.157.209.49 RCPT - 250
22:00:13 190.157.209.49 DATA - 250
22:00:14 190.157.209.49 QUIT - 240
22:00:34 196.221.57.59 QUIT - 240
22:00:34 196.221.57.59 QUIT - 240
22:00:34 196.221.57.59 QUIT - 240
22:00:48 212.27.42.5 EHLO - 250
22:00:48 212.27.42.5 MAIL - 250
22:00:48 212.27.42.5 RCPT - 250
22:00:49 212.27.42.5 DATA - 250
22:00:49 212.27.42.5 QUIT - 240

Can I exploit that?

Is there another setting in the Exchange System Manager to get some more
information on what's going on with SMTP?



> However, and this is always one that's debatable, if you don't have
> recipient filtering enabled on your server you'll accept email for
> addresses that don't exist in your domain. That can sometimes cause
> the diagnosis to be erroneous -- but you /should/ have recipient
> filtering enabled. There's no sense in accepting email that you can't
> deliver.


Yes, I know. I have read:

http://hellomate.typepad.com/exchange/2003/09/exchange_2003_r.html

But I did follow your advice and configured Recipient Filtering by following
this page:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html


> What domains appear in your Recipient Policies?


Only the mycompany.fr domain.

> Do you have a SMTP
> Connector?

No, not at the beginning, but... I had to set up one with DynDns to get the
outbound message flow going.

Otherwise, there were too many recipients (hotmail and gmail recipients, to
name a few) that were not getting our mails.

I also hope that in the meantime I shall be delisted automatically from the
6 RBLs since, in fact, normally no mail is flowing out from my Exchange
Default Virtual SMTP Server.

> If so, does it have an "Address Space" of "*"? If it does,
> is the box at the bottom of the "Address Space" tab checked (the one
> labeled "Allow messages to be relayed to these domains")? It shouldn't
> be.
> -
> Rich Matheisen
 

Nicolas Macarez

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in
message news: lo4255dsbf8pbd7t8r3kfd2pibm4e1n7d6@4ax.com...
> On Sun, 5 Jul 2009 22:14:58 +0200, "Nicolas Macarez" <macarez@free.fr
> wrote:
>
> >I have an Exchange Server 2003 with just a few users.
>

>>We are having issues that make think that my server might be used as a
> >relay
> >for some spammers: some external recipients can't receive the mails that
> >we
> >send to them, my fixed public IP adress is listed on 6 majors RBL such as:
>

>>cbl.abuseat.org
> >dnsbl-1.uceprotect.net
> >ix.dnsbl.manitu.net
> >sbl-xbl.spamhaus.org
> >bl.spamcop.net
> >xbl.spamhaus.org
>

>>I hava done many things so far to try to secure the server:
>

>>++ Fully patched
> >++ Run Exchange Server Best Practice Analyzer, but nothing outstanding was
> >discovered
> >++ Made sure that I am not a relay: under Exchange System Manager,
> >Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> >Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> >On the Access tab then the Relay button, I unchecked everything, and in
> >the
> >Users button only set the Submit permission for the Authenticated users
> >++ I turned on the SMTP Logging but I am not sure it really helps to
> >understand what's happening...
>

>>What can I do then to be sure that my server is safe?


> Try not allowing authenticated user to use your server as a SMTP
> relay.


Rich,

That's what I did.



> If you're not seeing the traffin in the SMTP protocol logs then
> perhaps its not your server that's the problem.


I can see some traffic in the logs anyway: at least because of the SMTP
traffic for inbound messages.

I guess I need to make an effort to sort the inbound mails from the outbound
mails. :)

> If you share your
> external IP address with other machines, as you would if you NAT
> addresses, then the email may be coming from anywhere. If there's no
> reason to allow other machines to send email directly to the Internet
> then shut off access to port 25 at your firewall.
> -
> Rich Matheisen
 

Nicolas Macarez

Thanks James,

I double checked and my settings are as you suggest.

Regards

Nicolas

"jamestechman" <jamestechman@gmail.com> wrote in message news:
e0d68204-a12c-4e24-8309-1f5180e24553@y17g2000yqn.googlegroups.com...

Double check.

The default settings block open relay. The default settings are as

follows:

•Select Only the list below.

•The Computers dialog box shows Access Granted to the Internal IP

address of the Small Business Server network and to the external IP

address (if the server has more than one network card.)

•Make sure that Allow all computers which successfully authenticate to

relay, regardless of the list above is selected

James Chong (MVP)

MCITP | EA | EMA; MCSE | M+, S+

Security+, Project+, ITIL

On Jul 5, 4:14 pm, "Nicolas Macarez" <maca...@free.fr> wrote:
> I have an Exchange Server 2003 with just a few users.

> We are having issues that make think that my server might be used as a
> relay
> for some spammers: some external recipients can't receive the mails that
> we
> send to them, my fixed public IP adress is listed on 6 majors RBL such as:

> cbl.abuseat.org
> dnsbl-1.uceprotect.net
> ix.dnsbl.manitu.net
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> xbl.spamhaus.org

> I hava done many things so far to try to secure the server:

> ++ Fully patched
> ++ Run Exchange Server Best Practice Analyzer, but nothing outstanding was
> discovered
> ++ Made sure that I am not a relay: under Exchange System Manager,
> Administrative Groups, First Administrative Group, Servers, SERVERNAME,
> Protocols, SMTP, Default SMTP Virtual Server and right click Properties :
> On the Access tab then the Relay button, I unchecked everything, and in
> the
> Users button only set the Submit permission for the Authenticated users
> ++ I turned on the SMTP Logging but I am not sure it really helps to
> understand what's happening...

> What can I do then to be sure that my server is safe?
> Help greatly appreciated
> Nicolas
 

Nicolas Macarez

"Mark D. MacLachlan" <markdmac@live.com> wrote in message news:
OluveRf$JHA.1252@TK2MSFTNGP04.phx.gbl...
> OK, so it has already been suggested that you remove the check to allow
> all authenticated users the ability to relay. That will prevent
> workstations that are infected with spamware to send out mail.


Mark,

That's what I did so far.



> And as was suggested you should enable recipient filtering but also
> enable SMTP tarpitting.


I will take a closer look at the documentation on the subject as well as your
webpage.



> If you are using IMF, make sure it is set to get updates from Windows
> Update.


I am using IMF. I got the last update from Windows Update.



> I have scripts available in the following FAQ to enable the SMTP tarpit
> and the IMF Update. http://www.tek-tips.com/faqs.cfm?fid=6503.


Many thanks!



> You need to get the relay turned off and then you should be able to get
> off of the black lists. Your customers that can't receive your mail
> will likely not be able to until you get off those lists.


I have in the meantime set up a SMTP connector with DynDns.org to get the
outbound mails flowing out. I hope I'll be delisted soon from the 6 RBLs I'm
stuck with. I just hope that afterwards it will be the end of it. But how
can I be sure?

> Lastly, make sure that you have an SPF record so spoofed mail can't
> pose as coming from your company.


I need to see that with the registrar where I set up the Zone File for my
domain (MX, CNAME, etc.)



> Hope that helps,

> Mark D. MacLachlan
 

Rich Matheisen [MVP]

On Mon, 6 Jul 2009 11:22:36 +0200, "Nicolas Macarez" <macarez@free.fr> wrote:

[ snip ]


> Can you help me on that subject: I turned on the Log in the properties of
> the SMTP Server: right-click on the Default SMTP Virtuak Server, General
> Tab, check Enable Logging, W3C Extended Logfile Format. The daily file which
> is created containfs some infos like:

> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2009-07-05 22:00:12
> #Fields: time c-ip cs-method cs-uri-stem sc-status
> 22:00:12 209.85.147.27 - - 0
> 22:00:12 209.85.147.27 DATA - 0
> 22:00:12 209.85.147.27 - - 0
> 22:00:12 209.85.147.27 - - 0
> 22:00:12 209.85.147.27 QUIT - 0
> 22:00:13 190.157.209.49 EHLO - 250


[ snip ]

I don't know which IP address is yours, nor can I see the email
addresses in the RCPT TO commands. If you see IP addresses connecting
to your server and the RCPT TO command contains an address that's not
in your Recipient Policies you should see a status of 5xx (probably
550), not 250.


> Can I exploit that?


Sure, but you need to log more detail.

On the "General" tab of the SMTP Virtual Server, click the
"Properties..." button. On the next dialog box, select the "Advanced"
tab. Check /all/ the boxes.


> Is there another setting in the Exchange System Manager to get some more
> information on what's going on with SMTP?


See above. :)



>
>

>> However, and this is always one that's debatable, if you don't have
> > recipient filtering enabled on your server you'll accept email for
> > addresses that don't exist in your domain. That can sometimes cause
> > the diagnosis to be erroneous -- but you /should/ have recipient
> > filtering enabled. There's no sense in accepting email that you can't
> > deliver.


> Yes, I know. I have read :
> http://hellomate.typepad.com/exchange/2003/09/exchange_2003_r.html

> But I did follow your advice and configured Recipient filtering by following
> this page:
> http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

>
> > What domains appear in your Recipient Policies?


> Only the mycompany.fr domain

> Do you have a SMTP
> > Connector?


> No, not at the beginning, but... I had to set up one with DynDns to get the
> Outbound message flow going on.
> Otherwise, there were to many recipients (hotmail and gmail recipients to
> name a few) that were not getting our mails.
> I also hope that in the meantime, I shall be delisted automatically from the
> 6 RBL since in fact, normally, no mail is flowing out from my Exchange
> Default Virtual SMTP Server.


If you're sending email and using a dynamically assigned IP address to
do so, that may be your problem. Dynamic IP address blocks are regularly
listed on DNSBLs. Is your SMTP Connector sending all your mail to a
smart host that uses a static IP address?


> If so, does it have an "Address Space" of "*"? If it does,
> > is the box at the bottom of the "Address Space" tab checked (the one
> > labeled "Allow messages to be relayed to these domains")? It shouldn't
> > be.


You didn't answer this part of the question. :)

-
Rich Matheisen
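Rich's advice above (check every box on the log's "Advanced" tab, then look for RCPT TO commands that got a 250 for an address outside your Recipient Policies) as an added worked example, not code from the thread: a Python script that reads an IIS 6 SMTP W3C extended log, flags accepted recipients in foreign domains, and separates unauthenticated sessions (an open relay) from authenticated ones (the "authenticated users may relay" setting abused from an infected workstation). The sample log lines, the field list and all addresses are constructed for the example; the parser takes column names from the #Fields line instead of assuming positions, so it works on a server's real field set too.

```python
"""Flag relayed recipients in an IIS 6 / Exchange 2003 SMTP W3C extended log.

Added example, not code from the thread. With every box on the log's
"Advanced" tab checked, each RCPT command is logged with its argument in
cs-uri-query and the reply code in sc-status, so a 250 for an address
outside the Recipient Policies means a message was accepted for relay.
"""
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"mycompany.fr"}   # assumption: the only Recipient Policy domain

# Constructed sample log with three sessions. Field list and values are
# illustrative; a real server logs more columns, which the parser tolerates.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-05 22:00:12
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes
2009-07-05 22:00:13 190.157.209.49 - SMTPSVC1 CLEVELAND 10.0.0.5 25 EHLO - bot.example.net 250 0 0
2009-07-05 22:00:13 190.157.209.49 - SMTPSVC1 CLEVELAND 10.0.0.5 25 MAIL - +FROM:<spam@example.net> 250 0 0
2009-07-05 22:00:13 190.157.209.49 - SMTPSVC1 CLEVELAND 10.0.0.5 25 RCPT - +TO:<bob@mycompany.fr> 250 0 0
2009-07-05 22:00:13 190.157.209.49 - SMTPSVC1 CLEVELAND 10.0.0.5 25 RCPT - +TO:<victim@free.fr> 250 0 0
2009-07-05 22:00:13 190.157.209.49 - SMTPSVC1 CLEVELAND 10.0.0.5 25 DATA - <id@example.net> 250 0 0
2009-07-05 22:00:14 190.157.209.49 - SMTPSVC1 CLEVELAND 10.0.0.5 25 QUIT - - 240 0 0
2009-07-05 22:00:48 212.27.42.5 - SMTPSVC1 CLEVELAND 10.0.0.5 25 EHLO - smtp.free.fr 250 0 0
2009-07-05 22:00:48 212.27.42.5 - SMTPSVC1 CLEVELAND 10.0.0.5 25 MAIL - +FROM:<someone@free.fr> 250 0 0
2009-07-05 22:00:48 212.27.42.5 - SMTPSVC1 CLEVELAND 10.0.0.5 25 RCPT - +TO:<alice@mycompany.fr> 250 0 0
2009-07-05 22:00:48 212.27.42.5 - SMTPSVC1 CLEVELAND 10.0.0.5 25 RCPT - +TO:<other@free.fr> 550 0 0
2009-07-05 22:00:49 212.27.42.5 - SMTPSVC1 CLEVELAND 10.0.0.5 25 QUIT - - 240 0 0
2009-07-05 22:05:02 10.0.0.17 MYCOMPANY\\jdoe SMTPSVC1 CLEVELAND 10.0.0.5 25 MAIL - +FROM:<jdoe@mycompany.fr> 250 0 0
2009-07-05 22:05:02 10.0.0.17 MYCOMPANY\\jdoe SMTPSVC1 CLEVELAND 10.0.0.5 25 RCPT - +TO:<partner@gmail.com> 250 0 0
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()        # W3C encodes spaces in values as '+'
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
            # otherwise: truncated or damaged line, skip rather than misalign
    return records


def rcpt_address(query):
    """Address inside a logged RCPT argument such as '+TO:<user@example.com>'."""
    m = ADDR_RE.search(query or "")
    return m.group(1) if m else None


def is_local(address, local_domains=LOCAL_DOMAINS):
    """No domain means the server appends its own, so that counts as local."""
    if "@" not in address:
        return True
    return address.rsplit("@", 1)[1].lower() in local_domains


def find_relayed_rcpts(records, local_domains=LOCAL_DOMAINS):
    """(c-ip, address, kind) for every RCPT answered 250 for a foreign domain.

    kind is 'open' when the session never authenticated (cs-username '-'),
    which is what an open relay looks like, and 'authenticated' otherwise,
    which is what a workstation with cached credentials and spamware looks like.
    """
    hits = []
    for r in records:
        if r.get("cs-method") != "RCPT" or r.get("sc-status") != "250":
            continue
        address = rcpt_address(r.get("cs-uri-query"))
        if address is None or is_local(address, local_domains):
            continue
        kind = "open" if r.get("cs-username", "-") == "-" else "authenticated"
        hits.append((r["c-ip"], address, kind))
    return hits


def rcpt_status_by_ip(records):
    """Per client IP, how many RCPTs were accepted (2xx) versus refused (5xx)."""
    summary = defaultdict(Counter)
    for r in records:
        if r.get("cs-method") == "RCPT":
            summary[r["c-ip"]][r["sc-status"][0] + "xx"] += 1
    return {ip: dict(c) for ip, c in summary.items()}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, address, kind in find_relayed_rcpts(recs):
        print(f"{kind:13} relay from {ip}: RCPT TO:<{address}> accepted")
    for ip, counts in rcpt_status_by_ip(recs).items():
        print(ip, counts)
```

Point the script at a real daily log instead of SAMPLE_LOG and a client IP that keeps collecting 5xx RCPT replies is a sender probing for relay, while any 'open' hit means the relay restrictions are not doing what the GUI says.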

 

Rich Matheisen [MVP]

On Mon, 6 Jul 2009 11:07:06 +0200, "Nicolas Macarez" <macarez@free.fr> wrote:


> Ed,
> here is what I got by registering on abuse.net.
> However, I have not received any mail from this test as they say I would if
> it was really an open relay.

> (I changed the public IP Address and the domain name, of course)


[ snip ]


> Relay test 8
> >>> RSET

> <<< 250 2.0.0 Resetting
> >>> MAIL FROM:<spamtest@[195.68.90.23]>

> <<< 250 2.1.0 spamtest@[195.68.90.23]....Sender OK
> >>> RCPT TO:<"macarez@free.fr">

> <<< 250 2.1.5 "macarez@free.fr"@mycompany.fr
> >>> DATA

> <<< 354 Start mail input; end with <CRLF>.<CRLF>
> >>> (message body)

> <<< 250 2.6.0 <rlytest-1246854093-1973@abuse.net> Queued mail for delivery


Exchange wouldn't deliver that message, it would send an NDR to the
sender. There's no relay here.

It does, however, appear that you do NOT have recipient filtering
enabled. If you did, that RCPT TO would have been rejected.

This leads me to believe that you may be on DNSBLs because of this.
Your server will send the entire content of the original email to the
sender -- and if the sender is forged (as they often are) your server
will send the NDR to an innocent bystander.

Enable recipient filtering and you'll be a lot happier.

-
Rich Matheisen

 

Nicolas Macarez

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in
message news: ruq355lcv155gcm1s1sj45odqov6e7t68u@4ax.com...
> On Mon, 6 Jul 2009 11:07:06 +0200, "Nicolas Macarez" <macarez@free.fr
> wrote:
>
> >Ed,
> >here is what I got by registering on abuse.net.
> >However, I have not received any mail from this test as they say I would
> >if
> >it was really an open relay.
>

>>(I changed the public IP Address and the domain name, of course)


> [ snip ]
>
> >Relay test 8
> >>>> RSET

> ><<< 250 2.0.0 Resetting
> >>>> MAIL FROM:<spamtest@[195.68.90.23]>

> ><<< 250 2.1.0 spamtest@[195.68.90.23]....Sender OK
> >>>> RCPT TO:<"macarez@free.fr">

> ><<< 250 2.1.5 "macarez@free.fr"@mycompany.fr
> >>>> DATA

> ><<< 354 Start mail input; end with <CRLF>.<CRLF>
> >>>> (message body)

> ><<< 250 2.6.0 <rlytest-1246854093-1973@abuse.net> Queued mail for
> >delivery


> Exchange wouldn't deliver that message, it would send a NDR to the
> sender. There's no relay here.

> It does, however, appear that you do NOT have recipient filtering
> enabled. If you did that RCPT TO would have been rejected.

> This leads me to believe that you may be on DNSBLs because of this.
> Your server will send the entire content of the original email to the
> sender -- and if the sender is forged (as they often are) your server
> will send the NDR to an innocent bystander.

> Enable recipient filtering and you'll be a lot happier.
> -> Rich Matheisen
>


Rich,

here is what I got tonight on abuse.net - getting better. :)

Mail relay testing

Connecting to 195.68.22.25 for registered user test ...

<<< 220 cleveland.mycompany.fr Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Mon, 6 Jul 2009 23:06:58 +0200
>>> HELO www.abuse.net
<<< 250 cleveland.mycompany.fr Hello [208.31.42.77]

Relay test 1
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 2.1.0 spamtest@abuse.net....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 2
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest>
<<< 250 2.1.0 spamtest@mycompany.fr....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 3
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<>
<<< 250 2.1.0 <>....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 4
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 5
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@mail.mycompany.fr>
<<< 250 2.1.0 spamtest@mail.mycompany.fr....Sender OK
>>> RCPT TO:<macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 6
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<macarez%free.fr@[195.68.22.25]>
<<< 550 5.7.1 Unable to relay for macarez%free.fr@[195.68.22.25]

Relay test 7
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<macarez%free.fr@mail.mycompany.fr>
<<< 550 5.7.1 Unable to relay for macarez%free.fr@mail.mycompany.fr

Relay test 8
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<"macarez@free.fr">
<<< 550 5.1.1 User unknown

Relay test 9
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<"macarez%free.fr">
<<< 550 5.1.1 User unknown

Relay test 10
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<macarez@free.fr@[195.68.22.25]>
<<< 501 5.5.4 Invalid Address

Relay test 11
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<"macarez@free.fr"@[195.68.22.25]>
<<< 550 5.7.1 Unable to relay for "macarez@free.fr"@[195.68.22.25]

Relay test 12
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<macarez@free.fr@mail.mycompany.fr>
<<< 501 5.5.4 Invalid Address

Relay test 13
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<@[195.68.22.25]:macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 14
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<@mail.mycompany.fr:macarez@free.fr>
<<< 550 5.7.1 Unable to relay for macarez@free.fr

Relay test 15
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<free.fr!macarez>
<<< 550 5.1.1 User unknown

Relay test 16
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<free.fr!macarez@[195.68.22.25]>
<<< 550 5.7.1 Unable to relay for free.fr!macarez@[195.68.22.25]

Relay test 17
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest@[195.68.22.25]>
<<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
>>> RCPT TO:<free.fr!macarez@mail.mycompany.fr>
<<< 550 5.7.1 Unable to relay for free.fr!macarez@mail.mycompany.fr

Relay test result

All tests performed, no relays accepted.
 

Nicolas Macarez

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> a écrit dans le

message de news: q7q355t726rdh1ieu8t24m834o0et7m0o3@4ax.com...
> On Mon, 6 Jul 2009 11:22:36 +0200, "Nicolas Macarez" <macarez@free.fr
> wrote:

> [ snip ]
>
> >Can you help me on that subject: I turned on the Log in the properties of
> >the SMTP Server: right-click on the Default SMTP Virtual Server, General
> >Tab, check Enable Logging, W3C Extended Logfile Format. The daily file
> >which is created contains some info like:
> >
> >#Software: Microsoft Internet Information Services 6.0
> >#Version: 1.0
> >#Date: 2009-07-05 22:00:12
> >#Fields: time c-ip cs-method cs-uri-stem sc-status
> >22:00:12 209.85.147.27 - - 0
> >22:00:12 209.85.147.27 DATA - 0
> >22:00:12 209.85.147.27 - - 0
> >22:00:12 209.85.147.27 - - 0
> >22:00:12 209.85.147.27 QUIT - 0
> >22:00:13 190.157.209.49 EHLO - 250


> [ snip ]

> I don't know which IP address is yours, nor can I see the email
> addresses in the RCPT TO commands. If you see IP addresses connecting
> to your server and the RCPT TO command contains an address that's not
> in your Recipient Policies you should see a status of 5xx (probably
> 550), not 250.


Yes - that's the case. I enabled the Extended logging as you indicated to
me. And I get some 550. I need to go further in those logs tomorrow.


>
> >Can I exploit that?


> Sure, but you need to log more detail.

> On the "General" tab of the SMTP Virtual Server, click the
> "Properties..." button. On the next dialog box, select the "Advanced"
> tab. Check /all/ the boxes.
>
> >Is there another setting in the Exchange System Manager to get some more
> >information on what's going on with SMTP?


> See above. :)
>
> >> However, and this is always one that's debatable, if you don't have
> >> recipient filtering enabled on your server you'll accept email for
> >> addresses that don't exist in your domain. That can sometimes cause
> >> the diagnosis to be erroneous -- but you /should/ have recipient
> >> filtering enabled. There's no sense in accepting email that you can't
> >> deliver.

>
> >Yes, I know. I have read :
> >http://hellomate.typepad.com/exchange/2003/09/exchange_2003_r.html
> >
> >But I did follow your advice and configured Recipient filtering by
> >following this page:
> >http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
> >
> >> What domains appear in your Recipient Policies?
> >
> >Only the mycompany.fr domain
> >
> >> Do you have a SMTP
> >> Connector?
> >
> >No, not at the beginning, but... I had to set up one with DynDns to get
> >the Outbound message flow going on.
> >Otherwise, there were too many recipients (hotmail and gmail recipients to
> >name a few) that were not getting our mails.
> >I also hope that in the meantime, I shall be delisted automatically from
> >the 6 RBL since in fact, normally, no mail is flowing out from my Exchange
> >Default Virtual SMTP Server.


> If you're sending email and using a dynamically assigned IP address to
> do so that may be your problem. Dynamic IP address blocks are regularly
> listed on DNSBLs. Is your SMTP Connector sending all your mail to a
> smart host that uses a static IP address?
>
> >> If so, does it have an "Address Space" of "*"? If it does,
> >> is the box at the bottom of the "Address Space" tab checked (the one
> >> labeled "Allow messages to be relayed to these domains")? It shouldn't
> >> be.
>
> You didn't answer this part of the question. :)


My SMTP Connector is sending all the mails to outbound.mailhop.org (the
DynDns SMTP server). I paid for this provisional service this morning just
to make the users happy and get some time to make the things proper and
smooth - and also to be delisted. I am off from one RBL; five remaining.
I don't intend to use any SMTP connector in the future, when everything is
back to normal.

I also blocked the port 25 for all the workstations in the outbound rules on
the perimeter firewall, in case a client PC got infected by some stuff.


> -> Rich Matheisen
>
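The rule Rich gives in the quoted reply (an unauthenticated client that sends RCPT TO for a domain outside the Recipient Policies must get a 5xx, never a 250) can be applied to a whole day's W3C log instead of reading it by eye. The script below is an added example, not code from this thread or from Microsoft. It assumes what the extra "Advanced" log boxes add: a cs-uri-query column carrying the command argument with spaces encoded as "+", and AUTH logged as a cs-method with its 235 reply; the sample log is constructed to that assumption. The address handling also covers the forms the abuse.net transcript probes (percent hack, source route, quoted local part, bang path) by resolving each to the outer domain, which is the one that decides whether the server would be relaying.

```python
"""Flag accepted relay attempts in a Microsoft SMTP service W3C extended log.

Added example for this thread; the log layout past the #Fields line shown in the
thread is an assumption, not a documented format.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

# Domains in the server's Recipient Policies. The thread says only mycompany.fr.
LOCAL_DOMAINS = {"mycompany.fr"}

# Constructed sample log. The first four #Fields columns are the ones the thread
# shows; cs-uri-query and the AUTH record are assumed additions from extended logging.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-05 22:00:12
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
22:00:13 190.157.209.49 EHLO - +spammer.example 250
22:00:13 190.157.209.49 MAIL - +FROM:<spamtest@example.net> 250
22:00:13 190.157.209.49 RCPT - +TO:<victim@free.fr> 550
22:00:14 190.157.209.49 RCPT - +TO:<boss@mycompany.fr> 250
22:01:02 203.0.113.7 RCPT - +TO:<someone@example.org> 250
22:01:05 203.0.113.7 RCPT - +TO:<"x@free.fr"@[195.68.22.25]> 250
22:01:06 203.0.113.7 RCPT - +TO:<@[195.68.22.25]:y@free.fr> 550
22:02:00 192.168.1.20 AUTH - +LOGIN 235
22:02:01 192.168.1.20 RCPT - +TO:<partner@example.org> 250
"""

ADDR_RE = re.compile(r"<([^>]*)>")


@dataclass
class Finding:
    time: str
    client_ip: str
    recipient: str
    status: int
    reason: str


def recipient_domain(addr: str) -> Optional[str]:
    """Return the domain the server would actually hand the message to.

    Taking the part after the last '@' makes a source route (@host:user@dom),
    a percent hack (user%dom@host) and a quoted local part ("a@b"@host) all
    resolve to the outer host. A bang path or bare local part has no domain.
    """
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, naming columns from the #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed record: skip rather than misattribute columns
        yield dict(zip(fields, cols))


def find_relays(text: str) -> List[Finding]:
    """A 2xx to RCPT TO for a non-local domain from an unauthenticated IP is a relay."""
    authenticated: Set[str] = set()
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        try:
            status = int(rec["sc-status"])
        except ValueError:
            continue
        if method == "AUTH" and status == 235:
            authenticated.add(ip)  # assumption: successful AUTH is logged this way
        if method != "RCPT":
            continue
        match = ADDR_RE.search(rec.get("cs-uri-query", "").replace("+", " "))
        if not match:
            continue
        recipient = match.group(1)
        if recipient_domain(recipient) in LOCAL_DOMAINS or ip in authenticated:
            continue
        if 200 <= status < 300:
            findings.append(Finding(rec["time"], ip, recipient, status,
                                    "2xx for non-local recipient from unauthenticated client"))
    return findings


if __name__ == "__main__":
    for f in find_relays(SAMPLE_LOG):
        print(f"{f.time} {f.client_ip} accepted {f.recipient} ({f.status}): {f.reason}")
```

On the constructed sample this reports the two 250 replies to 203.0.113.7 and nothing else: the 550 replies are the server refusing correctly, boss@mycompany.fr is a policy domain, and the 192.168.1.20 session authenticated first. A 250 to a `[195.68.22.25]` literal counts as a relay because the IP literal is not a Recipient Policy domain, which is exactly what abuse.net tests 11 and 16 check for.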
 

Rich Matheisen [MVP]

On Tue, 7 Jul 2009 00:14:29 +0200, "Nicolas Macarez" <macarez@free.fr>
wrote:

[ snip ]


> My SMTP Connector is sending all the mails to outbound.mailhop.org (the
> DynDns SMTP server). I paid for this provisional service this morning just
> to make the users happy and get some time to make the things proper and
> smooth - and also to be delisted. I am off from one RBL; five remaining.
> I don't intend to use any SMTP connector in the future, when everything is
> back to normal.


But you /should/ continue to use a SMTP Connector. What you still
haven't answered is whether or not the box at the bottom of the
"Address Space" tab on that connector is checked.

-
Rich Matheisen

 

Rich Matheisen [MVP]

On Mon, 6 Jul 2009 23:19:55 +0200, "Nicolas Macarez" <macarez@free.fr>
wrote:

[ snip ]


> here is what I got tonight on abuse.net - getting better. :)


[ snip ]


> Relay test 8
> >>> RSET

> <<< 250 2.0.0 Resetting
> >>> MAIL FROM:<spamtest@[195.68.22.25]>

> <<< 250 2.1.0 spamtest@[195.68.22.25]....Sender OK
> >>> RCPT TO:<"macarez@free.fr">

> <<< 550 5.1.1 User unknown


This will go a long way towards your staying off any DNSBL.

-
Rich Matheisen

 

Nicolas Macarez

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> a écrit dans le

message de news: jdb55552s9d4ekgkb6dv9fjgoeaf3601r9@4ax.com...
> On Tue, 7 Jul 2009 00:14:29 +0200, "Nicolas Macarez" <macarez@free.fr
> wrote:

> [ snip ]
>
> >My SMTP Connector is sending all the mails to outbound.mailhop.org (the
> >DynDns SMTP server). I paid for this provisional service this morning just
> >to make the users happy and get some time to make the things proper and
> >smooth - and also to be delisted. I am off from one RBL; five remaining.
> >I don't intend to use any SMTP connector in the future, when everything is
> >back to normal.


> But you /should/ continue to use a SMTP Connector. What you still
> haven't answered is whether or not the box at the bottom of the
> "Address Space" tab on that connector is checked.


No it is not checked - and has never been checked. I am not sure about what
this checkbox is meant for.

In the SMTP Logs (the extended one, now...), how can I spot the outgoing
mail from my organization?

Many - many thanks for your help.

Nicolas
 
