IIS SMTP relay spam problem



IIS SMTP relay spam problem HostMasterX
6/1/2006 3:58:03 PM
I've set up a new Server 2003 x64 Ed. server for IIS Web serving and POP3 and
SMTP e-mail. I'm using the basic POP3 and SMTP that comes with Server 2003.
I'd been getting e-mail the past few days, but when it came time to send an
e-mail, I noticed it wouldn't work. I got Non Delivery Reports and did some
searching and found I had to enable Relaying on the SMTP server for my
e-mails to send. I set it to allow e-mail to go through from my local PC,
which had an internal 192 IP of .64. I figured with an internal IP, I should
have no problems if I make sure my PC is set at .64.

A week later, I noticed today, when I just happened to go into my event viewer,
that I had yellow exclamation points for SMTPSVC at 3 different times today,
saying a message failed to be delivered to some domain in Germany or some IP
address. (I'm in the U.S.) Looking through the event, this has only
happened today. I assume spam was relayed through my server. I didn't have
SMTP logging turned on until just now. :( I decided to remove my PC's IP from
being allowed to relay and just go through my ISP.

So I'd like to know, how this could happen, or how I could enable a safe
relay through my own domain? I'm not using a Windows Server Domain, just a
simple network with a modem/broadband router/4-port switch device. My ISP
calls this device 'Enterprise class', but I'm wondering if a real separate
RE: IIS SMTP relay spam problem HostMasterX
6/1/2006 8:06:01 PM
Ok, as an update, it looks like whenever an e-mail cannot be delivered, the
SMTP server sends an NDR e-mail to the recipient as well as leaving a copy of
the message in the badmail folder. I've gotten a handful of e-mails over the
past month that were dumped in badmail that were intended to be spam, but
they were addressed to nonexistent addresses at my domain. But it seems, the
e-mail message that was referenced in my event viewer system log was actually
one of those NDRs that was itself unable to be delivered to the spammer
because a made-up account name was used to send it from optinet.de.

I found the NDR message in my c:\Mailroot\Queue folder and just deleted it
to cancel the sending of it. So I guess that is all that it was and my
server was not compromised to mail out spams.

Personally I'd think if a mail gets sent to an address that doesn't exist,
the mail receipt process should stop and communicate to the mail sender that
no such address exists. So I guess I may have to kind of routinely weed out
my Queue folder for NDRs for spammers that can't be delivered. Are these
problems just limitations from using the 'free' IIS POP3 and SMTP instead of
going for the full blown Exchange server?

Any more advice or opinions?
Re: IIS SMTP relay spam problem Al Mulnick
6/3/2006 10:37:59 AM
The point at which a message is deemed to be spam or not is a hotly
contested one between SMTP purists.
To figure out that a message doesn't belong at this host and therefore stop
the transaction and return a hard error to the sending host, you'd have to
look up the recipients at the TO verb. The other option is to accept the
entire message then look it up in a background thread. Why? Performance.
Raising the bar for the potential DoS that could result on your directory
and the lookups. Neither method violates any RFC, although the anti-spam RFC
suggests that it would be good to reject the message at the TO verb.

In your case, Microsoft decided to accept the whole message, then deal with
disposition after the message was received. If an NDR is needed, that's what
that function is there for and one is sent.

Your best bet is to clean that folder from time to time, or else invest in an
anti-spam solution of some sort that can give some more control.

Al
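The two strategies Al describes (reject an unknown recipient at the RCPT TO verb, or accept the whole message and bounce it afterwards) are what produce, or avoid, the NDRs that end up in Badmail. The toy SMTP receiver below is an added example, not code from the thread or from IIS; the host names, addresses and the transcript are constructed. It runs the same forged-sender session through both modes and counts the bounces each one generates.

```python
"""Toy SMTP receiver contrasting reject-at-RCPT with accept-then-bounce.

Added example; the transcript, host names and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def _addr(arg: str) -> str:
    """'FROM:<user@host>' or 'TO:<user@host>' -> 'user@host' (empty for <>)."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


@dataclass
class Session:
    valid_recipients: set
    reject_at_rcpt: bool            # True: 550 at RCPT TO; False: accept then NDR
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    in_data: bool = False
    body: List[str] = field(default_factory=list)
    queued: List[dict] = field(default_factory=list)   # messages for real mailboxes
    ndrs: List[dict] = field(default_factory=list)     # bounces we would send out

    def handle(self, line: str) -> str:
        """Process one client line and return the server reply ('' while in DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._finish_message()
            self.body.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.test"
        if verb == "MAIL":
            self.sender, self.recipients = _addr(arg), []
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            rcpt = _addr(arg)
            if self.reject_at_rcpt and rcpt not in self.valid_recipients:
                return "550 5.1.1 User unknown"      # hard error, no NDR ever needed
            self.recipients.append(rcpt)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT first"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 5.5.2 Command not recognized"

    def _finish_message(self) -> str:
        # Accept-then-check path: recipients are validated only after the body is in,
        # so an unknown mailbox produces a bounce addressed to whatever MAIL FROM said.
        for rcpt in self.recipients:
            if rcpt in self.valid_recipients:
                self.queued.append({"from": self.sender, "to": rcpt, "lines": len(self.body)})
            elif self.sender:   # the null sender <> never gets a bounce
                self.ndrs.append({"from": "postmaster@mx.example.test",
                                  "to": self.sender, "about": rcpt})
        self.body = []
        return "250 2.6.0 Queued"


def run_transcript(lines, valid, reject_at_rcpt):
    """Drive a Session with a client transcript; returns (session, non-empty replies)."""
    s = Session(set(valid), reject_at_rcpt)
    replies, it = [], iter(lines)
    for line in it:
        reply = s.handle(line)
        if reply:
            replies.append(reply)
        if line.upper() == "DATA" and not reply.startswith("354"):
            for skipped in it:          # a well-behaved client skips the body
                if skipped == ".":
                    break
    return s, replies


# Constructed session: forged sender, recipient that does not exist at this host.
VALID = ["postmaster@mx.example.test"]
TRANSCRIPT = [
    "HELO spammer.example.test",
    "MAIL FROM:<madeup@forged-sender.example.test>",
    "RCPT TO:<arnold@mx.example.test>",
    "DATA", "Subject:", "", "lorem ipsum", ".",
    "QUIT",
]

if __name__ == "__main__":
    for mode in (True, False):
        s, r = run_transcript(TRANSCRIPT, VALID, reject_at_rcpt=mode)
        print("reject_at_rcpt=%s replies=%s ndrs=%d" % (mode, r, len(s.ndrs)))
```

In reject mode the 550 ends the transaction and the forged sender never hears from the server; in accept mode the message is queued, found undeliverable, and a bounce to the made-up address is generated, which is exactly the NDR that then fails and lands in Badmail.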



RE: IIS SMTP relay spam problem HostMasterX
6/5/2006 7:16:01 PM
Weeeell, I notice that removing the NDR from the Queue folder did not take it
permanently out of the queue! What I did do today though, is stop the Web
Publishing service, stop the SMTP Service and reboot, and that got it purged.

FYI for anybody in the future.

And thank you Mr. Mulnick for your insightful reply.

RE: IIS SMTP relay spam problem Shane
6/19/2006 3:19:01 AM
I've been getting the same problem.
In my situation the Domain Controller is the SMTP server and the badmail folder
was on the system partition. The whole shebang came to a grinding halt a
couple of days ago.
With a little ferreting I found that my badmail folder was enormous. Right
click properties..... waited 2.5 hours until I cancelled, at which stage it
was over a million files and several gigabytes. Too big to delete with
Windows. So I made a new folder Badmail2 and redirected. At a DOS prompt I
deleted Badmail\*.*, which I might add took 12 hours. I then moved the Badmail
folder to its own partition.
I am still being spammed at the rate of between 200 and 4000 an hour. The
badmails are all NDRs.
The original emails usually have no subject or content, although in one set
I appear to have been sent the entire LORD OF THE RINGS in 1K blocks, and the
addresses, well, arnoldschwezzernagger@........ etc.
I've set the retry interval to 1 - 2 - 3 minutes and time to live at 3
minutes just to get the queue to a reasonable level, and delete the badmail
twice daily.
By the way, the server is on the other side of a firewall router with only
ports 25 and 100 open.
Anything else I can do?




Re: IIS SMTP relay spam problem Al Mulnick
6/20/2006 9:06:38 PM
Investigate an anti-spam solution such as spamassassin or a commercial
product and consider moving your mailer to something other than a DC.
Otherwise, I'd say you may want to up the schedule you use for the badmail
folder or consider just not keeping badmail at all.
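Shane's folder grew to over a million files, which Explorer could not even enumerate, and Al's advice is to purge it on a tighter schedule. The script below is an added example of that housekeeping, not a tool from the thread or from IIS: it streams the directory with os.scandir instead of listing it into memory, deletes only entries older than a cut-off, and reports what it did. The folder it works on is a constructed temporary fixture; the .BAD extension for the sample files is assumed, and the function accepts any file in the folder regardless of extension.

```python
"""Age-based purge of a Badmail-style folder, with a constructed fixture.

Added example; paths, file names and ages are constructed, not taken from IIS.
"""
import os
import tempfile
import time


def purge_badmail(folder, max_age_hours, now=None, dry_run=False):
    """Delete regular files in `folder` whose mtime is older than max_age_hours.

    Streams the directory entry by entry, so a folder with a million files is
    never materialised as one list. Returns counts and bytes freed; with
    dry_run=True nothing is removed but the counts show what would be.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    deleted = kept = freed = 0
    with os.scandir(folder) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue                      # skip subfolders and links
            st = entry.stat(follow_symlinks=False)
            if st.st_mtime < cutoff:
                if not dry_run:
                    os.remove(entry.path)
                deleted += 1
                freed += st.st_size
            else:
                kept += 1
    return {"deleted": deleted, "kept": kept, "bytes_freed": freed}


def count_files(folder):
    """Number of regular files in `folder`, streamed the same way."""
    with os.scandir(folder) as it:
        return sum(1 for e in it if e.is_file(follow_symlinks=False))


def make_sample_badmail(count_old, count_new, age_hours=48):
    """Constructed fixture: a temp folder of fake bounce files, some back-dated."""
    folder = tempfile.mkdtemp(prefix="badmail-")
    now = time.time()
    old = now - age_hours * 3600
    for i in range(count_old + count_new):
        path = os.path.join(folder, "%08d.BAD" % i)       # extension assumed
        with open(path, "w") as f:
            f.write("From: postmaster@mx.example.test\r\n"
                    "Subject: Delivery failure\r\n\r\n")
        if i < count_old:
            os.utime(path, (old, old))                    # back-date the mtime
    return folder


if __name__ == "__main__":
    folder = make_sample_badmail(count_old=5, count_new=3)
    print("dry run:", purge_badmail(folder, max_age_hours=12, dry_run=True))
    print("purge:  ", purge_badmail(folder, max_age_hours=12))
    print("remaining:", count_files(folder))
```

Run it as a scheduled task against the real folder with a short max_age_hours and dry_run=True first; the returned counts double as a crude arrival-rate monitor, since everything "kept" arrived inside the window.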

