Hi folks,

I haven't had to deal with spam relays like this before and am really
getting bombarded. Here is the scoop:

SBS 2000 w/ ISA on public IP

Server was already defined to not relay

I unticked check box so that even authenticated users can't relay

I followed MS KB article on configuring SBS for non relay, purging
queues and deleting bad mail.

I only had a few hundred emails stuck in queues, but I'm a little
upset that they even got there.

So after all of this work last night, I remote in and check the queues
and there is an smtp connector in there for the usbank scam. I
enumerated it and deleted it.

Later on this morning, there are SMTP connectors for Yahoo and our
local Roadrunner cfl.rr.com. Is this in any way related to webmail usage?
Should I ever see any more smtp connectors than the default four that
are always there?

Does anybody know the default nature of the relay process in exchange?

If everything is configured correctly, am I going to temporarily see
a relay in the queues before it is nixed by policy?

Is it possible that a user's computer is infected and that is why we
are having this problem? All computers are running updated AV.

I also turned up the logging as defined in the KB articles and I'm
getting some events like this:

EXPS is temporarily unable to provide protocol security with "matrix".
"CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth"
which failed with error code 0x8007052e (
y:\transmt\src\smtpsink\exps\expslib\context.cpp@1462 ).


Thanks for any insight and help. I'm not sure where to take it from
here.

Steve

Re: Spam Relay Problem - what else can I do? Please Help. by Robbie

Robbie
Wed Aug 11 09:28:28 CDT 2004

I had similar problems last week, and I got some good help here.

2 things to do

1. Check in Exchange Manager under current sessions for SMTP, is there any
user listed there?
2. Make sure none of your users have blank passwords

Robbie


"Steve Stewart" <steve@nospam.com> wrote in message
news:rm9kh0pt8sa3a3uoe78t3hbmipbinbsv49@4ax.com...



Re: Spam Relay Problem - what else can I do? Please Help. by Tim

Tim
Wed Aug 11 09:33:42 CDT 2004

Hi,

To combat this problem, go to Message Delivery under
Global Settings and untick everything except 'Accept
messages without notifying sender of filtering'. This will
stop the NDRs happening.

Regards

TIM

Re: Spam Relay Problem - what else can I do? Please Help. by Steve

Steve
Wed Aug 11 18:22:03 CDT 2004


So the queues that I am seeing open up and then disappear are most
likely generated by NDRs from bogus incoming emails?



On Wed, 11 Aug 2004 07:33:42 -0700, "Tim Pilcher"
<anonymous@discussions.microsoft.com> wrote:



Re: Spam Relay Problem - what else can I do? Please Help. by Robbie

Robbie
Thu Aug 12 04:38:34 CDT 2004

Not necessarily.

There could be a user relaying off your server. Just because you have closed
relay doesn't mean someone can't do this.

I had a problem recently where a test account was created with a blank
password, and I forgot to remove it.

Did you set the ExchangeTransport/SMTP Protocol logging to maximum and look
in the event logs?

Robbie

"Steve Stewart" <steve@nospam.com> wrote in message
news:5lalh05k104p02e0t9jagc0l8n6lr0n5i5@4ax.com...



Re: Spam Relay Problem - what else can I do? Please Help. by Andrew

Andrew
Mon Aug 16 06:59:10 CDT 2004

I had a similar problem with a client who had a user with a weak password.
Fortunately I had Trend CSM for SMB installed that filtered SPAM out. I was
the only one who received 11,000 emails in 8 hours (overnight) as Trend had
blocked the SPAM being routed via the server (I was receiving the alert
email).

I turned on the Exchange logs, found out which account was being logged in
and quickly changed the password. SPAM alerts stopped (so did the SPAM).
Now the client believes in strong passwords.

Andrew
Country NSW
Australia




"Robbie Niblock" <robbie@nospam.systemsencore.co.uk> wrote in message
news:cffdqk$p6k$1$8300dec7@news.demon.co.uk...
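Robbie's advice to turn SMTP protocol logging up and read the logs, and Andrew's account of finding the account being logged in, both come down to the same triage: which client IPs authenticated, under which account, and how many external recipients the server then accepted from them. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes the Windows 2000 SMTP service's W3C extended log layout (the `#Fields:` line in the sample, with the SMTP verb in `cs-method`, its argument in `cs-uri-query` and the reply code in `sc-status`); the log lines, the client addresses, the `test` account and the local domain `example.com` are all constructed for the demonstration, and grouping lines by client IP stands in for a session id the format does not carry. It also unwraps the `0x8007052e` code from the EXPS event in the original post: that is an HRESULT wrapping Win32 error 1326, ERROR_LOGON_FAILURE, which is what the server records when someone fails SMTP AUTH.

```python
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"example.com"}   # assumed: the domains this server accepts mail for
ERROR_LOGON_FAILURE = 1326        # Win32 0x052E: "the user name or password is incorrect"

# Constructed sample in the W3C extended layout the Windows 2000 SMTP service writes.
# 203.0.113.7 authenticates as the weak "test" account and relays to outside domains;
# 198.51.100.77 fails AUTH twice and is then refused relay; 192.0.2.15 is normal inbound mail.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2004-08-11 03:12:01 203.0.113.7 - SMTPSVC1 MATRIX 198.51.100.2 25 EHLO - spammer.invalid 250 0 0 0 0 SMTP - - - -
2004-08-11 03:12:01 203.0.113.7 - SMTPSVC1 MATRIX 198.51.100.2 25 AUTH - LOGIN 235 0 0 0 0 SMTP - - - -
2004-08-11 03:12:02 203.0.113.7 test SMTPSVC1 MATRIX 198.51.100.2 25 MAIL - FROM:<support@usbank-scam.invalid> 250 0 0 0 0 SMTP - - - -
2004-08-11 03:12:02 203.0.113.7 test SMTPSVC1 MATRIX 198.51.100.2 25 RCPT - TO:<victim1@yahoo.com> 250 0 0 0 0 SMTP - - - -
2004-08-11 03:12:02 203.0.113.7 test SMTPSVC1 MATRIX 198.51.100.2 25 RCPT - TO:<victim2@cfl.rr.com> 250 0 0 0 0 SMTP - - - -
2004-08-11 03:12:03 203.0.113.7 test SMTPSVC1 MATRIX 198.51.100.2 25 DATA - <msg1@spammer.invalid> 250 0 0 0 0 SMTP - - - -
2004-08-11 03:15:40 198.51.100.77 - SMTPSVC1 MATRIX 198.51.100.2 25 AUTH - LOGIN 535 1326 0 0 0 SMTP - - - -
2004-08-11 03:15:41 198.51.100.77 - SMTPSVC1 MATRIX 198.51.100.2 25 AUTH - LOGIN 535 1326 0 0 0 SMTP - - - -
2004-08-11 03:15:42 198.51.100.77 - SMTPSVC1 MATRIX 198.51.100.2 25 MAIL - FROM:<x@spammer.invalid> 250 0 0 0 0 SMTP - - - -
2004-08-11 03:15:42 198.51.100.77 - SMTPSVC1 MATRIX 198.51.100.2 25 RCPT - TO:<someone@yahoo.com> 550 0 0 0 0 SMTP - - - -
2004-08-11 08:02:10 192.0.2.15 - SMTPSVC1 MATRIX 198.51.100.2 25 MAIL - FROM:<partner@partner.invalid> 250 0 0 0 0 SMTP - - - -
2004-08-11 08:02:10 192.0.2.15 - SMTPSVC1 MATRIX 198.51.100.2 25 RCPT - TO:<steve@example.com> 250 0 0 0 0 SMTP - - - -
"""

RCPT_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, values))


def triage(log_text, local_domains=LOCAL_DOMAINS):
    """Summarise who authenticated, who failed to, and who relayed to outside domains.

    Sessions are approximated by client IP (assumption: the format has no session id).
    """
    authed = {}                     # c-ip -> account that authenticated from it
    failed_auth = Counter()         # c-ip -> number of 5xx replies to AUTH
    relayed = defaultdict(Counter)  # account -> external domain -> accepted recipients
    denied = Counter()              # c-ip -> external RCPT commands the server refused
    for e in parse_w3c(log_text):
        ip, user, verb = e["c-ip"], e["cs-username"], e["cs-method"].upper()
        status = e["sc-status"]
        if verb == "AUTH":
            if status.startswith("2"):
                authed[ip] = user if user != "-" else authed.get(ip, "(unknown)")
            elif status.startswith("5"):
                failed_auth[ip] += 1
            continue
        if user != "-":
            authed[ip] = user       # IIS fills cs-username once the session is authenticated
        if verb != "RCPT":
            continue
        m = RCPT_DOMAIN.search(e["cs-uri-query"])
        domain = m.group(1).lower() if m else "?"
        if domain in local_domains:
            continue                # inbound mail for our own domain is not relaying
        if status.startswith("2"):
            # "(unauthenticated)" here would mean the server is still an open relay
            relayed[authed.get(ip, "(unauthenticated)")][domain] += 1
        else:
            denied[ip] += 1
    return {"relayed": {a: dict(c) for a, c in relayed.items()},
            "failed_auth": dict(failed_auth),
            "denied": dict(denied)}


def win32_from_hresult(hr):
    """Unwrap the Win32 error carried by a FACILITY_WIN32 HRESULT (0x8007xxxx)."""
    if ((hr >> 16) & 0x7FF) != 7:
        raise ValueError("not a FACILITY_WIN32 HRESULT")
    return hr & 0xFFFF


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for account, domains in report["relayed"].items():
        print(f"relay via {account}: {sum(domains.values())} external recipients {domains}")
    for ip, n in report["failed_auth"].items():
        print(f"{ip}: {n} failed AUTH attempts")
    for ip, n in report["denied"].items():
        print(f"{ip}: {n} external RCPTs refused (relay closed)")
    code = win32_from_hresult(0x8007052E)
    print(f"EXPS 0x8007052e -> Win32 {code} ({'ERROR_LOGON_FAILURE' if code == ERROR_LOGON_FAILURE else 'other'})")
```

On the sample, the report names the `test` account as the one relaying to yahoo.com and cfl.rr.com (the two domains Steve saw queues for), which is the account to disable or re-password; the `535` AUTH replies with win32 status 1326 from the second address are the same logon failures the EXPS event describes, and a run of them from one address is worth watching even after the relay is closed. An entry under `(unauthenticated)` in `relayed` would mean the server is still accepting external recipients without authentication, i.e. the relay is not actually closed.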