[Dshield] Exchange Open Relay

Lou Hablas Louis.Hablas at rzim.org
Thu Feb 23 02:26:30 GMT 2006


What version of Exchange, Arthur?

If it's anything less than Exchange 2003, you're probably so "owned"
that a complete rebuild may be necessary.  Also, what kind of shape is
your network in?  Do you have solid desktop AV and Spyware protection?
If "Yes" on the latter question, I'd focus on your Exchange box
immediately.

I inherited a network several years ago that was running Exchange 5.5
Unfortunately, my predecessor was not a "network guy" and this box was
in bad shape - I was able to verify that it was not acting as an open
relay and the server was not on any RBL's, but it was spewing SPAM
internally to the tune of thousands of emails per day and despite my
efforts to identify how/why, it continued.  Trend ScanMail did a job of
grabbing a lot of it, but a lot got through.  Eventually I was able to
purchase a new box and the transition from 5.5 to 2003 began...using
MSFT's documentation, it was actually a very easy migration.  Once
migrated, I put GFI's MailEssentials and MailSecurity in place and
watched total incoming SPAM drop to a paltry 16% of total incoming mail
and most of the SPAM is dropped once identified as such.  The difference
has been HUGE.

All of this said (and assuming you are running Exchange 5.5), I'd work
fast and furious on migrating to 2003...then I'd work on getting
delisted from the RBL's.

Good luck!!

Lou


Louis Hablas
IT Manager 
lou.hablas at rzim.org 
Main: (770) 810-4214	  	
 
www.rzim.org	   Office (770) 449-6766 	
4725 Peachtree Corners Circle Suite 250 	
Norcross, GA 30092 	


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Arthur Neville
Sent: Wednesday, February 22, 2006 2:53 PM
To: list at lists.dshield.org
Subject: [Dshield] Exchange Open Relay

Greetings
  Q:
  I posted before about how my domain is being whacked by Spam and how
some users are contsantly getting hammered
  I checked our public facing email server to see if its an Open
Relay....
  I was able to telnet into 25 and send mail from the outside hmmmmm
  We use an intranet and within that intranet there is windows
integrated authenticated, we are using Outlook Web Access and Outlook
Mobile Access for our smartphones
   
  I heard one of the WinAdmins speak about needing SMTP to communicate
between the servers and that there are no open relay's.... duhhhh guess
what
  I went to one of the sites that checks the site to see if it is on any
DNSBNL's and voila we are on about 50 dnsbl's on the net.....
  Does that mean we have someone using our server as an open relay ???
  Or we have someone who has some bots on his box or boxes....
   
  In any event....thats the scoopla, I am well versed in the art of
reading so if you have some links or info that would be helpful that
would be kewl
  thanks
  art
   

		
---------------------------------
Brings words and photos together (easily) with  PhotoMail  - it's free
and works with Yahoo! Mail.
_________________________________________
Learn about Intrusion Detection in Depth from the comfort of your own
couch:
https://www.sans.org/athome/details.php?id=1341&d=1

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

Lou Hablas



More information about the list mailing list