IIS SMTP relay spam problem
Web Server forum

    IIS SMTP relay spam problem  
HostMasterX


06-02-06 12:16 AM

I've set up a new Server 2003 x64 Ed. server for IIS Web serving and POP3 and
SMTP e-mail.  I'm using the basic POP3 and SMTP that comes with Server 2003.
I'd been getting e-mail the past few days, but when it came time to send an
e-mail, I noticed it wouldn't work.  I got Non Delivery Reports and did some
searching and found I had to enable Relaying on the SMTP server for my
e-mails to send.  I set it to allow e-mail to go through from my local PC,
which had an internal 192 IP of .64.  I figured with an internal IP, I should
have no problems if I make sure my PC is set at .64.

A week later I notice today when I just happened to go into my event viewer
that I had yellow exclamation points for SMTPSVC at 3 different times today,
saying a message failed to be delivered to some domain in Germany or some IP
address.  (I'm in the U.S.)  Looking through the event, this has only
happened today.  I assume spam was relayed through my server.  I didn't have
SMTP logging turned on until just now.  I decided to remove my PC's IP from
being allowed to relay and just go through my ISP.

So I'd like to know, how this could happen, or how I could enable a safe
relay through my own domain?  I'm not using a Windows Server Domain, just a
simple network with a modem/broadband router/4-port switch device.  My ISP
calls this device 'Enterprise class', but I'm wondering if a real separate
firewall would fix this.





    RE: IIS SMTP relay spam problem  
HostMasterX


06-02-06 06:22 AM

Ok, as an update, it looks like whenever an e-mail cannot be delivered, the
SMTP server sends an NDR e-mail to the recipient as well as leaving a copy of
the message in the badmail folder.  I've gotten a handful of e-mails over the
past month that were dumped in badmail that were intended to be spam, but
they were addressed to nonexistent addresses at my domain.  But it seems, the
e-mail message that was referenced in my event viewer system log was actually
one of those NDR's that was itself unable to be delivered to the spammer
because a made-up account name was used to send it from optinet.de.

I found the NDR message in my c:\Mailroot\Queue folder and just deleted it
to cancel the sending of it.  So I guess that is all that it was and my
server was not compromised to mail out spams.

Personally I'd think if a mail gets sent to an address that doesn't exist,
the mail receipt process should stop and communicate to the mail sender that
no such address exists.  So I guess I may have to kind of routinely weed out
my Queue folder for NDRs for spammers that can't be delivered.  Are these
problems just limitations from using the 'free' IIS POP3 and SMTP instead of
going for the full blown Exchange server?

Any more advice or opinions?






    Re: IIS SMTP relay spam problem  
Al Mulnick


06-03-06 06:14 PM

The point at which a message is deemed to be spam or not is a hotly
contested one between SMTP purists.
To figure out that a message doesn't belong at this host and therefore stop
the transaction and return a hard error to the sending host, you'd have to
look up the recipients at the TO verb.  The other option is to accept the
entire message then look it up in a background thread.  Why? Performance.
Raising the bar for the potential DoS that could result on your directory
and the lookups. Neither method violates any rfc, although the anti-spam rfc
suggests that it would be good to reject the message at the TO verb.

In your case, Microsoft decided to accept the whole message then deal with
disposition after the message was received. If an NDR is needed, that's what
that function is there for and one is sent.

Your best bet is to clean that folder from time to time else invest in an
anti-spam solution of some sort that can give some more control.

Al


"HostMasterX" <HostMasterX@discussions.microsoft.com> wrote in message
news:EFB59A99-54D7-4B04-8FB7-F95B2741155C@microsoft.com...
> Ok, as an update, it looks like whenever an e-mail cannot be delivered, the
> SMTP server sends an NDR e-mail to the recipient as well as leaving a copy of
> the message in the badmail folder.  I've gotten a handful of e-mails over the
> past month that were dumped in badmail that were intended to be spam, but
> they were addressed to nonexistent addresses at my domain.  But it seems, the
> e-mail message that was referenced in my event viewer system log was actually
> one of those NDR's that was itself unable to be delivered to the spammer
> because a made-up account name was used to send it from optinet.de.
>
> I found the NDR message in my c:\Mailroot\Queue folder and just deleted it
> to cancel the sending of it.  So I guess that is all that it was and my
> server was not compromised to mail out spams.
>
> Personally I'd think if a mail gets sent to an address that doesn't exist,
> the mail receipt process should stop and communicate to the mail sender that
> no such address exists.  So I guess I may have to kind of routinely weed out
> my Queue folder for NDRs for spammers that can't be delivered.  Are these
> problems just limitations from using the 'free' IIS POP3 and SMTP instead of
> going for the full blown Exchange server?
>
> Any more advice or opinions?
>







[ Post a follow-up to this message ]
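
The two behaviours contrasted in the reply above (a hard error at the TO verb versus accepting the whole message and sending an NDR afterwards), as an added example that is not part of the original thread and is not IIS code. It is a toy receiver in Python; the domain, mailbox set, addresses and reply texts are constructed for illustration.

```python
# Toy SMTP receiver written for this example; it is not IIS code.
LOCAL_DOMAIN = "example.org"             # assumed local mail domain
MAILBOXES = {"postmaster@example.org"}   # assumed set of real mailboxes

def run_session(commands, validate_at_rcpt):
    """Feed scripted client lines to the receiver; return (replies, ndrs)."""
    replies, ndrs = [], []
    sender, rcpts, body = None, [], None
    for line in commands:
        if body:                              # inside the DATA phase
            if line == ".":
                if body == "store":
                    replies.append("250 Queued")
                    # Lookup happens only now, so failure can only be reported
                    # by mailing an NDR to the unverified envelope sender.
                    # A null sender ("<>") never gets one.
                    ndrs += [{"to": sender, "about": r} for r in rcpts
                             if sender and r not in MAILBOXES]
                body, sender, rcpts = None, None, []
            continue
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        addr = arg.strip().strip("<>").lower()
        if verb == "MAIL FROM":
            sender, rcpts = addr, []
            replies.append("250 Sender OK")
        elif verb == "RCPT TO":
            if not addr.endswith("@" + LOCAL_DOMAIN):
                replies.append("550 Relaying denied")
            elif validate_at_rcpt and addr not in MAILBOXES:
                replies.append("550 No such user")   # hard error at the TO verb
            else:
                rcpts.append(addr)
                replies.append("250 Recipient OK")
        elif verb == "DATA":
            # After a 554 a real client sends no body; "drop" skips the script's.
            body = "store" if rcpts else "drop"
            replies.append("354 Start mail input" if rcpts
                           else "554 No valid recipients")
        else:
            replies.append("221 Bye" if verb == "QUIT" else "250 OK")
    return replies, ndrs

# Constructed session: made-up sender, nonexistent local recipient.
SPAM = ["HELO client.invalid", "MAIL FROM:<made-up@sender.invalid>",
        "RCPT TO:<nobody@example.org>", "DATA", "Subject: x", "", "text", ".", "QUIT"]

if __name__ == "__main__":
    for policy in (False, True):
        replies, ndrs = run_session(SPAM, validate_at_rcpt=policy)
        print("validate_at_rcpt =", policy, replies, "NDRs:", ndrs)
```

With `validate_at_rcpt=False` the session ends in one queued NDR addressed to the made-up sender, which is the undeliverable message described in the thread; with `True` nothing is accepted and nothing is queued.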



    RE: IIS SMTP relay spam problem  
HostMasterX


06-06-06 06:26 AM

Weeeell, I notice that removing the NDR from the Queue folder did not take it
permanently out of the queue!  What I did do today though, is stop the Web
Publishing service, stop the SMTP Service and reboot, and that got it purged.

FYI for anybody in the future.

And thank you Mr. Mulnick for your insightful reply.

"HostMasterX" wrote:

> I found the NDR message in my c:\Mailroot\Queue folder and just deleted it
> to cancel the sending of it.  So I guess that is all that it was and my
> server was not compromised to mail out spams.
>
> Any more advice or opinions?
>





    RE: IIS SMTP relay spam problem  
Shane


06-19-06 10:19 AM

I've been getting the same problem.
In my situation the Domain Controller is smtp server and the badmail folder
was on the systems partition. The whole shebang came to a grinding halt a
couple of days ago.
With a little ferreting I found that my badmail folder was enormous. Right
click properties.....   waited 2.5 hours until I cancelled at which stage it
was over a million files and several gigabytes. Too big to delete with
windows. So I made a new folder Badmail2 and redirected. At DOS prompt
deleted Badmail\*.* which I might add took 12 hours. I then moved the Badmail
folder to its own partition.
I am still being spammed at the rate of between 200 and 4000 an hour. The
badmails are all NDRs.
The original emails usually have no subject or content, although in one set
I appear to have been sent the entire LORD OF THE RINGS in 1K blocks. and the
addresses well arnoldschwezzernagger@........ etc.
I've set the retry interval to 1 - 2 - 3 minutes and  time to live at 3
minutes just to get the queue to a reasonable level and delete the badmail
twice daily.
By the way the server is on the other side of a firewall router with only
ports 25 and 100 open.
Anything else I can do?




"HostMasterX" wrote:
> Weeeell, I notice that removing the NDR from the Queue folder did not take it
> permanently out of the queue!  What I did do today though, is stop the Web
> Publishing service, stop the SMTP Service and reboot, and that got it purged.
>
> FYI for anybody in the future.
>
> And thank you Mr. Mulnick for your insightful reply.
>
> "HostMasterX" wrote:
>





    Re: IIS SMTP relay spam problem  
Al Mulnick


06-21-06 01:06 AM

Investigate an anti-spam solution such as spamassassin or a commercial
product and consider moving your mailer to something other than a DC.
Otherwise, I'd say you may want to up the schedule you use for the badmail
folder or consider just not keeping badmail at all.


"Shane" <Shane@discussions.microsoft.com> wrote in message
news:B157CF03-CFB2-4370-865D-BEBF6A8630ED@microsoft.com...
> I've been getting the same problem.
> In my situation the Domain Controller is smtp server and the badmail folder
> was on the systems partition. The whole shebang came to a grinding halt a
> couple of days ago.
> With a little ferreting I found that my badmail folder was enormous. Right
> click properties.....   waited 2.5 hours until I cancelled at which stage it
> was over a million files and several gigabytes. Too big to delete with
> windows. So I made a new folder Badmail2 and redirected. At DOS prompt
> deleted Badmail\*.* which I might add took 12 hours. I then moved the Badmail
> folder to its own partition.
> I am still being spammed at the rate of between 200 and 4000 an hour. The
> badmails are all NDRs.
> The original emails usually have no subject or content, although in one set
> I appear to have been sent the entire LORD OF THE RINGS in 1K blocks. and the
> addresses well arnoldschwezzernagger@........ etc.
> I've set the retry interval to 1 - 2 - 3 minutes and  time to live at 3
> minutes just to get the queue to a reasonable level and delete the badmail
> twice daily.
> By the way the server is on the other side of a firewall router with only
> ports 25 and 100 open.
> Anything else I can do?
>
> "HostMasterX" wrote:
>






