Help, I've been hijacked! :-(
I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've got it set up with about ten or twenty user accounts in three different domains. Authentication is done with the encrypted password file method. The SMTP server is configured to allow relay for authenticated users only.

I installed a server level virus package this weekend and noticed today that the system was pulled to its knees by something (quad Xeon P3s with a bit more than a gig of ram). On checking, I find that there are something like 26,000 messages queued up for transmit and my System logfile is full. I'm thinking the bogged down portion of my problem is just the virus scanner doing its job of checking all these messages for viruses. The fact that there are so many messages to check, however, is a different problem.

Anyone have ideas on how I was hijacked to relay all this SPAM? And, more importantly, how to fix it? For now, I've just disconnected the router, but that makes it a little tough for legitimate users to do their thing... (When I just shut the SMTP and POP3 services down, I was still seeing way too many incoming message requests on my sniffer.)

Bill

a) Allowing authenticated users to relay means that someone can attempt to guess a password - are you sure all your users have "good" passwords?

b) Are you sure the spam is 3rd party spam (ie it's not spam addressed to one of your users - I would doubt that if it was 28,000 messages...)

c) What do you mean "hijacked"? Do you mean that someone compromised your server and changed the settings to allow 3rd party relay?

d) In IIS Manager, right-click on "default SMTP virtual server". On the "Access" tab click the "Relay" button. What do you have listed in the "computer" section? And is the radio button set to "Only the list below" or "All except the list below"?

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> I'm running the POP3/SMTP package that comes with Windows 2003 Server.
> I've got it set up with about ten or twenty user accounts in three
> different domains. Authentication is done with the encrypted password
> file method. The SMTP server is configured to allow relay for
> authenticated users only. I installed a server level virus package this
> weekend and noticed today that the system was pulled to its knees by
> something (quad Xeon P3s with a bit more than a gig of ram). On checking,
> I find that there are something like 26,000 messages queued up for
> transmit and my System logfile is full. I'm thinking the bogged down
> portion of my problem is just the virus scanner doing its job of checking
> all these messages for viruses. The fact that there are so many messages
> to check, however, is a different problem. Anyone have ideas on how I was
> hijacked to relay all this SPAM? And, more importantly, how to fix it?
> For now, I've just disconnected the router, but that makes it a little
> tough for legitimate users to do their thing... (When I just shut the SMTP
> and POP3 services down, I was still seeing way too many incoming message
> requests on my sniffer.)
>
> Bill

Thanks for the response Ken.

a) All the users have reasonably good passwords, ie., ones that won't be found with a simple dictionary lookup scheme. I don't know that all users are using unique passwords on my system though, and it'd be feasible for someone to have been careless with their password elsewhere.

b) It's all (or at least the messages I went through) 3rd party SPAM. Sent from some server in Korea, routed to email users who read one of the Asian languages (I can't read it, and don't easily recognize the difference between Chinese, Korean or Japanese text).

c) I don't know if someone has compromised my server, or if I missed a step when setting it up originally... I'd guess the second choice is more likely. :-(

d) Nothing is listed in the computer section. Radio button is set to 'All except the list below'. 'Allow all computers which successfully authenticate to relay' box is checked.

Here's an example header (filename is NTFS_ffdb994a01c49d4b0000942b.EML (7.20 KB).msg.msg):

From: <aalou@°í°´´Ô>
To: <aalou@weppy.com>
Subject: aalou °í°´´Ô...Á¦24ȸ ±Ý»êÀλïÃàÁ¦±â³ä ¼³¹® À̺¥Æ®~~@
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary= "----=_NextPart_000_00F6_CA6F584E.59CA2DE7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path: bbbb@65.183.221.249
Message-ID: <SERVERNEVJpjc0D543T0000238a@server>
X-OriginalArrivalTime: 18 Sep 2004 06:52:01.0421 (UTC) FILETIME=[FFE03BD0:01C49D4B]
Date: 17 Sep 2004 23:52:01 -0700

Is there a way I can check to see how the message got through to my system? I'm assuming it was authenticated, and therefore there should be some way to tell me which user's info was used...

Best regards,
Bill Seymour

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:%2389QiIrnEHA.324@TK2MSFTNGP11.phx.gbl...
> a) Allowing authenticated users to relay means that someone can attempt to
> guess a password - are you sure all your users have "good" passwords?
>
> b) Are you sure the spam is 3rd party spam (ie it's not spam addressed to
> one of your users - I would doubt that if it was 28,000 messages...)
>
> c) What do you mean "hijacked"? Do you mean that someone compromised your
> server and changed the settings to allow 3rd party relay?
>
> d) In IIS Manager, right-click on "default SMTP virtual server". On the
> "Access" tab click the "Relay" button. What do you have listed in the
> "computer" section? And is the radio button set to "Only the list below"
> or "All except the list below"?
>
> Cheers
> Ken

Hi Peter, there is a Guest account (as expected) and it is disabled (also as expected). Should I delete it entirely, or is having the guest account disabled not enough by itself?

Bill

"Peter Karsai" <peter.karsai@enternet.hu> wrote in message news:eMTpVm0nEHA.1160@tk2msftngp13.phx.gbl...
> Hello Bill,
>
> Make sure that you do not have the Guest account enabled (see
> www.vamsoft.com/orf/authattack.asp).
>
> Peter

OK, I changed that checkbox and I don't seem to be getting new messages into the queue, but then they might have been coming in bursts, so I won't know for sure for a day or so. The problem is that now the legitimate users also can't send or receive email. Perhaps the authentication process is set wrong...

Bill

"m.marien" <mm AT RiverCityCanada DOT com> wrote in message news:10kuuomacsc9l44@corp.supernews.com...
>
> That lets everybody relay. It doesn't matter if they authenticate or not.
> I think you want to change this to:
>
> Only the list below
>
> This will stop all relaying. The exception then is if they can
> authenticate, then they can relay. You might also want to make sure the
> Anonymous access is unchecked.

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:OGQEVI1nEHA.2684@TK2MSFTNGP11.phx.gbl...
> Thanks for the response Ken.
>
> a) All the users have reasonably good passwords, ie., ones that won't be
> found with a simple dictionary lookup scheme. I don't know that all users
> are using unique passwords on my system though, and it'd be feasible for
> someone to have been careless with their password elsewhere.
>
> b) It's all (or at least the messages I went through) 3rd party SPAM.
> Sent from some server in Korea, routed to email users who read one of the
> Asian languages (I can't read it, and don't easily recognize the difference
> between Chinese, Korean or Japanese text).
>
> c) I don't know if someone has compromised my server, or if I missed a
> step when setting it up originally... I'd guess the second choice is more
> likely. :-(
>
> d) Nothing is listed in the computer section. Radio button is set to
> 'All except the list below'. 'Allow all computers which successfully
> authenticate to relay' box is checked.

That lets everybody relay. It doesn't matter if they authenticate or not. I think you want to change this to:

Only the list below

This will stop all relaying. The exception then is if they can authenticate, then they can relay. You might also want to make sure the Anonymous access is unchecked.

[snip the rest]

Thanks again Ken.

a) I've been working my way through the documentation for a long time now, but I'm sorry to say that I'm still too much in the dark. :-(

b) The users are all out there on the internet. I'm not able to use IP addresses, since most have dynamic addresses, and they often connect through different computers (ie., from work and from home). I'm set up for encrypted password file authentication, since I understand that using Windows authentication requires that I set up a Windows account for each user, rather than just an account for the POP3/SMTP server. I haven't enabled TLS, I'd like to get things at least working again before I complicate things. Right now, no one is able to authenticate, so no one can send or receive email... Does the encrypted password file stuff work?

C) Thanks, I placed an order. It's liable to be a week or so before it arrives though...

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:eQasbN4nEHA.2340@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> a) Reading the documentation is a good start. It covers a lot of
> information, and gives you a good background on what you need to do (eg
> what clients you can use) for authentication purposes
>
> b) Are your users on an internal trusted LAN? or are they roaming out on
> the internet? If they are on the trusted LAN, add your LAN's IP
> addresses/subnets to the "only the list below" in the dialogue. If they
> are roaming out on the internet you will need to:
> - select an authentication mechanism. IIS supports Basic and Integrated
> Windows Authentication (this is actually NTLM v2 authentication)
> - ensure that the users have a compatible email client. Only Microsoft
> email clients (eg Outlook Express and Outlook), and maybe a handful of 3rd
> party clients support NTLM v2 authentication. The rest only support Basic.
> If you are using Basic auth, then the user's username/password is passed
> in clear-text across the internet *unless* you enable TLS (Transport Layer
> Security). TLS is basically the same as SSL (that websites use), and
> encrypts the traffic between the server and client. If you already have a
> certificate for your website, then you can reuse that for your SMTP server
> (if the DNS names are the same).
>
> c) <shameless plug> There's a whole chapter on securing MS SMTP server and
> MS POP3 server in the IIS6 security book that I co-wrote:
> http://www.amazon.com/exec/obidos/ASIN/1931836256/adopenstati0f-20 If you
> want to get up-to-speed on IIS6 security quickly, then this might be a
> worthwhile investment</shameless plug>
>
> Cheers
> Ken

Hello Bill,

Make sure that you do not have the Guest account enabled (see www.vamsoft.com/orf/authattack.asp).

Peter

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> I'm running the POP3/SMTP package that comes with Windows 2003 Server.
> I've got it set up with about ten or twenty user accounts in three
> different domains. Authentication is done with the encrypted password
> file method. The SMTP server is configured to allow relay for
> authenticated users only. I installed a server level virus package this
> weekend and noticed today that the system was pulled to its knees by
> something (quad Xeon P3s with a bit more than a gig of ram). On checking,
> I find that there are something like 26,000 messages queued up for
> transmit and my System logfile is full. I'm thinking the bogged down
> portion of my problem is just the virus scanner doing its job of checking
> all these messages for viruses. The fact that there are so many messages
> to check, however, is a different problem. Anyone have ideas on how I was
> hijacked to relay all this SPAM? And, more importantly, how to fix it?
> For now, I've just disconnected the router, but that makes it a little
> tough for legitimate users to do their thing... (When I just shut the SMTP
> and POP3 services down, I was still seeing way too many incoming message
> requests on my sniffer.)
>
> Bill

Hi Bill,

It is enough to disable the Guest account, but you should also check other accounts with common names. In one particular case the hijacked user name was "test" (no password configured), it took maybe 15 minutes for the spammers to discover the account and start relaying spam via the server.

If you suspect that there is authenticated relaying, you may want to monitor the authenticated session usage. You can do that easily with ORF ( http://www.vamsoft.com/orf -- yes, it's a shameless self-plug :), because it logs the authenticated user by default (the 30-day trial will also log that, no need to buy if you don't want).

Peter

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:u590T21nEHA.1712@tk2msftngp13.phx.gbl...
> Hi Peter, there is a Guest account (as expected) and it is disabled (also as
> expected). Should I delete it entirely, or is having the guest account
> disabled not enough by itself?
>
> Bill

But if I have two users ('user@domain1.com' & 'user@domain2.com') who have the same username, how can I set up Windows accounts for them? I'm running three different domains right now, and anticipate wanting to support email for more in the future. I've never tried to create a Windows account for a fully qualified name, I just assumed that wasn't possible...

Bill

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:e46EVk6nEHA.3460@tk2msftngp13.phx.gbl...
> OK, the "encrypted file" thing - that's for the POP3 server *only* (as far
> as I remember - I'll look into this for you). It's not something that
> users can use to authenticate to the SMTP service to relay mail. To use
> the "allow computers who authenticate to relay" option (again, as far as I
> can remember - I could be wrong here), the user will need a Windows
> account, and use that username/password to authenticate to the SMTP
> server. If you enable Basic Auth here, then you should consider using TLS
> to ensure that the credentials are encrypted between user and server.
>
> Cheers
> Ken

The guest account should be disabled, and in any case it's not the source of your spam.

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:u590T21nEHA.1712@tk2msftngp13.phx.gbl...
> Hi Peter, there is a Guest account (as expected) and it is disabled (also
> as expected). Should I delete it entirely, or is having the guest account
> disabled not enough by itself?
>
> Bill

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:OGQEVI1nEHA.2684@TK2MSFTNGP11.phx.gbl...
> d) Nothing is listed in the computer section. Radio button is set to
> 'All except the list below'. 'Allow all computers which successfully
> authenticate to relay' box is checked.

This is the reason you are getting the spam. You are allowing anyone to relay through your server.

Change the checkbox to "only the list below". Add any trusted IP addresses (eg IP subnets on your internal LAN)

Cheers
Ken

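
Added example, not part of the thread: one way to confirm from the SMTP service's own log which clients were relaying, by counting accepted RCPT commands for non-local domains per client IP. It assumes W3C Extended logging with the c-ip, cs-method, cs-uri-query and sc-status fields enabled; the log lines, addresses and LOCAL_DOMAINS values below are constructed placeholders.

```python
import re
from collections import defaultdict

# Hypothetical: the domains this server accepts mail for (replace with your own).
LOCAL_DOMAINS = {"domain1.example", "domain2.example"}

# Constructed sample in W3C Extended format; not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2004-09-18 06:51:58 203.0.113.7 relay.example.test SMTPSVC1 EHLO +relay.example.test 250
2004-09-18 06:51:58 203.0.113.7 relay.example.test SMTPSVC1 MAIL +FROM:<bulk@example.test> 250
2004-09-18 06:51:59 203.0.113.7 relay.example.test SMTPSVC1 RCPT +TO:<a1@example.net> 250
2004-09-18 06:51:59 203.0.113.7 relay.example.test SMTPSVC1 RCPT +TO:<a2@example.net> 250
2004-09-18 06:52:00 203.0.113.7 relay.example.test SMTPSVC1 RCPT +TO:<b1@example.org> 250
2004-09-18 06:52:00 203.0.113.7 relay.example.test SMTPSVC1 RCPT +TO:<b2@example.org> 250
2004-09-18 07:03:11 198.51.100.20 mx.example.net SMTPSVC1 MAIL +FROM:<friend@example.net> 250
2004-09-18 07:03:12 198.51.100.20 mx.example.net SMTPSVC1 RCPT +TO:<User@DOMAIN1.EXAMPLE> 250
2004-09-18 07:10:04 198.51.100.33 probe.example.test SMTPSVC1 RCPT +TO:<x@example.org> 550
2004-09-18 07:10:05 198.51.100.33 RCPT
"""

# Address inside the <...> of a MAIL FROM / RCPT TO argument.
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>\s]+)>")


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields: directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt entries
                yield dict(zip(fields, values))


def relay_report(text, local_domains):
    """Per client IP, count accepted recipients as local delivery or relay."""
    local = {d.lower() for d in local_domains}
    report = defaultdict(lambda: {"local": 0, "relayed": 0, "domains": set()})
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() != "RCPT":
            continue
        if entry.get("sc-status") != "250":
            continue  # recipient was refused, e.g. 550 when relay is denied
        match = ADDR_RE.search(entry.get("cs-uri-query", ""))
        if not match:
            continue
        domain = match.group(2).lower()
        row = report[entry.get("c-ip", "unknown")]
        if domain in local:
            row["local"] += 1
        else:
            row["relayed"] += 1
            row["domains"].add(domain)
    return dict(report)


def suspects(report, threshold=3):
    """Client IPs with at least `threshold` relayed recipients, busiest first."""
    hits = [(ip, row["relayed"]) for ip, row in report.items()
            if row["relayed"] >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, count in suspects(relay_report(SAMPLE_LOG, LOCAL_DOMAINS)):
        print(f"{ip} relayed {count} recipients")
```

A user who authenticates legitimately and sends outbound mail is also counted as relayed, so a high count from one address is a prompt to investigate rather than proof of abuse.
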
Hi,

a) Reading the documentation is a good start. It covers a lot of information, and gives you a good background on what you need to do (eg what clients you can use) for authentication purposes

b) Are your users on an internal trusted LAN? or are they roaming out on the internet? If they are on the trusted LAN, add your LAN's IP addresses/subnets to the "only the list below" in the dialogue. If they are roaming out on the internet you will need to:
- select an authentication mechanism. IIS supports Basic and Integrated Windows Authentication (this is actually NTLM v2 authentication)
- ensure that the users have a compatible email client. Only Microsoft email clients (eg Outlook Express and Outlook), and maybe a handful of 3rd party clients support NTLM v2 authentication. The rest only support Basic. If you are using Basic auth, then the user's username/password is passed in clear-text across the internet *unless* you enable TLS (Transport Layer Security). TLS is basically the same as SSL (that websites use), and encrypts the traffic between the server and client. If you already have a certificate for your website, then you can reuse that for your SMTP server (if the DNS names are the same).

c) <shameless plug> There's a whole chapter on securing MS SMTP server and MS POP3 server in the IIS6 security book that I co-wrote: http://www.amazon.com/exec/obidos/ASIN/1931836256/adopenstati0f-20 If you want to get up-to-speed on IIS6 security quickly, then this might be a worthwhile investment</shameless plug>

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:u3XJRa3nEHA.1712@tk2msftngp13.phx.gbl...
> OK, I changed that checkbox and I don't seem to be getting new messages
> into the queue, but then they might have been coming in bursts, so I won't
> know for sure for a day or so. The problem is that now the legitimate
> users also can't send or receive email. Perhaps the authentication
> process is set wrong...
>
> Bill

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:u3aR$m4nEHA.4032@TK2MSFTNGP15.phx.gbl...
> Thanks again Ken.
>
> a) I've been working my way through the documentation for a long time now,
> but I'm sorry to say that I'm still too much in the dark. :-(

That's OK - it'll start to make sense over time as you actually play with stuff. Too many people don't even have an idea of what they're doing at all because they don't read the instructions

> b) I'm set up for encrypted password file authentication, since I
> understand that using Windows authentication requires that I set up a
> Windows account for each user, rather than just an account for the
> POP3/SMTP server. I haven't enabled TLS, I'd like to get things at least
> working again before I complicate things. Right now, no one is able to
> authenticate, so no one can send or receive email... Does the encrypted
> password file stuff work?

OK, the "encrypted file" thing - that's for the POP3 server *only* (as far as I remember - I'll look into this for you). It's not something that users can use to authenticate to the SMTP service to relay mail. To use the "allow computers who authenticate to relay" option (again, as far as I can remember - I could be wrong here), the user will need a Windows account, and use that username/password to authenticate to the SMTP server. If you enable Basic Auth here, then you should consider using TLS to ensure that the credentials are encrypted between user and server.

Cheers
Ken

> C) Thanks, I placed an order. It's liable to be a week or so before it
> arrives though...

Hi,

Personally I would recommend using a 3rd party mail server :-) www.mailenable.com is pretty well featured (even the free version), and I've found it rock solid.

However, if you want to continue using the Windows 2003 SMTP/POP3 server then:

a) you can (usually) create any arbitrary Windows account you want. However, as you point out, you can't create them both as "user".

b) In the user's email client there are usually places to enter both a username/password to collect mail (POP3) -and- a separate place to specify user account settings to authenticate to send mail (SMTP). My ISP has a single username/password that all users use to send mail, but we each have a separate username/password to collect our individual mail (I don't know if that's the most secure way of setting things up though!). So, usernames to send mail are not tied to the user's mailbox name per se.

To see this, have a look in Outlook Express. Go to the properties of your mail account. On the "servers" tab, there is an option to enter your mailbox name + password. There is also a checkbox for "my outgoing mailserver requires authentication". You can select that, and enter alternate credentials to be used for sending mail.

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:%235eM0v$nEHA.324@TK2MSFTNGP11.phx.gbl...
> But if I have two users ('user@domain1.com' & 'user@domain2.com') who have
> the same username, how can I set up Windows accounts for them? I'm running
> three different domains right now, and anticipate wanting to support email
> for more in the future. I've never tried to create a Windows account for
> a fully qualified name, I just assumed that wasn't possible...
>
> Bill

You need a decent AntiSPAM Solution which is able

- to reject SPAM
- to reject everything with non existing recipients
- check SPF
- reject NDR's (not RFC compliant - but helps a lot)

You could check www.aloaha.com or www.vamsoft.org

FH

"Bill Seymour" <billsey@dsl-only.net> wrote in message news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> I'm running the POP3/SMTP package that comes with Windows 2003 Server.
> I've got it set up with about ten or twenty user accounts in three
> different domains. Authentication is done with the encrypted password
> file method. The SMTP server is configured to allow relay for
> authenticated users only. I installed a server level virus package this
> weekend and noticed today that the system was pulled to its knees by
> something (quad Xeon P3s with a bit more than a gig of ram). On checking,
> I find that there are something like 26,000 messages queued up for
> transmit and my System logfile is full. I'm thinking the bogged down
> portion of my problem is just the virus scanner doing its job of checking
> all these messages for viruses. The fact that there are so many messages
> to check, however, is a different problem. Anyone have ideas on how I was
> hijacked to relay all this SPAM? And, more importantly, how to fix it?
> For now, I've just disconnected the router, but that makes it a little
> tough for legitimate users to do their thing... (When I just shut the SMTP
> and POP3 services down, I was still seeing way too many incoming message
> requests on my sniffer.)
>
> Bill

Hi Frank,

Just a little fix, our site URL is http://www.vamsoft.com/orf :)

BTW I agree with Ken, the relaying issue should be fixed in the server/domain configuration.

Peter

"Frank Hellmann" <frank.hellmann@aloaha.com> wrote in message news:OhvkDyboEHA.648@tk2msftngp13.phx.gbl...
> You need a decent AntiSPAM Solution which is able
>
> - to reject SPAM
> - to reject everything with non existing recipients
> - check SPF
> - reject NDR's (not RFC compliant - but helps a lot)
>
> You could check www.aloaha.com or www.vamsoft.org
>
> FH
>
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> > I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
> > got it setup with about ten or twenty user accounts in three different
> > domains. Authentication is done with the encrypted password file method.
> > The SMTP server is configured to allow relay for authenticated users only.
> > I installed a server level virus package this weekend and noticed today that
> > the system was pulled to it's knees by something (quad Xeon P3s with a bit
> > more than a gig of ram). On checking, I find that there are something like
> > 26,000 messages queued up for transmit and my System logfile is full. I'm
> > thinking the bogged down portion of my problem is just the virus scanner
> > doing it's job of checking all these messages for viruses. The fact that
> > there are so many messages to check, however, is a different problem.
> > Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
> > importantly, how to fix it? For now, I've just disconnected the router, but
> > that makes it a little tough for legitimate users to do their thing...
> > (When I just shut the SMTP and POP3 services down, I was still seeing way
> > too many incoming message requests on my sniffer.)
> >
> > Bill
> >
> >
>
>
Uh, do you even read the thread? He's being used as a 3rd party relay (ie an open relay)...

Cheers
Ken

"Frank Hellmann" <frank.hellmann@aloaha.com> wrote in message news:OhvkDyboEHA.648@tk2msftngp13.phx.gbl...
> You need a decent AntiSPAM Solution which is able
>
> - to reject SPAM
> - to reject everything with non existing recipients
> - check SPF
> - reject NDR's (not RFC compliant - but helps a lot)
>
> You could check www.aloaha.com or www.vamsoft.org
>
> FH
>
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
>> I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
>> got it setup with about ten or twenty user accounts in three different
>> domains. Authentication is done with the encrypted password file method.
>> The SMTP server is configured to allow relay for authenticated users only.
>> I installed a server level virus package this weekend and noticed today that
>> the system was pulled to it's knees by something (quad Xeon P3s with a bit
>> more than a gig of ram). On checking, I find that there are something like
>> 26,000 messages queued up for transmit and my System logfile is full. I'm
>> thinking the bogged down portion of my problem is just the virus scanner
>> doing it's job of checking all these messages for viruses. The fact that
>> there are so many messages to check, however, is a different problem.
>> Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
>> importantly, how to fix it? For now, I've just disconnected the router, but
>> that makes it a little tough for legitimate users to do their thing...
>> (When I just shut the SMTP and POP3 services down, I was still seeing way
>> too many incoming message requests on my sniffer.)
>>
>> Bill
>>
>>
>
>
I found a similar problem, not quite 26,000 messages though. I found a very good solution. Instead of my server checking every message for viruses and spam (yes, I still have an anti-virus solution running on my server), I outsourced it to emailsifter (www.emailsifter.com), a service of ipop.com. You route all of your mail through emailsifter's servers so that they do all of the virus checking and spam filtering before a message ever hits your network. After checking the messages, clean mail is then routed to your in-house mail server and distributed to the appropriate mailboxes.

What I found was that a lot of spammers were not using the DNS MX records to send mail to my users. They were sending mail directly to my users through my mail server, no matter what the MX records were. If the user did not exist, it was just filling up the badmail queue and the drop queue to send a bounce message back to the non-existent spammer.

I then set up an IPsec policy that only allowed incoming mail connections from the subnets of the 3 emailsifter data centers. This guarantees that all incoming email is filtered using the emailsifter servers (which all genuine mail should be coming through) since my MX records point to emailsifter's data centers and not my in-house server.

Travis Lingenfelder

"Bill Seymour" wrote:
> I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
> got it setup with about ten or twenty user accounts in three different
> domains. Authentication is done with the encrypted password file method.
> The SMTP server is configured to allow relay for authenticated users only.
> I installed a server level virus package this weekend and noticed today that
> the system was pulled to it's knees by something (quad Xeon P3s with a bit
> more than a gig of ram). On checking, I find that there are something like
> 26,000 messages queued up for transmit and my System logfile is full. I'm
> thinking the bogged down portion of my problem is just the virus scanner
> doing it's job of checking all these messages for viruses. The fact that
> there are so many messages to check, however, is a different problem.
> Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
> importantly, how to fix it? For now, I've just disconnected the router, but
> that makes it a little tough for legitimate users to do their thing...
> (When I just shut the SMTP and POP3 services down, I was still seeing way
> too many incoming message requests on my sniffer.)
>
> Bill
>
>
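To confirm that a source-address restriction like the one Travis describes is holding, the SMTP log can be audited for deliveries that arrive from outside the permitted subnets. The Python below is an added example, not part of the original post: the subnets are RFC 5737 placeholders, and the log lines and their field set are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder ranges (RFC 5737 documentation space) standing in
# for the filtering provider's three data-centre subnets.
ALLOWED_SUBNETS = [ipaddress.ip_network(n) for n in
                   ("192.0.2.0/26", "198.51.100.0/26", "203.0.113.0/26")]

# Constructed sample in W3C extended log format; the field set is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-09-27 10:00:01 192.0.2.10 EHLO +mx1.filter.example 250
2004-09-27 10:00:02 192.0.2.10 MAIL +FROM:<alice@example.org> 250
2004-09-27 10:00:02 192.0.2.10 RCPT +TO:<bill@example.com> 250
2004-09-27 10:01:11 192.0.2.200 HELO +unknown.example 250
2004-09-27 10:01:12 192.0.2.200 RCPT +TO:<nosuchuser@example.com> 250
2004-09-27 10:01:13 192.0.2.200 RCPT +TO:<sales@example.com> 250
2004-09-27 10:02:40 203.0.113.77 RCPT +TO:<info@example.com> 250
2004-09-27 10:03:05 198.51.100.20 RCPT +TO:<bill@example.com> 250
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def is_allowed(ip_text):
    """True only if the address parses and falls inside an allowed subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SUBNETS)

def direct_senders(text):
    """Count RCPT commands per source address outside the allowed subnets."""
    hits = Counter()
    for rec in parse_w3c(text):
        src = rec.get("c-ip", "")
        if rec.get("cs-method", "").upper() == "RCPT" and not is_allowed(src):
            hits[src or "unknown"] += 1
    return hits

if __name__ == "__main__":
    for src, count in direct_senders(SAMPLE_LOG).most_common():
        print(f"{src}: {count} RCPT command(s) from outside the allowed subnets")
```

Any address this reports after the restriction is in place means the filter is not applied to that path, or that the allowed list does not match the provider's current ranges.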
Hello, I've been following this thread since the beginning, I found it very helpful, thanks everyone.

I found a very interesting post from Ken (9/22/04):
"Personally I would recommend using a 3rd party mail server :-) www.mailenable.com is pretty well featured (even the free version), and I've found it rock solid."

I have a computer running three different servers: web (Fastream NFServer), mail (MDaemon), and FTP (Serv-U). They all run without any problem. A few days ago I installed Win2k3 enterprise edition (trial) because the current webserver from Fastream does not support .asp. I wanted to use .asp ONLY for a simple "mail form", nothing fancy. In the first few hours of playing around, I managed to run the IIS web server without any problem. The POP3/SMTP server is different. I decided to keep my current mailserver and use only the IIS webserver.

From a short playing around, I still could not send the mail form, perhaps I need to tweak the .asp file or something. I did disable my current mailserver and enable the IIS SMTP virtual server.

Anyway, now the question: Is it possible to run both the IIS webserver and a 3rd party mail server together, and still use the .asp for sending the "mail form"? How do I set them up? I understand that the SMTP virtual server is needed to send the asp script form, so I should not disable it, right? But the problem is, my current mailserver already occupies port 25. Will it work if I change the SMTP virtual server to a different port, say 26? Or is there any way that the asp mail form will be sent through the 3rd party mail server instead of IIS?

Second question: I have a Linksys router, do I also need to open port 26 in my router setup? I wanted to minimize open ports.

Thanks in advance for any response.
Hi,

I have used IIS Webserver (and ASP) with 3rd party mailserver.

HOWEVER

You will see a lot of CDONTS code on the web. CDONTS doesn't use TCP sockets to send mail. Instead it creates a text file and drops it into the "drop" folder of the MS SMTP server. So, to use CDONTS code you must be running MS SMTP server (you can run this on port 26 if you want).

Otherwise, if you use any component that does sockets based sending (eg JMail from www.dimac.net) or CDOSYS (you should also have that on your IIS box), then you can have the server set to "localhost" and port 25, and you can use any 3rd party mailserver. Just make sure the relay settings are set correctly so that localhost can relay.

Cheers
Ken

"zevia" <zevia@discussions.microsoft.com> wrote in message news:6371F638-87FF-4626-B089-F39CC2C1821C@microsoft.com...
> Hello, I've been following this thread since the beginning, I found it very
> helpful, thanks everyone.
>
> I found very interesting post from Ken (9/22/04):
> "Personally I would recommend using a 3rd party mail server :-)
> www.mailenable.com is pretty well featured (even the free version), and I've
> found it rock solid."
>
> I have a computer running three different servers: web (Fastream NFServer),
> mail (MDaemon), and FTP (Serv-U). They all run without any problem. Few days
> ago I installed Win2k3 enterprise edition (trial) because current webserver
> from Fastream doesnot support .asp. I wanted to use .asp ONLY for simple
> "mail form", nothing fancy. First few hours of playing around, I manage to
> run the IIS web server without any problem. The POP3/SMTP server is
> different. I decided to keep mycurrent mailserver and use only the IIS
> webserver.
>
> From a short playing around, I still could not send the mail form, perhaps I
> need to tweak the .asp file or something. I did disable my current mailserver
> and enable IIS SMTP virtual server.
>
> Anyway, now the question: Is it possible to run both IIS webserver and 3rd
> party mail server together, and still use the .asp for sending "mail form"?
> How do I set them up? I understand that the SMTP virtual server is needed to
> send the asp script form, so I should not disable it, right? But the problem
> is, my current mailserver already occupied port 25. Will it work if I change
> the SMTP virtual server to different port, say 26? Or is there anyway that
> the asp mail form will be send through 3rd party mail server instead of IIS?
>
> Second question: I have a linksys router, do I need also to open port 26 in
> my router setu? I wanted to minimize open ports.
>
> Thanks in advance for any respond.
>
This thread has been a huge help to me, setting up SMTP relay. I have found that when using "Secure Password file Integration" for POP3, the easiest way to allow users to relay through SMTP is to set up a Windows account that is used solely for this purpose, this seems to work fine.. but I was wondering how the 3rd party mail server from www.mailenable.com solves the problem of