[Dshield] Exchange Open Relay

Patrick Andry pandry at wolverinefreight.ca
Thu Feb 23 17:34:38 GMT 2006


I would first check and see what you are blacklisted for.  I would also 
consider blocking port 25 outbound at the firewall for everything but 
the exchange server.  Then I would audit the OWA setup for abuse.  Check 
for which IPs are accessing it, whether they follow normal traffic, and 
if they are even in your geographic location. 
I would also run a tap at the switch and listen in for any suspicious 
traffic.  If you have limited resources but a lot of time, you can make 
educated guesses about what is going on just by looking at your cached 
DNS lookups.   This is a real big pain to do, but you work with what you 
got.
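The OWA audit Patrick describes (which IPs are hitting it and whether their traffic looks normal), as an added Python example that is not part of this thread: it parses constructed IIS W3C log lines from the OWA virtual directory and flags client addresses that are outside an assumed internal range, or that rack up repeated 401s or try several user names. The field set and the 10.0.0.0/8 "expected" range are assumptions, not Exchange defaults.

```python
from collections import defaultdict
import ipaddress

# Constructed sample OWA access log in IIS W3C extended format.
# The field set is an assumption; fields are read from the #Fields header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-02-23 09:01:12 10.1.1.25 jsmith GET /exchange/jsmith/Inbox 200
2006-02-23 09:03:05 198.51.100.7 - GET /exchange/ 401
2006-02-23 09:03:06 198.51.100.7 admin GET /exchange/ 401
2006-02-23 09:03:07 198.51.100.7 root GET /exchange/ 401
2006-02-23 09:03:08 198.51.100.7 test GET /exchange/ 401
2006-02-23 09:10:00 203.0.113.9 aneville GET /exchange/aneville/Inbox 200
"""

# Address ranges OWA is expected to serve (assumed for this example).
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def summarise_by_ip(text):
    """Per client IP: total hits, 401 responses and distinct user names seen."""
    stats = defaultdict(lambda: {"hits": 0, "auth_failures": 0, "users": set()})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        s["hits"] += 1
        if rec["sc-status"] == "401":
            s["auth_failures"] += 1
        if rec["cs-username"] != "-":
            s["users"].add(rec["cs-username"])
    return dict(stats)

def suspicious_ips(text, max_failures=3, max_users=2):
    """IPs outside EXPECTED_NETS, or with many 401s or many user names tried."""
    flagged = []
    for ip, s in summarise_by_ip(text).items():
        outside = not any(ipaddress.ip_address(ip) in net for net in EXPECTED_NETS)
        if outside or s["auth_failures"] >= max_failures or len(s["users"]) >= max_users:
            flagged.append(ip)
    return sorted(flagged)
```

Point it at the real OWA site's log directory and review the flagged list alongside the server's own authentication logs before drawing conclusions.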


Arthur Neville wrote:
> List here are the details of our setup......
>   Exchange 2003
>   Exchange server behind a firewall; however, we have an Internet address that users access via OWA that connects to our Exchange Servers
>   We are running Symantec AV Enterprise along with Symantec Mail Security (not configured properly, obviously). Actually, Symantec mentioned that we have to go through some sort of config because of incompatibilities with the way Exchange handles SMTP
>   No Malware/ Spyware apps enterprise level just yet....
>    
>   Arthur
>
> Kenton Smith <listsks at yahoo.ca> wrote:
>   Can you give us some details? Like what version of
> Exchange you're using and if it's behind a firewall,
> using public IPs, if the machine has been doing other
> strange things?
> Just being on a blacklist doesn't necessarily mean
> you're an open relay.
>
> Kenton
>
> --- Arthur Neville wrote:
>
>   
>> Greetings
>> Q:
>> I posted before about how my domain is being
>> whacked by Spam and how some users are constantly
>> getting hammered
>> I checked our public facing email server to see if
>> it's an Open Relay....
>> I was able to telnet into 25 and send mail from
>> the outside hmmmmm
>> We use an intranet and within that intranet there
>> is windows integrated authenticated, we are using
>> Outlook Web Access and Outlook Mobile Access for our
>> smartphones
>>
>> I heard one of the WinAdmins speak about needing
>> SMTP to communicate between the servers and that
>> there are no open relays.... duhhhh guess what
>> I went to one of the sites that checks the site to
>> see if it is on any DNSBLs and voila we are on
>> about 50 DNSBLs on the net.....
>> Does that mean we have someone using our server as
>> an open relay ???
>> Or we have someone who has some bots on his box or
>> boxes....
>>
>> In any event....that's the scoopla, I am well
>> versed in the art of reading so if you have some
>> links or info that would be helpful that would be
>> kewl
>> thanks
>> art
>>
