Open relay settings on Exchange server 3

Status
Not open for further replies.

bdoub1eu

IS-IT--Management
Dec 10, 2003
440
US
I know there have been a few postings on open relay already so forgive me if this is redundant...Right now, the only setting on Internet Mail Service is: Reroute incoming SMTP mail and there are 5 of our domain names we use for email...and then on routing restrictions, we have checked on the option for: hosts and clients with these ip addresses and in the box below this option, there are no ip addresses listed. Is this the best method to prevent against open relay?

I have been getting undeliverable messages sent back to our administrator account because apparently someone is sending emails on behalf of our domain name. When these emails are not deliverable, a message is sent back to the user which doesn't exist on our domain and therefore the admin mailbox receives the undeliverable email...Sounds more like spoofing than relaying, but wanted to make sure...

So my question is:
1. Are my routing options selected correctly?
2. How do I prevent someone from sending emails on behalf of our domain name?

Thanks so much for your help! This is a great site and I really appreciate your time in answering my questions!!
 
That will stop the relays but you will also effectively disable any Pop3 access (they won't be able to send to anyone outside your domains).

I need pop3 for a few people so I use the "Allow for hosts and clients that successfully authenticate".

Either will stop the relays but you are already on the blacklist if some sites are rejecting you. Go to http:\\ to get your server removed.
 
We don't really need POP3 for any of our users so should I leave the "allow for hosts and clients that successfully authenticate" unchecked?

Also, any idea how to stop other spammers from sending email on behalf of our domain name if they aren't using us as a relay? I can see us being blacklisted if we don't figure this out...thanks in advance!
 
You can't do anything about someone sending an email with your domain listed as the sender but that's not what gets you blacklisted.

You get blacklisted when spammers can actually use your server to relay messages (header shows your server's IP) which you have stopped.

If you don't need POP3 your current setup is fine (you can also test your server for open relay at ordb.org)
 
So there's no way to stop someone from sending an email to someone else with our domain name? Seems like that would get us blacklisted as well because the receiver doesn't know if someone else is sending it or not...it just looks like someone from our company really sent it.

 
No can do. If you look at the commands issued to send an email during an SMTP session you will see that you can put in whatever address you want as a from address.

Everyone has this vulnerability so no one can black list based on it.
 
Can you explain that a little further? How would someone send an email on behalf of our domain name? One of our managers received an undeliverable email from an email from his email address that he never sent...

Basically someone sent an email using his email address and the recipient was wrong so he received the undeliverable message. How can I explain this to him? Thanks!
 
I'll try. Here is an example of an SMTP session. You can open one up to any internet mail server via telnet to port 25.

All it takes to send a message after you connect is :

helo
250 OK
mail from: fred@nowhere.com
250 OK - mail from <fred@nowhere.com>
rcpt to: any-valid-recipient@this-servers-domain.com
250 OK - Recipient <rdroske@frontrunnernetworks.com>
data
354 Send data. End with CRLF.CRLF
message goes here

.
250 OK

The receiving server has no way to verify that this is really coming from fred@nowhere.com so it doesn't even try. If the recipient is valid the mail gets delivered to it.

What happened to your manager (same thing happened to my VP) is that someone who had his email address in their address book got a virus. The virus very easily opened up a connection to some mail server (as above) and attempted to send an email to someone else in that person's email list using your manager's address as the from address (to make it more likely that the receiver would open it).

In the case you found out about, the To address turned out to be no longer valid but it is very likely that some people whose valid addresses were in that list got emails from the virus purporting to be from your manager.
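
Added example, not part of the original thread: a Python sketch that reads the headers of a returned message and tells the two cases discussed above apart, a message that really passed through your server (a Received line shows its IP) versus one where only the From address names your domain. The IP addresses, domains and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_IPS = {"192.0.2.25"}        # assumption: public IP of our mail server
OUR_DOMAINS = {"example.com"}   # assumption: a domain we receive mail for
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: an infected PC sends straight to the recipient's server.
FORGED = """\
Received: from pc.example.net ([198.51.100.7]) by mx.example.org; Mon, 15 Dec 2003 10:00:00 -0500
From: manager@example.com
To: old-address@example.org
Subject: hello

message goes here
"""

# Constructed sample: the mail was handed to our server first, which passed it on.
RELAYED = """\
Received: from mail.example.com ([192.0.2.25]) by mx.example.org; Mon, 15 Dec 2003 10:00:05 -0500
Received: from unknown ([203.0.113.9]) by mail.example.com; Mon, 15 Dec 2003 10:00:00 -0500
From: offers@example.net
To: someone@example.org
Subject: hello

message goes here
"""

def received_ips(msg):
    """Bracketed IPs from the Received headers, newest hop first."""
    return [ip for hop in msg.get_all("Received", []) for ip in IP_RE.findall(hop)]

def classify_returned_message(raw, our_ips=OUR_IPS, our_domains=OUR_DOMAINS):
    """Tell a relay through our server apart from a forged From address."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if any(ip in our_ips for ip in received_ips(msg)):
        return "relayed-through-us"   # our server handled it: check relay settings
    if from_domain in our_domains:
        return "forged-sender"        # only the From line names us
    return "unrelated"

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("RELAYED", RELAYED)):
        print(name, "->", classify_returned_message(raw))
```

Only the Received lines added by servers you trust are reliable; anything below them can be written by the sender.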

 
Thanks rdroske!

That makes perfect sense...Thanks for your help!!!

 
So there's basically nothing we can do about it? How do you tell your managers/users that other people can send mail on behalf of them?
 
Not too much you can tell them except everyone has the same problem and there is currently no solution.

I showed the VP a Google search on SPAM forged addresses, lots of hits on Congressional committees etc and one page about the Org that is trying to fix it (official looking page that confirmed no solution).

You could also use the SMTP method above to send them an email that appears to come from BillGates@Microsoft.com
or GBush@WhiteHouse.org I suppose....
 
Thank you rdroske for explaining this.
This is not my thread but I have the same configuration in the routing tab as bdoub1eu and I just noticed today that there are a few outbound emails that the originator did not originate from our domain. We have a few outbound <> but I'm more worried about the outbound emails that actually have an email address that is not from our domain. Making changes in the routing tab, is this the only relay settings we can add to the Exchange server without purchasing any third party software?
 
If you have outbound messages with a foreign domain then you are an open relay. After you make the changes go to to test and remove your server.

The ones with the <> are not a relay problem, I still get a few of those also and never have found out where they come from exactly.

Anyone?
 
The <> messages are Non-Delivery Replies your Exchange server sends out for messages that weren't deliverable to your address. Some people try to relay thru your server and if your server is set so it can't relay, it sends a NDR message back to the sender. This isn't a good idea because they now know about your server and keep trying. What I want to know is how to stop sending NDR's altogether, but nothing seems to work. I've been thru all the threads and FAQs here as well as M$ with no luck.
 
Thanks HD101, that's been bugging me for a long time.

I'm not sure I would want to stop sending all NDR's, I'll have to think about that one. But if I find a way to stop sending them for relay attempts I would definitely do it (I do see the same addresses over and over). I'll post here if I find anything.
 
Hey, that star should have gone to HD101 and I tried again and it still won't go there????
 
Found it, popup was hidden but why do all of my posts keep getting them now, I'm not doing that....honest....
 
I have the same settings as bdoub1eu

>the only setting on Internet Mail Service is: Reroute incoming SMTP mail and there are 5 of our domain names we use for email...and then on routing restrictions, we have checked on the option for: hosts and clients with these ip addresses and in the box below this option, there are no ip addresses listed.

Are there any other settings that I can make?
 
If you have clients that connect using Pop3 you need to change the second one to Hosts and clients that successfully authenticate.

I don't use the Only these IPs so I can't say for sure that that one works (it should) but you can test your server at
There are no other settings related to relay except what are on those two pages.
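
Added example, not part of the original thread and not Exchange's own logic: a simplified Python model of the routing restrictions discussed above (relay only for listed IP addresses, optionally for clients that authenticate), plus the outbound check described earlier in the thread, where a foreign originator points to relaying and <> marks an NDR. The domain, addresses, function names and log entries are assumptions constructed for illustration.

```python
import ipaddress

LOCAL_DOMAINS = {"example.com"}   # assumption: domains rerouted as inbound mail

def domain_of(addr):
    """Domain part of an address; empty string for the null sender <>."""
    return addr.strip("<>").rpartition("@")[2].lower()

def relay_decision(client_ip, authenticated, rcpt,
                   allowed_nets=(), allow_authenticated=False):
    """Decide what happens to one RCPT TO under the modelled restrictions."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return "deliver-inbound"          # mail for us is always accepted
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in allowed_nets):
        return "relay"                    # client is on the IP list
    if allow_authenticated and authenticated:
        return "relay"                    # e.g. a POP3 user who logged in
    return "reject"                       # everyone else: no relaying

def audit_outbound(entries):
    """Label (originator, recipient) pairs that leave for non-local domains."""
    findings = []
    for sender, rcpt in entries:
        if domain_of(rcpt) in LOCAL_DOMAINS:
            continue                      # not outbound
        if sender == "<>":
            label = "ndr"                 # null sender: a non-delivery report
        elif domain_of(sender) in LOCAL_DOMAINS:
            label = "ours"
        else:
            label = "relayed"             # foreign originator, foreign recipient
        findings.append((sender, rcpt, label))
    return findings

# Constructed outbound queue entries.
OUTBOUND = [
    ("user@example.com", "partner@example.net"),
    ("<>", "bounce-target@example.net"),
    ("offers@spam.invalid", "victim@example.net"),
]

if __name__ == "__main__":
    for row in audit_outbound(OUTBOUND):
        print(row)
```

With an empty IP list and authentication not allowed, the model rejects an authenticated POP3 user's outside mail as well, which is the side effect mentioned in the first reply.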
 
Thank you for such a quick response and the info :)
 