
PLEASE HELP: My Exchange server is being blasted by Spammer


Mike Busch

Feb 5, 2004, 10:24:25 AM
Hey Guys I came into work this morning to find 7500 new
messages in my inbox. More than usual ;) They are
almost all coming from the Exchange Admin auto
notification. Here's the type of message I get:

****************************************
A mail message could not be sent because the following
host is unknown:

tpts9.seed.net.tw
The message that caused this notification was:


To: <rip...@ms34.hinet.net>;
<or...@ms34.hinet.net>; <ppt1...@ms47.hinet.net>;
<ppt1...@tpts9.seed.net.tw>; <pp...@yahoo.com.tw>;
<qs...@yahoo.com.tw>; <panc...@yahoo.com.tw>;
<r...@yahoo.com.tw>; <qian...@yahoo.com.tw>;
<q1231...@yahoo.com.tw>; <pow...@yahoo.com.tw>;
<oula...@yahoo.com.tw>; <ronald...@yahoo.com.tw>;
<rang...@yahoo.com.tw>; <q0...@yahoo.com.tw>;
<q120...@yahoo.com.tw>; <ov...@yahoo.com.tw>;
<pengt...@yahoo.com.tw>; <peter...@yahoo.com.tw>;
<qiann...@yahoo.com.tw>; <ques...@yahoo.com.tw>;
<pa...@yahoo.com.tw>; <s18...@yahoo.com.tw>;
<ous...@yahoo.com.tw>; <ric...@ms2.hinet.net>;
<robe...@pchome.com.tw>; <r1...@pchome.com.tw>;
<prepe...@pchome.com.tw>; <on...@pchome.com.tw>;
<or...@pchome.com.tw>; <rout...@pchome.com.tw>;
<q40...@pchome.com.tw>; <rabi...@pchome.com.tw>;
<pn...@pchome.com.tw>; <prepo...@pchome.com.tw>;
<qe...@pchome.com.tw>; <paradi...@pchome.com.tw>;
<s86...@pchome.com.tw>; <ox...@pchome.com.tw>;
<rir...@pchome.com.tw>; <rd...@seed.net.tw>;
<qu...@seed.net.tw>; <oy...@seed.net.tw>;
<pz...@seed.net.tw>; <ran...@seed.net.tw>;
<rt...@seed.net.tw>; <saga_...@seed.net.tw>;
<rq...@seed.net.tw>; <pi...@seed.net.tw>;
<rb...@seed.net.tw>; <pm...@seed.net.tw>;
<sa...@ms65.hinet.net>; <ron...@ms10.hinet.net>;
<r121...@ms10.hinet.net>; <s66...@ms10.hinet.net>;
<sais...@ethome.net.tw>; <o...@ethome.net.tw>;
<ppt1...@ms11.hinet.net>; <po8...@ms26.hinet.net>;
<rk...@ms68.hinet.net>; <ppk1...@ms68.hinet.net>;
<penn...@sinamail.com>; <qj...@sinamail.com>;
<sai...@sinamail.com>; <quinte...@sinamail.com>;
<rq...@sinamail.com>; <qe...@ms24.hinet.net>;
<pei...@ms24.hinet.net>; <o...@ms24.hinet.net>;
<rl...@ms32.hinet.net>; <pa...@ms17.hinet.net>;
<reb...@url.com.tw>; <p121...@ms14.hinet.net>;
<pee...@ms48.hinet.net>; <rcl...@ms48.hinet.net>;
<po...@ms3.hinet.net>; <sam...@ms3.hinet.net>;
<ppt1...@ms31.hinet.net>; <sam...@ms31.hinet.net>;
<pr...@ms21.hinet.net>; <ppt1...@ms21.hinet.net>;
<ppt2...@tpts4.seed.net.tw>; <pop...@ms43.hinet.net>;
<pegg...@ms16.hinet.net>; <pum...@taiwan.com>;
<ppk1...@ms33.hinet.net>; <reemp...@mail2000.com.tw>;
<q33...@ms27.hinet.net>; <pri...@ms27.hinet.net>;
<ppk1...@ms69.hinet.net>; <ppk1...@ms69.hinet.net>;
<pri...@ms55.hinet.net>; <p1200...@cm1.ethome.net.tw>;
<sam...@cm1.ethome.net.tw>; <ppt1...@ms42.hinet.net>;
<r2...@ms12.hinet.net>; <rmo...@ms57.url.com.tw>;
<ray...@ms52.hinet.net>; <pan3...@ms39.hinet.net>
From: <ma...@216.181.47.4>
Subject:

***************************************

216.181.47.4 is my public IP for my exchange server. This
weekend I was making many changes to my router and
firewall to open up my network to our new New Jersey office
(we are in Maryland). But I have a feeling I have opened
myself up to spammer attacks. I've got 7500 other
messages that look just like the one above. The name Mark
will change to simon or john or frank periodically, but
the type of error I'm getting and the from @218.181.47.4
is always the same. What did I do on my firewall that
opened me up to attack?

Spammers suck! and now so does my morning.

Your advice and wisdom is greatly appreciated.

Thanks,
Mike Busch


Simon Jackson

Feb 5, 2004, 10:57:13 AM
Mike,
Is your Exchange server open to relay mail for others? If
so search the Microsoft site for how to prevent mail
relaying.

Also you could be being a little unlucky...I have seen the
scenario where spammers send a mailshot and instead of
just making up a nonsense mail address for the reply field
they actually use somebody's real MX return address. This
way when a mail system attempts to block them by doing a
reverse lookup check everything seems to be OK. Your
records are valid.

You have identified that the mails all have @216.181.47.4
in them - Can you set something to filter these mails as
they come into the organisation? What version of Exchange
are you running?

Regards,
Sam.


Andy Peck

Feb 5, 2004, 11:24:08 AM
Mike

Bad news: you are acting as an open relay.

To verify this yourself (just in case you're unsure):
http://support.microsoft.com/default.aspx?scid=kb;en-us;313395&Product=exch2k

Articles on how to stop being a relay
http://www.slipstick.com/exs/relay.htm

(IMHO) The firewall is a red herring; the mail comes over port 25 regardless
of whether it's legit or spam.

Hope this helps

Andy Peck


Mike Busch

Feb 5, 2004, 3:11:44 PM

I'm running Exchange 5.5. I believe it is open for SMTP
relay. I didn't build this server and it is a very
problematic one at that. Scheduled for replacement and
upgrade to EXCH2K3, however that doesn't help me in the
mean time. Any advice would be appreciated.

Mike


Mike Busch

Feb 5, 2004, 3:35:53 PM

The first link didn't really apply to me as I'm currently
(and not for long) running EXCH5.5. However this link:

Articles on how to stop being a relay
http://www.slipstick.com/exs/relay.htm


Became extremely helpful and ultimately helped me figure
the problem out. This past weekend a group of NJ IT
people were opening up traffic between our offices. In
doing so we changed IMS routing on the exchange server.
Someone over there told me to open their domain as a relay
instead of inbound. I believe this is what caused the
problem. I changed that entry to inbound and so far have
not had a problem since.

Thanks so much for your advice. It was greatly
appreciated.

Mike B.


Andy Peck

Feb 6, 2004, 4:21:23 AM
Mike

I'm glad that pointed you in the right direction.

The first article was really only meant as a test to prove you were
operating as an open relay. The command set is common to all Exchange
versions, in fact common to all SMTP services.

Andy Peck


"Mike Busch" <anon...@discussions.microsoft.com> wrote in message
news:abf201c3ec27$a6801f40$a301...@phx.gbl...
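The two points the thread turns on are the relay decision a gateway makes at RCPT TO (Mike's fix: the remote office's domain had been configured as a relay target instead of inbound) and the manual telnet check Andy refers to, which works the same against any SMTP service. The following is an added example written for this page, not code from the thread or from Exchange: it models a generic relay policy (local domains are accepted inbound, listed client networks may relay, anything else gets 550) and scripts the relay check against it in memory, so nothing connects to a real server. The domain names, client addresses and the policy fields are constructed; the model does not reproduce the actual Exchange 5.5 IMS routing settings.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    """Decides which RCPT TO addresses a gateway accepts from a given client.

    local_domains:  domains this server is the final destination for (inbound).
    relay_networks: client networks allowed to hand us mail for other domains.
    open_relay:     the misconfiguration: relay for any client to any domain.
    (All of these are constructed for the example, not Exchange settings.)
    """
    local_domains: set[str]
    relay_networks: list[str] = field(default_factory=list)
    open_relay: bool = False

    def __post_init__(self) -> None:
        self._nets = [ip_network(n) for n in self.relay_networks]

    def rcpt_decision(self, client_ip: str, rcpt: str) -> tuple[int, str]:
        """Return the SMTP reply (code, text) for one RCPT TO from client_ip."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return 250, "OK, inbound recipient"
        trusted = any(ip_address(client_ip) in net for net in self._nets)
        if self.open_relay or trusted:
            return 250, "OK, relaying"
        return 550, "Relaying denied"


class SmtpSession:
    """Minimal SMTP command handler: just enough to script the relay check."""

    def __init__(self, policy: RelayPolicy, client_ip: str) -> None:
        self.policy = policy
        self.client_ip = client_ip
        self.transcript: list[str] = ["S: 220 mail.example.test ESMTP (constructed banner)"]

    def send(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply = "250 mail.example.test Hello"
        elif verb == "MAIL":
            reply = "250 OK"  # the envelope sender is never a relay criterion
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            code, text = self.policy.rcpt_decision(self.client_ip, rcpt)
            reply = f"{code} {text}"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "500 Unrecognised command"
        self.transcript += [f"C: {line}", f"S: {reply}"]
        return reply


def relay_accepted(policy: RelayPolicy, client_ip: str = "203.0.113.7") -> bool:
    """Scripted version of the manual check: the client sends MAIL FROM and
    RCPT TO with two foreign domains. True means the RCPT was accepted (250)."""
    session = SmtpSession(policy, client_ip)
    session.send("HELO outside.test")
    session.send("MAIL FROM:<sender@outside.test>")
    reply = session.send("RCPT TO:<someone@elsewhere.test>")
    session.send("QUIT")
    return reply.startswith("250")


if __name__ == "__main__":
    local = {"example.test"}
    broken = RelayPolicy(local_domains=local, open_relay=True)
    fixed = RelayPolicy(local_domains=local, relay_networks=["192.0.2.0/24"])
    # From an arbitrary Internet client the broken policy relays, the fixed one refuses.
    print("broken policy relays for strangers:", relay_accepted(broken))
    print("fixed policy relays for strangers: ", relay_accepted(fixed))
    # The fixed policy still takes inbound mail and still relays for the trusted office.
    print("inbound to example.test:", fixed.rcpt_decision("203.0.113.7", "bob@example.test"))
    print("trusted office client:  ", relay_accepted(fixed, client_ip="192.0.2.10"))
```

The check is the same one the linked KB article walks through by hand: if a foreign-to-foreign RCPT TO is answered with 250 from an untrusted client, the server is relaying for strangers, which is what produced the 7500 bounces in the thread. The policy object is where the fix lives: the remote office belongs in `relay_networks` (or, if you are the final destination for its domain, in `local_domains`), never in a setting that relays for everyone.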
