We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Rod Cappon



How are they doing this?

Someone out there is sending out spam and for a return address they were
specifying an email address and [EMAIL PROTECTED]. Then they used an open
mail relay server to send out the spam. When they send an email to a bad
email address the receiving mail server sends a non delivery report to our
mail server. Our quick solution to that was to drop the MX record for the
dbcorp.ab.ca domain. We could do this mainly because it has not been used for
several years now. The only reason we had it was for legacy support. Since we
dropped the MX record I figured it would not be possible for mail servers to
send us NDR. But now we are receiving NDR at our web server for the
dbcorp.ab.ca domain. I don't understand why a mail server would be sending
NDR to that IP address. Right now we have set up an MX record under
dbcorp.ab.ca that points to the web server of the company that is sending
out the spam but I still see the NDR coming to us on our web server. I
assumed if there is no MX record there could be no mail delivery be it an NDR
or otherwise. How are they managing to make email servers point to our web
site for the NDR?
List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm





RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Joe Friess



Your server is set up to relay. See http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696






RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Campbell, Rob

Disable port 25 on your Web server?





RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Clark, Steve

Could be wrong but this may be someone with Klez.

 

Steve Clark 
Clark Systems Support, LLC 
AVIEN Charter Member 
Who's watching your network? 
www.clarksupport.com 
  301-610-9584 voice 
  240-465-0323 Efax 

The data furnished in connection with this document is deemed by Clark
Systems Support, LLC., to contain proprietary and privileged information and
shall not be disclosed or used for the benefit of others without the prior
written permission of Clark Systems Support, LLC.





RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Rod Cappon



Sorry, I should have stated this earlier. No, I am not set up as a mail
relay; the NDR are getting blocked at the firewall. I set up a sniffer to see
if I had any unauthorized services sending out packets on port 25 within my
network and there was none. Previously the NDR were arriving at my mail
server which is on a different IP address. Now they are showing up on my web
server.


  





RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Clark, Steve

I was wrong - wow, life insurance for $15, give me a pen - do they really
think you're going to actually sign up??? LOL

Thanks.


-Original Message-
From: Rod Cappon [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 12, 2002 12:29 PM
To: MS-Exchange Admin Issues
Subject: RE: We are under a spam attack of sorts. Could you help me out.

I looked at the content of the NDR and it is definitely a spam message. You
know the ones, get life insurance for $15. The same email message sent to
thousands of different email addresses.





Re: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Reto Inversini



Hi,

If dbcorp.ab.ca is the domain you are referring to, then I guess the answer
lies in your dns-configuration:

; <<>> DiG 8.3 <<>> any dbcorp.ab.ca
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;;      dbcorp.ab.ca, type = ANY, class = IN

;; ANSWER SECTION:
dbcorp.ab.ca.           1H IN A         207.54.97.121
<-- every mail for a [EMAIL PROTECTED] will be pointed to this address, unless a MX is specified

dbcorp.ab.ca.           1H IN NS        empire.dbcorp.com.
dbcorp.ab.ca.           1H IN NS        ns2.terago.ca.
dbcorp.ab.ca.           1H IN SOA       empire.dbcorp.com. mis.dbcorp.com. (
                                        30      ; serial
                                        15M     ; refresh
                                        10M     ; retry
                                        1D      ; expiry
                                        1H )    ; minimum

dbcorp.ab.ca.           1H IN MX        10 mail.
<-- I see an MX record ...

;; ADDITIONAL SECTION:
empire.dbcorp.com.      1H IN A         207.54.97.123

;; Total query time: 279 msec
;; FROM: flagship to SERVER: default -- 212.254.207.10
;; WHEN: Fri Jul 12 18:41:09 2002
;; MSG SIZE  sent: 30  rcvd: 178

hope this helps,

regards reto






RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Carl Houseman



What did the MX record say that you removed?

I checked just now and perhaps the caches haven't caught up, but I got this
on an nslookup:

dbcorp.ab.ca MX preference = 10, mail exchanger = mail

If that's the MX record you dropped, I'm a little surprised that it used to
work. Perhaps mail servers automatically append the domain to a domain-less
mail exchanger name.

If indeed the MX record is gone, then mail to [EMAIL PROTECTED] will be sent
to dbcorp.ab.ca's A record address.

Don't be surprised that DNS changes aren't effective immediately.

Carl

-Original Message-
From: Rod Cappon [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 12:36 PM
To: MS-Exchange Admin Issues
Subject: RE: We are under a spam attack of sorts. Could you help me out.

Can do, shall give it a try. But why are the mail servers sending it there.
That is the big question.

-Original Message-
From: Carl Houseman [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 10:27 AM
To: MS-Exchange Admin Issues
Subject: RE: We are under a spam attack of sorts. Could you help me out.

dbcorp.ab.ca's address is the same as www.dbcorp.ab.ca, 207.54.97.120.

You will have to remove the A record for dbcorp.ab.ca to avoid this.

Or disable inbound SMTP on that server.






RE: We are under a spam attack of sorts. Could you help me out.

2002-07-12 Thread Rod Cappon



Yes I do have a MX record. I figured if they want to send out spam in my name
I could at least send them the NDR. I have updated my dbcorp.ab.ca to
10.10.10.10. For a little while I had it set to 207.54.97.121 and I was
seeing the NDR show up there. So you are right in what you are saying.

A summary would be if there is no MX record a matching host record will be
used instead.

Is this correct.

Then why didn't the email go off to their IP address when I created the MX
record.

  
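The lookup order discussed in this thread, as an added example that is not part of the original messages: a small model of how a sending mail server chooses delivery hosts under RFC 5321 section 5.1, run over constructed zone snapshots that reuse the records quoted in the dig output. The function names and zone tuples are assumptions for illustration, and the null MX case (RFC 7505, "MX 0 .") goes beyond the thread, which predates it.

```python
"""Which hosts does an SMTP sender try for a domain (RFC 5321 section 5.1)?"""

DOMAIN = "dbcorp.ab.ca"

# Constructed zone snapshots. The A address and the "mail." exchanger are the
# values quoted in the thread; the null-MX zone is an added illustration.
ZONE_MX_DROPPED = [
    ("dbcorp.ab.ca.", "A", "207.54.97.121"),
    ("dbcorp.ab.ca.", "NS", "empire.dbcorp.com."),
    ("dbcorp.ab.ca.", "NS", "ns2.terago.ca."),
]
ZONE_WITH_MX = ZONE_MX_DROPPED + [("dbcorp.ab.ca.", "MX", "10 mail.")]
ZONE_NULL_MX = ZONE_MX_DROPPED + [("dbcorp.ab.ca.", "MX", "0 .")]


def fqdn(name):
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(zone, name, rtype):
    """Return the rdata strings of every record matching name and type."""
    return [data for owner, t, data in zone
            if fqdn(owner) == fqdn(name) and t == rtype]


def delivery_targets(zone, domain):
    """Return (rule, [(preference, host, [addresses])]) for mail to domain."""
    mx = []
    for rdata in lookup(zone, domain, "MX"):
        pref, host = rdata.split()
        mx.append((int(pref), fqdn(host)))
    if len(mx) == 1 and mx[0][1] == ".":
        # Null MX (RFC 7505): the domain states that it accepts no mail.
        return "null-mx", []
    if mx:
        # MX present: only the listed exchangers are tried, lowest preference
        # first. The domain's own A record is not used as a fallback.
        return "mx", [(p, h, lookup(zone, h, "A")) for p, h in sorted(mx)]
    addrs = lookup(zone, domain, "A")
    if addrs:
        # No MX at all: the domain itself is treated as its own exchanger.
        return "implicit-mx", [(0, fqdn(domain), addrs)]
    return "undeliverable", []


def receiving_addresses(zone, domain):
    """Addresses that would see inbound SMTP (bounces included)."""
    _, targets = delivery_targets(zone, domain)
    return sorted({a for _, _, addrs in targets for a in addrs})


if __name__ == "__main__":
    for label, zone in [("MX dropped", ZONE_MX_DROPPED),
                        ("MX 10 mail.", ZONE_WITH_MX),
                        ("null MX", ZONE_NULL_MX)]:
        rule, _ = delivery_targets(zone, DOMAIN)
        print(f"{label:12} {rule:12} {receiving_addresses(zone, DOMAIN)}")
```

With the MX dropped, the bounces land on the domain's A record address; with `MX 10 mail.` a sender following the RFC has no address to try, and a null MX states outright that the domain takes no mail.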