Just seen our exchange log files for today and found a spammer using our server all from the same IP address.
Is there a quick way to ban an IP address from connecting to our exchange 2003 server?
I can then look at the security stuff later, just want the spam to stop relaying quickly.
Cheers.
Section 2 of this gives you the location to restrict relaying, images in the URL but not quoted.
Configure Exchange 2003 Server
Just need to set it to All except the list below or even better just allow relaying for your internal mail servers.2. Configuring the SMTP server for inbound email
Next we will configure the SMTP-Server. This is the part of Exchange that accepts incomming emails from POPcon. No special settings are needed to work with POPcon but these are the standard settings in any case:
You will find the settings for the SMTP server under Servers/Protocols/SMTP/Default SMTP Virtual Server. Open the properties by right-clicking on the Default SMTP Virtual Server and choosing "Properties":
The settings on tab "General" can normally be left to the defaults.
On the tab "Access" you can find some configuration settings that might interfere with POPcon.
POPcon only works with a standard SMTP connection WITHOUT authentication, so allow "Anonymous access" in the "Authentication" dialog:
Choose "Connection" to grant or refuse the right to connect to the SMTP server to individual or multiple IP Address Ranges. Please ensure the system POPcon runs on does have the right to connect granted. With this setting ALL systems will have access to your SMTP server:
Under "Relay..." you can assign the right to relay through your SMTP-Server to some systems. This might be needed in some configuration and to be sure you should grant the system POPcon runs on relay rights. All other systems will need to authenticate before accessing the SMTP server to prevent unauthorized users using your system to relay spam:
Under the "Messages" tab you can restrict message size and number of messages accepted for each connection. Please make sure these settings are liberal enough to allow POPcon to transmit large messages to your server.
Last edited by SYNACK; 20th March 2009 at 04:47 PM.
Well I managed to ban the IP address now I need to know what to do about the security. This is a quote from the email I recieved from our ISP who banned the smtp connection when they saw the spam.
Anyone ever heard of this before? I remember the days of closing open relays with a simple tick box in exchange but this seems a bit more complicated> In respect of the current outbound SMTP service block, we will need
> you to either disable AUTH LOGIN completely before this can be
> removed, or alternatively set up a temporary, test account on the
> system that we can
> use to test whether authentication does in fact still permit an
> authenticated external user to relay.
How do I disable AUTH LOGIN in exchange 2003? What are the implications for this?
AUTH LOGIN is one method of SMTP authentication (others include PLAIN and CRAM-MD5). In Plain and Login the passwords are sent in the clear, so they are subject to sniffing. Cram-Md5 uses a password digest to authenticate 'securely' (note: md5 is still subject to brute-force attacks).Originally Posted by ittech
Well I managed to ban the IP address now I need to know what to do about the security. This is a quote from the email I recieved from our ISP who banned the smtp connection when they saw the spam.
Anyone ever heard of this before? I remember the days of closing open relays with a simple tick box in exchange but this seems a bit more complicated
How do I disable AUTH LOGIN in exchange 2003? What are the implications for this?
See http://www.technoids.org/saslmech.html
In Exchange you can set which of these methods you allow, though I don't have it in front of me to check where for you.
I'm still struggling with this, everytime I enable outgoing mail 1000s of spam messages are queued up
My ISP says someone has hacked the smtp password and no organisation should need to use AUTH LOGIN. I'm a bit confused as I don't know what to change in exchange to fix it. Google doesn't show up much.
This Microsoft page goes into detail of how to make sure you're not an open relay.
When you think you've got it right, go to a command prompt and type the following sequence (put your mailserver name in place of <mailserver> but enter the other stuff exactly as is)
telnet <mailserver> 25
helo computername
mail from: testemail@testdomain.com
rcpt to: anothertest@test.com
Exchange should reply to your "helo" (you ought to put the real name of your PC but it doesn't matter for this). It will accept the "mail from" (it doesn't know that address doesn't exist; it could do and that's fine). After the recipient bit it should reject you - at this point you've said you're sending email from testdomain.com to test.com and (unless one of those happens to be your domain!) that won't be allowed unless you have an open relay.
Mail relay testing is a good website to use to test if your server is a open relay.
HTH
Jack
Thanks for the links, the problem wasn't that we had an "open" relay but that someone had run a password cracker on our smtp connection and found a way to send legitimate connections through our mail server.
I think I've solved it by only allowing a connection to our incoming mail host and denying all other IP addresses. I also had to change the outbound connection to DNS as our IP got banned from the ISP's smtp feed. The only problem I have now is AOL addresses don't work but I've had that before and its something to do with PTR records
Here is the options I changed in exchange manager if anyone is interested.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
