Just a thought, Joe - if you do no legitimate business/e-mail with Asian locations, you can block some /8 addresses and pretty much cut that traffic out altogether. That's what I do here, cuts way down on attempted attacks and spam. Drop me a note offline if you want specifics on that.
David
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, February 11, 2004 9:37 PM
To: Exchange Discussions
Subject: RE: I'm being used to relay spam, how the hell do I stop it?

I had just figured that out and finished turning on logging probably while you were writing your message. Thanks for the response though!

Of course it's all quiet now (no spam coming in). Since the IP addresses that were being used to spam through us were in China I'm guessing things will pick back up again when it's night there, and daytime here... That seems to be the pattern so I'll keep my eyes peeled in the morning...

Thanks again. As much as I hate to say that I've had a user's password compromised, at this point I'll be happy if it is something that simple (so long as I find it and close the hole!).

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 11:48 PM
To: Exchange Discussions
Subject: RE: I'm being used to relay spam, how the hell do I stop it?

Husked is not the user, it's the machine name that connected. Turn on audit logging in the local machine policy and also turn on logon event logging on the Exchange server Diagnostics page (Transport section I think). The SMTP Protocol log will sadly not show the AUTH attempts.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Posted At: Wednesday, February 11, 2004 4:26 PM
Posted To: Microsoft Exchange
Conversation: I'm being used to relay spam, how the hell do I stop it?
Subject: I'm being used to relay spam, how the hell do I stop it?

After getting a complaint from one of the support staff that the amount of NDR's had increased dramatically over the past few days, I started digging... I noticed that for the last few days my SMTP logs have gotten much larger than they have been for the past two months... More digging.

Reading the logs, it appears our server is accepting messages and then later in the logs I see outbound connections opening to try and deliver the messages... I know this will probably wrap horribly for the list, but I've pasted together an entire transaction from the spammer...

  21:11:55 200.67.88.184 husked SMTPSVC1 SEQUOYAH 10.1.1.3 0 EHLO - =+husked 250 321 11 - -
  21:12:00 200.67.88.184 husked 10.1.1.3 0 MAIL - +FROM:+<[EMAIL PROTECTED]> 250 51 39 - -
  21:12:01 200.67.88.184 husked 10.1.1.3 0 RCPT - +TO:<[EMAIL PROTECTED]> 250 30 27 - -
  21:12:03 200.67.88.184 husked 10.1.1.3 0 DATA - <[EMAIL PROTECTED]> 250 131 1083 - -
  21:12:55 KEBIMail OutboundConnectionCommand - 25 EHLO - sequoyah.namfg.com 0 4 0 - -
  21:12:55 KEBIMail OutboundConnectionResponse - 25 - - 250-kebi.com+Hello+[63.147.248.70],+pleased+to+meet+you 0 55 0 - -
  21:12:55 KEBIMail OutboundConnectionCommand - 25 MAIL - FROM:<[EMAIL PROTECTED]>+SIZE=1438 0 4 0 - -
  21:12:56 KEBIMail OutboundConnectionResponse - 25 - - 250+2.1.0+<[EMAIL PROTECTED]>...+Sender+ok 0 51 0 - -
  21:12:56 KEBIMail OutboundConnectionCommand - 25 RCPT - TO:<[EMAIL PROTECTED]> 0 4 0 - -
  21:12:56 KEBIMail OutboundConnectionResponse - 25 - - 250+2.1.5+<[EMAIL PROTECTED]>...+Recipient+ok 0 45 0 - -
  21:12:56 KEBIMail OutboundConnectionCommand - 25 DATA - - 0 4 0 - -
  21:12:56 KEBIMail OutboundConnectionResponse - 25 - - 354+Enter+mail,+end+with+"."+on+a+line+by+itself 0 48 0 - -
  21:12:57 KEBIMail OutboundConnectionResponse - 25 - - 250+2.0.0+i1BLCts8020222+Message+accepted+for+delivery 0 54 0 - -
  21:12:57 KEBIMail OutboundConnectionCommand - 25 QUIT - - 0 4 0 - -
  21:12:57 KEBIMail OutboundConnectionResponse - 25 - - 221+2.0.0+kebi.com+closing+connection 0 37 0 - -

In my SMTP server properties I have relaying enabled for some specific internal IP's (all in the 10.x.x.x range) and users who authenticate... 200.67.88.184 is definitely not on that list and we do not have a user named "husked"...

According to the mail relay tests that I've run, we're not a relay (Relaying Prohibited)...

  <<< 220 sequoyah.namfg.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Wed, 11 Feb 2004 17:02:06 -0500
  >>> HELO www.abuse.net
  <<< 250 sequoyah.namfg.com Hello [208.31.42.77]
  Relay test 1
  >>> RSET
  <<< 250 2.0.0 Resetting
  >>> MAIL FROM:<[EMAIL PROTECTED]>
  <<< 250 2.1.0 [EMAIL PROTECTED] OK
  >>> RCPT TO:<[EMAIL PROTECTED]>
  <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
  Relay test 2
  >>> RSET
  <<< 250 2.0.0 Resetting
  >>> MAIL FROM:<spamtest>
  <<< 250 2.1.0 [EMAIL PROTECTED] OK
  >>> RCPT TO:<[EMAIL PROTECTED]>
  <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
  Relay test 3
  >>> RSET
  <<< 250 2.0.0 Resetting
  >>> MAIL FROM:<>
  <<< 250 2.1.0 <>....Sender OK
  >>> RCPT TO:<[EMAIL PROTECTED]>
  <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
  Relay test 4
  >>> RSET
  <<< 250 2.0.0 Resetting
  >>> MAIL FROM:<[EMAIL PROTECTED]>
  <<< 250 2.1.0 [EMAIL PROTECTED] OK
  >>> RCPT TO:<[EMAIL PROTECTED]>
  <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
  Relay test 5
  >>> RSET
  <<< 250 2.0.0 Resetting
  >>> MAIL FROM:<[EMAIL PROTECTED]>
  <<< 250 2.1.0 [EMAIL PROTECTED] OK
  >>> RCPT TO:<[EMAIL PROTECTED]>
  <<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
  Relay test 6
  >>> RSET
  <<< 250 2.0.0 Resetting
  >>> MAIL FROM:<[EMAIL PROTECTED]>
  <<< 250 2.1.0 [EMAIL PROTECTED] OK
  >>> RCPT TO:<[EMAIL PROTECTED]>
  <<< 250 2.1.5 [EMAIL PROTECTED]
  >>> DATA
  <<< 354 Start mail input; end with <CRLF>.<CRLF>
  >>> (message body)
  <<< 250 2.6.0 <[EMAIL PROTECTED]> Queued mail for delivery

Sorry for the long message, but I'm at a loss... HELP!

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.
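An added detection example, not part of the thread: given SMTP log lines in the trimmed layout Joe posted, it flags clients outside the internal relay range whose RCPT to a non-local domain was accepted with 250; since the abuse.net test shows unauthenticated relay is refused with 550 5.7.1, such a session went through AUTH. The sample lines and recipient addresses are constructed, the 10.0.0.0/8 whitelist and namfg.com come from the post, and, as Andy points out, the cs-username field is the connecting machine's EHLO name, so the account actually used has to come from the logon audit events.

```python
import ipaddress
import re

# Constructed sample in the trimmed layout of the log lines in the post:
# time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
SAMPLE_LOG = """\
21:11:55 200.67.88.184 husked 10.1.1.3 0 EHLO - =+husked 250 321 11 - -
21:12:01 200.67.88.184 husked 10.1.1.3 0 RCPT - +TO:<victim@example.net> 250 30 27 - -
21:12:55 KEBIMail OutboundConnectionCommand - 25 EHLO - sequoyah.namfg.com 0 4 0 - -
21:13:10 10.1.1.50 - 10.1.1.3 0 RCPT - +TO:<partner@example.net> 250 30 27 - -
21:14:02 208.31.42.77 - 10.1.1.3 0 RCPT - +TO:<someone@example.com> 550 30 27 - -
"""

ALLOWED_RELAY_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # the post's 10.x.x.x range
LOCAL_DOMAINS = {"namfg.com"}  # mail to a local domain is delivery, not relay
SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "QUIT", "AUTH"}
RCPT_RE = re.compile(r"TO:<([^>]*)>", re.IGNORECASE)

def parse_line(line):
    """Return time/client/name/method/query/status for an inbound line, else None.
    cs-username is the connecting machine's EHLO name, not the AUTH account."""
    f = line.split()
    # Outbound delivery lines carry OutboundConnectionCommand/Response in that field.
    if len(f) < 9 or f[2].startswith("OutboundConnection"):
        return None
    m = next((i for i, t in enumerate(f) if i >= 3 and t in SMTP_VERBS), None)
    if m is None or len(f) < m + 4:  # method, uri-stem '-', uri-query, sc-status
        return None
    return {"time": f[0], "client": f[1], "name": f[2],
            "method": f[m], "query": f[m + 2], "status": f[m + 3]}

def is_internal(ip_text):
    try:
        return any(ipaddress.ip_address(ip_text) in n for n in ALLOWED_RELAY_NETS)
    except ValueError:  # host names rather than addresses are never whitelisted
        return False

def find_relay_abuse(log_text):
    """Clients outside the relay whitelist whose RCPT to a foreign domain got 250.
    Unauthenticated relay is refused with 550 5.7.1, so these went through AUTH."""
    hits = {}
    for line in log_text.splitlines():
        r = parse_line(line)
        rcpt = RCPT_RE.search(r["query"]) if r and r["method"] == "RCPT" else None
        if rcpt is None or r["status"] != "250":
            continue
        domain = rcpt.group(1).rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS or is_internal(r["client"]):
            continue
        hits.setdefault((r["client"], r["name"]), []).append((r["time"], rcpt.group(1)))
    return [{"client": c, "helo_name": n, "relayed": v} for (c, n), v in hits.items()]
```

Run against the real log, each hit gives the source IP and time window to match against the logon audit events Andy recommends enabling, which is where the compromised account will show up.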
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]

To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
