  1. #1 zag

    Ban an IP address from connecting to exchange

    Just seen our exchange log files for today and found a spammer using our server all from the same IP address.

    Is there a quick way to ban an IP address from connecting to our exchange 2003 server?

    I can then look at the security stuff later, just want the spam to stop relaying quickly.

    Cheers.
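Spotting "one IP doing all the sending" in the log is the step the opening post did by eye. The script below is an added example, not something from the thread or from Exchange: it assumes the SMTP virtual server writes a W3C extended-format log with a `#Fields:` header (the IIS logging convention) and takes the column names from that header, so the exact column set is an assumption rather than a statement about the real format. The log lines are constructed sample data, and the `rcpt_threshold` is a made-up cut-off.

```python
"""Triage an SMTP virtual server log for a single abusive client IP.

Added example, not from the thread. Assumes a W3C extended-format log
with a '#Fields:' header; the field names used (c-ip, cs-username,
cs-method) follow that convention but the column set is an assumption.
The parser takes the names from the header, so other layouts work
unchanged. The log lines are constructed sample data, not a capture.
"""
from collections import Counter, defaultdict

# Constructed sample: one normal inbound delivery from 192.0.2.10, then
# an authenticated client at 198.51.100.7 pushing many RCPT TO commands.
SAMPLE_LOG = """\
#Software: example SMTP service
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-03-20 09:00:01 192.0.2.10 - HELO +mail.example.org 250
2009-03-20 09:00:01 192.0.2.10 - MAIL +FROM:<alice@example.org> 250
2009-03-20 09:00:01 192.0.2.10 - RCPT +TO:<bob@example.net> 250
2009-03-20 09:00:02 192.0.2.10 - QUIT - 221
2009-03-20 09:01:00 198.51.100.7 relayuser AUTH +LOGIN 235
2009-03-20 09:01:00 198.51.100.7 relayuser MAIL +FROM:<win@lottery.test> 250
2009-03-20 09:01:00 198.51.100.7 relayuser RCPT +TO:<v1@victim.test> 250
2009-03-20 09:01:00 198.51.100.7 relayuser RCPT +TO:<v2@victim.test> 250
2009-03-20 09:01:01 198.51.100.7 relayuser RCPT +TO:<v3@victim.test> 250
2009-03-20 09:01:01 198.51.100.7 relayuser RCPT +TO:<v4@victim.test> 250
2009-03-20 09:01:01 198.51.100.7 relayuser RCPT +TO:<v5@victim.test> 250
2009-03-20 09:01:02 198.51.100.7 relayuser RCPT +TO:<v6@victim.test> 250
2009-03-20 09:01:02 198.51.100.7 relayuser DATA - 250
"""


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def summarize(log_text):
    """Per client IP: a count of each SMTP verb and the usernames it authenticated as."""
    commands = defaultdict(Counter)
    users = defaultdict(set)
    for rec in parse_w3c(log_text):
        ip = rec["c-ip"]
        commands[ip][rec["cs-method"].upper()] += 1
        if rec.get("cs-username", "-") != "-":
            users[ip].add(rec["cs-username"])
    return {ip: {"commands": dict(c), "users": sorted(users[ip])}
            for ip, c in commands.items()}


def suspicious_ips(log_text, rcpt_threshold=5):
    """IPs that issued at least rcpt_threshold RCPT commands, busiest first.
    The threshold is an assumption; tune it to the server's normal traffic."""
    report = summarize(log_text)
    hits = [(ip, d["commands"].get("RCPT", 0)) for ip, d in report.items()
            if d["commands"].get("RCPT", 0) >= rcpt_threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: -t[1])]


if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(ip, summarize(SAMPLE_LOG)[ip])
```

The `users` list is the part worth reading before reaching for the IP block: a busy IP with no username is an anonymous relay problem, while a busy IP with a username means a credential has been guessed or stolen, and blocking the address alone leaves the account usable from the next one.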

  2. #2 SYNACK
    Section 2 of this gives you the location to restrict relaying; the images are in the URL but not quoted here.

    Configure Exchange 2003 Server
    2. Configuring the SMTP server for inbound email

    Next we will configure the SMTP-Server. This is the part of Exchange that accepts incoming emails from POPcon. No special settings are needed to work with POPcon but these are the standard settings in any case:

    You will find the settings for the SMTP server under Servers/Protocols/SMTP/Default SMTP Virtual Server. Open the properties by right-clicking on the Default SMTP Virtual Server and choosing "Properties":

    The settings on tab "General" can normally be left to the defaults.

    On the tab "Access" you can find some configuration settings that might interfere with POPcon.

    POPcon only works with a standard SMTP connection WITHOUT authentication, so allow "Anonymous access" in the "Authentication" dialog:

    Choose "Connection" to grant or refuse the right to connect to the SMTP server to individual or multiple IP Address Ranges. Please ensure the system POPcon runs on does have the right to connect granted. With this setting ALL systems will have access to your SMTP server:

    Under "Relay..." you can assign the right to relay through your SMTP-Server to some systems. This might be needed in some configurations and to be sure you should grant the system POPcon runs on relay rights. All other systems will need to authenticate before accessing the SMTP server to prevent unauthorized users using your system to relay spam:

    Under the "Messages" tab you can restrict message size and number of messages accepted for each connection. Please make sure these settings are liberal enough to allow POPcon to transmit large messages to your server.
    Just need to set it to All except the list below or even better just allow relaying for your internal mail servers.

  3. #3 zag
    Well I managed to ban the IP address, now I need to know what to do about the security. This is a quote from the email I received from our ISP who banned the SMTP connection when they saw the spam.

    > In respect of the current outbound SMTP service block, we will need
    > you to either disable AUTH LOGIN completely before this can be
    > removed, or alternatively set up a temporary, test account on the
    > system that we can
    > use to test whether authentication does in fact still permit an
    > authenticated external user to relay.
    Anyone ever heard of this before? I remember the days of closing open relays with a simple tick box in exchange but this seems a bit more complicated

    How do I disable AUTH LOGIN in exchange 2003? What are the implications for this?

  4. #4 powdarrmonkey
    Quote Originally Posted by ittech View Post
    Well I managed to ban the IP address, now I need to know what to do about the security. This is a quote from the email I received from our ISP who banned the SMTP connection when they saw the spam.

    Anyone ever heard of this before? I remember the days of closing open relays with a simple tick box in exchange but this seems a bit more complicated

    How do I disable AUTH LOGIN in exchange 2003? What are the implications for this?
    AUTH LOGIN is one method of SMTP authentication (others include PLAIN and CRAM-MD5). In PLAIN and LOGIN the passwords are sent in the clear, so they are subject to sniffing. CRAM-MD5 uses a password digest to authenticate 'securely' (note: MD5 is still subject to brute-force attacks).

    See http://www.technoids.org/saslmech.html

    In Exchange you can set which of these methods you allow, though I don't have it in front of me to check where for you.
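To make the "sent in the clear" and "still subject to brute force" points concrete, here is an added example (not from the thread, and not Exchange code) that decodes what a sniffer sees for AUTH LOGIN and AUTH PLAIN, computes a CRAM-MD5 response the way RFC 2195 describes it, and then recovers the password from a captured challenge/response pair offline. The username `relayuser`, the password, the challenge string and the wordlist are all constructed for the demonstration.

```python
"""SMTP AUTH mechanisms as they appear on the wire: LOGIN/PLAIN vs CRAM-MD5.

Added example, not from the thread. Base64 is an encoding, not
encryption, so a sniffed LOGIN or PLAIN exchange yields the password
directly. CRAM-MD5 keeps the password off the wire, but a sniffed
challenge/response pair can be brute-forced offline with no lockout.
The username, password, challenge and wordlist are all constructed.
"""
import base64
import hashlib
import hmac

# Constructed capture of an AUTH LOGIN exchange: the server prompts twice
# with "334 ..." and the client answers each prompt with one base64 line.
SNIFFED_LOGIN = ["cmVsYXl1c2Vy", "U3ByaW5nMjAwOSE="]

# The same credentials as AUTH PLAIN would carry them: one blob of
# authzid NUL authcid NUL password (constructed).
SNIFFED_PLAIN = base64.b64encode(b"\0relayuser\0Spring2009!").decode()

# Constructed CRAM-MD5 challenge, i.e. the base64 payload of the 334 line.
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@mail.example.org>").decode()

# Constructed wordlist standing in for a real password list.
WORDLIST = ["password", "Password1", "exchange", "Spring2009!", "letmein"]


def decode_auth_login(client_lines):
    """Recover (username, password) from the client's two AUTH LOGIN lines."""
    user, password = (base64.b64decode(line).decode() for line in client_lines)
    return user, password


def decode_auth_plain(blob_b64):
    """Recover (username, password) from a single AUTH PLAIN blob."""
    _authzid, authcid, password = base64.b64decode(blob_b64).decode().split("\0")
    return authcid, password


def cram_md5_response(username, password, challenge_b64):
    """What a client sends for CRAM-MD5 (RFC 2195): base64 of
    '<username> <hex HMAC-MD5(key=password, msg=challenge)>'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


# The response the client would have sent for the constructed credentials;
# together with CHALLENGE_B64 this is what a sniffer captures.
SNIFFED_CRAM = cram_md5_response("relayuser", "Spring2009!", CHALLENGE_B64)


def crack_cram_md5(challenge_b64, response_b64, wordlist):
    """Offline brute force of a sniffed CRAM-MD5 pair. Nothing touches the
    server, so lockout and rate limits never fire; only the password's
    strength protects it. Returns the password, or None if not in the list."""
    _username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    challenge = base64.b64decode(challenge_b64)
    for guess in wordlist:
        candidate = hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(candidate, digest):
            return guess
    return None


if __name__ == "__main__":
    print("LOGIN  ->", decode_auth_login(SNIFFED_LOGIN))
    print("PLAIN  ->", decode_auth_plain(SNIFFED_PLAIN))
    print("CRAM   ->", crack_cram_md5(CHALLENGE_B64, SNIFFED_CRAM, WORDLIST))
```

The practical reading for the thread: switching LOGIN off for CRAM-MD5 stops a passive sniffer reading the password, but it does nothing against the attack zag actually suffered, which was online guessing against the SMTP AUTH endpoint. That is only addressed by not exposing authenticated relay to arbitrary addresses at all, or by strong passwords plus lockout on the accounts that can relay.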

  5. #5 zag
    Quote Originally Posted by powdarrmonkey View Post
    AUTH LOGIN is one method of SMTP authentication (others include PLAIN and CRAM-MD5). In Plain and Login the passwords are sent in the clear, so they are subject to sniffing. Cram-Md5 uses a password digest to authenticate 'securely' (note: md5 is still subject to brute-force attacks).

    See Negotiating an SMTP AUTH Authentication Mechanism

    In Exchange you can set which of these methods you allow, though I don't have it in front of me to check where for you.
    I'm still struggling with this, every time I enable outgoing mail 1000s of spam messages are queued up

    My ISP says someone has hacked the smtp password and no organisation should need to use AUTH LOGIN. I'm a bit confused as I don't know what to change in exchange to fix it. Google doesn't show up much.

  6. #6
    This Microsoft page goes into detail of how to make sure you're not an open relay.

    When you think you've got it right, go to a command prompt and type the following sequence (put your mailserver name in place of <mailserver> but enter the other stuff exactly as is)

    telnet <mailserver> 25
    helo computername
    mail from: testemail@testdomain.com
    rcpt to: anothertest@test.com

    Exchange should reply to your "helo" (you ought to put the real name of your PC but it doesn't matter for this). It will accept the "mail from" (it doesn't know that address doesn't exist; it could do and that's fine). After the recipient bit it should reject you - at this point you've said you're sending email from testdomain.com to test.com and (unless one of those happens to be your domain!) that won't be allowed unless you have an open relay.
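The same telnet test, automated so it can be re-run after every configuration change, as an added example that is not part of the post. It also accepts a username and password and performs AUTH LOGIN before MAIL FROM, which is the test the ISP in post #3 asked for: whether an authenticated external user can still relay. The sender and recipient addresses are the post's own; the host name `probe.example`, the credentials and the three server transcripts are constructed so the example runs offline, and `probe_host()` drives the identical logic against a live server.

```python
"""Relay probe: HELO / MAIL FROM / RCPT TO, optionally after AUTH LOGIN.

Added example, not from the thread. The server transcripts below are
constructed; probe_host() runs the same checks against a live server.
"""
import base64
import io
import socket


class SmtpSession:
    """Minimal line-oriented SMTP client over any pair of binary files."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile

    def read_reply(self):
        """Read one reply, joining 'NNN-' continuation lines; return (code, text)."""
        texts = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            texts.append(line[4:])
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), "\n".join(texts)

    def command(self, cmd):
        self.wfile.write((cmd + "\r\n").encode("ascii"))
        self.wfile.flush()
        return self.read_reply()


def relay_probe(session, helo="probe.example", credentials=None,
                sender="testemail@testdomain.com", rcpt="anothertest@test.com"):
    """Drive the test from the post. Neither address is a local domain, so a
    2xx reply to RCPT TO means the server has agreed to relay for us."""
    result = {"banner": session.read_reply()[0]}
    result["helo"] = session.command(f"HELO {helo}")[0]
    if credentials:  # reproduce the ISP's authenticated-relay test
        user, password = credentials
        code = session.command("AUTH LOGIN")[0]
        if code == 334:
            code = session.command(base64.b64encode(user.encode()).decode())[0]
        if code == 334:
            code = session.command(base64.b64encode(password.encode()).decode())[0]
        result["auth"] = code  # 235 means the server accepted the credentials
    result["mail"] = session.command(f"MAIL FROM:<{sender}>")[0]
    result["rcpt"] = session.command(f"RCPT TO:<{rcpt}>")[0]
    try:
        session.command("QUIT")
    except (ConnectionError, OSError):
        pass  # some servers drop the socket on QUIT; we already have the answer
    result["verdict"] = "open_relay" if 200 <= result["rcpt"] < 300 else "closed"
    return result


def probe_transcript(server_replies, credentials=None):
    """Run relay_probe against a canned reply stream (offline)."""
    session = SmtpSession(io.BytesIO(server_replies), io.BytesIO())
    return relay_probe(session, credentials=credentials)


def probe_host(host, port=25, credentials=None, timeout=10):
    """Run relay_probe against a live server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        session = SmtpSession(sock.makefile("rb"), sock.makefile("wb"))
        return relay_probe(session, credentials=credentials)


# Constructed transcripts of what the server might send back.
CLOSED_RELAY = (b"220 mail.example.org ESMTP\r\n"
                b"250 mail.example.org Hello [198.51.100.7]\r\n"
                b"250 2.1.0 Sender OK\r\n"
                b"550 5.7.1 Unable to relay for anothertest@test.com\r\n"
                b"221 2.0.0 closing connection\r\n")
OPEN_RELAY = (b"220 mail.example.org ESMTP\r\n"
              b"250 mail.example.org Hello\r\n"
              b"250 2.1.0 Sender OK\r\n"
              b"250 2.1.5 anothertest@test.com\r\n"
              b"221 bye\r\n")
AUTH_RELAY = (b"220 mail.example.org ESMTP\r\n"
              b"250 mail.example.org Hello\r\n"
              b"334 VXNlcm5hbWU6\r\n"
              b"334 UGFzc3dvcmQ6\r\n"
              b"235 2.7.0 Authentication successful\r\n"
              b"250 2.1.0 Sender OK\r\n"
              b"250 2.1.5 anothertest@test.com\r\n"
              b"221 bye\r\n")

if __name__ == "__main__":
    print(probe_transcript(CLOSED_RELAY)["verdict"])
    print(probe_transcript(AUTH_RELAY, ("relayuser", "Spring2009!")))
```

A 550 from the anonymous run is the result the post describes and shows the relay tick-box is right, but it is not the whole picture for this thread: run it again with a valid account and, if RCPT TO now returns 250, any address on the Internet that guesses that account's password can relay through the server, which is exactly what the ISP was blocking on.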

  7. #7
    Mail relay testing is a good website to use to test if your server is a open relay.
    HTH
    Jack

  8. #8 zag
    Thanks for the links, the problem wasn't that we had an "open" relay but that someone had run a password cracker on our smtp connection and found a way to send legitimate connections through our mail server.

    I think I've solved it by only allowing a connection to our incoming mail host and denying all other IP addresses. I also had to change the outbound connection to DNS as our IP got banned from the ISP's SMTP feed. The only problem I have now is AOL addresses don't work but I've had that before and it's something to do with PTR records.

    Here are the options I changed in Exchange Manager if anyone is interested.