[Dshield] Spammer

Al Reust areust at comcast.net
Fri Oct 31 04:10:38 GMT 2003


Hello Kenneth

it has been a while, but a phone call to Support (over a year ago) 
yielded that even with Exchange 5.5 there are portions that do not always work 
as advertised. This has been somewhat sanitized, but it came from the 
people that know. This was preventing a relay situation while supporting a 
child domain relay. The key was "smarthost" as I recall and the IPs with 
the 255.255.255.255 subnet mask, which requires that it be a "specific" host and 
not just part of the class C etc.

<QUOTE>
Hello Al and Bxxxx,
Thanks for choosing Microsoft Product Support Services. Here is a summary 
of the troubleshooting steps we took to resolve the mail flow issues you 
were experiencing this afternoon while trying to set up a relay domain:
1) An Exchange 5.5 server in Org 1 accepts mail for both and delivers using 
DNS. The SMTP bridgehead in Org 2 (separate domain, no trust) specifies the 
other Exchange server as a smarthost. I suggested that we make the 
following changes to the IMS in each org:
Org 1 IMS:
* Specify the other Exchange server's IP address as the smarthost
* Configure routing restrictions as normal; specify that hosts and clients 
that successfully authenticate and with these IP addresses (none specified) 
are allowed to relay
Org 2 IMS:
* Use DNS for message delivery
* Accept otherdomain.com as inbound and the other org (child domain) as a relay
* On routing restrictions, again specify hosts and clients that 
authenticate but also specify the SMTP gateway in the other org by IP 
address with a subnet mask of 255.255.255.255.
The following KB article describes a slightly different configuration:
Q259531 - XFOR: How to Configure SMTP Relay for Domains and Subdomains
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q259531
I will follow up with you, Barbara, tomorrow to ensure that we have 
successfully resolved the issue. In the meantime, if you have further 
questions, please do not hesitate to contact me.
Regards,
Adam
<End Quote>

Al
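As an added illustration (not from the thread, and not Microsoft's code) of the routing-restriction rules the support note describes, here is a small Python model of the relay decision: a host list of address/mask entries plus the "clients that successfully authenticate may relay" option. The addresses are constructed; the point it shows is that a 255.255.255.255 mask matches only the listed gateway while a 255.255.255.0 mask would admit the whole class C, and that an empty list still leaves the authenticated path open if that option stays on.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RelayEntry:
    """One 'allowed to relay' entry: an IP address plus a dotted subnet mask."""
    address: str
    mask: str

    def network(self) -> ipaddress.IPv4Network:
        # strict=False masks off any host bits, as a router would.
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


@dataclass
class RelayPolicy:
    """Model of the routing-restriction tab: an explicit host list plus the
    'clients that successfully authenticate may relay' checkbox."""
    allowed: list = field(default_factory=list)
    allow_authenticated: bool = True


def may_relay(policy: RelayPolicy, client_ip: str, authenticated: bool) -> bool:
    """True if this client may relay mail to a non-local domain."""
    if authenticated and policy.allow_authenticated:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in entry.network() for entry in policy.allowed)


# Constructed sample addresses (not from the thread): the other org's SMTP
# gateway at 192.0.2.10, an unrelated neighbour on the same /24 at 192.0.2.77.
GATEWAY = "192.0.2.10"
NEIGHBOUR = "192.0.2.77"
SPAMMER = "61.11.5.5"   # constructed address inside the 61.11.0.0/16 range


def decisions() -> dict:
    host_only = RelayPolicy([RelayEntry(GATEWAY, "255.255.255.255")])
    whole_class_c = RelayPolicy([RelayEntry(GATEWAY, "255.255.255.0")])
    empty_list = RelayPolicy([])
    return {
        "gateway_host_only": may_relay(host_only, GATEWAY, False),        # True
        "neighbour_host_only": may_relay(host_only, NEIGHBOUR, False),    # False
        "neighbour_class_c": may_relay(whole_class_c, NEIGHBOUR, False),  # True
        "spammer_empty_list": may_relay(empty_list, SPAMMER, False),      # False
        "spammer_authenticated": may_relay(empty_list, SPAMMER, True),    # True
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:24s} relay {'allowed' if allowed else 'refused'}")
```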



At 09:18 AM 10/31/2003 +0800, you wrote:

>Hi !! Johannes
>      I have gone to the SMTP virtual server properties, Access tab,
>Relay button and selected the "only the list below" radio button and left the box
>blank. Yet the spammer can get into the Exchange server. I would appreciate
>it if you can suggest how to totally stop all relay.
>
>Thanks & Regards
>Kenneth Soong
>
>Johannes Ullrich <jullrich at euclidian.com>
>Sent by: list-bounces at dshield.org
>29-10-03 08:56 PM
>To: General DShield Discussion List <list at dshield.org>
>cc:
>Subject: Re: [Dshield] Spammer
>Please respond to General DShield Discussion List
>
>The IP is owned by 'Dishnet', which is a US satellite ISP for consumers.
>I would assume that they got their fair share of hacked consumer boxes.
>
>BTW: You say they are using your Exchange server to relay. I hope you
>locked it down so it's not an open relay ;-)
>
>
>On Wed, 2003-10-29 at 07:19, KennethSoong at tagtechnology.com.sg wrote:
> > Hi!!
> >      I seem to notice a particular spammer from the IP range 61.11.0.0/16 using
> > our MS Exchange 2000 Server to relay their emails. Can anyone tell me who
> > these people are. I tried ping, tracert and even checking the whois database, but
> > each time it returns an error or no record.
> >
> > Kenneth Soong
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
>http://www.dshield.org/mailman/listinfo/list
>--
>--------------------------------------------------------------
>Johannes Ullrich                     jullrich at euclidian.com
>pgp key: http://johannes.homepc.org/PGPKEYS
>--------------------------------------------------------------
>    "We regret to inform you that we do not enable any of the
>     security functions within the routers that we install."
>          support at covad.net
>--------------------------------------------------------------