Educause Security Discussion mailing list archives

Re: Blacklisted as a Mail Relay - help!


From: "King, Dennis C." <dck22 () ALFRED EDU>
Date: Tue, 17 Feb 2004 15:15:24 -0500

We were doing exactly the same thing and sad to say with the same result.  I
was told by the operator of one of the blacklists that some spammers will
run brute force password attacks until they get a valid one, then spam away.
I believe that is what happened to us.  Implementing a strong(er) password
policy may be a solution.

Dennis C King
Information Security Officer
IT Project Manager
Alfred University
McMahon 247, Alfred, NY 14802
email: dck22 () alfred edu - phone: 607.871.2379


-----Original Message-----
From: Barros, Jacob [mailto:jkbarros () GRACE EDU]
Sent: Tuesday, February 17, 2004 3:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blacklisted as a Mail Relay - help!

From our mail admin...

We're running Exchange 2000 server (SP3) running on Windows 2000 Server
(SP4).  In the Properties of the "Default SMTP Virtual Server" we
changed the "Relay Restrictions" by checking the box that says "Allow
all computers which successfully authenticate to relay, regardless of
the list above."

This allowed those students using POP3 to send messages to off-campus
addresses using our Exchange server as their relay host.  We have been
running this way for several years without a problem.  That is until
about 2 weeks ago... All of a sudden we were being used as a relay host
for a spammer.  We've turned off all relay ability for the time being.
--

We'd like to re-enable the 'authenticated' mail relaying but not if it
continues to cause a problem.  The best scenario would be to find who
was using us and stop them.  The first thing I did was check for viruses
on the mail server. I didn't find any and there are no 'weird' processes
running that I can see.

I'd like to find out if this is an internal or external problem.  Is
there any auditing I can set up on the Win2K box or in Exchange itself?
Is there any specific type of traffic I can be watching for?

This is over my head.  Can anyone point me in a direction?


Jake Barros
Network Security Administrator
Grace College
574-372-5100 x 6178

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
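
Added example, not part of the original thread: one way to check for the pattern described in the reply above (many failed logons on an account followed by a success), run over a Security log export. It assumes logon auditing for success and failure is enabled on the Windows 2000 server and that the log has been exported to CSV with the constructed column layout shown. The function names, sample rows and threshold are illustrative assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_IDS = {529}        # logon failure: unknown user name or bad password
SUCCESS_IDS = {528, 540}   # successful logon / successful network logon

# Constructed sample export (time, event_id, account, workstation); not real data.
SAMPLE = """\
2004-02-03 02:10:01,529,jsmith,HOSTA
2004-02-03 02:10:02,529,jsmith,HOSTA
2004-02-03 02:10:03,529,jsmith,HOSTA
2004-02-03 02:10:04,529,jsmith,HOSTA
2004-02-03 02:10:05,529,jsmith,HOSTA
2004-02-03 02:10:06,529,jsmith,HOSTA
2004-02-03 02:10:07,540,jsmith,HOSTA
2004-02-03 08:00:00,529,akim,LAB-PC7
2004-02-03 08:00:20,529,akim,LAB-PC7
2004-02-03 08:00:40,528,akim,LAB-PC7
"""

def guessed_accounts(rows, threshold=5, window=timedelta(minutes=10)):
    """Return (account, success_time, failures) for each success that follows
    at least `threshold` failures on the same account inside `window`."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    hits = []
    for ts_text, event_id, account, _workstation in rows:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        acct = account.lower()
        fails = recent[acct]
        while fails and ts - fails[0] > window:   # age out old failures
            fails.popleft()
        eid = int(event_id)
        if eid in FAILURE_IDS:
            fails.append(ts)
        elif eid in SUCCESS_IDS:
            if len(fails) >= threshold:
                hits.append((acct, ts, len(fails)))
            fails.clear()
    return hits

def scan(text=SAMPLE, **kw):
    rows = sorted(csv.reader(io.StringIO(text)), key=lambda r: r[0])
    return guessed_accounts(rows, **kw)

if __name__ == "__main__":
    for acct, ts, n in scan():
        print(f"{acct}: success at {ts} after {n} failures")
```

Accounts it reports are candidates for a password reset and for a closer look at what was relayed after the successful logon; a user who mistypes a password twice stays below the default threshold.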
