Re: FW: Postmaster notify: User unknown

[RC <Robert () CUTTLE COM>]

Funny how these things come up, I received this today in my admin mailbox.
Exchange Server 5.5 sp3 NT 4.0 sp5

I'm currently reading Technet article on Exchange Relay, interesting.

Robert Cuttle
**********
The following recipients did not receive the attached mail. Reasons are
listed with each recipient:

<mailrelay () aol net> mailrelay () aol net
 MSEXCH:IMS:MLM:GR1:EXCHANGE 0 (000C05A6) Unknown Recipient
<mailrelay%aol.net () aol com> mailrelay%aol.net () aol com
 MSEXCH:IMS:MLM:GR1:EXCHANGE 0 (000C05A6) Unknown Recipient

The message that caused this notification was:

SUBJECT:  ORT:1:63.209.140.30:STD_RELAY|PCT_DOMAIN:1

63.209.140.30 is an open relay!!!!



----- Original Message -----
From: "Jim Roland" <jroland () ROLAND NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, December 19, 2000 14:15
Subject: Re: FW: Postmaster notify: User unknown


Not entirely odd.  A frequent trick of spammers is to "test" a system first
to see if it's an open relay.  If it attempts to pass an email through an
open relay (returning 550 errors for a domain that you're not a part of, and
you're not authenticated on the mail server), then you have an open relay.
Lock your system down before you see real traffic get relayed.



----- Original Message -----
From: "Nexus" <nexus () PATROL I-WAY CO UK>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, December 19, 2000 2:42 AM
Subject: Re: FW: Postmaster notify: User unknown


> Hi folks,
>     Could be a brute force attempt to enumerate valid usernames, or maybe
> somethings silly like that - do you have the full, original SMTP header at
> all ?
> ie they may have been playing with the reply to: field and the like.
> That would be very useful in trying to establish what has occured.
> It is odd that you rec'd a bounced mail from a hotmail address
>
> Regards,
>             JJ
>
> ----- Original Message -----
> From: "Paul Snedden" <psnedden () GBMLOGIC COM AU>
> To: <INCIDENTS () SECURITYFOCUS COM>
> Sent: Tuesday, December 19, 2000 1:14 AM
> Subject: FW: Postmaster notify: User unknown
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > All,
> >
> > This mail appeared in my Inbox last Friday morning.  I present this
> > unto you all for your evaluation and recommendation.  I believe an
> > intruder has accessed my email server for their own purposes.  Am I
> > correct?
> >
> > > -----Original Message-----
> > > From: Mail Delivery Subsystem
> > > [mailto:MAILER-DAEMON () nsw gbmlogic com au] Sent: Thursday, December
> > > 14, 2000 9:53 PM To: postmaster () nsw gbmlogic com au Subject:
> > > Postmaster notify: User unknown
> > >
> > >
> > > The original message was received at Thu, 14 Dec 2000 21:53:06
> > > +1100 from localhost
> > >
> > >    ----- The following addresses had permanent fatal errors -----
> > > <davidputty12 () hotmail com>
> > >
> > >    ----- Transcript of session follows -----
> > > ... while talking to mc5.law5.hotmail.com.:
> > > > > > RCPT To:<davidputty12 () hotmail com>
> > > <<< 550 Requested action not taken:user account inactive
> > > 550 <davidputty12 () hotmail com>... User unknown
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.1 Int. for non-commercial use
> > <http://www.pgpinternational.com>
> >
> > iQA/AwUBOj4p0Xz2HXQUsCJOEQKSMgCgnY0fIToqS2kPqXjbdEZEQ2EXESUAoMm5
> > SQA//mRJpICpBtF8uBuXY0wh
> > =OZhA
> > -----END PGP SIGNATURE-----
>
> ____________________________________________
> http://1cis.com
> Free E-mail Servers with unlimited mailboxes
> 1st Class Internet Solutions