Exchange 2003 sending out spam - authenticated relay

  • Question

  • Hi,

    My Exchange 2003 server is sending out spam via authenticated relay. How do I stop this? We have an Exchange 2003 and an Exchange 2007 server.

    I have followed this Microsoft KB article to see which account is sending out authenticated relayed emails.

    http://support.microsoft.com/kb/895853

    This is what I got in the log after enabling 'MSExchange Transport -> Authentication logging' on Exchange 2003

    Event Type: Information
    Event Source: MSExchangeTransport
    Event Category: Authentication
    Event ID: 1708
    Date:  7/10/2012
    Time:  9:30:02 AM
    User:  N/A
    Computer: ex03svr
    Description:
    SMTP Authentication was performed successfully with client "ex07svr.mydomain.local".  The authentication method was "GSSAPI" and the username was "MYDOMAIN\ex07svr$".

    Is Exchange 2007 using Exchange 2003 to send out authenticated spam emails? How do I stop this? What is 'GSSAPI' authentication? Which account is "MYDOMAIN\ex07svr$"?

    Thanks


    • Edited by kungpow112 Tuesday, July 10, 2012 4:46 PM
    Tuesday, July 10, 2012 4:44 PM

All replies

  • On Tue, 10 Jul 2012 16:44:28 +0000, kungpow112 wrote:
     
    >My Exchange 2003 server is sending out spam via authenticated relay. How do I stop this? We have an Exchange 2003 and an Exchange 2007 server.
    >
    >I have followed this Microsoft KB article to see which account is sending out authenticated relayed emails.
    >
    >http://support.microsoft.com/kb/895853
    >
    >This is what I got in the log after enabling 'MSExchange Transport -> Authentication logging' on Exchange 2003
    >
    >Event Type: Information
    >Event Source: MSExchangeTransport
    >Event Category: Authentication
    >Event ID: 1708
    >Date: 7/10/2012
    >Time: 9:30:02 AM
    >User: N/A
    >Computer: ex03svr
    >Description:
    >SMTP Authentication was performed successfully with client "ex07svr.mydomain.local". The authentication method was "GSSAPI" and the username was "MYDOMAIN\ex07svr$".
    >
    >Is Exchange 2007 using Exchange 2003 to send out authenticated spam emails?
     
    Do you have a Send Connector in Exchange 2007? If not then 2007 is
    just routing the messages to your SMTP Connector (which probably has
    an address space of "*").
     
    >How do I stop this?
     
    You need to find the source that's using the Exchange 2007 server.
     
    >What is 'GSSAPI' authentication?
     
    Kerberos.
     
    >Which account is "MYDOMAIN\ex07svr$" ? Thanks
     
    Probably the Exchange 2007 server's computer account.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, July 11, 2012 12:52 AM
  • Is Exchange 2007 using Exchange 2003 to send out authenticated spam emails?
    Do you have a Send Connector in Exchange 2007? If not then 2007 is
    just routing the messages to your SMTP Connector (which probably has
    an address space of "*").
    >How do I stop this?
    You need to find the source that's using the Exchange 2007 server.

    I have a Send Connector in Exchange 2007 so for external email addresses, they go out the ex07 send connector. I think Exchange 2007 is also using another connector to route messages between ex03 and ex07 mailboxes thus the 'GSSAPI' authentication.

    On Exchange 2003, after enabling logging for 'MSExchange Transport -> Authentication', I just check Event Viewer for EventID 1708 for any authenticated relaying.

    How do I check for authenticated relaying on Exchange 2007?

    Thanks


    • Edited by kungpow112 Wednesday, July 11, 2012 4:28 PM
    Wednesday, July 11, 2012 4:24 PM
  • On Wed, 11 Jul 2012 16:24:35 +0000, kungpow112 wrote:
     
    >Is Exchange 2007 using Exchange 2003 to send out authenticated spam emails?
    >Do you have a Send Connector in Exchange 2007? If not then 2007 is just routing the messages to your SMTP Connector (which probably has an address space of "*").
    >>How do I stop this?
    >You need to find the source that's using the Exchange 2007 server.
    >
    >I have a Send Connector in Exchange 2007 so for external email addresses, they go out the ex07 send connector. I think Exchange 2007 is also using another connector to route messages between ex03 and ex07 mailboxes thus the 'GSSAPI' authentication.
     
    Yes, it is. The Routing Group Connector. What address space values do
    you have in your SMTP Connector(s)? And what's the "Cost" assigned to
    your RGC? The only thing you want the RGC to be used for is sending
    and receiving e-mail to/from the "other" Exchange routing group. IOW,
    only to/from mailboxes in your own organization.
     
    >On Exchange 2003, after enabling logging for 'MSExchange Transport -> Authentication', I just check Event Viewer for EventID 1708 for any authenticated relaying.
    >
    >How do I check for authenticated relaying on Exchange 2007?
     
    Unless you've changed the defaults on the Receive Connector(s), Exchange
    2007 isn't going to allow anonymous relay. It'll only accept mail to
    the domains in the "Accepted Domains" list.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Zi Feng Wednesday, July 18, 2012 1:58 AM
    Wednesday, July 11, 2012 9:32 PM
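
Added example, not part of the thread and not Microsoft's code: a PowerShell script that tallies Event ID 1708 descriptions by username, client and authentication method, and marks computer accounts (names ending in `$`) so that server-to-server Kerberos logons like the one quoted in the question can be told apart from user logons. It assumes the description wording shown in the question and Windows PowerShell 2.0 or later; `host1.example.net` and `MYDOMAIN\jsmith` are constructed sample values.

```powershell
# Constructed sample: Description text of Event ID 1708 entries.
# The first is the event quoted in the thread; the other two are invented.
$descriptions = @(
    'SMTP Authentication was performed successfully with client "ex07svr.mydomain.local".  The authentication method was "GSSAPI" and the username was "MYDOMAIN\ex07svr$".',
    'SMTP Authentication was performed successfully with client "host1.example.net".  The authentication method was "LOGIN" and the username was "MYDOMAIN\jsmith".',
    'SMTP Authentication was performed successfully with client "host1.example.net".  The authentication method was "LOGIN" and the username was "MYDOMAIN\jsmith".'
)

# On the Exchange 2003 server, read the real entries instead:
# $descriptions = Get-EventLog -LogName Application |
#     Where-Object { $_.Source -eq 'MSExchangeTransport' -and $_.EventID -eq 1708 } |
#     ForEach-Object { $_.Message }

$pattern = 'with client "(?<client>[^"]*)"\.\s+The authentication method was ' +
           '"(?<method>[^"]*)" and the username was "(?<user>[^"]*)"'

$logons = foreach ($text in $descriptions) {
    if ($text -match $pattern) {
        New-Object PSObject -Property @{
            User     = $Matches['user']
            Client   = $Matches['client']
            Method   = $Matches['method']
            # Active Directory computer account names end in "$"
            Computer = $Matches['user'].EndsWith('$')
        }
    } else {
        Write-Warning "Unrecognized 1708 description: $text"
    }
}

# One row per (user, client, method); user accounts first, busiest first.
$logons | Group-Object User, Client, Method | ForEach-Object {
    $first = $_.Group[0]
    New-Object PSObject -Property @{
        Count = $_.Count; User = $first.User; Client = $first.Client
        Method = $first.Method; Computer = $first.Computer
    }
} | Sort-Object Computer, @{ Expression = 'Count'; Descending = $true } |
    Format-Table Count, User, Client, Method, Computer -AutoSize
```

Rows with `Computer` set to `False` are user-account logons; the `Client` column on those rows shows which host submitted the mail.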