virus issues

We are using Exchange 2003.
Apparently we have been hit by a virus. All the users are being constantly 
hit with emails that are from either:
system administrator    undeliverable: bla bla bla (password has been 
updated or account suspended.. which is the virus package I think)
or from

administrator@mydomain.com   : you have successfully updated your password 
(this is the virus package)


I have antivirus software running on all systems, including the server.
I have run the FXmydoom.exe package from Symantec on all the servers and 
many (not all) of the workstations..
...I did a Google on "your password has been updated" that led me to 
MyDoom......

but still everyone gets these emails...

What can I do? Where do I go from here?

thanks for the help ;)


0
mark7111 (54)
6/14/2005 1:59:28 PM
exchange.admin

19 Replies
573 Views


What type of AV software are you running on the server?  Do you have the 
ability to blacklist any domains or IP addresses?

Greg


0
replyto1 (32)
6/14/2005 1:56:52 PM
I am running Norton Small Business V7.5 antivirus and the IMF filter so am 
sorta limited..
But I'm really not understanding what is going on.. Where are these emails 
coming from?
Is a system in my network sending them?
Many are for users that do not exist in the network...... these are the 
'undeliverable' ones... but many go to legit users too..
I'm really trying to understand just what is going on........... who or what 
is sending these mails. Is it internal or external?

thanks


0
mark7111 (54)
6/14/2005 2:21:11 PM
You can view the originator through the message header. Open the email and 
click on View/Options. You can block the IP and originating domain, which may 
or may not do you any good as spammers are constantly changing them. 
However I've had good results blocking the ISP IP, which is usually foreign 
and does not affect legitimate emails. Also you may want to turn off relay 
in case they are relaying through your SMTP. Do you use the IMF Companion? 
You may want to turn on performance counters for IMF so you can determine 
the correct SCL level you need to apply. Using RBLs is also a good thing to 
do.



0
allen.miyake (137)
6/14/2005 4:25:15 PM
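Before blocking anything, the question asked earlier in the thread (is a system on my network sending them?) can be answered from the Exchange server's own SMTP protocol log rather than from the message header. The script below is an added example, not code from the thread or from Microsoft. It assumes protocol logging is enabled on the SMTP virtual server in W3C extended format, reads the column order from the #Fields: line, and lists every client IP that issued MAIL FROM with a sender in your own domain. Outlook talks MAPI to Exchange 2003, so a workstation speaking SMTP and claiming a local sender is either a known device (copier, application server) or something with its own SMTP engine, which is how mass-mailing worms send. The log lines, the field names used (c-ip, cs-method, cs-uri-query) and the addresses are all constructed for the example.

```python
"""List the SMTP clients submitting mail as <anything>@mydomain.com.

Added example, not from the newsgroup thread. The sample log below is
constructed; the column layout follows its own #Fields: line, so a real
Exchange 2003 W3C log with a different column order still parses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one infected workstation, one copier, one outside MTA.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-06-14 20:52:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2005-06-14 20:52:10 192.168.1.55 mydomain.com SMTPSVC1 EXCHANGE 192.168.1.10 0 HELO - +mydomain.com 250 0 48 18 0 SMTP - - - -
2005-06-14 20:52:10 192.168.1.55 mydomain.com SMTPSVC1 EXCHANGE 192.168.1.10 0 MAIL - +FROM:<info@mydomain.com> 250 0 46 39 0 SMTP - - - -
2005-06-14 20:52:10 192.168.1.55 mydomain.com SMTPSVC1 EXCHANGE 192.168.1.10 0 RCPT - +TO:<josh@mydomain.com> 250 0 28 29 0 SMTP - - - -
2005-06-14 20:52:31 192.168.1.55 mydomain.com SMTPSVC1 EXCHANGE 192.168.1.10 0 MAIL - +FROM:<administrator@mydomain.com> 250 0 55 48 0 SMTP - - - -
2005-06-14 20:52:31 192.168.1.55 mydomain.com SMTPSVC1 EXCHANGE 192.168.1.10 0 RCPT - +TO:<user@mydomain.com> 250 0 28 29 0 SMTP - - - -
2005-06-14 20:52:54 192.168.1.55 mydomain.com SMTPSVC1 EXCHANGE 192.168.1.10 0 MAIL - +FROM:<info@mydomain.com> 250 0 46 39 0 SMTP - - - -
2005-06-14 20:53:02 192.168.1.20 copier SMTPSVC1 EXCHANGE 192.168.1.10 0 MAIL - +FROM:<scanner@mydomain.com> 250 0 49 42 0 SMTP - - - -
2005-06-14 20:53:40 198.51.100.7 mail.example.net SMTPSVC1 EXCHANGE 192.168.1.10 0 MAIL - +FROM:<bob@example.net> 250 0 45 38 0 SMTP - - - -
"""

SENDER_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # the header gives the column order
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):        # skip truncated or malformed records
                yield dict(zip(fields, parts))


def spoofed_local_senders(log_text, own_domain, allowed_clients=frozenset()):
    """Return [(client_ip, submissions, {sender: count})], busiest client first.

    Only MAIL FROM commands whose envelope sender is in own_domain count, and
    clients in allowed_clients (your own Exchange server, known devices) are
    ignored, so what is left is the list of machines to go and scan.
    """
    suffix = "@" + own_domain.lower()
    hits = defaultdict(Counter)
    for rec in parse_w3c(log_text):
        if rec["cs-method"].upper() != "MAIL":
            continue
        m = SENDER_RE.search(rec["cs-uri-query"])
        sender = m.group(1).lower() if m else ""
        if not sender.endswith(suffix) or rec["c-ip"] in allowed_clients:
            continue
        hits[rec["c-ip"]][sender] += 1
    report = [(ip, sum(c.values()), dict(c)) for ip, c in hits.items()]
    report.sort(key=lambda row: row[1], reverse=True)
    return report


if __name__ == "__main__":
    # 192.168.1.10 is the Exchange server itself and 192.168.1.20 a copier
    # that scans to e-mail; both are assumed for the constructed sample.
    known = {"192.168.1.10", "192.168.1.20"}
    for ip, n, senders in spoofed_local_senders(SAMPLE_LOG, "mydomain.com", known):
        print("%s: %d submissions as a local sender %s" % (ip, n, senders))
```

Run it against the day's log file instead of SAMPLE_LOG and the first line printed is the machine the antivirus scan missed; the sender counts also show whether it is the same host producing both the "info@" and the "administrator@" messages.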
Ok...

This is what I'm not understanding. There are basically 2 types of email 
that concern me.

In the user's box (Outlook 2003) he will have a bunch of email:

from: System Administrator                     subject: undeliverable: You 
have successfully updated your password.

*******This is the header from one of those

Microsoft Mail Internet Headers Version 2.0
From: postmaster@mydomain.com
To: user@mydomain.com
Date: Tue, 14 Jun 2005 16:52:54 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain."
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Message-ID: <5paz2uJ9H00000378@EXCHANGE.mydomain.local>
Subject: Delivery Status Notification (Failure)

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.
Content-Type: text/plain; charset=unicode-1-1-utf-7

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.
Content-Type: message/delivery-status

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.
Content-Type: message/rfc822

Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP address of 
my server))) by EXCHANGE.mydomain.local with Microsoft 
SMTPSVC(6.0.3790.1830);
Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com ***** THIS USER (INFO) DOES NOT EXIST. *****
To: josh@mydomain.com ***** THIS USER DOES NOT EXIST EITHER *****

****Ok, the mail was undeliverable because josh does not exist... but where 
is the sender (info@mydomain.com) coming from?

Subject: You have successfully updated your password
Date: Tue, 14 Jun 2005 16:52:54 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_9AC13455.6335A418"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: info@mydomain.com
Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
FILETIME=[098348C0:01C57123]

------=_NextPart_000_0008_9AC13455.6335A418
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0008_9AC13455.6335A418
Content-Type: application/octet-stream;
name="email-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="email-password.zip"

------=_NextPart_000_0008_9AC13455.6335A418--

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--


?????? If he is getting this mail returned to him, does it not mean that he 
is sending it?... but he's not. Does that mean that the virus is on his PC?? 
But I've scanned for it several times and not found it at all, ever...

Where are these mails coming from? Is the server sending them out somehow? 
Is his PC sending them out somehow? I don't know where to begin to figure 
this out......

********************************************************************************

The other type of email he will receive is from, for instance,

Administrator@mydomain.com   Subject: You have successfully updated your 
password

Here is the header info from one of those:

Microsoft Mail Internet Headers Version 2.0
Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local with 
Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the legit IP address 
of the server here*****
Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: real user@mydomain.com
Subject: You have successfully updated your password
Date: Tue, 14 Jun 2005 09:07:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: administrator@mydomain.com
Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
FILETIME=[16867EC0:01C570E2]

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: application/octet-stream;
name="new-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="new-password.zip"

------=_NextPart_000_0001_4FC13ACF.85304567--


So... block what address?? It says the email is coming from my own 
server...?

Plus, what about the system administrator returned email? Where is that 
coming from... I'm so confused......


0
mark7111 (54)
6/14/2005 9:36:51 PM
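The header dump above already contains the answer to "block what address?", but not in the lines the poster is looking at. From:, Return-Path: and Message-ID: in the bounced message were all supplied by whoever opened the SMTP session, so "info@mydomain.com" says nothing about the origin. The one line you can trust is the Received: stamped by your own server on the way in, because it records the IP address of the peer that connected; everything below it is the sender's claim. The script below is an added example, not code from the thread. It parses the message/rfc822 part, takes the topmost Received: only if it was stamped by your own server, and says where that peer sits. SAMPLE is a constructed copy of the thread's header with the redacted x.x.x.x replaced by 203.0.113.10, an assumed placeholder, and the host name EXCHANGE.mydomain.local and the 192.168.0.0/16 LAN range are assumptions too.

```python
"""Work out which host actually handed a message to the Exchange server.

Added example, not from the newsgroup thread. Only the Received: line your
own server added is trustworthy; From:/Return-Path: are whatever the peer
typed in the SMTP envelope and header.
"""
import ipaddress
import re
from email import message_from_string

# Constructed from the message/rfc822 part quoted in the thread; the redacted
# x.x.x.x is replaced by 203.0.113.10 (assumed placeholder).
SAMPLE = """\
Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
\t Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Return-Path: info@mydomain.com
Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>

"""

# "from <helo-name> ([<ip>]) by <server> ..." as Exchange 2003 writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw):
    """Received: lines, topmost (most recent, stamped by your server) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold the header
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"].rstrip(";")})
    return hops


def classify(ip, own_public_ips, lan):
    """Say where the connecting peer sits relative to your network."""
    net = ipaddress.ip_network(lan) if isinstance(lan, str) else lan
    if ip in own_public_ips:
        # The session arrived on the server's own public address: a LAN host
        # reaching it through the firewall's NAT, or a machine outside. The
        # firewall's connection log is the next place to look.
        return "via-own-public-ip"
    if ipaddress.ip_address(ip) in net:
        return "internal"
    return "external"


def origin(raw, own_public_ips, lan, own_host="EXCHANGE.mydomain.local"):
    """Return the trustworthy origin of a message next to the claimed sender."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    if not hops or hops[0]["by"].lower() != own_host.lower():
        # No stamp from our own server: every remaining hop is attacker data.
        return {"trusted": False, "claimed_sender": msg.get("From")}
    top = hops[0]
    return {
        "trusted": True,
        "helo": top["helo"],                  # whatever the peer said in HELO
        "ip": top["ip"],                      # where the TCP session really came from
        "verdict": classify(top["ip"], own_public_ips, lan),
        "claimed_sender": msg.get("From"),
        "return_path": msg.get("Return-Path"),
    }


if __name__ == "__main__":
    print(origin(SAMPLE, {"203.0.113.10"}, "192.168.0.0/16"))
```

For the headers in the thread the verdict is "via-own-public-ip": the peer connected to the server's public address, so blocking the From: domain or the server's own IP would achieve nothing, and the HELO string "mydomain.com" is equally meaningless because the peer chose it.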
Looks like someone is using your SMTP virtual server for relaying. You need 
to turn that off unless you have a specific reason to have it on. You should 
only "allow" the internal IP address of your mail server to use relay on 
this server.



0
allen.miyake (137)
6/14/2005 9:46:06 PM
Could you elaborate a bit please...
In the default SMTP virtual server properties / relay....
I have the box 'Only the list below' (and nothing in the list) checked 
and
checked - 'Allow all computers which successfully authenticate to relay, 
regardless of the list above'

Is this not right??
There is a terminal server on this network... could that be involved in this 
relay some way?






0
mark7111 (54)
6/14/2005 11:07:11 PM
You need to uncheck "Allow all computers which successfully authenticate to 
relay, regardless of the list above". This is what is allowing outside users to 
use your SMTP relay.
Otherwise the list above does no good. We want "Only the list below", which 
should be the internal IP of your Exchange server. Give it a 
try and of course monitor it over the next day or so.

>>>
>>> Content-Transfer-Encoding: 7bit
>>>
>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>
>>> Content-Type: application/octet-stream;
>>>
>>> name="new-password.zip"
>>>
>>> Content-Transfer-Encoding: base64
>>>
>>> Content-Disposition: attachment;
>>>
>>> filename="new-password.zip"
>>>
>>>
>>>
>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>
>>>
>>>
>>> So... block what address?? it says the email is coming from my own 
>>> server...?
>>>
>>> Plus, what about the system administrator returned email? where is that 
>>> coming from... Im so confused......
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>> You can view the originator through the Message Header. Open the email 
>>>> and click on View/Options. You can block the IP and originating domain 
>>>> which may or may not do you any good as spammers are always constantly 
>>>> changing them. However I've had good results blocking the ISP IP which 
>>>> is usually foreign and does not affect legitimate emails. Also you may 
>>>> want to turn off Relay in case they are relaying through your SMTP. Do 
>>>> you use the IMF Companion? You may want to turn on Performance Counters 
>>>> for IMF so you can determine the correct SCL level you need to apply. 
>>>> Also using RBL's is a good thing to do also.
>>>>
>>>>
>>>> "markus" <mark@nospam.com> wrote in message 
>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>I am running Norton Small Business V7.5 antivirus and the IMF filter so 
>>>>>am sorta limited..
>>>>> But I'm really not understanding what is going on..  where are these 
>>>>> emails coming from?
>>>>> Is a system in my network sending them?
>>>>> many are for users that do not exist in the network ......these are 
>>>>> the 'undeliverable' ones...  but many go to legit users too..
>>>>> I'm really trying to understand just what is going on...........who or 
>>>>> shat is sending these mails. Is it internal or external?
>>>>>
>>>>> thanks
>>>>> .
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>> We are using exchange 2003.
>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>> constantly hit with emails that are from either:
>>>>>> system administrator    undeliverable: bla bla bal (password has been 
>>>>>> updated or account suspended..which is the virus package I think)
>>>>>> or from
>>>>>>
>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>> password (this is the virus package)
>>>>>>
>>>>>>
>>>>>> I have antivirus software running on all systems, including the 
>>>>>> server.
>>>>>> I have run the FXmydoom.exe package from symantec on  all the servers 
>>>>>> and many (not all) of the workstations..
>>>>>> ..I did a google on 'your password has been updated" that led me to 
>>>>>> MyDoom......
>>>>>>
>>>>>> but still everyone gets these emails...
>>>>>>
>>>>>> What can I do? where do I go from here?
>>>>>>
>>>>>> thanks for the help ;)
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/14/2005 11:16:41 PM
OK, I've unchecked 'Allow all computers which successfully authenticate to
relay', and put in the IP address of the server only...
but a question..... outside users would not be 'authenticated' users, would 
they?  By authenticated, do they mean logged onto the network?
Why not allow authenticated users to relay if they are all in-house 
anyway....
or............
could it be that a remote user, logging on through terminal server, is actually 
doing the relaying...  if he had, for instance, MyDoom, which adds an SMTP 
server, infecting his remote PC... and then logged onto the network through 
TS...  could that then be relaying through Exchange...?
...sounds logical to me..  what do you think?

"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
> You need to uncheck 'Allow all computers which successfully authenticate 
> to relay, regardless of the list above'. This is what is allowing outside 
> users to use your SMTP relay.
> Otherwise the listed server above does no good. We want "Only the list 
> below", which should be the internal IP of your Exchange server. Give it a 
> try and of course monitor it over the next day or so.


0
mark7111 (54)
6/15/2005 2:38:59 AM
This may be a bit above and beyond as to how well I can explain it so do not 
write this in stone. Here's my interpretation.
"Select which computer may relay through this virtual server" By selecting 
this we are saying that only email that passes through this email server may 
send outside.
"Allow all computers which successfully authenticate to relay, regardless of 
the list above". What this is saying is that anyone can go through this SMTP 
relay without passing through the server above. Which means they can send an 
email from another mail server.
So we only want email from our mail server to pass through our SMTP virtual 
server. SPAMMERS who use the SMTP virtual server do not send email from our 
Exchange server. Hope that makes sense and my interpretation is also correct. I 
do think it is because I was also getting those types of password 
confirmations like you are and since I closed the open relay it has not 
happened since. Maybe we can get someone else or an MVP to chime in and 
clarify this. If you do find it to be incorrect or find a better 
explanation I'd like to hear about it. Good luck.

"markus" <mark@nospam.com> wrote in message 
news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
> OK, I've unchecked 'Allow all computers which successfully authenticate to 
> relay', and put in the IP address of the server only...
> but a question..... outside users would not be 'authenticated' users, would 
> they?  By authenticated, do they mean logged onto the network?
> Why not allow authenticated users to relay if they are all in-house 
> anyway....
> or............
> could it be that a remote user, logging on through terminal server, is 
> actually doing the relaying...  if he had, for instance, MyDoom, which adds 
> an SMTP server, infecting his remote PC... and then logged onto the 
> network through TS...  could that then be relaying through Exchange...?
> ...sounds logical to me..  what do you think?


0
allen.miyake (137)
6/15/2005 3:11:30 PM
"Select which computers may relay through this VS" sets which "other" 
computers (hostname or IP) can relay (anonymously) e-mail through your 
Exchange server.  Unless you have a specific internal app that needs to 
relay, this list should be blank.  The internal IP of your Exchange server 
should NOT be in that list.  It should also be set at the default setting of 
"Only the list below".

"allow all computers which authenticate" is specifically for clients such as 
IMAP or POP3 users that must send e-mail using your server.  It further 
dictates that they MUST authenticate before being allowed to relay the 
messages.  This does not deal with anonymous smtp sessions (such as mail 
from other e-mail servers).  Outlook clients in MAPI mode do not relay 
messages, so this only needs to be checked if you have IMAP or POP3 clients. 
How clients can authenticate is determined by the settings under the 
authentication section.  I doubt that a virus would be able to initiate an 
authenticated SMTP session.

As far as where the messages are coming from, you need to look at the 
headers of one of the actual messages.  If the headers from that message 
indicate that it is internal, then you likely have an infected machine on 
your network.  If they are all destined for local addresses (even if they 
are invalid users), then there is no issue with relaying.  Relaying would 
only be an issue if the messages are being sent to external addresses.

Hope this helps.

-- 
Ben Winzenz
Exchange MVP
MessageOne

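As an added illustration of the header check Ben describes (this is not code from anyone in the thread), the script below parses the Received: chain of a message modelled on the headers quoted earlier and reports whether it entered from inside the network, whether its recipients are local, and whether it carries the password-lure subject and .zip attachment. The domain, the server and client IPs, and the base64 bytes are constructed placeholders.

```python
"""Triage a suspicious message the way Ben suggests: read the Received: chain
to see whether it entered from inside the network, and check whether the
recipients are local (no relay problem) or external (possible relay abuse).
Constructed example for this thread; not code from the newsgroup posts."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

OWN_DOMAIN = "mydomain.com"                     # placeholder domain from the thread
OWN_SERVER_IPS = {"203.0.113.10"}               # hypothetical public IP of the Exchange box
INTERNAL_PREFIXES = ("10.", "192.168.", "127.") # hypothetical internal ranges
LURE_PHRASES = ("updated your password", "account suspended")  # subjects named in the thread

# Constructed message modelled on the headers quoted in the thread; the
# base64 body is placeholder bytes, not a real archive.  {ip} and {to} are
# filled in by build_sample() so the same template can show both cases.
SAMPLE_TEMPLATE = """\
Received: from mydomain.com ([{ip}]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: {to}
Subject: You have successfully updated your password
Date: Tue, 14 Jun 2005 09:07:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
Return-Path: administrator@mydomain.com

------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html><body>Your new password is in the attached file.</body></html>
------=_NextPart_000_0001_4FC13ACF.85304567
Content-Type: application/octet-stream; name="new-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="new-password.zip"

UEsDBAoAAAAAAA==
------=_NextPart_000_0001_4FC13ACF.85304567--
"""

# "from <helo-name> ([<ip>]) by <server>" as written by Microsoft SMTPSVC
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.I)


def build_sample(origin_ip: str, recipient: str) -> str:
    """Fill the constructed template with a connecting IP and a recipient."""
    return SAMPLE_TEMPLATE.format(ip=origin_ip, to=recipient)


def received_hops(msg: Message) -> list:
    """Hops in transit order, oldest first.  Every MTA prepends its own
    Received: line, so the bottom-most header is the first hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(raw)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    hops.reverse()
    return hops


def origin_kind(ip: str) -> str:
    """Own server, another internal host, or something outside the network."""
    if ip in OWN_SERVER_IPS:
        return "own-server"
    if ip.startswith(INTERNAL_PREFIXES):
        return "internal"
    return "external"


def recipients_local(msg: Message) -> bool:
    """True when every To:/Cc: address is in our own domain."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return all(addr.lower().endswith("@" + OWN_DOMAIN) for _, addr in pairs)


def zip_attachments(msg: Message) -> list:
    """Filenames of .zip attachments (the lure carries its payload this way)."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(".zip")]


def triage(raw: str) -> dict:
    """Classify one message; the summary maps onto Ben's outcomes."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    kind = origin_kind(hops[0]["ip"]) if hops else "unknown"
    local = recipients_local(msg)
    subject = (msg.get("Subject") or "").lower()
    if kind in ("own-server", "internal"):
        summary = "entered from inside the network: look for an infected machine"
    elif local:
        summary = "inbound from outside with a spoofed local sender: a filtering issue, not relay"
    else:
        summary = "from outside and addressed outside: the server is being used as a relay"
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_kind": kind,
        "recipients_local": local,
        "relay_concern": kind == "external" and not local,
        "lure_subject": any(p in subject for p in LURE_PHRASES),
        "zip_attachments": zip_attachments(msg),
        "summary": summary,
    }


if __name__ == "__main__":
    for ip, to in (("203.0.113.10", "realuser@mydomain.com"),
                   ("198.51.100.7", "someone@example.net")):
        print(triage(build_sample(ip, to))["summary"])
```

The first sample reproduces the thread's case (connection from the server's own address, local recipient, so an inside host rather than relay abuse); the second shows the external-origin, external-recipient case that would point at the relay settings instead.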

"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
> This may be a bit above and beyond as to how well I can explain it so do 
> not write this in stone. Here's my interpretation.
> "Select which computer may relay through this virtual server" By selecting 
> this we are saying that only email that passes through this email server 
> may send outside.
> "Allow all computers which successfully authenticate to relay, regardless 
> of the list above". What this is saying is that anyone can go through this 
> SMTP relay without passing through the server above. Which means they can 
> send an email from another mail server.
> So we only want email from our mail server to pass through our SMTP 
> virtual server. SPAMMERS who use the SMTP virtual server do not send email 
> from our Exchange server. Hope that makes sense and my interpretation is also 
> correct. I do think it is because I was also getting those types of 
> password confirmations like you are and since I closed the open relay it 
> has not happened since. Maybe we can get someone else or an MVP to chime 
> in and clarify this. If you do find it to be incorrect or find a better 
> explanation I'd like to hear about it. Good luck.
>
> "markus" <mark@nospam.com> wrote in message 
> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>> OK, I've unchecked "'Allow all computers which sucessfully authenticate 
>> to
>> relay', and put in the IP address of the server only...
>> but a question..... outside users would not be 'authenticated' users 
>> would they?  By authenticated, they mean logged onto the network?
>> Why not  allow authenticated users to relay if they are all inhouse 
>> anyway....
>> or............
>> could it be that a remote user, logging on thru terminal server, is 
>> actually doing the relaying...  if he had for instance, mydoom, which 
>> adds an SMTP server, infecting his remote PC... and then logged onto the 
>> network thru TS...  could that be then relaying  thru exchange...?
>> ..sounds logical to me..  what you think?
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>> you need to uncheck "'Allow all computers which sucessfully authenticate 
>>> to relay,
>>> regardless of the list above" This is what is allowing outside users to 
>>> to use your SMTP relay.
>>> Otherwise the listed server above does no good. We want "Only the listed 
>>> below" which should be the internal IP of your Exchange server. Give it 
>>> a try and of course monitor it overthe next day or so.
>>>
>>>
>>> "markus" <mark@nospam.com> wrote in message 
>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>> Could you elaborate a bit please...
>>>> In the default SMTP virtual server properties / relay ....
>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>> checked and
>>>> checked - 'Allow all computers which sucessfully authenticate to relay, 
>>>> regardless of the list above'
>>>>
>>>> is this not right??
>>>> There is a terminal server on this network... could that be involved in 
>>>> this relay someway?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>> Looks like someone is using your SMTP virtual server for relaying. You 
>>>>> need to turn that off unless you have a specific reason to have it on. 
>>>>> You should only "allow" the internal IP address of your mail server to 
>>>>> use relay on this server.
>>>>>
>>>>>
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>> Ok...
>>>>>>
>>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>>> email that concern me.
>>>>>>
>>>>>> In the user's box (Outlook 2003) he will have a bunch of email to:
>>>>>>
>>>>>> from: System Administrator                     subject: 
>>>>>> undeliverable: You have successfully updated your password.
>>>>>>
>>>>>> *******This is the header from one of those
>>>>>>
>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>
>>>>>> From: postmaster@mydomain.com
>>>>>>
>>>>>> To: user@mydomain.com
>>>>>>
>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>>
>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>
>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>
>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>
>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>
>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>
>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>
>>>>>> Content-Type: message/delivery-status
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>
>>>>>> Content-Type: message/rfc822
>>>>>>
>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>
>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>
>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>> EXIST.************************
>>>>>>
>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>>>>
>>>>>> ****Ok, the mail was undeliverable because josh does not exist... but 
>>>>>> where is the sender (info@mydomain.com) coming from?
>>>>>>
>>>>>> Subject: You have successfully updated your password
>>>>>>
>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>>
>>>>>> Content-Type: multipart/mixed;
>>>>>>
>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>
>>>>>> X-Priority: 3
>>>>>>
>>>>>> X-MSMail-Priority: Normal
>>>>>>
>>>>>> Return-Path: info@mydomain.com
>>>>>>
>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>
>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>
>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>
>>>>>> Content-Type: text/html;
>>>>>>
>>>>>> charset="ISO-8859-1"
>>>>>>
>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>
>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>
>>>>>> Content-Type: application/octet-stream;
>>>>>>
>>>>>> name="email-password.zip"
>>>>>>
>>>>>> Content-Transfer-Encoding: base64
>>>>>>
>>>>>> Content-Disposition: attachment;
>>>>>>
>>>>>> filename="email-password.zip"
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>
>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>
>>>>>>
>>>>>>
>>>>>> ?????? if he is getting this mail returned to him, does it not mean 
>>>>>> that he is sending it?... but he's not. Does that mean that the virus 
>>>>>> is on his PC?? But I've scanned for it several times and not found it 
>>>>>> at all, ever...
>>>>>>
>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>>> begin to figure this out......
>>>>>>
>>>>>> ********************************************************************************
>>>>>>
>>>>>> The other type of email he will receive is from, for instance,
>>>>>>
>>>>>> Administrator@mydomain.com Subject: You have successfully updated your 
>>>>>> password
>>>>>>
>>>>>> Here is the header info from one of those:
>>>>>>
>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>
>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the legit 
>>>>>> IP address of the server here...*****************
>>>>>>
>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>
>>>>>> From: administrator@mydomain.com
>>>>>>
>>>>>> To: real user@mydomain.com
>>>>>>
>>>>>> Subject: You have successfully updated your password
>>>>>>
>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>
>>>>>> MIME-Version: 1.0
>>>>>>
>>>>>> Content-Type: multipart/mixed;
>>>>>>
>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>
>>>>>> X-Priority: 3
>>>>>>
>>>>>> X-MSMail-Priority: Normal
>>>>>>
>>>>>> Return-Path: administrator@mydomain.com
>>>>>>
>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>
>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>
>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>
>>>>>> Content-Type: text/html;
>>>>>>
>>>>>> charset="ISO-8859-1"
>>>>>>
>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>
>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>
>>>>>> Content-Type: application/octet-stream;
>>>>>>
>>>>>> name="new-password.zip"
>>>>>>
>>>>>> Content-Transfer-Encoding: base64
>>>>>>
>>>>>> Content-Disposition: attachment;
>>>>>>
>>>>>> filename="new-password.zip"
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>
>>>>>>
>>>>>>
>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>> server...?
>>>>>>
>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>> that coming from... I'm so confused......
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>> originating domain which may or may not do you any good as spammers 
>>>>>>> are always constantly changing them. However I've had good results 
>>>>>>> blocking the ISP IP which is usually foreign and does not affect 
>>>>>>> legitimate emails. Also you may want to turn off Relay in case they 
>>>>>>> are relaying through your SMTP. Do you use the IMF Companion? You 
>>>>>>> may want to turn on Performance Counters for IMF so you can 
>>>>>>> determine the correct SCL level you need to apply. Also using RBL's 
>>>>>>> is a good thing to do also.
>>>>>>>
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF filter 
>>>>>>>> so am sorta limited..
>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>> these emails coming from?
>>>>>>>> Is a system in my network sending them?
>>>>>>>> many are for users that do not exist in the network ......these are 
>>>>>>>> the 'undeliverable' ones...  but many go to legit users too..
>>>>>>>> I'm really trying to understand just what is going on...........who 
>>>>>>>> or what is sending these mails. Is it internal or external?
>>>>>>>>
>>>>>>>> thanks
>>>>>>>> .
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>> We are using exchange 2003.
>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>>>> think)
>>>>>>>>> or from
>>>>>>>>>
>>>>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>>>>> password (this is the virus package)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>> server.
>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>> ..I did a google on 'your password has been updated" that led me 
>>>>>>>>> to MyDoom......
>>>>>>>>>
>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>
>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>
>>>>>>>>> thanks for the help ;)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
Ben
6/15/2005 4:53:10 PM
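
The two headers markus posted (the postmaster bounce that wraps the worm's message, and the direct "You have successfully updated your password" message) can be triaged the way Ben describes: find the earliest Received hop and decide whether it is internal, and separate the bounce from the message it bounced. The following is an added Python example, not code from this thread or from Exchange. The sample messages are constructed to mirror the posted headers: 10.0.0.25 stands in for the redacted x.x.x.x (the poster's header shows the server's own address there), the DSN boundary, internal networks and the list of real mailboxes are placeholders, and the zip body is an empty archive.

```python
import email
import ipaddress
import re
from email import policy

LOCAL_DOMAIN = "mydomain.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_USERS = {"user", "postmaster", "administrator"}  # constructed directory of real mailboxes
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # the [x.x.x.x] in a Received: line

def worm_sample(sender, rcpt, boundary, zipname, stamp):
    """Constructed copy of the worm's message; the base64 body is an empty zip, not the worm."""
    return f"""Received: from mydomain.com ([10.0.0.25]) by EXCHANGE.mydomain.local with
\tMicrosoft SMTPSVC(6.0.3790.1830); {stamp}
From: {sender}
To: {rcpt}
Subject: You have successfully updated your password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="{boundary}"

--{boundary}
Content-Type: text/html; charset="ISO-8859-1"

<html><body>Your password has been updated.</body></html>
--{boundary}
Content-Type: application/octet-stream; name="{zipname}"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="{zipname}"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--{boundary}--
"""

DIRECT_SAMPLE = worm_sample("administrator@mydomain.com", "user@mydomain.com",
                            "----=_NextPart_000_0001_4FC13ACF.85304567",
                            "new-password.zip", "Tue, 14 Jun 2005 09:07:59 -0400")
_BOUNCED = worm_sample("info@mydomain.com", "josh@mydomain.com",
                       "----=_NextPart_000_0008_9AC13455.6335A418",
                       "email-password.zip", "Tue, 14 Jun 2005 16:52:54 -0400")
BOUNCE_SAMPLE = f"""From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN_CONSTRUCTED"

--DSN_CONSTRUCTED
Content-Type: message/delivery-status

Final-Recipient: rfc822;josh@mydomain.com
Action: failed
Status: 5.1.1
--DSN_CONSTRUCTED
Content-Type: message/rfc822

{_BOUNCED}
--DSN_CONSTRUCTED--
"""

def origin_ip(msg):
    """Earliest hop: Received: lines are prepended, so the last one is the oldest."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP.search(hdr)
        if m:
            return m.group(1)
    return None

def is_internal(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    is_dsn = msg.get_content_type() == "multipart/report"
    original = msg
    if is_dsn:  # the bounced original rides inside the message/rfc822 part
        original = next((p.get_payload(0) for p in msg.walk()
                         if p.get_content_type() == "message/rfc822"), msg)
    sender = str(original.get("From", ""))
    local, _, domain = sender.rpartition("@")
    ip = origin_ip(original)
    return {
        "kind": "bounce" if is_dsn else "direct",
        "origin_ip": ip,
        "origin": "internal" if is_internal(ip) else "external",
        "sender": sender,
        "recipient": str(original.get("To", "")),
        # a local-domain sender that is not a real mailbox was forged by the worm
        "forged_local_sender": domain.lower() == LOCAL_DOMAIN and local.lower() not in KNOWN_USERS,
        "attachments": [p.get_filename() for p in original.walk() if p.get_filename()],
    }

def assessment(result):
    """Ben's rule of thumb: an internal first hop means an infected machine on the
    LAN, and mail addressed to local users is not a relay problem."""
    if result["origin"] == "internal":
        return f"internal origin: look for an infected machine at {result['origin_ip']}"
    if result["recipient"].lower().endswith("@" + LOCAL_DOMAIN):
        return "external origin to a local user: not relaying, filter at the gateway"
    return "external origin to an external user: the server is being used as a relay"
```

Feed `triage` the full raw message rather than only the header block that View/Options displays: the bounced original, and therefore the hop that matters, lives in the MIME body of the DSN, and the forged `From:` on the bounced message is why the bounce lands in a mailbox that never sent anything.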
Hey Ben,
I'm glad I found you and you were able to chime in. I guess at this point 
this information is more for my interest and knowledge than Markus, but he 
did start the thread. I'm a bit confused at what you just wrote.

"Unless you have a specific internal app that needs to relay, this list 
should be blank.  The internal IP of your Exchange server should NOT be in 
that list.  It should also be set at the default setting of "Only the list 
below".

You're telling me here my Exchange server's internal IP should not be listed, 
yet you then tell me that I need to set it to "Only the list below".
My question is, if there is nothing in the list, what purpose does this serve?



"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
> "Select which computers may relay through this VS" sets which "other" 
> computers (hostname or IP) can relay (anonymously) e-mail through your 
> Exchange server.  Unless you have a specific internal app that needs to 
> relay, this list should be blank.  The internal IP of your Exchange server 
> should NOT be in that list.  It should also be set at the default setting 
> of "Only the list below".
>
> "allow all computers which authenticate" is specifically for clients such 
> as IMAP or POP3 users that must send e-mail using your server.  It further 
> dictates that they MUST authenticate before being allowed to relay the 
> messages.  This does not deal with anonymous smtp sessions (such as mail 
> from other e-mail servers).  Outlook clients in MAPI mode do not relay 
> messages, so this only needs to be checked if you have IMAP or POP3 
> clients. How clients can authenticate is determined by the settings under 
> the authentication section.  I doubt that a virus would be able to 
> initiate an authenticated SMTP session.
>
> As far as where the messages are coming from, you need to look at the 
> headers of one of the actual messages.  If the headers from that message 
> indicate that it is internal, then you likely have an infected machine on 
> your network.  If they are all destined for local addresses (even if they 
> are invalid users), then there is no issue with relaying.  Relaying would 
> only be an issue if the messages are being sent to external addresses.
>
> Hope this helps.
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>> This may be a bit above and beyond as to how well I can explain it so do 
>> not write this in stone. Here's my interpretation.
>> "Select which computer may relay through this virtual server" By 
>> selecting this we are saying that only email that passes through this 
>> email server may send outside.
>> "Allow all computers which successfully authenticate to relay, regardless 
>> of the list above". What this is saying is that anyone can go through 
>> this SMTP relay without passing through the server above. Which means 
>> they can send an email from another mail server.
>> So we only want email from our mail server to pass through our SMTP 
>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>> email from our Exchange server. Hope that makes sense and my interpretation 
>> is also correct. I do think it is because I was also getting those types 
>> of password confirmations like you are and since I closed the open relay 
>> it has not happened since. Maybe we can get someone else or an MVP to 
>> chime in and clarify this. If you do find it to be incorrect or find a 
>> better explanation I'd like to hear about it. Good luck.
>>
>> "markus" <mark@nospam.com> wrote in message 
>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>> OK, I've unchecked "'Allow all computers which successfully authenticate 
>>> to
>>> relay', and put in the IP address of the server only...
>>> but a question..... outside users would not be 'authenticated' users 
>>> would they?  By authenticated, they mean logged onto the network?
>>> Why not  allow authenticated users to relay if they are all inhouse 
>>> anyway....
>>> or............
>>> could it be that a remote user, logging on thru terminal server, is 
>>> actually doing the relaying...  if he had for instance, mydoom, which 
>>> adds an SMTP server, infecting his remote PC... and then logged onto the 
>>> network thru TS...  could that be then relaying  thru exchange...?
>>> ..sounds logical to me..  what you think?
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>> you need to uncheck "'Allow all computers which sucessfully 
>>>> authenticate to relay,
>>>> regardless of the list above" This is what is allowing outside users to 
>>>> to use your SMTP relay.
>>>> Otherwise the listed server above does no good. We want "Only the 
>>>> listed below" which should be the internal IP of your Exchange server. 
>>>> Give it a try and of course monitor it overthe next day or so.
>>>>
>>>>
>>>> "markus" <mark@nospam.com> wrote in message 
>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>> Could you elaborate a bit please...
>>>>> In the default SMTP virtual server properties / relay ....
>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>> checked and
>>>>> checked - 'Allow all computers which sucessfully authenticate to 
>>>>> relay, regardless of the list above'
>>>>>
>>>>> is this not right??
>>>>> There is a terminal server on this network... could that be involved 
>>>>> in this relay someway?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>> Looks like someone is using your SMTP virtual server for relaying. 
>>>>>> You need to turn that off unless you have a specific reason to have 
>>>>>> it on. You should only "allow" the internal IP address of your mail 
>>>>>> server to use relay on this server.
>>>>>>
>>>>>>
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>> Ok...
>>>>>>>
>>>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>>>> email that concern me.
>>>>>>>
>>>>>>> Is the users box (outlook 2003) he will have a bunch of email to:
>>>>>>>
>>>>>>> from: System Administrator                     subject: 
>>>>>>> undeliverable: You have sucessfully updated your password.
>>>>>>>
>>>>>>> *******This is the header from one of those
>>>>>>>
>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>
>>>>>>> From: postmaster@mydomain.com
>>>>>>>
>>>>>>> To: user@mydomain.com
>>>>>>>
>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>
>>>>>>> MIME-Version: 1.0
>>>>>>>
>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>
>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>
>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>
>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>
>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>
>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>
>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>
>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>
>>>>>>> Content-Type: message/delivery-status
>>>>>>>
>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>
>>>>>>> Content-Type: message/rfc822
>>>>>>>
>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>>
>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>
>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>> EXIST.************************
>>>>>>>
>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST EITHER*******
>>>>>>>
>>>>>>> ****Ok, the mail was undeliverable because josh does not exist... 
>>>>>>> but where is the sender (info@mydomain.com) coming from?
>>>>>>>
>>>>>>> Subject: You have successfully updated your password
>>>>>>>
>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>
>>>>>>> MIME-Version: 1.0
>>>>>>>
>>>>>>> Content-Type: multipart/mixed;
>>>>>>>
>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>
>>>>>>> X-Priority: 3
>>>>>>>
>>>>>>> X-MSMail-Priority: Normal
>>>>>>>
>>>>>>> Return-Path: info@mydomain.com
>>>>>>>
>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>
>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>
>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>
>>>>>>> Content-Type: text/html;
>>>>>>>
>>>>>>> charset="ISO-8859-1"
>>>>>>>
>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>
>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>
>>>>>>> Content-Type: application/octet-stream;
>>>>>>>
>>>>>>> name="email-password.zip"
>>>>>>>
>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>
>>>>>>> Content-Disposition: attachment;
>>>>>>>
>>>>>>> filename="email-password.zip"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>
>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ?????? if he is getting this mail returned to him, does it not mean 
>>>>>>> that he is sending it?... but he's not. Does that mean that the 
>>>>>>> virus is on his PC?? But I've scanned for it several times and not 
>>>>>>> found it at all, ever...
>>>>>>>
>>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>>>> begin to figure this out......
>>>>>>>
>>>>>>> ********************************************************************************
>>>>>>>
>>>>>>> The other type pof email he will receive is from, for instance,
>>>>>>>
>>>>>>> Administrator@mydomain.com Subject; You have sucessfully updated 
>>>>>>> your password
>>>>>>>
>>>>>>> Here is the header info from one of those:
>>>>>>>
>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>
>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the legit 
>>>>>>> IP address of the server here...*****************8
>>>>>>>
>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>
>>>>>>> From: administrator@mydomain.com
>>>>>>>
>>>>>>> To: real user@mydomain.com
>>>>>>>
>>>>>>> Subject: You have successfully updated your password
>>>>>>>
>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>
>>>>>>> MIME-Version: 1.0
>>>>>>>
>>>>>>> Content-Type: multipart/mixed;
>>>>>>>
>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>
>>>>>>> X-Priority: 3
>>>>>>>
>>>>>>> X-MSMail-Priority: Normal
>>>>>>>
>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>
>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>
>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>
>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>
>>>>>>> Content-Type: text/html;
>>>>>>>
>>>>>>> charset="ISO-8859-1"
>>>>>>>
>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>
>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>
>>>>>>> Content-Type: application/octet-stream;
>>>>>>>
>>>>>>> name="new-password.zip"
>>>>>>>
>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>
>>>>>>> Content-Disposition: attachment;
>>>>>>>
>>>>>>> filename="new-password.zip"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>>> server...?
>>>>>>>
>>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>>> that coming from... Im so confused......
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>> originating domain which may or may not do you any good as spammers 
>>>>>>>> are always constantly changing them. However I've had good results 
>>>>>>>> blocking the ISP IP which is usually foreign and does not affect 
>>>>>>>> legitimate emails. Also you may want to turn off Relay in case they 
>>>>>>>> are relaying through your SMTP. Do you use the IMF Companion? You 
>>>>>>>> may want to turn on Performance Counters for IMF so you can 
>>>>>>>> determine the correct SCL level you need to apply. Also using RBL's 
>>>>>>>> is a good thing to do also.
>>>>>>>>
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>filter so am sorta limited..
>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>> these emails coming from?
>>>>>>>>> Is a system in my network sending them?
>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users too..
>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>> on...........who or shat is sending these mails. Is it internal or 
>>>>>>>>> external?
>>>>>>>>>
>>>>>>>>> thanks
>>>>>>>>> .
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>>>>> think)
>>>>>>>>>> or from
>>>>>>>>>>
>>>>>>>>>> administrator@mydomain.com   : you have successfully updated your 
>>>>>>>>>> password (this is the virus package)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>>> server.
>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>> ..I did a google on 'your password has been updated" that led me 
>>>>>>>>>> to MyDoom......
>>>>>>>>>>
>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>
>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>
>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/15/2005 5:13:20 PM
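
To make the relay controls AllenM is asking about concrete, here is an added Python model of how the three settings on the Relay Restrictions tab (the "Only the list below" / "All except the list below" choice, the list itself, and the "Allow all computers which successfully authenticate" checkbox) combine for one SMTP session. It is a simplification written for this thread, not Exchange's own logic; the local domain, the addresses and the scenario names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"mydomain.com"}  # domains this server accepts mail for (constructed)

@dataclass
class RelaySettings:
    """The Relay Restrictions tab: radio button, list, and the checkbox."""
    only_list_below: bool = True                    # False means "All except the list below"
    relay_list: list = field(default_factory=list)  # IPs or networks in the list
    allow_authenticated: bool = True                # "Allow all computers which successfully authenticate..."

@dataclass
class Session:
    client_ip: str
    authenticated: bool   # did the client complete SMTP AUTH?
    rcpt_domain: str      # domain of the RCPT TO address

def in_relay_list(ip, relay_list):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in relay_list)

def accept_rcpt(settings, s):
    """Return (accepted, reason) for one RCPT TO command."""
    # Mail for a hosted domain is local delivery, not relaying: it is accepted from
    # anyone, which is why worm mail addressed to local users (even non-existent
    # ones, which then bounce) arrives no matter how the relay list is set.
    if s.rcpt_domain.lower() in LOCAL_DOMAINS:
        return True, "local delivery, relay settings not consulted"
    listed = in_relay_list(s.client_ip, settings.relay_list)
    if settings.only_list_below and listed:
        return True, "anonymous relay: client is in the list"
    if not settings.only_list_below and not listed:
        return True, "anonymous relay: 'all except the list below' and client is not excluded"
    if s.authenticated and settings.allow_authenticated:
        return True, "relay allowed after successful SMTP authentication"
    return False, "550 5.7.1 Unable to relay"

def scenarios():
    """Sessions that correspond to the situations debated in the thread."""
    recommended = RelaySettings(only_list_below=True, relay_list=[], allow_authenticated=True)
    open_relay = RelaySettings(only_list_below=False, relay_list=[])  # the choice to avoid
    internet_host = "203.0.113.10"  # documentation address standing in for an outside host
    lan_pc = "192.168.1.50"         # constructed LAN workstation
    return {
        "internet host, anonymous, to external domain (recommended)":
            accept_rcpt(recommended, Session(internet_host, False, "example.net")),
        "internet host, anonymous, to local user (recommended)":
            accept_rcpt(recommended, Session(internet_host, False, "mydomain.com")),
        "LAN PC with its own SMTP engine, anonymous, to external domain":
            accept_rcpt(recommended, Session(lan_pc, False, "example.net")),
        "POP3/IMAP user after SMTP AUTH, to external domain":
            accept_rcpt(recommended, Session(lan_pc, True, "example.net")),
        "internet host, anonymous, to external domain ('all except', empty list)":
            accept_rcpt(open_relay, Session(internet_host, False, "example.net")),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}: {why}")
```

The first two scenarios are the point of Ben's answer: with "Only the list below" and an empty list, an anonymous outside host cannot relay to anyone else's domain, but mail addressed to your own users is still accepted because that is delivery, not relaying. The last scenario is why the empty list must not be paired with "All except the list below".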
It serves to limit anonymous relay access to "only the list below".  If it 
is blank, then no computers will be able to anonymously relay.  Exchange 
doesn't relay mail off itself, so it doesn't need to be in there.  Since you 
have to make a choice (only the list below, or all except the list below), 
the best choice is "only the list below".

-- 
Ben Winzenz
Exchange MVP
MessageOne


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
> Hey Ben,
> I'm glad I found you and you were able to chime in. I guess at this point 
> this information is more for my interest and knowledge than Markus, but he 
> did start the thread. I'm a bit confused at what you just wrote.
>
> "Unless you have a specific internal app that needs to relay, this list 
> should be blank.  The internal IP of your Exchange server should NOT be in 
> that list.  It should also be set at the default setting of "Only the list 
> below".
>
> You're telling me here my Exchange server's internal IP should not be listed, 
> yet you then tell me that I need to set it to "Only the list below".
> My question is, if there is nothing in the list, what purpose does this 
> serve?
>
>
>>>>>>>>
>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>
>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>> your password
>>>>>>>>
>>>>>>>> Here is the header info from one of those:
>>>>>>>>
>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>
>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the 
>>>>>>>> legit IP address of the server here...*****************
>>>>>>>>
>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>
>>>>>>>> From: administrator@mydomain.com
>>>>>>>>
>>>>>>>> To: real user@mydomain.com
>>>>>>>>
>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>
>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>
>>>>>>>> MIME-Version: 1.0
>>>>>>>>
>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>
>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>
>>>>>>>> X-Priority: 3
>>>>>>>>
>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>
>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>
>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>
>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>
>>>>>>>> Content-Type: text/html;
>>>>>>>>
>>>>>>>> charset="ISO-8859-1"
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>
>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>
>>>>>>>> name="new-password.zip"
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>
>>>>>>>> Content-Disposition: attachment;
>>>>>>>>
>>>>>>>> filename="new-password.zip"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>>>> server...?
>>>>>>>>
>>>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>>>> that coming from... I'm so confused......
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>> good results blocking the ISP IP which is usually foreign and does 
>>>>>>>>> not affect legitimate emails. Also you may want to turn off Relay 
>>>>>>>>> in case they are relaying through your SMTP. Do you use the IMF 
>>>>>>>>> Companion? You may want to turn on Performance Counters for IMF so 
>>>>>>>>> you can determine the correct SCL level you need to apply. Also 
>>>>>>>>> using RBL's is a good thing to do also.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>> these emails coming from?
>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users too..
>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>> on...........who or what is sending these mails. Is it internal 
>>>>>>>>>> or external?
>>>>>>>>>>
>>>>>>>>>> thanks
>>>>>>>>>> .
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password has 
>>>>>>>>>>> been updated or account suspended..which is the virus package I 
>>>>>>>>>>> think)
>>>>>>>>>>> or from
>>>>>>>>>>>
>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>>>> server.
>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>> ..I did a google on 'your password has been updated" that led me 
>>>>>>>>>>> to MyDoom......
>>>>>>>>>>>
>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>
>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>
>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
Ben
6/15/2005 5:20:10 PM
This is getting better and better. In my case we are a SBS 2003 and Exchange 
2003 environment. We host our own SMTP server and use OWA. We have remote 
clients who have three alternatives on how they can access email at home. 1. 
OWA. 2. Outlook as a Citrix Published Application and 3. Remote connect to 
our Citrix server desktop and use Outlook from the desktop.
So I should have "Only the listed below" with no servers listed.
and should not have the "Allow all computers which successfully authenticate 
to relay, regardless of the list above" checked? I do not want to have open 
relay enabled as I do not think I have a need for it. Thanks again Ben.

"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
> It serves to limit anonymous relay access to "only the list below".  If it 
> is blank, then no computers will be able to anonymously relay.  Exchange 
> doesn't relay mail off itself, so it doesn't need to be in there.  Since 
> you have to make a choice (only the list below, or all except the list 
> below), the best choice is "only the list below".
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>> Hey Ben,
>> I'm glad I found you and you were able to chime in. I guess at this point 
>> this information is more for my interest and knowledge than Marcus but he 
>> did start the thread. I'm a bit confused at what you just wrote.
>>
>> "Unless you have a specific internal app that needs to relay, this list 
>> should be blank.  The internal IP of your Exchange server should NOT be 
>> in that list.  It should also be set at the default setting of "Only the 
>> list below".
>>
>> You're telling me here my Exchange server's internal IP should not be 
>> listed, yet you then tell me that I need to set it to "Only the list 
>> below".
>> My question is if there is nothing in the list what purpose does this 
>> serve?
>>
>>
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>> "Select which computers may relay through this VS" sets which "other" 
>>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>>> Exchange server.  Unless you have a specific internal app that needs to 
>>> relay, this list should be blank.  The internal IP of your Exchange 
>>> server should NOT be in that list.  It should also be set at the default 
>>> setting of "Only the list below".
>>>
>>> "allow all computers which authenticate" is specifically for clients 
>>> such as IMAP or POP3 users that must send e-mail using your server.  It 
>>> further dictates that they MUST authenticate before being allowed to 
>>> relay the messages.  This does not deal with anonymous smtp sessions 
>>> (such as mail from other e-mail servers).  Outlook clients in MAPI mode 
>>> do not relay messages, so this only needs to be checked if you have IMAP 
>>> or POP3 clients. How clients can authenticate are determined by the 
>>> settings under the authentication section.  I doubt that a virus would 
>>> be able to initiate an authenticated SMTP session.
>>>
>>> As far as where the messages are coming from, you need to look at the 
>>> headers of one of the actual messages.  If the headers from that message 
>>> indicate that it is internal, then you likely have an infected machine 
>>> on your network.  If they are all destined for local addresses (even if 
>>> they are invalid users), then there is no issue with relaying.  Relaying 
>>> would only be an issue if the messages are being sent to external 
>>> addresses.
>>>
>>> Hope this helps.
>>>
>>> -- 
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>> This may be a bit above and beyond as to how well I can explain it so 
>>>> do not write this in stone. Here's my interpretation.
>>>> "Select which computer may relay through this virtual server" By 
>>>> selecting this we are saying that only email that passes through this 
>>>> email server may send outside.
>>>> "Allow all computers which successfully authenticate to relay, 
>>>> regardless of the list above". What this is saying is that anyone can 
>>>> go through this SMTP relay without passing through the server above. 
>>>> Which means they can send an email from another mail server.
>>>> So we only want email from our mail server to pass through our SMTP 
>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>> email from our Exchange server. Hope that makes sense and my 
>>>> interpretation is also correct. I do think it is because I was also 
>>>> getting those type of password confirmations like you are and since I 
>>>> closed the open relay it has not happened since. Maybe we can get 
>>>> someone else or an MVP to chime in and clarify this. If you do find it 
>>>> to be incorrect or find a better explanation I'd like to hear about 
>>>> it. Good luck.
>>>>
>>>> "markus" <mark@nospam.com> wrote in message 
>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>> authenticate to
>>>>> relay', and put in the IP address of the server only...
>>>>> but a question..... outside users would not be 'authenticated' users 
>>>>> would they?  By authenticated, they mean logged onto the network?
>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>> anyway....
>>>>> or............
>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>> actually doing the relaying...  if he had for instance, mydoom, which 
>>>>> adds an SMTP server, infecting his remote PC... and then logged onto 
>>>>> the network thru TS...  could that be then relaying  thru exchange...?
>>>>> ..sounds logical to me..  what you think?
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>> authenticate to relay,
>>>>>> regardless of the list above" This is what is allowing outside users 
>>>>>> to use your SMTP relay.
>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>> so.
>>>>>>
>>>>>>
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>> Could you elaborate a bit please...
>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>> checked and
>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>> relay, regardless of the list above'
>>>>>>>
>>>>>>> is this not right??
>>>>>>> There is a terminal server on this network... could that be involved 
>>>>>>> in this relay someway?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>> Looks like someone is using your SMTP virtual server for relaying. 
>>>>>>>> You need to turn that off unless you have a specific reason to have 
>>>>>>>> it on. You should only "allow" the internal IP address of your mail 
>>>>>>>> server to use relay on this server.
>>>>>>>>
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>> Ok...
>>>>>>>>>
>>>>>>>>> this is what I'm not understanding. There are basically 2 types of 
>>>>>>>>> email that concern me.
>>>>>>>>>
>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email to:
>>>>>>>>>
>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>
>>>>>>>>> *******This is the header from one of those
>>>>>>>>>
>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>
>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>
>>>>>>>>> To: user@mydomain.com
>>>>>>>>>
>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>
>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>
>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>
>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>
>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>
>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>
>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>
>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>
>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>
>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>
>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>>>>
>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>
>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>> EXIST.************************
>>>>>>>>>
>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>> EITHER*******
>>>>>>>>>
>>>>>>>>> ****Ok, the mail was undeliverable because josh does not exist... 
>>>>>>>>> but where is the sender (info@mydomain.com) coming from?
>>>>>>>>>
>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>
>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>
>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>
>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>
>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>
>>>>>>>>> X-Priority: 3
>>>>>>>>>
>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>
>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>
>>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>
>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>
>>>>>>>>> Content-Type: text/html;
>>>>>>>>>
>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>
>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>
>>>>>>>>> name="email-password.zip"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>
>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>
>>>>>>>>> filename="email-password.zip"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>
>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>> mean that he is sending it?... but he's not. Does that mean that 
>>>>>>>>> the virus is on his PC?? But I've scanned for it several times and 
>>>>>>>>> not found it at all, ever...
>>>>>>>>>
>>>>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>>>>> somehow? is his PC sending them out somehow? I don't know where to 
>>>>>>>>> begin to figure this out......
>>>>>>>>>
>>>>>>>>> ********************************************************************************
>>>>>>>>>
>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>
>>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>>> your password
>>>>>>>>>
>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>
>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>
>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by EXCHANGE.mydomain.local 
>>>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830); ****where x.x.x. is the 
>>>>>>>>> legit IP address of the server here...*****************
>>>>>>>>>
>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>
>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>
>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>
>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>
>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>
>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>
>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>
>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>
>>>>>>>>> X-Priority: 3
>>>>>>>>>
>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>
>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>
>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>
>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>
>>>>>>>>> Content-Type: text/html;
>>>>>>>>>
>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>
>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>
>>>>>>>>> name="new-password.zip"
>>>>>>>>>
>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>
>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>
>>>>>>>>> filename="new-password.zip"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> So... block what address?? it says the email is coming from my own 
>>>>>>>>> server...?
>>>>>>>>>
>>>>>>>>> Plus, what about the system administrator returned email? where is 
>>>>>>>>> that coming from... I'm so confused......
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>> does not affect legitimate emails. Also you may want to turn off 
>>>>>>>>>> Relay in case they are relaying through your SMTP. Do you use the 
>>>>>>>>>> IMF Companion? You may want to turn on Performance Counters for 
>>>>>>>>>> IMF so you can determine the correct SCL level you need to apply. 
>>>>>>>>>> Also using RBL's is a good thing to do also.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>>> these emails coming from?
>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users 
>>>>>>>>>>> too..
>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>> on...........who or what is sending these mails. Is it internal 
>>>>>>>>>>> or external?
>>>>>>>>>>>
>>>>>>>>>>> thanks
>>>>>>>>>>> .
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are being 
>>>>>>>>>>>> constantly hit with emails that are from either:
>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>> package I think)
>>>>>>>>>>>> or from
>>>>>>>>>>>>
>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I have antivirus software running on all systems, including the 
>>>>>>>>>>>> server.
>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>>> ..I did a google on 'your password has been updated" that led 
>>>>>>>>>>>> me to MyDoom......
>>>>>>>>>>>>
>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>
>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>
>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/15/2005 5:36:07 PM
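Ben's advice above, to read the headers of an actual message and decide whether it entered Exchange from inside or outside, as an added Python example that is not code from the thread. The server IP 203.0.113.10, the mydomain.com names and the two sample messages are constructed stand-ins for the x.x.x.x and the header blocks quoted above; a multipart/report bounce is unwrapped to its embedded original, since the outer bounce is generated locally by Exchange and carries no Received: line of its own.

```python
"""Header triage for "where are these mails coming from?": follow the Received:
chain of a message (or of the original embedded in a bounce) to its first hop."""
import email
import email.utils
import ipaddress
import re

OWN_DOMAIN = "mydomain.com"
# Constructed stand-in for the x.x.x.x "legit IP address of my server" in the thread.
OWN_SERVER_IPS = {"203.0.113.10"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# "Received: from <helo> ([<ip>]) by <host> ..." as Exchange 2003 writes it;
# a folded header value contains newlines, hence re.S.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?.*?\bby\s+(\S+)", re.S)


def classify_ip(ip_text):
    """own-server, internal (RFC 1918 or loopback) or external."""
    if ip_text in OWN_SERVER_IPS:
        return "own-server"
    ip = ipaddress.ip_address(ip_text)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def received_chain(msg):
    """Hops in transit order: every server prepends its own Received: line,
    so the header list is reversed to put the first hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops


def effective_message(msg):
    """For a DSN (multipart/report) the headers that matter are those of the
    embedded original, not of the bounce Exchange generated locally."""
    if msg.get_content_type() == "multipart/report":
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0), True
    return msg, False


def triage(raw):
    """Origin of the message plus the findings a defender would act on."""
    msg, is_bounce = effective_message(email.message_from_string(raw))
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    hops = received_chain(msg)
    origin_ip = hops[0]["ip"] if hops else None
    origin = classify_ip(origin_ip) if origin_ip else "none"
    findings = []
    if is_bounce:
        findings.append("bounce of mail the recipient never sent: embedded From: forged")
    if origin == "none":
        findings.append("no Received: header: generated locally by Exchange")
    elif origin in ("own-server", "internal"):
        findings.append(f"handed to Exchange over SMTP from {origin_ip} ({origin}): "
                        "look for the infected host or process behind that address")
    elif sender.endswith("@" + OWN_DOMAIN):
        findings.append(f"external host {origin_ip} forged a local sender: filter that IP")
    return {"is_bounce": is_bounce, "sender": sender, "origin_ip": origin_ip,
            "origin": origin, "hops": hops, "findings": findings}


# Constructed samples shaped like the two header blocks quoted in the thread.
PASSWORD_MAIL = """\
Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local
\t with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: user@mydomain.com
Subject: You have successfully updated your password
"""

BOUNCE_MAIL = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: message/delivery-status

Action: failed
--dsn
Content-Type: message/rfc822

Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local
\t with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password

(body omitted)
--dsn--
"""
```

Run `triage(BOUNCE_MAIL)` and `triage(PASSWORD_MAIL)`: both resolve to the server's own address as the first hop, which is the thread's clue that the sender shown in From: is not where the mail is being injected.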
Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need to 
allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
services disabled by default, so you'd know if you had enabled them.

-- 
Ben Winzenz
Exchange MVP
MessageOne


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
> This is getting better and better. In my case we are a SBS 2003 and 
> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
> have remote clients who have three alternatives on how they can access 
> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 3. 
> Remote connect to our Citrix server desktop and use Outlook from the 
> desktop.
> So I should have "Only the listed below" with no servers listed.
> and should not have the "Allow all computers which successfully 
> authenticate to relay, regardless of the list above" checked? I do not 
> want to have open relay enabled as I do not think I have a need for it. 
> Thanks again Ben.
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>> It serves to limit anonymous relay access to "only the list below".  If 
>> it is blank, then no computers will be able to anonymously relay. 
>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>> there.  Since you have to make a choice (only the list below, or all 
>> except the list below), the best choice is "only the list below".
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>> Hey Ben,
>>> I'm glad I found you and you were able to chime in. I guess at this 
>>> point this information is more for my interest and knowledge than Marcus 
>>> but he did start the thread. I'm a bit confused at what you just wrote.
>>>
>>> "Unless you have a specific internal app that needs to relay, this list 
>>> should be blank.  The internal IP of your Exchange server should NOT be 
>>> in that list.  It should also be set at the default setting of "Only the 
>>> list below".
>>>
>>> You're telling me here my Exchange server's internal IP should not be 
>>> listed, yet you then tell me that I need to set it to "Only the list 
>>> below".
>>> My question is if there is nothing in the list what purpose does this 
>>> serve?
>>>
>>>
>>>
>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>> "Select which computers may relay through this VS" sets which "other" 
>>>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>>>> Exchange server.  Unless you have a specific internal app that needs to 
>>>> relay, this list should be blank.  The internal IP of your Exchange 
>>>> server should NOT be in that list.  It should also be set at the 
>>>> default setting of "Only the list below".
>>>>
>>>> "allow all computers which authenticate" is specifically for clients 
>>>> such as IMAP or POP3 users that must send e-mail using your server.  It 
>>>> further dictates that they MUST authenticate before being allowed to 
>>>> relay the messages.  This does not deal with anonymous smtp sessions 
>>>> (such as mail from other e-mail servers).  Outlook clients in MAPI mode 
>>>> do not relay messages, so this only needs to be checked if you have 
>>>> IMAP or POP3 clients. How clients can authenticate are determined by 
>>>> the settings under the authentication section.  I doubt that a virus 
>>>> would be able to initiate an authenticated SMTP session.
>>>>
>>>> As far as where the messages are coming from, you need to look at the 
>>>> headers of one of the actual messages.  If the headers from that 
>>>> message indicate that it is internal, then you likely have an infected 
>>>> machine on your network.  If they are all destined for local addresses 
>>>> (even if they are invalid users), then there is no issue with relaying. 
>>>> Relaying would only be an issue if the messages are being sent to 
>>>> external addresses.
>>>>
>>>> Hope this helps.
>>>>
>>>> -- 
>>>> Ben Winzenz
>>>> Exchange MVP
>>>> MessageOne
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>> This may be a bit above and beyond as to how well I can explain it so 
>>>>> do not write this in stone. Here's my interpretation.
>>>>> "Select which computer may relay through this virtual server" By 
>>>>> selecting this we are saying that only email that passes through this 
>>>>> email server may send outside.
>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>> regardless of the list above". What this is saying is that anyone can 
>>>>> go through this SMTP relay without passing through the server above. 
>>>>> Which means they can send an email from another mail server.
>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>>> email from our Exchange server. Hope that makes sense and my 
>>>>> interpretation is also correct. I do think it is because I was also 
>>>>> getting those type of password confirmations like you are and since I 
>>>>> closed the open relay it has not happened since. Maybe we can get 
>>>>> someone else or an MVP to chime in and clarify this. If you do find it 
>>>>> to be incorrect or find a better explanation I'd like to hear about 
>>>>> it. Good luck.
>>>>>
>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>>> authenticate to
>>>>>> relay', and put in the IP address of the server only...
>>>>>> but a question..... outside users would not be 'authenticated' users 
>>>>>> would they?  By authenticated, they mean logged onto the network?
>>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>>> anyway....
>>>>>> or............
>>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>>> actually doing the relaying...  if he had for instance, mydoom, which 
>>>>>> adds an SMTP server, infecting his remote PC... and then logged onto 
>>>>>> the network thru TS...  could that be then relaying  thru 
>>>>>> exchange...?
>>>>>> ..sounds logical to me..  what you think?
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>>> authenticate to relay,
>>>>>>> regardless of the list above" This is what is allowing outside users 
>>>>>>> to use your SMTP relay.
>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>>> so.
>>>>>>>
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>> Could you elaborate a bit please...
>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>>> checked and
>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>> relay, regardless of the list above'
>>>>>>>>
>>>>>>>> is this not right??
>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>> involved in this relay someway?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>> Looks like someone is using your SMTP virtual server for relaying. 
>>>>>>>>> You need to turn that off unless you have a specific reason to 
>>>>>>>>> have it on. You should only "allow" the internal IP address of 
>>>>>>>>> your mail server to use relay on this server.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>> Ok...
>>>>>>>>>>
>>>>>>>>>> this is what I'm not understanding. There are basically 2 types 
>>>>>>>>>> of email that concern me.
>>>>>>>>>>
>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email to:
>>>>>>>>>>
>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>
>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>
>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>
>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>
>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>
>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>
>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>
>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>
>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>
>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>
>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>
>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>
>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>
>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>
>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>>> SMTPSVC(6.0.3790.1830);
>>>>>>>>>>
>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>
>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>> EXIST.************************
>>>>>>>>>>
>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>> EITHER*******
>>>>>>>>>>
>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not exist... 
>>>>>>>>>> but where is the sender (info@mydomain.com) coming from?
>>>>>>>>>>
>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>
>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>
>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>
>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>
>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>
>>>>>>>>>> X-Priority: 3
>>>>>>>>>>
>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>
>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>
>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>
>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>
>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>
>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>
>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>
>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>
>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>
>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean that 
>>>>>>>>>> the virus is on his PC?? But I've scanned for it several times 
>>>>>>>>>> and not found it at all, ever...
>>>>>>>>>>
>>>>>>>>>> Where are these mails coming from? Is the server sending them out 
>>>>>>>>>> somehow? is his PC sending them out somehow? I don't know where 
>>>>>>>>>> to begin to figure this out......
>>>>>>>>>>
>>>>>>>>>> ********************************************************************************
>>>>>>>>>>
>>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>>
>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>>>> your password
>>>>>>>>>>
>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>
>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>
>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>> ****where x.x.x. is the legit IP address of the server 
>>>>>>>>>> here...*****************
>>>>>>>>>>
>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>
>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>
>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>
>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>
>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>
>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>
>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>
>>>>>>>>>> X-Priority: 3
>>>>>>>>>>
>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>
>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>
>>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>
>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>
>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>
>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>
>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>
>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>
>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>
>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>
>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>> own server...?
>>>>>>>>>>
>>>>>>>>>> Plus, what about the system administrator returned email? where 
>>>>>>>>>> is that coming from... I'm so confused......
>>>>>>>>>>
>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>> You can view the originator through the Message Header. Open the 
>>>>>>>>>>> email and click on View/Options. You can block the IP and 
>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>>> does not affect legitimate emails. Also you may want to turn off 
>>>>>>>>>>> Relay in case they are relaying through your SMTP. Do you use 
>>>>>>>>>>> the IMF Companion? You may want to turn on Performance Counters 
>>>>>>>>>>> for IMF so you can determine the correct SCL level you need to 
>>>>>>>>>>> apply. Also using RBL's is a good thing to do also.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>>>> these emails coming from?
>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>> many are for users that do not exist in the network ......these 
>>>>>>>>>>>> are the 'undeliverable' ones...  but many go to legit users 
>>>>>>>>>>>> too..
>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>> on...........who or what is sending these mails. Is it internal 
>>>>>>>>>>>> or external?
>>>>>>>>>>>>
>>>>>>>>>>>> thanks
>>>>>>>>>>>> .
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>>> package I think)
>>>>>>>>>>>>> or from
>>>>>>>>>>>>>
>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>> the server.
>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>>>> ..I did a google on 'your password has been updated' that led 
>>>>>>>>>>>>> me to MyDoom......
>>>>>>>>>>>>>
>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>
>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>
>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
Ben
6/15/2005 6:04:38 PM
Great. Thanks again Ben. I hope this helps out Marcus also.

"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need to 
> allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
> services disabled by default, so you'd know if you had enabled them.
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>> This is getting better and better. In my case we are a SBS 2003 and 
>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>> have remote clients who have three alternatives on how they can access 
>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 
>> 3. Remote connect to our Citrix server desktop and use Outlook from the 
>> desktop.
>> So I should have "Only the listed below" with no servers listed.
>> and should not have the "Allow all computers which successfully 
>> authenticate to relay, regardless of the list above" checked? I do not 
>> want to have open relay enabled as I do not think I have a need for it. 
>> Thanks again Ben.
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>> It serves to limit anonymous relay access to "only the list below".  If 
>>> it is blank, then no computers will be able to anonymously relay. 
>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>> there.  Since you have to make a choice (only the list below, or all 
>>> except the list below), the best choice is "only the list below".
>>>
>>> -- 
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>> Hey Ben,
>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>> point this information is more for my interest and knowledge than 
>>>> Marcus but he did start the thread. I'm a bit confused at what you just 
>>>> wrote.
>>>>
>>>> "Unless you have a specific internal app that needs to relay, this list 
>>>> should be blank.  The internal IP of your Exchange server should NOT be 
>>>> in that list.  It should also be set at the default setting of "Only 
>>>> the list below".
>>>>
>>>> You're telling me here my exchange server's internal IP should not be 
>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>> below".
>>>> My question is if there is nothing in the list what purpose does this 
>>>> serve?
>>>>
>>>>
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>> "Select which computers may relay through this VS" sets which "other" 
>>>>> computers (hostname or IP) can relay (anonymously) e-mail through your 
>>>>> Exchange server.  Unless you have a specific internal app that needs 
>>>>> to relay, this list should be blank.  The internal IP of your Exchange 
>>>>> server should NOT be in that list.  It should also be set at the 
>>>>> default setting of "Only the list below".
>>>>>
>>>>> "allow all computers which authenticate" is specifically for clients 
>>>>> such as IMAP or POP3 users that must send e-mail using your server. 
>>>>> It further dictates that they MUST authenticate before being allowed 
>>>>> to relay the messages.  This does not deal with anonymous smtp 
>>>>> sessions (such as mail from other e-mail servers).  Outlook clients in 
>>>>> MAPI mode do not relay messages, so this only needs to be checked if 
>>>>> you have IMAP or POP3 clients. How clients can authenticate is 
>>>>> determined by the settings under the authentication section.  I doubt 
>>>>> that a virus would be able to initiate an authenticated SMTP session.
>>>>>
>>>>> As far as where the messages are coming from, you need to look at the 
>>>>> headers of one of the actual messages.  If the headers from that 
>>>>> message indicate that it is internal, then you likely have an infected 
>>>>> machine on your network.  If they are all destined for local addresses 
>>>>> (even if they are invalid users), then there is no issue with 
>>>>> relaying. Relaying would only be an issue if the messages are being 
>>>>> sent to external addresses.
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> -- 
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>> This may be a bit above and beyond as to how well I can explain it so 
>>>>>> do not write this in stone. Here's my interpretation.
>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>> selecting this we are saying that only email that passes through this 
>>>>>> email server may send outside.
>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>> regardless of the list above". What this is saying is that anyone can 
>>>>>> go through this SMTP relay without passing through the server above. 
>>>>>> Which means they can send an email from another mail server.
>>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>>>> email from our Exchange server. Hope that makes sense and my 
>>>>>> interpretation is also correct. I do think it is because I was also 
>>>>>> getting those type of password confirmations like you are and since I 
>>>>>> closed the open relay it has not happened since. Maybe we can get 
>>>>>> someone else or an MVP to chime in and clarify this. If you do find 
>>>>>> it to be incorrect or find a better explanation I'd like to hear 
>>>>>> about it. Good luck.
>>>>>>
>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>>>> authenticate to
>>>>>>> relay', and put in the IP address of the server only...
>>>>>>> but a question..... outside users would not be 'authenticated' users 
>>>>>>> would they?  By authenticated, they mean logged onto the network?
>>>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>>>> anyway....
>>>>>>> or............
>>>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>>>> actually doing the relaying...  if he had for instance, mydoom, 
>>>>>>> which adds an SMTP server, infecting his remote PC... and then 
>>>>>>> logged onto the network thru TS...  could that be then relaying 
>>>>>>> thru exchange...?
>>>>>>> ..sounds logical to me..  what do you think?
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>>>> authenticate to relay,
>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>> users to use your SMTP relay.
>>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>>>> so.
>>>>>>>>
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>>>> checked and
>>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>
>>>>>>>>> is this not right??
>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>> involved in this relay someway?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>> Ok...
>>>>>>>>>>>
>>>>>>>>>>> this is what I'm not understanding. There are basically 2 types 
>>>>>>>>>>> of email that concern me.
>>>>>>>>>>>
>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email 
>>>>>>>>>>> to:
>>>>>>>>>>>
>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>
>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>
>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>
>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>
>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>
>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>
>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>
>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>
>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>
>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit IP 
>>>>>>>>>>> address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>
>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>
>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>
>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>> EITHER*******
>>>>>>>>>>>
>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>> from?
>>>>>>>>>>>
>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>
>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>
>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>
>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>
>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>
>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>
>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Message-ID: 
>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>
>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>
>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>
>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>
>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>
>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>
>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean that 
>>>>>>>>>>> the virus is on his PC?? But I've scanned for it several times 
>>>>>>>>>>> and not found it at all, ever...
>>>>>>>>>>>
>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>
>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>
>>>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>>>
>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully updated 
>>>>>>>>>>> your password
>>>>>>>>>>>
>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>
>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>
>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>>> ****where x.x.x. is the legit IP address of the server 
>>>>>>>>>>> here...*****************
>>>>>>>>>>>
>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>
>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>
>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>
>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>
>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>
>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>
>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>
>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>
>>>>>>>>>>> Message-ID: 
>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>
>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>
>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>
>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>
>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>
>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>
>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>
>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>>> own server...?
>>>>>>>>>>>
>>>>>>>>>>> Plus, what about the system administrator returned email? where 
>>>>>>>>>>> is that coming from... I'm so confused......
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>> the email and click on View/Options. You can block the IP and 
>>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>>>> does not affect legitimate emails. Also you may want to turn 
>>>>>>>>>>>> off Relay in case they are relaying through your SMTP. Do you 
>>>>>>>>>>>> use the IMF Companion? You may want to turn on Performance 
>>>>>>>>>>>> Counters for IMF so you can determine the correct SCL level you 
>>>>>>>>>>>> need to apply. Also using RBL's is a good thing to do also.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>>>>> But I'm really not understanding what is going on..  where are 
>>>>>>>>>>>>> these emails coming from?
>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>
>>>>>>>>>>>>> thanks
>>>>>>>>>>>>> .
>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>>>> package I think)
>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all the 
>>>>>>>>>>>>>> servers and many (not all) of the workstations..
>>>>>>>>>>>>>> ..I did a google on 'your password has been updated' that led 
>>>>>>>>>>>>>> me to MyDoom......
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
allen.miyake (137)
6/15/2005 6:11:08 PM
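The two questions Ben tells Marcus to answer from the headers (did the message enter from inside or outside, and are all recipients local), plus the relay-restriction semantics he explains, as an added example that is not code from the thread or from Exchange. It assumes mydomain.com as the local domain, 192.168.1.0/24 as the LAN, and uses 203.0.113.10 as a constructed stand-in for the "x.x.x.x" server address quoted above.

```python
"""Triage of the bounce storm and relay-restriction semantics from the thread.

Added example, not code from the thread or from Exchange. Assumptions
(all constructed): mydomain.com is the organisation's domain, the LAN is
192.168.1.0/24, and 203.0.113.10 stands in for the "x.x.x.x" server address.
"""
import ipaddress
import re
from email import message_from_string

LOCAL_DOMAINS = {"mydomain.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]
OWN_SERVER_IPS = {"203.0.113.10"}  # constructed stand-in for the server's own IP

# Client part of an Exchange 2003 SMTPSVC "Received:" line, e.g.
# "from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?.*?\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

# Constructed sample modelled on the second header quoted in the thread.
SAMPLE_HEADERS = (
    "Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local"
    " with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\t Tue, 14 Jun 2005 09:07:59 -0400\n"
    "From: administrator@mydomain.com\n"
    "To: realuser@mydomain.com\n"
    "Subject: You have successfully updated your password\n"
    "Date: Tue, 14 Jun 2005 09:07:59 -0400\n"
    "Return-Path: administrator@mydomain.com\n"
    "Message-ID: <constructed-0001@EXCHANGE.mydomain.local>\n"
    "\n"
    "(body omitted)\n")


def received_hops(raw):
    """Return [(client_ip, receiving_host), ...] in header order (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append((m.group("ip"), m.group("by")))
    return hops


def classify_origin(raw):
    """Ben's first question: did the message enter from inside or outside?

    The oldest hop is the one that handed the message to our server. A LAN
    address, loopback, or the server's own address (the thread's case) means
    an internal submitter, i.e. probably an infected host, not a foreign MTA.
    """
    hops = received_hops(raw)
    if not hops:
        return "unknown"
    ip = ipaddress.ip_address(hops[-1][0])
    if str(ip) in OWN_SERVER_IPS or any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def local_recipients_only(raw):
    """Ben's second question: are all recipients in our own domain?"""
    msg = message_from_string(raw)
    addrs = msg.get("To", "") + "," + msg.get("Cc", "")
    domains = re.findall(r"[\w.+-]+@([\w.-]+)", addrs)
    return bool(domains) and all(d.lower() in LOCAL_DOMAINS for d in domains)


def triage(raw):
    """Combine both answers into the conclusion the thread argues for."""
    origin = classify_origin(raw)
    local_only = local_recipients_only(raw)
    if origin == "internal" and local_only:
        return "internal-infection"   # find the sending host; relay settings are not the cause
    if origin == "internal":
        return "internal-outbound"    # same host, but it is also sending outside
    if local_only:
        return "inbound-spam"         # external sender to local users: IMF/RBL territory
    return "open-relay"               # outsider used the server to reach third parties


def relay_allowed(client_ip, authenticated, rcpt_domain, mode, ip_list,
                  allow_authenticated):
    """Semantics of the 'Relay restrictions' dialog as explained in the thread.

    mode is "only_list" or "all_except"; ip_list holds entries such as
    "192.168.1.75/255.255.255.0" or "127.0.0.1". Delivering to a local domain
    is not relaying, so it is always accepted.
    """
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True
    if authenticated and allow_authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in ipaddress.ip_network(e, strict=False) for e in ip_list)
    return listed if mode == "only_list" else not listed
```

Run `triage()` over a saved copy of one of the bounces to get the classification; `relay_allowed()` lets you check a proposed relay list against a given client before changing the virtual server.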
Ok..  but a question..
I have access to another server running SBS2003 (not at all concerned with 
my issue)  but I looked at the setup on it just to see.
On sbs2003, it is all setup by a wizard, the ICW, and the settings as the MS 
wizard set them up are:
only the list below is checked and in that list is:
192.168.1.75 /255.255.255.0    (the ip of the server) and
127.0.0.1

also the check mark for "allow all computers that successfully 
authenticate..." is checked.

Doesn't this indicate that this is the setup that MS recommends?

another question..  again in the default SMTP settings under access control 
/authentication..
'anonymous access'   is checked

Why am I allowing anonymous access? Should I be?


"AllenM" <allen.miyake@gmail.com> wrote in message 
news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
> Great. Thanks again Ben. I hope this helps out Marcus also.
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need 
>> to allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
>> services disabled by default, so you'd know if you had enabled them.
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>> This is getting better and better. In my case we are a SBS 2003 and 
>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>>> have remote clients who have three alternatives on how they can access 
>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 
>>> 3. Remote connect to our Citrix server desktop and use Outlook from the 
>>> desktop.
>>> So I should have "Only the listed below" with no servers listed.
>>> and should not have the "Allow all computers which successfully 
>>> authenticate to relay, regardless of the list above" checked? I do not 
>>> want to have open relay enabled as I do not think I have a need for it. 
>>> Thanks again Ben.
>>>
>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>> It serves to limit anonymous relay access to "only the list below".  If 
>>>> it is blank, then no computers will be able to anonymously relay. 
>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>> there.  Since you have to make a choice (only the list below, or all 
>>>> except the list below), the best choice is "only the list below".
>>>>
>>>> -- 
>>>> Ben Winzenz
>>>> Exchange MVP
>>>> MessageOne
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>> Hey Ben,
>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>> point this information is more for my interest and knowledge than 
>>>>> Marcus but he did start the thread. I'm a bit confused at what you 
>>>>> just wrote.
>>>>>
>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>> list should be blank.  The internal IP of your Exchange server should 
>>>>> NOT be in that list.  It should also be set at the default setting of 
>>>>> "Only the list below".
>>>>>
>>>>> You're telling me here my exchange server's internal IP should not be 
>>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>>> below".
>>>>> My question is if there is nothing in the list what purpose does this 
>>>>> serve?
>>>>>
>>>>>
>>>>>
>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>> "Select which computers may relay through this VS" sets which "other" 
>>>>>> computers (hostname or IP) can relay (anonymously) e-mail through 
>>>>>> your Exchange server.  Unless you have a specific internal app that 
>>>>>> needs to relay, this list should be blank.  The internal IP of your 
>>>>>> Exchange server should NOT be in that list.  It should also be set at 
>>>>>> the default setting of "Only the list below".
>>>>>>
>>>>>> "allow all computers which authenticate" is specifically for clients 
>>>>>> such as IMAP or POP3 users that must send e-mail using your server. 
>>>>>> It further dictates that they MUST authenticate before being allowed 
>>>>>> to relay the messages.  This does not deal with anonymous smtp 
>>>>>> sessions (such as mail from other e-mail servers).  Outlook clients 
>>>>>> in MAPI mode do not relay messages, so this only needs to be checked 
>>>>>> if you have IMAP or POP3 clients. How clients can authenticate are 
>>>>>> determined by the settings under the authentication section.  I doubt 
>>>>>> that a virus would be able to initiate an authenticated SMTP session.
>>>>>>
>>>>>> As far as where the messages are coming from, you need to look at the 
>>>>>> headers of one of the actual messages.  If the headers from that 
>>>>>> message indicate that it is internal, then you likely have an 
>>>>>> infected machine on your network.  If they are all destined for local 
>>>>>> addresses (even if they are invalid users), then there is no issue 
>>>>>> with relaying. Relaying would only be an issue if the messages are 
>>>>>> being sent to external addresses.
>>>>>>
>>>>>> Hope this helps.
>>>>>>
>>>>>> -- 
>>>>>> Ben Winzenz
>>>>>> Exchange MVP
>>>>>> MessageOne
>>>>>>
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>> This may be a bit above and beyond as to how well I can explain it 
>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>> this email server may send outside.
>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>> above. Which means they can send an email from another mail server.
>>>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not send 
>>>>>>> email from our Exchange server. Hope that makes sense and my 
>>>>>>> interpretation is also correct. I do think it is because I was also 
>>>>>>> getting those type of password confirmations like you are and since 
>>>>>>> I closed the open relay it has not happened since. Maybe we can get 
>>>>>>> someone else or an MVP to chime in and clarify this. If you do find 
>>>>>>> it to be incorrect or find a better explanation I'd like to hear 
>>>>>>> about it. Good luck.
>>>>>>>
>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>> OK, I've unchecked 'Allow all computers which successfully 
>>>>>>>> authenticate to
>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>> network?
>>>>>>>> Why not  allow authenticated users to relay if they are all inhouse 
>>>>>>>> anyway....
>>>>>>>> or............
>>>>>>>> could it be that a remote user, logging on thru terminal server, is 
>>>>>>>> actually doing the relaying...  if he had for instance, mydoom, 
>>>>>>>> which adds an SMTP server, infecting his remote PC... and then 
>>>>>>>> logged onto the network thru TS...  could that be then relaying 
>>>>>>>> thru exchange...?
>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>> you need to uncheck 'Allow all computers which successfully 
>>>>>>>>> authenticate to relay,
>>>>>>>>> regardless of the list above'. This is what is allowing outside 
>>>>>>>>> users to use your SMTP relay.
>>>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>>>> server. Give it a try and of course monitor it over the next day or 
>>>>>>>>> so.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the list) 
>>>>>>>>>> checked and
>>>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>>
>>>>>>>>>> is this not right??
>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> Ok...
>>>>>>>>>>>>
>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 types 
>>>>>>>>>>>> of email that concern me.
>>>>>>>>>>>>
>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email 
>>>>>>>>>>>> to:
>>>>>>>>>>>>
>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>
>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>
>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>
>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>
>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>
>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>
>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>
>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>
>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit 
>>>>>>>>>>>> IP address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>
>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>
>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>
>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>> from?
>>>>>>>>>>>>
>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>
>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>
>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>
>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>
>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>
>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>
>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>
>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>
>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>
>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>
>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean 
>>>>>>>>>>>> that the virus is on his PC?? But I've scanned for it several 
>>>>>>>>>>>> times and not found it at all, ever...
>>>>>>>>>>>>
>>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>
>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>
>>>>>>>>>>>> The other type of email he will receive is from, for instance,
>>>>>>>>>>>>
>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>> updated your password
>>>>>>>>>>>>
>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>
>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>
>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>>>> ****where x.x.x. is the legit IP address of the server 
>>>>>>>>>>>> here...*****************
>>>>>>>>>>>>
>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>
>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>
>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>
>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>
>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>
>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>
>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>
>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>
>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>
>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>
>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>
>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>>>> own server...?
>>>>>>>>>>>>
>>>>>>>>>>>> Plus, what about the system administrator returned email? where 
>>>>>>>>>>>> is that coming from... Im so confused......
>>>>>>>>>>>>
>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>>> the email and click on View/Options. You can block the IP and 
>>>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>>>> spammers are always constantly changing them. However I've had 
>>>>>>>>>>>>> good results blocking the ISP IP which is usually foreign and 
>>>>>>>>>>>>> does not affect legitimate emails. Also you may want to turn 
>>>>>>>>>>>>> off Relay in case they are relaying through your SMTP. Do you 
>>>>>>>>>>>>> use the IMF Companion? You may want to turn on Performance 
>>>>>>>>>>>>> Counters for IMF so you can determine the correct SCL level 
>>>>>>>>>>>>> you need to apply. Also using RBL's is a good thing to do 
>>>>>>>>>>>>> also.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>>>filter so am sorta limited..
>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>> .
>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal (password 
>>>>>>>>>>>>>>> has been updated or account suspended..which is the virus 
>>>>>>>>>>>>>>> package I think)
>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully updated 
>>>>>>>>>>>>>>> your password (this is the virus package)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 


0
mark7111 (54)
6/15/2005 10:23:30 PM
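Ben's advice in the quoted replies above is to read the headers of one of the actual messages: if the first Received hop is internal (or the server's own address) the sender is on your own network, and if every recipient is a local address then relaying is not what is being abused. The script below is an added example of doing that check on a saved bounce; it is not code from this thread or from Microsoft. It parses the DSN, pulls the bounced original out of the message/rfc822 part, walks its Received chain oldest-first, and classifies the first hop against a set of your own addresses and the RFC 1918 ranges. The sample DSN is constructed to mirror the one posted: 192.0.2.10 stands in for the redacted x.x.x.x and mydomain.com for the local domain, both assumptions.

```python
"""Walk an Exchange 2003 DSN (bounce) and report where the bounced
message entered the server and whether relaying was involved.  Added
example, not code from the thread; the sample DSN is constructed to
mirror the headers posted above, with 192.0.2.10 standing in for the
redacted x.x.x.x server address (an assumption)."""
import email
import ipaddress
import re
from email.message import Message
from email.utils import getaddresses

SAMPLE_DSN = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain."

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.
Content-Type: message/rfc822

Received: from mydomain.com ([192.0.2.10]) by EXCHANGE.mydomain.local with
 Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Return-Path: info@mydomain.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008"

------=_NextPart_000_0008
Content-Type: text/html; charset="ISO-8859-1"

<html>Your new password is attached.</html>
------=_NextPart_000_0008
Content-Type: application/octet-stream; name="email-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="email-password.zip"

UEsDBAo=
------=_NextPart_000_0008--

--9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 plus loopback (ipaddress's is_private would also flag the
# documentation ranges used for the placeholder addresses here).
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def original_message(dsn: Message) -> Message:
    """Return the bounced original carried in the DSN's message/rfc822 part."""
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    raise ValueError("DSN carries no message/rfc822 part")


def received_hops(msg: Message) -> list:
    """Received headers oldest-first as (ip, unfolded text): every MTA
    prepends its own Received, so the last header is the first hop."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())
        match = IP_RE.search(text)
        hops.append((match.group(1) if match else None, text))
    return hops


def classify_ip(ip, own_addresses: set) -> str:
    """own-server: the connection came from one of our own addresses, so
    something on (or NATed behind) the server injected it; internal: an
    RFC 1918 LAN host, i.e. look for an infected PC; external: another
    mail server on the Internet."""
    if ip is None:
        return "unknown"
    if ip in own_addresses:
        return "own-server"
    if any(ipaddress.ip_address(ip) in net for net in LAN_RANGES):
        return "internal"
    return "external"


def analyse_dsn(raw: str, own_addresses: set, local_domains: set) -> dict:
    """First-hop origin, envelope sender, attachments, and whether every
    recipient is local (if so, relaying is not what is being abused)."""
    inner = original_message(email.message_from_string(raw))
    hops = received_hops(inner)
    first_ip = hops[0][0] if hops else None
    rcpts = [addr for _, addr in
             getaddresses(inner.get_all("To", []) + inner.get_all("Cc", []))]
    return {
        "first_hop_ip": first_ip,
        "origin": classify_ip(first_ip, own_addresses),
        "return_path": inner.get("Return-Path"),
        "recipients": rcpts,
        "relay_involved": not all(a.rpartition("@")[2].lower() in local_domains
                                  for a in rcpts),
        "attachments": [p.get_filename() for p in inner.walk() if p.get_filename()],
    }
```

Save one of the bounces as raw source (Outlook's View / Options shows only the headers, so export the message as .eml or pull it from the store with a script) and call analyse_dsn(raw, {your server's addresses}, {the domains you accept mail for}). On the headers posted above the result is origin "own-server" with a single hop and relay_involved False: no outside MTA handed the message in and the recipients are local, so the relay settings are not where to look; an infected host on the LAN, or behind the same address as the server, is.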
I'm not sure why the ICW adds those settings under the relay restrictions - 
that may be better asked in the SBS newsgroups.  I know it isn't the default 
for regular Exchange (Standard or Enterprise), so it may be specific to SBS. 
As far as the authenticated relay, it is indeed on by default.  My 
recommendation was that if you do not support any IMAP or POP3 clients it 
should be disabled (unchecked).

As far as your second question about Anonymous access, you have to leave it 
on.  That controls how other mail servers are able to connect to you and 
send mail to you.  If you disable anonymous, you'll find that you stop 
receiving e-mail  :-)  SMTP conversations (unless specifically set up 
otherwise) are all anonymous.  When you send an e-mail to another domain, 
your server does the same thing (establishes an anonymous session).

-- 
Ben Winzenz
Exchange MVP
MessageOne


"markus" <mark@nospam.com> wrote in message 
news:eCuV9ffcFHA.3404@tk2msftngp13.phx.gbl...
> Ok..  but a question..
> I have access to another server running SBS2003 (not at all concerned with 
> my issue)  but I looked at the setup on it just to see.
> On sbs2003, it is all setup by a wizard, the ICW, and the settings as the 
> MS wizard set them up are:
> only the list below is checked and in that list is:
> 192.168.1.75 /255.255.255.0    (the ip of the server) and
> 127.0.0.1
>
> also the check mark for "allow all computers that successfully 
> authenticate..." is checked.
>
> Doesn't this indicate that this is the setup that MS recommends?
>
> another question..  again in the default SMTP settings under access 
> control /authentication..
> 'anonymous access'   is checked
>
> Why am I allowing anonymous access? Should I be?
>
>
> "AllenM" <allen.miyake@gmail.com> wrote in message 
> news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need 
>>> to allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
>>> services disabled by default, so you'd know if you had enabled them.
>>>
>>> -- 
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>>> This is getting better and better. In my case we are a SBS 2003 and 
>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>>>> have remote client who have three alternatives on how they can access 
>>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and 
>>>> 3. Remote connect to our Citrix server desktop and use Outlook from the 
>>>> desktop.
>>>> So I should have "Only the listed below" with no servers listed.
>>>> and should not have the "Allow all computers which successfully 
>>>> authenticate to relay, regardless of the list above" checked? I do not 
>>>> want to have open relay enabled as I do not think I have a need for it. 
>>>> Thanks again Ben.
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>>> It serves to limit anonymous relay access to "only the list below". 
>>>>> If it is blank, then no computers will be able to anonymously relay. 
>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>>> there.  Since you have to make a choice (only the list below, or all 
>>>>> except the list below), the best choice is "only the list below".
>>>>>
>>>>> -- 
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>>> Hey Ben,
>>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>>> point this information is more for my interest and knowledge than 
>>>>>> Marcus, but he did start the thread. I'm a bit confused at what you 
>>>>>> just wrote.
>>>>>>
>>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>>> list should be blank.  The internal IP of your Exchange server should 
>>>>>> NOT be in that list.  It should also be set at the default setting of 
>>>>>> "Only the list below".
>>>>>>
>>>>>> You're telling me here my Exchange server's internal IP should not be 
>>>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>>>> below".
>>>>>> My question is if there is nothing in the list what purpose does this 
>>>>>> serve?
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>>> "Select which computers may relay through this VS" sets which 
>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail 
>>>>>>> through your Exchange server.  Unless you have a specific internal 
>>>>>>> app that needs to relay, this list should be blank.  The internal IP 
>>>>>>> of your Exchange server should NOT be in that list.  It should also 
>>>>>>> be set at the default setting of "Only the list below".
>>>>>>>
>>>>>>> "allow all computers which authenticate" is specifically for clients 
>>>>>>> such as IMAP or POP3 users that must send e-mail using your server. 
>>>>>>> It further dictates that they MUST authenticate before being allowed 
>>>>>>> to relay the messages.  This does not deal with anonymous smtp 
>>>>>>> sessions (such as mail from other e-mail servers).  Outlook clients 
>>>>>>> in MAPI mode do not relay messages, so this only needs to be checked 
>>>>>>> if you have IMAP or POP3 clients. How clients can authenticate are 
>>>>>>> determined by the settings under the authentication section.  I 
>>>>>>> doubt that a virus would be able to initiate an authenticated SMTP 
>>>>>>> session.
>>>>>>>
>>>>>>> As far as where the messages are coming from, you need to look at 
>>>>>>> the headers of one of the actual messages.  If the headers from that 
>>>>>>> message indicate that it is internal, then you likely have an 
>>>>>>> infected machine on your network.  If they are all destined for 
>>>>>>> local addresses (even if they are invalid users), then there is no 
>>>>>>> issue with relaying. Relaying would only be an issue if the messages 
>>>>>>> are being sent to external addresses.
>>>>>>>
>>>>>>> Hope this helps.
>>>>>>>
>>>>>>> -- 
>>>>>>> Ben Winzenz
>>>>>>> Exchange MVP
>>>>>>> MessageOne
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>>> This may be a bit above and beyond as to how well I can explain it 
>>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>>> this email server may send outside.
>>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>>> above. Which means they can send an email from another mail server.
>>>>>>>> So we only want email from our mail server to pass through our SMTP 
>>>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not 
>>>>>>>> send email from our Exchange server. Hope that makes sense and my 
>>>>>>>> interpretation is also correct. I do think it is because I was also 
>>>>>>>> getting those type of password confirmations like you are and since 
>>>>>>>> I closed the open relay it has not happened since. Maybe we can get 
>>>>>>>> someone else or an MVP to chime in and clarify this. If you do find 
>>>>>>>> it to be incorrect or find a better explanation I'd like to hear 
>>>>>>>> about it. Good luck.
>>>>>>>>
>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>> OK, I've unchecked 'Allow all computers which successfully 
>>>>>>>>> authenticate to
>>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>>> network?
>>>>>>>>> Why not  allow authenticated users to relay if they are all 
>>>>>>>>> inhouse anyway....
>>>>>>>>> or............
>>>>>>>>> could it be that a remote user, logging on thru terminal server, 
>>>>>>>>> is actually doing the relaying...  if he had for instance, mydoom, 
>>>>>>>>> which adds an SMTP server, infecting his remote PC... and then 
>>>>>>>>> logged onto the network thru TS...  could that be then relaying 
>>>>>>>>> thru exchange...?
>>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>> you need to uncheck 'Allow all computers which successfully 
>>>>>>>>>> authenticate to relay,
>>>>>>>>>> regardless of the list above'. This is what is allowing outside 
>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>> Otherwise the listed server above does no good. We want "Only the 
>>>>>>>>>> listed below" which should be the internal IP of your Exchange 
>>>>>>>>>> server. Give it a try and of course monitor it over the next day 
>>>>>>>>>> or so.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the 
>>>>>>>>>>> list) checked and
>>>>>>>>>>> checked - 'Allow all computers which successfully authenticate to 
>>>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>>>
>>>>>>>>>>> is this not right??
>>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>
>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 
>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>
>>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email 
>>>>>>>>>>>>> to:
>>>>>>>>>>>>>
>>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>
>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit 
>>>>>>>>>>>>> IP address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>>
>>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>>> from?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>
>>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>
>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>
>>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>
>>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not 
>>>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean 
>>>>>>>>>>>>> that the virus is on his PC?? But I've scanned for it several 
>>>>>>>>>>>>> times and not found it at all, ever...
>>>>>>>>>>>>>
>>>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>>
>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>
>>>>>>>>>>>>> The other type of email he will receive is from, for 
>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830); 
>>>>>>>>>>>>> ****where x.x.x.x is the legit IP address of the server 
>>>>>>>>>>>>> here...*****************
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>
>>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>
>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>
>>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>
>>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> So... block what address?? it says the email is coming from my 
>>>>>>>>>>>>> own server...?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Plus, what about the system administrator returned email? 
>>>>>>>>>>>>> where is that coming from... I'm so confused......
>>>>>>>>>>>>>
>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>>>> the email and click on View/Options. You can block the IP and 
>>>>>>>>>>>>>> originating domain which may or may not do you any good as 
>>>>>>>>>>>>>> spammers are always constantly changing them. However I've 
>>>>>>>>>>>>>> had good results blocking the ISP IP which is usually foreign 
>>>>>>>>>>>>>> and does not affect legitimate emails. Also you may want to 
>>>>>>>>>>>>>> turn off Relay in case they are relaying through your SMTP. 
>>>>>>>>>>>>>> Do you use the IMF Companion? You may want to turn on 
>>>>>>>>>>>>>> Performance Counters for IMF so you can determine the correct 
>>>>>>>>>>>>>> SCL level you need to apply. Also using RBL's is a good thing 
>>>>>>>>>>>>>> to do also.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the IMF 
>>>>>>>>>>>>>>>filter so am sorta limited..
>>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal 
>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is 
>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully 
>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have antivirus software running on all systems, including 
>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> thanks for the help ;)


0
Ben
6/16/2005 2:34:09 PM
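Ben's advice in the quoted thread is to read the headers of an actual message rather than guess. As an added example that is not part of the original posts, here is a Python triage script that does that for the two message types Markus pasted: it parses a DSN (bounce), pulls out the bounced original from the message/rfc822 part, reports which host handed the message to the server (the bracketed address in the topmost Received header), and lists the attachment names. The sample DSN is constructed for this example after the headers posted above; 192.0.2.10 stands in for the server's own address (x.x.x.x in the thread), and SERVER_IPS, LOCAL_DOMAINS and SUSPECT_NAMES are assumptions, not values from the page.

```python
"""Header triage for the two message types quoted in this thread.
SAMPLE_DSN is constructed for this example after the posted headers;
192.0.2.10 stands in for the server's own address (x.x.x.x above)."""
import ipaddress
import re
from email import message_from_string
from email.message import Message

SERVER_IPS = {"192.0.2.10"}       # assumption: the Exchange server's own address
LOCAL_DOMAINS = {"mydomain.com"}  # assumption: domains this server accepts mail for
SUSPECT_NAMES = {"email-password.zip", "new-password.zip"}  # attachment names in the thread
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE_DSN = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="DSN-BOUNDARY"

--DSN-BOUNDARY
Content-Type: message/delivery-status

Final-Recipient: rfc822;josh@mydomain.com
Action: failed
Status: 5.1.1

--DSN-BOUNDARY
Content-Type: message/rfc822

Received: from mydomain.com ([192.0.2.10]) by EXCHANGE.mydomain.local
\twith Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="MSG-BOUNDARY"

--MSG-BOUNDARY
Content-Type: text/html; charset="ISO-8859-1"

<html>Your password has been successfully updated.</html>
--MSG-BOUNDARY
Content-Type: application/octet-stream; name="email-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="email-password.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--MSG-BOUNDARY--

--DSN-BOUNDARY--
"""

def original_message(msg: Message) -> Message:
    """A DSN wraps the bounced message as a message/rfc822 part; return that
    (its headers are the ones worth reading). Ordinary mail is returned as-is."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg

def connecting_ip(msg: Message):
    """Address of the host that handed the message to our server: the bracketed
    IP in the topmost (most recently added) Received header."""
    received = msg.get_all("Received") or []
    match = IP_IN_BRACKETS.search(received[0]) if received else None
    return match.group(1) if match else None

def origin_of(ip):
    if ip is None:
        return "unknown"
    if ip in SERVER_IPS or ipaddress.ip_address(ip).is_private:
        return "internal"      # submitted from our own server or LAN, not from outside
    return "external"

def triage(raw: str) -> dict:
    outer = message_from_string(raw)
    is_dsn = (outer.get_content_type() == "multipart/report"
              and outer.get_param("report-type") == "delivery-status")
    orig = original_message(outer)
    ip = connecting_ip(orig)
    sender = orig.get("From", "")
    sender_domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    names = [p.get_filename() for p in orig.walk() if p.get_filename()]
    return {
        "is_dsn": is_dsn,
        "connecting_ip": ip,
        "origin": origin_of(ip),
        "sender": sender,
        "sender_claims_local_domain": sender_domain in LOCAL_DOMAINS,
        "subject": orig.get("Subject", ""),
        "attachments": names,
        "suspect_attachments": [n for n in names if n in SUSPECT_NAMES],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DSN).items():
        print(f"{key}: {value}")
```

When the connecting IP comes back as the server's own address or a LAN address, the message was submitted from inside, which is the case Ben describes as "you likely have an infected machine on your network"; blocking that address, as the quoted post asks about, would block the server itself. The second message type in the thread (administrator@mydomain.com with new-password.zip, delivered directly) goes through the same triage() call and simply returns is_dsn False.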
I want to comment on what Marcus said about the default settings for the 
relay restrictions. I'm sure the CEICW set these settings. Mine also were 
set to 192.168.x.x /255.255.255.0 and 127.0.0.1.  I was a bit suspicious 
about the 127.0.0.1 being there so I removed it. I didn't see any issues or 
problems after doing so.
When I originally setup the SBS 2003 server we were using an ISP to host our 
email and a POP3 connection to pull to our Exchange server. I have since 
changed that and we are now hosting our own SMTP and Exchange server. My 
suspicion, and again I can be wrong, is that these were inputted because of 
my original configuration using POP3. Possible?


"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:Oqy31BocFHA.3912@TK2MSFTNGP15.phx.gbl...
> I'm not sure why the ICW adds those settings under the relay 
> restrictions - that may be better asked in the SBS newsgroups.  I know it 
> isn't the default for regular Exchange (Standard or Enterprise), so it may 
> be specific to SBS. As far as the authenticated relay, it is indeed on by 
> default.  My recommendation was that if you do not support any IMAP or 
> POP3 clients it should be disabled (unchecked).
>
> As far as your second question about Anonymous access, you have to leave 
> it on.  That controls how other mail servers are able to connect to you 
> and send mail to you.  If you disable anonymous, you'll find that you stop 
> receiving e-mail  :-)  SMTP conversations (unless specifically set up 
> otherwise) are all anonymous.  When you send an e-mail to another domain, 
> your server does the same thing (establishes an anonymous session).
>
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
>
>
> "markus" <mark@nospam.com> wrote in message 
> news:eCuV9ffcFHA.3404@tk2msftngp13.phx.gbl...
>> Ok..  but a question..
>> I have access to another server running SBS2003 (not at all concerned 
>> with my issue)  but I looked at the setup on it just to see.
>> On sbs2003, it is all setup by a wizard, the ICW, and the settings as the 
>> MS wizard set them up are:
>> only the list below is checked and in that list is:
>> 192.168.1.75 /255.255.255.0    (the ip of the server) and
>> 127.0.0.1
>>
>> also the check mark for "allow all computers that successfully 
>> authenticate..." is checked.
>>
>> Doesn't this indicate that this is the setup that MS recommends?
>>
>> another question..  again in the default SMTP settings under access 
>> control /authentication..
>> 'anonymous access'   is checked
>>
>> Why am I allowing anonymous access? Should I be?
>>
>>
>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>> news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
>>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>>
>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>> wrote in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>>>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really need 
>>>> to allow authenticated relay.  Exchange 2003 actually has IMAP and POP3 
>>>> services disabled by default, so you'd know if you had enabled them.
>>>>
>>>> -- 
>>>> Ben Winzenz
>>>> Exchange MVP
>>>> MessageOne
>>>>
>>>>
>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>>>> This is getting better and better. In my case we are an SBS 2003 and 
>>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We 
>>>>> have remote clients who have three alternatives on how they can access 
>>>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application 
>>>>> and 3. Remote connect to our Citrix server desktop and use Outlook from 
>>>>> the desktop.
>>>>> So I should have "Only the listed below" with no servers listed.
>>>>> and should not have the "Allow all computers which successfully 
>>>>> authenticate to relay, regardless of the list above" checked? I do not 
>>>>> want to have open relay enabled as I do not think I have a need for 
>>>>> it. Thanks again Ben.
>>>>>
>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>>>> It serves to limit anonymous relay access to "only the list below". 
>>>>>> If it is blank, then no computers will be able to anonymously relay. 
>>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>>>> there.  Since you have to make a choice (only the list below, or all 
>>>>>> except the list below), the best choice is "only the list below".
>>>>>>
>>>>>> -- 
>>>>>> Ben Winzenz
>>>>>> Exchange MVP
>>>>>> MessageOne
>>>>>>
>>>>>>
>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>>>> Hey Ben,
>>>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>>>> point this information is more for my interest and knowledge than 
>>>>>>> Marcus's, but he did start the thread. I'm a bit confused at what you 
>>>>>>> just wrote.
>>>>>>>
>>>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>>>> list should be blank.  The internal IP of your Exchange server 
>>>>>>> should NOT be in that list.  It should also be set at the default 
>>>>>>> setting of "Only the list below".
>>>>>>>
>>>>>>> Your telling me here my exchange servers internal IP should not be 
>>>>>>> listed, yet you then tell me that I need to set it to "Only the list 
>>>>>>> below".
>>>>>>> My question is if there is nothing in the list what purpose does 
>>>>>>> this serve?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>>>> wrote in message news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>>>> "Select which computers may relay through this VS" sets which 
>>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail 
>>>>>>>> through your Exchange server.  Unless you have a specific internal 
>>>>>>>> app that needs to relay, this list should be blank.  The internal 
>>>>>>>> IP of your Exchange server should NOT be in that list.  It should 
>>>>>>>> also be set at the default setting of "Only the list below".
>>>>>>>>
>>>>>>>> "allow all computers which authenticate" is specifically for 
>>>>>>>> clients such as IMAP or POP3 users that must send e-mail using your 
>>>>>>>> server. It further dictates that they MUST authenticate before 
>>>>>>>> being allowed to relay the messages.  This does not deal with 
>>>>>>>> anonymous smtp sessions (such as mail from other e-mail servers). 
>>>>>>>> Outlook clients in MAPI mode do not relay messages, so this only 
>>>>>>>> needs to be checked if you have IMAP or POP3 clients. How clients 
>>>>>>>> can authenticate are determined by the settings under the 
>>>>>>>> authentication section.  I doubt that a virus would be able to 
>>>>>>>> initiate an authenticated SMTP session.
>>>>>>>>
>>>>>>>> As far as where the messages are coming from, you need to look at 
>>>>>>>> the headers of one of the actual messages.  If the headers from 
>>>>>>>> that message indicate that it is internal, then you likely have an 
>>>>>>>> infected machine on your network.  If they are all destined for 
>>>>>>>> local addresses (even if they are invalid users), then there is no 
>>>>>>>> issue with relaying. Relaying would only be an issue if the 
>>>>>>>> messages are being sent to external addresses.
>>>>>>>>
>>>>>>>> Hope this helps.
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Ben Winzenz
>>>>>>>> Exchange MVP
>>>>>>>> MessageOne
>>>>>>>>
>>>>>>>>
>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>>>> This may be a bit above and beyond as to how well I can explain it 
>>>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>>>> this email server may send outside.
>>>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>>>> above. Which means they can send an email from another mail 
>>>>>>>>> server.
>>>>>>>>> So we only want email from our mail server to pass through our 
>>>>>>>>> SMTP virtual server. SPAMMERS who use the SMTP virtual server do 
>>>>>>>>> not send email from our Exchange server. Hope that makes sense and 
>>>>>>>>> my interpretation is also correct. I do think it is because I was 
>>>>>>>>> also getting those type of password confirmations like you are and 
>>>>>>>>> since I closed the open relay it has not happened since. Maybe we 
>>>>>>>>> can get someone else or an MVP to chime in and clarify this. If 
>>>>>>>>> you do find it to be incorrect or find a better explanation I'd 
>>>>>>>>> like to hear about it. Good luck.
>>>>>>>>>
>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>>>>>>> authenticate to
>>>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>>>> network?
>>>>>>>>>> Why not  allow authenticated users to relay if they are all 
>>>>>>>>>> inhouse anyway....
>>>>>>>>>> or............
>>>>>>>>>> could it be that a remote user, logging on thru terminal server, 
>>>>>>>>>> is actually doing the relaying...  if he had for instance, 
>>>>>>>>>> mydoom, which adds an SMTP server, infecting his remote PC... and 
>>>>>>>>>> then logged onto the network thru TS...  could that be then 
>>>>>>>>>> relaying thru exchange...?
>>>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>>>
>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>>>>>>> authenticate to relay,
>>>>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>>> Otherwise the listed server above does no good. We want "Only 
>>>>>>>>>>> the listed below" which should be the internal IP of your 
>>>>>>>>>>> Exchange server. Give it a try and of course monitor it over the 
>>>>>>>>>>> next day or so.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the 
>>>>>>>>>>>> list) checked and
>>>>>>>>>>>> checked - 'Allow all computers which successfully authenticate 
>>>>>>>>>>>> to relay, regardless of the list above'
>>>>>>>>>>>>
>>>>>>>>>>>> is this not right??
>>>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>>>> relaying. You need to turn that off unless you have a specific 
>>>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP 
>>>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 
>>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email 
>>>>>>>>>>>>>> like:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit 
>>>>>>>>>>>>>> IP address of my server))) by EXCHANGE.mydomain.local with 
>>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>>>> from?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it 
>>>>>>>>>>>>>> not mean that he is sending it?... but he's not. Does that 
>>>>>>>>>>>>>> mean that the virus is on his PC?? But I've scanned for it 
>>>>>>>>>>>>>> several times and not found it at all, ever...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Where are these mails coming from? Is the server sending them 
>>>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know 
>>>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The other type of email he will receive is from, for 
>>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>>>>>>> SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the legit IP 
>>>>>>>>>>>>>> address of the server here...*****************
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Message-ID: 
>>>>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So... block what address?? it says the email is coming from 
>>>>>>>>>>>>>> my own server...?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Plus, what about the system administrator returned email? 
>>>>>>>>>>>>>> where is that coming from... I'm so confused......
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>>> You can view the originator through the Message Header. Open 
>>>>>>>>>>>>>>> the email and click on View/Options. You can block the IP 
>>>>>>>>>>>>>>> and originating domain which may or may not do you any good 
>>>>>>>>>>>>>>> as spammers are always constantly changing them. However 
>>>>>>>>>>>>>>> I've had good results blocking the ISP IP which is usually 
>>>>>>>>>>>>>>> foreign and does not affect legitimate emails. Also you may 
>>>>>>>>>>>>>>> want to turn off Relay in case they are relaying through 
>>>>>>>>>>>>>>> your SMTP. Do you use the IMF Companion? You may want to 
>>>>>>>>>>>>>>> turn on Performance Counters for IMF so you can determine 
>>>>>>>>>>>>>>> the correct SCL level you need to apply. Also using RBL's is 
>>>>>>>>>>>>>>> a good thing to do also.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the 
>>>>>>>>>>>>>>>>IMF filter so am sorta limited..
>>>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go to 
>>>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal 
>>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is 
>>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully 
>>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have antivirus software running on all systems, 
>>>>>>>>>>>>>>>>> including the server.
>>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> thanks for the help ;)


0
allen.miyake (137)
6/16/2005 3:47:44 PM
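The relay settings argued over in this thread ("Only the list below" left empty, the "allow all computers which successfully authenticate" box unchecked unless there are POP3/IMAP clients) can be verified from outside instead of trusted. As an added example that is not from the original posts, this Python block performs an anonymous relay probe the way a spammer's scanner does (EHLO, an external MAIL FROM, an external RCPT TO, no AUTH, no DATA) and reports whether the server accepts the recipient; Exchange 2003 with relaying restricted answers "550 5.7.1 Unable to relay for ...". So that it runs offline, the block also carries a small fake SMTP responder that behaves like a closed relay. The mydomain.com accepted domain, the probe addresses and the 127.0.0.1 endpoint are assumptions.

```python
"""Anonymous open-relay probe plus a fake SMTP responder to run it against offline.
Assumptions: mydomain.com is the server's accepted domain, the probe addresses are
placeholders, and the fake answers the way Exchange 2003 does with relaying closed."""
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"mydomain.com"}   # assumption: domains the server accepts mail for


def relay_check(host, port=25, mail_from="probe@external.example",
                rcpt_to="someone@other-external.example", timeout=10):
    """Do what a spammer's relay scan does: no AUTH, external sender, external
    recipient. Returns (accepted, code, reply). A 250 on an external recipient
    means the server will relay for anyone; Exchange 2003 with relaying
    restricted answers '550 5.7.1 Unable to relay for <address>'."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, reply = s.mail(mail_from)
        if code != 250:
            return False, code, reply.decode(errors="replace")
        code, reply = s.rcpt(rcpt_to)
        s.rset()            # abandon the envelope; nothing is ever queued
        return code == 250, code, reply.decode(errors="replace")


class ClosedRelayHandler(socketserver.StreamRequestHandler):
    """Fake server for the offline demo: accepts only recipients in LOCAL_DOMAINS."""
    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.send("220 EXCHANGE.mydomain.local Microsoft ESMTP MAIL Service ready")
        while True:
            line = self.rfile.readline().decode(errors="replace").strip()
            if not line:
                return                    # client went away
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.send("250 EXCHANGE.mydomain.local Hello " + arg)
            elif verb == "MAIL":
                self.send("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ")
                if addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
                    self.send("250 2.1.5 " + addr)
                else:
                    self.send("550 5.7.1 Unable to relay for " + addr)
            elif verb == "RSET":
                self.send("250 2.0.0 Resetting")
            elif verb == "QUIT":
                self.send("221 2.0.0 Service closing transmission channel")
                return
            else:
                self.send("500 5.3.3 Unrecognized command")


def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ClosedRelayHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe the fake: an external recipient must be refused, a local one accepted."""
    srv, port = start_fake_server()
    try:
        ext = relay_check("127.0.0.1", port)
        local = relay_check("127.0.0.1", port, rcpt_to="user@mydomain.com")
    finally:
        srv.shutdown()
        srv.server_close()
    return {"external_relayed": ext[0], "external_code": ext[1], "external_reply": ext[2],
            "local_accepted": local[0], "local_code": local[1]}


if __name__ == "__main__":
    print(demo())
```

Against a real server, call relay_check("your.mail.host") from a machine outside the network, since the relay list and authenticated-relay box only govern non-local connections; a 250 on an external recipient is an open relay. The probe resets after RCPT and never sends DATA, so nothing is queued. It says nothing about the situation in this thread, where the mail is all addressed to local recipients: the server accepts those by design whatever the relay setting, which is Ben's point that relaying is only the issue if messages are going to external addresses.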
On the SBS2003 system I looked at (I actually have looked at 2 different 
ones now), the POP3 connector has never been set up, but the settings on both 
systems are basically the same. So apparently that is how the wizard sets 
it up.



"AllenM" <allen.miyake@gmail.com> wrote in message 
news:%23jkcGqocFHA.3940@TK2MSFTNGP10.phx.gbl...
>I want to comment on what Marcus said about the default settings for the 
>relay restrictions. I'm sure the CEICW set these settings. Mine also were 
>set to 192.168.x.x /255.255.255.0 and 127.0.0.1.  I was a bit suspicious 
>about the 127.0.0.1 being there so I removed it. I didn't see any issues or 
>problems after doing so.
> When I originally setup the SBS 2003 server we were using an ISP to host 
> our email and a POP3 connection to pull to our Exchange server. I have 
> since changed that and we are now hosting our own SMTP and Exchange 
> server. My suspicion, and again I can be wrong, is that these were 
> inputted because of my original configuration using POP3. Possible?
>
>
> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
> in message news:Oqy31BocFHA.3912@TK2MSFTNGP15.phx.gbl...
>> I'm not sure why the ICW adds those settings under the relay 
>> restrictions - that may be better asked in the SBS newsgroups.  I know it 
>> isn't the default for regular Exchange (Standard or Enterprise), so it 
>> may be specific to SBS. As far as the authenticated relay, it is indeed 
>> on by default.  My recommendation was that if you do not support any IMAP 
>> or POP3 clients it should be disabled (unchecked).
>>
>> As far as your second question about Anonymous access, you have to leave 
>> it on.  That controls how other mail servers are able to connect to you 
>> and send mail to you.  If you disable anonymous, you'll find that you 
>> stop receiving e-mail  :-)  SMTP conversations (unless specifically set 
>> up otherwise) are all anonymous.  When you send an e-mail to another 
>> domain, your server does the same thing (establishes an anonymous 
>> session).
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP
>> MessageOne
>>
>>
>> "markus" <mark@nospam.com> wrote in message 
>> news:eCuV9ffcFHA.3404@tk2msftngp13.phx.gbl...
>>> Ok..  but a question..
>>> I have access to another server running SBS2003 (not at all concerned 
>>> with my issue)  but I looked at the setup on it just to see.
>>> On sbs2003, it is all setup by a wizard, the ICW, and the settings as 
>>> the MS wizard set them up are:
>>> only the list below is checked and in that list is:
>>> 192.168.1.75 /255.255.255.0    (the ip of the server) and
>>> 127.0.0.1
>>>
>>> also the check mark for "allow all computers that successfully 
>>> authenticate..." is checked.
>>>
>>> Doesn't this indicate that this is the setup that MS recommends?
>>>
>>> another question..  again in the default SMTP settings under access 
>>> control /authentication..
>>> 'anonymous access'   is checked
>>>
>>> Why am I allowing anonymous access? Should I be?
>>>
>>>
>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>> news:uJxWlVdcFHA.4028@TK2MSFTNGP10.phx.gbl...
>>>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>> wrote in message news:O0oozSdcFHA.3808@TK2MSFTNGP14.phx.gbl...
>>>>> Right.  Unless you have SMTP clients (IMAP/POP3), you don't really 
>>>>> need to allow authenticated relay.  Exchange 2003 actually has IMAP 
>>>>> and POP3 services disabled by default, so you'd know if you had 
>>>>> enabled them.
>>>>>
>>>>> -- 
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>> news:uOfHBCdcFHA.2840@TK2MSFTNGP14.phx.gbl...
>>>>>> This is getting better and better. In my case we are a SBS 2003 and 
>>>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. 
>>>>>> We have remote client who have three alternatives on how they can 
>>>>>> access email at home. 1. OWA. 2. Outlook as a Citrix Published 
>>>>>> Application and 3. Remote connect to our Citrix server desktop and 
>>>>>> use Outlook from the desktop.
>>>>>> So I should have "Only the listed below" with no servers listed.
>>>>>> and should not have the "Allow all computers which successfully 
>>>>>> authenticate to relay, regardless of the list above" checked? I do 
>>>>>> not want to have open relay enabled as I do not think I have a need 
>>>>>> for it. Thanks again Ben.
>>>>>>
>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>>>>>> wrote in message news:eQkN95ccFHA.228@TK2MSFTNGP12.phx.gbl...
>>>>>>> It serves to limit anonymous relay access to "only the list below". 
>>>>>>> If it is blank, then no computers will be able to anonymously relay. 
>>>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in 
>>>>>>> there.  Since you have to make a choice (only the list below, or all 
>>>>>>> except the list below), the best choice is "only the list below".
>>>>>>>
>>>>>>> -- 
>>>>>>> Ben Winzenz
>>>>>>> Exchange MVP
>>>>>>> MessageOne
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>> news:OiCLS1ccFHA.720@TK2MSFTNGP15.phx.gbl...
>>>>>>>> Hey Ben,
>>>>>>>> I'm glad I found you and you were able to chime in. I guess at this 
>>>>>>>> point this information is more for my interest and knowledge that 
>>>>>>>> Marcus but he did start the thread. I'm a bit confused at what you 
>>>>>>>> just wrote.
>>>>>>>>
>>>>>>>> "Unless you have a specific internal app that needs to relay, this 
>>>>>>>> list should be blank.  The internal IP of your Exchange server 
>>>>>>>> should NOT be in that list.  It should also be set at the default 
>>>>>>>> setting of "Only the list below".
>>>>>>>>
>>>>>>>> You're telling me here my Exchange server's internal IP should not be 
>>>>>>>> listed, yet you then tell me that I need to set it to "Only the 
>>>>>>>> list below".
>>>>>>>> My question is if there is nothing in the list what purpose does 
>>>>>>>> this serve?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "Ben Winzenz [Exchange MVP]" 
>>>>>>>> <ben_winzenz@NOSPAMdotmessageonedotcom> wrote in message 
>>>>>>>> news:uPor3qccFHA.3912@TK2MSFTNGP15.phx.gbl...
>>>>>>>>> "Select which computers may relay through this VS" sets which 
>>>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail 
>>>>>>>>> through your Exchange server.  Unless you have a specific internal 
>>>>>>>>> app that needs to relay, this list should be blank.  The internal 
>>>>>>>>> IP of your Exchange server should NOT be in that list.  It should 
>>>>>>>>> also be set at the default setting of "Only the list below".
>>>>>>>>>
>>>>>>>>> "allow all computers which authenticate" is specifically for 
>>>>>>>>> clients such as IMAP or POP3 users that must send e-mail using 
>>>>>>>>> your server. It further dictates that they MUST authenticate 
>>>>>>>>> before being allowed to relay the messages.  This does not deal 
>>>>>>>>> with anonymous smtp sessions (such as mail from other e-mail 
>>>>>>>>> servers). Outlook clients in MAPI mode do not relay messages, so 
>>>>>>>>> this only needs to be checked if you have IMAP or POP3 clients. 
>>>>>>>>> How clients can authenticate is determined by the settings under 
>>>>>>>>> the authentication section.  I doubt that a virus would be able to 
>>>>>>>>> initiate an authenticated SMTP session.
>>>>>>>>>
>>>>>>>>> As far as where the messages are coming from, you need to look at 
>>>>>>>>> the headers of one of the actual messages.  If the headers from 
>>>>>>>>> that message indicate that it is internal, then you likely have an 
>>>>>>>>> infected machine on your network.  If they are all destined for 
>>>>>>>>> local addresses (even if they are invalid users), then there is no 
>>>>>>>>> issue with relaying. Relaying would only be an issue if the 
>>>>>>>>> messages are being sent to external addresses.
>>>>>>>>>
>>>>>>>>> Hope this helps.
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Ben Winzenz
>>>>>>>>> Exchange MVP
>>>>>>>>> MessageOne
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>> news:%23NC5MxbcFHA.1384@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>> This may be a bit above and beyond as to how well I can explain 
>>>>>>>>>> it so do not write this in stone. Here's my interpretation.
>>>>>>>>>> "Select which computer may relay through this virtual server" By 
>>>>>>>>>> selecting this we are saying that only email that passes through 
>>>>>>>>>> this email server may send outside.
>>>>>>>>>> "Allow all computers which successfully authenticate to relay, 
>>>>>>>>>> regardless of the list above". What this is saying is that anyone 
>>>>>>>>>> can go through this SMTP relay without passing through the server 
>>>>>>>>>> above. Which means they can send an email from another mail 
>>>>>>>>>> server.
>>>>>>>>>> So we only want email from our mail server to pass through our 
>>>>>>>>>> SMTP virtual server. SPAMMERS who use the SMTP virtual server do 
>>>>>>>>>> not send email from our Exchange server. Hope that makes sense 
>>>>>>>>>> and my interpretation is also correct. I do think it is because I 
>>>>>>>>>> was also getting those type of password confirmations like you 
>>>>>>>>>> are and since I closed the open relay it has not happened since. 
>>>>>>>>>> Maybe we can get someone else or an MVP to chime in and clarify 
>>>>>>>>>> this. If you do find it to be incorrect or find a better 
>>>>>>>>>> explanation I'd like to hear about it. Good luck.
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>> news:e4YKFKVcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>> OK, I've unchecked "'Allow all computers which successfully 
>>>>>>>>>>> authenticate to
>>>>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>>>>> but a question..... outside users would not be 'authenticated' 
>>>>>>>>>>> users would they?  By authenticated, they mean logged onto the 
>>>>>>>>>>> network?
>>>>>>>>>>> Why not  allow authenticated users to relay if they are all 
>>>>>>>>>>> inhouse anyway....
>>>>>>>>>>> or............
>>>>>>>>>>> could it be that a remote user, logging on thru terminal server, 
>>>>>>>>>>> is actually doing the relaying...  if he had for instance, 
>>>>>>>>>>> mydoom, which adds an SMTP server, infecting his remote PC... 
>>>>>>>>>>> and then logged onto the network thru TS...  could that be then 
>>>>>>>>>>> relaying thru exchange...?
>>>>>>>>>>> ..sounds logical to me..  what you think?
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>> news:%235pkqbTcFHA.796@TK2MSFTNGP09.phx.gbl...
>>>>>>>>>>>> you need to uncheck "'Allow all computers which successfully 
>>>>>>>>>>>> authenticate to relay,
>>>>>>>>>>>> regardless of the list above" This is what is allowing outside 
>>>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>>>> Otherwise the listed server above does no good. We want "Only 
>>>>>>>>>>>> the listed below" which should be the internal IP of your 
>>>>>>>>>>>> Exchange server. Give it a try and of course monitor it over the 
>>>>>>>>>>>> next day or so.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>> news:OBShuTTcFHA.3488@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>>>> i have the box:  'Only the list below'  (and nothing in the 
>>>>>>>>>>>>> list) checked and
>>>>>>>>>>>>> checked - 'Allow all computers which successfully 
>>>>>>>>>>>>> to relay, regardless of the list above'
>>>>>>>>>>>>>
>>>>>>>>>>>>> is this not right??
>>>>>>>>>>>>> There is a terminal server on this network... could that be 
>>>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>> news:%23BqJDpScFHA.132@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for 
>>>>>>>>>>>>>> relaying. You need to turn that off unless you have a 
>>>>>>>>>>>>>> specific reason to have it on. You should only "allow" the 
>>>>>>>>>>>>>> internal IP address of your mail server to use relay on this 
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>> news:%23ajIQhScFHA.1148@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2 
>>>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of 
>>>>>>>>>>>>>>> email to:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> from: System Administrator                     subject: 
>>>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>>> From: postmaster@mydomain.com
>>>>>>>>>>>>>>> To: user@mydomain.com
>>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@EXCHANGE.domain.local>
>>>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the 
>>>>>>>>>>>>>>> legit IP address of my server))) by EXCHANGE.mydomain.local 
>>>>>>>>>>>>>>> with Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>> From: info@mydomain.com ***** THIS USER (INFO) DOES NOT 
>>>>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>>>> To: josh@mydomain.com *******THIS USER DOES NOT EXIST 
>>>>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not 
>>>>>>>>>>>>>>> exist... but where is the sender (info@mydomain.com) coming 
>>>>>>>>>>>>>>> from?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>>> Return-Path: info@mydomain.com
>>>>>>>>>>>>>>> Message-ID: <EXCHANGEX00lfepHjon00000675@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC) 
>>>>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it 
>>>>>>>>>>>>>>> not mean that he is sending it?... but he's not. Does that 
>>>>>>>>>>>>>>> mean that the virus is on his PC?? But I've scanned for it 
>>>>>>>>>>>>>>> several times and not found it at all, ever...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Where are these mails coming from? Is the server sending 
>>>>>>>>>>>>>>> them out somehow? is his PC sending them out somehow? I 
>>>>>>>>>>>>>>> don't know where to begin to figure this out......
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The other type of email he will receive is from, for 
>>>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Administrator@mydomain.com Subject: You have successfully 
>>>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by 
>>>>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft 
>>>>>>>>>>>>>>> SMTPSVC(6.0.3790.1830); ****where x.x.x.x is the legit IP 
>>>>>>>>>>>>>>> address of the server here...*****************
>>>>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>>> From: administrator@mydomain.com
>>>>>>>>>>>>>>> To: real user@mydomain.com
>>>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>>> Return-Path: administrator@mydomain.com
>>>>>>>>>>>>>>> Message-ID: <EXCHANGE5B76WE7P5IE000004cf@EXCHANGE.mydomain.local>
>>>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC) 
>>>>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So... block what address?? it says the email is coming from 
>>>>>>>>>>>>>>> my own server...?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Plus, what about the system administrator returned email? 
>>>>>>>>>>>>>>> where is that coming from... Im so confused......
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "AllenM" <allen.miyake@gmail.com> wrote in message 
>>>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>>>>>>> You can view the originator through the Message Header. 
>>>>>>>>>>>>>>>> Open the email and click on View/Options. You can block the 
>>>>>>>>>>>>>>>> IP and originating domain which may or may not do you any 
>>>>>>>>>>>>>>>> good as spammers are always constantly changing them. 
>>>>>>>>>>>>>>>> However I've had good results blocking the ISP IP which is 
>>>>>>>>>>>>>>>> usually foreign and does not affect legitimate emails. Also 
>>>>>>>>>>>>>>>> you may want to turn off Relay in case they are relaying 
>>>>>>>>>>>>>>>> through your SMTP. Do you use the IMF Companion? You may 
>>>>>>>>>>>>>>>> want to turn on Performance Counters for IMF so you can 
>>>>>>>>>>>>>>>> determine the correct SCL level you need to apply. Also 
>>>>>>>>>>>>>>>> using RBL's is a good thing to do also.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>>I am running Norton Small Business V7.5 antivirus and the 
>>>>>>>>>>>>>>>>>IMF filter so am sorta limited..
>>>>>>>>>>>>>>>>> But I'm really not understanding what is going on..  where 
>>>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>>>> many are for users that do not exist in the network 
>>>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones...  but many go 
>>>>>>>>>>>>>>>>> to legit users too..
>>>>>>>>>>>>>>>>> I'm really trying to understand just what is going 
>>>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it 
>>>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>> "markus" <mark@nospam.com> wrote in message 
>>>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@tk2msftngp13.phx.gbl...
>>>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are 
>>>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>>>> system administrator    undeliverable: bla bla bal 
>>>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is 
>>>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> administrator@mydomain.com   : you have successfully 
>>>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have antivirus software running on all systems, 
>>>>>>>>>>>>>>>>>> including the server.
>>>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from symantec on  all 
>>>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that 
>>>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>


0
mark7111 (54)
6/16/2005 11:05:41 PM
Reply:
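Ben's advice above (look at the headers; if the connecting hop is inside your network you have an infected machine, and relaying only matters when the recipients are outside your domain) can be turned into a script. The following is an added example by the editor, not code from any poster in this thread. It unwraps an Exchange DSN to the bounced original that rides inside it, takes the connecting IP from the Received: line our own server wrote (the bracketed address, not the HELO name in front of it, which the client chooses freely) and classifies the message on the two axes Ben names. The domain, server name, internal ranges and the 203.0.113.10 stand-in for the poster's x.x.x.x are assumptions; the two sample messages are constructed from the headers posted above, with bodies omitted.

```python
import email
import email.utils
import ipaddress
import re

# Site parameters: assumptions for this example, adjust to your own environment.
LOCAL_DOMAIN = "mydomain.com"
OUR_SERVER = "EXCHANGE.mydomain.local"   # name our Exchange writes after "by" in Received:
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# The posted Received: lines show the server's own public IP (x.x.x.x) as the peer.
# An inside host reaching the MX through the firewall commonly appears that way
# (NAT hairpin), so the site's own public address is counted as internal here.
# 203.0.113.10 (documentation range) stands in for the poster's x.x.x.x.
SITE_PUBLIC_IPS = {ipaddress.ip_address("203.0.113.10")}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed samples modelled on the two headers posted in the thread; bodies omitted.
SAMPLE_DSN = """\
From: postmaster@mydomain.com
To: user@mydomain.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="DSN_BOUNDARY"

--DSN_BOUNDARY
Content-Type: text/plain; charset=us-ascii

Your message did not reach some or all of the intended recipients.

--DSN_BOUNDARY
Content-Type: message/delivery-status

Final-Recipient: rfc822;josh@mydomain.com
Action: failed
Status: 5.1.1

--DSN_BOUNDARY
Content-Type: message/rfc822

Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 14 Jun 2005 16:52:54 -0400
From: info@mydomain.com
To: josh@mydomain.com
Subject: You have successfully updated your password
Content-Type: text/plain; charset="ISO-8859-1"

(body omitted)

--DSN_BOUNDARY--
"""

SAMPLE_DIRECT = """\
Received: from mydomain.com ([203.0.113.10]) by EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 14 Jun 2005 09:07:59 -0400
From: administrator@mydomain.com
To: realuser@mydomain.com
Subject: You have successfully updated your password
Content-Type: text/plain; charset="ISO-8859-1"

(body omitted)
"""


def innermost_message(msg):
    """An Exchange DSN is multipart/report; the bounced original rides inside it
    as message/rfc822. Return that original if present, else the message itself."""
    if msg.get_content_type() == "multipart/report":
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0)
    return msg


def origin_ip(msg, our_host=OUR_SERVER):
    """Peer IP from the Received: line our own server wrote. The name after "from"
    is whatever the client said in HELO; only the bracketed address is ours."""
    for hop in msg.get_all("Received") or []:
        if f"by {our_host}".lower() in hop.lower():
            m = BRACKETED_IP.search(hop)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def classify(raw_message):
    outer = email.message_from_string(raw_message)
    inner = innermost_message(outer)
    ip = origin_ip(inner)
    sender = email.utils.parseaddr(inner.get("From", ""))[1].lower()
    rcpts = [a.lower() for _, a in email.utils.getaddresses(
        inner.get_all("To", []) + inner.get_all("Cc", []))]
    origin_internal = ip is not None and (
        ip in SITE_PUBLIC_IPS or any(ip in net for net in INTERNAL_NETS))
    all_local = bool(rcpts) and all(r.endswith("@" + LOCAL_DOMAIN) for r in rcpts)
    if origin_internal and all_local:
        verdict = "internal host injecting mail to local users: hunt the infected machine, relay is not involved"
    elif origin_internal:
        verdict = "internal host sending to outside domains through this server: infected machine relaying outbound"
    elif all_local:
        verdict = "outside host delivering to local users: inbound spam/worm, not a relay problem, filter or block it"
    else:
        verdict = "outside host sending to outside domains: the server is acting as an open relay"
    return {
        "is_dsn": outer.get_content_type() == "multipart/report",
        "origin_ip": str(ip) if ip else None,
        "origin_internal": origin_internal,
        "sender_claims_local_domain": sender.endswith("@" + LOCAL_DOMAIN),  # From: is forgeable
        "all_recipients_local": all_local,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("DSN", SAMPLE_DSN), ("direct", SAMPLE_DIRECT)):
        print(label, classify(raw))
```

Run against the two posted headers, both come out as "internal origin, local recipients": the forged local From: and the non-existent recipients are what MyDoom-style worms produce, and the DSNs are just the server bouncing those to the forged sender. That points at a machine inside the network (or one reaching the MX through the firewall), not at the relay settings. Feed it the Received: line of a message that was actually delivered outside and the verdict flips to the relay cases.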
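Two checks the relay discussion above calls for, again as an added example by the editor rather than anything posted in the thread. The first is a relay probe that talks SMTP to the virtual server the way an outside abuser would (EHLO, MAIL FROM and RCPT TO for two foreign domains, then RSET and QUIT, never DATA, so nothing is ever delivered) and reports whether the RCPT was accepted. The second evaluates "Only the list below" entries the way the dialog does: a single address matches one host, while an address with a mask is a group, so an entry shown as 192.168.1.75/255.255.255.0 (the SBS box quoted above) would admit every host in 192.168.1.0/24 to anonymous relay, not just the server; if that is what the SBS dialog really shows, check whether it is a single-computer entry. The FakeSmtpServer class is a constructed stand-in that answers the way Exchange 2003 does when relaying is denied (550 5.7.1 Unable to relay) or allowed; its reply texts, the probe addresses and the host/port are assumptions.

```python
import ipaddress
import socket


def _reply_code(conn):
    """Read one (possibly multi-line) SMTP reply and return its numeric code."""
    data = b""
    while True:
        lines = data.rstrip(b"\r\n").split(b"\r\n") if data.endswith(b"\r\n") else []
        if lines and lines[-1][3:4] == b" ":   # "NNN text" ends a reply, "NNN-text" continues it
            return int(lines[-1][:3])
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP peer closed the connection")
        data += chunk


def _command(conn, line):
    conn.sendall(line.encode("ascii") + b"\r\n")
    return _reply_code(conn)


def probe_relay(conn, helo="relaycheck.example",
                mail_from="probe@outside-a.example", rcpt_to="probe@outside-b.example"):
    """True if the server accepts RCPT TO for a foreign domain from an unauthenticated
    foreign sender, i.e. it will relay for anyone. No DATA is sent."""
    if _reply_code(conn) != 220:
        raise RuntimeError("no SMTP banner")
    if _command(conn, f"EHLO {helo}") != 250:
        raise RuntimeError("EHLO rejected")
    accepted = False
    if _command(conn, f"MAIL FROM:<{mail_from}>") == 250:
        accepted = 200 <= _command(conn, f"RCPT TO:<{rcpt_to}>") < 300
        _command(conn, "RSET")   # abandon the envelope; the message is never sent
    _command(conn, "QUIT")
    return accepted


def probe_host(host, port=25, timeout=10):
    """Run the probe against a real server (host/port are the caller's choice)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_relay(sock)


def relay_list_allows(entries, ip):
    """Does an IP match the 'Only the list below' entries? 'a.b.c.d' is one host;
    'a.b.c.d/mask' is a group entry and admits the whole subnet the mask describes."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "/" in entry:
            base, mask = entry.split("/", 1)
            if addr in ipaddress.ip_network(f"{base.strip()}/{mask.strip()}", strict=False):
                return True
        elif addr == ipaddress.ip_address(entry.strip()):
            return True
    return False


class FakeSmtpServer:
    """Constructed stand-in for an Exchange 2003 SMTP virtual server so the probe can
    run offline. Reply texts are assumptions modelled on Exchange's wording."""

    def __init__(self, open_relay, local_domain="mydomain.com"):
        self.open_relay, self.local_domain = open_relay, local_domain
        self.out = b"220 EXCHANGE.mydomain.local Microsoft ESMTP MAIL Service ready\r\n"
        self.transcript = []   # every command line the client sent

    def sendall(self, data):
        line = data.decode("ascii").rstrip("\r\n")
        self.transcript.append(line)
        verb = line.split(" ", 1)[0].split(":")[0].upper()
        if verb == "EHLO":
            reply = "250-EXCHANGE.mydomain.local Hello\r\n250 OK"
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            rcpt = line.split("<", 1)[1].split(">", 1)[0]
            if self.open_relay or rcpt.lower().endswith("@" + self.local_domain):
                reply = "250 2.1.5 Recipient OK"
            else:
                reply = "550 5.7.1 Unable to relay for " + rcpt
        elif verb == "RSET":
            reply = "250 2.0.0 Resetting"
        elif verb == "QUIT":
            reply = "221 2.0.0 Service closing transmission channel"
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.out += reply.encode("ascii") + b"\r\n"

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


if __name__ == "__main__":
    print("closed relay probe:", probe_relay(FakeSmtpServer(open_relay=False)))
    print("open relay probe:", probe_relay(FakeSmtpServer(open_relay=True)))
    print("192.168.1.200 may relay under the SBS entry:",
          relay_list_allows(["192.168.1.75/255.255.255.0", "127.0.0.1"], "192.168.1.200"))
```

Run probe_host against the virtual server from a host that is neither in the relay list nor authenticated, from outside if you can; a False there confirms what the thread concludes, that the flood is not relay abuse but an infected machine injecting mail to local addresses. Keep the "Allow all computers which successfully authenticate" box in mind when reading the result: the probe never authenticates, so it says nothing about what an authenticated (and possibly infected) terminal-server user could relay.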

Similar Artilces:

Exchange VM Fragmentation issue
We are currently running W2K - SP4 & Exchange 2000 enterprise, fully patched and up-to-date with the latest updates. The server has 2GB of RAM. We are getting warning messages popping up every hour telling us that the virtual memory is highly fragmented and it is highly recommended that we restart all exchange services to corect this issue. The event ID is 9582. I applied the heapcommitfreeblockthreshold patch in July of 2005 and it seemed to resolve the issue for about 4 months or so. We made no changes to the server in that time, but the 9582 message started popping up again...

OMG! Need help w/security issue
This one is truly bizarre folks!! I have an Access '97 database using a workgroup file. I have been added to that workgroup file, and granted "full rights" to the database. Yet, when I attempt to open it in Access 2002 (with the goal of converting to 2002), I cannot open the database. For that matter, neither can "Admin". Even when the OWNER of all objects within the '97 version is set to me (or Admin), the specified "owner" cannot gain access in 2002. Now, when I open the database in '97, I get in just fine. Now, here's the kicker: Wh...

Outlook 2003 & Vista HTML display issue
In Outlook 2003 on Windows Vista, HTML mail that is addressed to "undisclosed-recipients:" displays in plain text format with all of the HTML code exposed. HTML mail that is addressed to an actual e-mail address comes through and displays fine. I have tried adding the senders to my safe recipients list but that hasn't solved the problem. I use the exact same set up on a Windows XP machine or download the e-mails via a different e-mail program like Windows Mail and they are fine. Also, if I log into my mail server to look at them they are fine. However, if I download t...

Outlook Appointment VBA Issues
I am writing a routine that will Outlook Appointment items and write them into a database. When an item is recorded, I write the ID created in Access into a custom field in the appointment item. This is kinda working, but there are some strange issues. I have 22 items in the Calendar. My filter is looking for the past 10 days and the next 10 days, so there will be additional items based on recurrence. On the last run I did, 28 items were created. #1 - When I view the custom field in Outlook, only 3 of the 22 items show the ID that I wrote, yet on a second run where I check to see if the ...

publisher version incompatibility issues (2000 & 2002)
I have several users running Publisher 2000. I upgraded a few of them to 2002. My mistake, I will never upgrade just some machines again!!! Is there any exhaustive, definitive reference available explaining all the quirks, incompatibility issues and work arounds for using PUBLISHER 2000 & 2002 together? 5th item from the bottom- http://www.publishermvps.com/Default.aspx?tabid=48 David Bartosik - [MSFT MVP] www.publishermvps.com www.davidbartosik.com "philbert68" <philbert68@discussions.microsoft.com> wrote in message news:0994C513-66C1-4A27-95D7-EAF076C6B93D@micros...

picture printing issues
How do I correct a printing problem with an existing publication sent to me from an editor? One of the pictures in the newsletter continually prints upside down. All the reast of the images and pictures print correctly. Use to be some .tif images that were scanned into Publisher would print upside down. I think that was fixed in a service pack. Do you have the Publisher file? Pictures in documents that were created in an earlier version of Office appear flipped in Office XP and Office 2003 http://support.microsoft.com/kb/312838/EN-US/ -- Mary Sauer MSFT MVP http://office.microsoft.c...

Multiple Sync Issues
A few of our users have Multiple Sync Issues folders. example Sync Issues, Sync Issues1, and Sync Issues2. Any idea how to get rid of this? ...

Embedded Chart Versus Chart
I've created a class module to capture a Shift+Click on a pivot chart, which then opens the data associated with that point. It works great on pivot charts on their own sheet, but when I use the same code on an embedded chart, it fails (error code -2147417848). Everything seems to work fine, it derives the same row and column values as needed, but the ShowDetail property is unavailable in the embedded charts. Anyone have any insight? james Igoe || james.igoe@gmail.com || http://code.comparative-advantage.com I eventually solved my problem, simply using "On Error Resume Next&...

Outlook XP Emails Get Stuck, Not Large PST Issue
As a network admin at our company I've ran across about 1-2 users per week starting to have this problem, and the first one was reported about 5 weeks ago, where they randomly cannot send emails in Outlook XP (w/ SP3). They may have a few stuck in their outbox, and if you try to send them it just hangs usually around 50% on trying to connect to SMTP on our mail server to send it. If you close Outlook and reopen it fixes it for awhile then starts doing it again. Another temp fix I found is if when it's happening if I go into TOols->Account settings->Advanced and on t...

VirtualLock issue
According to Knowledge Base article 94996, VirtualLock does *not* lock pages into physical memory, but locks them into the working set. The documentation of VirtualLock still claims that the pages are locked into physical memory, and article 94996 has been removed from the Knowledge Base. Does anyone have any idea what the truth is? Note that Microsoft's haphazard pruning of important articles (while retaining hopelessly obsolete articles on 16-bit Windows 3.0) may simply indicate incompetent database management (no surprises here), or they may have actually changed the implementation t...

Preview Pane
Can anyone tell me if you have preview pane on with the default of marking messages as read does this mean that it is opened? Reason I am asking is that if the email contains is a worm does it then mean its activated? Thanks Yes, if it is a virus that doesn't need to be actually opened (ie, not an attachment but actually imbedded in the message). Not using the preview pane is considered good virus protection procedure and is listed on most virus protection "tip" lists. Leigh >-----Original Message----- >Can anyone tell me if you have preview pane on with the &g...

Workflow monitored issues
The Scenerio: I have set a up a workflow for when a case is created to update a custom field for the case for how long it has been in an active state in hours. WHen the case is created, a workflow is kicked off. All that workflow does is call a manual workflow. In the manual workflow, a wait for timer for 1 hour is started, after 1 hour, if the case is active, I add 1 to the field and then recall my same manual step which will then wait for another hour and check the status of the case, etc, etc. until it is closed. The problem: For all cases that are created (except by me as a system a...

Successor Issue
When I move my successor to the right why do the predecessors not follow and how can i make them? See your other post. -- If this post was helpful, please consider rating it. Jim Aksel, MVP Check out my blog for more information: http://www.msprojectblog.com "Nic" wrote: > When I move my successor to the right why do the predecessors not follow and > how can i make them? The timing of predecessors determines the timing of successors, not the other way around. That's what "predecessor" and "successor" mean. -- Steve House...

Secure OWA front end and Secure OWA Server issue
Im migrating my old exch2k sp3 with secure OWA installed on it to a new enviroment with a mailbox store server and a secure OWA front end. I have around 3500 users. Users both in external and internal network access OWA by typing http://mail.company.com and this link redirects to https://mail.company.com/exchange in the same server. Im doing this implementation as well in the new owa server by means of an asp which redirects from de original request to the secure page. I have a certificate from verisign. New OWA server seems to function well with users which i already moved to the ...

HELP: Strange Contacts disappearing issue Outlook 2002
Hi, On my boss computer. Running Win XP Pro and Office 2002 (10.6515.6626) SP3, stand alone POP3 based. He has 2,970 contacts in the Contacts folder, sometimes not all contacts show! You have to go to FIND and in the "look for" box just leave it blank and in "Search in" select "contacts" then hit the "Find Now" button... after a few seconds, ALL contacts show ! This is happening now a lot... what is strange also is that on the status bar, it shows 2,970 Items allways, before and after the "find" solution. Isn't that strange ?? I am going...

Send To Mail Recipient Issue
Right-clicking on a file and selecting Send To Mail Recipient doesn't attach the file to an email in Outlook 2007 any more. It believe tha it used to, but at some point this functionality disappeared on my laptop. It still works just fine on my desktop machine though. One difference between the two machines is that the laptop was upgraded from Vista to Windows 7 while the desktop was a clean Windows 7 install. I don't know if it's related, but I also lost the ability to drag and drop files into an Outlook email message. I've checked that Outlook is the defa...

move mailbox issue
We have been in the process of moving mailboxes from an older 2003 exchange server to a new one. One mailbox that I moved is having an issue. The mailbox moved fine without errors but it doesnt seem to be working correctly at the user's machine. First Outlook (2003) did not automatically point to the new server. Second I went into the the user's Mail profile and pointed it to the new server but when we start up Outlook again it still points back to the old server. I did however create a second profile on the PC and pointed it to the new server and it seems fine. Unfortunatly the...

HELP! SUBFORM issue!
I have created a form that will be used for data entry. The main form has a couple of fields, and then i have used the tab control feature to add an additional 5 tabs. with many more data entry fields. Fields on these tabs sit on two different tables, and 2 of the 5 tabs are from subforms. I have a final tab that is a summary of the results of the 5 tabs which is compiled using a query. I have two questions/problems: First, I have linked my subforms to the main form using a field that is common in both tables "stats package number". When I get to my summary page - it does...

Table of Contents -- performance issues
In Office 2007 I have a 102 -page document with a Table of Contents. Response is now slow while I'm working within this document. For example: Copy and pasting small amounts of text (1 - 4 words), selecting fields, an so on. Is there a suggested size threshold, after which performance begins to degrade? Are there setting I can change to improve performance? ... Or should I split into separate documents? Thank you Are there a lot of graphics? Are several other apps open? Do you have limited memory? Do you have a virus? 102 pages isn't challenging in itself at...

OFFLINE ADDRESS BOOK SECURITY ISSUE
Hello. I am running Exchange 2003 SP2 on Windows 2003 R2. I have multiple GALs in order to secure off certain employees, and that works just fine; users only see the people in their GAL. The problem I have is that when I configure offline folders, users can see EVERYONE. I have secured the OAB and the GAL so that only the respective security groups can see their address list, but the OAB doesn't seem to respect those permissions. I have also set the UseOAB property through adsiedit, but it still doesn't work. Any suggestions? The global address list is a compilation of eve...

Exporting data to txt/csv file
Hi: I am trying to export the data to a txt/csv (comma separated) file. Some of the fields has 0.03 or decimal numbers but its' truncating those values while exporting it. While exporting, it doesn't give me any option to specify field data types. I am using Access 2003. By default its using Windows Europian format. Please let me know how to export same values. 2) How to see/modify the import/export specification file that saved ?. -- Regards Ramesh V ...

outlook/iphone issue
does anyone know how i can turn my entire contact list into business card format? Synching is the purview of the device/software doing the sync. Ask Apple. -- Milly Staples [MVP - Outlook] Post all replies to the group to keep the discussion intact. All unsolicited mail sent to my personal account will be deleted without reading. After furious head scratching, omtradelaw asked: | does anyone know how i can turn my entire contact list into business | card format? ...

Outlook 2003 and Office Assistant 2000 issues
After upgrading some of my users from Outlook 2000 to Outlook 2003 (with the rest of Office at 2000), when they bring up Excel, it gives an error: "The Office Assistant could not be started. Please repair the Assistant by running Office 2000 setup and selecting "repair Office 2000"". This will be very annoying if I have to repair all users as I push it out. Is this a bug or is there a simple fix for it? I don't think anyone here really uses the assistant, so it is more of an annoyance than anything. Thanks ...

Balance Account Issues...
I have Microsoft Money Plus and have been using the Money suite of applications for over 4 years. Today, when I went to go and balance my checking account via... * Common Tasks * Balance This Account * Clicked Next * Typed in the Statement Date and Ending Balance and Clicked Next * I checked all my "Cleared" transactions and clicked "Next" when my balance was "0". Nothing happened! I tried balancing my savings account and it works fine, but my checking account won't balance. Any ideas? Thanks On Nov 9, 3:48 pm, neal.m.s...@gmail.com wrote: > I ...

Outlook Emailing Issues
Lately, every time I send an email I get the message "550 5.7.1 <recipient email>... Relaying denied". This often happens when I am sending a file along with the email. This is very frustrating. CAN ANYONE HELP??? Thanks. Ivan Are you trying to send through another ISP server than the one under which you have your mail account? If yes, then you need to turn on authentication on the server tab of your account properties. -- Milly Staples [MVP - Outlook] Post all replies to the group to keep the discussion intact. Due to the (insert latest virus name here) virus, all mai...
