TomMynar

Servers incorrectly identified as spam source


Wazoo: The http(s)://domain/Exchange format is typical for Outlook Web Access (OWA), the "webmail" included with Exchange 2003 (and maybe 2000). I know it was dropped from the 2008 version, causing most people I know not to upgrade. Most people I know would not be advertising that link on a public web page, however. At my current company, we use a separate domain just for OWA access.

Thanks for that information. As seen, I've not come across this before, so blame my responses on the paranoia involved when administrating a server (not Windows-based, obviously <g>) Although noting, I'm still not sure of the telnet bit of the conversation brought up by the Topic starter .. what has that got to do with 99% of users logging into what you have identified as OWA?


The comment on the telnet was that "I am announcing my Exchange server". Well, if you telnet to port 25 on mail.blahblah.com, does the Exchange server not say (in not so many words): "Hi, I'm Exchange, what do you want today" to the EHLO command ?

So WHO cares if some searching BOT looks for Exchange Servers and attempts to find unpatched machines. ARE THEY NOT DOING THAT ANYWAYS ?

In regards to the comment of a security issue logging into the Exchange Server to get email. Ah hem, HOW exactly do you retrieve email from a SERVER that is NOT the EMAIL SERVER ? I guess this is a LINUX thing. I know that M/S changed things in Exchange/Windows Server 2008 that you have roles defined by different servers. Such that the server for communicating to phones and OWA and things like that can be separate from the server doing the actual storage of data. However, that requires investment in additional servers (hardware) for handling 11 mailboxes. Not exactly cost effective.

Of course now that I've gotten ourselves removed from all the blacklists, our email addresses are now out there and the amount of spam attributed to us is multiplied. Several users (ex-infected machines) are now receiving "cannot be delivered" spoofed mails (I can see that some of the replies back contain the original email header with an IP address unknown to me).

Man, 1 little problem...

Thanks

Tom

Sorry to hear about your family illnesses. Try and take it easy.


The comment on the telnet was that "I am announcing my Exchange server". Well, if you telnet to port 25 on mail.blahblah.com, does the Exchange server not say (in not so many words): "Hi, I'm Exchange, what do you want today" to the EHLO command ?

Not on my systems it doesn't. Of course we also do not let direct connections from the internet touch our Exchange box.

Let me amend, as I was wrong... I thought there was a way to do this in Exchange as I thought I had at my last place of business, but we may have used the firewall to proxy the SMTP connections. Looking closer into it, I do not see an option (unless it is a registry hack of some sort) and the current place of employment returns: 220 CENTMAIL.carroll-ent.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 1 May 2008 16:27:33 -0400. As I said however, we do not allow direct SMTP access from the internet.


The comment on the telnet was that "I am announcing my Exchange server". Well, if you telnet to port 25 on mail.blahblah.com, does the Exchange server not say (in not so many words): "Hi, I'm Exchange, what do you want today" to the EHLO command ?

My Exchange 2003 Server says:

220 mail.mydomain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Thu, 1 May 2008 15:35:04 -0500

on a telnet connection to port 25.

Pretty much any mail server should announce something similar upon connection to the mail port. The important part is the 220, as it tells the sending mail server "Hey, I'm ready to do some stuff".

Then of course that would be followed by the typical mail sequence:

HELO OR EHLO

RCPT

DATA

QUIT

Exchange as your direct internet facing MTA is fine as long as you are using a reasonably current version. By default, 2003 has no major exploitable issues. 2000 had some with default configuration, like relaying, that had to be turned off. Anything older than 2000 I would not suggest putting on the internet, as 5.5 and earlier did have some major issues that require downloading hotfixes from Microsoft to correct. Those older versions are, of course, also unsupported now.

In regards to the comment of a security issue logging into the Exchange Server to get email. Ah hem, HOW exactly do you retrieve email from a SERVER that is NOT the EMAIL SERVER ? I guess this is a LINUX thing. I know that M/S changed things in Exchange/Windows Server 2008 that you have roles defined by different servers. Such that the server for communicating to phones and OWA and things like that can be separate from the server doing the actual storage of data. However, that requires investment in additional servers (hardware) for handling 11 mailboxes. Not exactly cost effective.

Actually, Exchange operates quite nicely in a front-end/back-end multi-server configuration. However, this is more for load balancing for huge organizations than for security, though supposedly it does tighten it down somewhat. As you point out, this would not be a very economical way for an organization with 11 mailboxes to operate. Currently I have a single server doing double duty as web server and exchange server with 40 mailboxes, and still have a LOT of capacity left over for growth.

Edited by Telarin

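The greeting-and-command sequence Telarin walks through above, as an added example that is not part of any post in this thread: a tiny fake ESMTP server that greets with an Exchange-style 220 banner (the host name, version string and timestamp are made up, modelled on the banners quoted in the thread) and a client that runs the EHLO / MAIL FROM / RCPT TO / DATA / QUIT dialogue against it. The client also pulls product and version out of the banner, which is exactly what a scanning bot does with it, and the server's RCPT handling shows the anti-relay check the post mentions: recipients outside the local domain get a 550. All names and addresses are assumptions; it runs entirely on loopback.

```python
import re
import socket
import threading

# Constructed greeting modelled on the 220 lines quoted in the thread. The host
# name, version string and timestamp are assumptions, not a real server's output.
BANNER = ("220 mail.example.com Microsoft ESMTP MAIL Service, "
          "Version: 6.0.3790.3959 ready at Thu, 1 May 2008 15:35:04 -0500")
LOCAL_DOMAIN = "example.com"  # the only domain the fake server accepts mail for

# "220 <host> <product>, Version: <version> ..." -- the fields a scanning bot keys on
BANNER_RE = re.compile(r"^220 (\S+) (.*?),? Version: ([\d.]+)")


def fingerprint_banner(line):
    """Pull host, product and version out of a 220 greeting; None if it carries no version."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    return {"host": m.group(1), "product": m.group(2), "version": m.group(3)}


def _serve_one(conn):
    """Speak just enough ESMTP for the sequence in the post: greeting, EHLO, MAIL, RCPT, DATA, QUIT."""
    rfile = conn.makefile("rb")

    def reply(text):
        conn.sendall((text + "\r\n").encode())

    reply(BANNER)  # the greeting goes out before the client says anything
    in_data = False
    while True:
        raw = rfile.readline()
        if not raw:  # client went away
            break
        line = raw.decode(errors="replace").rstrip("\r\n")
        if in_data:  # inside DATA: swallow body lines until the lone "."
            if line == ".":
                in_data = False
                reply("250 2.6.0 Queued mail for delivery")
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            reply("250-mail.example.com Hello")  # "250-" means more reply lines follow
            reply("250 SIZE 10240000")
        elif verb == "MAIL":
            reply("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            # The anti-relay check: accept only recipients in our own domain.
            if line.lower().rstrip(">").endswith("@" + LOCAL_DOMAIN):
                reply("250 2.1.5 Recipient OK")
            else:
                reply("550 5.7.1 Unable to relay")
        elif verb == "DATA":
            in_data = True
            reply("354 Start mail input; end with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            reply("221 2.0.0 Service closing transmission channel")
            break
        else:
            reply("500 5.5.1 Command unrecognized")
    rfile.close()
    conn.close()


def start_fake_server():
    """Listen on an ephemeral loopback port, serving connections one at a time; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            _serve_one(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def smtp_session(host, port, mail_from, rcpt_to, body):
    """Client side of the same dialogue; returns the server's answer to each step."""
    out = {}
    with socket.create_connection((host, port), timeout=5) as s:
        rfile = s.makefile("rb")

        def read_reply():
            lines = []
            while True:
                line = rfile.readline().decode(errors="replace").rstrip("\r\n")
                lines.append(line)
                if len(line) < 4 or line[3] != "-":  # "NNN " (not "NNN-") ends the reply
                    return lines

        def send(cmd):
            s.sendall((cmd + "\r\n").encode())
            return read_reply()

        out["banner"] = read_reply()[0]  # server speaks first
        out["fingerprint"] = fingerprint_banner(out["banner"])
        out["ehlo"] = send("EHLO client.example.net")
        out["mail"] = send(f"MAIL FROM:<{mail_from}>")[0]
        out["rcpt"] = send(f"RCPT TO:<{rcpt_to}>")[0]
        if out["rcpt"].startswith("250"):
            send("DATA")
            out["data"] = send(body + "\r\n.")[0]  # body lines, then the terminating "."
        out["quit"] = send("QUIT")[0]
        rfile.close()
    return out
```

Run `port = start_fake_server()` and then `smtp_session("127.0.0.1", port, "alice@example.net", "bob@example.com", "Subject: hi\r\n\r\nhello")` to see the full exchange; the same call with a recipient outside example.com stops at the 550 and never sends DATA. The banner fingerprint is the point of the "announcing my Exchange server" remark: nothing in the dialogue needs the product name or build number, so a proxying firewall or a rewritten greeting removes that hint without affecting delivery.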

My Exchange 2003 Server says:

220 mail.mydomain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Thu, 1 May 2008 15:35:04 -0500

on a telnet connection to port 25.

Pretty much any mail server should announce something similar upon connection to the mail port. The important part is the 220, as it tells the sending mail server "Hey, I'm ready to do some stuff".

Then of course that would be followed by the typical mail sequence:

HELO OR EHLO

RCPT

DATA

QUIT

TomMynar's says:

220 xxxx.xxx Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 1 May 2008 14:14:46 -0700

Much the same

The comment on the telnet was that "I am announcing my Exchange server". Well, if you telnet to port 25 on mail.blahblah.com, does the Exchange server not say (in not so many words): "Hi, I'm Exchange, what do you want today" to the EHLO command ?

In regards to the comment of a security issue logging into the Exchange Server to get email. Ah hem, HOW exactly to you retrieve email from a SERVER that is NOT the EMAIL SERVER ? I guess this is a LINUX thing.

Perhaps context is the thing here. My initial read of data discovered said nothing about folks logging in to get their e-mail. What I recall was something like "Members log in here" that included the "Exchange" bit in the URL. Visions of some multi-level-marketing thing going on, with 'Members' logging in to check their stats, etc. is what crossed my mind .. thus the 'why have these folks logging directly onto the Exchange server to play those types of games?' question.

Although not a Linux thing, that is more of what I'm familiar with since my days of working with mini/main-frames. And I suppose, other than my personal stuff here at the house, I haven't dealt with 'small networks/systems' in a long while. More from an Administrator's perception, the rules and configurations between a web server and an e-mail server are quite different, so the networks I do and have supported separate those servers. This Forum server is an exception, but ... the e-mail side of things is very small for the applications I have running here. (and yes, Linux based)

Of course now that I've gotten ourselves removed from all the blacklists, our email addresses are now out there and the amount of spam attributed to us is multiplied. Several users (ex-infected machines) are now receiving "cannot be delivered" spoofed mails (I can see that some of the replies back contain the original email header with an IP address unknown to me).

In general, that situation would be addressed in the various 'Misdirected Bounces' type FAQ/Wiki entries, to include the 'Why am I receiving all these Bounces' entry ..... Note also some Botnet items posted over in the Lounge. When you're talking about the capability of sending millions upon millions of spam e-mails a day, the means of creating the forged addresses (both the Sending and Recipient) involved is yet another set of tools that continues to be 'improved' ....

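The check TomMynar describes, looking at the original headers inside a "cannot be delivered" reply for an IP address that is not yours, as an added example that is not part of any post in this thread: it pulls the attached original message out of a multipart/report bounce, reads the IP literals from its Received: chain, and calls the bounce backscatter when none of them fall in your own sending range. The bounce text, the addresses and the 203.0.113.0/24 "our MTA" range are all constructed for the example (documentation ranges), not real traffic.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: the address range your own MTA sends from (TEST-NET-3 here).
OUR_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Bracketed literal in a Received: clause, e.g. "from host.example ([192.0.2.45]) by ..."
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed bounce (multipart/report with the original message attached); not a real DSN.
BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: user@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

This is the mail system at host mx.recipient.example. Your message could not be delivered.

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example
Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--B
Content-Type: message/rfc822

Received: from mx.recipient.example ([198.51.100.7]) by inbound.recipient.example; Thu, 1 May 2008 14:00:00 -0700
Received: from dsl-pool.isp.example ([192.0.2.45]) by mx.recipient.example; Thu, 1 May 2008 13:59:58 -0700
From: user@example.com
To: nobody@recipient.example
Subject: Cheap meds

buy now
--B--
"""


def embedded_original(bounce_text):
    """Return the original message a DSN carries, or None. Handles message/rfc822 and text/rfc822-headers parts."""
    for part in message_from_string(bounce_text).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]  # payload of a message/rfc822 part is a one-element list
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None


def received_ips(msg):
    """IPs from the Received: chain, newest hop first; the last entry is the host that first injected the mail."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for lit in RECEIVED_IP_RE.findall(hdr):
            try:
                ips.append(str(ipaddress.ip_address(lit)))
            except ValueError:  # something bracketed that is not an address
                pass
    return ips


def classify_bounce(bounce_text, our_nets=OUR_NETS):
    """'ours' if one of our MTAs appears in the original's Received: chain, 'backscatter' if none does."""
    orig = embedded_original(bounce_text)
    if orig is None:
        return {"verdict": "unknown", "ips": []}
    ips = received_ips(orig)
    ours = any(ipaddress.ip_address(ip) in net for ip in ips for net in our_nets)
    return {"verdict": "ours" if ours else "backscatter", "ips": ips}
```

`classify_bounce(BOUNCE)` reports the two hops 198.51.100.7 and 192.0.2.45 and the verdict backscatter: the forged mail went from a dial-up pool straight to the recipient's MX and never touched the sending range. The caveat is that a spammer can forge Received: lines as easily as the From: address, so only the lines added by hosts you trust (the recipient's own MX, at the top of the chain) are reliable; a forged line naming one of your addresses would make this heuristic say "ours". It is a first-pass filter for sorting a flood of bounces, not proof.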