-
SMTP Troubles
I have a PIX 506e and I’m running Exchange 2003. I can see my queue filling up with messages from the postmaster (NDRs trying to resend). I can see external connections on my SMTP virtual server. I’ve Googled spoofing and mail relays (MS Q310356). I’m coming up blank. I would appreciate it if someone could point me in the right direction. :confused:
-
I'm not that familiar with Exchange, but if you're trying to find out about open relays, check www.ordb.org/. They have a FAQ concerning them.
-
Couple Things
First, it looks like the PIX may not be configured correctly; try to Google Cisco on that one. Second, it sounds like an open relay. Have you checked Exchange to make sure you did not change the default setting of allow no relays? How about the virus scanners? The latest MyDoom has its own SMTP; the connection may be from behind the firewall, or some other spam bot or virus on an internal computer behind the firewall. Can you view or see in any interface the inbound and outbound traffic? A netstat -a will usually show that; look there if you lack any other info.
Peace
-
Oh, an afterthought also. By default Exchange gives you the default postmaster mailbox. Well, spammers love that one big time, sort of a rub-it-in-your-face thing. Anyway, disable the account and do an alias for it if you must have it. Or pay Microsoft for Exchange spam blocking; I have no idea what the license on that one costs. Anyway, abuse seems to get less spam than administrator, admin, abuse, but even those see their fair share of spam without a good spam scanner. One reason why I switched from Exchange: this, and the Store, that will at some point take up all disk space on a server no matter how many emails are deleted. Well, that was Exchange 5.5; maybe they fixed that one.
-
Quote:
Originally posted here by Palemoon
Oh, an afterthought also. By default Exchange gives you the default postmaster mailbox. Well, spammers love that one big time, sort of a rub-it-in-your-face thing. Anyway, disable the account and do an alias for it if you must have it.
I would not recommend ditching a postmaster@ address, as it is required by RFC 2821.
Having an abuse@ address is also required by RFC 2142.
Both are a must-have if following RFCs is important to ya.
I have seen domains be email blacklisted for not having them in place.
-
This is a Microsoft product we're talking about, RFCs be damned (j/k). When you have an open relay, and as Palemoon pointed out you have to go out of your way to enable it, you can expect to see 80 to 150 thousand or more messages passing through your server. Is that the kind of volume you're talking about? On some days I get a few hundred caused by viruses on the internet and people that have our email address in their address book. How many are you seeing?
-
OK, so let the state RFC you're in notify me. What Federal law says I must have these addys, ss2cheif? Fact is, all are there, and if the email is legit or not I'll see it.. dah!
-
I'm tired
OK, the postmaster RFC response or email challenge to a spam tag reads something like this.
This is an automated response. Our system has failed to pass your email to the intended person. If you feel this is an error then please contact:
Name: oh, make up a good one... don't use God, they spam God also.
Phone Number: area code- xxx-xxx ext:xxx
No fax number, because it gets unwanted faxes like our email system.
In short: want to make the white list? I get a call, the old way of doing things, to confirm. And even with the phone call, the people that may answer are well versed in this: "This is such and such, I was sending a message to (go through A to Z) and it did not get through." "Ah, HELO, this is such and such from (some outside consulting company), what type of email system are you using?" LOL, sales people have to have it hard, or spammers on cold calls.
Peace
P.S. Am old and found out long ago just cause it was new to me did not mean it was not unknown :)
-
Quote:
Originally posted here by Palemoon
Oh, an afterthought also. By default Exchange gives you the default postmaster mailbox. Well, spammers love that one big time, sort of a rub-it-in-your-face thing. Anyway, disable the account and do an alias for it if you must have it. Or pay Microsoft for Exchange spam blocking; I have no idea what the license on that one costs. Anyway, abuse seems to get less spam than administrator, admin, abuse, but even those see their fair share of spam without a good spam scanner. One reason why I switched from Exchange: this, and the Store, that will at some point take up all disk space on a server no matter how many emails are deleted. Well, that was Exchange 5.5; maybe they fixed that one.
Palemoon- If you want to make the store smaller you have to run an offline defrag. This has been available since Exchange 4. "edbutil" for early Exchange, "eseutil" for current Exchange.
For the original problem: mail relaying is turned off by default in Exchange 2003. Unless you turned on relaying for some reason, you should not be an open relay. You also said you can see your outbound queue growing. This makes it seem to me like you have a huge amount of inbound spam coming into your system, and postmaster is replying out to the other (probably bad) email addresses... You should expect your system to process a high number of NDR attempts because of spam on a daily basis.
If you didn't change the default relaying, I wouldn't be too worried about it.
-
Spamdies: I’ll check out the link.
Tedob1: The volume of messages I’ve not tracked. What I’m seeing are approx. 250-400 NDRs daily.
Palemoon: I’ll look at the PIX again. I didn’t set up the Exchange box, but all the settings seem like the defaults. I just enabled recursive lookups; I only have 80 users, so I figure the server should be able to handle the extra load as long as the mail is legitimate. I can see multiple connections not associated with my domain; many are SMTP, some are not (ports 1025, 43258, 43285, 43572, 43875, 44213, and 44511). That’s an eye opener. :eek:
Mohaughn: What type of volume for NDRs would seem unusual for 80 users?
Thanks everyone. You all have helped me a great deal. :splat:
-
The number of NDRs that your system will send back to other systems does not depend on the number of users on your system. It totally depends on the number of emails that come into your domain that are not addressed to valid recipients... If you are seeing hundreds or just a couple of thousand I wouldn't worry about it. Especially if you have a really common domain name, or if you do a lot of web advertising with your email addresses.
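Added example, not part of any post in this thread: a sketch of how the two explanations discussed above (open relay versus NDRs generated for spam sent to invalid recipients) can be told apart from the envelopes in a queue. The local domain, the internal network range and the sample envelopes are constructed assumptions, not data from the poster's server.

```python
import ipaddress
from collections import Counter

LOCAL_DOMAINS = {"example.com"}                        # assumption: domain this server hosts
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: LAN behind the firewall

# Constructed sample of queued envelopes: (client IP, MAIL FROM, RCPT TO).
# An empty MAIL FROM is the null reverse-path "<>" that NDRs are sent with;
# 192.168.1.10 stands in for the mail server itself.
QUEUE = [
    ("192.168.1.10", "", "x9f3@bulk-mailer.invalid"),
    ("192.168.1.10", "", "promo@no-such-host.invalid"),
    ("192.168.1.10", "", "win@lottery.invalid"),
    ("192.168.1.23", "alice@example.com", "bob@partner.invalid"),
    ("203.0.113.7", "carol@partner.invalid", "alice@example.com"),
]

def domain(addr):
    """Return the lower-cased domain part of an address ('' for the null sender)."""
    return addr.rpartition("@")[2].lower()

def classify(client_ip, mail_from, rcpt_to):
    """Label one envelope as inbound, relayed, ndr or outbound."""
    if domain(rcpt_to) in LOCAL_DOMAINS:
        return "inbound"                       # mail for our own users
    if ipaddress.ip_address(client_ip) not in INTERNAL_NET:
        return "relayed"                       # outside client, outside recipient
    if mail_from == "":
        return "ndr"                           # bounce generated for an outside address
    return "outbound"                          # internal client sending out

def assess(queue):
    """Summarise a queue and say which of the thread's two explanations fits."""
    counts = Counter(classify(*rec) for rec in queue)
    if counts["relayed"]:
        verdict = "open relay"
    elif counts["ndr"] > counts["outbound"]:
        verdict = "ndr backscatter"
    else:
        verdict = "normal"
    return verdict, counts

if __name__ == "__main__":
    print(assess(QUEUE))
```

A queue dominated by null-sender messages to outside addresses matches the NDR explanation; any envelope with both an outside client and an outside recipient means the server accepted mail for relay.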
-
OK, let's see the problem with this statement in the real world, where one does this with an email server:
"Palemoon- If you want to make the store smaller you have to run an offline defrag. This has been available since Exchange 4. "edbutil" for early Exchange, "eseutil" for current Exchange." OK, take a 200 gig array offline to defrag it? Chances are nil to none, at least in the last couple of places I was at. Not saying it does not work, 'cause it does, but business owners bitch and complain and everyone wants their email. It is a good way to fix the problem, but it is not workable in the real world. Servers are not taken offline for days for a defrag, and in the real world sometimes you step into a network where you just have to work with what was left, faults and all, and the owners will not listen to you but believe in M$, and one day the server dies 'cause you never got to defrag, because the people before you, MCSE certs and all, just put more drives in the array until it became too big to even consider a defrag. Hmm, then again, on the last two systems I admined the MCSE seemed more intent upon setting up the next visit than really fixing the problem.
Fact is, the relay was enabled by accident, because MCSE certs mean you earn the right to learn in the real world, as any cert or degree does. An engineer gets out of college and takes his test and then in the AEC world earns the right and pays the dues to make it to the next level; same in IT.
-
Unless you are running a very small and slow hard drive, it would not take days to defrag a 200GB database. I think the slowest I ever saw a database defrag run was something like 45 minutes/GB. Of course, that is when the store is defragging actual data. In the case of what you are talking about, deleting data and the store doesn't shrink. That is called whitespace. When you defrag whitespace, the speed at which the defrag runs increases dramatically. I have seen a 65GB database that had 40GB of whitespace defrag in under 1 hour. On current hardware, say a 2GB/sec fiber SAN with 15k rpm drives, I have seen 30-45GB databases complete in about 1 1/2 hours.
The good thing about Exchange 2000 and higher is that the online defrag process has been improved and whitespace can be recovered for use by the store again. So if you have 5GB of whitespace, the store size will not grow until that 5GB of space is used up. This makes the need for offline defrags less likely. Even better is that you can create multiple databases on the same system, so you can always create a new database, move the users, and then defrag the bloated database. So they have tried to find ways to get around bad management.
Bad management is definitely to blame for a 200GB database though. I'm curious how it was possible to even back that database up several years ago, as tape drives used to be way too slow to handle that amount of data every night. I would never let a database grow over 30-50GB now because of the backup/restore time involved.
-
I believe that my problem has been resolved.
The main issue was with a conflict with my anti-virus software interfering with the IMC and the IS, reference Symantec article # 2004052416452048.
Thanks again for all the support.