Question: Exchange 2000 Relaying Spam
We were approached recently by a new customer who was being used as an open relay. I have looked through the configuration of the Exchange server (SBS 2000) and it seems to be set up properly. The SMTP connector is not set up to relay for any domains; the only area that should allow relay is authenticated users. I believe it's possible that an internal account may have been compromised (I can see that the emails are clearly originating from external addresses). I am unable to track down what account was used to send the emails. The SMTP log below just shows "USER"; when I use Exchange message tracking it shows the from address, but that is just a fake address. Is there anywhere I can determine what account was used, or is there anything else I should be checking to prevent this from happening? They actually use a spam filtering company, so for the time being I have blocked all incoming SMTP communication from anyone other than their filtering provider (MX record points to provider). I am confident that will eliminate this problem, but I am trying to determine how it happened in the first place.
Below is a sample of the SMTP log; the messages from the eBay account are the ones in question. At the very least, is there any way to configure the Exchange server so that it will not send a message that claims to originate from a domain other than the one Exchange is supposedly hosting? This is SBS 2000. I substituted the internal addresses.
time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-05-29 00:00:00 207.155.253.97 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250-SIZE+20972544 0 0 17 0 5172 SMTP - - - -
2008-05-29 00:00:00 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:01 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:om> 250 0 36 33 0 SMTP - - - -
2008-05-29 00:00:01 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:ge.ca> 250 0 39 36 0 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 220+************ 0 0 16 0 156 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 EHLO - campbelldc.CampbellManufacturing.local 0 0 4 0 156 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250-outram.ucfv.ca 0 0 18 0 250 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 MAIL - FROM:+SIZE=2425 0 0 4 0 250 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+Ok 0 0 6 0 328 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 RCPT - TO: 0 0 4 0 328 SMTP - - - -
2008-05-29 00:00:02 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 29 26 0 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 450+:+Recipient+address+rejected:+User+unknown+in+local+recipient+table 0 0 89 0 422 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 RSET - - 0 0 4 0 422 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+Ok 0 0 6 0 500 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 QUIT - - 0 0 4 0 500 SMTP - - - -
2008-05-29 00:00:02 198.162.104.240 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 221+Bye 0 0 7 0 578 SMTP - - - -
2008-05-29 00:00:02 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:> 250 0 34 31 0 SMTP - - - -
2008-05-29 00:00:04 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 31 28 0 SMTP - - - -
2008-05-29 00:00:04 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 31 28 0 SMTP - - - -
2008-05-29 00:00:05 207.155.253.97 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+8BITMIME 0 0 12 0 10172 SMTP - - - -
2008-05-29 00:00:05 207.155.253.97 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 MAIL - FROM:+SIZE=2425 0 0 4 0 10172 SMTP - - - -
2008-05-29 00:00:05 207.155.253.97 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+Sender+OK+[0E3RSFQGCM00] 0 0 28 0 10265 SMTP - - - -
2008-05-29 00:00:05 207.155.253.97 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 RCPT - TO: 0 0 4 0 10265 SMTP - - - -
2008-05-29 00:00:05 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 32 29 0 SMTP - - - -
2008-05-29 00:00:06 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 220+mx10.gnu.org+ESMTP+Exim+4.60+Wed,+28+May+2008+20:00:07+-0400 0 0 64 0 16 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 EHLO - campbelldc.CampbellManufacturing.local 0 0 4 0 16 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250-mx10.gnu.org+Hello+campbelldc.CampbellManufacturing.local+[12.152.49.130] 0 0 77 0 47 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 MAIL - FROM:+SIZE=2425 0 0 4 0 47 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+OK 0 0 6 0 78 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 RCPT - TO:> 0 0 4 0 78 SMTP - - - -
2008-05-29 00:00:06 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 30 27 0 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+Accepted 0 0 12 0 125 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 DATA - - 0 0 4 0 125 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 354+Enter+message,+ending+with+"."+on+a+line+by+itself 0 0 54 0 156 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 550+This+message+contains+malware+(HTML.Phishing.Auction-147) 0 0 61 0 312 SMTP - - - -
2008-05-29 00:00:06 199.232.76.166 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 QUIT - - 0 0 4 0 328 SMTP - - - -
2008-05-29 00:00:07 199.232.76.166 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 221+mx10.gnu.org+closing+connection 0 0 35 0 359 SMTP - - - -
2008-05-29 00:00:07 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 28 25 0 SMTP - - - -
2008-05-29 00:00:08 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:l.com> 250 0 39 36 0 SMTP - - - -
2008-05-29 00:00:08 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:et> 250 0 36 33 0 SMTP - - - -
2008-05-29 00:00:10 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:m> 250 0 35 32 0 SMTP - - - -
2008-05-29 00:00:10 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 27 24 0 SMTP - - - -
2008-05-29 00:00:11 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:11 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:s.ca> 250 0 38 35 0 SMTP - - - -
2008-05-29 00:00:13 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 32 29 0 SMTP - - - -
2008-05-29 00:00:13 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 32 29 0 SMTP - - - -
2008-05-29 00:00:14 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:m> 250 0 35 32 0 SMTP - - - -
2008-05-29 00:00:14 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 220+pluto.link-m.de+ESMTP 0 0 25 0 125 SMTP - - - -
2008-05-29 00:00:14 89.250.128.3 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 EHLO - campbelldc.CampbellManufacturing.local 0 0 4 0 125 SMTP - - - -
2008-05-29 00:00:14 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:a> 250 0 35 32 0 SMTP - - - -
2008-05-29 00:00:14 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250-pluto.link-m.de 0 0 19 0 234 SMTP - - - -
2008-05-29 00:00:14 89.250.128.3 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 MAIL - FROM: 0 0 4 0 234 SMTP - - - -
2008-05-29 00:00:14 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+ok 0 0 6 0 343 SMTP - - - -
2008-05-29 00:00:14 89.250.128.3 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 RCPT - TO:national.de> 0 0 4 0 343 SMTP - - - -
2008-05-29 00:00:15 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+ok 0 0 6 0 578 SMTP - - - -
2008-05-29 00:00:15 89.250.128.3 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 DATA - - 0 0 4 0 578 SMTP - - - -
2008-05-29 00:00:15 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 354+go+ahead 0 0 12 0 703 SMTP - - - -
2008-05-29 00:00:15 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 250+ok+1212019218+qp+29773 0 0 26 0 859 SMTP - - - -
2008-05-29 00:00:15 89.250.128.3 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 QUIT - - 0 0 4 0 859 SMTP - - - -
2008-05-29 00:00:15 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:> 250 0 34 31 0 SMTP - - - -
2008-05-29 00:00:15 89.250.128.3 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 221+pluto.link-m.de 0 0 19 0 968 SMTP - - - -
2008-05-29 00:00:16 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 28 25 0 SMTP - - - -
2008-05-29 00:00:16 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 31 28 0 SMTP - - - -
2008-05-29 00:00:18 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 31 28 0 SMTP - - - -
2008-05-29 00:00:18 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:com> 250 0 37 34 0 SMTP - - - -
2008-05-29 00:00:20 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:n.com> 250 0 39 36 0 SMTP - - - -
2008-05-29 00:00:20 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 32 29 0 SMTP - - - -
2008-05-29 00:00:21 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 29 26 0 SMTP - - - -
2008-05-29 00:00:21 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO: 250 0 31 28 0 SMTP - - - -
2008-05-29 00:00:23 203.82.65.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:> 250 0 34 31 0 SMTP - - - -
2008-05-29 00:00:23 209.181.247.105 OutboundConnectionResponse SMTPSVC1 CAMPBELLDC - 25 - - 220+nullmx+SMTP+421+Timed+out. 0 0 30 0 20047 SMTP - - - -
2008-05-29 00:00:23 209.181.247.105 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 EHLO - campbelldc.CampbellManufacturing.local 0 0 4 0 20047 SMTP - - - -
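The log in the question is the IIS/Exchange 2000 SMTP log in W3C extended format: the trailing "time-taken cs-version cs-host ..." fragment is the tail of its #Fields header, inbound client commands appear with cs-username "User" and the client's address in c-ip, and OutboundConnectionCommand/OutboundConnectionResponse rows are the server's own delivery attempts. The script below is an added example, not part of the original post: it parses that format using the #Fields line, ignores the outbound rows, and for every external client IP counts how many RCPT TO commands for recipients outside the hosted domains the server accepted (250) versus refused (5xx). A large "relayed" count from one external IP is the footprint of exactly the abuse described above, even when the log never names the account that authenticated. The hosted domain (example.com), the internal network (10.0.0.0/8) and the sample log lines are constructed for the example.

```python
"""Find relayed mail in an IIS/Exchange 2000 SMTP log (W3C extended format)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for the example (not from the original post): the server hosts
# example.com, and clients on 10.0.0.0/8 are allowed to relay by design.
HOSTED_DOMAINS = {"example.com"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

ADDR_RE = re.compile(r"<([^>]+)>")

# Constructed sample log modelled on the post's format; RFC 5737 documentation
# IPs, invented addresses. The #Fields line names the 21 columns of each record.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2008-05-29 00:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-05-29 00:00:00 203.0.113.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 MAIL - +FROM:<spoofed@auction.example> 250 0 44 41 0 SMTP - - - -
2008-05-29 00:00:00 203.0.113.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:<victim1@example.net> 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:01 203.0.113.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:<victim2@example.org> 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:01 203.0.113.9 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:<victim3@example.net> 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:02 198.51.100.7 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:<sales@example.com> 250 0 31 28 0 SMTP - - - -
2008-05-29 00:00:03 198.51.100.7 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:<someone@example.net> 550 0 46 32 0 SMTP - - - -
2008-05-29 00:00:04 10.0.0.50 User SMTPSVC1 CAMPBELLDC 10.0.0.2 0 RCPT - +TO:<partner@example.net> 250 0 33 30 0 SMTP - - - -
2008-05-29 00:00:05 203.0.113.200 OutboundConnectionCommand SMTPSVC1 CAMPBELLDC - 25 RCPT - TO:<victim1@example.net> 0 0 4 0 328 SMTP - - - -
"""


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no records
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed or truncated line
        yield dict(zip(fields, values))


def recipient_domain(query):
    """Domain of the address in a cs-uri-query such as '+TO:<user@example.net>'."""
    match = ADDR_RE.search(query)
    if not match or "@" not in match.group(1):
        return None
    return match.group(1).rsplit("@", 1)[1].lower()


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:                    # '-' or a hostname
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_evidence(lines):
    """Per external client IP: non-hosted recipients accepted (250) vs refused (5xx)."""
    summary = defaultdict(lambda: {"relayed": 0, "refused": 0, "domains": set()})
    for rec in parse_w3c(lines):
        # OutboundConnection* rows are the server delivering, not a client talking to it
        if rec["cs-username"].startswith("OutboundConnection"):
            continue
        if rec["cs-method"] != "RCPT":
            continue
        domain = recipient_domain(rec["cs-uri-query"])
        if domain is None or domain in HOSTED_DOMAINS:
            continue                      # delivery to a hosted domain is not relaying
        if is_internal(rec["c-ip"]):
            continue                      # LAN clients may relay by design
        entry = summary[rec["c-ip"]]
        if rec["sc-status"] == "250":
            entry["relayed"] += 1
            entry["domains"].add(domain)
        elif rec["sc-status"].startswith("5"):
            entry["refused"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, info in sorted(find_relay_evidence(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} relayed={info['relayed']} refused={info['refused']} "
              f"domains={sorted(info['domains'])}")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents (open the .log file and pass its lines to find_relay_evidence); on the sample, 203.0.113.9 shows three accepted external recipients, 198.51.100.7 shows one refusal and no relaying, and the internal 10.0.0.50 is not reported at all.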
Answer: Exchange 2000 Relaying Spam
First, test your system:
From the remote client, follow these steps:

1. Click Start, click Run, type telnet, and then click OK.
2. At the Telnet command prompt, type set local_echo, and then press ENTER.
3. At the Telnet command prompt, type open sbs-IP-address 25, and then press ENTER (where sbs-IP-address is the external public IP address of the Small Business Server computer).
   The output is similar to the following:
   220 server.smallbusiness.local Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at "date" -0500
   Note: The "Version" reference may vary, depending on the version of Small Business Server.
4. Type ehlo anydomain.com, and then press ENTER (where anydomain is not the Small Business Server computer's e-mail domain). Make sure that the last line is:
   250 OK
5. Type mail from:youremail@anydomain.com, and then press ENTER (where youremail@anydomain is an SMTP address that is not hosted on the Small Business Server computer). Make sure that the result is:
   250 2.1.0 youremail@anydomain.com....Sender OK
6. Type rcpt to:user@spam.com, and then press ENTER (where user@spam is not your e-mail domain). Make sure that the result is one of the following two responses:
   550 5.7.1 Unable to relay for user@spam.com
   -or-
   250 2.1.5 user@spam.com
7. If the result is "550 5.7.1 Unable to relay for user@spam.com," the Exchange server is not an open SMTP relay. If you previously configured Exchange Server to block open SMTP relaying and you want to clean up the Exchange server, go to the "Clean Up the Exchange Server's SMTP Queues" section of this article.
8. If the result is "250 2.1.5 user@spam.com," the Exchange server is an open SMTP relay. Go to the "Configure the Exchange Server to Block Open SMTP Relaying" section of this article.
If you ARE open, here's how you close it for SBS:
There are two Exchange Server components that permit SMTP relaying to be turned on or off:
- The Default SMTP Virtual Server
- The SMTP Connector

Additionally, if the server is running Microsoft Internet Security and Acceleration (ISA) Server 2000, the server may be an open relay if the following conditions are true:
- ISA Server is configured with a server publishing rule for the SMTP protocol.
- 127.0.0.1 is in the list of IP addresses that are allowed to relay in the properties of the default SMTP Virtual Server.

To check the properties on the Default SMTP Virtual Server, follow these steps:

1. Click Start, click All Programs, click Microsoft Exchange, and then click System Manager.
2. Expand Servers, expand Servername, expand Protocols, and then expand SMTP.
   If the server is an upgrade from Small Business Server 4.x, expand Administrative Groups, expand Servername, expand Servers, expand Servername, expand Protocols, and then expand SMTP.
3. Right-click Default SMTP Virtual Server, and then click Properties.
4. Click the Access tab.
5. Click the Relay button at the bottom.
6. The default settings block open relay. The default settings are as follows:
   - Select Only the list below.
   - The Computers dialog box shows Access Granted to the internal IP address of the Small Business Server network and to the external IP address (if the server has more than one network card).
   - Make sure that Allow all computers which successfully authenticate to relay, regardless of the list above is selected.
7. Set the Default SMTP Virtual Server configuration for relaying as indicated, which restores its settings to their defaults.

To check the properties for the SmallBusiness SMTP Connector, follow these steps:

1. In the Exchange System Manager, expand Connectors, and then locate the SmallBusiness SMTP Connector.
   If the server is an upgrade from Small Business Server 4.x, expand Administrative Groups, expand Servername, and then expand Connectors.
   Note: The SmallBusiness SMTP Connector is created when you run the Small Business Server 2000 Internet Connection Wizard. If you have manually created an SMTP connector, it may not be named SmallBusiness SMTP Connector. Also be aware that the SMTP connector is not required for external mail flow. The absence of a connector may not indicate a problem.
2. Right-click the SmallBusiness SMTP Connector (or the connector name that you manually created), and then click Properties.
3. Click the Address Space tab.
4. The default settings (when this connector is created by means of the Small Business Server 2000 Internet Connection Wizard) block open relay. The default settings are:
   - Address Space Type: SMTP
   - Address: *
   - Cost: 1
   - The Connector Scope is Entire Organization.
   - Allow messages to be routed to these domains is cleared (not selected).
5. Configure the SMTP Connector as indicated to restore its settings to their default values.
If you need more detail, I got my information from: http://support.microsoft.com/kb/324958
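The telnet test in the answer, written as a script so it can be repeated after every configuration change (for instance, as a check that the relay restrictions above survived a reboot or a wizard re-run). This is an added example and is not part of the original answer or of the Microsoft KB article. It uses the answer's placeholder names (anydomain.com, youremail@anydomain.com, user@spam.com), which are assumptions you should keep as addresses not hosted on the server, and it is meant to be run against the public IP of your own SBS server. Like the manual procedure, it stops at RCPT TO: it never issues DATA, and it sends RSET before QUIT, so no message is ever queued even when the server answers 250.

```python
"""Open-relay self-test for an SBS/Exchange 2000 SMTP server (no message is sent)."""
import smtplib
import sys

# Placeholders in the spirit of the answer's anydomain.com / spam.com examples;
# neither address may be hosted on the server under test.
HELO_NAME = "anydomain.com"
EXTERNAL_SENDER = "youremail@anydomain.com"
EXTERNAL_RCPT = "user@spam.com"


def classify_rcpt(code):
    """Turn the reply code to RCPT TO for a foreign recipient into a verdict."""
    if code == 250:
        return "open-relay"        # recipient accepted: the server would relay it
    if 500 <= code < 600:
        return "relay-denied"      # e.g. '550 5.7.1 Unable to relay for ...'
    return "undetermined"          # 4xx temporary failure (greylisting, load): retry


def check_relay(host, port=25, timeout=15):
    """Return (verdict, smtp_code, server_text) for the relay test against host."""
    # The context manager sends QUIT on exit, so the session is always closed.
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(HELO_NAME)
        code, text = smtp.mail(EXTERNAL_SENDER)
        if code != 250:
            # Sender refused outright; the relay question cannot be answered.
            return ("sender-rejected", code, text.decode(errors="replace"))
        code, text = smtp.rcpt(EXTERNAL_RCPT)
        smtp.rset()                # abandon the envelope: DATA is never issued
        return (classify_rcpt(code), code, text.decode(errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <public-ip-of-your-sbs-server>")
    verdict, code, text = check_relay(sys.argv[1])
    print(f"{verdict}: {code} {text}")
```

A result of "relay-denied" corresponds to step 7 of the answer (server is not an open relay); "open-relay" corresponds to step 8 and means the Default SMTP Virtual Server or the SMTP connector settings need to be restored as described. Remember that this test only covers anonymous relaying: a server that correctly denies this test can still be abused through a compromised account that authenticates, which is the scenario the question raises.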