Lanwench
Sat Aug 07 13:58:18 CDT 2004
John JUmp wrote:
> Thanks, very insightful your question. The message is from
> the postmaster@mydomain.com to "envelope recipient" "SMTP:
> efdsas9567@e-wholesaler.net". Now I do not have that domain
> in my spam filter.
>
> What's the meaning of this?
If it's from your own server, dollars to doughnuts it's your server trying
to send an NDR to a spammer. I don't recommend disabling NDRs - they are
useful things, and it would really be just a bandaid. The solution is to get
good content filtering/anti-spam stuff to keep the junkmail from coming into
your server in the first place.
Some options:
www.gfi.com
www.readymaids.com (owned by an Active Directory MVP who is also an Exchange
guru)
www.postini.com (a third party relay service)
>
>> -----Original Message-----
>> John JUmp wrote:
>>> ***Part 1 posted yesterday*****
>>>
>>> Thanks Chad for your help, I found 3 queues on there. It's
>>> not creating those logs at that rate. However this morning
>>> I found a queue that was labeled "SmallBusiness SMTP
>>> connector - e-wholesaler.net(SMTP Connector - Remote
>>> Delivery)". Is this considered a spammer using my server
>>> as an open relay still? I followed all the steps as I was
>>> supposed to. Should I start using a different port for my
>>> SMTP server or it has to be port 25 always? If I do that
>>> I might have to do some changes on my Cisco PIX firewall.
>>
>> Well, if you change the port from 25 to something else, nobody on the
>> Internet will be able to send mail to your server. So I guess that
>> would resolve the problem, but it's kind of like someone saying you
>> should unplug your server from the network or power it off entirely
>> in order to save it. ;-)
>>
>> E2k isn't an open relay by default. Who are the messages in the
>> queues *from*?
>>
>> If they're from <>, that's your own server trying to send out an NDR
>> to a spammer (<> is null sender; is used to prevent mail loops). If
>> you're seeing a lot of this, you need to look into third party anti-
>> spam solutions -
>>
>> If they're from addresses on domains you don't manage on your
>> server, you're being used as a relay. Did you change your relay
>> settings in ESM? See http://www.msexchange.org/tutorials/MF005.html
>> - also note that E2k/E2003
>> enable open relay by default, so if a) you've enabled guest (bad
>> idea!) and/or b) don't have a good complex password policy enabled,
>> with regular forced changes for users, someone may be exploiting
>> your authenticated relay. See
>> http://www.vamsoft.com/orf/authattack.asp for info on this. I always
>> disable authenticated relay the moment I set up an Exchange server -
>> if anyone *does* need POP access from the outside, which I discourage, I
>> have them use their own ISP's SMTP server for outbound mail....
>>
>> Hope this helps.
>>
>>
>>
>>>
>>> Please let me know
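
The sender check described in the quoted reply above (null sender means an NDR, a sender on a domain the server does not manage means relaying), as an added example that is not part of the original thread. The domain names and queue entries are constructed, and `LOCAL_DOMAINS` is an assumed list of the domains the server hosts.

```python
# Added example: triage of SMTP queue entries by envelope sender/recipient.
# LOCAL_DOMAINS and QUEUE are constructed for illustration (assumptions).
from collections import Counter

LOCAL_DOMAINS = {"mydomain.example"}  # assumption: domains this server hosts

# Constructed sample: (envelope sender, envelope recipient) per queued message.
QUEUE = [
    ("<>", "efdsas9567@spam-source.example"),
    ("postmaster@mydomain.example", "x1@spam-source.example"),
    ("alice@mydomain.example", "bob@partner.example"),
    ("promo@unrelated.example", "victim@elsewhere.example"),
    ("promo@unrelated.example", "carol@mydomain.example"),
]

def domain(addr):
    """Return the lower-cased domain of an address, or '' for the null sender."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def classify(sender, recipient):
    """Label one queue entry as inbound, ndr, outbound or relay."""
    s_dom, r_dom = domain(sender), domain(recipient)
    local_part = sender.strip("<> ").split("@")[0].lower()
    if r_dom in LOCAL_DOMAINS:
        return "inbound"    # delivery to a mailbox hosted here
    if s_dom == "" or (s_dom in LOCAL_DOMAINS and local_part == "postmaster"):
        return "ndr"        # server-generated bounce to an outside address
    if s_dom in LOCAL_DOMAINS:
        return "outbound"   # local sender mailing an outside address
    return "relay"          # foreign sender to foreign recipient

def triage(queue):
    """Count queue entries per label so the dominant cause stands out."""
    return Counter(classify(s, r) for s, r in queue)

if __name__ == "__main__":
    for label, count in triage(QUEUE).most_common():
        print(f"{label:9} {count}")
```

A queue dominated by `ndr` points at inbound spam filtering, while any `relay` entries point at the server's relay settings.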