1. I can't seem to find out where in the Internet Mail Service you can disable SMTP AUTH. All the articles I have read refer to going into the protocol section and disabling certain things under the SMTP protocol. However, that is handled in Internet Mail Service. Anyone know how to do this? I have read through the articles but they don't seem to say anything other than clicking a few things to close down relays. EDIT: I enabled some logging and went through the logs and noticed the info account was authenticating SMTP, which should never happen. That looks like the culprit in the matter. The password has been changed and I guess it's just a "time will tell" by watching the queues/logs and usage reports on whether or not that resolved the issue.
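As an added example (not from this thread, and not Exchange's own tooling), a small Python script that does what the poster did by hand: walk SMTP protocol log lines, tie each session's MAIL FROM / RCPT TO commands to the account that authenticated it, and surface accounts that relay to unusually many recipients or authenticate from several source IPs. The log layout and every sample line are constructed; real Exchange 5.5 IMS logs would need their own line parser.

```python
import re
from collections import defaultdict
# Constructed sample lines in an assumed layout (not real IMS output):
# "<date> <time> <client-ip> <session-id> <SMTP command or event>"
SAMPLE_LOG = """\
2004-03-12 02:14:07 203.0.113.45 s01 AUTH LOGIN user=info result=OK
2004-03-12 02:14:08 203.0.113.45 s01 MAIL FROM:<info@example.com>
2004-03-12 02:14:08 203.0.113.45 s01 RCPT TO:<a1@example.net>
2004-03-12 02:14:08 203.0.113.45 s01 RCPT TO:<a2@example.net>
2004-03-12 02:20:31 198.51.100.9 s02 AUTH LOGIN user=info result=OK
2004-03-12 02:20:32 198.51.100.9 s02 MAIL FROM:<info@example.com>
2004-03-12 02:20:32 198.51.100.9 s02 RCPT TO:<b1@example.org>
2004-03-12 09:02:11 192.0.2.77 s03 AUTH LOGIN user=jsmith result=OK
2004-03-12 09:02:12 192.0.2.77 s03 MAIL FROM:<jsmith@example.com>
2004-03-12 09:02:12 192.0.2.77 s03 RCPT TO:<c1@example.net>
2004-03-12 09:05:40 192.0.2.77 s04 MAIL FROM:<partner@example.org>
2004-03-12 09:05:40 192.0.2.77 s04 RCPT TO:<jsmith@example.com>
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
AUTH_OK = re.compile(r"AUTH \S+ user=(\S+) result=OK")

def summarize_auth_sessions(log_text):
    """Attribute MAIL FROM / RCPT TO commands to the account that authenticated the session."""
    session_user = {}  # session-id -> account, set when AUTH succeeds
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _date, _time, ip, sid, event = m.groups()
        auth = AUTH_OK.search(event)
        if auth:
            session_user[sid] = auth.group(1)
            stats[auth.group(1)]["ips"].add(ip)
            continue
        user = session_user.get(sid)
        if user is None:
            continue  # never authenticated: ordinary inbound mail, not AUTH relay
        if event.startswith("MAIL FROM:"):
            stats[user]["messages"] += 1
        elif event.startswith("RCPT TO:"):
            stats[user]["recipients"] += 1
    return {u: {"messages": s["messages"], "recipients": s["recipients"],
                "ips": sorted(s["ips"])} for u, s in stats.items()}

def suspicious_accounts(log_text, max_recipients=2, max_ips=1):
    """Accounts that relayed to more recipients, or from more source IPs, than expected."""
    return sorted(u for u, s in summarize_auth_sessions(log_text).items()
                  if s["recipients"] > max_recipients or len(s["ips"]) > max_ips)
```

On the constructed sample, `info` is flagged because it authenticated from two different addresses within minutes and relayed to more recipients than the threshold, while `jsmith` looks like normal use; the thresholds are starting points to tune against a site's own baseline.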
2. Yeah, all of those are located on a server outside of the one in question regarding the spam issues (except for acg-us.com); while still a noted problem, I am working on the issues at hand with that server. Those are all on a Linux machine that is obviously allowing directory browsing. I made some modifications to that this morning; if you could rerun your testing to verify on your part whether they seem resolved. If not, then I will need to readdress the issue and see why they're allowing something they're set up not to do. I think a lot of those problems were brought up in a new install of Apache a while back. However, the specific servers associated with the spam problems are the machine that sits in front of the Exchange server and the Exchange server itself. Thanks, Michael
3. I went through a few guides on how to disable SMTP AUTH in Exchange 5.5 and they all referred me to a protocol in a section that did not have what they were referring to. However, by disabling all rerouting of SMTP, would this in turn resolve the issue at hand? EDIT: Well, that definitely doesn't work; disabling the rerouting section now prevents all mail incoming from outside sources.
4. There should not be 10 sites being hosted on this server; the only actual site is the acg-us.com web access. However, you may be referring to other sites hosted on other servers in the office. They would be running Apache. If that is the case I will need to adjust the settings in that. Which domains are you referring to?
5. I just misread what you said. I see what you're saying now. Sorry for the misunderstanding. I read "remote users and access", overlooking the fact of them needing to send outbound via us (SMTP). As it is right now the POP3 users are generally not using our SMTP server to send mail out; they're using their ISP's outbound SMTP. I will look into where SMTP AUTH is being enabled and start from there.
6. Thanks for more info. I also got an email back from the SpamCop people with an evidence email; I'm trying to figure out which user it is originating from now.
7. The box is online and I have turned logging on to maximum. Let me know what you find out and I will check logging as well to see if I can iron out which users are being manipulated.
8. There are various different servers being run on those domains. Some controlled by myself, some by others. If you could be more specific under which domains/servers you located a problem I could look into what you found further. The specific server in question is (the actual mail server) the IP that gets logged is which is a Linux machine sitting in between the mail server and the Internet. I'm not sure which servers/server you noticed the problem with; it could be that the issue you noticed is with a specific server which could be totally unrelated to the issue at hand but still a problem. Maybe you could PM me or post here the specifics. Any reason I would have anything like that would be for internal testing purposes to verify if the internal machines are vulnerable to said exploits. I have another admin handle any Linux testing like that. They look quite old so it's possible they were from past issues. Were these from a website or something a user is hosting, or were you able to get into the system somehow via an insecure FTP maybe? It sounds like there is another server other than the one being discussed that has serious issues. If you could give more information on what you found I can then assess that more carefully. Thanks for the input in general.
9. Well, doing the basic testing it appears not to relay; then doing various other testing it appears that it could. I have done everything I can read up on via the articles and they're pretty basic things: click this, click that, should be fixed, do this and it is or isn't. Then you do it and it appears fine by Microsoft, then further testing from various open relay testers gives all sorts of mixed results. The only blacklist that seemed to include me was SpamCop; I looked it up and it says it's possible that autoresponders (assuming the virus detection/out-of-office replies) were causing it. I disabled those and the problem seemed to go away; then lately a few users had reported not being able to send mail to certain people. In the past the kickback was bl.spamcop.net etc. However, lately it's been "user unknown" even when it's a legit user. Come to find out that's how a lot of email servers are kicking the error back. So now that it seems to be more of an issue and work-stopping related, I did more research on it. If it is in fact the SMTP AUTH hack, and there are passwords being manipulated, is there any way to actually find out what user is being used?
10. I took it offline just a few minutes ago to reboot the server. I applied an Exchange 5.5 patch. It will be back online shortly. I have about 5-6 users in the field that require POP3 remote access. I have disabled guest and looked through the user accounts and did not notice any others outstanding that needed to be disabled. Is there a way to identify, log-wise, which accounts might be being used to transmit mail, if that is in fact the problem? After looking through some of the logs it does seem that mail is getting spammed through the queues. I'm not sure where/who it is originating from. There are 50-60+ users on the domain so changing every email account password is a quite lengthy process. It would be easier and more efficient if there was a way I could identify the user. I have read through the FAQs and Microsoft articles and have done what they suggested but it doesn't seem to fix the problem. I will let you know when the server is back online so that you can possibly assist further.
11. Listed in bl.spamcop.net (Causes of listing: System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop); SpamCop users have reported system as a source of spam less than 10 times in the past week. Additional potential problems (these factors do not directly result in SpamCop listing). Listing History: In the past 250.1 days, it has been listed 11 times for a total of 38.0 days.) I have been having on-again, off-again problems with being tossed in this blacklist. I have been trying to verify any open relay issues I might have and following through FAQs and procedures to secure the mail server. From basic testing it appears to not be relaying. I am trying to nail down what exactly my system is sending that causes the spam traps to go off; I checked the increase in usage in the report and it seems today alone has gone up. What exactly can I do to verify that the relay is closed and find out exactly what is causing me to be on this blacklist? Any help is appreciated, as this is starting to be a pain. Upon some further testing it appears the server may be accepting relays. I'm getting mixed responses on testing. I followed the Exchange 5.5 guides to closing the relay. Does anyone have any further info that might help?
