Educause Security Discussion mailing list archives

Re: Blacklisted as a Mail Relay - help!


From: "Wehner, Paul (wehnerpl)" <WEHNERPL () UCMAIL UC EDU>
Date: Tue, 17 Feb 2004 15:31:22 -0500

Check the SMTP Connector config: go to the "Address Space" tab and make sure
"Allow messages to be relayed to these domains" is *not* checked.

If it is checked, that means "Allow authenticated to relay" is overridden.

http://www.msexchange.org/pages/article.asp?id=54
http://www.jsiinc.com/SUBJ/tip4800/rh4881.htm
http://www.spamabuse.org/content_PreventUnsolicitedE-MailinExchange2000.htm

Paul Wehner
Mail Administrator
University of Cincinnati




-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Tuesday, February 17, 2004 3:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blacklisted as a Mail Relay - help!

From our mail admin...

We're running Exchange 2000 server (SP3) running on Windows 2000 Server
(SP4).  In the Properties of the "Default SMTP Virtual Server" we changed
the "Relay Restrictions" by checking the box that says "Allow all computers
which successfully authenticate to relay, regardless of the list above."

This allowed those students using POP3 to send messages to off-campus
addresses using our Exchange server as their relay host.  We have been
running this way for several years without a problem.  That is until about 2
weeks ago... All of a sudden we were being used as a relay host for a
spammer.  We've turned off all relay ability for the time being.
--

We'd like to re-enable the 'authenticated' mail relaying but not if it
continues to cause a problem.  The best scenario would be to find who was
using us and stop them.  The first thing I did was check for viruses on the
mail server. I didn't find any and there are no 'weird' processes
running that I can see.

I'd like to find out if this is an internal or external problem.  Is there
any auditing I can set up on the Win2K box or in Exchange itself?
Is there any specific type of traffic I can be watching for?

This is over my head.  Can anyone point me in a direction?


Jake Barros
Network Security Administrator
Grace College
574-372-5100 x 6178

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
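
An added example, not part of either message above: one way to answer the "internal or external" question is to count accepted RCPT commands to non-local domains per client address in the SMTP service log. It assumes the SMTP service writes W3C extended format logs with the fields named in the sample's `#Fields` line; the domain, campus range and every log entry are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Assumptions: our own mail domain and campus address range (placeholders).
LOCAL_DOMAINS = {"campus.example"}
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log; every address and mailbox here is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-02-17 19:58:02 10.20.5.14 RCPT +TO:<friend@offsite.example> 250
2004-02-17 20:01:11 203.0.113.77 RCPT +TO:<a@dest1.example> 250
2004-02-17 20:01:11 203.0.113.77 RCPT +TO:<b@dest2.example> 250
2004-02-17 20:03:40 198.51.100.9 RCPT +TO:<prof@campus.example> 250
2004-02-17 20:04:05 198.51.100.23 RCPT +TO:<x@elsewhere.example> 550
2004-02-17 20:04:06 198.51.100.23 QUIT - 240
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def recipient_domain(query):
    """Extract the lower-cased domain from an argument such as '+TO:<user@host>'."""
    addr = query.rpartition(":")[2].strip("<>")
    return addr.rpartition("@")[2].lower()

def relay_report(text):
    """Count accepted RCPTs to non-local domains per client, tagged by origin."""
    counts = Counter()
    for row in parse_w3c(text):
        if row["cs-method"].upper() != "RCPT" or row["sc-status"] != "250":
            continue  # only recipients the server actually accepted
        if recipient_domain(row["cs-uri-query"]) in LOCAL_DOMAINS:
            continue  # delivery to our own users is not relaying
        ip = ipaddress.ip_address(row["c-ip"])
        origin = "internal" if any(ip in net for net in CAMPUS_NETS) else "external"
        counts[(row["c-ip"], origin)] += 1
    return counts.most_common()

if __name__ == "__main__":
    print(relay_report(SAMPLE_LOG))
```

A client outside the campus range with many accepted non-local recipients is the pattern to investigate first; rejected (550) attempts and mail for local users are excluded from the count.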
