Can't Stop Open Relay and Can't Relay Internal Mail

Post by rhu » Sun, 11 Aug 2002 16:10:11



Please someone kindly help me.  This msg was posted 2 days
ago but the problem still can't be fixed.  Please read the
following re-post.  Thanks.

My Exchsrv 5.5 was identified as Open Relay server by
several anti-spam services.  I tried many ways to fix this
problem by following Paul Robichaux's article
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/mail/excrelay.asp),
but all failed to stop relaying.  Even when I turned off all relays by
selecting "Do not reroute incoming SMTP mail" on the Routing
tab (of course each time I remembered to stop and restart
IMS), the server still keeps relaying endlessly (this can be
checked in the Event Viewer/Application Log).  I have to
stop IMS currently.

In addition, according to Paul Robichaux's article, I
enabled (checked) "Hosts and clients that successfully
authenticate" and "Hosts and clients with these IP
addresses" and added relevant IP addresses in the box.  
However, the mail can't be sent out to the outside domains
from any authenticated user or the computer with relevant
IP.

In short, currently all internal mails can't be relayed to
the outside domains but the spamming messages still keep
passing through the server!

--- Response by JS ---

>-----Original Message-----
>Exchange admin > IMS > Routing Tab > Routing Restrictions > check the "Hosts
>and Clients Connecting to These Internal Addresses"

>Don't put any IP's in here. Close it and stop and start Internet Mail Service.

>To test this...telnet into Port 25 of your server and issue the following
>commands.

>Telnet 100.100.100.100 25  (substitute the IP of your server)

>Helo Me
>(you should get helo back)


>(this doesn't matter, it's just simulating an outside email address)


>(insert a valid email address from your domain....you should get RECIPIENT
>OK)

>Now to see if you're locked down ....issue another rcpt to:


>(this is a bogus address not affiliated with your domain....you should get
>relaying denied.

>Hope this helped. Good luck

--- Response by rhu  -------

Thanks for your advice.  Done per your instruction. Tested
with telnet commands you suggested and everything looked
OK.  However, the server is still busy delivering spam
messages in mass volume.  I checked the Event
Viewer/Application Log.  After clearing all records, it'll
be full in a few minutes!  Huge amount of spam mails are
still passing through!

Now all relays are prohibited.  I can't even send out this
message via the server, but the server is still busy
delivering spam mails from the outside!

Please HELP.  THANKS!

Randall
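
The telnet check from JS's reply above, scripted so it can be repeated after each configuration change. This is an added example, not part of the original posts; the addresses, the ScriptedServer stand-in and the function names are constructed for illustration.

```python
import smtplib

def probe_relay(smtp, local_rcpt, external_rcpt,
                sender="probe@outside.example"):
    """Replay the telnet test on an open SMTP session; DATA is never sent."""
    smtp.helo("me")
    codes = {"mail_from": smtp.mail(sender)[0]}
    # Recipient in a domain this server hosts: should be accepted.
    codes["local"] = smtp.rcpt(local_rcpt)[0]
    # Recipient in a domain this server does not host: should be refused.
    codes["external"] = smtp.rcpt(external_rcpt)[0]
    smtp.rset()  # abandon the transaction so nothing is queued
    return codes

def verdict(codes):
    accepted = lambda code: 200 <= code < 300
    if not accepted(codes["mail_from"]):
        return "inconclusive: sender refused"
    # Some servers accept at RCPT and refuse or bounce later, so treat an
    # accept here as a strong indicator to follow up on.
    if accepted(codes["external"]):
        return "OPEN RELAY: outside sender accepted for outside recipient"
    if not accepted(codes["local"]):
        return "relay closed, but inbound mail for the local domain is refused"
    return "relay closed, local delivery accepted"

class ScriptedServer:
    """Constructed stand-in for an SMTP session, so the example runs offline."""
    def __init__(self, local_domain, relay_open):
        self.local_domain, self.relay_open = local_domain, relay_open
    def helo(self, name): return (250, b"hello")
    def mail(self, sender): return (250, b"sender ok")
    def rcpt(self, addr):
        if addr.lower().endswith("@" + self.local_domain) or self.relay_open:
            return (250, b"recipient ok")
        return (550, b"relaying denied")
    def rset(self): return (250, b"reset")

def check_host(host, local_rcpt, external_rcpt, port=25):
    """Run the probe against a server you administer."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        return verdict(probe_relay(smtp, local_rcpt, external_rcpt))

if __name__ == "__main__":
    for relay_open in (True, False):
        fake = ScriptedServer("mydomain.example", relay_open)
        print(relay_open, verdict(probe_relay(
            fake, "user@mydomain.example", "someone@elsewhere.example")))
```

A "relay closed" result only describes new SMTP sessions; mail the server accepted before the restriction was applied is still in its queue and will keep going out until the queue is emptied.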

 
 
 

Post by mpon » Sun, 11 Aug 2002 22:53:59


Do this again ((according to Paul Robichaux's article, I
enabled (checked) "Hosts and clients that successfully
authenticate" and "Hosts and clients with these IP))

(don't forget to stop services first) then delete
everything in the qued tab, refresh and see if there is
anything still there. If there is, delete again, and
again. I had the same issue; there were 1 million messages
I had to delete, then just reboot the server. I found this to
work better than services starting..
Also make sure you don't have another Exchange server on
the site..

Post by rhu » Tue, 13 Aug 2002 17:07:20


Thank you very much for your comment.
I just don't quite understand your following phrase:
"delete everything in the qued tab refresh and see if
there is anything still there."

By "qued tab", do you mean the Queues tab in the IMS
Properties?
If so, when IMS is stopped, the Queues tab is disabled (no
queued message at all).  If IMS is started, a huge amount of
spamming messages will rush in very quickly and you'll never
be able to delete them all (because they keep coming in).

Randall


Post by Wend » Wed, 14 Aug 2002 08:02:14


I actually know little to nothing about 5.5 (little more
about E2K), but a local company just had a similar problem
they fixed today.  They received an e-mail informing them
their relays were open & people were spamming through
them. We're their ISP, so they informed us.  The local
company followed this article to fix it.  Saw your post &
thought I'd pass it along in case it was helpful.
http://www.exchangeadmin.com/Articles/Print.cfm?ArticleID=7696

Wendy
