Exchange Server Compromise

We are having issues that make me think that my server might be used as a relay for some spammers: some external recipients can't receive the mails that we send to them, my fixed public IP address is listed on 6 major RBLs such as:

cbl.abuseat.org
dnsbl-1.uceprotect.net
ix.dnsbl.manitu.net
sbl-xbl.spamhaus.org
bl.spamcop.net
xbl.spamhaus.org

I have done many things so far to try to secure the server:

++ Fully patched
++ Run Exchange Server Best Practice Analyzer, but nothing outstanding was discovered
++ Made sure that I am not a relay: under Exchange System Manager, Administrative Groups, First Administrative Group, Servers, SERVERNAME, Protocols, SMTP, Default SMTP Virtual Server and right click Properties : On the Access tab then the Relay button, I unchecked everything, and in the Users button only set the Submit permission for the Authenticated users
++ I turned on the SMTP Logging but I am not sure it really helps to understand what's happening...

What can I do then to be sure that my server is safe?
Help greatly appreciated
Nicolas

Nicolas Macarez wrote:
> What can I do then to be sure that my server is safe?

May not be your server. If you have PCs on your network that share the same gateway as your Exchange server, if one of them gets infected with any of a myriad of rootkit bots, then your gateway IP will get tagged for spam, even though your Exchange server is fine. Just something else to consider. I would, at the firewall, create a rule that restricts outbound connections to port 25 to only the IP of your Exchange server. That should prevent such PCs from sending out mail from your network.

Venger

Thanks for the advice.
I'll do that right now.
Regards
Nicolas

"Venger" <ven***@mail.com> wrote in message news: A384m.3458$bq1.3***@nlpi066.nbdc.sbc.com...
> Nicolas Macarez wrote:
>>
>> What can I do then to be sure that my server is safe?
>
> May not be your server. If you have PCs on your network that share the
> same gateway as your Exchange server, if one of them gets infected with
> any of a myriad of rootkit bots, then your gateway IP will get tagged for
> spam, even though your Exchange server is fine. Just something else to
> consider. I would, at the firewall, create a rule that restricts outbound
> connections to port 25 to only the IP of your Exchange server. That should
> prevent such PCs from sending out mail from your network.
>
> Venger

Nicolas Macarez <maca***@free.fr> wrote:
> I have an Exchange Server 2003 with just a few users.
>
> We are having issues that make me think that my server might be used as
> a relay for some spammers: some external recipients can't receive
> the mails that we send to them, my fixed public IP address is listed
> on 6 major RBLs such as:
> cbl.abuseat.org
> dnsbl-1.uceprotect.net
> ix.dnsbl.manitu.net
> sbl-xbl.spamhaus.org
> bl.spamcop.net
> xbl.spamhaus.org
>
> I have done many things so far to try to secure the server:
>
> ++ Fully patched
> ++ Run Exchange Server Best Practice Analyzer, but nothing
> outstanding was discovered
> ++ Made sure that I am not a relay: under Exchange System Manager,
> Administrative Groups, First Administrative Group, Servers,
> SERVERNAME, Protocols, SMTP, Default SMTP Virtual Server and right
> click Properties : On the Access tab then the Relay button, I
> unchecked everything, and in the Users button only set the Submit
> permission for the Authenticated users
> ++ I turned on the SMTP Logging but I am not sure it really helps
> to understand what's happening...
> What can I do then to be sure that my server is safe?
> Help greatly appreciated
> Nicolas

Disable authenticated relay if you don't need it (and you likely don't).
In your perimeter firewall or proxy server, make sure your workstation IP range can access only TCP 80 and 443 outbound.

"Lanwench [MVP - Exchange]"
<lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news: %23RZ7Fbk$JHA.1***@TK2MSFTNGP05.phx.gbl...
> Nicolas Macarez <maca***@free.fr> wrote:
>> I have an Exchange Server 2003 with just a few users.
>>
>> We are having issues that make me think that my server might be used as
>> a relay for some spammers: some external recipients can't receive
>> the mails that we send to them, my fixed public IP address is listed
>> on 6 major RBLs such as:
>> cbl.abuseat.org
>> dnsbl-1.uceprotect.net
>> ix.dnsbl.manitu.net
>> sbl-xbl.spamhaus.org
>> bl.spamcop.net
>> xbl.spamhaus.org
>>
>> I have done many things so far to try to secure the server:
>>
>> ++ Fully patched
>> ++ Run Exchange Server Best Practice Analyzer, but nothing
>> outstanding was discovered
>> ++ Made sure that I am not a relay: under Exchange System Manager,
>> Administrative Groups, First Administrative Group, Servers,
>> SERVERNAME, Protocols, SMTP, Default SMTP Virtual Server and right
>> click Properties : On the Access tab then the Relay button, I
>> unchecked everything, and in the Users button only set the Submit
>> permission for the Authenticated users
>> ++ I turned on the SMTP Logging but I am not sure it really helps
>> to understand what's happening...
>> What can I do then to be sure that my server is safe?
>> Help greatly appreciated
>> Nicolas
>
> Disable authenticated relay if you don't need it (and you likely don't).
> In your perimeter firewall or proxy server, make sure your workstation IP
> range can access only TCP 80 and 443 outbound.
>

Done - thanks a lot.

Regards
Nicolas
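
An added example, not part of the original thread or written by any of its posters: one way to get an answer out of the SMTP log mentioned in the first post is to count, per client IP, the RCPT TO commands the server accepted for domains it does not host. It assumes W3C extended logging with the fields named in the `#Fields` line; the log lines, `LOCAL_DOMAINS`, `LAN` and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

LOCAL_DOMAINS = {"example.test"}              # assumption: domains hosted on this server
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: internal address range

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-07-10 09:00:01 192.168.1.20 pc20 RCPT +TO:<bob@partner.test> 250
2009-07-10 09:02:10 203.0.113.7 mx.sender.test RCPT +TO:<nicolas@example.test> 250
2009-07-10 09:05:00 198.51.100.9 host9 RCPT +TO:<u1@remote-a.test> 250
2009-07-10 09:05:00 198.51.100.9 host9 RCPT +TO:<u2@remote-b.test> 250
2009-07-10 09:05:01 198.51.100.9 host9 RCPT +TO:<u3@remote-c.test> 250
2009-07-10 09:06:00 192.0.2.44 host44 RCPT +TO:<x@other.test> 550
2009-07-10 09:06:30 198.51.100.200 OutboundConnectionCommand RCPT +TO:<bob@partner.test> 0
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def foreign_rcpts(text):
    """Count RCPT TO commands for non-local domains per client IP, accepted vs refused."""
    accepted, refused = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "RCPT":
            continue
        if rec["cs-username"].startswith("OutboundConnection"):
            continue  # assumption: marks the server's own outbound sessions
        address = rec["cs-uri-query"].partition(":")[2].strip("<>")
        if address.rpartition("@")[2].lower() in LOCAL_DOMAINS:
            continue  # ordinary inbound mail for a hosted domain
        (accepted if rec["sc-status"] == "250" else refused)[rec["c-ip"]] += 1
    return accepted, refused

def report(text):
    """Return (client IP, internal/external, accepted count) rows plus refused counts."""
    accepted, refused = foreign_rcpts(text)
    rows = [(ip, "internal" if ipaddress.ip_address(ip) in LAN else "external", n)
            for ip, n in accepted.most_common()]
    return rows, dict(refused)
```

An "external" row means the server accepted mail for relay from outside the LAN. If the log shows only internal rows and refusals, the listing more likely comes from another host behind the same gateway, which is the case the port 25 firewall rule addresses.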