Re: Open relay issues

2003-09-04 Thread Chris Scharff
Those aren't relay failures, there's nothing to fix. They are (exclusively I
think) tests for other mail servers which at one point used to incorrectly
relay mail formatted like that. Exchange does not. My server 'fails' the
same tests. If you crank up logging on the SMTP conversation, what addresses
is the connecting IP address sending to?

> From: "Pat Richard" <[EMAIL PROTECTED]>
> Reply-To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Date: Thu, 4 Sep 2003 23:25:10 -0400
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Subject: Open relay issues
> 
> Okay, I'm still looking through the archives and stuff, but it's late, so I'll
> post this before I call it a night.
> 
> Client has a server that suddenly shuts down.
> 
> I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the
> badmail folder. All dated within the last two or three days. The server had
> shut down because the drive ran out of space.
> 
> So I clear that up and start nosing around..
> 
> I check for open relay (telnet), and can't find any problem. I start to think
> maybe this is a SoBig.F issue, until I read some of the NDRs.
> 
> Within fifteen minutes, badmail starts to accumulate again. I look further,
> and see a connection in the OPEN SESSIONS section of System Manager. I kill
> the connection after jotting down some details. Queues are just jammed full of
> crap - Viagra ads, etc.
> I clear this out again, along with badmail, and start watching. Sure enough, a
> short time later, someone from the same IP subnet connects and it starts all
> over.
> I look through a ton of articles on open relay, and everything checks out.
> Then, I run this test: http://tools.appriver.com/openrelay.php which basically
> tries to relay using various combinations of addressing formats.
> Test #14 fails
> Test #16 fails
> Test #28 fails
> #14 uses a rcpt to format of
> RCPT TO: <"[EMAIL PROTECTED]">
> Notice the quotes.
> #16 uses
> RCPT TO: <"relaytest%appriver.com">
> Notice the quotes and the %
> #28 uses
> RCPT TO: 
> notice the format there.
> 
> I manually tried each one via telnet against the server. Sure enough, the
> server doesn't complain. But every one bounces back with an NDR complaining
> about the recipient address. So my belief is that they're attempting one (or
> more) of these methods, and all of them are bouncing, causing the badmail
> problem.
> 
> My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3.
> Connection is firewalled T1.
> 
> Any help would be greatly appreciated. Thanks!
> 


List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


Open relay issues

2003-09-04 Thread Pat Richard
Okay, I'm still looking through the archives and stuff, but it's late, so I'll post 
this before I call it a night.
 
Client has a server that suddenly shuts down.
 
I reboot and troubleshoot, to find literally TENS OF THOUSANDS of items in the badmail 
folder. All dated within the last two or three days. The server had shut down because 
the drive ran out of space.
 
So I clear that up and start nosing around..
 
I check for open relay (telnet), and can't find any problem. I start to think maybe 
this is a SoBig.F issue, until I read some of the NDRs.
 
Within fifteen minutes, badmail starts to accumulate again. I look further, and see a 
connection in the OPEN SESSIONS section of System Manager. I kill the connection after 
jotting down some details. Queues are just jammed full of crap - Viagra ads, etc.
I clear this out again, along with badmail, and start watching. Sure enough, a short 
time later, someone from the same IP subnet connects and it starts all over.
I look through a ton of articles on open relay, and everything checks out. Then, I run 
this test: http://tools.appriver.com/openrelay.php which basically tries to relay using 
various combinations of addressing formats.
Test #14 fails
Test #16 fails
Test #28 fails
#14 uses a rcpt to format of 
RCPT TO: <"[EMAIL PROTECTED]"> 
Notice the quotes.
#16 uses
RCPT TO: <"relaytest%appriver.com"> 
Notice the quotes and the %
#28 uses
RCPT TO:  
notice the format there.
 
I manually tried each one via telnet against the server. Sure enough, the server 
doesn't complain. But every one bounces back with an NDR complaining about the 
recipient address. So my belief is that they're attempting one (or more) of these 
methods, and all of them are bouncing, causing the badmail problem.
 
My question is, how do I close this hole? Server is Win2k SBS SP4, E2k SP3. Connection 
is firewalled T1.
 
Any help would be greatly appreciated. Thanks!
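The telnet procedure described in both messages above, as an added example that is not code from the thread, from Exchange or from the AppRiver tester: a Python script that replays the relay tester's RCPT TO formats (quoted local parts, the % hack, source routes, bang paths) against a loopback SMTP listener, together with a reference relay check that refuses those forms at RCPT TO instead of accepting them and generating an NDR later. The domains and addresses (example.com as the local domain, example.net as the external target, probe@example.org as the sender) are assumptions, and the listener's lenient mode is a constructed stand-in for the behaviour the thread describes, where every RCPT TO gets a 250 and the undeliverable ones bounce into badmail.

```python
"""Added example, not code from the thread, Exchange or the relay tester.
Every host, domain and address below is hypothetical."""
import re
import socket
import socketserver
import threading

LOCAL_DOMAIN = "example.com"  # hypothetical: the only domain we accept mail for

def relay_test_recipients(user="relaytest", ext="example.net", us=LOCAL_DOMAIN):
    """Constructed recipients in the style of the thread's test cases."""
    return [
        f"<{user}@{ext}>",          # plain external recipient
        f'<"{user}@{ext}">',        # quoted local part with an embedded '@' (cf. #14)
        f'<"{user}%{ext}">',        # quoted percent hack, no domain at all (cf. #16)
        f"<{user}%{ext}@{us}>",     # percent hack routed through our domain
        f"<@{us}:{user}@{ext}>",    # RFC 821 source route via our host
        f"<{ext}!{user}@{us}>",     # UUCP bang path
        f'<"{user}@{ext}"@{us}>',   # quoted external address "at" our domain
    ]

_RCPT_ARG = re.compile(r"^\s*TO:\s*<(.*)>\s*$", re.IGNORECASE)

def may_accept(rcpt_arg, local_domain=LOCAL_DOMAIN, authenticated=False):
    """Relay policy: only a bare local mailbox unless the session authenticated.
    A 5xx here keeps the message out of the queue, so it never becomes an NDR."""
    if authenticated:
        return True
    m = _RCPT_ARG.match(rcpt_arg)
    if not m:
        return False
    path = m.group(1)
    if path.startswith("@") or "@" not in path:  # source route or domain-less
        return False
    local, _, domain = path.rpartition("@")
    if domain.lower() != local_domain:
        return False
    # bare token only: no quotes, '%', '!' or a second '@' hiding another hop
    return re.fullmatch(r"[A-Za-z0-9._+=-]+", local) is not None

class _Handler(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer the probe; RCPT TO is where policy applies."""
    def handle(self):
        self.wfile.write(b"220 mx.example.com ESMTP\r\n")
        for raw in self.rfile:
            cmd, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "RCPT":
                ok = self.server.lenient or may_accept(arg)
                self.wfile.write(b"250 2.1.5 OK\r\n" if ok else b"550 5.7.1 Unable to relay\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            elif cmd in ("HELO", "EHLO", "MAIL", "RSET"):
                self.wfile.write(b"250 OK\r\n")
            else:
                self.wfile.write(b"502 5.5.2 Not implemented\r\n")

class RelayTestServer(socketserver.ThreadingTCPServer):
    """Loopback listener; lenient=True mimics the thread: 250 to every RCPT TO."""
    allow_reuse_address = True
    daemon_threads = True
    def __init__(self, lenient=False):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.lenient = lenient
        threading.Thread(target=self.serve_forever, daemon=True).start()

def _reply(f):
    """Read one SMTP reply, multi-line aware; return (code, text)."""
    text = []
    while True:
        line = f.readline().decode("latin-1").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("connection closed by server")
        text.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), " ".join(text)

def probe(host, port, recipients, sender="probe@example.org"):
    """One session, one RCPT TO per candidate, RSET in between (the telnet
    procedure from the thread). Returns {recipient: reply code}."""
    codes = {}
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        def cmd(text):
            s.sendall(text.encode("latin-1") + b"\r\n")
            return _reply(f)
        _reply(f)  # 220 banner
        cmd("HELO probe.example.org")
        for rcpt in recipients:
            cmd(f"MAIL FROM:<{sender}>")
            codes[rcpt] = cmd(f"RCPT TO:{rcpt}")[0]
            cmd("RSET")
        cmd("QUIT")
    return codes

def accepted_at_rcpt(codes):
    """Recipients taken at RCPT TO: what the tester counts as a 'failed' test.
    It is a relay only if the mail is then delivered outward, not NDR'd."""
    return sorted(r for r, c in codes.items() if 200 <= c < 300)
```

Point `probe()` at a real server instead of the loopback listener to repeat the hand test from the thread in one go; a 250 to any of these forms is only evidence of a relay if the message then leaves the queue for the external domain, while a 550 at RCPT TO is what stops the bounces from ever reaching badmail. The same session, as seen in the server's SMTP protocol log, is also where to read which addresses the connecting host is actually trying.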