[Dshield] Exchange Open Relay

DigitalNation dshield at digitalnation.ca
Thu Feb 23 12:45:48 GMT 2006


*Example of how to get blacklisted and not be an open relay*

You can get on the DNSBL by having too many "out of office" responders in
place. SPAMCOP advises that mail-admins turn off that feature... I know this
because it happened to us last month.

------------------
M. McBride
Security Admin
DigitalNation
Vancouver, Canada
 




-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Lou Hablas
Sent: Wednesday, February 22, 2006 6:27 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Exchange Open Relay


What version of Exchange, Arthur?

If it's anything less than Exchange 2003, you're probably so "owned" that a
complete rebuild may be necessary.  Also, what kind of shape is your network
in?  Do you have solid desktop AV and Spyware protection? If "Yes" on the
latter question, I'd focus on your Exchange box immediately.

I inherited a network several years ago that was running Exchange 5.5.
Unfortunately, my predecessor was not a "network guy" and this box was in
bad shape - I was able to verify that it was not acting as an open relay and
the server was not on any RBLs, but it was spewing SPAM internally to the
tune of thousands of emails per day and despite my efforts to identify
how/why, it continued.  Trend ScanMail did a job of grabbing a lot of it,
but a lot got through.  Eventually I was able to purchase a new box and the
transition from 5.5 to 2003 began...using MSFT's documentation, it was
actually a very easy migration.  Once migrated, I put GFI's MailEssentials
and MailSecurity in place and watched total incoming SPAM drop to a paltry
16% of total incoming mail and most of the SPAM is dropped once identified
as such.  The difference has been HUGE.

All of this said (and assuming you are running Exchange 5.5), I'd work fast
and furious on migrating to 2003...then I'd work on getting delisted from
the RBLs.

Good luck!!

Lou


Louis Hablas
IT Manager 
lou.hablas at rzim.org 
Main: (770) 810-4214	  	
 
www.rzim.org	   Office (770) 449-6766 	
4725 Peachtree Corners Circle Suite 250 	
Norcross, GA 30092 	


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Arthur Neville
Sent: Wednesday, February 22, 2006 2:53 PM
To: list at lists.dshield.org
Subject: [Dshield] Exchange Open Relay

Greetings
  Q:
  I posted before about how my domain is being whacked by Spam and how some
users are constantly getting hammered
  I checked our public facing email server to see if it's an Open Relay....
  I was able to telnet into 25 and send mail from the outside hmmmmm
  We use an intranet and within that intranet there is windows integrated
authenticated, we are using Outlook Web Access and Outlook Mobile Access for
our smartphones
   
  I heard one of the WinAdmins speak about needing SMTP to communicate
between the servers and that there are no open relays.... duhhhh guess what
  I went to one of the sites that checks the site to see if it is on any
DNSBLs and voila we are on about 50 DNSBLs on the net.....
  Does that mean we have someone using our server as an open relay ???
  Or we have someone who has some bots on his box or boxes....
   
  In any event....that's the scoopla, I am well versed in the art of reading
so if you have some links or info that would be helpful that would be kewl
  thanks
  art
   

		
---------------------------------
Brings words and photos together (easily) with  PhotoMail  - it's free and
works with Yahoo! Mail. _________________________________________
Learn about Intrusion Detection in Depth from the comfort of your own
couch:
https://www.sans.org/athome/details.php?id=1341&d=1

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
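
An added example, not part of any message in this thread: the question above turns on whether a port-25 test session shows relaying or only normal inbound delivery, so this sketch classifies a recorded SMTP session by how the server answered an unauthenticated RCPT TO for a domain it does not host. The "C:"/"S:" transcript format, the sample sessions and the domains example.org and elsewhere.test are constructed assumptions.

```python
import re

# Constructed sample sessions ("C:" client, "S:" server). example.org stands in
# for the local domain and elsewhere.test for an outside one (both assumed).
LOCAL_ONLY = """\
S: 220 mail.example.org ESMTP
C: HELO probe.elsewhere.test
S: 250 mail.example.org
C: MAIL FROM:<tester@elsewhere.test>
S: 250 2.1.0 Sender OK
C: RCPT TO:<art@example.org>
S: 250 2.1.5 Recipient OK
C: RCPT TO:<someone@elsewhere.test>
S: 550 5.7.1 Unable to relay
C: QUIT
"""
OPEN_RELAY = LOCAL_ONLY.replace("550 5.7.1 Unable to relay", "250 2.1.5 Recipient OK")

RCPT = re.compile(r"RCPT TO:\s*<[^>@]*@([^>]+)>", re.I)

def classify_relay(transcript, local_domains):
    """Return 'open-relay', 'relay-denied' or 'inconclusive' for one session."""
    local = {d.lower() for d in local_domains}
    authed = False
    pending = None            # last client line still waiting for its reply
    foreign_tried = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            pending = text.strip()
        elif side == "S" and pending is not None:
            if text[3:4] == "-":      # "250-..." continues a multi-line reply
                continue
            code = text[:3]
            if code == "235":         # AUTH succeeded; later relaying is expected
                authed = True
            m = RCPT.match(pending)
            if m and m.group(1).lower() not in local and not authed:
                foreign_tried = True
                # 2xx: accepted mail for a domain it does not host, without login.
                if code.startswith("2"):
                    return "open-relay"
            pending = None
    # Accepting mail for local recipients only proves the server receives mail.
    return "relay-denied" if foreign_tried else "inconclusive"

if __name__ == "__main__":
    for name, session in (("local-only", LOCAL_ONLY), ("open", OPEN_RELAY)):
        print(name, "->", classify_relay(session, {"example.org"}))
```

Some servers answer 250 to RCPT TO and then reject or discard the message later, so an "open-relay" verdict from a transcript is best confirmed by checking whether the test message actually arrives at the outside mailbox.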