https://administrator.de/forum/excange-versendet-spam-169026.html
Exchange sends spam
I have a problem at a customer's site right now.
The Exchange Server (2003) has recently started sending spam mails.
Since all other machines are switched off at the moment, only the server itself can be the source.
I have already tested it for open relay. That is fine so far.
I wanted to try message tracking. Unfortunately, when I try to enable it I always get "Access denied".
Now I am trying to find the source of the trouble and could use some help.
I would be very grateful for any help.
Regards
Content-Key: 169026
Url: https://administrator.de/contentid/169026
Printed on: May 7, 2024 at 19:05
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676942
- Stop the SMTP virtual server and then look in the queue to see which mail it is, or clean up the SMTP queue
- If you have SMTP logging enabled, check there as well what the SMTP virtual server is doing.
Regards, Günther
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676943
I have just renamed the queue and created a new one to reset the backlog to zero.
SMTP logging is enabled, but I don't really understand what is in there.
Most of the emails come from a certain "Tony Anderson".
Does that help?
What do I need to look for in the log?
Regards, Alex
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676949
Post the header of one of these mails.
Regards, Günther
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676951
Thu, 30 Jun 2011 19:23:32 +0200
Reply-To: <tony515and@gmail.com>
From: "Tony Anderson"<tony_cooper213@earthlink.net>
Subject: Immediate response
Date: Thu, 30 Jun 2011 18:23:31 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: tony_cooper213@earthlink.net
Message-ID: <{KUNDENSERVER}RFWMozg000025e5@mail2.{KUNDENDOMAIN}.de>
X-OriginalArrivalTime: 30 Jun 2011 17:23:33.0655 (UTC) FILETIME=[70354A70:01CC374A]
Dear Friend,
I have a profiling amount of secured in an offshore private bank. I am seeking your assistance in securing these funds into a safe account for future investment purposes/the purchase of properties in your country, but requiring maximum confidentiality. This is borne out of the fact that I am still in active service in the Ministry here in Scotland-UK.Upon your positive response to my proposal, I will provide you with the following information:
How I will introduce you/your company to the holding bank and make you the beneficiary of the money.
What percentage of the money I am willing to give you for your assistance.
Kindly respond with your Mobile phone, fax numbers and contact address for easier and faster
communication.
Tony Anderson
The names in {} braces I have changed; they are the customer domain and the server name.
From the log file at that time:
17:23:33 195.54.106.239 - - 0
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 75.180.132.243 - - 0
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 75.180.132.243 - - 0
17:23:33 75.180.132.243 RSET - 0
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 75.180.132.243 - - 0
17:23:33 75.180.132.243 MAIL - 0
17:23:33 65.55.88.22 - - 0
17:23:33 65.55.88.22 EHLO - 0
17:23:33 41.203.64.253 RCPT - 250
17:23:33 174.122.2.226 - - 0
17:23:33 174.122.2.226 EHLO - 0
17:23:33 75.180.132.243 - - 0
17:23:33 75.180.132.243 RCPT - 0
17:23:33 41.203.64.253 MAIL - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 RCPT - 250
17:23:33 65.55.88.22 - - 0
17:23:33 65.55.88.22 MAIL - 0
17:23:33 63.241.31.147 - - 0
17:23:33 63.241.31.147 EHLO - 0
17:23:33 41.203.64.253 RCPT - 250
17:23:33 41.203.64.253 MAIL - 250
17:23:33 174.122.2.226 - - 0
17:23:33 174.122.2.226 MAIL - 0
17:23:33 75.180.132.243 - - 0
17:23:33 75.180.132.243 RSET - 0
17:23:33 41.203.64.253 RCPT - 250
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676959
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 220+mx0.gmx.net+GMX+Mailservices+ESMTP+{mx093} 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionCommand {kundenserver} - 25 EHLO - mail2.{kundendomain} 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 250-mx0.gmx.net+GMX+Mailservices 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionCommand {kundenserver} - 25 MAIL - FROM:<reiss@{kundendomain}> 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 250+2.1.0+ok+{mx093} 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionCommand {kundenserver} - 25 RCPT - TO:<TobiasMeyer@gmx.de> 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 250+2.1.5+ok+{mx093} 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionCommand {kundenserver} - 25 DATA - - 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 354+mx0.gmx.net+Go+ahead+{mx093} 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 250+2.6.0+Message+accepted+{mx093} 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionCommand {kundenserver} - 25 QUIT - - 0 0 SMTP - - - -
2011-07-03 16:32:20 213.165.64.100 OutboundConnectionResponse {kundenserver} - 25 - - 221+2.0.0+GMX+Mailservices+{mx093} 0 0 SMTP - - - -
2011-07-03 16:36:59 200.99.91.130 [200.99.91.130] {kundenserver} 10.0.50.9 0 EHLO - +[200.99.91.130] 250 0 SMTP - - - -
2011-07-03 16:36:59 200.99.91.130 [200.99.91.130] {kundenserver} 10.0.50.9 0 MAIL - +From:<rsciannaca@provincia.trapani.it> 250 0 SMTP - - - -
