virus issues

We are using Exchange 2003.
Apparently we have been hit by a virus. All the users are being constantly 
hit with emails that are from either:
system administrator    undeliverable: bla bla bla (password has been 
updated or account suspended... which is the virus package I think)
or from

administrator@mydomain.com   : you have successfully updated your password 
(this is the virus package)


I have antivirus software running on all systems, including the server.
I have run the FXmydoom.exe package from Symantec on all the servers and 
many (not all) of the workstations...
...I did a Google on 'your password has been updated' that led me to 
MyDoom......

but still everyone gets these emails...

What can I do? Where do I go from here?

thanks for the help ;)


0
mark7111 (54)
6/14/2005 1:59:28 PM
exchange.admin

19 Replies
541 Views


What type of AV software are you running on the server?  Do you have the 
ability to blacklist any domains or IP addresses?

Greg

"markus" <mark@nospam.com> wrote in message 
news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...


0
replyto1 (32)
6/14/2005 1:56:52 PM
I am running Norton Small Business V7.5 antivirus and the IMF filter so am 
sorta limited..
But I'm really not understanding what is going on.. where are these emails 
coming from?
Is a system in my network sending them?
Many are for users that do not exist in the network...... these are the 
'undeliverable' ones... but many go to legit users too..
I'm really trying to understand just what is going on........... who or what 
is sending these mails. Is it internal or external?

thanks
"markus" <mark@nospam.com> wrote in message 
news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...


0
mark7111 (54)
6/14/2005 2:21:11 PM
You can view the originator through the Message Header. Open the email and 
click on View/Options. You can block the IP and originating domain, which may 
or may not do you any good as spammers are constantly changing them. 
However, I've had good results blocking the ISP IP, which is usually foreign 
and does not affect legitimate emails. Also you may want to turn off Relay 
in case they are relaying through your SMTP. Do you use the IMF Companion? 
You may want to turn on Performance Counters for IMF so you can determine 
the correct SCL level you need to apply. Using RBLs is also a good thing to 
do.


"markus" <mark@nospam.com> wrote in message 
news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...


0
allen.miyake (137)
6/14/2005 4:25:15 PM
Ok...

This is what I'm not understanding. There are basically 2 types of email 
that concern me.

In the user's mailbox (Outlook 2003) he will have a bunch of emails like:

from: System Administrator                     subject: undeliverable: You 
have successfully updated your password.

*******This is the header from one of those

Microsoft Mail Internet Headers Version 2.0
From: postmaster@mydomain.com
To: user@mydomain.com
Date: Tue, 14 Jun 2005 16:52:54 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
Subject: Delivery Status Notification (Failure)

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
Content-Type: text/plain; charset=unicode-1-1-utf-7

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
Content-Type: message/delivery-status

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
Content-Type: message/rfc822

Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP address of 
my server))) by EXCHANGE.mydomain.local with Microsoft 
SMTPSVC(6.0.3790.1830);
Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com ***** THIS USER (INFO) DOES NOT EXIST. *****
To: josh@mydomain.com ******* THIS USER DOES NOT EXIST EITHER *******

****Ok, the mail was undeliverable because josh does not exist... but where 
is the sender (info@mydomain.com) coming from?

Subject: You have successfully updated your password
Date: Tue, 14 Jun 2005 16:52:54 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_9AC13455.6335A418"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: info@mydomain.com
Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
FILETIME=[098348C0:01C57123]

------=_NextPart_000_0008_9AC13455.6335A418
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0008_9AC13455.6335A418
Content-Type: application/octet-stream;
name="email-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="email-password.zip"

------=_NextPart_000_0008_9AC13455.6335A418--

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--

?????? If he is getting this mail returned to him, does it not mean that he 
is sending it?... but he's not. Does that mean that the virus is on his PC?? 
But I've scanned for it several times and not found it at all, ever...

Where are these mails coming from? Is the server sending them out somehow? 
Is his PC sending them out somehow? I don't know where to begin to figure 
this out......

********************************************************************************

The other type of email he will receive is from, for instance,

Administrator@mydomain.com Subject: You have successfully updated your 
password

Here is the header info from one of those:

Microsoft Mail Internet Headers Version 2.0
Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the legit IP address 
of the server here...*****
Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: real user@mydomain.com
Subject: You have successfully updated your password
Date: Tue, 14 Jun 2005 09:07:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: administrator@mydomain.com
Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
FILETIME=[16867EC0:01C570E2]

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: application/octet-stream;
name="new-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="new-password.zip"

------=_NextPart_000_0001_4FC13ACF.85304567--

So... block what address?? It says the email is coming from my own 
server...?

Plus, what about the system administrator returned email? Where is that 
coming from... I'm so confused......

"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...


0
mark7111 (54)
6/14/2005 9:36:51 PM
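Reading the two posted headers the way AllenM suggests (View/Options in Outlook) answers the poster's question of where the mail enters: both messages carry a single Received line written by SMTPSVC on the Exchange server, so they came in over the SMTP virtual server rather than from a mailbox user, and the "System Administrator" message is the server's own NDR for a message it had already accepted for the nonexistent josh@ with the forged local sender info@. The script below is an added example, not code from the thread: it reconstructs the two posted messages (with the placeholder 203.0.113.10 in place of x.x.x.x, consistent MIME boundaries, a made-up realuser@ recipient and an empty zip as attachment body), unwraps the NDR to the message that was bounced, extracts the first SMTP hop, and flags the forged local sender and the password-themed zip. LOCAL_DOMAIN and INTERNAL_NETS are assumptions about the site.

```python
"""Triage of the two message types posted in the thread (added example, not
from the original post).  The samples are reconstructed from the pasted
headers: 203.0.113.10 stands in for x.x.x.x, boundaries were made consistent
and the attachment body is an empty zip, so the MIME parser can walk them."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"  # the poster's domain
# Assumed internal ranges; a local sender arriving over SMTP from elsewhere is suspect.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<with>.*?);")


def parse_received(value):
    """helo/ip/by/with from one Received: header, or None if not SMTP-shaped."""
    m = RECEIVED_RE.search(" ".join(str(value).split()))
    return m.groupdict() if m else None


def triage(raw):
    """Who sent what from where, plus findings, for a message pasted from Outlook."""
    # Outlook's View/Options pane prepends a banner that is not a header; left in,
    # the parser would treat everything after it as body text.
    if raw.startswith("Microsoft Mail Internet Headers"):
        raw = raw.split("\n", 1)[1]
    msg = email.message_from_string(raw, policy=policy.default)
    is_bounce = (msg.get_content_type() == "multipart/report"
                 and msg.get_param("report-type") == "delivery-status")
    subject = msg
    if is_bounce:
        # The bounced original rides inside the NDR as a message/rfc822 part;
        # its headers, not the NDR wrapper's, say where the mail came from.
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                subject = part.get_payload(0)
                break
    hops = [h for h in map(parse_received, subject.get_all("Received", [])) if h]
    sender = parseaddr(str(subject.get("From", "")))[1]
    attachments = [p.get_filename() for p in subject.walk()
                   if p.get_content_disposition() == "attachment"]
    first_ip = hops[0]["ip"] if hops else None
    external = first_ip is not None and not any(
        ipaddress.ip_address(first_ip) in net for net in INTERNAL_NETS)
    findings = []
    if is_bounce:
        findings.append("NDR generated locally for mail claiming to be from " + sender)
    if not hops:
        findings.append("no Received header: the message did not arrive over SMTP")
    elif external and sender.lower().endswith("@" + LOCAL_DOMAIN):
        findings.append("local sender %s entered over SMTP from non-internal IP %s: "
                        "forged sender, consistent with relay abuse" % (sender, first_ip))
    for name in attachments:
        if name.lower().endswith(".zip") and "password" in name.lower():
            findings.append("password-themed zip %s: worm-style lure" % name)
    return {"kind": "bounce" if is_bounce else "direct", "sender": sender,
            "recipient": parseaddr(str(subject.get("To", "")))[1],
            "first_hop_ip": first_ip, "external_entry": external,
            "attachments": attachments, "findings": findings}


# Constructed from the first posted header: the NDR wrapping the bounced mail.
DSN_SAMPLE = """\
Microsoft Mail Internet Headers Version 2.0
From: postmaster@mydomain.com
Content-Type: multipart/report; report-type=delivery-status;
    boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain."

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.
Content-Type: message/rfc822

Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with
    Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_9AC13455.6335A418"

------=_NextPart_000_0008_9AC13455.6335A418
Content-Type: application/octet-stream; name="email-password.zip"
Content-Disposition: attachment; filename="email-password.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0008_9AC13455.6335A418--

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
"""

# Constructed from the second posted header: the worm mail delivered directly.
DIRECT_SAMPLE = """\
Microsoft Mail Internet Headers Version 2.0
Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with
    Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: realuser@mydomain.com
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_4FC13ACF.85304567"

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: application/octet-stream; name="new-password.zip"
Content-Disposition: attachment; filename="new-password.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0001_4FC13ACF.85304567--
"""
```

Run `triage(DSN_SAMPLE)` and `triage(DIRECT_SAMPLE)`: both report the same first hop (the SMTPSVC line from 203.0.113.10) and a forged local sender, which is the reading AllenM gives of these headers. The "no Received header" branch is the case to look for when suspecting the user's own PC: a message his Outlook submitted over MAPI to the same server would carry no SMTPSVC Received line at all.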
Looks like someone is using your SMTP virtual server for relaying. You need 
to turn that off unless you have a specific reason to have it on. You should 
only "allow" the internal IP address of your mail server to use relay on 
this server.


"markus" <mark@nospam.com> wrote in message 
news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...


0
allen.miyake (137)
6/14/2005 9:46:06 PM
Could you elaborate a bit please...
In the default SMTP virtual server properties / relay ....
I have the box 'Only the list below' (and nothing in the list) checked 
and
checked - 'Allow all computers which successfully authenticate to relay, 
regardless of the list above'

Is this not right??
There is a terminal server on this network... could that be involved in this 
relay some way?





"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...


0
mark7111 (54)
6/14/2005 11:07:11 PM
You need to uncheck "Allow all computers which successfully authenticate to 
relay, regardless of the list above". This is what is allowing outside users to 
use your SMTP relay.
Otherwise the listed server above does no good. We want "Only the list 
below", which should be the internal IP of your Exchange server. Give it a 
try and of course monitor it over the next day or so.


"markus" <mark@nospam.com> wrote in message 
news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
> Could you elaborate a bit please...
> In the default SMTP virtual server properties / relay ....
> i have the box:  'Only the list below'  (and nothing in the list) checked 
> and
> checked - 'Allow all computers which sucessfully authenticate to relay, 
> regardless of the list above'
>
> is this not right??
> There is a terminal server on this network... could that be involved in 
> this relay someway?
>
>
>
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>> Looks like someone is using your SMTP virtual server for relaying. You 
>> need to turn that off unless you have a specific reason to have it on. 
>> You should only "allow" the internal IP address of your mail server to 
>> use relay on this server.
>>
>>
>> "markus" <mark@nospam.com> wrote in message 
>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>> Ok...
>>>
>>> this is what I'm not understanding. There are basically 2 types of email 
>>> that concern me.
>>>
>>> Is the users box (outlook 2003) he will have a bunch of email to:
>>>
>>> from: System Administrator                     subject: undeliverable: 
>>> You have sucessfully updated your password.
>>>
>>> *******This is the header from one of those
>>>
>>> Microsoft Mail Internet Headers Version 2.0
>>>
>>> From: postmaster@mydomain.com
>>>
>>> To: user@mydomain.com
>>>
>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>
>>> MIME-Version: 1.0
>>>
>>> Content-Type: multipart/report; report-type=delivery-status;
>>>
>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>
>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>
>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>
>>> Subject: Delivery Status Notification (Failure)
>>>
>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>
>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>
>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>
>>> Content-Type: message/delivery-status
>>>
>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>
>>> Content-Type: message/rfc822
>>>
>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP address 
>>> of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>> SMTPSVC(6.0.3790.1830);
>>>
>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>
>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>> EXIST.************************
>>>
>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>
>>> ****Ok, the mail was undeliverable because josh does not exist... but 
>>> where is the sender (info@mydomain.com) coming from?
>>>
>>> Subject: You have successfully updated your password
>>>
>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>
>>> MIME-Version: 1.0
>>>
>>> Content-Type: multipart/mixed;
>>>
>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>
>>> X-Priority: 3
>>>
>>> X-MSMail-Priority: Normal
>>>
>>> Return-Path: info@mydomain.com
>>>
>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>
>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>> FILETIME=[098348C0:01C57123]
>>>
>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>
>>> Content-Type: text/html;
>>>
>>> charset="ISO-8859-1"
>>>
>>> Content-Transfer-Encoding: 7bit
>>>
>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>
>>> Content-Type: application/octet-stream;
>>>
>>> name="email-password.zip"
>>>
>>> Content-Transfer-Encoding: base64
>>>
>>> Content-Disposition: attachment;
>>>
>>> filename="email-password.zip"
>>>
>>>
>>>
>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>
>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>
>>>
>>>
>>> ?????? if he is getting this mail returned to him, does it not mean that 
>>> he is sending it?... but he's not. Does that mean that the virus is on 
>>> his PC?? But I've scanned for it several times and not found it at all, 
>>> ever...
>>>
>>> Where are these mails coming from? Is the server sending them out 
>>> somehow? is his PC sending them out somehow? I don't know where to begin 
>>> to figure this out......
>>>
>>> ********************************************************************************
>>>
>>> The other type of email he will receive is from, for instance,
>>>
>>> Administrator@mydomain.com Subject: You have successfully updated your 
>>> password
>>>
>>> Here is the header info from one of those:
>>>
>>> Microsoft Mail Internet Headers Version 2.0
>>>
>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
>>> Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the legit IP 
>>> address of the server here...*****************
>>>
>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>
>>> From: administrator@mydomain.com
>>>
>>> To: real user@mydomain.com
>>>
>>> Subject: You have successfully updated your password
>>>
>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>
>>> MIME-Version: 1.0
>>>
>>> Content-Type: multipart/mixed;
>>>
>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>
>>> X-Priority: 3
>>>
>>> X-MSMail-Priority: Normal
>>>
>>> Return-Path: administrator@mydomain.com
>>>
>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>
>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>> FILETIME=[16867EC0:01C570E2]
>>>
>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>
>>> Content-Type: text/html;
>>>
>>> charset="ISO-8859-1"
>>>
>>> Content-Transfer-Encoding: 7bit
>>>
>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>
>>> Content-Type: application/octet-stream;
>>>
>>> name="new-password.zip"
>>>
>>> Content-Transfer-Encoding: base64
>>>
>>> Content-Disposition: attachment;
>>>
>>> filename="new-password.zip"
>>>
>>>
>>>
>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>
>>>
>>>
>>> So... block what address?? it says the email is coming from my own 
>>> server...?
>>>
>>> Plus, what about the system administrator returned email? where is that 
>>> coming from... I'm so confused......
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>> You can view the originator through the Message Header. Open the email 
>>>> and click on View/Options. You can block the IP and originating domain 
>>>> which may or may not do you any good as spammers are always constantly 
>>>> changing them. However I've had good results blocking the ISP IP which 
>>>> is usually foreign and does not affect legitimate emails. Also you may 
>>>> want to turn off Relay in case they are relaying through your SMTP. Do 
>>>> you use the IMF Companion? You may want to turn on Performance Counters 
>>>> for IMF so you can determine the correct SCL level you need to apply. 
>>>> Also using RBL's is a good thing to do also.
>>>>
>>>>
>>>> "markus" <mark@nospam.com> wrote in message 
>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>> I am running Norton Small Business V7.5 antivirus and the IMF filter so 
>>>>> am sorta limited..
>>>>> But I'm really not understanding what is going on..  where are these 
>>>>> emails coming from?
>>>>> Is a system in my network sending them?
>>>>> many are for users that do not exist in the network ......these are 
>>>>> the 'undeliverable' ones...  but many go to legit users too..
>>>>> I'm really trying to understand just what is going on...........who or 
>>>>> what is sending these mails. Is it internal or external?
>>>>>
>>>>> thanks
>>>>> .
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>> We are using exchange 2003.
>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>> constantly hit with emails that are from either:
>>>>>> system administrator    undeliverable: bla bla bal (password has been 
>>>>>> updated or account suspended..which is the virus package I think)
>>>>>> or from
>>>>>>
>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>> password (this is the virus package)
>>>>>>
>>>>>>
>>>>>> I have antivirus software running on all systems, including the 
>>>>>> server.
>>>>>> I have run the FXmydoom.exe package from symantec on  all the servers 
>>>>>> and many (not all) of the workstations..
>>>>>> ..I did a google on 'your password has been updated" that led me to 
>>>>>> MyDoom......
>>>>>>
>>>>>> but still everyone gets these emails...
>>>>>>
>>>>>> What can I do? where do I go from here?
>>>>>>
>>>>>> thanks for the help ;)
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/14/2005 11:16:41 PM
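The headers quoted above pose the thread's real question: through which hop did these messages enter, are they only ever addressed to local mailboxes (in which case no relaying is involved), and do they carry the MyDoom-style lure? What follows is an added example, not code from this thread or from Exchange, that answers those three questions for a raw message of either quoted shape: the NDR with the original message enclosed, or the direct "updated your password" lure. The local domain, the 192.0.2.25 stand-in for the redacted x.x.x.x server address, and the sample messages (built from the quoted headers, with made-up boundaries and zip payload) are all constructed assumptions.

```python
"""Triage of the two message types quoted in this thread.

Added example, not code from the thread or from Exchange. It unwraps a
bounce (multipart/report DSN with the original enclosed) or takes a direct
message, then reports: did it enter through an inside host, are all
recipients in the local domain (then relaying is not involved), and does it
carry the MyDoom-style lure (password subject plus a *password*.zip
attachment). Samples are constructed from the quoted headers; 192.0.2.25
stands in for the redacted x.x.x.x server address.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, List

LOCAL_DOMAIN = "mydomain.com"                  # assumed, as in the post
INTERNAL_HOSTS = {"192.0.2.25"}                # the server's own address (placeholder)
LURE_SUBJECTS = ("updated your password", "account suspended")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.I)
RECEIVED = ("Received: from mydomain.com ([192.0.2.25]) by EXCHANGE.mydomain.local "
            "with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400\n")


def lure_message(sender: str, rcpt: str, zip_name: str) -> str:
    """Constructed copy of the lure: one Received hop, password subject, zip attachment."""
    return (RECEIVED + f"From: {sender}\nTo: {rcpt}\n"
            "Subject: You have successfully updated your password\n"
            'Content-Type: multipart/mixed; boundary="INNER"\n\n--INNER\n'
            f'Content-Type: application/octet-stream; name="{zip_name}"\n'
            f'Content-Disposition: attachment; filename="{zip_name}"\n'
            "Content-Transfer-Encoding: base64\n\nUEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\n--INNER--\n")


def bounce_of(original: str, failed_rcpt: str) -> str:
    """Constructed NDR in the shape the thread shows: a DSN wrapping the original."""
    return ("From: postmaster@mydomain.com\nTo: user@mydomain.com\n"
            "Subject: Delivery Status Notification (Failure)\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="DSNB"\n\n'
            "--DSNB\nContent-Type: message/delivery-status\n\n"
            "Reporting-MTA: dns;EXCHANGE.mydomain.local\n\n"
            f"Final-Recipient: rfc822;{failed_rcpt}\nAction: failed\nStatus: 5.1.1\n"
            "--DSNB\nContent-Type: message/rfc822\n\n" + original + "--DSNB--\n")


SAMPLE_LURE = lure_message("administrator@mydomain.com", "realuser@mydomain.com", "new-password.zip")
SAMPLE_DSN = bounce_of(lure_message("info@mydomain.com", "josh@mydomain.com",
                                    "email-password.zip"), "josh@mydomain.com")


def original_message(msg: Message) -> Message:
    """For a DSN return the enclosed original; otherwise the message itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg


def received_hops(msg: Message) -> List[Dict[str, str]]:
    """Received: lines are prepended at each hop, so the last one is the entry point."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops


def origin_is_internal(msg: Message) -> bool:
    hops = received_hops(msg)
    if not hops:
        return False                      # no trace at all, so make no claim
    ip = hops[-1]["ip"]                   # ipaddress.is_private covers the non-routable ranges
    return ip in INTERNAL_HOSTS or ipaddress.ip_address(ip).is_private


def all_recipients_local(msg: Message) -> bool:
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return bool(addrs) and all(a.endswith("@" + LOCAL_DOMAIN) for a in addrs)


def lure_indicators(msg: Message) -> List[str]:
    hits = []
    subject = (msg.get("Subject") or "").lower()
    if any(s in subject for s in LURE_SUBJECTS):
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and "password" in name:
            hits.append("attachment:" + name)
    return hits


def triage(raw: str) -> Dict[str, object]:
    """Answer the thread's three questions for a raw message (DSN or direct)."""
    msg = original_message(message_from_string(raw))
    local = all_recipients_local(msg)
    return {"origin_internal": origin_is_internal(msg), "all_recipients_local": local,
            "relay_involved": not local, "lure": lure_indicators(msg)}


if __name__ == "__main__":
    for label, raw in (("NDR", SAMPLE_DSN), ("direct lure", SAMPLE_LURE)):
        print(label, triage(raw))
```

For both quoted shapes the result is the same: the single Received hop is the server's own address, every recipient is in the local domain, and the lure markers are present. That combination points at an infected host inside the network delivering to local mailboxes, not at an open relay, and it is the check to run on a real capture before changing relay settings.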
OK, I've unchecked 'Allow all computers which successfully authenticate to
relay', and put in the IP address of the server only...
But a question..... outside users would not be 'authenticated' users, would 
they? By authenticated, do they mean logged onto the network?
Why not allow authenticated users to relay if they are all in-house 
anyway....
or............
could it be that a remote user, logging on through Terminal Server, is actually 
doing the relaying... if he had, for instance, MyDoom, which adds an SMTP 
server, infecting his remote PC... and then logged onto the network through 
TS... could that then be relaying through Exchange...?
...sounds logical to me.. what do you think?

"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
> You need to uncheck 'Allow all computers which successfully authenticate 
> to relay,
> regardless of the list above'. This is what is allowing outside users to 
> use your SMTP relay.
> Otherwise the listed server above does no good. We want "Only the listed 
> below" which should be the internal IP of your Exchange server. Give it a 
> try and of course monitor it over the next day or so.
>
>
> "markus" <mark@nospam.com> wrote in message 
> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>> Could you elaborate a bit please...
>> In the default SMTP virtual server properties / relay ....
>> I have the box: 'Only the list below' (and nothing in the list) checked 
>> and
>> checked - 'Allow all computers which successfully authenticate to relay, 
>> regardless of the list above'
>>
>> is this not right??
>> There is a terminal server on this network... could that be involved in 
>> this relay someway?
>>
>>
>>
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>> Looks like someone is using your SMTP virtual server for relaying. You 
>>> need to turn that off unless you have a specific reason to have it on. 
>>> You should only "allow" the internal IP address of your mail server to 
>>> use relay on this server.
>>>
>>>
>>> "markus" <mark@nospam.com> wrote in message 
>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>> Ok...
>>>>
>>>> this is what I'm not understanding. There are basically 2 types of 
>>>> email that concern me.
>>>>
>>>> In the user's box (Outlook 2003) he will have a bunch of email to:
>>>>
>>>> from: System Administrator                     subject: undeliverable: 
>>>> You have successfully updated your password.
>>>>
>>>> *******This is the header from one of those
>>>>
>>>> Microsoft Mail Internet Headers Version 2.0
>>>>
>>>> From: postmaster@mydomain.com
>>>>
>>>> To: user@mydomain.com
>>>>
>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>
>>>> MIME-Version: 1.0
>>>>
>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>
>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>
>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>
>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>
>>>> Subject: Delivery Status Notification (Failure)
>>>>
>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>
>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>
>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>
>>>> Content-Type: message/delivery-status
>>>>
>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>
>>>> Content-Type: message/rfc822
>>>>
>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>> SMTPSVC(6.0.3790.1830);
>>>>
>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>
>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>> EXIST.************************
>>>>
>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>>
>>>> ****Ok, the mail was undeliverable because josh does not exist... but 
>>>> where is the sender (info@mydomain.com) coming from?
>>>>
>>>> Subject: You have successfully updated your password
>>>>
>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>
>>>> MIME-Version: 1.0
>>>>
>>>> Content-Type: multipart/mixed;
>>>>
>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>
>>>> X-Priority: 3
>>>>
>>>> X-MSMail-Priority: Normal
>>>>
>>>> Return-Path: info@mydomain.com
>>>>
>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>
>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>> FILETIME=[098348C0:01C57123]
>>>>
>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>
>>>> Content-Type: text/html;
>>>>
>>>> charset="ISO-8859-1"
>>>>
>>>> Content-Transfer-Encoding: 7bit
>>>>
>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>
>>>> Content-Type: application/octet-stream;
>>>>
>>>> name="email-password.zip"
>>>>
>>>> Content-Transfer-Encoding: base64
>>>>
>>>> Content-Disposition: attachment;
>>>>
>>>> filename="email-password.zip"
>>>>
>>>>
>>>>
>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>
>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>
>>>>
>>>>
>>>> ?????? if he is getting this mail returned to him, does it not mean 
>>>> that he is sending it?... but he's not. Does that mean that the virus 
>>>> is on his PC?? But I've scanned for it several times and not found it 
>>>> at all, ever...
>>>>
>>>> Where are these mails coming from? Is the server sending them out 
>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>> begin to figure this out......
>>>>
>>>> ********************************************************************************
>>>>
>>>> The other type of email he will receive is from, for instance,
>>>>
>>>> Administrator@mydomain.com Subject: You have successfully updated your 
>>>> password
>>>>
>>>> Here is the header info from one of those:
>>>>
>>>> Microsoft Mail Internet Headers Version 2.0
>>>>
>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
>>>> Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the legit IP 
>>>> address of the server here...*****************
>>>>
>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>
>>>> From: administrator@mydomain.com
>>>>
>>>> To: real user@mydomain.com
>>>>
>>>> Subject: You have successfully updated your password
>>>>
>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>
>>>> MIME-Version: 1.0
>>>>
>>>> Content-Type: multipart/mixed;
>>>>
>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>
>>>> X-Priority: 3
>>>>
>>>> X-MSMail-Priority: Normal
>>>>
>>>> Return-Path: administrator@mydomain.com
>>>>
>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>
>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>> FILETIME=[16867EC0:01C570E2]
>>>>
>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>
>>>> Content-Type: text/html;
>>>>
>>>> charset="ISO-8859-1"
>>>>
>>>> Content-Transfer-Encoding: 7bit
>>>>
>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>
>>>> Content-Type: application/octet-stream;
>>>>
>>>> name="new-password.zip"
>>>>
>>>> Content-Transfer-Encoding: base64
>>>>
>>>> Content-Disposition: attachment;
>>>>
>>>> filename="new-password.zip"
>>>>
>>>>
>>>>
>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>
>>>>
>>>>
>>>> So... block what address?? it says the email is coming from my own 
>>>> server...?
>>>>
>>>> Plus, what about the system administrator returned email? where is that 
>>>> coming from... I'm so confused......
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>> You can view the originator through the Message Header. Open the email 
>>>>> and click on View/Options. You can block the IP and originating domain 
>>>>> which may or may not do you any good as spammers are always constantly 
>>>>> changing them. However I've had good results blocking the ISP IP which 
>>>>> is usually foreign and does not affect legitimate emails. Also you may 
>>>>> want to turn off Relay in case they are relaying through your SMTP. Do 
>>>>> you use the IMF Companion? You may want to turn on Performance 
>>>>> Counters for IMF so you can determine the correct SCL level you need 
>>>>> to apply. Also using RBL's is a good thing to do also.
>>>>>
>>>>>
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF filter 
>>>>>> so am sorta limited..
>>>>>> But I'm really not understanding what is going on..  where are these 
>>>>>> emails coming from?
>>>>>> Is a system in my network sending them?
>>>>>> many are for users that do not exist in the network ......these are 
>>>>>> the 'undeliverable' ones...  but many go to legit users too..
>>>>>> I'm really trying to understand just what is going on...........who 
>>>>>> or what is sending these mails. Is it internal or external?
>>>>>>
>>>>>> thanks
>>>>>> .
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>> We are using exchange 2003.
>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>> constantly hit with emails that are from either:
>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>> think)
>>>>>>> or from
>>>>>>>
>>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>>> password (this is the virus package)
>>>>>>>
>>>>>>>
>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>> server.
>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>> servers and many (not all) of the workstations..
>>>>>>> ..I did a google on 'your password has been updated" that led me to 
>>>>>>> MyDoom......
>>>>>>>
>>>>>>> but still everyone gets these emails...
>>>>>>>
>>>>>>> What can I do? where do I go from here?
>>>>>>>
>>>>>>> thanks for the help ;)
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
mark7111 (54)
6/15/2005 2:38:59 AM
This may be a bit above and beyond as to how well I can explain it so do not 
write this in stone. Here's my interpretation.
"Select which computer may relay through this virtual server": by selecting 
this we are saying that only email that passes through this email server may 
send outside.
"Allow all computers which successfully authenticate to relay, regardless of 
the list above": what this is saying is that anyone can go through this SMTP 
relay without passing through the server above, which means they can send an 
email from another mail server.
So we only want email from our mail server to pass through our SMTP virtual 
server. SPAMMERS who use the SMTP virtual server do not send email from our 
Exchange server. Hope that makes sense and my interpretation is also correct. I 
do think it is because I was also getting those types of password 
confirmations like you are and since I closed the open relay it has not 
happened since. Maybe we can get someone else or an MVP to chime in and 
clarify this. If you do find it to be incorrect or find a better 
explanation I'd like to hear about it. Good luck.

"markus" <mark@nospam.com> wrote in message 
news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
> OK, I've unchecked 'Allow all computers which successfully authenticate to
> relay', and put in the IP address of the server only...
> but a question..... outside users would not be 'authenticated' users would 
> they?  By authenticated, they mean logged onto the network?
> Why not  allow authenticated users to relay if they are all inhouse 
> anyway....
> or............
> could it be that a remote user, logging on thru terminal server, is 
> actually doing the relaying...  if he had for instance, mydoom, which adds 
> an SMTP server, infecting his remote PC... and then logged onto the 
> network thru TS...  could that be then relaying  thru exchange...?
> ..sounds logical to me..  what you think?
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>> You need to uncheck 'Allow all computers which successfully authenticate 
>> to relay,
>> regardless of the list above'. This is what is allowing outside users to 
>> use your SMTP relay.
>> Otherwise the listed server above does no good. We want "Only the listed 
>> below" which should be the internal IP of your Exchange server. Give it a 
>> try and of course monitor it over the next day or so.
>>
>>
>> "markus" <mark@nospam.com> wrote in message 
>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>> Could you elaborate a bit please...
>>> In the default SMTP virtual server properties / relay ....
>>> I have the box: 'Only the list below' (and nothing in the list) 
>>> checked and
>>> checked - 'Allow all computers which successfully authenticate to relay, 
>>> regardless of the list above'
>>>
>>> is this not right??
>>> There is a terminal server on this network... could that be involved in 
>>> this relay someway?
>>>
>>>
>>>
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>> Looks like someone is using your SMTP virtual server for relaying. You 
>>>> need to turn that off unless you have a specific reason to have it on. 
>>>> You should only "allow" the internal IP address of your mail server to 
>>>> use relay on this server.
>>>>
>>>>
>>>> "markus" <mark@nospam.com> wrote in message 
>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>> Ok...
>>>>>
>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>> email that concern me.
>>>>>
>>>>> In the user's box (Outlook 2003) he will have a bunch of email to:
>>>>>
>>>>> from: System Administrator                     subject: undeliverable: 
>>>>> You have successfully updated your password.
>>>>>
>>>>> *******This is the header from one of those
>>>>>
>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>
>>>>> From: postmaster@mydomain.com
>>>>>
>>>>> To: user@mydomain.com
>>>>>
>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>
>>>>> MIME-Version: 1.0
>>>>>
>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>
>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>
>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>
>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>
>>>>> Subject: Delivery Status Notification (Failure)
>>>>>
>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>
>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>
>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>
>>>>> Content-Type: message/delivery-status
>>>>>
>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>
>>>>> Content-Type: message/rfc822
>>>>>
>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>> SMTPSVC(6.0.3790.1830);
>>>>>
>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>
>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>> EXIST.************************
>>>>>
>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>>>
>>>>> ****Ok, the mail was undeliverable because josh does not exist... but 
>>>>> where is the sender (info@mydomain.com) coming from?
>>>>>
>>>>> Subject: You have successfully updated your password
>>>>>
>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>
>>>>> MIME-Version: 1.0
>>>>>
>>>>> Content-Type: multipart/mixed;
>>>>>
>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>
>>>>> X-Priority: 3
>>>>>
>>>>> X-MSMail-Priority: Normal
>>>>>
>>>>> Return-Path: info@mydomain.com
>>>>>
>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>
>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>> FILETIME=[098348C0:01C57123]
>>>>>
>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>
>>>>> Content-Type: text/html;
>>>>>
>>>>> charset="ISO-8859-1"
>>>>>
>>>>> Content-Transfer-Encoding: 7bit
>>>>>
>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>
>>>>> Content-Type: application/octet-stream;
>>>>>
>>>>> name="email-password.zip"
>>>>>
>>>>> Content-Transfer-Encoding: base64
>>>>>
>>>>> Content-Disposition: attachment;
>>>>>
>>>>> filename="email-password.zip"
>>>>>
>>>>>
>>>>>
>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>
>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>
>>>>>
>>>>>
>>>>> ?????? if he is getting this mail returned to him, does it not mean 
>>>>> that he is sending it?... but he's not. Does that mean that the virus 
>>>>> is on his PC?? But I've scanned for it several times and not found it 
>>>>> at all, ever...
>>>>>
>>>>> Where are these mails coming from? Is the server sending them out 
>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>> begin to figure this out......
>>>>>
>>>>> ********************************************************************************
>>>>>
>>>>> The other type of email he will receive is from, for instance,
>>>>>
>>>>> Administrator@mydomain.com Subject: You have successfully updated your 
>>>>> password
>>>>>
>>>>> Here is the header info from one of those:
>>>>>
>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>
>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the legit 
>>>>> IP address of the server here...*****************
>>>>>
>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>
>>>>> From: administrator@mydomain.com
>>>>>
>>>>> To: real user@mydomain.com
>>>>>
>>>>> Subject: You have successfully updated your password
>>>>>
>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>
>>>>> MIME-Version: 1.0
>>>>>
>>>>> Content-Type: multipart/mixed;
>>>>>
>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>
>>>>> X-Priority: 3
>>>>>
>>>>> X-MSMail-Priority: Normal
>>>>>
>>>>> Return-Path: administrator@mydomain.com
>>>>>
>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>
>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>
>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>
>>>>> Content-Type: text/html;
>>>>>
>>>>> charset="ISO-8859-1"
>>>>>
>>>>> Content-Transfer-Encoding: 7bit
>>>>>
>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>
>>>>> Content-Type: application/octet-stream;
>>>>>
>>>>> name="new-password.zip"
>>>>>
>>>>> Content-Transfer-Encoding: base64
>>>>>
>>>>> Content-Disposition: attachment;
>>>>>
>>>>> filename="new-password.zip"
>>>>>
>>>>>
>>>>>
>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>
>>>>>
>>>>>
>>>>> So... block what address?? it says the email is coming from my own 
>>>>> server...?
>>>>>
>>>>> Plus, what about the system administrator returned email? where is 
>>>>> that coming from... I'm so confused......
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>> You can view the originator through the Message Header. Open the 
>>>>>> email and click on View/Options. You can block the IP and originating 
>>>>>> domain which may or may not do you any good as spammers are always 
>>>>>> constantly changing them. However I've had good results blocking the 
>>>>>> ISP IP which is usually foreign and does not affect legitimate 
>>>>>> emails. Also you may want to turn off Relay in case they are relaying 
>>>>>> through your SMTP. Do you use the IMF Companion? You may want to turn 
>>>>>> on Performance Counters for IMF so you can determine the correct SCL 
>>>>>> level you need to apply. Also using RBL's is a good thing to do also.
>>>>>>
>>>>>>
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF filter 
>>>>>>> so am sorta limited..
>>>>>>> But I'm really not understanding what is going on..  where are these 
>>>>>>> emails coming from?
>>>>>>> Is a system in my network sending them?
>>>>>>> many are for users that do not exist in the network ......these are 
>>>>>>> the 'undeliverable' ones...  but many go to legit users too..
>>>>>>> I'm really trying to understand just what is going on...........who 
>>>>>>> or what is sending these mails. Is it internal or external?
>>>>>>>
>>>>>>> thanks
>>>>>>> .
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>> We are using exchange 2003.
>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>> constantly hit with emails that are from either:
>>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>>> think)
>>>>>>>> or from
>>>>>>>>
>>>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>>>> password (this is the virus package)
>>>>>>>>
>>>>>>>>
>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>> server.
>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>> ..I did a google on 'your password has been updated" that led me to 
>>>>>>>> MyDoom......
>>>>>>>>
>>>>>>>> but still everyone gets these emails...
>>>>>>>>
>>>>>>>> What can I do? where do I go from here?
>>>>>>>>
>>>>>>>> thanks for the help ;)
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/15/2005 3:11:30 PM
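The two relay controls argued over in the last few posts ("Only the list below" and "Allow all computers which successfully authenticate to relay, regardless of the list above"), and the question of whether an infected remote PC logged on through Terminal Server could be relaying, come down to one decision the SMTP virtual server makes per recipient. The block below is an added example, not Microsoft's code: it encodes that decision as a small function so the thread's scenarios can be compared under the old and the tightened settings. The IP addresses, the local domain and the scenario list are constructed; real Exchange also accepts host names and subnets in the relay list, which this model leaves out.

```python
"""Model of the Exchange 2003 SMTP virtual server relay decision.

Added example, not Microsoft's code. Encodes the two Relay Restrictions
controls discussed in this thread as one decision function. Addresses,
domain and scenarios are constructed: 192.0.2.25 stands in for the
server's own IP, 10.0.0.50 for an internal workstation or terminal server
session, 198.51.100.7 for an outside host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LOCAL_DOMAINS = {"mydomain.com"}     # domains this server delivers for itself (assumed)


@dataclass
class RelayConfig:
    """The two controls on the Relay Restrictions dialog."""
    relay_list: Set[str] = field(default_factory=set)  # "Only the list below"
    allow_authenticated: bool = True                    # the checkbox under it


@dataclass
class SmtpSession:
    """One RCPT TO, with what the server knows about the connection."""
    source_ip: str
    authenticated: bool
    rcpt_to: str


def recipient_is_local(rcpt_to: str) -> bool:
    return rcpt_to.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def relay_decision(cfg: RelayConfig, s: SmtpSession) -> str:
    """Return 'deliver', 'relay' or 'reject' for a single recipient.

    Mail for a local domain is delivered, never relayed, so the relay
    settings do not apply to it. Mail for a foreign domain is relayed only
    from a listed source IP, or from an authenticated session when the
    checkbox is on; anything else is rejected.
    """
    if recipient_is_local(s.rcpt_to):
        return "deliver"
    if s.source_ip in cfg.relay_list:
        return "relay"
    if cfg.allow_authenticated and s.authenticated:
        return "relay"
    return "reject"


# Constructed scenarios (see module docstring for what each address stands for).
SCENARIOS: List[SmtpSession] = [
    SmtpSession("198.51.100.7", False, "victim@example.net"),  # outside, anonymous
    SmtpSession("198.51.100.7", True, "victim@example.net"),   # outside, valid credentials
    SmtpSession("10.0.0.50", False, "josh@mydomain.com"),      # inside, anonymous, local rcpt
    SmtpSession("10.0.0.50", False, "victim@example.net"),     # inside, anonymous, external rcpt
    SmtpSession("198.51.100.7", False, "user@mydomain.com"),   # ordinary inbound internet mail
]

BEFORE = RelayConfig(relay_list=set(), allow_authenticated=True)      # as first described
AFTER = RelayConfig(relay_list={"192.0.2.25"}, allow_authenticated=False)  # after the change


def compare(before: RelayConfig, after: RelayConfig) -> List[Dict[str, str]]:
    """Decision for every scenario under both configurations, in SCENARIOS order."""
    rows = []
    for s in SCENARIOS:
        rows.append({"source": s.source_ip, "auth": "yes" if s.authenticated else "no",
                     "rcpt": s.rcpt_to, "before": relay_decision(before, s),
                     "after": relay_decision(after, s)})
    return rows


if __name__ == "__main__":
    for row in compare(BEFORE, AFTER):
        print("{source:>14} auth={auth:<3} {rcpt:<22} before={before:<8} after={after}".format(**row))
```

The table makes the point of the disagreement visible: an anonymous outside host is rejected under both settings, so the original configuration was not an open relay for anonymous senders, and the only row the change flips is an outside session that presents valid credentials. The worm traffic quoted in this thread is addressed to mailboxes in the local domain, which is the "deliver" row under both columns: the relay settings neither caused it nor stop it, which is why the headers, not the relay dialog, have to identify the sending machine.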
"Select which computers may relay through this VS" sets which "other" 
computers (hostname or IP) can relay (anonymously) e-mail through your 
Exchange server.  Unless you have a specific internal app that needs to 
relay, this list should be blank.  The internal IP of your Exchange server 
should NOT be in that list.  It should also be set at the default setting of 
"Only the list below".

"allow all computers which authenticate" is specifically for clients such as 
IMAP or POP3 users that must send e-mail using your server.  It further 
dictates that they MUST authenticate before being allowed to relay the 
messages.  This does not deal with anonymous smtp sessions (such as mail 
from other e-mail servers).  Outlook clients in MAPI mode do not relay 
messages, so this only needs to be checked if you have IMAP or POP3 clients. 
How clients can authenticate is determined by the settings under the 
authentication section.  I doubt that a virus would be able to initiate an 
authenticated SMTP session.

As far as where the messages are coming from, you need to look at the 
headers of one of the actual messages.  If the headers from that message 
indicate that it is internal, then you likely have an infected machine on 
your network.  If they are all destined for local addresses (even if they 
are invalid users), then there is no issue with relaying.  Relaying would 
only be an issue if the messages are being sent to external addresses.

Hope this helps.

-- 
Ben Winzenz
Exchange MVP
MessageOne


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
> This may be a bit above and beyond as to how well I can explain it so do 
> not write this in stone. Here's my interpretation.
> "Select which computer may relay through this virtual server" By selecting 
> this we are saying that only email that passes through this email server 
> may send outside.
> "Allow all computers which successfully authenticate to relay, regardless 
> of the list above". What this is saying is that anyone can go through this 
> SMTP relay without passing through the server above. Which means they can 
> send an email from another mail server.
> So we only want email from our mail server to pass through our SMTP 
> virtual server. SPAMMERS who use the SMTP virtual server do not send email 
> from our Exchange server. Hope that makes sense and my interpretation is also 
> correct. I do think it is because I was also getting those type of 
> password confirmations like you are and since I closed the open relay it 
> has not happened since. Maybe we can get someone else or an MVP to chime 
> in and clarify this. If you do find it to be incorrect or find a better 
> explanation I'd like to hear about it. Good luck.
>
> "markus" <mark@nospam.com> wrote in message 
> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>> OK, I've unchecked 'Allow all computers which successfully authenticate 
>> to
>> relay', and put in the IP address of the server only...
>> but a question..... outside users would not be 'authenticated' users 
>> would they?  By authenticated, they mean logged onto the network?
>> Why not  allow authenticated users to relay if they are all inhouse 
>> anyway....
>> or............
>> could it be that a remote user, logging on thru terminal server, is 
>> actually doing the relaying...  if he had for instance, mydoom, which 
>> adds an SMTP server, infecting his remote PC... and then logged onto the 
>> network thru TS...  could that be then relaying  thru exchange...?
>> ..sounds logical to me..  what you think?
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>> You need to uncheck 'Allow all computers which successfully authenticate 
>>> to relay,
>>> regardless of the list above'. This is what is allowing outside users to 
>>> use your SMTP relay.
>>> Otherwise the listed server above does no good. We want "Only the listed 
>>> below" which should be the internal IP of your Exchange server. Give it 
>>> a try and of course monitor it over the next day or so.
>>>
>>>
>>> "markus" <mark@nospam.com> wrote in message 
>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>> Could you elaborate a bit please...
>>>> In the default SMTP virtual server properties / relay ....
>>>> I have the box: 'Only the list below' (and nothing in the list) 
>>>> checked and
>>>> checked - 'Allow all computers which successfully authenticate to relay, 
>>>> regardless of the list above'
>>>>
>>>> is this not right??
>>>> There is a terminal server on this network... could that be involved in 
>>>> this relay someway?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>> Looks like someone is using your SMTP virtual server for relaying. You 
>>>>> need to turn that off unless you have a specific reason to have it on. 
>>>>> You should only "allow" the internal IP address of your mail server to 
>>>>> use relay on this server.
>>>>>
>>>>>
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>> Ok...
>>>>>>
>>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>>> email that concern me.
>>>>>>
>>>>>> Is the users box (outlook 2003) he will have a bunch of email to:
>>>>>>
>>>>>> from: System Administrator                     subject: 
>>>>>> undeliverable: You have sucessfully updated your password.
>>>>>>
>>>>>> *******This is the header from one of those
>>>>>>
>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>
>>>>>> From: postmaster@mydomain.com
>>>>>>
>>>>>> To: user@mydomain.com
>>>>>>
>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>>
>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>
>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>
>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>
>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>
>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>
>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>
>>>>>> Content-Type: message/delivery-status
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>
>>>>>> Content-Type: message/rfc822
>>>>>>
>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>
>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>
>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>> EXIST.************************
>>>>>>
>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>>>>
>>>>>> ****Ok, the mail was undeliverable because josh does not exist... but 
>>>>>> where is the sender (info@mydomain.com) coming from?
>>>>>>
>>>>>> Subject: You have successfully updated your password
>>>>>>
>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>>
>>>>>> Content-Type: multipart/mixed;
>>>>>>
>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>
>>>>>> X-Priority: 3
>>>>>>
>>>>>> X-MSMail-Priority: Normal
>>>>>>
>>>>>> Return-Path: info@mydomain.com
>>>>>>
>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>
>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>
>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>
>>>>>> Content-Type: text/html;
>>>>>>
>>>>>> charset="ISO-8859-1"
>>>>>>
>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>
>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>
>>>>>> Content-Type: application/octet-stream;
>>>>>>
>>>>>> name="email-password.zip"
>>>>>>
>>>>>> Content-Transfer-Encoding: base64
>>>>>>
>>>>>> Content-Disposition: attachment;
>>>>>>
>>>>>> filename="email-password.zip"
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>
>>>>>>
>>>>>>
>>>>>> ?????? if he is getting this mail returned to him, does it not mean 
>>>>>> that he is sending it?... but he's not. Does that mean that the virus 
>>>>>> is on his PC?? But I've scanned for it several times and not found it 
>>>>>> at all, ever...
>>>>>>
>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>>> begin to figure this out......
>>>>>>
>>>>>> ********************************************************************************
>>>>>>
>>>>>> The other type pof email he will receive is from, for instance,
>>>>>>
>>>>>> Administrator@mydomain.com Subject; You have sucessfully updated your 
>>>>>> password
>>>>>>
>>>>>> Here is the header info from one of those:
>>>>>>
>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>
>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the legit 
>>>>>> IP address of the server here...*****************8
>>>>>>
>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>
>>>>>> From: administrator@mydomain.com
>>>>>>
>>>>>> To: real user@mydomain.com
>>>>>>
>>>>>> Subject: You have successfully updated your password
>>>>>>
>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>>
>>>>>> Content-Type: multipart/mixed;
>>>>>>
>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>
>>>>>> X-Priority: 3
>>>>>>
>>>>>> X-MSMail-Priority: Normal
>>>>>>
>>>>>> Return-Path: administrator@mydomain.com
>>>>>>
>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>
>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>
>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>
>>>>>> Content-Type: text/html;
>>>>>>
>>>>>> charset="ISO-8859-1"
>>>>>>
>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>
>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>
>>>>>> Content-Type: application/octet-stream;
>>>>>>
>>>>>> name="new-password.zip"
>>>>>>
>>>>>> Content-Transfer-Encoding: base64
>>>>>>
>>>>>> Content-Disposition: attachment;
>>>>>>
>>>>>> filename="new-password.zip"
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>
>>>>>>
>>>>>>
>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>> server...?
>>>>>>
>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>> that coming from... Im so confused......
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>> originating domain which may or may not do you any good as spammers 
>>>>>>> are always constantly changing them. However I've had good results 
>>>>>>> blocking the ISP IP which is usually foreign and does not affect 
>>>>>>> legitimate emails. Also you may want to turn off Relay in case they 
>>>>>>> are relaying through your SMTP. Do you use the IMF Companion? You 
>>>>>>> may want to turn on Performance Counters for IMF so you can 
>>>>>>> determine the correct SCL level you need to apply. Also using RBL's 
>>>>>>> is a good thing to do also.
>>>>>>>
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF filter 
>>>>>>>>so am sorta limited..
>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>> these emails coming from?
>>>>>>>> Is a system in my network sending them?
>>>>>>>> many are for users that do not exist in the network ......these are 
>>>>>>>> the 'undeliverable' ones...  but many go to legit users too..
>>>>>>>> I'm really trying to understand just what is going on...........who 
>>>>>>>> or shat is sending these mails. Is it internal or external?
>>>>>>>>
>>>>>>>> thanks
>>>>>>>> .
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>> We are using exchange 2003.
>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>>>> think)
>>>>>>>>> or from
>>>>>>>>>
>>>>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>>>>> password (this is the virus package)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>> server.
>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>> ..I did a google on 'your password has been updated" that led me 
>>>>>>>>> to MyDoom......
>>>>>>>>>
>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>
>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>
>>>>>>>>> thanks for the help ;)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
Ben
6/15/2005 4:53:10 PM
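Ben's advice above (read the Received: lines of an actual message; an internal origin points to an infected host, and all-local recipients mean relaying is not the problem) worked through as an added example that is not part of the original thread. The two samples are constructed from the header dumps markus posted; the local domains, the LAN range, the address standing in for x.x.x.x and the list of real mailboxes are assumptions.

```python
# Added example, not code from the thread: triage the "password updated" mails the
# way Ben describes, from their headers.  Domains, networks and mailboxes are assumed.
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.com", "mydomain.local"}            # assumed local domains
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN range
SERVER_OWN_IP = ipaddress.ip_address("192.0.2.10")            # stands in for x.x.x.x
REAL_MAILBOXES = {"user", "administrator", "postmaster"}      # info and josh do not exist
# Exchange 2003 stamps: Received: from <helo> ([<ip>]) by <host> with Microsoft SMTPSVC(...)
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def parse_received(value):
    """Return {helo, ip, by} from one Received: header, or None if it is not in that form."""
    m = RECEIVED_RE.search(" ".join(str(value).split()))
    return m.groupdict() if m else None

def is_local_address(address):
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def is_internal_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return ip == SERVER_OWN_IP or any(ip in net for net in INTERNAL_NETWORKS)

def original_message(msg):
    """For a bounce (multipart/report) return the bounced original; otherwise msg itself."""
    if msg.get_content_type() == "multipart/report":
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0)
    return msg

def triage(raw):
    outer = email.message_from_string(raw, policy=policy.default)
    is_dsn = outer.get_content_type() == "multipart/report"
    orig = original_message(outer)
    hops = [h for h in map(parse_received, orig.get_all("Received", [])) if h]
    entry = hops[-1] if hops else None  # bottom-most Received: is where the mail was injected
    sender = parseaddr(str(orig.get("From", "")))[1]
    recipients = [parseaddr(str(a))[1] for a in orig.get_all("To", [])]
    findings = []
    if entry and is_internal_ip(entry["ip"]):
        findings.append(f"injected from inside the network ({entry['ip']}): look for an infected host")
    if recipients and all(is_local_address(r) for r in recipients):
        findings.append("all recipients are local: the relay settings are not what is being abused")
    if is_local_address(sender) and sender.split("@")[0].lower() not in REAL_MAILBOXES:
        findings.append(f"sender {sender} is not a real mailbox: the From address is forged")
    if is_dsn:
        findings.append("this is a bounce of that forged message, not mail the user sent")
    attachments = [p.get_filename() for p in orig.walk() if p.get_filename()]
    return {"dsn": is_dsn, "entry_ip": entry["ip"] if entry else None, "sender": sender,
            "recipients": recipients, "attachments": attachments, "findings": findings}

# Constructed sample modelled on the first dump markus posted (a bounce, DSN).
DSN_SAMPLE = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN"

--DSN
Content-Type: message/delivery-status

Final-Recipient: rfc822; josh@mydomain.com
Action: failed

--DSN
Content-Type: message/rfc822

Received: from mydomain.com ([192.0.2.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: application/octet-stream; name="email-password.zip"
Content-Disposition: attachment; filename="email-password.zip"

--INNER--

--DSN--
"""
# Constructed sample modelled on the second dump (the direct "administrator" message).
DIRECT_SAMPLE = """\
Received: from mydomain.com ([192.168.1.57]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: user@mydomain.com
Subject: You have successfully updated your password
Content-Type: application/octet-stream; name="new-password.zip"
Content-Disposition: attachment; filename="new-password.zip"

"""
```

Run `triage(DSN_SAMPLE)` and `triage(DIRECT_SAMPLE)` to see the findings for each of the two message types.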
Hey Ben,
I'm glad I found you and you were able to chime in. I guess at this point 
this information is more for my interest and knowledge than Marcus's, but he 
did start the thread. I'm a bit confused at what you just wrote.

"Unless you have a specific internal app that needs to relay, this list 
should be blank.  The internal IP of your Exchange server should NOT be in 
that list.  It should also be set at the default setting of "Only the list 
below".

You're telling me here my Exchange server's internal IP should not be listed, 
yet you then tell me that I need to set it to "Only the list below".
My question is, if there is nothing in the list, what purpose does this serve?



"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
> "Select which computers may relay through this VS" sets which "other" 
> computers (hostname or IP) can relay (anonymously) e-mail through your 
> Exchange server.  Unless you have a specific internal app that needs to 
> relay, this list should be blank.  The internal IP of your Exchange server 
> should NOT be in that list.  It should also be set at the default setting 
> of "Only the list below".
>
> "allow all computers which authenticate" is specifically for clients such 
> as IMAP or POP3 users that must send e-mail using your server.  It further 
> dictates that they MUST authenticate before being allowed to relay the 
> messages.  This does not deal with anonymous smtp sessions (such as mail 
> from other e-mail servers).  Outlook clients in MAPI mode do not relay 
> messages, so this only needs to be checked if you have IMAP or POP3 
> clients. How clients can authenticate is determined by the settings under 
> the authentication section.  I doubt that a virus would be able to 
> initiate an authenticated SMTP session.
>
> As far as where the messages are coming from, you need to look at the 
> headers of one of the actual messages.  If the headers from that message 
> indicate that it is internal, then you likely have an infected machine on 
> your network.  If they are all destined for local addresses (even if they 
> are invalid users), then there is no issue with relaying.  Relaying would 
> only be an issue if the messages are being sent to external addresses.
>
> Hope this helps.
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>


0
allen.miyake (137)
6/15/2005 5:13:20 PM
It serves to limit anonymous relay access to "only the list below".  If it 
is blank, then no computers will be able to anonymously relay.  Exchange 
doesn't relay mail off itself, so it doesn't need to be in there.  Since you 
have to make a choice (only the list below, or all except the list below), 
the best choice is "only the list below".

-- 
Ben Winzenz
Exchange MVP
MessageOne


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
> Hey Ben,
> I'm glad I found you and you were able to chime in. I guess at this point 
> this information is more for my interest and knowledge than Marcus's, but he 
> did start the thread. I'm a bit confused at what you just wrote.
>
> "Unless you have a specific internal app that needs to relay, this list 
> should be blank.  The internal IP of your Exchange server should NOT be in 
> that list.  It should also be set at the default setting of "Only the list 
> below".
>
> You're telling me here my Exchange server's internal IP should not be listed, 
> yet you then tell me that I need to set it to "Only the list below".
> My question is, if there is nothing in the list, what purpose does this 
> serve?
>
>
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>> "Select which computers may relay through this VS" sets which "other" 
>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>> Exchange server.  Unless you have a specific internal app that needs to 
>> relay, this list should be blank.  The internal IP of your Exchange 
>> server should NOT be in that list.  It should also be set at the default 
>> setting of "Only the list below".
>>
>> "allow all computers which authenticate" is specifically for clients such 
>> as IMAP or POP3 users that must send e-mail using your server.  It 
>> further dictates that they MUST authenticate before being allowed to 
>> relay the messages.  This does not deal with anonymous smtp sessions 
>> (such as mail from other e-mail servers).  Outlook clients in MAPI mode 
>> do not relay messages, so this only needs to be checked if you have IMAP 
>> or POP3 clients. How clients can authenticate is determined by the 
>> settings under the authentication section.  I doubt that a virus would be 
>> able to initiate an authenticated SMTP session.
>>
>> As far as where the messages are coming from, you need to look at the 
>> headers of one of the actual messages.  If the headers from that message 
>> indicate that it is internal, then you likely have an infected machine on 
>> your network.  If they are all destined for local addresses (even if they 
>> are invalid users), then there is no issue with relaying.  Relaying would 
>> only be an issue if the messages are being sent to external addresses.
>>
>> Hope this helps.
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>> This may be a bit above and beyond as to how well I can explain it so do 
>>> not write this in stone. Here's my interpretation.
>>> "Select which computer may relay through this virtual server" By 
>>> selecting this we are saying that only email that passes through this 
>>> email server may send outside.
>>> "Allow all computers which successfully authenticate to relay, 
>>> regardless of the list above". What this is saying is that anyone can go 
>>> through this SMTP relay without passing through the server above. Which 
>>> means they can send an email from another mail server.
>>> So we only want email from our mail server to pass through our SMTP 
>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>> email from our Exchange server. Hope that makes sense and my interpretation 
>>> is also correct. I do think it is because I was also getting those type 
>>> of password confirmations like you are and since I closed the open relay 
>>> it has not happened since. Maybe we can get someone else or an MVP to 
>>> chime in and clarify this. If you do find it to be incorrect or find a 
>>> better explanation I'd like to hear about it. Good luck.
>>>
>>> "markus" <mark@nospam.com> wrote in message 
>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>> OK, I've unchecked "'Allow all computers which successfully authenticate 
>>>> to
>>>> relay', and put in the IP address of the server only...
>>>> but a question..... outside users would not be 'authenticated' users 
>>>> would they?  By authenticated, they mean logged onto the network?
>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>> anyway....
>>>> or............
>>>> could it be that a remote user, logging on thru terminal server, is 
>>>> actually doing the relaying...  if he had for instance, mydoom, which 
>>>> adds an SMTP server, infecting his remote PC... and then logged onto 
>>>> the network thru TS...  could that be then relaying  thru exchange...?
>>>> ..sounds logical to me..  what you think?
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>> authenticate to relay,
>>>>> regardless of the list above" This is what is allowing outside users 
>>>>> to to use your SMTP relay.
>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>> listed below" which should be the internal IP of your Exchange server. 
>>>>> Give it a try and of course monitor it over the next day or so.
>>>>>
>>>>>
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>> Could you elaborate a bit please...
>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>> checked and
>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>> relay, regardless of the list above'
>>>>>>
>>>>>> is this not right??
>>>>>> There is a terminal server on this network... could that be involved 
>>>>>> in this relay someway?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>> Looks like someone is using your SMTP virtual server for relaying. 
>>>>>>> You need to turn that off unless you have a specific reason to have 
>>>>>>> it on. You should only "allow" the internal IP address of your mail 
>>>>>>> server to use relay on this server.
>>>>>>>
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>> Ok...
>>>>>>>>
>>>>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>>>>> email that concern me.
>>>>>>>>
>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of emails like:
>>>>>>>>
>>>>>>>> from: System Administrator                     subject: 
>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>
>>>>>>>> *******This is the header from one of those
>>>>>>>>
>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>
>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>
>>>>>>>> To: user@mydomain.com
>>>>>>>>
>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>
>>>>>>>> MIME-Version: 1.0
>>>>>>>>
>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>
>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>
>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>
>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>
>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>
>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>
>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>
>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>
>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>
>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>
>>>>>>>> Content-Type: message/rfc822
>>>>>>>>
>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>>>
>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>
>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>> EXIST.************************
>>>>>>>>
>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>>>>>>
>>>>>>>> ****Ok, the mail was undeliverable because josh does not exist... 
>>>>>>>> but where is the sender (info@mydomain.com) coming from?
>>>>>>>>
>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>
>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>
>>>>>>>> MIME-Version: 1.0
>>>>>>>>
>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>
>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>
>>>>>>>> X-Priority: 3
>>>>>>>>
>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>
>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>
>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>
>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>
>>>>>>>> Content-Type: text/html;
>>>>>>>>
>>>>>>>> charset="ISO-8859-1"
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>
>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>
>>>>>>>> name="email-password.zip"
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>
>>>>>>>> Content-Disposition: attachment;
>>>>>>>>
>>>>>>>> filename="email-password.zip"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>
>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ?????? if he is getting this mail returned to him, does it not mean 
>>>>>>>> that he is sending it?... but he's not. Does that mean that the 
>>>>>>>> virus is on his PC?? But I've scanned for it several times and not 
>>>>>>>> found it at all, ever...
>>>>>>>>
>>>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>>>>> begin to figure this out......
>>>>>>>>
>>>>>>>> ********************************************************************************
>>>>>>>>
>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>
>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>> your password
>>>>>>>>
>>>>>>>> Here is the header info from one of those:
>>>>>>>>
>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>
>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the 
>>>>>>>> legit IP address of the server here...*****************
>>>>>>>>
>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>
>>>>>>>> From: administrator@mydomain.com
>>>>>>>>
>>>>>>>> To: real user@mydomain.com
>>>>>>>>
>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>
>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>
>>>>>>>> MIME-Version: 1.0
>>>>>>>>
>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>
>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>
>>>>>>>> X-Priority: 3
>>>>>>>>
>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>
>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>
>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>
>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>
>>>>>>>> Content-Type: text/html;
>>>>>>>>
>>>>>>>> charset="ISO-8859-1"
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>
>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>
>>>>>>>> name="new-password.zip"
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>
>>>>>>>> Content-Disposition: attachment;
>>>>>>>>
>>>>>>>> filename="new-password.zip"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>>>> server...?
>>>>>>>>
>>>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>>>> that coming from... Im so confused......
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>> good results blocking the ISP IP which is usually foreign and does 
>>>>>>>>> not affect legitimate emails. Also you may want to turn off Relay 
>>>>>>>>> in case they are relaying through your SMTP. Do you use the IMF 
>>>>>>>>> Companion? You may want to turn on Performance Counters for IMF so 
>>>>>>>>> you can determine the correct SCL level you need to apply. Also 
>>>>>>>>> using RBL's is a good thing to do also.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>> these emails coming from?
>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users too..
>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>> on...........who or what is sending these mails. Is it internal 
>>>>>>>>>> or external?
>>>>>>>>>>
>>>>>>>>>> thanks
>>>>>>>>>> .
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>>>>>> think)
>>>>>>>>>>> or from
>>>>>>>>>>>
>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>>>> server.
>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>> ..I did a google on 'your password has been updated" that led me 
>>>>>>>>>>> to MyDoom......
>>>>>>>>>>>
>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>
>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>
>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
Ben
6/15/2005 5:20:10 PM
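The Received headers markus posted are the evidence Ben's advice turns on: the bracketed address in the bottom-most Received line is the TCP peer Exchange accepted the connection from, and the name in front of it is only what that client claimed in HELO. As an added example (not code from the thread), the script below parses the two message shapes seen in the thread, a DSN wrapping a bounced original and a direct message, and classifies where each one entered the server. The sample messages are constructed to mirror the posted headers; 203.0.113.10 stands in for the server's public IP "x.x.x.x" and 10.0.0.25 for an assumed internal workstation, neither of which appears in the thread.

```python
"""Header triage for the two message shapes in the thread (added example, not
code from the thread). Samples are constructed to mirror the headers markus
posted: 203.0.113.10 (a documentation address) stands in for the server's public
IP "x.x.x.x", and 10.0.0.25 is an assumed internal workstation."""
import email
import ipaddress
import re

OWN_PUBLIC_IPS = {"203.0.113.10"}   # assumed: address(es) the server is reached at
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# SMTPSVC writes "from <HELO name> ([<peer IP>]) by <host>": the name is whatever
# the client claimed, the bracketed IP is the TCP peer the connection came from.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

SAMPLE_DSN = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN"

--DSN
Content-Type: message/rfc822

Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with
 Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: application/octet-stream; name="email-password.zip"
Content-Disposition: attachment; filename="email-password.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--INNER--

--DSN--
"""

SAMPLE_DIRECT = """\
Received: from mydomain.com ([10.0.0.25]) by EXCHANGE.mydomain.local with
 Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: realuser@mydomain.com
Subject: You have successfully updated your password
Content-Type: application/octet-stream; name="new-password.zip"
Content-Disposition: attachment; filename="new-password.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
"""


def first_hop(msg):
    """Parse the bottom-most Received header: the hop where the message entered."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(str(received[-1]).split()))
    return m.groupdict() if m else None


def embedded_original(msg):
    """For a DSN (multipart/report), return the bounced original message."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_origin(ip_text, own_public_ips=OWN_PUBLIC_IPS):
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "internal-private"       # a LAN host handed it to Exchange
    if ip in {ipaddress.ip_address(p) for p in own_public_ips}:
        return "internal-own-public"    # via our own NAT, or the server host itself
    return "external"


def triage(raw, own_public_ips=OWN_PUBLIC_IPS):
    """Summarise who submitted a message (or, for a bounce, its bounced original)."""
    outer = email.message_from_string(raw)
    is_bounce = (outer.get_content_type() == "multipart/report"
                 and outer.get_param("report-type") == "delivery-status")
    msg = (embedded_original(outer) if is_bounce else None) or outer
    hop = first_hop(msg) or {}
    return {
        "kind": "bounce" if is_bounce else "direct",
        "sender": msg.get("From"),
        "recipient": msg.get("To"),
        "helo": hop.get("helo"),
        "ip": hop.get("ip"),
        "origin": classify_origin(hop["ip"], own_public_ips) if hop else "unknown",
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }
```

A peer address equal to the server's own public IP, which is what markus saw, means the session came in through the organisation's own NAT or from the server host itself, not from the Internet. Because the forged sender addresses (info@, administrator@) are in the local domain, the NDRs Exchange generates for nonexistent recipients land back in local mailboxes, which is the first kind of message in the thread. Run `triage()` over an export of the affected mailbox and group the results by `ip` and `helo` to find the submitting machine.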
This is getting better and better. In my case we are an SBS 2003 and Exchange 
2003 environment. We host our own SMTP server and use OWA. We have remote 
clients who have three alternatives on how they can access email at home. 1. 
OWA. 2. Outlook as a Citrix Published Application and 3. Remote connect to 
our Citrix server desktop and use Outlook from the desktop.
So I should have "Only the listed below" with no servers listed.
and should not have the "Allow all computers which successfully authenticate 
to relay, regardless of the list above" checked? I do not want to have open 
relay enabled as I do not think I have a need for it. Thanks again Ben.

"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
> It serves to limit anonymous relay access to "only the list below".  If it 
> is blank, then no computers will be able to anonymously relay.  Exchange 
> doesn't relay mail off itself, so it doesn't need to be in there.  Since 
> you have to make a choice (only the list below, or all except the list 
> below), the best choice is "only the list below".
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>> Hey Ben,
>> I'm glad I found you and you were able to chime in. I guess at this point 
>> this information is more for my interest and knowledge than Marcus but he 
>> did start the thread. I'm a bit confused at what you just wrote.
>>
>> "Unless you have a specific internal app that needs to relay, this list 
>> should be blank.  The internal IP of your Exchange server should NOT be 
>> in that list.  It should also be set at the default setting of "Only the 
>> list below".
>>
>> You're telling me here my Exchange server's internal IP should not be 
>> listed, yet you then tell me that I need to set it to "Only the list 
>> below".
>> My question is if there is nothing in the list what purpose does this 
>> serve?
>>
>>
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>> "Select which computers may relay through this VS" sets which "other" 
>>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>>> Exchange server.  Unless you have a specific internal app that needs to 
>>> relay, this list should be blank.  The internal IP of your Exchange 
>>> server should NOT be in that list.  It should also be set at the default 
>>> setting of "Only the list below".
>>>
>>> "allow all computers which authenticate" is specifically for clients 
>>> such as IMAP or POP3 users that must send e-mail using your server.  It 
>>> further dictates that they MUST authenticate before being allowed to 
>>> relay the messages.  This does not deal with anonymous smtp sessions 
>>> (such as mail from other e-mail servers).  Outlook clients in MAPI mode 
>>> do not relay messages, so this only needs to be checked if you have IMAP 
>>> or POP3 clients. How clients can authenticate are determined by the 
>>> settings under the authentication section.  I doubt that a virus would 
>>> be able to initiate an authenticated SMTP session.
>>>
>>> As far as where the messages are coming from, you need to look at the 
>>> headers of one of the actual messages.  If the headers from that message 
>>> indicate that it is internal, then you likely have an infected machine 
>>> on your network.  If they are all destined for local addresses (even if 
>>> they are invalid users), then there is no issue with relaying.  Relaying 
>>> would only be an issue if the messages are being sent to external 
>>> addresses.
>>>
>>> Hope this helps.
>>>
>>> -- 
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>> This may be a bit above and beyond as to how well I can explain it so 
>>>> do not write this in stone. Here's my interpretation.
>>>> "Select which computer may relay through this virtual server" By 
>>>> selecting this we are saying that only email that passes through this 
>>>> email server may send outside.
>>>> "Allow all computers which successfully authenticate to relay, 
>>>> regardless of the list above". What this is saying is that anyone can 
>>>> go through this SMTP relay without passing through the server above. 
>>>> Which means they can send an email from another mail server.
>>>> So we only want email from our mail server to pass through our SMTP 
>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>> email from our Exchange server. Hope that makes sense and my 
>>>> interpretation is also correct. I do think it is because I was also 
>>>> getting those type of password confirmations like you are and since I 
>>>> closed the open relay it has not happened since. Maybe we can get 
>>>> someone else or an MVP to chime in and clarify this. If you do find it 
>>>> to be incorrect or find a better explanation I'd like to hear about 
>>>> it. Good luck.
>>>>
>>>> "markus" <mark@nospam.com> wrote in message 
>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>> OK, I've unchecked 'Allow all computers which successfully 
>>>>> authenticate to
>>>>> relay', and put in the IP address of the server only...
>>>>> but a question..... outside users would not be 'authenticated' users 
>>>>> would they?  By authenticated, they mean logged onto the network?
>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>> anyway....
>>>>> or............
>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>> actually doing the relaying...  if he had for instance, mydoom, which 
>>>>> adds an SMTP server, infecting his remote PC... and then logged onto 
>>>>> the network thru TS...  could that be then relaying  thru exchange...?
>>>>> ..sounds logical to me..  what you think?
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>> you need to uncheck "Allow all computers which successfully 
>>>>>> authenticate to relay,
>>>>>> regardless of the list above" This is what is allowing outside users 
>>>>>> to use your SMTP relay.
>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>> so.
>>>>>>
>>>>>>
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>> Could you elaborate a bit please...
>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>> checked and
>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>> relay, regardless of the list above'
>>>>>>>
>>>>>>> is this not right??
>>>>>>> There is a terminal server on this network... could that be involved 
>>>>>>> in this relay someway?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>> Looks like someone is using your SMTP virtual server for relaying. 
>>>>>>>> You need to turn that off unless you have a specific reason to have 
>>>>>>>> it on. You should only "allow" the internal IP address of your mail 
>>>>>>>> server to use relay on this server.
>>>>>>>>
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>> Ok...
>>>>>>>>>
>>>>>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>>>>>> email that concern me.
>>>>>>>>>
>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email like:
>>>>>>>>>
>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>
>>>>>>>>> *******This is the header from one of those
>>>>>>>>>
>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>
>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>
>>>>>>>>> To: user@mydomain.com
>>>>>>>>>
>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>
>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>
>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>
>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>
>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>
>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>
>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>
>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>
>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>
>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>
>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>>>>
>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>
>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>> EXIST.************************
>>>>>>>>>
>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>> EITHER*******
>>>>>>>>>
>>>>>>>>> ****Ok, the mail was undeliverable because josh does not exist... 
>>>>>>>>> but where is the sender (info@mydomain.com) coming from?
>>>>>>>>>
>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>
>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>
>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>
>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>
>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>
>>>>>>>>> X-Priority: 3
>>>>>>>>>
>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>
>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>
>>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>
>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>
>>>>>>>>> Content-Type: text/html;
>>>>>>>>>
>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>
>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>
>>>>>>>>> name="email-password.zip"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>
>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>
>>>>>>>>> filename="email-password.zip"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>> mean that he is sending it?... but he's not. Does that mean that 
>>>>>>>>> the virus is on his PC?? But I've scanned for it several times and 
>>>>>>>>> not found it at all, ever...
>>>>>>>>>
>>>>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>>>>>> begin to figure this out......
>>>>>>>>>
>>>>>>>>> ********************************************************************************
>>>>>>>>>
>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>
>>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>>> your password
>>>>>>>>>
>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>
>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>
>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the 
>>>>>>>>> legit IP address of the server here...*****************
>>>>>>>>>
>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>
>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>
>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>
>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>
>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>
>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>
>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>
>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>
>>>>>>>>> X-Priority: 3
>>>>>>>>>
>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>
>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>
>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>
>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>
>>>>>>>>> Content-Type: text/html;
>>>>>>>>>
>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>
>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>
>>>>>>>>> name="new-password.zip"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>
>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>
>>>>>>>>> filename="new-password.zip"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>>>>> server...?
>>>>>>>>>
>>>>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>>>>> that coming from... Im so confused......
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>> does not affect legitimate emails. Also you may want to turn off 
>>>>>>>>>> Relay in case they are relaying through your SMTP. Do you use the 
>>>>>>>>>> IMF Companion? You may want to turn on Performance Counters for 
>>>>>>>>>> IMF so you can determine the correct SCL level you need to apply. 
>>>>>>>>>> Also using RBL's is a good thing to do also.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>>> these emails coming from?
>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users 
>>>>>>>>>>> too..
>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>> on...........who or what is sending these mails. Is it internal 
>>>>>>>>>>> or external?
>>>>>>>>>>>
>>>>>>>>>>> thanks
>>>>>>>>>>> .
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>> package I think)
>>>>>>>>>>>> or from
>>>>>>>>>>>>
>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>>>>> server.
>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>>> ..I did a google on 'your password has been updated" that led 
>>>>>>>>>>>> me to MyDoom......
>>>>>>>>>>>>
>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>
>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>
>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/15/2005 5:36:07 PM
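To make the relay settings discussed above concrete, here is an added example (not from the thread, and not Microsoft's code) that models the decision Exchange 2003's SMTP virtual server makes on each RCPT TO under the two controls, "Only the list below" and "Allow all computers which successfully authenticate to relay", and then probes a server the way an outside relay test does. The fake SMTP server is an assumption standing in for Exchange so that everything runs on loopback; mydomain.com is the thread's placeholder domain, and example.net/example.org are assumed foreign domains.

```python
"""Model the Exchange 2003 SMTP virtual server relay settings and probe them.

Added example, not code from the thread or from Microsoft. The fake server
stands in for Exchange so the probe runs offline: "relay_hosts" models the
"Only the list below" list and "allow_authenticated_relay" models the "Allow
all computers which successfully authenticate to relay" checkbox. Only probe
servers you are responsible for."""
import smtplib
import socketserver
import threading


class RelayPolicy:
    def __init__(self, local_domains, relay_hosts=(), allow_authenticated_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_hosts = set(relay_hosts)
        self.allow_authenticated_relay = allow_authenticated_relay

    def accept_rcpt(self, rcpt, peer_ip, authenticated):
        """Decide one RCPT TO. Only mail bound for a foreign domain is relaying."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True                  # inbound delivery, never a relay question
        if peer_ip in self.relay_hosts:
            return True                  # host on the "only the list below" list
        return authenticated and self.allow_authenticated_relay


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP for smtplib; it offers no AUTH, so every session is anonymous."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        policy = self.server.policy
        peer_ip = self.client_address[0]
        self.reply("220 exchange.mydomain.local ESMTP (fake)")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 exchange.mydomain.local")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                rcpt = arg.split(":", 1)[-1].strip().strip("<>")
                if policy.accept_rcpt(rcpt, peer_ip, authenticated=False):
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay for " + rcpt)
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("250 2.0.0 OK")


def probe_relay(host, port, mail_from="probe@example.net", rcpt_to="someone@example.org"):
    """True if an anonymous session may send foreign-to-foreign mail (an open relay)."""
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=5) as smtp:
        smtp.ehlo()
        smtp.mail(mail_from)
        code, _ = smtp.rcpt(rcpt_to)
        return code == 250


def probe_policy(policy):
    """Start a fake server with the given settings on loopback, probe it, stop it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    server.policy = policy
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_relay("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    closed = RelayPolicy({"mydomain.com"})                              # Ben's recommended setting
    listed = RelayPolicy({"mydomain.com"}, relay_hosts={"127.0.0.1"})   # the probe's own address listed
    print("empty list, no authenticated relay: open relay?", probe_policy(closed))
    print("probe's address on the list:        open relay?", probe_policy(listed))
```

The probe is the same check an outsider or a blacklist operator runs: anonymous session, foreign MAIL FROM, foreign RCPT TO. A 250 there is an open relay; a 550 is the closed setting Ben describes. Note what the policy never touches: mail addressed to a local domain is accepted regardless of the relay list, so the NDR storm in the thread would continue with a correctly closed relay if the sending machine is inside the network. Run a real probe against your server's public address from outside the network, since a test from inside only exercises whatever your own NAT address is allowed to do.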
Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need to 
allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
services disabled by default, so you'd know if you had enabled them.

-- 
Ben Winzenz
Exchange MVP
MessageOne


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
> This is getting better and better. In my case we are an SBS 2003 and 
> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
> have remote clients who have three alternatives on how they can access 
> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 3. 
> Remote connect to our Citrix server desktop and use Outlook from the 
> desktop.
> So I should have "Only the listed below" with no servers listed.
> and should not have the "Allow all computers which successfully 
> authenticate to relay, regardless of the list above" checked? I do not 
> want to have open relay enabled as I do not think I have a need for it. 
> Thanks again Ben.
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>> It serves to limit anonymous relay access to "only the list below".  If 
>> it is blank, then no computers will be able to anonymously relay. 
>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>> there.  Since you have to make a choice (only the list below, or all 
>> except the list below), the best choice is "only the list below".
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>> Hey Ben,
>>> I'm glad I found you and you were able to chime in. I guess at this 
>>> point this information is more for my interest and knowledge than Marcus 
>>> but he did start the thread. I'm a bit confused at what you just wrote.
>>>
>>> "Unless you have a specific internal app that needs to relay, this list 
>>> should be blank.  The internal IP of your Exchange server should NOT be 
>>> in that list.  It should also be set at the default setting of "Only the 
>>> list below".
>>>
>>> You're telling me here my Exchange server's internal IP should not be 
>>> listed, yet you then tell me that I need to set it to "Only the list 
>>> below".
>>> My question is if there is nothing in the list what purpose does this 
>>> serve?
>>>
>>>
>>>
>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>> "Select which computers may relay through this VS" sets which "other" 
>>>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>>>> Exchange server.  Unless you have a specific internal app that needs to 
>>>> relay, this list should be blank.  The internal IP of your Exchange 
>>>> server should NOT be in that list.  It should also be set at the 
>>>> default setting of "Only the list below".
>>>>
>>>> "allow all computers which authenticate" is specifically for clients 
>>>> such as IMAP or POP3 users that must send e-mail using your server.  It 
>>>> further dictates that they MUST authenticate before being allowed to 
>>>> relay the messages.  This does not deal with anonymous smtp sessions 
>>>> (such as mail from other e-mail servers).  Outlook clients in MAPI mode 
>>>> do not relay messages, so this only needs to be checked if you have 
>>>> IMAP or POP3 clients. How clients can authenticate are determined by 
>>>> the settings under the authentication section.  I doubt that a virus 
>>>> would be able to initiate an authenticated SMTP session.
>>>>
>>>> As far as where the messages are coming from, you need to look at the 
>>>> headers of one of the actual messages.  If the headers from that 
>>>> message indicate that it is internal, then you likely have an infected 
>>>> machine on your network.  If they are all destined for local addresses 
>>>> (even if they are invalid users), then there is no issue with relaying. 
>>>> Relaying would only be an issue if the messages are being sent to 
>>>> external addresses.
>>>>
>>>> Hope this helps.
>>>>
>>>> -- 
>>>> Ben Winzenz
>>>> Exchange MVP
>>>> MessageOne
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>> This may be a bit above and beyond as to how well I can explain it so 
>>>>> do not write this in stone. Here's my interpretation.
>>>>> "Select which computer may relay through this virtual server" By 
>>>>> selecting this we are saying that only email that passes through this 
>>>>> email server may send outside.
>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>> regardless of the list above". What this is saying is that anyone can 
>>>>> go through this SMTP relay without passing through the server above. 
>>>>> Which means they can send an email from another mail server.
>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>>> email from our Exchange server. Hope that makes sense and my 
>>>>> interpretation is also correct. I do think it is because I was also 
>>>>> getting those type of password confirmations like you are and since I 
>>>>> closed the open relay it has not happened since. Maybe we can get 
>>>>> someone else or an MVP to chime in and clarify this. If you do find it 
>>>>> to be incorrect or find a better explanation I'd like to hear about 
>>>>> it. Good luck.
>>>>>
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>> OK, I've unchecked 'Allow all computers which successfully 
>>>>>> authenticate to
>>>>>> relay', and put in the IP address of the server only...
>>>>>> but a question..... outside users would not be 'authenticated' users 
>>>>>> would they?  By authenticated, they mean logged onto the network?
>>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>>> anyway....
>>>>>> or............
>>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>>> actually doing the relaying...  if he had for instance, mydoom, which 
>>>>>> adds an SMTP server, infecting his remote PC... and then logged onto 
>>>>>> the network thru TS...  could that be then relaying  thru 
>>>>>> exchange...?
>>>>>> ..sounds logical to me..  what you think?
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>> you need to uncheck "Allow all computers which successfully 
>>>>>>> authenticate to relay,
>>>>>>> regardless of the list above" This is what is allowing outside users 
>>>>>>> to use your SMTP relay.
>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>>> so.
>>>>>>>
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>> Could you elaborate a bit please...
>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>>> checked and
>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>> relay, regardless of the list above'
>>>>>>>>
>>>>>>>> is this not right??
>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>> involved in this relay someway?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>> Looks like someone is using your SMTP virtual server for relaying. 
>>>>>>>>> You need to turn that off unless you have a specific reason to 
>>>>>>>>> have it on. You should only "allow" the internal IP address of 
>>>>>>>>> your mail server to use relay on this server.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>> Ok...
>>>>>>>>>>
>>>>>>>>>> this is what I'm not understanding. There are basically 2 types 
>>>>>>>>>> of email that concern me.
>>>>>>>>>>
>>>>>>>>>> Is the users box (outlook 2003) he will have a bunch of email to:
>>>>>>>>>>
>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>
>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>
>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>
>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>
>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>
>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>
>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>
>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>
>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>
>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>
>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>
>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>
>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>
>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>
>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>>>>>
>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>
>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>> EXIST.************************
>>>>>>>>>>
>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>> EITHER*******
>>>>>>>>>>
>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not exist... 
>>>>>>>>>> but where is the sender (info@mydomain.com) coming from?
>>>>>>>>>>
>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>
>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>
>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>
>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>
>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>
>>>>>>>>>> X-Priority: 3
>>>>>>>>>>
>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>
>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>
>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>
>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>
>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>
>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>
>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>
>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>
>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean that 
>>>>>>>>>> the virus is on his PC?? But I've scanned for it several times 
>>>>>>>>>> and not found it at all, ever...
>>>>>>>>>>
>>>>>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>>>>>> somehow? is his PC sending them out somehow? I don't know where 
>>>>>>>>>> to begin to figure this out......
>>>>>>>>>>
>>>>>>>>>> ********************************************************************************
>>>>>>>>>>
>>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>>
>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>>>> your password
>>>>>>>>>>
>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>
>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>
>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>> ****where x.x.x. is the legit IP address of the server 
>>>>>>>>>> here...*****************
>>>>>>>>>>
>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>
>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>
>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>
>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>
>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>
>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>
>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>
>>>>>>>>>> X-Priority: 3
>>>>>>>>>>
>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>
>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>
>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>
>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>
>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>
>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>
>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>
>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>
>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>> own server...?
>>>>>>>>>>
>>>>>>>>>> Plus, what about the system administrator returned email? where 
>>>>>>>>>> is that coming from... I'm so confused......
>>>>>>>>>>
>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>>> does not affect legitimate emails. Also you may want to turn off 
>>>>>>>>>>> Relay in case they are relaying through your SMTP. Do you use 
>>>>>>>>>>> the IMF Companion? You may want to turn on Performance Counters 
>>>>>>>>>>> for IMF so you can determine the correct SCL level you need to 
>>>>>>>>>>> apply. Also using RBL's is a good thing to do also.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>filter so am sorta limited..
>>>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>>>> these emails coming from?
>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users 
>>>>>>>>>>>> too..
>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>> on...........who or what is sending these mails. Is it internal 
>>>>>>>>>>>> or external?
>>>>>>>>>>>>
>>>>>>>>>>>> thanks
>>>>>>>>>>>> .
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>>> package I think)
>>>>>>>>>>>>> or from
>>>>>>>>>>>>>
>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>> the server.
>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that led 
>>>>>>>>>>>>> me to MyDoom......
>>>>>>>>>>>>>
>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>
>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>
>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
Ben
6/15/2005 6:04:38 PM
Great. Thanks again Ben. I hope this helps out Marcus also.

"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need to 
> allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
> services disabled by default, so you'd know if you had enabled them.
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>> This is getting better and better. In my case we are a SBS 2003 and 
>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>> have remote clients who have three alternatives on how they can access 
>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 
>> 3. Remote connect to our Citrix server desktop and use Outlook from the 
>> desktop.
>> So I should have "Only the listed below" with no servers listed.
>> and should not have the "Allow all computers which successfully 
>> authenticate to relay, regardless of the list above" checked? I do not 
>> want to have open relay enabled as I do not think I have a need for it. 
>> Thanks again Ben.
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>> It serves to limit anonymous relay access to "only the list below".  If 
>>> it is blank, then no computers will be able to anonymously relay. 
>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>> there.  Since you have to make a choice (only the list below, or all 
>>> except the list below), the best choice is "only the list below".
>>>
>>> -- 
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>> Hey Ben,
>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>> point this information is more for my interest and knowledge than 
>>>> Marcus but he did start the thread. I'm a bit confused at what you just 
>>>> wrote.
>>>>
>>>> "Unless you have a specific internal app that needs to relay, this list 
>>>> should be blank.  The internal IP of your Exchange server should NOT be 
>>>> in that list.  It should also be set at the default setting of "Only 
>>>> the list below".
>>>>
>>>> You're telling me here my Exchange server's internal IP should not be 
>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>> below".
>>>> My question is if there is nothing in the list what purpose does this 
>>>> serve?
>>>>
>>>>
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>> "Select which computers may relay through this VS" sets which "other" 
>>>>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>>>>> Exchange server.  Unless you have a specific internal app that needs 
>>>>> to relay, this list should be blank.  The internal IP of your Exchange 
>>>>> server should NOT be in that list.  It should also be set at the 
>>>>> default setting of "Only the list below".
>>>>>
>>>>> "allow all computers which authenticate" is specifically for clients 
>>>>> such as IMAP or POP3 users that must send e-mail using your server. 
>>>>> It further dictates that they MUST authenticate before being allowed 
>>>>> to relay the messages.  This does not deal with anonymous smtp 
>>>>> sessions (such as mail from other e-mail servers).  Outlook clients in 
>>>>> MAPI mode do not relay messages, so this only needs to be checked if 
>>>>> you have IMAP or POP3 clients. How clients can authenticate is 
>>>>> determined by the settings under the authentication section.  I doubt 
>>>>> that a virus would be able to initiate an authenticated SMTP session.
>>>>>
>>>>> As far as where the messages are coming from, you need to look at the 
>>>>> headers of one of the actual messages.  If the headers from that 
>>>>> message indicate that it is internal, then you likely have an infected 
>>>>> machine on your network.  If they are all destined for local addresses 
>>>>> (even if they are invalid users), then there is no issue with 
>>>>> relaying. Relaying would only be an issue if the messages are being 
>>>>> sent to external addresses.
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> -- 
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>> This may be a bit above and beyond as to how well I can explain it so 
>>>>>> do not write this in stone. Here's my interpretation.
>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>> selecting this we are saying that only email that passes through this 
>>>>>> email server may send outside.
>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>> regardless of the list above". What this is saying is that anyone can 
>>>>>> go through this SMTP relay without passing through the server above. 
>>>>>> Which means they can send an email from another mail server.
>>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>>>> email from our Exchange server. Hope that makes sense and my 
>>>>>> interpretation is also correct. I do think it is because I was also 
>>>>>> getting those type of password confirmations like you are and since I 
>>>>>> closed the open relay it has not happened since. Maybe we can get 
>>>>>> someone else or an MVP to chime in and clarify this. If you do find 
>>>>>> it to be incorrect or find a better explanation I'd like to hear 
>>>>>> about it. Good luck.
>>>>>>
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>>>> authenticate to
>>>>>>> relay', and put in the IP address of the server only...
>>>>>>> but a question..... outside users would not be 'authenticated' users 
>>>>>>> would they?  By authenticated, they mean logged onto the network?
>>>>>>> Why not allow authenticated users to relay if they are all in-house 
>>>>>>> anyway....
>>>>>>> or............
>>>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>>>> actually doing the relaying...  if he had for instance, mydoom, 
>>>>>>> which adds an SMTP server, infecting his remote PC... and then 
>>>>>>> logged onto the network thru TS...  could that be then relaying 
>>>>>>> thru exchange...?
>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>>>> authenticate to relay,
>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>> users to use your SMTP relay.
>>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>>>> so.
>>>>>>>>
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>>>> checked and
>>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>
>>>>>>>>> is this not right??
>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>> involved in this relay someway?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>> Ok...
>>>>>>>>>>>
>>>>>>>>>>> this is what I'm not understanding. There are basically 2 types 
>>>>>>>>>>> of email that concern me.
>>>>>>>>>>>
>>>>>>>>>>> Is the users box (outlook 2003) he will have a bunch of email 
>>>>>>>>>>> to:
>>>>>>>>>>>
>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>
>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>
>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>
>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>
>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>
>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>
>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>
>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>
>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>
>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>
>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>
>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>
>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>> EITHER*******
>>>>>>>>>>>
>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>> from?
>>>>>>>>>>>
>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>
>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>
>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>
>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>
>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>
>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>
>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Message-ID: 
>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>
>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>
>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>
>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>
>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>
>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean that 
>>>>>>>>>>> the virus is on his PC?? But I've scanned for it several times 
>>>>>>>>>>> and not found it at all, ever...
>>>>>>>>>>>
>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>
>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>
>>>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>>>
>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>>>>> your password
>>>>>>>>>>>
>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>
>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>
>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>>> ****where x.x.x. is the legit IP address of the server 
>>>>>>>>>>> here...*****************
>>>>>>>>>>>
>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>
>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>
>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>
>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>
>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>
>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>
>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>
>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Message-ID: 
>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>
>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>
>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>
>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>
>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>
>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>>> own server...?
>>>>>>>>>>>
>>>>>>>>>>> Plus, what about the system administrator returned email? where 
>>>>>>>>>>> is that coming from... I'm so confused......
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>> the email and click on View/Options. You can block the IP and 
>>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>>>> does not affect legitimate emails. Also you may want to turn 
>>>>>>>>>>>> off Relay in case they are relaying through your SMTP. Do you 
>>>>>>>>>>>> use the IMF Companion? You may want to turn on Performance 
>>>>>>>>>>>> Counters for IMF so you can determine the correct SCL level you 
>>>>>>>>>>>> need to apply. Also using RBL's is a good thing to do also.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>>filter so am sorta limited..
>>>>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>>>>> these emails coming from?
>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>
>>>>>>>>>>>>> thanks
>>>>>>>>>>>>> .
>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>>>> package I think)
>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that led 
>>>>>>>>>>>>>> me to MyDoom......
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/15/2005 6:11:08 PM
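As an added example (not code from anyone in this thread), here is a small Python script that reads a header like the ones markus pasted the way Ben describes it, deciding whether the connecting client was internal, whether the local From address is forged, and whether the message was actually relayed or only delivered locally, and that models the "Only the list below" / "allow all computers which successfully authenticate" settings so the effect of each checkbox and list entry can be checked, including a list entry with a subnet mask like the one the SBS wizard writes. The connecting IP, the internal subnets and the mailbox list are placeholders, since the thread masks the real address as x.x.x.x.

```python
"""Header triage and relay-policy model for the Exchange 2003 thread.

Added example, not code from anyone in the thread. The connecting IP, the
internal subnets and the mailbox list are placeholders: the thread masks the
real address as x.x.x.x.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the inner message of the DSN markus pasted
# (From info@, To josh@, neither mailbox exists). 192.168.1.10 is a placeholder.
SAMPLE_HEADERS = (
    "Received: from mydomain.com ([192.168.1.10]) by EXCHANGE.mydomain.local"
    " with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\t Tue, 14 Jun 2005 16:52:54 -0400\n"
    "From: info@mydomain.com\n"
    "To: josh@mydomain.com\n"
    "Subject: You have successfully updated your password\n"
    "Return-Path: info@mydomain.com\n"
    "Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>\n"
    "\n"
)

# Placeholders for the site: its LAN, its accepted domain, its real mailboxes.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"mydomain.com"}
KNOWN_MAILBOXES = {"user", "postmaster"}

# The relay-list entries markus reports from the SBS 2003 wizard.
SBS_WIZARD_RELAY_LIST = ["192.168.1.75/255.255.255.0", "127.0.0.1"]

# Exchange 2003 SMTPSVC stamps "from <HELO name> ([<client IP>]) by <server>".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)", re.I)


def received_hops(raw_message):
    """Received lines top to bottom: first is the newest hop, last the origin."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if match:
            hops.append({"helo": match.group(1), "ip": match.group(2),
                         "by": match.group(3)})
    return hops


def origin_is_internal(hops, internal_nets=INTERNAL_NETS):
    """True when the client that first handed the mail to Exchange is on the
    LAN; per Ben that points at an infected machine, not at an open relay."""
    if not hops:
        return None
    origin = ipaddress.ip_address(hops[-1]["ip"])
    return any(origin in net for net in internal_nets)


def local_sender_exists(raw_message, local_domains=LOCAL_DOMAINS,
                        known=KNOWN_MAILBOXES):
    """None if From is not a local domain; else whether that mailbox exists.
    A local From with no mailbox (info@ in the thread) is a forged sender."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if domain.lower() not in local_domains:
        return None
    return local.lower() in known


def relay_allowed(client_ip, authenticated, recipient, relay_list,
                  allow_authenticated, local_domains=LOCAL_DOMAINS):
    """Model of the relay restriction as Ben explains it.

    Mail for a local recipient is delivery, not relay, so it is accepted
    whatever the relay settings say. Relay to an outside domain needs either
    the client IP in the list (anonymous session) or the 'allow all computers
    which successfully authenticate' box (authenticated session). A list entry
    carrying a mask, like 192.168.1.75/255.255.255.0, is modelled as admitting
    the whole subnet rather than the single server.
    """
    if recipient.rpartition("@")[2].lower() in local_domains:
        return True
    if authenticated:
        return allow_authenticated
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in relay_list)


def triage(raw_message):
    """The findings a defender wants from one of the pasted headers."""
    findings = set()
    internal = origin_is_internal(received_hops(raw_message))
    if internal is not None:
        findings.add("origin-internal" if internal else "origin-external")
    if local_sender_exists(raw_message) is False:
        findings.add("forged-local-sender")
    _, rcpt = parseaddr(message_from_string(raw_message).get("To", ""))
    # Ben's test: relaying is only an issue when the recipient is external.
    findings.add("local-delivery" if rcpt.rpartition("@")[2].lower()
                 in LOCAL_DOMAINS else "outbound-relay")
    return findings
```

Run `triage(SAMPLE_HEADERS)` to get the three findings for the pasted message, and `relay_allowed("192.168.1.50", False, "someone@example.net", SBS_WIZARD_RELAY_LIST, True)` to see that the masked wizard entry lets any LAN host relay anonymously, not just the server itself.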
Ok..  but a question..
I have access to another server running SBS2003 (not at all concerned with 
my issue)  but I looked at the setup on it just to see.
On sbs2003, it is all set up by a wizard, the ICW, and the settings as the MS 
wizard set them up are:
only the list below is checked and in that list is:
192.168.1.75 /255.255.255.0    (the ip of the server) and
127.0.0.1

also the check mark for "allow all computers that successfully 
authenticate..." is checked.

Doesn't this indicate that this is the setup that MS recommends?

another question..  again in the default SMTP settings under access control 
/authentication..
'anonymous access'   is checked

Why am I allowing anonymous access? Should I be?


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
> Great. Thanks again Ben. I hope this helps out Marcus also.
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need 
>> to allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
>> services disabled by default, so you'd know if you had enabled them.
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>> This is getting better and better. In my case we are a SBS 2003 and 
>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>>> have remote clients who have three alternatives on how they can access 
>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 
>>> 3. Remote connect to our Citrix server desktop and use Outlook from the 
>>> desktop.
>>> So I should have "Only the listed below" with no servers listed.
>>> and should not have the "Allow all computers which successfully 
>>> authenticate to relay, regardless of the list above" checked? I do not 
>>> want to have open relay enabled as I do not think I have a need for it. 
>>> Thanks again Ben.
>>>
>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>> It serves to limit anonymous relay access to "only the list below".  If 
>>>> it is blank, then no computers will be able to anonymously relay. 
>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>> there.  Since you have to make a choice (only the list below, or all 
>>>> except the list below), the best choice is "only the list below".
>>>>
>>>> -- 
>>>> Ben Winzenz
>>>> Exchange MVP
>>>> MessageOne
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>> Hey Ben,
>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>> point this information is more for my interest and knowledge than 
>>>>> Marcus but he did start the thread. I'm a bit confused at what you 
>>>>> just wrote.
>>>>>
>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>> list should be blank.  The internal IP of your Exchange server should 
>>>>> NOT be in that list.  It should also be set at the default setting of 
>>>>> "Only the list below".
>>>>>
>>>>> You're telling me here my Exchange server's internal IP should not be 
>>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>>> below".
>>>>> My question is if there is nothing in the list what purpose does this 
>>>>> serve?
>>>>>
>>>>>
>>>>>
>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>> "Select which computers may relay through this VS" sets which "other" 
>>>>>> computers (hostname or IP) can relay (anonymously) e-mail through 
>>>>>> your Exchange server.  Unless you have a specific internal app that 
>>>>>> needs to relay, this list should be blank.  The internal IP of your 
>>>>>> Exchange server should NOT be in that list.  It should also be set at 
>>>>>> the default setting of "Only the list below".
>>>>>>
>>>>>> "allow all computers which authenticate" is specifically for clients 
>>>>>> such as IMAP or POP3 users that must send e-mail using your server. 
>>>>>> It further dictates that they MUST authenticate before being allowed 
>>>>>> to relay the messages.  This does not deal with anonymous smtp 
>>>>>> sessions (such as mail from other e-mail servers).  Outlook clients 
>>>>>> in MAPI mode do not relay messages, so this only needs to be checked 
>>>>>> if you have IMAP or POP3 clients. How clients can authenticate is 
>>>>>> determined by the settings under the authentication section.  I doubt 
>>>>>> that a virus would be able to initiate an authenticated SMTP session.
>>>>>>
>>>>>> As far as where the messages are coming from, you need to look at the 
>>>>>> headers of one of the actual messages.  If the headers from that 
>>>>>> message indicate that it is internal, then you likely have an 
>>>>>> infected machine on your network.  If they are all destined for local 
>>>>>> addresses (even if they are invalid users), then there is no issue 
>>>>>> with relaying. Relaying would only be an issue if the messages are 
>>>>>> being sent to external addresses.
>>>>>>
>>>>>> Hope this helps.
>>>>>>
>>>>>> -- 
>>>>>> Ben Winzenz
>>>>>> Exchange MVP
>>>>>> MessageOne
>>>>>>
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>> This may be a bit above and beyond as to how well I can explain it 
>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>> this email server may send outside.
>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>> above. Which means they can send an email from another mail server.
>>>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>>>>> email from our Exchange server. Hope that makes sense and my 
>>>>>>> interpretation is also correct. I do think it is because I was also 
>>>>>>> getting those type of password confirmations like you are and since 
>>>>>>> I closed the open relay it has not happened since. Maybe we can get 
>>>>>>> someone else or an MVP to chime in and clarify this. If you do find 
>>>>>>> it to be incorrect or find a better explanation I'd like to hear 
>>>>>>> about it. Good luck.
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>> OK, I've unchecked 'Allow all computers which successfully 
>>>>>>>> authenticate to
>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>> network?
>>>>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>>>>> anyway....
>>>>>>>> or............
>>>>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>>>>> actually doing the relaying...  if he had for instance, mydoom, 
>>>>>>>> which adds an SMTP server, infecting his remote PC... and then 
>>>>>>>> logged onto the network thru TS...  could that be then relaying 
>>>>>>>> thru exchange...?
>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>> you need to uncheck 'Allow all computers which successfully 
>>>>>>>>> authenticate to relay,
>>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>>> users to use your SMTP relay.
>>>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>>>>> so.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>>>>> checked and
>>>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>>
>>>>>>>>>> is this not right??
>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> Ok...
>>>>>>>>>>>>
>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 types 
>>>>>>>>>>>> of email that concern me.
>>>>>>>>>>>>
>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email 
>>>>>>>>>>>> to:
>>>>>>>>>>>>
>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>
>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>
>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>
>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>
>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>
>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>
>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>
>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>
>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit 
>>>>>>>>>>>> IP address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>
>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>
>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>
>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>> from?
>>>>>>>>>>>>
>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>
>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>
>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>
>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>
>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>
>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>
>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>
>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>
>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>
>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean 
>>>>>>>>>>>> that the virus is on his PC?? But I've scanned for it several 
>>>>>>>>>>>> times and not found it at all, ever...
>>>>>>>>>>>>
>>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>
>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>
>>>>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>>>>
>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>> updated your password
>>>>>>>>>>>>
>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>
>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>
>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>>>> ****where x.x.x.x is the legit IP address of the server 
>>>>>>>>>>>> here...*****************
>>>>>>>>>>>>
>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>
>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>
>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>
>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>
>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>
>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>
>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>
>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>
>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>
>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>>>> own server...?
>>>>>>>>>>>>
>>>>>>>>>>>> Plus, what about the system administrator returned email? where 
>>>>>>>>>>>> is that coming from... Im so confused......
>>>>>>>>>>>>
>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>>> the email and click on View/Options. You can block the IP and 
>>>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>>>>> does not affect legitimate emails. Also you may want to turn 
>>>>>>>>>>>>> off Relay in case they are relaying through your SMTP. Do you 
>>>>>>>>>>>>> use the IMF Companion? You may want to turn on Performance 
>>>>>>>>>>>>> Counters for IMF so you can determine the correct SCL level 
>>>>>>>>>>>>> you need to apply. Also using RBL's is a good thing to do 
>>>>>>>>>>>>> also.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>> .
>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>>>>> package I think)
>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
mark7111 (54)
6/15/2005 10:23:30 PM
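Two of the points made in this thread can be checked mechanically rather than argued about: a blank "Only the list below" list already refuses every anonymous relay attempt, and a message addressed to one of your own domains (even to a mailbox that does not exist) is accepted as local delivery and never touches the relay settings at all. The following is an added example written for this page, not code from any of the posters or from Microsoft. It models the Exchange 2003 SMTP virtual server Relay Restrictions dialog as a small decision function and parses two messages constructed to mirror the header dumps quoted above. The IP addresses (203.0.113.10 as the server's public address, 192.168.1.75 as its LAN address, 198.51.100.7 as an outside client), the domain names and the list entries are assumptions.

```python
"""Added example (not code from the posts above): model the Exchange 2003 SMTP
virtual server Relay Restrictions dialog ("Only the list below" / "All except
the list below", the address list, and "Allow all computers which successfully
authenticate to relay") and run it over messages mirroring the posted headers."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.com", "mydomain.local"}          # assumed accepted domains
SERVER_IPS = {"203.0.113.10", "192.168.1.75", "127.0.0.1"}  # assumed public, LAN, loopback


class RelayRestrictions:
    """One SMTP virtual server's Relay Restrictions settings."""
    def __init__(self, mode, entries, allow_authenticated):
        self.mode = mode  # "only_list" or "all_except_list"
        # A "group of computers" entry carries a dotted netmask, so an entry of
        # 192.168.1.75/255.255.255.0 admits the whole /24, not a single host.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]
        self.allow_authenticated = allow_authenticated

    def listed(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.networks)

    def decide(self, client_ip, recipient, authenticated=False):
        """Return (accepted, reason) for one RCPT TO issued from client_ip."""
        if recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
            # Delivery to your own domains is what anonymous access exists for; it is
            # accepted regardless of relay settings (an unknown user bounces as an NDR).
            return True, "local delivery, not a relay"
        if authenticated and self.allow_authenticated:
            return True, "relay allowed: authenticated client"
        # "Only the list below" relays iff listed; "All except" iff not listed.
        if (self.mode == "only_list") == self.listed(client_ip):
            return True, "relay allowed: relay list"
        return False, "550 5.7.1 Unable to relay"


RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+\S+", re.I)


def original_message(msg):
    """For an NDR (multipart/report) return the bounced original; else msg."""
    if msg.get_content_type() == "multipart/report":
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0)
    return msg


def triage(raw, restrictions, authenticated=False):
    """Attribute one message to the host that submitted it and classify it."""
    outer = email.message_from_string(raw, policy=policy.default)
    msg = original_message(outer)
    # Exchange stamps its own Received: on entry, so after a single hop the
    # topmost Received: names the host that handed the message to the server.
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    client_ip = m.group(1) if m else None
    recipient = parseaddr(str(msg["To"]))[1]
    accepted, reason = (restrictions.decide(client_ip, recipient, authenticated)
                        if client_ip else (None, "no Received: header"))
    return {
        "is_ndr": msg is not outer,
        "client_ip": client_ip,
        "from_own_address": client_ip in SERVER_IPS,  # submitted from the server's own address
        "sender": parseaddr(str(msg["From"]))[1],
        "recipient": recipient,
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
        "accepted": accepted,
        "reason": reason,
    }


THREAD_CONFIG = RelayRestrictions("only_list", [], allow_authenticated=True)
SBS_ICW = RelayRestrictions("only_list", ["192.168.1.75/255.255.255.0", "127.0.0.1"], True)

# Constructed to mirror the two header dumps quoted above; not the real messages.
DIRECT = """\
Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: user@mydomain.com
Content-Type: application/octet-stream; name="new-password.zip"
Content-Disposition: attachment; filename="new-password.zip"

(base64 body omitted in this constructed sample)
"""

NDR = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Content-Type: multipart/report; report-type=delivery-status; boundary="DSNB"

--DSNB
Content-Type: message/rfc822

Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Content-Type: application/octet-stream; name="email-password.zip"
Content-Disposition: attachment; filename="email-password.zip"

(base64 body omitted in this constructed sample)
--DSNB--
"""
```

`triage(DIRECT, THREAD_CONFIG)` reports `client_ip` 203.0.113.10, `from_own_address` True and the reason "local delivery, not a relay"; `triage(NDR, THREAD_CONFIG)` unwraps the bounced original from the multipart/report and reaches the same verdict, which is why the relay settings had nothing to do with either message. A connecting address equal to one of the server's own addresses means the submitting process ran on the server itself or on a host whose traffic reaches Exchange translated to that address, so "blocking the IP" from those headers would block the server; the host behind that address is what needs to be found. `THREAD_CONFIG.decide("198.51.100.7", "victim@example.net")` returns the 550, showing that the blank list already refuses anonymous relay, while the same call with `authenticated=True` is allowed, which is the only thing the checkbox adds. If the ICW entry quoted later in the thread (192.168.1.75 with mask 255.255.255.0) is a group entry as that mask suggests, `SBS_ICW.decide("192.168.1.20", "victim@example.net")` is allowed too: every host on that LAN could relay anonymously, which is worth knowing before copying that wizard configuration.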
I'm not sure why the ICW adds those settings under the relay restrictions - 
that may be better asked in the SBS newsgroups.  I know it isn't the default 
for regular Exchange (Standard or Enterprise), so it may be specific to SBS. 
As far as the authenticated relay, it is indeed on by default.  My 
recommendation was that if you do not support any IMAP or POP3 clients it 
should be disabled (unchecked).

As far as your second question about Anonymous access, you have to leave it 
on.  That controls how other mail servers are able to connect to you and 
send mail to you.  If you disable anonymous, you'll find that you stop 
receiving e-mail  :-)  SMTP conversations (unless specifically set up 
otherwise) are all anonymous.  When you send an e-mail to another domain, 
your server does the same thing (establishes an anonymous session).

-- 
Ben Winzenz
Exchange MVP
MessageOne


"markus" <mark@nospam.com> wrote in message 
news:eCuV9ffcFHA.3404@tk2msftngp13.phx.gbl...
> Ok..  but a question..
> I have access to another server running SBS2003 (not at all concerned with 
> my issue)  but I looked at the setup on it just to see.
> On sbs2003, it is all setup by a wizard, the ICW, and the settings as the 
> MS wizard set them up are:
> only the list below is checked and in that list is:
> 192.168.1.75 /255.255.255.0    (the ip of the server) and
> 127.0.0.1
>
> also the check mark for "allow all computers that successfully 
> authenticate..." is checked.
>
> Doesn't this indicate that this is the setup that MS recommends?
>
> another question..  again in the default SMTP settings under access 
> control /authentication..
> 'anonymous access'   is checked
>
> Why am I allowing anonymous access? Should I be?
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need 
>>> to allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
>>> services disabled by default, so you'd know if you had enabled them.
>>>
>>> -- 
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>>> This is getting better and better. In my case we are a SBS 2003 and 
>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>>>> have remote client who have three alternatives on how they can access 
>>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 
>>>> 3. Remote connect to our Citrix server desktop and use Outlook from the 
>>>> desktop.
>>>> So I should have "Only the listed below" with no servers listed.
>>>> and should not have the "Allow all computers which successfully 
>>>> authenticate to relay, regardless of the list above" checked? I do not 
>>>> want to have open relay enabled as I do not think I have a need for it. 
>>>> Thanks again Ben.
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>>> It serves to limit anonymous relay access to "only the list below". 
>>>>> If it is blank, then no computers will be able to anonymously relay. 
>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>>> there.  Since you have to make a choice (only the list below, or all 
>>>>> except the list below), the best choice is "only the list below".
>>>>>
>>>>> -- 
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>>> Hey Ben,
>>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>>> point this information is more for my interest and knowledge than 
>>>>>> Marcus but he did start the thread. I'm a bit confused at what you 
>>>>>> just wrote.
>>>>>>
>>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>>> list should be blank.  The internal IP of your Exchange server should 
>>>>>> NOT be in that list.  It should also be set at the default setting of 
>>>>>> "Only the list below".
>>>>>>
>>>>>> You're telling me here my Exchange server's internal IP should not be 
>>>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>>>> below".
>>>>>> My question is if there is nothing in the list what purpose does this 
>>>>>> serve?
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>>> "Select which computers may relay through this VS" sets which 
>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail 
>>>>>>> through your Exchange server.  Unless you have a specific internal 
>>>>>>> app that needs to relay, this list should be blank.  The internal IP 
>>>>>>> of your Exchange server should NOT be in that list.  It should also 
>>>>>>> be set at the default setting of "Only the list below".
>>>>>>>
>>>>>>> "allow all computers which authenticate" is specifically for clients 
>>>>>>> such as IMAP or POP3 users that must send e-mail using your server. 
>>>>>>> It further dictates that they MUST authenticate before being allowed 
>>>>>>> to relay the messages.  This does not deal with anonymous smtp 
>>>>>>> sessions (such as mail from other e-mail servers).  Outlook clients 
>>>>>>> in MAPI mode do not relay messages, so this only needs to be checked 
>>>>>>> if you have IMAP or POP3 clients. How clients can authenticate is 
>>>>>>> determined by the settings under the authentication section.  I 
>>>>>>> doubt that a virus would be able to initiate an authenticated SMTP 
>>>>>>> session.
>>>>>>>
>>>>>>> As far as where the messages are coming from, you need to look at 
>>>>>>> the headers of one of the actual messages.  If the headers from that 
>>>>>>> message indicate that it is internal, then you likely have an 
>>>>>>> infected machine on your network.  If they are all destined for 
>>>>>>> local addresses (even if they are invalid users), then there is no 
>>>>>>> issue with relaying. Relaying would only be an issue if the messages 
>>>>>>> are being sent to external addresses.
>>>>>>>
>>>>>>> Hope this helps.
>>>>>>>
>>>>>>> -- 
>>>>>>> Ben Winzenz
>>>>>>> Exchange MVP
>>>>>>> MessageOne
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>>> This may be a bit above and beyond as to how well I can explain it 
>>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>>> this email server may send outside.
>>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>>> above. Which means they can send an email from another mail server.
>>>>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not 
>>>>>>>> send email from our Exchange server. Hope that makes sense and my 
>>>>>>>> interpretation is also correct. I do think it is because I was also 
>>>>>>>> getting those type of password confirmations like you are and since 
>>>>>>>> I closed the open relay it has not happened since. Maybe we can get 
>>>>>>>> someone else or an MVP to chime in and clarify this. If you do find 
>>>>>>>> it to be incorrect or find a better explanation I'd like to hear 
>>>>>>>> about it. Good luck.
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>> OK, I've unchecked 'Allow all computers which successfully 
>>>>>>>>> authenticate to
>>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>>> network?
>>>>>>>>> Why not  allow authenticated users to relay if they are all 
>>>>>>>>> inhouse anyway....
>>>>>>>>> or............
>>>>>>>>> could it be that a remote user, logging on thru terminal server, 
>>>>>>>>> is actually doing the relaying...  if he had for instance, mydoom, 
>>>>>>>>> which adds an SMTP server, infecting his remote PC... and then 
>>>>>>>>> logged onto the network thru TS...  could that be then relaying 
>>>>>>>>> thru exchange...?
>>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>> you need to uncheck 'Allow all computers which successfully 
>>>>>>>>>> authenticate to relay,
>>>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>>>>> server. Give it a try and of course monitor it over the next day 
>>>>>>>>>> or so.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the 
>>>>>>>>>>> list) checked and
>>>>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>>>
>>>>>>>>>>> is this not right??
>>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>
>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 
>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>
>>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email 
>>>>>>>>>>>>> to:
>>>>>>>>>>>>>
>>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>
>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit 
>>>>>>>>>>>>> IP address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>>
>>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>>> from?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>
>>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>
>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>
>>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>
>>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean 
>>>>>>>>>>>>> that the virus is on his PC?? But I've scanned for it several 
>>>>>>>>>>>>> times and not found it at all, ever...
>>>>>>>>>>>>>
>>>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>>
>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>
>>>>>>>>>>>>> The other type of email he will receive is from, for 
>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>> **** where x.x.x.x is the legit IP address of the server here ****
>>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>> Content-Type: text/html; charset="ISO-8859-1"
>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>> Content-Type: application/octet-stream; name="new-password.zip"
>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>> Content-Disposition: attachment; filename="new-password.zip"
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> So... block what address?? It says the email is coming from my 
>>>>>>>>>>>>> own server...?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Plus, what about the System Administrator returned email? 
>>>>>>>>>>>>> Where is that coming from... I'm so confused......
>>>>>>>>>>>>>
>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>>>> the email and click on View/Options. You can block the IP and 
>>>>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>>>>> spammers are always constantly changing them. However I've 
>>>>>>>>>>>>>> had good results blocking the ISP IP which is usually foreign 
>>>>>>>>>>>>>> and does not affect legitimate emails. Also you may want to 
>>>>>>>>>>>>>> turn off Relay in case they are relaying through your SMTP. 
>>>>>>>>>>>>>> Do you use the IMF Companion? You may want to turn on 
>>>>>>>>>>>>>> Performance Counters for IMF so you can determine the correct 
>>>>>>>>>>>>>> SCL level you need to apply. Using RBLs is also a good thing 
>>>>>>>>>>>>>> to do.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>>>>filter so am sorta limited..
>>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal 
>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is 
>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully 
>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>


0
Ben
6/16/2005 2:34:09 PM
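A worked example, added here by the editor and not part of the thread or of any Microsoft tool: a small Python triage of the two kinds of header dump quoted above, a DSN (bounce) and a direct "You have successfully updated your password" mail. The sample dumps are constructed from the quoted ones; the redacted x.x.x.x is assumed to be 192.168.1.75 (the server's own LAN address) and the LAN is assumed to be 192.168.1.0/24. The point it makes is the one the thread circles around: the only line you can trust is the Received: line stamped by EXCHANGE.mydomain.local, because From: and Return-Path: are whatever the sending program chose to write, and the "System Administrator" bounce is backscatter the server itself generated when it could not deliver a forged local sender's mail to a non-existent local user.

```python
"""Triage of Outlook "Internet Headers" dumps: which host really injected the
mail, and what kind of mail it is. Added illustration, constructed sample data."""
import ipaddress
import re

RECEIVED_RE = re.compile(
    r"Received:\s*from\s+(?P<helo>\S+)\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\)"
    r"\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):[ \t]*(?P<value>.*)$", re.MULTILINE)
FILENAME_RE = re.compile(r'filename="(?P<name>[^"]+)"', re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def unfold(raw):
    """Join folded continuation lines so every header occupies one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_hops(raw):
    """Received: hops in dump order; the last one is the hop closest to the origin."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(unfold(raw))]


def header_values(raw, name):
    """All values of a header, outermost first (a DSN embeds the original's headers)."""
    return [m.group("value").strip() for m in HEADER_RE.finditer(unfold(raw))
            if m.group("name").lower() == name.lower()]


def triage(raw, local_domain, internal_nets, server_ip):
    """Decide what the headers actually prove. Only the Received: line our own
    server stamped is trustworthy; From:/Return-Path: are chosen by the sender."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hops = received_hops(raw)
    is_dsn = any("delivery-status" in v for v in header_values(raw, "Content-Type"))
    # The innermost Return-Path:/From: belongs to the message that actually entered
    # the server; for a DSN that is the embedded original, not postmaster@.
    sender_hdrs = header_values(raw, "Return-Path") or header_values(raw, "From")
    m = ADDR_RE.search(sender_hdrs[-1]) if sender_hdrs else None
    claimed_sender = m.group(0).lower() if m else ""
    origin_ip = hops[-1]["ip"] if hops else None
    origin_internal = origin_ip is not None and any(
        ipaddress.ip_address(origin_ip) in n for n in nets)
    if origin_ip is None:
        kind = "no-received-line"
    elif not origin_internal:
        kind = "external-origin"          # an IP block or RBL can help here
    elif claimed_sender.endswith("@" + local_domain.lower()):
        # Injected from inside with a forged local sender. If it is a bounce, our
        # own server produced it (backscatter); the fix is the infected host.
        kind = "backscatter" if is_dsn else "internal-forged-sender"
    else:
        kind = "internal-origin"
    return {
        "kind": kind,
        "origin_ip": origin_ip,
        "peer_is_server": origin_ip == server_ip,   # something on the server itself submitted it
        "claimed_sender": claimed_sender,
        "attachments": FILENAME_RE.findall(raw),
    }


# Constructed sample dumps modelled on the ones quoted in the thread.
DSN_DUMP = """Microsoft Mail Internet Headers Version 2.0
From: postmaster@mydomain.com
To: user@mydomain.com
Content-Type: multipart/report; report-type=delivery-status;
 boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain."
Subject: Delivery Status Notification (Failure)

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.
Content-Type: message/rfc822

Received: from mydomain.com ([192.168.1.75]) by EXCHANGE.mydomain.local with
 Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Return-Path: info@mydomain.com
Content-Disposition: attachment; filename="email-password.zip"
"""

DIRECT_DUMP = """Microsoft Mail Internet Headers Version 2.0
Received: from mydomain.com ([192.168.1.75]) by EXCHANGE.mydomain.local with
 Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: realuser@mydomain.com
Subject: You have successfully updated your password
Return-Path: administrator@mydomain.com
Content-Disposition: attachment; filename="new-password.zip"
"""

EXTERNAL_DUMP = """Microsoft Mail Internet Headers Version 2.0
Received: from mail.example.net ([203.0.113.7]) by EXCHANGE.mydomain.local with
 Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 10:00:00 -0400
From: someone@example.net
To: user@mydomain.com
Return-Path: someone@example.net
"""

if __name__ == "__main__":
    for label, dump in (("DSN", DSN_DUMP), ("direct", DIRECT_DUMP), ("external", EXTERNAL_DUMP)):
        print(label, triage(dump, "mydomain.com", ["192.168.1.0/24"], "192.168.1.75"))
```

Run against the constructed DSN the result is "backscatter" with origin 192.168.1.75, i.e. the bounce is not evidence that the recipient sent anything; the host to look for is whatever sits at the origin IP, and when that IP is the Exchange server's own address the process that injected the mail ran on the server (or its traffic was translated to that address), not on the user's PC.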
I want to comment on what Marcus said about the default settings for the 
relay restrictions. I'm sure the CEICW set these settings. Mine also were 
set to 192.168.x.x /255.255.255.0 and 127.0.0.1.  I was a bit suspicious 
about the 127.0.0.1 being there so I removed it. I didn't see any issues or 
problems after doing so.
When I originally setup the SBS 2003 server we were using an ISP to host our 
email and a POP3 connection to pull to our Exchange server. I have since 
changed that and we are now hosting our own SMTP and Exchange server. My 
suspicion, and again I can be wrong, is that these were inputted because of 
my original configuration using POP3. Possible?


"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:Oqy31BocFHA.3912@TK2MSFTNGP15.phx.gbl...
> I'm not sure why the ICW adds those settings under the relay 
> restrictions - that may be better asked in the SBS newsgroups.  I know it 
> isn't the default for regular Exchange (Standard or Enterprise), so it may 
> be specific to SBS. As far as the authenticated relay, it is indeed on by 
> default.  My recommendation was that if you do not support any IMAP or 
> POP3 clients it should be disabled (unchecked).
>
> As far as your second question about Anonymous access, you have to leave 
> it on.  That controls how other mail servers are able to connect to you 
> and send mail to you.  If you disable anonymous, you'll find that you stop 
> receiving e-mail  :-)  SMTP conversations (unless specifically set up 
> otherwise) are all anonymous.  When you send an e-mail to another domain, 
> your server does the same thing (establishes an anonymous session).
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "markus" <mark@nospam.com> wrote in message 
> news:eCuV9ffcFHA.3404@tk2msftngp13.phx.gbl...
>> Ok..  but a question..
>> I have access to another server running SBS2003 (not at all concerned 
>> with my issue)  but I looked at the setup on it just to see.
>> On sbs2003, it is all setup by a wizard, the ICW, and the settings as the 
>> MS wizard set them up are:
>> only the list below is checked and in that list is:
>> 192.168.1.75 /255.255.255.0    (the ip of the server) and
>> 127.0.0.1
>>
>> also the check mark for "allow all computers that successfully 
>> authenticate..." is checked.
>>
>> Doesnt this indicate that this is the setup that MS recommends?
>>
>> another question..  again in the default SMTP settings under access 
>> control /authentication..
>> 'anonymous access'   is checked
>>
>> Why am I allowing anonymous access? Should I be?
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
>>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>>
>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>> wrote in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>>>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need 
>>>> to allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
>>>> services disabled by default, so you'd know if you had enabled them.
>>>>
>>>> -- 
>>>> Ben Winzenz
>>>> Exchange MVP
>>>> MessageOne
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>>>> This is getting better and better. In my case we are a SBS 2003 and 
>>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>>>>> have remote clients who have three alternatives on how they can access 
>>>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application 
>>>>> and 3. Remote connect to our Citrix server desktop and use Outlook from 
>>>>> the desktop.
>>>>> So I should have "Only the listed below" with no servers listed.
>>>>> and should not have the "Allow all computers which successfully 
>>>>> authenticate to relay, regardless of the list above" checked? I do not 
>>>>> want to have open relay enabled as I do not think I have a need for 
>>>>> it. Thanks again Ben.
>>>>>
>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>>>> It serves to limit anonymous relay access to "only the list below". 
>>>>>> If it is blank, then no computers will be able to anonymously relay. 
>>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>>>> there.  Since you have to make a choice (only the list below, or all 
>>>>>> except the list below), the best choice is "only the list below".
>>>>>>
>>>>>> -- 
>>>>>> Ben Winzenz
>>>>>> Exchange MVP
>>>>>> MessageOne
>>>>>>
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>>>> Hey Ben,
>>>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>>>> point this information is more for my interest and knowledge than 
>>>>>>> Marcus's, but he did start the thread. I'm a bit confused at what you 
>>>>>>> just wrote.
>>>>>>>
>>>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>>>> list should be blank.  The internal IP of your Exchange server 
>>>>>>> should NOT be in that list.  It should also be set at the default 
>>>>>>> setting of "Only the list below".
>>>>>>>
>>>>>>> You're telling me here my exchange server's internal IP should not be 
>>>>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>>>>> below".
>>>>>>> My question is if there is nothing in the list what purpose does 
>>>>>>> this serve?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>>>> "Select which computers may relay through this VS" sets which 
>>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail 
>>>>>>>> through your Exchange server.  Unless you have a specific internal 
>>>>>>>> app that needs to relay, this list should be blank.  The internal 
>>>>>>>> IP of your Exchange server should NOT be in that list.  It should 
>>>>>>>> also be set at the default setting of "Only the list below".
>>>>>>>>
>>>>>>>> "allow all computers which authenticate" is specifically for 
>>>>>>>> clients such as IMAP or POP3 users that must send e-mail using your 
>>>>>>>> server. It further dictates that they MUST authenticate before 
>>>>>>>> being allowed to relay the messages.  This does not deal with 
>>>>>>>> anonymous smtp sessions (such as mail from other e-mail servers). 
>>>>>>>> Outlook clients in MAPI mode do not relay messages, so this only 
>>>>>>>> needs to be checked if you have IMAP or POP3 clients. How clients 
>>>>>>>> can authenticate are determined by the settings under the 
>>>>>>>> authentication section.  I doubt that a virus would be able to 
>>>>>>>> initiate an authenticated SMTP session.
>>>>>>>>
>>>>>>>> As far as where the messages are coming from, you need to look at 
>>>>>>>> the headers of one of the actual messages.  If the headers from 
>>>>>>>> that message indicate that it is internal, then you likely have an 
>>>>>>>> infected machine on your network.  If they are all destined for 
>>>>>>>> local addresses (even if they are invalid users), then there is no 
>>>>>>>> issue with relaying. Relaying would only be an issue if the 
>>>>>>>> messages are being sent to external addresses.
>>>>>>>>
>>>>>>>> Hope this helps.
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Ben Winzenz
>>>>>>>> Exchange MVP
>>>>>>>> MessageOne
>>>>>>>>
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>>>> This may be a bit above and beyond as to how well I can explain it 
>>>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>>>> this email server may send outside.
>>>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>>>> above. Which means they can send an email from another mail 
>>>>>>>>> server.
>>>>>>>>> So we only want email from our mail server to pass through our 
>>>>>>>>> SMTP virtual server. SPAMMERS who use the SMTP virtual server do 
>>>>>>>>> not send email from our Exchange server. Hope that makes sense and 
>>>>>>>>> my interpretation is also correct. I do think it is because I was 
>>>>>>>>> also getting those type of password confirmations like you are and 
>>>>>>>>> since I closed the open relay it has not happened since. Maybe we 
>>>>>>>>> can get someone else or an MVP to chime in and clarify this. If 
>>>>>>>>> you do find it to be incorrect or find a better explanation I'd 
>>>>>>>>> like to hear about it. Good luck.
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>> OK, I've unchecked "Allow all computers which successfully 
>>>>>>>>>> authenticate to relay", and put in the IP address of the server 
>>>>>>>>>> only...
>>>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>>>> network?
>>>>>>>>>> Why not  allow authenticated users to relay if they are all 
>>>>>>>>>> inhouse anyway....
>>>>>>>>>> or............
>>>>>>>>>> could it be that a remote user, logging on thru terminal server, 
>>>>>>>>>> is actually doing the relaying...  if he had for instance, 
>>>>>>>>>> mydoom, which adds an SMTP server, infecting his remote PC... and 
>>>>>>>>>> then logged onto the network thru TS...  could that be then 
>>>>>>>>>> relaying thru exchange...?
>>>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>>>
>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>>> you need to uncheck "Allow all computers which successfully 
>>>>>>>>>>> authenticate to relay,
>>>>>>>>>>> regardless of the list above". This is what is allowing outside 
>>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>>> Otherwise the listed server above does no good. We want "Only 
>>>>>>>>>>> the listed below" which should be the internal IP of your 
>>>>>>>>>>> Exchange server. Give it a try and of course monitor it over the 
>>>>>>>>>>> next day or so.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the 
>>>>>>>>>>>> list) checked and
>>>>>>>>>>>> checked - 'Allow all computers which successfully authenticate 
>>>>>>>>>>>> to relay, regardless of the list above'
>>>>>>>>>>>>
>>>>>>>>>>>> is this not right??
>>>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 
>>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In the user's mailbox (Outlook 2003) he will have a bunch of 
>>>>>>>>>>>>>> email:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ******* This is the header from one of those:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>> *** x.x.x.x is the legit IP address of my server ***
>>>>>>>>>>>>>> From: info@mydomain.com
>>>>>>>>>>>>>> ***** THIS USER (INFO) DOES NOT EXIST *****
>>>>>>>>>>>>>> To: josh@mydomain.com
>>>>>>>>>>>>>> ***** THIS USER DOES NOT EXIST EITHER *****
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> **** Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>>>> from?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>> Content-Type: text/html; charset="ISO-8859-1"
>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>> Content-Type: application/octet-stream; name="email-password.zip"
>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>> Content-Disposition: attachment; filename="email-password.zip"
>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it 
>>>>>>>>>>>>>> not mean that he is sending it?... but he's not. Does that 
>>>>>>>>>>>>>> mean that the virus is on his PC?? But I've scanned for it 
>>>>>>>>>>>>>> several times and not found it at all, ever...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The other type of email he will receive is from, for 
>>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Administrator@mydomain.com  Subject: You have successfully 
>>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>> **** where x.x.x.x is the legit IP address of the server here ****
>>>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>> Content-Type: text/html; charset="ISO-8859-1"
>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>> Content-Type: application/octet-stream; name="new-password.zip"
>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>> Content-Disposition: attachment; filename="new-password.zip"
>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So... block what address?? It says the email is coming from 
>>>>>>>>>>>>>> my own server...?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Plus, what about the System Administrator returned email? 
>>>>>>>>>>>>>> Where is that coming from... I'm so confused......
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>>>>> the email and click on View/Options. You can block the IP 
>>>>>>>>>>>>>>> and originating domain which may or may not do you any good 
>>>>>>>>>>>>>>> as spammers are always constantly changing them. However 
>>>>>>>>>>>>>>> I've had good results blocking the ISP IP which is usually 
>>>>>>>>>>>>>>> foreign and does not affect legitimate emails. Also you may 
>>>>>>>>>>>>>>> want to turn off Relay in case they are relaying through 
>>>>>>>>>>>>>>> your SMTP. Do you use the IMF Companion? You may want to 
>>>>>>>>>>>>>>> turn on Performance Counters for IMF so you can determine 
>>>>>>>>>>>>>>> the correct SCL level you need to apply. Using RBLs is also 
>>>>>>>>>>>>>>> a good thing to do.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the 
>>>>>>>>>>>>>>>>IMF filter so am sorta limited..
>>>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal 
>>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is 
>>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully 
>>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have antivirus software running on all systems, 
>>>>>>>>>>>>>>>>> including the server.
>>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>


0
allen.miyake (137)
6/16/2005 3:47:44 PM
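As an added example by the editor (not from the thread and not Exchange code), a Python model of the relay decision Ben describes for the SMTP virtual server: "Only the list below" versus "All except the list below", the "Allow all computers which successfully authenticate to relay" checkbox, and the rule that mail addressed to a local recipient is accepted from anyone rather than relayed. The three policies and all addresses are assumptions modelled on the descriptions above (203.0.113.7 stands in for an outside host, 192.168.1.50 for a LAN workstation). One detail worth noticing: the relay list takes an address plus a subnet mask, and ipaddress reads "192.168.1.75/255.255.255.0" exactly as the dialog does, as the whole 192.168.1.0/24 and not as one host.

```python
"""Relay-restriction decision model for an Exchange 2003 / IIS SMTP virtual
server, as an added illustration. Assumed configurations and addresses."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    local_domains: set                   # recipient domains this server is authoritative for
    mode: str = "only"                   # "only" = "Only the list below"; "except" = "All except the list below"
    relay_list: list = field(default_factory=list)   # "addr", "addr/prefix" or "addr/dotted-mask"
    allow_authenticated: bool = False    # "Allow all computers which successfully authenticate to relay"

    def listed(self, peer_ip):
        """True if the peer falls inside any entry; a mask of 255.255.255.0 covers the whole /24."""
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in ipaddress.ip_network(e, strict=False) for e in self.relay_list)

    def decide(self, peer_ip, rcpt, authenticated=False):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Delivery to a local mailbox is not relaying. It is accepted from any peer,
        # which is why anonymous access must stay on and why relay settings never
        # stop mail addressed to your own users (valid or not).
        if domain in self.local_domains:
            return "accept-local"
        if authenticated and self.allow_authenticated:
            return "relay-authenticated"
        hit = self.listed(peer_ip)
        if (self.mode == "only" and hit) or (self.mode == "except" and not hit):
            return "relay-listed"
        return "550 relay denied"


def is_open_relay(policy, probe_ip="203.0.113.7", probe_rcpt="victim@example.net"):
    """Would an anonymous, unlisted outside host get mail relayed to a foreign domain?"""
    return policy.decide(probe_ip, probe_rcpt).startswith("relay")


def lan_host_can_relay_out(policy, lan_ip="192.168.1.50"):
    """Could an infected workstation with its own SMTP engine send out through Exchange?"""
    return policy.decide(lan_ip, "victim@example.net").startswith("relay")


# Assumed configurations, modelled on the thread's descriptions.
LOCKED_DOWN = RelayPolicy({"mydomain.com"}, "only", [], False)
SBS_WIZARD = RelayPolicy({"mydomain.com"}, "only",
                         ["192.168.1.75/255.255.255.0", "127.0.0.1"], True)
OPEN_RELAY = RelayPolicy({"mydomain.com"}, "except", [], False)

if __name__ == "__main__":
    for name, p in (("locked down", LOCKED_DOWN), ("SBS wizard", SBS_WIZARD),
                    ("all except + empty list", OPEN_RELAY)):
        print(f"{name:24} open relay: {is_open_relay(p)!s:5}  LAN host relays out: "
              f"{lan_host_can_relay_out(p)!s:5}  worm mail to local user: "
              f"{p.decide('192.168.1.50', 'user@mydomain.com')}")
```

The locked-down policy (empty list, authenticated relay off) refuses relay to everyone yet still accepts inbound mail for mydomain.com, which is the configuration Ben recommends when there are no POP3/IMAP clients. The wizard-style policy is not an open relay to the outside, but because the list entry is a /24 any infected machine on the LAN can send outbound mail through the server. And in every policy the "password updated" mails to local users are accepted, so tightening relay settings cannot be what stops them.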
On the SBS2003 systems I looked at (I have actually looked at 2 different 
ones now), the POP3 connector has never been set up, but the settings on both 
systems are basically the same. So apparently that is how the wizard sets 
it up.



"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%23jkcGqocFHA.3940@TK2MSFTNGP10.phx.gbl...
>I want to comment on what Marcus said about the default settings for the 
>relay restrictions. I'm sure the CEICW set these settings. Mine also were 
>set to 192.168.x.x /255.255.255.0 and 127.0.0.1.  I was a bit suspicious 
>about the 127.0.0.1 being there so I removed it. I didn't see any issues or 
>problems after doing so.
> When I originally setup the SBS 2003 server we were using an ISP to host 
> our email and a POP3 connection to pull to our Exchange server. I have 
> since changed that and we are now hosting our own SMTP and Exchange 
> server. My suspicion, and again I can be wrong, is that these were 
> inputted because of my original configuration using POP3. Possible?
>
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:Oqy31BocFHA.3912@TK2MSFTNGP15.phx.gbl...
>> I'm not sure why the ICW adds those settings under the relay 
>> restrictions - that may be better asked in the SBS newsgroups.  I know it 
>> isn't the default for regular Exchange (Standard or Enterprise), so it 
>> may be specific to SBS. As far as the authenticated relay, it is indeed 
>> on by default.  My recommendation was that if you do not support any IMAP 
>> or POP3 clients it should be disabled (unchecked).
>>
>> As far as your second question about Anonymous access, you have to leave 
>> it on.  That controls how other mail servers are able to connect to you 
>> and send mail to you.  If you disable anonymous, you'll find that you 
>> stop receiving e-mail  :-)  SMTP conversations (unless specifically set 
>> up otherwise) are all anonymous.  When you send an e-mail to another 
>> domain, your server does the same thing (establishes an anonymous 
>> session).
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "markus" <mark@nospam.com> wrote in message 
>> news:eCuV9ffcFHA.3404@tk2msftngp13.phx.gbl...
>>> Ok..  but a question..
>>> I have access to another server running SBS2003 (not at all concerned 
>>> with my issue)  but I looked at the setup on it just to see.
>>> On sbs2003, it is all setup by a wizard, the ICW, and the settings as 
>>> the MS wizard set them up are:
>>> only the list below is checked and in that list is:
>>> 192.168.1.75 /255.255.255.0    (the ip of the server) and
>>> 127.0.0.1
>>>
>>> also the check mark for "allow all computers that successfully 
>>> authenticate..." is checked.
>>>
>>> Doesnt this indicate that this is the setup that MS recommends?
>>>
>>> another question..  again in the default SMTP settings under access 
>>> control /authentication..
>>> 'anonymous access'   is checked
>>>
>>> Why am I allowing anonymous access? Should I be?
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
>>>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>> wrote in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>>>>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really 
>>>>> need to allow authenticated relay.  Exchange 2003 actually has IMAP 
>>>>> and POP3 services disabled by default, so you'd know if you had 
>>>>> enabled them.
>>>>>
>>>>> -- 
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>>>>> This is getting better and better. In my case we are a SBS 2003 and 
>>>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. 
>>>>>> We have remote client who have three alternatives on how they can 
>>>>>> access email at home. 1. OWA. 2. Outlook as a Citrix Published 
>>>>>> Application and 3. Remote connect to our Citrix server desktop and 
>>>>>> use Outlook from the desktop.
>>>>>> So I should have "Only the listed below" with no servers listed.
>>>>>> and should not have the "Allow all computers which successfully 
>>>>>> authenticate to relay, regardless of the list above" checked? I do 
>>>>>> not want to have open relay enabled as I do not think I have a need 
>>>>>> for it. Thanks again Ben.
>>>>>>
>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>>>>> It serves to limit anonymous relay access to "only the list below". 
>>>>>>> If it is blank, then no computers will be able to anonymously relay. 
>>>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>>>>> there.  Since you have to make a choice (only the list below, or all 
>>>>>>> except the list below), the best choice is "only the list below".
>>>>>>>
>>>>>>> -- 
>>>>>>> Ben Winzenz
>>>>>>> Exchange MVP
>>>>>>> MessageOne
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>>>>> Hey Ben,
>>>>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>>>>> point this information is more for my interest and knowledge that 
>>>>>>>> Marcus but he did start the thread. I'm a bit confused at what you 
>>>>>>>> just wrote.
>>>>>>>>
>>>>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>>>>> list should be blank.  The internal IP of your Exchange server 
>>>>>>>> should NOT be in that list.  It should also be set at the default 
>>>>>>>> setting of "Only the list below".
>>>>>>>>
>>>>>>>> You're telling me here my Exchange server's internal IP should not be 
>>>>>>>> listed, yet you then tell me that I need to set it to "Only the 
>>>>>>>> list below".
>>>>>>>> My question is if there is nothing in the list what purpose does 
>>>>>>>> this serve?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "Ben Winzenz [Exchange MVP]" 
>>>>>>>> <ben_winzenz@NOSPAMdotmessageonedotcom> wrote in message 
>>>>>>>> news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>>>>> "Select which computers may relay through this VS" sets which 
>>>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail 
>>>>>>>>> through your Exchange server.  Unless you have a specific internal 
>>>>>>>>> app that needs to relay, this list should be blank.  The internal 
>>>>>>>>> IP of your Exchange server should NOT be in that list.  It should 
>>>>>>>>> also be set at the default setting of "Only the list below".
>>>>>>>>>
>>>>>>>>> "allow all computers which authenticate" is specifically for 
>>>>>>>>> clients such as IMAP or POP3 users that must send e-mail using 
>>>>>>>>> your server. It further dictates that they MUST authenticate 
>>>>>>>>> before being allowed to relay the messages.  This does not deal 
>>>>>>>>> with anonymous smtp sessions (such as mail from other e-mail 
>>>>>>>>> servers). Outlook clients in MAPI mode do not relay messages, so 
>>>>>>>>> this only needs to be checked if you have IMAP or POP3 clients. 
>>>>>>>>> How clients can authenticate are determined by the settings under 
>>>>>>>>> the authentication section.  I doubt that a virus would be able to 
>>>>>>>>> initiate an authenticated SMTP session.
>>>>>>>>>
>>>>>>>>> As far as where the messages are coming from, you need to look at 
>>>>>>>>> the headers of one of the actual messages.  If the headers from 
>>>>>>>>> that message indicate that it is internal, then you likely have an 
>>>>>>>>> infected machine on your network.  If they are all destined for 
>>>>>>>>> local addresses (even if they are invalid users), then there is no 
>>>>>>>>> issue with relaying. Relaying would only be an issue if the 
>>>>>>>>> messages are being sent to external addresses.
>>>>>>>>>
>>>>>>>>> Hope this helps.
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Ben Winzenz
>>>>>>>>> Exchange MVP
>>>>>>>>> MessageOne
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>> This may be a bit above and beyond as to how well I can explain 
>>>>>>>>>> it so do not write this in stone. Here's my interpretation.
>>>>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>>>>> this email server may send outside.
>>>>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>>>>> above. Which means they can send an email from another mail 
>>>>>>>>>> server.
>>>>>>>>>> So we only want email from our mail server to pass through our 
>>>>>>>>>> SMTP virtual server. SPAMMERS who use the SMTP virtual server do 
>>>>>>>>>> not send email from our Exchange server. Hope that makes sense 
>>>>>>>>>> and my interpretation is also correct. I do think it is because I 
>>>>>>>>>> was also getting those type of password confirmations like you 
>>>>>>>>>> are and since I closed the open relay it has not happened since. 
>>>>>>>>>> Maybe we can get someone else or an MVP to chime in and clarify 
>>>>>>>>>> this. If you do find it to be incorrect or find a better 
>>>>>>>>>> explanation I'd like to hear about it. Good luck.
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>>>>>>>> authenticate to
>>>>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>>>>> network?
>>>>>>>>>>> Why not  allow authenticated users to relay if they are all 
>>>>>>>>>>> inhouse anyway....
>>>>>>>>>>> or............
>>>>>>>>>>> could it be that a remote user, logging on thru terminal server, 
>>>>>>>>>>> is actually doing the relaying...  if he had for instance, 
>>>>>>>>>>> mydoom, which adds an SMTP server, infecting his remote PC... 
>>>>>>>>>>> and then logged onto the network thru TS...  could that be then 
>>>>>>>>>>> relaying thru exchange...?
>>>>>>>>>>> ..sounds logical to me..  what do you think?
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>>>>>>>> authenticate to relay,
>>>>>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>>>> Otherwise the listed server above does no good. We want "Only 
>>>>>>>>>>>> the listed below" which should be the internal IP of your 
>>>>>>>>>>>> Exchange server. Give it a try and of course monitor it over the 
>>>>>>>>>>>> next day or so.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the 
>>>>>>>>>>>>> list) checked and
>>>>>>>>>>>>> checked - 'Allow all computers which successfully authenticate 
>>>>>>>>>>>>> to relay, regardless of the list above'
>>>>>>>>>>>>>
>>>>>>>>>>>>> is this not right??
>>>>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>>>>> relaying. You need to turn that off unless you have a 
>>>>>>>>>>>>>> specific reason to have it on. You should only "allow" the 
>>>>>>>>>>>>>> internal IP address of your mail server to use relay on this 
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 
>>>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of 
>>>>>>>>>>>>>>> email to:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the 
>>>>>>>>>>>>>>> legit IP address of my server))) by EXCHANGE.mydomain.local 
>>>>>>>>>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>>>>> from?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it 
>>>>>>>>>>>>>>> not mean that he is sending it?... but he's not. Does that 
>>>>>>>>>>>>>>> mean that the virus is on his PC?? But I've scanned for it 
>>>>>>>>>>>>>>> several times and not found it at all, ever...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Where are these mails coming from? Is the server sending 
>>>>>>>>>>>>>>> them out somehow? is his PC sending them out somehow? I 
>>>>>>>>>>>>>>> don't know where to begin to figure this out......
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The other type of email he will receive is from, for 
>>>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>>>>>>>> SMTPSVC(6.0.3790.1830); ****where x.x.x. is the legit IP 
>>>>>>>>>>>>>>> address of the server here...*****************
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So... block what address?? it says the email is coming from 
>>>>>>>>>>>>>>> my own server...?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Plus, what about the system administrator returned email? 
>>>>>>>>>>>>>>> where is that coming from... I'm so confused......
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>>>> You can view the originator through the Message Header. 
>>>>>>>>>>>>>>>> Open the email and click on View/Options. You can block the 
>>>>>>>>>>>>>>>> IP and originating domain which may or may not do you any 
>>>>>>>>>>>>>>>> good as spammers are always constantly changing them. 
>>>>>>>>>>>>>>>> However I've had good results blocking the ISP IP which is 
>>>>>>>>>>>>>>>> usually foreign and does not affect legitimate emails. Also 
>>>>>>>>>>>>>>>> you may want to turn off Relay in case they are relaying 
>>>>>>>>>>>>>>>> through your SMTP. Do you use the IMF Companion? You may 
>>>>>>>>>>>>>>>> want to turn on Performance Counters for IMF so you can 
>>>>>>>>>>>>>>>> determine the correct SCL level you need to apply. Also 
>>>>>>>>>>>>>>>> using RBL's is a good thing to do also.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the 
>>>>>>>>>>>>>>>>> IMF filter so am sorta limited..
>>>>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go 
>>>>>>>>>>>>>>>>> to legit users too..
>>>>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bla 
>>>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is 
>>>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully 
>>>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have antivirus software running on all systems, 
>>>>>>>>>>>>>>>>>> including the server.
>>>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>>>> ...I did a Google on 'your password has been updated' that 
>>>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
mark7111 (54)
6/16/2005 11:05:41 PM
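Ben's advice above is to read the headers of an actual message rather than stare at the relay dialog. The following is an added example, not code from the thread or from Microsoft, that does that for messages shaped like the two posted: it unwraps the Exchange NDR when the sample is a bounce, takes the first-hop IP from the bottom-most Received header, compares it with the server's own address (192.0.2.10 stands in for the redacted x.x.x.x) and with the LAN range from the SBS example (192.168.1.0/24; both values are assumptions), and lists attachments named like the worm's. The samples are constructed; the base64 payload is an empty zip archive, and flagging plain executable extensions alongside password-themed .zip names is an assumption beyond what the thread states.

```python
"""Where did a "password updated" message enter Exchange, and what does it carry?

Added example, not code from the thread: reads the Received headers of a
message (unwrapping the NDR if Exchange bounced it), classifies the first hop
as the server itself, a LAN host, or outside, and lists suspicious attachments.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Assumptions: 192.0.2.10 stands in for the redacted x.x.x.x (the poster's own
# server address); 192.168.1.0/24 is the LAN from the SBS example in the thread.
OWN_SERVER_IPS = {"192.0.2.10"}
INTERNAL_NETS = ("192.168.1.0/24",)

# IP literal in the "from host ([a.b.c.d]) by ..." clause that SMTPSVC writes.
RECEIVED_IP = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Names the thread ties to the worm (password-themed .zip) plus directly
# executable extensions common in mass-mailers of the period (assumption).
SUSPECT_NAME = re.compile(r"password.*\.zip$|\.(exe|scr|pif|bat|cmd|com)$", re.I)

# Constructed sample modelled on the second header posted in the thread.
# The base64 body is an empty zip archive, not the worm.
SAMPLE_RAW = b"""Received: from mydomain.com ([192.0.2.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
\t Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: user@mydomain.com
Subject: You have successfully updated your password
Date: Tue, 14 Jun 2005 09:07:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_4FC13ACF.85304567"

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html><body>See attachment.</body></html>
------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: application/octet-stream; name="new-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="new-password.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0001_4FC13ACF.85304567--
"""

# Constructed NDR wrapper like the first header in the thread: Exchange bounced
# the same message because the recipient did not exist.
DSN_RAW = (
    b"From: postmaster@mydomain.com\nTo: user@mydomain.com\n"
    b"Subject: Delivery Status Notification (Failure)\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"\n'
    b"\n--dsn\nContent-Type: text/plain\n\nThe recipient does not exist.\n"
    b"--dsn\nContent-Type: message/delivery-status\n\n"
    b"Reporting-MTA: dns; EXCHANGE.mydomain.local\n\n"
    b"Final-Recipient: rfc822; josh@mydomain.com\nAction: failed\n\n"
    b"--dsn\nContent-Type: message/rfc822\n\n" + SAMPLE_RAW + b"--dsn--\n"
)


def unwrap_dsn(msg):
    """Return (message to analyse, was_dsn). An Exchange NDR is a
    multipart/report carrying the original as a message/rfc822 part."""
    if msg.get_content_type() != "multipart/report":
        return msg, False
    for part in msg.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0), True
    return msg, True


def entry_ip(msg):
    """IP of the host that handed the message to our server: each hop prepends
    a Received header, so the bottom-most one records the first hop."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_IP.search(str(hdr))
        if m:
            return m.group(1)
    return None


def classify(raw, own_ips=OWN_SERVER_IPS, internal_nets=INTERNAL_NETS):
    """Parse raw message bytes; report where it entered and what it carries."""
    outer = BytesParser(policy=policy.default).parsebytes(raw)
    msg, is_dsn = unwrap_dsn(outer)
    ip = entry_ip(msg)
    if ip is None:
        origin = "unknown"
    elif ip in own_ips:
        origin = "internal-server"  # submitted from the Exchange box's own address
    elif any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in internal_nets):
        origin = "internal-lan"     # a LAN host talking to the SMTP listener
    else:
        origin = "external"
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "wrapped_in_dsn": is_dsn,
        "entry_ip": ip,
        "origin": origin,
        "subject": str(msg["Subject"] or ""),
        "suspicious_attachments": [n for n in names if SUSPECT_NAME.search(n)],
    }


if __name__ == "__main__":
    for label, raw in (("direct", SAMPLE_RAW), ("bounced", DSN_RAW)):
        print(label, classify(raw))
```

Both samples come back as `internal-server` with `new-password.zip` flagged, which matches what the posted headers show: the first hop is the server's own address, so the mail is being handed to Exchange's SMTP listener from inside the network (an infected workstation, a terminal-server session, or the server itself), not relayed in from outside. That is why the relay list does not change anything for mail to local recipients; as Ben notes, relay settings only matter when the messages are going to external addresses.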
Reply:

Similar Artilces:

Performance issues with XMLTextReader
Hi there, I need to parse a lot of html-files from wikipedia, and I need to do it as fast as possible. So I started a little testing with XMLTextReader, but the results I get confuse me. It seems that the Reader ALWAYS needs about 1 second for the first textReader.Read() Here's my testcode: XmlTextReader _myReader = new XmlTextReader(textBox1.Text); DateTime _firstRead = DateTime.MinValue; DateTime _start = DateTime.Now; _myReader.Read(); _firstRead = DateTime.Now; while (_myReader.Read()) { } MessageBox.Show("FirstRead: " + Convert.ToString(_firstRead - _start) + "...

Printing issue in Excel Sheet
Hi Friends, When ever i am giving a print job, it is printing page with my name as a cover page for the print job. If i give a single page as 5 copies, it is printing 5 cover pages. It it is 50, it is giving 50 cover pages where i am not able to remove this settings. Please give me some idea about this. -- Thanks & Regards Vijayaraj V System Engineer Vijay wrote: > Hi Friends, > When ever i am giving a print job, it is printing page with my name as a > cover page for the print job. If i give a single page as 5 copies, it is > printing 5 cover pages. It it is 50, i...

Viruses
I heard that Outlook is not really as risky as one would think about getting a virus attack and that Outlook Express is what is usally attacked. Is there any truth to that? Can anyone share any experiences they have had with virus attacks and Outlook? Please tell us your version number too. Thanks These two articles will give you a clue as to which versions of Outlook are most at-risk. Short version: if you use a current version and have all updates installed, you are quite safe from everything except your own stupidity. http://www.slipstick.com/emo/2005/up050120.htm#preview http...

XP Pro Login Issue
I have a Windows XP Pro computer that I think has been hit with a virus. It is not part of a domain currently. I have 2 accounts on the computer (Administrator and Joe) and when I try and log on to either one it appears to start the login then goes right to saving settings and logging out. I even tried to do this in Safe mode so I could run a MalwareBytes but no go. If I can't log in then I can't run Malware Bytes. Any ideas? Thanks! -Richard "Richard K" <rkokoski@foxdtechllc.com> wrote in message news:eDKtabVuKHA.6140@TK2MSFTNGP05.phx.g...

Replication Issues
We have recently setup an Exchange 2003 Server into our network. We moved acrossed mailboxes and started replication of the Public Folders from our old Exchange 2000 server. This seemed to work at first, but has now stopped working. The Exchange 2003 server is replicating fine to the Exchang 2000 one: I created a new fodler on the Exchnage 2003 box and this soon appeared in the Public Folder list on the Exchange 2000 box. Replikction however does not occur the other way. I have increased the diagnostic logging for replication but this is not showing any errors. I also examined mess...

Issues with Outlook 2003
I have a user experiencing two issues with Outlook 2003. The first issue is, when they shut down Outlook outlook.exe remains in the process list in Task Manager. When they try to restart Outlook it won't start and a second instance of outlook.exe is listed in the process list. If the first instance of Outlook.exe is ended Outlook can be started without issue. The second issue is the offline folders are synchronizing. They are set up properly under send/receive groups and it looks like the synch completes during Outlook shutdown. But if you open Outlook in offline mode none of the...

No Infobar issue
I have a user in Outlook 2003 that when he forwards a message, and it gets an infobar in the original email. However, if he modifies an attachment in an email and forwards it, the infobar won't shows on that email. Here are the steps what that user did. 1.. Open an email 2.. Modify an attachment in that email and save it 3.. Forward the email 4.. Close the email without save changes Actually I tried the above steps, but I don't see the infobar either. However, the user said he always got the infobar till couple weeks ago. I assumed there is a way enable the feature....

Please please help!! Weird coding issue
Hi, I have a button that when pressed asked to select a worksheet and select email addresses, when the email addresses have been selected it will then email that particular user. Columns A,B and C needs to be hidden but when I hide these columns I get a mismatch error, if the columns stay visable it works? please help this is very fustrating!! Mis match error 13 Sub MAIL_PIP() Dim Response As String Dim DefaultFolder As String, DefaultFileName As String Dim FileToSave Dim OutApp As Object 'this emails operations manager Dim OutMail As Object Dim strbody As String ...

subtotal issues with NULL cells
I have a worksheet of raw data. One of the columns has 3 unique values...either 1, 2 or no data at all (NULL). Without inserting some value in this cell, is there some way of doing a Subtotal of all 3 of these values. At the moment the grouping that is done on that value is lumped into the "1's". Naturally they aren't counted but there is no separation either. I know Pivot Tables would work but i'm looking for something easy and straightforward. Dave French I didn't get that result when I tested (xl2003). Are you sure you used the correct range? I like...

Last Known Good Configuration issue
Suddenly my pc will only start up using Last Known Cood Configuration. During every start up, it stops during the Windows XP scrolling blue thing window and won't proceed. So I shut down the power switch and when it comes to life I get a screen offering to start in Safe Mode, Last Known Good Configuration or in Normal Mode. Normal Mode does not work. So when I choose Last Known Good Configuration, it starts up Windows and my pc is alive. I'm not sure what changes that I may have made that messed it up or when it first occurred. My WinXP cd is old. It is service pack 1 a...

List of banks/brokerages temporarily unavailable issue
I have not been able to access the list of financial institutions when trying to set up online service for my branks or brokerages. When prompted to select the bank or brokerage, I get the message "The list is temporarily unavailable. Please try again later.". I have tried all the steps discussed in this article: http://support.microsoft.com/kb/905695 Does any one have any idea how to get the online updates to work? I am using Money 2005 Standard Edition. Thanks 2005 Standard only allows downloads for two years after you initially installed it. Perhaps those two years h...

Virus like behaviour but no virus
G'day Hope I can get some help with this one 1)Exchange 2003 on Windows 2003 2) I have scanned the server for viruses using two reputable brands and no virus has been detected. I have an Exchange compatible virus scanner; no viruses. 3) The SMTP service is running; The Exchange Virtual SMTP server is stopped. 4) As soon as the virtual SMTP server is started my link is flooded with outbound traffic. If I then pause the virtual server the flooding continues. If I stop the virtual SMTP server the flooding stops. 5) I cannot see anything in the queues. Getting desperate so any suggesti...

Mail receiving issue
Hi We have a little issue with our exchange server which is bugging me. Scenario is Windows 2K server with Exchange 2K fully updated. Basically the majority of mail gets through to our exchange server and onto outlook for our users, but some of our mail goes to our fallback (priority 10) location. Why aren't all of our e-mails coming through the exchange server?? There are no messages on the event viewer to suggest there is a problem with Exchange. This can happen anytime during the day. Has anyone got any suggestions??? Thanks Simon Simon, When you state that the email goes ...

Virus e-mails
I posted a Question Oct 4 at 11:45 PM "Balanced or Mixed Asset Funds" Sence then my e-mail address has received hundreds of virus carrying e-mails every day some purported to be from Microsoft or Postmaster, etc. My virus S/W deleted them and I don't run .exe e-mail attachments. My e-mail is overloaded and useless. Only the e-mail given to this newsgroup is effected. Why are our e-mail addresses included in the post? To whom should I report this? It is not just this newsgroup. The spammers have software that scans all the newsgroups and pull out anything that look...

AVG Virus software
Hi, I use the free version of AVG. When I looked at my VIRUS VAULT I saw about 10 entries, some described as virus, but I am not sure what to do to get rid of these things. Do I select EMPTY VAULT or else select each item and click on DELETE ? Thanks, Peter Since it's not part of Windows XP, you would ask here: http://forums.avg.com/us-en/avg-free-forum "Peter Buttuls" <ye025@victoria.tc.ca> wrote in message news:%23dhtl4%23hKHA.4912@TK2MSFTNGP02.phx.gbl... : Hi, : I use the free version of AVG. When I looked at my VIRUS VAULT I saw about : 10 entr...

SSRS2008 Line Chart Axis issue
I'm running into some trouble here and I'm wondering if anyone might be able to help with a solution. I have a line chart within an SSRS2008 report, and *sometimes* the axis values are a little off. In the one case in particular, I only have 3 data points -- 0, -0.9, 3.1. What I would expect to see on the axis is -1, 0, 1, 2, 3, 4, but what is actually occurring is the axis is displaying -1, 1, 2, 3, 4 and skipping 0. I do have a custom interval on the axis set of 1, and when I set it back to auto, the 0 is there, however it displays -1, 0, 1,1,2,2,3,3,4 (which is why I ma...

Cell format Issue
When enter 899405090111023400 in my excell sheet, it always convert to 899405090111023000 why is this? changing cell format doesn't help -- mar "marlon" <marlong@ceytel.lk> wrote: > When enter 899405090111023400 in my excell sheet, > it always convert to 899405090111023000 > why is this? Because Excel treats that as a number. On data entry, Excel will convert only the first 15 significant digits. Moreover, Excel will display only the 15 significant digits. > changing cell format doesn't help Actually, it does -- if you format th...

Formatting Issues #2
I made up a flyer like message for some property I'm trying to seel in Outlook. I had it formatted just the way I wanted, but when I sent it to my Yahoo account to test it, the formatting was all messed up. How do I keep it from doing this? Hard to say without any details. You have to be aware that designing for a website is something different than designing for a mail client. Mail clients and especially web based mail clients do not support all HTML and CSS formatting options in the way a webpage would. -- Robert Sparnaaij [MVP-Outlook] Coauthor, Configuring Microsoft Outloo...

I think i have a virus
I have a problem with exchange. each time I start it up the internet connection comes to a stand still. I looked into the queues and found a huge list of domains with messages. I noticed that is I stop the virtual SMTP server the internet comes back to life, I ended up delete all the queues and uninstalling reinstalling SMTP. But still I have the problem? any answers? It might be that one of your accounts is compromised. Disable SMTP relay for authenticated users and change passwords on all accounts. AlanM wrote: > I have a problem with exchange. > > each time I start it up t...

security issues ? not sure
kinda worried here as i was seeking some old friends on myspace & clicked on one entry & got a page that showed an alleged security scan being run. so i ran my one quick scan on mse & over 35500 files were checked & no threats. so i went into explorer & found something in windows>sys32 called "drv store"; i dont ever recall seeing that before & i see it on the av7 page, text below. i saw a similar window pop up a few days back, & on the page was a small window, again, of an alleged security scan running & in that window i saw an i...

email virus alerts
I am getting tons of Email virus alerts with the address coming from MS Corporation Public Assistance, MS Corporate Security Internet Department. What does this mean. Is there anyway I can set this up so that it automatically deletes it from my inbox? See www.microsoft.com/security and you'll learn that this junk is not from Microsoft. Spam detector software can usually detect and handle this stuff. Hope this is useful to you. Let us know. rms margie wrote: > I am getting tons of Email virus alerts with the address > coming from MS Corporation Public Assistance, MS ...

How to resolve this thread DEADLOCK issue?
I have: Thread A (main GUI thread), Thread B (secondary GUI thread that pops up alert windows). Thread A calls ClassA, which creates and manages Thread B through ClassB. ClassB creates and manages alert windows in the second CWinThread-derived thread. ClassB also creates a message window (MsgWindow), so neither class uses PostThreadMessage and instead posts to MsgWindow, and the MsgWindow calls methods in ClassB. The initialization is to call 5 funcs in ClassA to set some params. Each of these 5 funcs calls a function in ClassB which caches the value. That generally happens once. Then the...

Check printing issues
I've been using Microsoft Money for 6 or 7 years, but there are still things I haven't figured out how to do (or if they are doable); my current version is Money 2003. I use the "three on a page" homeowner check style. For printing partial pages, after one check is printed, Money wants me to put the rest of the checks into the printer sideways, and I always get messed up when I do this. My printer, a Brother MFC 4650, has no problem printing pages as short as 5". A single check plus the bottom tab is 5 1/4 inches, so there is no reason for me to turn the checks for a pa...

Virus
We use Outlook Express. I think my wife has a virus in her email Identity. I've updated Norton and it does not detect any virus, but every time she opens her email something keeps trying to send emails to addresses we never heard of. Norton stops them from going. It's only my wife's Identity. Does anyone have a suggestion how to fix it? Thanks, Gary. Gary, I would try also running a spyware program like Ad-aware to clean out any unwanted programs that you didn't even know were there. Also, make sure you have the latest virus definitions from Symantec for your Norton. Good luck! Brett &...

Calculation problem #N/A issue
Hello, can someone tell me if the following is possible? I am making a few basic calculations in a worksheet. Sometimes the value returned is #N/A because a cell is blank. This is correct. Once the cell is filled with a value, the calculation is correct. My question is: is it possible to hide or show a blank or a user-defined value instead of #N/A? Thanks --- Message posted from http://www.ExcelForum.com/ joe pt, you can change your original formulas from =yourformula to =IF(ISNA(yourformula),"",yourformula). You can replace the "" with a 0 if you want. John "...
