Exchange 2003 Smarthost NDR Loop
My client uses a 2003 Exchange server with a smarthost. It has worked flawlessly for years until the 1st of the month. They noticed that their connection speed to the internet had dramatically decreased. It was so slow that I could not remote into the server. My connection would time out.
I went onsite and saw that the SMTP service was using huge amounts of memory and the "Messages queued for deferred delivery" queue had thousands of messages waiting to be sent. I also went into the mailroot folder and found over 20,000 messages sitting in the Queue folder.
After checking the message headers in all of the queued messages I came to the conclusion that a spammer forged the sender and return path information to match that of my client's domain. The email addresses the spammer forged don't exist on my client's domain and they are not on the smarthost's either.
This has created an NDR loop between the Exchange server and the smarthost's mail server (Unix-based). Essentially someone sent out a bunch of spam, probably as a BCC, addressed the To field to Custservice@company.com and made the return path agrieg@company.com. Then each spam message comes into the smarthost's server looking for custservice@company.com. The smarthost doesn't recognize the mailbox name and forwards it to the Exchange server. The Exchange server doesn't recognize the name and tries to send an NDR to the sender (whose name is forged and points right back to the same domain). Then the smarthost tries to send the NDR back to the Exchange server. Take that and multiply it by however many spams the spammer sent and it's a good way to mess up an Exchange server.
Here is an example of the header info:
Return-path: <agrieg@company.com>
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4Kt7-0007Qd-4e
for custservice@company.com; Sat, 31 Oct 2009 16:49:29 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:39:28 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4KjP-0003NP-V0
for custservice@company.com; Sat, 31 Oct 2009 16:39:28 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:29:27 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4KZi-0007hM-MH
for custservice@company.com; Sat, 31 Oct 2009 16:29:26 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:19:26 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4KQ1-0003bH-Gl
for custservice@company.com; Sat, 31 Oct 2009 16:19:25 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:09:24 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4KGJ-0007sZ-Hc
for custservice@company.com; Sat, 31 Oct 2009 16:09:23 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:59:22 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4K6c-0003tI-DZ
for custservice@company.com; Sat, 31 Oct 2009 15:59:22 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:49:21 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4Jwv-0008Lp-9U
for custservice@company.com; Sat, 31 Oct 2009 15:49:21 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:39:20 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4JnE-0004Rd-5H
for custservice@company.com; Sat, 31 Oct 2009 15:39:20 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:29:18 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4JdW-0000aV-1W
for custservice@company.com; Sat, 31 Oct 2009 15:29:18 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:19:17 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4JTp-0005FZ-0f
for custservice@company.com; Sat, 31 Oct 2009 15:19:17 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:09:16 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4JK7-0001Sb-Vv
for custservice@company.com; Sat, 31 Oct 2009 15:09:16 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:59:15 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4JAQ-00056i-Tm
for custservice@company.com; Sat, 31 Oct 2009 14:59:15 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:49:14 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4J0j-0002MV-Sh
for custservice@company.com; Sat, 31 Oct 2009 14:49:14 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:39:13 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4Ir2-00074c-SX
for custservice@company.com; Sat, 31 Oct 2009 14:39:13 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:39:12 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4Ir1-00074R-U7
for custservice@company.com; Sat, 31 Oct 2009 14:39:12 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:39:10 -0400
Received: from [89.241.115.139] (helo=alexmann.com)
by localhost.localdomain with smtp (Exim 4.69)
(envelope-from <agrieg@company.com>)
id 1N4Iqx-00073d-C9
for custservice@company.com; Sat, 31 Oct 2009 14:39:10 -0400
To: <custservice@company.com>
Subject: Your order 7741
From: <custservice@company.com>
In Exchange System Manager I used sender filtering to block Mailer-Daemon@smarthost.com, and my client's server started behaving again. They were able to send and receive with no problem. But about a day after I did that, the smarthost called saying that their Exchange server had a problem and was slowing down their Unix mail server.
Also note that the smarthost has mailboxes on their system for all the users in the domain that the users can access through the web.
So what do you think is my best option?
Disable non-delivery reports in global settings, or should I create a mailbox for the non-existent user and take in all the messages to end the loop?
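A way to check a queued message's headers for this kind of loop, written as an added example (it is not the poster's code and not part of Exchange or Exim). It assumes RFC 5322 folded headers as input and runs against a constructed sample in the shape of the headers above; host names, addresses and queue ids in the sample are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's headers: the message shuttles between the
# smarthost (Exim, "localhost.localdomain") and Exchange ("mail.company.com"). Placeholder values.
SAMPLE = """\
Return-path: <agrieg@company.com>
Received: from adsl-host.isp.example ([192.0.2.10] helo=mail.company.com)
 by localhost.localdomain with esmtp (Exim 4.69) (envelope-from <agrieg@company.com>)
 id 1AAAAA-000001-AA for custservice@company.com; Sat, 31 Oct 2009 16:49:29 -0400
Received: from maxmail.smarthost.example ([198.51.100.3]) by mail.company.com
 with Microsoft SMTPSVC(6.0.3790.1830); Sat, 31 Oct 2009 16:39:28 -0400
Received: from adsl-host.isp.example ([192.0.2.10] helo=mail.company.com)
 by localhost.localdomain with esmtp (Exim 4.69) (envelope-from <agrieg@company.com>)
 id 1AAAAA-000002-AA for custservice@company.com; Sat, 31 Oct 2009 16:39:28 -0400
Received: from maxmail.smarthost.example ([198.51.100.3]) by mail.company.com
 with Microsoft SMTPSVC(6.0.3790.1830); Sat, 31 Oct 2009 16:29:27 -0400
Received: from [203.0.113.7] (helo=spammer.example)
 by localhost.localdomain with smtp (Exim 4.69) (envelope-from <agrieg@company.com>)
 id 1AAAAA-000003-AA for custservice@company.com; Sat, 31 Oct 2009 14:39:10 -0400
To: <custservice@company.com>
"""

HOP_RE = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+)", re.I)

def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """(from_host, by_host) for every Received header, newest hop first."""
    return [m.groups() for line in unfold(raw) if (m := HOP_RE.match(line))]

def analyze(raw, max_visits=2):
    """Flag a loop when one MTA stamped the message more than max_visits times, and note
    whether the return path is in the recipient's own domain (so each NDR comes straight back)."""
    hops = received_hops(raw)
    visits = Counter(by.lower() for _, by in hops)
    repeated = {host: n for host, n in visits.items() if n > max_visits}
    ret = re.search(r"^Return-path:\s*<([^>]+)>", raw, re.M | re.I)
    to = re.search(r"^To:\s*<([^>]+)>", raw, re.M | re.I)
    dom = lambda m: m.group(1).rpartition("@")[2].lower() if m else None
    same = dom(ret) is not None and dom(ret) == dom(to)
    return {"hops": len(hops), "repeated_mtas": repeated, "self_addressed_bounce": same, "loop": bool(repeated)}
```

A legitimate message rarely passes the same MTA more than twice, so a host stamped three or more times in one chain, combined with a return path in the receiving domain, is the signature of this backscatter loop rather than ordinary relaying.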