2011-07-03 16:36:59 200.99.91.130 [200.99.91.130] {kundenserver} 10.0.50.9 0 RCPT - +To:<weber@{kundendomain}> 250 0 SMTP - - - -
2011-07-03 16:37:00 200.99.91.130 [200.99.91.130] {kundenserver} 10.0.50.9 0 DATA - +<984A93CA944113CD1FC69FC11446984A@provincia.trapani.it> 250 0 SMTP - - - -
2011-07-03 16:37:00 200.99.91.130 [200.99.91.130] {kundenserver} 10.0.59.1 0 QUIT - [200.99.91.130] 240 1844 SMTP - - - -
2011-07-03 16:53:06 196.218.42.173 [196.218.42.173] {kundenserver} 10.0.59.1 0 EHLO - +[196.218.42.173] 250 0 SMTP - - - -
2011-07-03 16:53:06 196.218.42.173 [196.218.42.173] {kundenserver} 10.0.59.1 0 MAIL - +From:<geloslack@dbsconsult.co.uk> 250 0 SMTP - - - -
2011-07-03 16:53:06 196.218.42.173 [196.218.42.173] {kundenserver} 10.0.59.1 0 RCPT - +To:<y-hendrix@{kundendomain}> 250 0 SMTP - - - -
2011-07-03 16:53:06 196.218.42.173 [196.218.42.173] {kundenserver} 10.0.59.1 0 DATA - +<002001cc3999$057d4105$d542c4b5@xlmvurt> 250 0 SMTP - - - -
2011-07-03 16:53:06 196.218.42.173 [196.218.42.173] {kundenserver} 10.0.59.1 0 QUIT - [196.218.42.173] 240 703 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 220+mx3.messagingengine.com+ESMTP+.+No+UCE+permitted. 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionCommand {kundenserver} - 25 EHLO - mail2.{kundendomain} 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 250-mx3.messagingengine.com 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionCommand {kundenserver} - 25 MAIL - FROM:<>+SIZE=3179 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 250+2.1.0+Ok 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionCommand {kundenserver} - 25 RCPT - TO:<geloslack@dbsconsult.co.uk> 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 250+2.1.5+Ok 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionCommand {kundenserver} - 25 DATA - - 0 0 SMTP - - - -
2011-07-03 16:53:08 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 354+End+data+with+<CR><LF>.<CR><LF> 0 0 SMTP - - - -
2011-07-03 16:53:09 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 250+2.0.0+Ok:+queued+as+E212822017D 0 0 SMTP - - - -
2011-07-03 16:53:09 66.111.4.72 OutboundConnectionCommand {kundenserver} - 25 QUIT - - 0 0 SMTP - - - -
2011-07-03 16:53:09 66.111.4.72 OutboundConnectionResponse {kundenserver} - 25 - - 221+2.0.0+Bye 0 0 SMTP - - - -
2011-07-03 16:53:09 190.234.248.46 [190.234.248.46] {kundenserver} 10.0.59.1 0 EHLO - +[190.234.248.46] 250 0 SMTP - - - -
2011-07-03 16:53:09 190.234.248.46 [190.234.248.46] {kundenserver} 10.0.59.1 0 MAIL - +From:<aerts@courseware.nl> 250 0 SMTP - - - -
2011-07-03 16:53:09 190.234.248.46 [190.234.248.46] {kundenserver} 10.0.59.1 0 RCPT - +To:<uucp@{kundendomain}> 250 0 SMTP - - - -
2011-07-03 16:53:10 190.234.248.46 [190.234.248.46] {kundenserver} 10.0.59.1 0 DATA - +<4DEFA06CD4022318BAF5398157764DEF@courseware.nl> 250 0 SMTP - - - -
2011-07-03 16:53:10 190.234.248.46 [190.234.248.46] {kundenserver} 10.0.59.1 0 QUIT - [190.234.248.46] 240 1547 SMTP - - - -
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676961
Regards,
Filipp
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676962
Thanks for the info, Filipp.
According to -> http://www.abuse.net/relay.html it should not be like that.
What is the best way to close the hole?????
Regards, Alex
PS:
The result from http://www.mxtoolbox.com:
220 mail2.KUNDENDOMAIN.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Sun, 3 Jul 2011 19:59:15 +0200
OK - 80.XXX.XXX.X resolves to mail3.KUNDENDOMAIN.de
Warning - Reverse DNS does not match SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
1.123 seconds - Good on Transaction time
Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 mail2.KUNDENDOMAIN.de Hello [64.20.227.133] [187 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [281 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [156 ms]
QUIT
221 2.0.0 mail2.KUNDENDOMAIN.de Service closing transmission channel [172 ms]
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676965
- Run an open relay test with this - http://www.mxtoolbox.com/diagnostic.aspx
- In the settings of the SMTP virtual server, disable the option that allows authenticated users to relay
Regards, Günther
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676968
OK - 80.XXX.XXX.X resolves to mail3.KUNDENDOMAIN.de
Warning - Reverse DNS does not match SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
1.014 seconds - Good on Transaction time
Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 mail2.KUNDENDOMAIN.de Hello [64.20.227.133] [172 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [187 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [172 ms]
QUIT
221 2.0.0 mail2.KUNDENDOMAIN.de Service closing transmission channel [156 ms]
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676970
Then do that.
Regards, Günther
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676971
Which setting exactly do you mean?
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-676972
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-677009
How can I avoid that?
https://administrator.de/forum/excange-versendet-spam-169026.html#comment-677101