Please help me figure out


foxdn


my IP is 207.193.173.85

listing shows only spamtrap, no reports. I've read most of the FAQs. This is all kinda confusing to me. I was on an open relay black list a few weeks ago. I've patched Windows and Exchange 2000 and enabled strong passwords. Got off the ORBL. Have run tests and am reasonably sure we don't have an open relay.

But I can't seem to get off Spamcop's list. We have clients we can't respond to and we're losing business. Please help me figure out what I'm missing, doing wrong, or whatever. Any comments, questions, or instructions that will lead me in the right direction would be greatly appreciated.

Thanks!


my IP is 207.193.173.85 

listing shows only spamtrap, no reports. I've read most of the FAQs. This is all kinda confusing to me. I was on an open relay black list a few weeks ago. I've patched Windows and Exchange 2000 and enabled strong passwords. Got off the ORBL. Have run tests and am reasonably sure we don't have an open relay.

But I can't seem to get off Spamcop's list. We have clients we can't respond to and we're losing business. Please help me figure out what I'm missing, doing wrong, or whatever. Any comments, questions, or instructions that will lead me in the right direction would be greatly appreciated.

A null administrator password is anything but strong. I would suggest changing it right away.

If you don't require remote users to be able to relay mail through your server, you should turn off the option that allows authenticated users not in the list of authorised IP addresses to relay. This will stop spammers having any chance of using a similar exploit in the future.


207.193.173.85

220 lsf-exchange.lonestarfasteners.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 19 Oct 2004 12:51:31 -0500

Looks like an SMTP AUTH Hack. The spammers have more control of your machine than you do.

Here is some of the junk coming from your insecure machine......

From scoldedhung[at]netzero.net Mon Oct 18 10:50:48 2004
Delivery-date: Mon, 18 Oct 2004 10:50:48 -0400
Received: from [207.193.173.85] (helo=lsf-exchange.lonestarfasteners.com)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1CJYqW-0006ho-1H
    for spamvictim; Mon, 18 Oct 2004 10:50:48 -0400
Received: from abelson ([61.173.50.17] unverified) by lsf-exchange.lonestarfasteners.com with Microsoft SMTPSVC(5.0.2195.6713);
    Mon, 18 Oct 2004 09:50:05 -0500
From: "Christopher Khosrowjah"<scoldedhung[at]netzero.net>
To: spamvictim
Subject: FIND THE MED1lCAT|0N YOU ARE l0OK|NG F0R QUICKI||1Y!
Mime-Version: 1.0
Date: 18 Oct 2004 09:50:07 -0500

Take the machine off the internet until you secure it.

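The diagnosis above comes from reading the Received chain bottom-up: the spam entered the Exchange box from an outside host (61.173.50.17, HELO "abelson", marked unverified) and only then went out to the victim. The following script is an added example, not code from this thread or from any SpamCop tool. It refolds the quoted headers into a constructed sample, unfolds them, parses each Received hop and reports the hop at which your own server accepted the message from an address outside your trusted ranges. The server name and the trusted prefix used in the call are taken from the headers on this page; any other names are assumptions for the example.

```python
import re

# Constructed sample: the header chain quoted above, refolded into
# RFC 5322 continuation lines (the recipient side is already anonymised
# on the page as "spamvictim" / "mail.victim.example").
SAMPLE_HEADERS = """\
Received: from [207.193.173.85] (helo=lsf-exchange.lonestarfasteners.com)
\tby mail.victim.example with esmtp (Exim 4.41)
\tid 1CJYqW-0006ho-1H
\tfor spamvictim; Mon, 18 Oct 2004 10:50:48 -0400
Received: from abelson ([61.173.50.17] unverified) by lsf-exchange.lonestarfasteners.com with Microsoft SMTPSVC(5.0.2195.6713);
\tMon, 18 Oct 2004 09:50:05 -0500
From: "Christopher Khosrowjah"<scoldedhung[at]netzero.net>
To: spamvictim
Subject: FIND THE MED1lCAT|0N YOU ARE l0OK|NG F0R QUICKI||1Y!
Date: 18 Oct 2004 09:50:07 -0500
"""

# "Received: from <helo> (<comment>) by <server> ..." - the comment is optional
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<paren>[^)]*)\))?"
    r"\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Parse every Received header into a dict; returned in chronological
    order, so hops[0] is where the message first entered the chain."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        paren = m.group("paren") or ""
        helo = m.group("helo").strip("[]")
        helo_in_comment = re.search(r"helo=(\S+)", paren)  # Exim style
        if helo_in_comment:
            helo = helo_in_comment.group(1)
        ip = IPV4_RE.search(m.group("helo") + " " + paren)
        hops.append({
            "helo": helo,
            "ip": ip.group(0) if ip else None,
            "by": m.group("by").rstrip(";"),
            # Microsoft SMTPSVC writes "unverified" when it did not confirm
            # the HELO name the client presented
            "unverified": "unverified" in paren.lower(),
        })
    hops.reverse()
    return hops


def injection_hop(hops, our_server, trusted_prefixes=()):
    """First hop where our own server accepted the message from an address
    outside the trusted prefixes: for an abused relay that is the spammer's
    client, here a random Internet host rather than an internal mailbox."""
    for hop in hops:
        if hop["by"].lower() != our_server.lower():
            continue
        ip = hop["ip"] or ""
        if not any(ip.startswith(p) for p in trusted_prefixes):
            return hop
    return None


def report(raw, our_server, trusted_prefixes=()):
    hops = received_hops(raw)
    lines = ["%d hop(s):" % len(hops)]
    for i, h in enumerate(hops):
        flag = " (HELO unverified)" if h["unverified"] else ""
        lines.append("  %d. %s [%s] -> %s%s" % (i + 1, h["helo"], h["ip"], h["by"], flag))
    bad = injection_hop(hops, our_server, trusted_prefixes)
    if bad:
        lines.append("%s accepted this message from untrusted %s; check relay/AUTH settings"
                     % (our_server, bad["ip"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Trusted prefix assumed to be the server's own /24; adjust to your LAN.
    print(report(SAMPLE_HEADERS, "lsf-exchange.lonestarfasteners.com", ("207.193.173.",)))
```

Run against a handful of bounced or reported messages, the report makes the pattern obvious: every one of them was accepted by the Exchange box from a different, untrusted Internet address, which is what distinguishes an authenticated-relay abuse from a compromised internal workstation.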

A null administrator password is anything but strong. I would suggest changing it right away.

If you don't require remote users to be able to relay mail through your server, you should turn off the option that allows authenticated users not in the list of authorised IP addresses to relay. This will stop spammers having any chance of using a similar exploit in the future.


I thought I'd covered them. Can you tell what I missed?


Does "enabled strong passwords" actually equate to "am using strong passwords" ..???? There's an ocean of difference there. More often than not, the usual "final" solution for the use of an Exchange server on the Internet is to place a *NIX box in between ... let the *NIX box handle the flow of stuff to/from the net (to include firewalling both sides of that connection), leaving the Exchange box to do what it was (allegedly) designed to do .. handle the internal distribution of e-mail. This is not a *NIX rant here, just repeating many other stories of actual solutions.


I thought I'd covered them. Can you tell what I missed?

First, set an administrator password. This is the local administrator account I'm talking about, not the domain account. Do it now. Run to the machine and do it. Come back and read the rest of the reply once the machine has a password set.

How to disable SMTP AUTH from one of the links in the FAQ:

To disable authentication on these servers:

1. Start ESM, and go to Organization, Administrative Groups, Organizational Unit, Servers, ServerName, Protocols, SMTP, and right-click the Default SMTP Virtual Server.
2. Select Properties, open the Access tab, and click Authentication.
3. Leave Anonymous access enabled, but clear the Basic authentication and Integrated Windows Authentication checkboxes. Clearing these checkboxes essentially disables the Auth command on the SMTP server.
4. Enable relaying for other internal Exchange Servers. If you have other internal Exchange Servers, make sure to enable relaying for these servers: on the Access tab, click Relay, select Only the List Below, and explicitly list the internal mail servers that are allowed to relay to this mail server. This action ensures that the internal mail servers can send mail to this server.
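After clearing the authentication checkboxes, the way to confirm the change took effect is to look at what your own server advertises in its EHLO reply: a server that still lists AUTH mechanisms still accepts the AUTH command. This is an added example, not part of the thread or of the FAQ article it quotes. The two EHLO replies are constructed samples modelled on an IIS 5.0 SMTP service before and after the change, not captures from the server discussed here; `parse_ehlo` works on any saved EHLO transcript, and `check_live` does the same against a host you administer using only the standard `smtplib` module.

```python
import smtplib

# Constructed sample: EHLO reply from a server that still advertises AUTH.
EHLO_BEFORE = """\
250-lsf-exchange.example.com Hello [203.0.113.5]
250-SIZE
250-PIPELINING
250-DSN
250-8bitmime
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK
"""

# Constructed sample: the same server after Basic and Integrated Windows
# authentication were cleared on the SMTP virtual server.
EHLO_AFTER = """\
250-lsf-exchange.example.com Hello [203.0.113.5]
250-SIZE
250-PIPELINING
250-DSN
250-8bitmime
250 OK
"""


def parse_ehlo(reply):
    """Return {EXTENSION: [parameters]} for each line of an EHLO reply.
    Both 'AUTH GSSAPI NTLM LOGIN' and the older 'AUTH=LOGIN' spelling are
    folded into the same AUTH entry."""
    features = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:            # first line is the greeting, not a feature
        if not line.startswith("250"):
            continue
        body = line[4:].strip()       # drop "250-" or "250 "
        if not body:
            continue
        if "=" in body.split()[0]:
            keyword, _, params = body.partition("=")
        else:
            keyword, _, params = body.partition(" ")
        features.setdefault(keyword.upper(), []).extend(params.split())
    return features


def auth_mechanisms(reply):
    """Sorted list of AUTH mechanisms the reply advertises (empty if none)."""
    return sorted({m.upper() for m in parse_ehlo(reply).get("AUTH", [])})


def auth_is_disabled(reply):
    return not auth_mechanisms(reply)


def check_live(host, port=25, timeout=10):
    """Connect to your own server and return the AUTH mechanisms it still
    advertises. smtplib parses the EHLO reply into esmtp_features with
    lowercase keys; the 'AUTH=LOGIN' form shows up there as '=LOGIN'."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        raw = smtp.esmtp_features.get("auth", "")
        return sorted({m.lstrip("=").upper() for m in raw.split()})


if __name__ == "__main__":
    for label, reply in (("before", EHLO_BEFORE), ("after", EHLO_AFTER)):
        mechs = auth_mechanisms(reply)
        print("%s: AUTH %s" % (label, " ".join(mechs) if mechs else "not advertised"))
    # Live check against a host you administer (hostname is an assumption):
    # print(check_live("lsf-exchange.lonestarfasteners.com"))
```

If you decide to keep AUTH on for remote users, the same check tells you which mechanisms remain exposed, so that the only accounts that can use them are the ones whose passwords you have actually verified are strong.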

First, set an administrator password. This is the local administrator account I'm talking about, not the domain account. Do it now. Run to the machine and do it. Come back and read the rest of the reply once the machine has a password set.

How to disable SMTP AUTH from one of the links in the FAQ:


HOLY #$%* ! I can't believe I missed that! I'm embarrassed. I've got a VP with a Handspring device; will disabling SMTP AUTH cut off his email?


HOLY #$%* ! I can't believe I missed that! I'm embarrassed. I've got a VP with a Handspring device; will disabling SMTP AUTH cut off his email?

Even the best make mistakes sometimes. Glad to see you have it plugged now. You should (hopefully) drop off the list in 48 hours as I couldn't find any other weak accounts on your box.

If the VP connects to your own network, you don't need SMTP AUTH. If he connects to another ISP/service, then you probably need to leave it enabled. Just make sure that when you install any additional software, it doesn't create any accounts with weak passwords, and you should be OK.


HOLY #$%* ! I can't believe I missed that! I'm embarrassed.

Not wishing to upset you, but damn .. thanks for that feedback! Imagining the look that went along with that statement has caused the first really good laugh here in weeks. I feel for your pain and am sorry for the learning curve you had to go through, but again ... Thanks! <g>


Even the best make mistakes sometimes. Glad to see you have it plugged now. You should (hopefully) drop off the list in 48 hours as I couldn't find any other weak accounts on your box.

If the VP connects to your own network, you don't need SMTP AUTH. If he connects to another ISP/service, then you probably need to leave it enabled. Just make sure that when you install any additional software, it doesn't create any accounts with weak passwords, and you should be OK.


Thank you for your knowledge and assistance! I appreciate your working with me.


2 weeks later...

At present, http://www.spamcop.net/w3m?action=checkblo...=207.193.173.85 reports "207.193.173.85 not listed in bl.spamcop.net". HOWEVER:

Your mailserver appears to be running Microsoft Exchange Server 5.0 - according to MAPS:

Microsoft Exchange Server

    Status:  Commercial (Microsoft Corp.)

    Systems: Win/NT

    Info:    http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.)

In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine [which was formerly here]. If you're running an older version, it's time to upgrade.

Microsoft has an article on their TechNet site that discusses securing Exchange 2000 and 5.5.

It is also possible that your exchange server may be abused by spammers using the SMTP/AUTH exploit:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

http://www.slipstick.com/exs/relay.htm

http://www.msexchange.org/tutorials/Preven..._Server_55.html
