You may be relay free (i.e. a spammer is *not* using your servers as a relay) but said scumbag is using one of your addresses as a forged "From:" address.
1) spammer sends out messages appearing to come from "[EMAIL PROTECTED]" 2) many many many recipients do not exist 3) receiving mail systems send the NDR bounce to the perceived sender "[EMAIL PROTECTED]" 4) ??? 5) profit! > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Friday, December 19, 2003 9:47 AM > To: Exchange Discussions > Subject: TONS of NDR's > > > Exch5.5 sp4 on win2k sp4 > > > I have no idea where they are all comming from. Every > morning I come in and > the que is stacked with 24,000+ NDR messages, they look like spam but > abuse.net spamcop, openrbl, and ordb all say I am relay free, > IT policy > forces strong passwords and guest is disabled. I'm at a loss > where these > messages are comming from, but they look like they are relaying. > > Reading the open relay/spamcop thread I wonder if someone got > compromised, > is there a logging setting that will tell me what user > accounts are being > used to auth against? Or does anyone know what events those > would be logged > as? Any help is always greatly appreciated. > > > e- > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t ext_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
