| Author |
Message |
Henry
Guest
|
Posted: Fri Jan 14, 2005 12:51 am
Post subject: Spoofed or Internal Relay?
|
Relaying is not allowed on my Exchange 2003 servers from outside sources,
but it is allowed internally so that other computer systems within my LAN can
relay.
I have a problem where mail is attempting to be relayed through my Exchange
servers that is spam. The "from" field makes it appear as if it is coming from
an internal user.
I assume it is possible that an internal user is infected and is trying
to relay.
How can I track down who is doing this using Exchange logs and monitoring?
The header isn't telling me anything.
|
|
Fitz Crittle [MSFT]
Guest
|
Posted: Fri Jan 14, 2005 3:28 am
Post subject: Re: Spoofed or Internal Relay?
|
From the Exchange Server 2000 System Manager, right-click on the Exchange
Server object and choose Properties.
On the Diagnostics Logging tab, enable logging to maximum for Transports,
SMTP Protocol.
Restart the SMTP Service.
Examine the Application log and look for event 1708; this should show you
the account Auth Login event, which will indicate that this account is
authenticating with the Exchange server to send relayed e-mail from the
server.
Thanks,
Fitz Crittle
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email to this address, post a reply to this newsgroup
"Henry" <Henry@discussions.microsoft.com> wrote in message
news:C874E06C-9A0B-4764-A308-D2A2EC881016@microsoft.com...
| Quote: | Relaying is not allowed on my Exchange 2003 servers from outside sources,
but it is allowed internally so that other computer systems within my LAN can
relay.
I have a problem where mail is attempting to be relayed through my Exchange
servers that is spam. The "from" field makes it appear as if it is coming from
an internal user.
I assume it is possible that an internal user is infected and is trying
to relay.
How can I track down who is doing this using Exchange logs and monitoring?
The header isn't telling me anything. |
|
|
Lanwench [MVP - Exchange]
Guest
|
Posted: Sun Jan 16, 2005 11:53 pm
Post subject: Re: Spoofed or Internal Relay?
|
Henry wrote:
| Quote: | Relaying is not allowed on my Exchange 2003 servers from outside
sources, but it is allowed internally so that other computer systems
within my LAN can relay.
|
Do they really need to? Normal Outlook+Exchange/OWA users don't need to
relay. If you have specific machines/devices that need to relay, allow just
those IP addresses.
| Quote: |
I have a problem where mail is attempting to be relayed through my
Exchange servers that is spam. The "from" field makes it appear as if it
is coming from an internal user.
|
Where are you seeing this? In your queues?
| Quote: |
I assume it is possible that an internal user is infected and is
trying to relay.
|
Yes, but if you don't allow internal users to relay (disable *all* relay
except for the specific IP addresses that need it) this won't happen. And
you should be running centrally managed desktop antivirus software
anyway....
| Quote: |
How can I track down who is doing this using Exchange logs and
monitoring? The header isn't telling me anything.
|
I think Fitz answered that one -
See http://www.vamsoft.com/orf/authattack.asp . If you don't have
strong/complex password policies enabled, force regular password changes,
have enabled guest, etc., someone may exploit authenticated relay. If you
don't need authenticated relay, disable it. You can always have any external
POP users use their own ISP's SMTP server for outbound mail anyway.
See http://www.msexchange.org/tutorials/MF005.html for a good overview of
relaying and spam.
|
|
PES
Guest
|
Posted: Tue Jan 18, 2005 6:00 am
Post subject: Re: Spoofed or Internal Relay?
|
Henry wrote:
| Quote: | Relaying is not allowed on my Exchange 2003 servers from outside sources,
but it is allowed internally so that other computer systems within my LAN can
relay.
I have a problem where mail is attempting to be relayed through my Exchange
servers that is spam. The "from" field makes it appear as if it is coming from
an internal user.
I assume it is possible that an internal user is infected and is trying
to relay.
How can I track down who is doing this using Exchange logs and monitoring?
The header isn't telling me anything.
|
I can just about guarantee that these are spoofed. Why not just look at
the headers in the message by right-clicking the message in Outlook
and choosing Options?
--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13