Question : Exchange 2003 used for relaying, sending thousands of messages

Hello Experts,

For a while now I have been trying to figure out why an Exchange 2003 SP2 server is sending thousands of mails to the internet. I am absolutely sure that the server is not configured as an open relay (confirmed using Telnet) and that the mail is not originating from the local network. All AV is up-to-date and a recent scan has been performed. Anti-spam software is not installed on this server.

The sender appears to come from somewhere in Taiwan (IP 124.11.133.16), but it is using many other IP addresses from Taiwan. Also, the mail is addressed mainly to .TW domains. In the code I will paste a copy of the headers from 1 of those mails.

I configured the SMTP service to only allow mail relaying from the 192.168.0.0/24 subnet and even not to relay for authenticated users. How on earth could it then be possible for someone to still use this server to send his mail?

Can anyone tell me how to further diagnose this problem or explain how this could still be possible? If needed I can PM you the IP address of this server so you can test a few things for yourself.

Thanks in advance,

Matthijs
Code Snippet:
Received: from 62.132.xxx.8x ([192.168.0.1]) by xxxxxxx.nl with Microsoft SMTPSVC(6.0.3790.3959);
	 Tue, 9 Jun 2009 21:25:25 +0200
Received: from zailss.yahoo.com (zailss.yahoo.com [238.120.77.0]) by  with SMTP;
	 Sun, 14 Jun 2009 01:21:34 +0600
Message-ID: 
Date: Sun, 14 Jun 2009 01:23:34 +0600
From: "¡»¢i¢i¡´¡´¡»«HÅA²Ä¤@ ºô¸ô­qÁÊ °ªµe½èDVD~¥þ¥x³Ì§C»ù40¤¸!" 
Reply-To: "¡»¡´¡»¡»¡»Fw: ¥þ¥x³Ì¤j¼v­µºô,¨C©P§ó·s,§ó¦³·s¤ù¤j©ñ°e!" 
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: ªL§ÓµY¤º¦ç¼g¯u»P¸`¥Ø¨«¥ú
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--NextParty_un_gh27_p_3x6u1afk5vsdzzq"
Return-Path: [email protected]
X-OriginalArrivalTime: 09 Jun 2009 19:25:26.0194 (UTC) FILETIME=[0A97F120:01C9E938]
 
----NextParty_un_gh27_p_3x6u1afk5vsdzzq
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
 



cwsggyafwri



=B6W=B2r=B7s=A4=F9.=B7m=C2A=A4W=AC= [,DVD=B7P=AE=A6=A6^=F5X=A4j=AFS=BB=F9,=BA=C6=A8g=B7m=C1=CA=A4=A4!!

=A1@

=A2=B1=A2=AF=A4=F9=A5u=ADn=A2=B6=A2=AF= =A2=AF=A4=B8=A1A=B6R=A4G=A6b=B0e=A4@~!!

=A1@

=A8=C8=B8=C7=A9=CA=B7P=A6W=BC=D2=B6W= =B2]=BF=BA=BC=BA=A4H=BAt=A5X =A1B=A4]=A7_=B1=FE=B9D1=B8=A3=A9O=A4=C0=BBX=

----NextParty_un_gh27_p_3x6u1afk5vsdzzq--

Answer : Exchange 2003 used for relaying, sending thousands of messages

Some firewalls make the traffic from outside appear to come from an internal IP address. If you have subnet relaying enabled then Exchange will allow the external traffic to relay. This looks like what is happening here.

For the correct operation of Exchange you do NOT need to have any relay option enabled. If you do need to have relaying enabled on an IP address basis then lock it down to either specific IP addresses or use a second SMTP virtual server that cannot be seen from the outside world.

Simon.
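A small triage script, added here as an illustration and not part of the question or the answer, that applies Simon's explanation to the Received lines quoted above. It reproduces the subnet relay decision and flags the tell-tale signs: the connecting address is the firewall's inside address (assumed here to be 192.168.0.1, the bracketed address in the first Received line) while the HELO is an external address literal, and the second hop carries a source address that cannot be a real client.

```python
import ipaddress
import re

# Constructed sample: the two Received lines from the message quoted in the
# question, joined onto single lines, with the poster's redactions left in place.
SAMPLE_HEADERS = [
    "Received: from 62.132.xxx.8x ([192.168.0.1]) by xxxxxxx.nl "
    "with Microsoft SMTPSVC(6.0.3790.3959); Tue, 9 Jun 2009 21:25:25 +0200",
    "Received: from zailss.yahoo.com (zailss.yahoo.com [238.120.77.0]) by  with SMTP; "
    "Sun, 14 Jun 2009 01:21:34 +0600",
]

RELAY_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # the poster's relay rule
GATEWAY_INSIDE = ipaddress.ip_address("192.168.0.1")   # assumption: firewall's inside address
# "from HELO ([ip])" as Exchange writes it, and "from HELO (name [ip])" as other MTAs do
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)")
# A dotted-quad HELO; 'x' is accepted so the poster's redaction still matches
DOTTED_QUAD_RE = re.compile(r"^[\dx]{1,3}(\.[\dx]{1,3}){3}$")

def parse_received(line):
    """Return (HELO string, connecting address) from a Received line, or None."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return m.group("helo"), ipaddress.ip_address(m.group("ip"))

def relay_allowed(client_ip):
    """The decision the SMTP virtual server makes: relay only if the
    address it sees the connection coming from is inside the allowed subnet."""
    return ipaddress.ip_address(client_ip) in RELAY_SUBNET

def triage(line):
    """Findings for one Received line; an empty list means nothing suspicious."""
    parsed = parse_received(line)
    if parsed is None:
        return ["unparsed Received line"]
    helo, ip = parsed
    findings = []
    if relay_allowed(str(ip)) and ip == GATEWAY_INSIDE:
        findings.append("relay granted to the firewall's inside address: "
                        "source NAT is hiding the real client")
    if DOTTED_QUAD_RE.match(helo) and helo != str(ip):
        findings.append(f"HELO is an address literal ({helo}) that differs "
                        f"from the connecting address ({ip})")
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        findings.append(f"{ip} cannot be a client address: header is forged")
    return findings

def triage_chain(lines):
    """Map each Received line (index 0 = the hop nearest to us) to its findings."""
    return {i: triage(line) for i, line in enumerate(lines)}
```

The fix Simon describes follows from the first finding: once the relay decision is made on a NATted address, the subnet rule is no longer a useful boundary, so disable relaying or move it to a virtual server that the firewall does not forward to.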