I have a W2k3 server set up with SMTP/POP on it and I seem to be having a
problem with closing the SMTP service down as an open relay....

The thing is, I have got the SMTP service to only allow relaying for
authenticated users although, I do have anonymous access turned on to allow
the incoming mail to my POP accounts...

However.... Looking through my logs after an ORDB test is showing that some
of the mails that it attempted to send were accepted and sure enough, there
is a whole bunch of mails in my DROP folder that will never go anywhere
because the addresses are just so wrong but the SMTP service accepted even
though it should have either denied relay or bounced as being invalid
addresses for the POP service.... Anyhow, here is an example of the log.....

Server names and domains have been altered to protect the innocent!

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-04-10 00:00:53
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-04-10 00:03:57 212.242.88.2 EHLO - +localhost.localdomain 250
2004-04-10 00:03:57 212.242.88.2 MAIL - +FROM:<spamtest@mail.domain.co.uk>
250
2004-04-10 00:03:57 212.242.88.2 RCPT - +TO:<"marvin%marvin.ordb.org"> 250
2004-04-10 00:03:57 212.242.88.2 DATA -
<SERVERDVAPo9qxHZF0000000b@server.domain.co.uk> 250
2004-04-10 00:03:57 212.242.88.2 QUIT - localhost.localdomain 240
2004-04-10 00:04:58 212.242.88.2 EHLO - +localhost.localdomain 250
2004-04-10 00:04:58 212.242.88.2 MAIL - +FROM:<spamtest@mail.domain.co.uk>
250
2004-04-10 00:04:58 212.242.88.2 RCPT -
+TO:<"marvin@marvin.ordb.org@mail.domain.co.uk"> 250
2004-04-10 00:04:58 212.242.88.2 DATA -
<SERVERFJX9kvfj9Jt0000000c@server.domain.co.uk> 250
2004-04-10 00:04:58 212.242.88.2 QUIT - localhost.localdomain 240
2004-04-10 00:06:01 212.242.88.2 EHLO - +localhost.localdomain 250
2004-04-10 00:06:01 212.242.88.2 MAIL - +FROM:<root@mail.domain.co.uk> 250
2004-04-10 00:06:01 212.242.88.2 RCPT - +TO:<marvin@marvin.ordb.org> 550
2004-04-10 00:06:01 212.242.88.2 QUIT - localhost.localdomain 240

As you can see, the first two attempts listed allowed the mails to go
through the third which is a more straightforward relay attempt was
correctly denied.

I've checked and double checked and the only thing I can think of is that
because I'm allowing anonymous access from any IP for inbound, that the SMTP
engine under this type of configuration is not as tight as it could be.

If anyone can shed any light on this whatsoever so that I can either resolve
it or raise it as a problem, I'd be very very grateful!!

Paul Vernon

[ Post a follow-up to this message ]

The relay settings are set to

Only the list below .... the list is empty

Allow all computers which successfully authenticate to relay...... is on.

Thanks

Paul

[ Post a follow-up to this message ]

"Paul Vernon" <paul.vernon@ntlworld.com> wrote in message
news:up7jitpHEHA.1048@TK2MSFTNGP12.phx.gbl...
> I have a W2k3 server set up with SMTP/POP on it and I seem to be having a
> problem with closing the SMTP service down as an open relay....
>
> The thing is, I have got the SMTP service to only allow relaying for
> authenticated users although, I do have anonymous access turned on to
allow
> the incoming mail to my POP accounts...
>
> However.... Looking through my logs after an ORDB test is showing that
some
> of the mails that it attempted to send were accepted and sure enough,
there
> is a whole bunch of mails in my DROP folder that will never go anywhere
> because the addresses are just so wrong but the SMTP service accepted even
> though it should have either denied relay or bounced as being invalid
> addresses for the POP service.... Anyhow, here is an example of the
log.....

I understand what you think. Believe me IIS 6 is not leaking settings or not
know for being hacked so that it allows relay.
What you see, is NDR emails. (Non Delivery Reports) since spammers give up
false email addresses you are seeing the queu growing.

[ Post a follow-up to this message ]

> I understand what you think. Believe me IIS 6 is not leaking settings or
not
> know for being hacked so that it allows relay.
> What you see, is NDR emails. (Non Delivery Reports) since spammers give up
> false email addresses you are seeing the queu growing.

I see what you are saying and indeed the mails never go anywhere. Although
if I open them up, they are not NDR mails they are the mails as sent by
ORDB....

I got a mail from ORDB about 36 hours after the logs were made saying that
the server was found to be closed and was not relaying mail. Which is good
as It should only relay for authenticated users as I have it set up.

I guess the question is now why does the service accept the mails if all
they are going to do is sit in the drop mailbox for a long while and then
generate the NDR mails....

On closer inspection of the mails that it did accept, I have a tenuous
theory that the SMTP service thinks the mails are for some kind of local
address and that the ORDB tests are trying to exploit some kind of SMTP
forwarding loophole by tricking the server into thinking they came from the
local domain.

If anyone can confirm any of this I'd be grateful as I don't like loose ends


Thanks

Paul

[ Post a follow-up to this message ]