I don't think your spam problem has anything to do with weak SMTP AUTH
credentials. As you have written, you are using ISA, which could log that
traffic. I think what you see is normal behavior of the MS SMTP. You may
want to have a look at this KB article:
http://support.microsoft.com/default.aspx?scid=kb;[LN];304897
The problem lies within the generated NDR, which normally has the original
spam message attached. All the spammers now have to do is fill in their
desired recipient in the SMTP FROM envelope and your server will happily
send their message via the NDR. This could be thought of as some form of "NDR
relay technique".
Thilo
-----Original Message-----
From: Tom Burns [mailto:tburns@torcausa.com]
Sent: Tuesday, 11 November 2003 16:59
To: focus-ms@securityfocus.com
Subject: EXCHANGE SMTP HOLE?
It's using Exchange 2000.
The ONLY relay that is passing is <emailaddress@mailserver.com>
<<< 220 torca1.torca.biz Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Tue, 11 Nov 2003 09:09:22 -0500
>>>> HELO staff.iinet.net.au
<<< 250 torca1.torca.biz Hello [203.59.3.83]
To: thomas@lazurs.com
From: spamtest@localhost
>>>> MAIL FROM:<spamtest@localhost>
<<< 250 2.1.0 spamtest@localhost....Sender OK
>>>> RCPT TO:<thomas@lazurs.com>
<<< 550 5.7.1 Unable to relay for thomas@lazurs.com
To: thomas@lazurs.com
From: spamtest
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<spamtest>
<<< 250 2.1.0 spamtest@TorcaUSA.com....Sender OK
>>>> RCPT TO:<thomas@lazurs.com>
<<< 550 5.7.1 Unable to relay for thomas@lazurs.com
To: thomas@lazurs.com
From:
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<>
<<< 250 2.1.0 <>....Sender OK
>>>> RCPT TO:<thomas@lazurs.com>
<<< 550 5.7.1 Unable to relay for thomas@lazurs.com
To: thomas@lazurs.com
From: spamtest@mail1.torcausa.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<spamtest@mail1.torcausa.com>
<<< 250 2.1.0 spamtest@mail1.torcausa.com....Sender OK
>>>> RCPT TO:<thomas@lazurs.com>
<<< 550 5.7.1 Unable to relay for thomas@lazurs.com
To: thomas@lazurs.com
From: spamtest@[65.203.79.50]
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<spamtest@[65.203.79.50]>
<<< 250 2.1.0 spamtest@[65.203.79.50]....Sender OK
>>>> RCPT TO:<thomas@lazurs.com>
<<< 550 5.7.1 Unable to relay for thomas@lazurs.com
To: thomas%lazurs.com@mail1.torcausa.com
From: spamtest@mail1.torcausa.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<spamtest@mail1.torcausa.com>
<<< 250 2.1.0 spamtest@mail1.torcausa.com....Sender OK
>>>> RCPT TO:<thomas%lazurs.com@mail1.torcausa.com>
<<< 550 5.7.1 Unable to relay for thomas%lazurs.com@mail1.torcausa.com
To: thomas%lazurs.com@[65.203.79.50]
From: spamtest@mail1.torcausa.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<spamtest@mail1.torcausa.com>
<<< 250 2.1.0 spamtest@mail1.torcausa.com....Sender OK
>>>> RCPT TO:<thomas%lazurs.com@[65.203.79.50]>
<<< 550 5.7.1 Unable to relay for thomas%lazurs.com@[65.203.79.50]
To: "thomas@lazurs.com"
From: spamtest@mail1.torcausa.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<spamtest@mail1.torcausa.com>
<<< 250 2.1.0 spamtest@mail1.torcausa.com....Sender OK
>>>> RCPT TO:<"thomas@lazurs.com">
<<< 250 2.1.5 "thomas@lazurs.com"@TorcaUSA.com
>>>> DATA
<<< 354 Start mail input; end with <CRLF>.<CRLF>
>>>> MESSAGE
<<< 250 2.6.0 Queued mail for delivery
SUCCESS
Relay Accepted - final response code 250
If you don't receive it then it's not a relay (It's still a Bad Thing (TM)
that it accepted)
Check your email
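The relay test pasted above is easier to audit when each RCPT TO is paired with the reply the server gave it and the addressing trick it used (plain address, user%domain source routing, an IP literal, or a quoted local part that hides a complete address). The script below is an added example written for this thread, not the tool Tom ran and not anything from the thread; it reads the same ">>>> client / <<< server" layout, and the transcript it parses is a constructed sample with made-up hostnames and addresses, shaped like the one in the post.

```python
import re

# Constructed sample transcript (made-up hosts and addresses), laid out like the
# relay-test output quoted in the thread: ">>>>" is the client, "<<<" the server.
SAMPLE = """\
<<< 220 mail.example.test Microsoft ESMTP MAIL Service ready
>>>> HELO probe.example.net
<<< 250 mail.example.test Hello [192.0.2.10]
>>>> MAIL FROM:<probe@localhost>
<<< 250 2.1.0 probe@localhost....Sender OK
>>>> RCPT TO:<victim@other.example>
<<< 550 5.7.1 Unable to relay for victim@other.example
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<probe@mail.example.test>
<<< 250 2.1.0 probe@mail.example.test....Sender OK
>>>> RCPT TO:<victim%other.example@mail.example.test>
<<< 550 5.7.1 Unable to relay for victim%other.example@mail.example.test
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<probe@[192.0.2.10]>
<<< 250 2.1.0 probe@[192.0.2.10]....Sender OK
>>>> RCPT TO:<victim%other.example@[192.0.2.10]>
<<< 550 5.7.1 Unable to relay for victim%other.example@[192.0.2.10]
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:<probe@mail.example.test>
<<< 250 2.1.0 probe@mail.example.test....Sender OK
>>>> RCPT TO:<"victim@other.example">
<<< 250 2.1.5 "victim@other.example"@mail.example.test
>>>> DATA
<<< 354 Start mail input; end with <CRLF>.<CRLF>
>>>> MESSAGE
<<< 250 2.6.0 Queued mail for delivery
"""

CLIENT = re.compile(r"^>{3,}\s*(.*)$")
SERVER = re.compile(r"^<{3,}\s*(\d{3})[ -](.*)$")
MAILFROM = re.compile(r"^MAIL FROM:\s*<(.*)>$", re.IGNORECASE)
RCPT = re.compile(r"^RCPT TO:\s*<(.*)>$", re.IGNORECASE)


def classify_address(addr: str) -> str:
    """Name the addressing form of a recipient, so odd forms stand out in a report."""
    if addr.startswith('"') and "@" in addr.strip('"'):
        return "quoted-local-part"   # "user@elsewhere": the local part is itself a full address
    if "%" in addr.split("@", 1)[0]:
        return "percent-hack"        # user%elsewhere@local: old-style source routing
    if re.search(r"@\[[0-9.]+\]$", addr):
        return "ip-literal"          # user@[a.b.c.d]
    return "plain"


def analyze_transcript(text: str) -> list:
    """Pair every RCPT TO with the next server reply and record whether it was accepted."""
    results = []
    sender = None
    pending = None  # recipient whose reply has not been seen yet
    for line in text.splitlines():
        m = CLIENT.match(line)
        if m:
            cmd = m.group(1).strip()
            mf = MAILFROM.match(cmd)
            if mf:
                sender = mf.group(1)
            rc = RCPT.match(cmd)
            if rc:
                pending = rc.group(1)
            continue
        m = SERVER.match(line)
        if m and pending is not None:
            code = int(m.group(1))
            results.append({
                "sender": sender,
                "rcpt": pending,
                "form": classify_address(pending),
                "code": code,
                "accepted": 200 <= code < 300,
            })
            pending = None  # later replies (e.g. "250 Resetting") belong to no recipient
    return results


def accepted_relay_probes(text: str) -> list:
    """Recipients the server accepted even though they used a relay-style address form."""
    return [r for r in analyze_transcript(text) if r["accepted"] and r["form"] != "plain"]


if __name__ == "__main__":
    for r in analyze_transcript(SAMPLE):
        status = "ACCEPTED" if r["accepted"] else "rejected"
        print(f'{status:8} {r["code"]} {r["form"]:18} {r["rcpt"]}')
```

Run against a real test log, the last line of the report is the one to act on: an accepted recipient of the quoted-local-part form. Whether the server really forwards it to the embedded address, or just queues it and later bounces it, is what the "check your email" step in the thread is for; either outcome means the server accepted mail it should have refused at RCPT time.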
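Thilo's point about the NDR is a policy question rather than a relay bug: a server that accepts any recipient in its own domain at RCPT TO and only discovers the missing mailbox afterwards must bounce, and the bounce goes to whatever was put in MAIL FROM, original message attached. The simulation below is an added example for this thread, not Exchange's code and not anything from the KB article; the domain, user directory, addresses and message text are constructed. It contrasts that accept-then-bounce behaviour with recipient validation at RCPT time, the mitigation that stops the NDR from ever being generated.

```python
from dataclasses import dataclass, field

# Constructed local domain and user directory for the simulation.
LOCAL_DOMAIN = "example.test"
KNOWN_USERS = {"alice", "bob"}


@dataclass
class Outbound:
    """A message the server will send on to another domain (here: only NDRs)."""
    envelope_from: str
    envelope_to: str
    body: str


@dataclass
class Server:
    # True:  look the recipient up during RCPT TO and answer 550 for unknown users.
    # False: accept any recipient in the local domain, find out later that the
    #        mailbox does not exist, and generate an NDR to the envelope sender.
    validate_at_rcpt: bool
    mailboxes: dict = field(default_factory=dict)
    outbound: list = field(default_factory=list)

    @staticmethod
    def split(addr: str):
        # rpartition keeps a quoted local part such as "user@elsewhere" intact, so
        # "user@elsewhere"@example.test is, correctly, a local-domain address.
        local, _, domain = addr.rpartition("@")
        return local, domain.lower()

    def rcpt_to(self, addr: str) -> int:
        local, domain = self.split(addr)
        if domain != LOCAL_DOMAIN:
            return 550  # relaying for foreign domains is refused, as in the thread
        if self.validate_at_rcpt and local not in KNOWN_USERS:
            return 550  # unknown user refused before any message data is accepted
        return 250

    def submit(self, mail_from: str, rcpt: str, body: str) -> int:
        """One transaction (MAIL FROM, RCPT TO, DATA). Returns the RCPT TO reply code."""
        code = self.rcpt_to(rcpt)
        if code != 250:
            return code
        local, _ = self.split(rcpt)
        if local in KNOWN_USERS:
            self.mailboxes.setdefault(local, []).append(body)
        elif mail_from:
            # Accepted but undeliverable: the server itself now sends a bounce to
            # whoever was named in MAIL FROM, carrying the original message.
            ndr = f"Undeliverable: {rcpt}\n\n--- original message ---\n{body}"
            self.outbound.append(Outbound("<>", mail_from, ndr))
        # A null sender (<>) gets no NDR in either mode (RFC 5321, section 4.5.5).
        return 250


def run_scenario(validate_at_rcpt: bool):
    """Same three transactions against both policies; returns (RCPT code, server)."""
    srv = Server(validate_at_rcpt)
    # Forged sender, non-existent local recipient: the case Thilo describes.
    code = srv.submit("target@victim.example", "nosuchuser@example.test", "SPAM BODY")
    # Null sender to the same bad recipient: never produces a bounce.
    srv.submit("", "nosuchuser@example.test", "SPAM BODY")
    # Legitimate mail to a real user is delivered under both policies.
    srv.submit("friend@elsewhere.example", "alice@example.test", "hello")
    return code, srv


if __name__ == "__main__":
    for mode in (False, True):
        code, srv = run_scenario(mode)
        label = "validate at RCPT" if mode else "accept then bounce"
        print(f"{label:18}: RCPT reply {code}, NDRs sent to {[m.envelope_to for m in srv.outbound]}")
```

With `validate_at_rcpt=False` the forged transaction is answered 250 and an NDR carrying "SPAM BODY" leaves the server addressed to the forged sender; with `validate_at_rcpt=True` the same transaction is refused with 550 and nothing is queued, while delivery to a real mailbox is unchanged. Recipient lookup at RCPT time is therefore the setting to check, independently of relay restrictions, which the thread shows were already in place.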