SBS 2003 How to Close Open SMTP Relay

75 pts.
Tags:
Close Open Relay
Open Relay
SBS 2003
SBS 2003 Open Relay
SBS 2003 Spam
SBS 2003 Exchange is testing as an open relay according to spamhelp.org and instructions in TechNet Article 324958. In the TechNet Article it lays out how to close the open relay. All our server settings met the article's settings in the first place. We are not using the built-in firewall (ISA Server) as we are using a separate appliance (CheckPoint). We are also routing to TrendMicro for initial spam filtering via MX record.

We have checked application logs for authentication records as the TechNet article suggests but none are to be found. We have reset all domain passwords and shut off all client machines for a period of time. The spams keep populating our SMTP queue.

Frustration is now setting in as we are configured as we should be, yet we are still an open relay. Thanks for your help.



Software/Hardware used:
Small Business Server 2003
ASKED: October 19, 2009  2:00 PM
UPDATED: October 26, 2009  7:00 PM
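The relay test the question refers to (the telnet session in KB 324958) can be scripted so it is repeatable from outside the firewall and does not depend on a third-party site. The block below is an added example, not code from the original thread or from Microsoft. It sends the same commands a tester types by hand (EHLO, MAIL FROM, RCPT TO) and judges the reply to RCPT TO: a 250 means the server accepted an outside recipient for an outside sender (it relays), a 5xx (Exchange 2003 answers "550 5.7.1 Unable to relay") means relay is refused. Beyond the single address in the KB test it also submits the classic relay-bypass recipient forms (percent hack, source route, quoted local part) that public relay testers try, which a server that only checks the part after the last "@" can accept. Host names, domains and addresses are constructed for illustration.

```python
"""Open-relay probe modelled on the telnet test in Microsoft KB 324958.

Added example, not code from the original thread. `probe_relay` works over an
smtplib.SMTP connection (or any object with the same ehlo/mail/rcpt/rset/quit
methods) so it can be exercised offline against a fake server.
"""
import smtplib

# Constructed values: a sender and recipient that are NOT local to the server
# under test. Both must be non-local or the test says nothing about relaying.
PROBE_SENDER = "relaytest@probe.example"
EXTERNAL_RCPT = "nobody@elsewhere.example"


def relay_probe_recipients(local_domain: str) -> list:
    """Recipient forms a relay test submits; every one resolves to an outside mailbox."""
    user, _, ext_domain = EXTERNAL_RCPT.partition("@")
    return [
        EXTERNAL_RCPT,                              # plain external address (the KB 324958 test)
        f"{user}%{ext_domain}@{local_domain}",      # '%' hack: looks local, routes outward
        f"@{local_domain}:{EXTERNAL_RCPT}",         # RFC 821 source route through the local host
        f'"{EXTERNAL_RCPT}"@{local_domain}',        # quoted local part containing the real target
    ]


def verdict(rcpt_code: int) -> str:
    """Map the RCPT TO reply code to a relay verdict."""
    if 200 <= rcpt_code < 300:
        return "RELAYS"          # recipient accepted for an outside sender: relays
    if rcpt_code in (450, 451, 452):
        return "TEMPORARY"       # deferred (tarpit/greylist style); retest later
    return "REFUSED"


def probe_relay(conn, local_domain: str) -> dict:
    """Run the test and return {recipient: (reply_code, verdict)}.

    The session is reset after each RCPT and never reaches DATA, so no
    message is actually queued on the target even if it does relay.
    """
    results = {}
    conn.ehlo("probe.example")
    for rcpt in relay_probe_recipients(local_domain):
        code, _ = conn.mail(PROBE_SENDER)
        if code != 250:
            results[rcpt] = (code, "MAIL FROM refused")
            conn.rset()
            continue
        code, _ = conn.rcpt(rcpt)
        results[rcpt] = (code, verdict(code))
        conn.rset()
    conn.quit()
    return results


def is_open_relay(results: dict) -> bool:
    """True if any recipient form was accepted for an outside sender."""
    return any(v == "RELAYS" for _, v in results.values())


if __name__ == "__main__":
    import sys
    # usage: python relayprobe.py mail.example.com example.com   (run from OUTSIDE the LAN)
    host, domain = sys.argv[1], sys.argv[2]
    res = probe_relay(smtplib.SMTP(host, 25, timeout=20), domain)
    for rcpt, (code, v) in res.items():
        print(f"{code} {v:16} RCPT TO:<{rcpt}>")
    print("OPEN RELAY" if is_open_relay(res) else "relay closed for all tested forms")
```

Run it from an address outside the LAN, because a connection that arrives from an address on the relay list (or via a NAT that rewrites the source to a LAN address) will be allowed to relay even though the same server refuses the public internet. A "REFUSED" for every form is the result the KB expects from a correctly configured Exchange 2003 server.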

Answer Wiki


Does your testing according to the first section of the KB you reference indicate that SMTP relay is disabled? Are you sure the spam messages are coming in from outside of your network? There could also be infected clients in your network causing the spam storm. Be sure your internal clients are clean. You might also check this <a href="http://support.microsoft.com/kb/886208">KB article about NDR backscatter spam attacks</a>. See this <a href="http://support.microsoft.com/kb/895853">KB article also for more troubleshooting tips</a>.

Discuss This Question: 7  Replies

 
  • CASLIT
    As for your first point, for a 15-hour period of time this weekend, I shut down all internal clients. The only machine still up on the internal network was the SBS 2003 itself. I have run TrendMicro, Spybot, etc. on the server and it shows clean. The spams continued to populate our SMTP queue. You know, I just lied. I also left up the phone server (runs the voicemail phone system). It is on the LAN but not on the domain. I just shut that down to see if the spams stop. As for the NDR article, we have read that and none of the symptoms apply to our situation. The spams populating our SMTP queue are clearly spam as they have sender domains which are not our domain (mostly @yahoo.com.tw). Which brings me back to: why is our server configured just like the article says and we still test as an open relay? Thanks for your help!
  • CASLIT
    After about 15 minutes of the phone server being shut down, another spam entered the smtp queue. So I guess that is not it. Also the article about NDR, I re-verified and our server was already configured to those settings. I also verified that we are tarpitting as was also suggested. I must be missing something or there must be a new exploit out there.
  • CASLIT
    Be sure that:
    1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
    2. In Exchange System Manager, expand the following object: Servers\Your_Exchange_Server_Name\Protocols\SMTP
    3. Right-click the virtual SMTP server where you want to prevent mail relay, and then click Properties.
    4. Click the Access tab, and then click Relay.
    5. By default, open relay is blocked. The default settings are as follows:
       * The "Only the list below" check box is selected. (YOUR server should be listed here and no other.)
       * The "Allow all computers which successfully authenticate to relay, regardless of the list above" check box is selected.
    6. If you must permit a single computer, a group of computers, or a domain to relay through the server, click Add. In the Computer dialog box, click the appropriate selection for the computers you want to relay through the server. Then, type the required information. Note: Enabling access by IP address or by domain name is helpful for users who do not authenticate with the Exchange computer.
    7. In the Relay Restrictions dialog box, click OK.
    8. Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.
    If your Exchange computer continues to relay messages to external domains, your Exchange computer has an SMTP connector that allows for relay. For more information about how to prevent relay through an SMTP connector, click the following article number to view the article in the Microsoft Knowledge Base: 314734 Relay restrictions on default virtual SMTP server are not working
  • CASLIT
    Troy, thanks for those instructions. Unfortunately, we are already set up that way. I do have 127.0.0.1 set up in the "Only the list below" box. As I understand it, that is for routing of internal emails I get from the server. I also went to the link and we are configured as that indicates as well. Yet we are still showing as an open relay. Wow!
  • CASLIT
    I have just removed my server and 127.0.0.1 from the Computers list on the Access screen. Now we do not show as an open relay any more. Both incoming and outgoing seem to be flowing fine and no more spams so far. It may be that this server setting was allowing spams to telnet directly to the server.
  • CASLIT
    Glad it was resolved.
  • CASLIT
    Thanks for responding. Let me attempt to cover all the points. Article 324958 tells us how to test to see if we are an open relay. We were. The article tells us to look for certain entries in the application log. None were to be found that even resembled those offered. We verified that our server was set exactly as the article indicated (Configure the Exchange Server to block open SMTP relaying). Our settings were identical by default. Since we were using a separate firewall appliance (CheckPoint Safe@Office 500W), we could not access the ISA Server portion of the instructions. We did successfully follow the "Clean up the Exchange Server's SMTP queue" section, which was a huge help in getting rid of 3500 spams which would no longer go out as we had been blacklisted already. I turned off all clients on the LAN. The problem continued. I ran multiple malware product scans on the server. No malware found. Now for the solution. I removed the server IP and subnet listing and the 127.0.0.1 listing in the box under Default SMTP Virtual Server, Properties, Access tab, Relay button. As soon as we removed those default settings, the incoming spams stopped. Someone who knows more than I do (which is a ton of folks) told me that they probably had a telnet session directly into the server. We have had tarpitting and Intelligent Message Filter installed for quite some time. IMF was seeing thousands of these spams each day. As soon as we made the change mentioned above, not one came in again. Does this mean that MS recommended settings make SBS 2003 an open relay (with or without using a separate firewall appliance)?
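The fix in this thread was to empty the "Only the list below" box under Default SMTP Virtual Server > Properties > Access > Relay and rely on the "Allow all computers which successfully authenticate" setting alone. What an entry in that list grants is easy to misjudge: every session whose source address matches an entry (a single computer, or a group given as address plus subnet mask) may relay without authenticating, whatever is on the other end of that address. The block below is an added example, not code from the thread or from Microsoft, that evaluates a relay list the way the dialog does so you can check which source addresses a given set of entries lets through. It models only computer and group entries, not domain-name entries, and the addresses, masks and entries are constructed for illustration. The thread does not establish why the removed entries mattered in this particular case; the example shows what they grant.

```python
"""Evaluate an Exchange 2003 relay restriction list against source addresses.

Added example, not code from the original thread. Entry and address values
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RelayEntry:
    """One row of the Relay Restrictions list: a single computer (no mask) or a group."""
    address: str
    mask: Optional[str] = None

    def network(self) -> ipaddress.IPv4Network:
        if self.mask is None:
            return ipaddress.IPv4Network(f"{self.address}/32")
        # strict=False lets a host address plus mask stand for its whole subnet,
        # which is how the "Group of computers" entry behaves.
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


def may_relay(source_ip: str, entries: List[RelayEntry], authenticated: bool,
              allow_authenticated: bool = True) -> str:
    """Return the reason a session may relay, or 'denied'.

    Order matches the dialog: a list match grants relay on its own (no
    authentication needed); otherwise only an authenticated session relays
    when the "regardless of the list above" box is ticked.
    """
    ip = ipaddress.IPv4Address(source_ip)
    for entry in entries:
        if ip in entry.network():
            return f"allowed by list entry {entry.network()}"
    if authenticated and allow_authenticated:
        return "allowed by authentication"
    return "denied"


def audit(entries: List[RelayEntry], sources: List[str]) -> dict:
    """Unauthenticated relay outcome for each source address."""
    return {src: may_relay(src, entries, authenticated=False) for src in sources}


if __name__ == "__main__":
    # Constructed: the server itself and its LAN subnet listed, as in the thread.
    as_configured = [RelayEntry("127.0.0.1"),
                     RelayEntry("192.168.1.10", "255.255.255.0")]
    # Constructed: the same group entry with a mis-typed mask.
    broad_mask = [RelayEntry("192.168.1.10", "255.0.0.0")]
    # The thread's fix: no list entries, authenticated sessions only.
    after_fix: List[RelayEntry] = []

    sources = ["127.0.0.1",      # any process on the server itself
               "192.168.1.1",    # a LAN address, e.g. the firewall's inside interface
               "192.0.2.44",     # a public address (TEST-NET-1)
               "203.0.113.7"]    # another public address
    for label, entries in [("as configured", as_configured),
                           ("broad mask", broad_mask),
                           ("after fix", after_fix)]:
        print(label)
        for src, outcome in audit(entries, sources).items():
            print(f"  {src:14} {outcome}")
```

Two things the output makes concrete. A group entry covers the whole subnet, so a connection that reaches the SMTP service with a LAN source address (an infected LAN host, or an inbound connection a NAT gateway has rewritten to its inside address) relays without authenticating; a mis-typed mask such as 255.0.0.0 widens that to public address space. With the list empty, the only unauthenticated relay left is the one a correct server should show: none.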
