From: Jeff on 3 Jun 2010 09:08

Hello,

Several weeks ago I posted to the group that Comcast was blocking our domain. I would fill out their form and an hour later they would unblock us, but only to block us again in about a week or two. Their automated reply indicates that mail from our domain "has the pattern of spam."

Well, I decided to do some checking. I went into my SMTP Virtual Server and found out that relaying was on! How could this happen? Was I hacked? There was actually an IP address of a workstation that was granted access to relay (192.168.1.90).

Also, the option "Allow all computers which successfully authenticate to relay, regardless of the list above" was enabled. I disabled this option.

Now, my question: if I click on the Users button to "Grant or deny relay permissions to specific users or groups," Authenticated Users have the Allow Permission to Submit Permission. Should I uncheck this?

We are on Exchange 2003 with all the latest service packs, etc. We do not use a relay account to send email. It's just a plain old Exchange server.

Am I disabling relaying properly? How can I prevent this in the future?

From: M on 3 Jun 2010 12:08

Hello:

Read my post at http://sysadmin-e.com/2010/02/06/relay-smtp/ and check out the links there. This topic, IMO, is very confusing. Some of the settings that you mentioned are the default, so don't panic about that. There shouldn't be any IP allowed to relay though, unless perhaps you have some application servers, but not a regular workstation.

--
Regards,
M
MCTS, MCSA
http://SysAdmin-E.com

From: Jeff on 3 Jun 2010 13:18

Thanks for the informative article. It shed some light for me.

Do you have any idea how an IP address was added and given relaying permissions? I set up this Exchange server and I know I did not add it there.

I'm going to check out the workstation that has this IP address.

From: M on 3 Jun 2010 14:31

In a default Exchange install, no IP addresses should be in there, and none is necessary for normal Exchange functionality. Maybe some Exchange anti-malware software that you installed made that change during the install? It's unlikely that one could have accidentally added the IP address, as that involves several mouse clicks along with entering in an IP address. It's not a setting in the main screen of ESM that you could have accidentally enabled.

--
Regards,
M
MCTS, MCSA
http://SysAdmin-E.com

From: Ed Crowley [MVP] on 3 Jun 2010 15:35

Allowing authenticated computers to relay is not an uncommon configuration, especially when you have POP and IMAP clients. If you don't, and you have no other hosts sending outbound SMTP mail via your Exchange server, it's fine to turn that off.

For a spammer to have compromised your server, they'd have had to have hacked a password on an account that's authorized to send SMTP mail. If that happened, then I suggest you review your password policy.

--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
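
Added example (not part of any post in this thread, and not Microsoft's tooling): a log check for the situation discussed above, reporting which client addresses had mail accepted for domains the server does not host. It assumes the SMTP virtual server writes W3C Extended logs with the c-ip, cs-method, cs-uri-query and sc-status fields enabled; the sample log lines, the local domain example.com and the function name relay_candidates are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the domains this server is responsible for (placeholder value).
LOCAL_DOMAINS = {"example.com"}

# Constructed sample, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-06-01 02:14:07 192.168.1.90 MAIL +FROM:<a@example.com> 250
2010-06-01 02:14:07 192.168.1.90 RCPT +TO:<u1@example.net> 250
2010-06-01 02:14:08 192.168.1.90 RCPT +TO:<u2@example.net> 250
2010-06-01 02:14:08 192.168.1.90 RCPT +TO:<u3@example.org> 250
2010-06-01 02:14:09 192.168.1.90 RCPT +TO:<u4@EXAMPLE.org> 250
2010-06-01 09:30:41 203.0.113.7 RCPT +TO:<u5@example.net> 550
2010-06-01 09:31:02 198.51.100.20 RCPT +TO:<jeff@example.com> 250
2010-06-01 09:31:05 truncated line
"""

ADDRESS = re.compile(r"<[^<>@\s]+@([^<>\s]+)>")

def relay_candidates(log_text, local_domains, threshold=3):
    """Clients with >= threshold accepted RCPTs for non-local domains."""
    fields, stats = [], defaultdict(lambda: {"accepted": 0, "domains": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names for the rows that follow
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue                         # other directives, blank or malformed rows
        row = dict(zip(fields, values))
        match = ADDRESS.search(row.get("cs-uri-query", ""))
        if (row.get("cs-method", "").upper() != "RCPT"
                or not row.get("sc-status", "").startswith("2")  # rejected, e.g. 550
                or not match):
            continue
        domain = match.group(1).lower()
        if domain in local_domains:
            continue                         # normal inbound delivery, not relay
        entry = stats[row.get("c-ip", "unknown")]
        entry["accepted"] += 1
        entry["domains"].add(domain)
    return {ip: {"accepted": s["accepted"], "domains": sorted(s["domains"])}
            for ip, s in stats.items() if s["accepted"] >= threshold}

if __name__ == "__main__":
    for ip, info in relay_candidates(SAMPLE_LOG, LOCAL_DOMAINS).items():
        print(ip, info["accepted"], ", ".join(info["domains"]))
```

An internal address that appears in this output without being a known application server is the machine to examine first.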