[Dshield] Spam 101 Question

Al Reust areust at comcast.net
Sun Aug 7 00:34:17 GMT 2005


If you need to send "Broadcast Mail" there are better ways... If this is 
Not an Active Gateway or Email Server turn it OFF!  Just unplug the network 
cable... Then start sorting problems...

You defined that you are using the IIS SMTP engine to do the job of a Mail 
Server...  This has been full of holes since the Option Pack under NT 4.0. 
It can be done but you have to pay particular attention to what it 
accepts and what it rejects...

Yes I know that many gateways for Exchange use an IIS SMTP engine... You 
have to be very careful that it knows that anything "Outbound" comes only 
from IP 123.456.789.012 with a netmask of That would say 
that IP ONLY! You can also say reject "Inbound" from and tell it 
a CIDR block of /8 this gets stored in the metabase... Thus the connections 
get rejected for IPs other than the approved specific IP.. So if you do 
not care about the World Inbound, Block connections from the World Inbound! 
Yes see the thread as to why Blocking IP thread... It was pointed out that 
each decision to BLOCK a whole Class A means you are losing money one way 
or the other...

So with the definitions you supplied... You are probably an open relay... 
No Microsoft does not supply a "handy guide" on how to lockdown the IIS 
SMTP... Many Gateways that you would install for SPAM Filters use it... 
They make changes that are hard to identify...

The Hints would be Technet, and Exchange Open Relay... It provides a 
handful of information...

Then use SANS checks for an Open Relay to test... You should also have a 
smarter telnet program that would make it easier to test for what you would 
expect for responses...

If you are just sending a Newsletter and have a valid email server to use 
then Consider BLAT... Google is your friend... It is scriptable and it can 
attach inline the message/attachments and more that you want to send... IF 
the script is correct you can use it to send logs and many other things... 
In the meantime turn off/stop IIS SMTP! The other thing would be only turn 
it on when you use it.. then turn it back off...

Sorry I do not have all my configuration notes handy... It can be done with 



At 10:35 AM 8/5/2005 -0400, you wrote:
>I have begun using a script cobbled together from samples I found on
>Microsoft's Web site to e-mail the library's newsletter to individual
>recipients using my local SMTP service (Windows Server 2003/IIS 6.0). I used
>the script twice in the last week and a half, sending around 300 messages
>each time. In the same period I have received about 900 returned mails,
>bounced spam with my originating e-mail address in the From: field. A random
>sample indicates the spam originated in Korea.
>How (why?) did this happen, and is it my fault? Can I do anything to stop
>I can provide headers, and the script, too, if that would help. If there is
>a more appropriate forum in which to address my questions, please feel free
>to refer me there.
>Jeffrey Pike
>Technology Services Librarian
>Groton Public Library
>Groton, MA 01450
>jpike at gpl.org
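
An added example, not part of the original thread or of any tool named in it: a scripted version of the telnet relay test the reply recommends, for checking your own SMTP service. It offers one envelope whose sender and recipient are both foreign to the server and classifies the RCPT reply, without ever sending DATA. The function names, the .invalid addresses and the loopback stand-in server are assumptions constructed so the example runs offline.

```python
import smtplib
import socketserver
import threading

def check_relay(host, port, mail_from, rcpt_to, timeout=10):
    """Offer one external-to-external envelope; stop at RCPT, never send DATA."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return ("sender-rejected", code)
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()                      # drop the envelope before QUIT
    if code in (250, 251):
        return ("relay-accepted", code)  # server agreed to forward foreign mail
    if 500 <= code < 600:
        return ("relay-denied", code)    # e.g. 550 5.7.1 Unable to relay
    return ("inconclusive", code)        # 4xx: temporary failure, retry later

class _FakeSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in server so the example runs offline."""
    def handle(self):
        self.wfile.write(b"220 test.invalid ESMTP\r\n")
        for line in self.rfile:
            verb = line[:4].upper()
            if verb == b"RCPT":
                self.wfile.write(self.server.rcpt_reply)
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 ok\r\n")

def start_fake(rcpt_reply):
    """Start the stand-in on a free loopback port; returns the server object."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeSMTP)
    srv.rcpt_reply = rcpt_reply
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for reply in (b"550 5.7.1 Unable to relay\r\n", b"250 2.1.5 ok\r\n"):
        srv = start_fake(reply)
        print(check_relay("127.0.0.1", srv.server_address[1],
                          "probe@sender.invalid", "probe@recipient.invalid"))
        srv.shutdown()
```

A "relay-accepted" result from an address outside the approved sending IP is the condition the reply describes as an open relay; "relay-denied" is what a locked-down service should return.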

