RE: Exchange 5.5 server HACKED!
Ah the good old days

W. Andrew Philips
Customer Service Manager
Networks Plus
(785) 587-4121 x202
(785) 267-6800 x202
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Neil Hobson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 10:12 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 5.5 server HACKED!

Hey Dan! You never did get back to Ed Woodrick on this list all those years ago as to why Exchange uses an Access database as an engine format!

-----Original Message-----
From: Dan Schwartz [mailto:[EMAIL PROTECTED]]
Posted At: 16 July 2002 15:55
Posted To: Sunbelt Exchange List
Conversation: Exchange 5.5 server HACKED!
Subject: RE: Exchange 5.5 server HACKED!

OK, does anyone have a list of the ports Exchange 5.5 uses, besides 25 & 110?

Also, if anyone wants to look at the Event Logs, simply click on:
http://www.rogue-admins.com/dansworld/Exchange_Attack_App_Eventlog.zip
[This is a new link & new file from the one previously posted by me.]

Cheers!
Dan

There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence. (Jeremy S. Anderson)

-----Original Message-----
From: Ely, Don [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:36 AM
Subject: RE: Exchange 5.5 server HACKED!

U... Telnetting to the server alone does NOT mean the server is an open relay... I can telnet port 25 to any server in the world, that doesn't mean I can relay mail...

-----Original Message-----
From: Joe Irvine [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:38 AM
Subject: RE: Exchange 5.5 server HACKED!

Actually, no.. if you can telnet to the mail server you can relay. No hacking needed. This is by the very nature of exchange. I would recommend looking at not allowing characters like %$! through your firewall. Here's a link to check to see if you have an open relay..
http://www.abuse.net/relay.html

Thanks,
Joe Irvine

-----Original Message-----
From: Dan Schwartz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:30 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 5.5 server HACKED!
Importance: Low

Look at the 4031 error messages, which indicate SOMEONE is trying to relay through the server, and since unauthorized relaying is prohibited that tells me someone has hacked in.

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 1:03 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 5.5 server HACKED!

Then it's sorta in production then, yes? Was there a concern other than the 4318's?

-----Original Message-----
From: Dan Schwartz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 9:55 PM
Subject: RE: Exchange 5.5 server HACKED!

Yes, it's connected, and the DNS servers have been pointed at it for about a week...

List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm

RE: STORE.EXE CPU Usage
What happens when you stop the AV software? If you are backing up your Exchange data with the server online - you must be using the agent

-----Original Message-----
From: Andy David [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 8:08 AM
To: MS-Exchange Admin Issues
Subject: RE: STORE.EXE CPU Usage

And this started all of a sudden? Any Anti-Virus installed? Anything in the event logs? The high CPU usage is holding steady?

-----Original Message-----
From: Robert Jackson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 8:31 AM
To: MS-Exchange Admin Issues
Subject: RE: STORE.EXE CPU Usage

Exchange SP4
Used also as a domain controller
Shared Directories for File Sharing.
No changes that I am aware of.

Regards,
Rab.

Robert Jackson
Software Engineer
Walker Martyn Ltd
1 Park Circus Place
Glasgow G3 6AH, Scotland
Phone: +44 (0) 141 332 7999
Fax: +44 (0) 141 331 2820
Email: [EMAIL PROTECTED]
Web: http://www.walkermartyn.co.uk

-----Original Message-----
From: Andy David [mailto:[EMAIL PROTECTED]]
Sent: 28 May 2002 12:36
To: MS-Exchange Admin Issues
Subject: RE: STORE.EXE CPU Usage

What Exchange SP are you on? What else do you have running on that box? Any recent changes made?

-----Original Message-----
From: Robert Jackson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 2:04 AM
To: MS-Exchange Admin Issues
Subject: STORE.EXE CPU Usage

Hi All,

We've got a problem with an Exchange Server running Windows NT4.0 Server. If I have a look at taskmgr, I find that STORE.EXE is running away with 50% of CPU usage. I've had a look at the Microsoft Knowledgebase. Article Q243950 states that this problem can arise if using ARCServe Agent for Exchange Server Backup. We are using ARCServe but I don't think we are using the Exchange Server Agent. I cannot find the registry key that this article talks about.

Can anyone please help?

TIA,
Rab.

RE: Exchange Server infected.
there may not be virus problems - DITTO what Greg said... NAV will go through the information store and apply the rules you have implemented to existing email in everyone's mailboxes. Anything it finds will result in the actions you have set up.. i.e. delete, quarantine, notify etc. The notification emails will be sent regardless of any users being logged in. I would set the rules to quarantine everything the 1st shot so you don't lose emails or attachments. If you ever move mailboxes from one store to another in the future it will do the same thing and dig up more rule violations.

W. Andrew Philips
Customer Service Manager
Networks Plus
(785) 587-4121 x202
(785) 267-6800 x202
[EMAIL PROTECTED]

-----Original Message-----
From: Ben Ong [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 2:23 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange Server infected.

6 of the mailboxes are having this problem. I deleted all the mailboxes and recreated a new mailbox. Still does not work. I even switched the NAVMSE from VAPI/MAPI to MAPI mode and did a manual scan; no virus was found in all mailboxes.

Thanks
Ben

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2002 13:19
To: MS-Exchange Admin Issues
Subject: RE: Exchange Server infected.

Are you sure that is the case? Klez masks the sender so it could be from a third party that is not associated with you at all. Run a scan and look at your logs.

Jim Zangara, MCSE+I, A+
IT Manager
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Ben Ong [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 08, 2002 9:04 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange Server infected.

Yes, I had turned on the blocking of file attachments (NAVMSE 2.18). I'm puzzled why the email was sent out even without the user of that mailbox logged in to his PC.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2002 09:57
To: MS-Exchange Admin Issues
Subject: RE: Exchange Server infected.

Have you recently turned on File Attachment Blocking? It looks like somebody has. NAVMSE is scanning through all the mailboxes and deleting attached files with extensions in the list set up in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.5\BlockingPolicy\Attachment (the 2.5 will match whatever version you have, I believe 2.1 was the first version to support this).

Greg Ewy
Trilogy Systems
515-964-9505
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Ben Ong [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 08, 2002 8:54 PM
To: MS-Exchange Admin Issues
Subject: Exchange Server infected.

Hi,

I suspect my Exchange server is having some kind of infection. I have a few mailboxes which are sending email on their own, even when the user's PC was not on.

Help!!!

Thanks
Ben

-----Original Message-----
To: postmaster
Subject: Admin Alert: Norton AntiVirus detected a virus in a message. The infected file was deleted.

Sender of the infected attachment: webmaster
Recipient of the infected attachment: Tham Kok Yun\Inbox
Subject of the message: And Resources
One or more attachments were deleted.
Attachment nowrap.exe was Deleted for the following reasons:
Virus UNAUTHORIZED FILE was found.

RE: Mailbox size limits
100 Meg except for the owners, they are unlimited

W. Andrew Philips
Customer Service Manager
Networks Plus
(785) 587-4121 x202
(785) 267-6800 x202
[EMAIL PROTECTED]

-----Original Message-----
From: Jon Farr [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 12:34 PM
To: MS-Exchange Admin Issues
Subject: Mailbox size limits

I'm curious what other businesses are using for mailbox size limits. We have a user at one client who keeps insisting that 90Mb isn't enough (we've already made exceptions to get her to that point). I'd like to have some comparisons to show her that 90Mb is ridiculous. For 95% of the users, we use the defaults from Exchange (45/60/80), which still seems large to me. Then there are the few packrats who won't delete an email. Ever.

thanks,
Jon Farr

RE: Question for Exchange 2000 and Terminal Server
works great for me

-----Original Message-----
From: James Chris L [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 9:42 AM
To: MS-Exchange Admin Issues
Subject: Question for Exchange 2000 and Terminal Server

This is a question for someone who has used Exchange 2000 for a while. What disadvantages are there to using Terminal Server to administer an Exchange 2000 server? What type of problems might occur when Terminal Services are used to Logon and Administer an Exchange 2000 server?

RE: Future plans 2
you must not be married.

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 10:34 AM
To: MS-Exchange Admin Issues
Subject: RE: Future plans 2

I've never been inside one of these 'WalMart' places you refer. I don't think they exist. Are you sure you have the name right?

-----Original Message-----
From: Neil Hobson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 12:44 AM
To: MS-Exchange Admin Issues
Subject: RE: Future plans 2

The reason I mentioned OWA in the first place is because I've done this for a customer of mine in the UK. They've got several people from a small corner-shop outfit in the USA (called WalMart I think...!) accessing mailboxes on their system via OWA. Using SSL of course... :-)

Neil Hobson
Silversands
http://www.silversands.co.uk
Microsoft Gold Certified Partner
For Enterprise Systems
For Collaborative Solutions

-----Original Message-----
From: Matthew Carpenter [mailto:[EMAIL PROTECTED]]
Posted At: 13 February 2002 21:09
Posted To: Sunbelt Exchange List
Conversation: Future plans 2
Subject: RE: Future plans 2

That is the best answer I have received, and you are right. I have no idea how to implement this without dropped mail to nonhomed recipients here OR there. I will discuss with them the different options that truly seem available:

They home the mailboxes and we use OWA to use their domain

there is a LEGAL partnership in which we act as connected sites, only passing THEIR address book

I have not found another way around this, nor have I heard a good alternative otherwise

-----Original Message-----
From: Benjamin Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 1:08 PM
To: MS-Exchange Admin Issues
Subject: RE: Future plans 2

I'm just saying that you may want to consult with your legal department. Having the permission of the owner of the domain doesn't mean squat in the legal world. You are talking about basically interchanging internal company information. That, plus you don't have a plan in place how you want to accomplish this. The owner of the domain may not realize the scope of a project like this, which may not even be possible.

In your given scenario below, if you were to add an MX record for their domain and accept it as inbound, you would HAVE to have a way to route the messages destined for their employees. Otherwise, mail is going to bounce. Why? Because the way that MX records work is that the server with the lowest cost gets most of the messages sent to it. There will be some messages that get sent to the other server. There isn't any way around this. That means that you will be receiving mail for possibly ANY person working at the other company. You get a message for a person at the other company, and your Exchange server doesn't know what the hell to do with it. You don't have any recipients with that name set up. Ends up being very messy.

I was thinking earlier about setting up custom recipients for them, but that too would end up being messy, and I don't think it would work. They could, however, set up some mailboxes and custom recipients for you, have the mailbox deliver mail to the custom recipient and have those custom recipients forward the mail to your server. That, or setting up some mailboxes for you and you using OWA, would be by far the easiest, if not the only, solutions to what you are asking. Anything else is sounding more like a consulting gig to find a solution to your problem.

If they are so insistent on you using their e-mail, why don't they provide the solution? Otherwise, tell them to go with the above-mentioned OWA, or forward your mail via CR's, and let you reply using your own addy's.

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems

-----Original Message-----
From: Matthew Carpenter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 1:25 PM
To: MS-Exchange Admin Issues
Subject: RE: Future plans 2

RE: Public Folder Permissions ?
Right... When we migrated I just rebuilt the groups as security groups and used the change as an opportunity to clean up and re-evaluate the groups and their members. I don't recall if they converted themselves during the migration (it was about a year ago) - I don't think they did for us either.

W. Andrew Philips
Customer Service Manager
Networks Plus
Phone: (785) 587-4121 x202
(785) 267-6800 x202
Fax: (785) 565-2902
Email: mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Neil Hobson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 10:13 AM
To: MS-Exchange Admin Issues
Subject: RE: Public Folder Permissions ?

You have to use USGs and not UDGs. However, if you use UDGs, the store.exe process should convert these to USGs for you. So I'd look in the event log for any indication as to why this conversion process is failing. One reason it will fail is if there's any entry in the UDG that cannot be resolved by AD.

Neil Hobson
Silversands
http://www.silversands.co.uk
Microsoft Gold Certified Partner
For Enterprise Systems
For Collaborative Solutions

-----Original Message-----
From: Mark [mailto:[EMAIL PROTECTED]]
Posted At: 07 February 2002 16:12
Posted To: Sunbelt Exchange List
Conversation: Public Folder Permissions ?
Subject: RE: Public Folder Permissions ?

Universal Distribution Group. Windows 2K native mode, E2K still in mixed mode but there are NO 5.5 servers.

Thanks.

What scope of group are you adding to the ACL, and what mode is your Windows 2000 domain running in?

Neil Hobson
Silversands

RE: My IIS SMTP is being used as a relay - need help stopping this
http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696

did someone send you this? This was the easiest for me to understand...

W. Andrew Philips
Customer Service Manager
Networks Plus
Phone: (785) 587-4121 x202
(785) 267-6800 x202
Fax: (785) 565-2902
Email: mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Jesse Rink [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 8:35 AM
To: MS-Exchange Admin Issues
Subject: My IIS SMTP is being used as a relay - need help stopping this

Well, after making sure my IIS 4.0 SMTP relay server was not infected by the NIMDA virus and applying all the MS01-044 IIS cumulative security bulletin, I am still being used as a relay point. The most confusing thing is: I can't understand how they are doing it because when I telnet into the IIS SMTP relay from HOME, it DOESN'T allow me to relay. The following shows up:

220-w-smtp01.whitnall.com Microsoft SMTP MAIL ready at Wed, 21 Nov 2001 08:16:19 -0600 Version: 5.5.1877.197.19
220 ESMTP spoken here

At this point I try and type Helo me, Mail From:, or other commands, and they ALL fail with either a) a 550 error, b) no response.

If on the other hand, I telnet into the SMTP relay from a PC here on the LAN I can issue Helo me, Mail From: or other commands and use it as a relay without problem.

What I'm looking for is someone running IIS SMTP services to help me out here. My IIS SMTP relay is in my DMZ Interface and my (1) Exchange server is on the Inside Interface of the firewall. I'm worried that our domain will start getting banned or black listed (I heard this happens) because we are being used as a relay point. This is the 2nd day it's been occurring and I need to get this fixed soon.

If you can help, please let me know. Thanks.

Jesse Rink
[EMAIL PROTECTED]
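
Both relay threads on this page hinge on the same check: a 220 banner on port 25 does not show relaying, what shows it is the server's reply to RCPT TO for a domain it does not host, and that reply can differ between an outside client and one on the LAN. The following is an added example, not code from any poster on the list: it reads a captured SMTP session and reports whether that session was allowed to relay. The `C:`/`S:` transcript prefixes, the `.example` host names and the function names are assumptions, and the transcripts are constructed samples.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])")   # "220-..." continues, "220 ..." ends a reply
RCPT = re.compile(r"^RCPT\s+TO:\s*<?[^@>\s]*@([^>\s]+)>?", re.I)


def parse_session(transcript):
    """Pair each client command with the code of the server's final reply line.

    A command that never got a reply is paired with None, which covers the
    "no response" case as well as a cut-off capture.
    """
    pairs, pending = [], "<connect>"      # the banner answers the connection itself
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(":")
        text = text.strip()
        if side == "C":
            if pending is not None:       # previous command was never answered
                pairs.append((pending, None))
            pending = text
        elif side == "S":
            m = REPLY.match(text)
            if m and m.group(2) == " ":   # skip the "220-" style continuation lines
                pairs.append((pending or "<unsolicited>", int(m.group(1))))
                pending = None
    if pending is not None:
        pairs.append((pending, None))
    return pairs


def relay_verdict(transcript, local_domains):
    """Classify one session by how RCPT TO for non-local domains was answered."""
    local = {d.lower() for d in local_domains}
    verdict = "no-relay-attempt"          # banner, HELO, MAIL FROM or local delivery only
    for command, code in parse_session(transcript):
        m = RCPT.match(command)
        if not m or m.group(1).lower() in local:
            continue
        if code in (250, 251):            # recipient at a foreign domain accepted
            return "relay-accepted"
        verdict = "relay-refused" if code is not None else "no-response"
    return verdict


# Constructed sample sessions against a hypothetical host mail.example.org.
HEAD = """S: 220-mail.example.org Microsoft SMTP MAIL ready
S: 220 ESMTP spoken here
C: HELO me
S: 250 mail.example.org Hello
C: MAIL FROM:<a@outside.example>
S: 250 OK
"""
BANNER_ONLY = "S: 220 mail.example.org ready\nC: QUIT\nS: 221 closing\n"
FROM_OUTSIDE = HEAD + "C: RCPT TO:<b@elsewhere.example>\nS: 550 5.7.1 Unable to relay\n"
FROM_LAN = HEAD + "C: RCPT TO:<b@elsewhere.example>\nS: 250 OK\n"
INBOUND = HEAD + "C: RCPT TO:<staff@example.org>\nS: 250 OK\n"

if __name__ == "__main__":
    for name in ("BANNER_ONLY", "FROM_OUTSIDE", "FROM_LAN", "INBOUND"):
        print(name, relay_verdict(globals()[name], ["example.org"]))
```

Running the same capture from each network segment (outside, DMZ, inside) and comparing the verdicts shows which source addresses the relay restrictions actually cover.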