Unauthorized SMTP Relay

Post by Dave Boa » Thu, 04 Sep 2003 01:49:46

I have Exchange Server 5.5 SP4. SMTP relay has been
restricted.

When I check my outgoing queue, I find lots
of unknown messages pending and waiting to send. After a
while, I get lots of notification emails in my
administrator email account, "Outbound Mail Failure".

One of the recipients is getting "returned mail: user
unknown" messages from "Mail Delivery Subsystem". I have
changed their password frequently in the last 7 days, but
they continue to get these messages.

Can anybody help me?

Thanks, Dave

P.S. - The Routing Restrictions have been set as follows:
Reroute incoming SMTP Mail:
- The name of the domain to be routed is specified in the
routing listbox, and is specified as "Should be accepted
as inbound."

Routing Restrictions:
Hosts and clients that successfully authenticate - Checked
Hosts and Clients with these IP Addresses - Checked
- but no IP addresses actually entered in the list box
because some users have dynamic IP addresses.
Specify the hosts and clients that can NEVER route mail
- I have entered a couple of IP addresses from very active
abusers...
64.253.204.147 - 255.255.255.0
68.153.235.77 - 255.255.255.0
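To reason about what the restriction settings above actually permit, here is a small model of those rules, written as an added example for this thread (it is not Exchange code). The hosted domain and the private client addresses are assumed; the two deny-list entries are the ones from the post. The model treats the "can NEVER route mail" list as overriding the other two checks, which is an assumption.

```python
# Added example (not Exchange code): a model of the Internet Mail Service
# routing restrictions described in the post, used to see which
# connections can relay. Domain names and private client IPs are
# constructed; the two deny-list entries are the ones from the post.
import ipaddress

INBOUND_DOMAINS = {"example.com"}      # assumed hosted domain ("accepted as inbound")
ALLOW_AUTHENTICATED = True             # "Hosts and clients that successfully authenticate"
ALLOW_NETWORKS = []                    # box checked, list left empty, as in the post
DENY_NETWORKS = [                      # "can NEVER route mail" (assumed to win over the rest)
    ("64.253.204.147", "255.255.255.0"),
    ("68.153.235.77", "255.255.255.0"),
]


def in_networks(ip, nets):
    """True if ip falls in any (address, mask) pair. A 255.255.255.0 mask
    covers the whole /24, not only the single host that was typed in."""
    addr = ipaddress.ip_address(ip)
    for net_ip, mask in nets:
        if addr in ipaddress.ip_network(f"{net_ip}/{mask}", strict=False):
            return True
    return False


def relay_decision(client_ip, authenticated, rcpt_to):
    """Decide one RCPT TO command: returns (verdict, reason)."""
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    # Mail for a hosted domain is delivery, not relay: it passes the relay
    # gate even when the mailbox does not exist, and the bounce is then
    # queued outbound to whatever MAIL FROM the client supplied.
    if rcpt_domain in INBOUND_DOMAINS:
        return "accept", "inbound delivery"
    if in_networks(client_ip, DENY_NETWORKS):
        return "reject", "client on never-relay list"
    if ALLOW_AUTHENTICATED and authenticated:
        return "accept", "authenticated relay"
    if in_networks(client_ip, ALLOW_NETWORKS):
        return "accept", "client on relay-allowed list"
    return "reject", "relay denied"


if __name__ == "__main__":
    for ip, auth, rcpt in [
        ("64.253.204.147", False, "bob@other.test"),
        ("64.253.204.9", False, "bob@other.test"),      # same /24 as a deny entry
        ("10.0.0.5", True, "bob@other.test"),
        ("10.0.0.5", False, "bob@other.test"),
        ("203.0.113.7", False, "nosuchuser@example.com"),
    ]:
        print(ip, auth, rcpt, "->", relay_decision(ip, auth, rcpt))
```

Two things the model makes visible: with the IP list empty, authentication is the only relay path, so relayed mail in the outbound queue points at a mailbox whose credentials an outsider is using; and mail addressed to a non-existent user in the hosted domain is accepted as inbound and only bounced afterwards, so a stream of forged-sender messages to unknown local users shows up as "Outbound Mail Failure" notices without any relay restriction having failed. Checking which of the two the queued items are is the first step. Note also that the 255.255.255.0 mask on the deny entries blocks the entire /24 around each abuser address.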


1. Unauthorized SMTP Relay

I have Exchange 2000. From everything I've read, it
appears that the only way to prevent unsolicited and
unauthorized messages from being relayed is to specify the IP
address of acceptable senders.

If this is the case, one wonders, why one needs an Active
Directory that should prevent unauthorized access to the
services offered on a server.

If the server is required to know the IP address of all
its users to be secure, then there is not much need for a
username and password.

What amazes me about it is how the server will relay mail
that came from an unauthorized source. The originating
message should not even get to the SMTP virtual server. Do
the spammers decode a data stream to get the username and
password included in a legitimate transaction, then use
this known user to send the message?

If it's that easy, then I guess there is no way to protect
a server from this activity.

My guess is that it's not done that way. I have asked our
ISP technical support about it and they told me that clear
text usernames and passwords are generally encrypted in
some way. Somehow the message shows up as a relay job to
be done by the SMTP virtual server without having gone
through the authentication process.

Since there is an SMTP log that is aware of the From: and
To: names, it must be possible to filter authorized
messages based on those two bits of info. To process the
message it would have to either come from or be going to a
name that is listed in the server's directory. I am
surprised that such a service does not exist as a filter
available via the SMTP server's properties. If it has the
ability to detect the IP address of an incoming message,
surely it must have the ability to detect the From: or To:
names. In fact, those names can be listed in the SMTP log
for each transaction, so why no filtering at that level?

I'm sure there is a reason for this.
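The post above proposes filtering on the sender and recipient names that appear in the SMTP log. The following audit, added here as an example and not the poster's or Microsoft's code, runs that idea over transaction records and shows what a defender finds when doing so: the recipient domain and the authentication state have to carry the decision, because the envelope sender is whatever the connecting client chose to type. The log format is constructed (it is not the IIS or Exchange SMTP log format), and every address and IP below except the two abuser addresses from this thread is made up.

```python
# Added example, not the poster's or Microsoft's code: audit SMTP
# transaction records keyed on envelope sender and recipient, the way
# the post suggests. The log format and all addresses/IPs except the two
# from the thread are constructed for this example.
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}  # assumed hosted domain

# Constructed format: timestamp client_ip authenticated mail_from rcpt_to smtp_status
SAMPLE_LOG = """\
2003-09-03T01:10:02 64.253.204.147 no spam@bogus.test someone@victim.test 250
2003-09-03T01:10:05 64.253.204.147 no alice@example.com other@victim.test 250
2003-09-03T01:11:40 192.168.1.20 yes alice@example.com bob@partner.test 250
2003-09-03T01:12:01 68.153.235.77 no x@bogus.test nosuchuser@example.com 250
2003-09-03T01:12:09 68.153.235.77 no x@bogus.test other@victim.test 550
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (yes|no) (\S+) (\S+) (\d{3})$")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, auth, mail_from, rcpt, status = m.groups()
    return {"ts": ts, "ip": ip, "auth": auth == "yes",
            "from": mail_from, "rcpt": rcpt, "status": int(status)}


def classify(rec):
    """Label a transaction. The recipient domain decides inbound vs. relay;
    MAIL FROM is client-supplied text, so it is not trusted here."""
    if domain_of(rec["rcpt"]) in LOCAL_DOMAINS:
        return "inbound"
    if rec["auth"]:
        return "auth-relay"
    return "relay"


def forged_local_sender(rec):
    """Unauthenticated client claiming one of our domains in MAIL FROM."""
    return (not rec["auth"]) and domain_of(rec["from"]) in LOCAL_DOMAINS


def audit(log_text):
    """Return (accepted unauthenticated relays per client IP,
    number of transactions with a forged local sender)."""
    relays = Counter()
    forged = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if forged_local_sender(rec):
            forged += 1
        if classify(rec) == "relay" and 200 <= rec["status"] < 300:
            relays[rec["ip"]] += 1
    return dict(relays), forged


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The second sample line is the instructive one: the sender is a name in the local directory, so a filter that accepts mail "coming from" a known name would pass it, yet it is an unauthenticated third-party relay. The audit therefore counts accepted relays by recipient domain plus authentication state, and reports the forged local sender separately; the accepted relays from the first client are exactly the items that end up in an outbound queue.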
