SMTP Server Blocked, Incoming External Email Not Arriving

Hello Newsgroup,

We've had this problem happen twice in two weeks:

No incoming external email is being delivered. Senders do not receive NDRs.

In Current Sessions of our Default SMTP Virtual Server, there are 500 items
(which happens to be the default limit). The sessions all go to the same
domain name, which I'll call "domain", and I'll call their IP "xx.xx.xx.xx"
They are listed as such:

User From Connected
Time
mail1014.mail.domain.com xx.xx.xx.14 267281 seconds

The rest of the entries are all from the same domain.com, but with a handful
of variations on the last IP number.

I right-click and select Terminate All.

Then I restart the SMTP service.

This allows incoming external email to be delivered. Two weeks later, the
same problem recurred.

Can anyone tell me what's happening, and how to stop it?

Small Business Server 2003, Exchange Server Version 6.5, SP2.

The following are already set:

Sender Filtering: Check Filter messages with a blank sender and Drop
connection if address filter matches filter.

Connection Filtering: Using zen.spamhaus.org.

Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at 6.

Recipient Filtering: Filter recipients who are not in the Directory.

Default SMTP Virtual Server/Advanced/Edit: I check everything.

Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
192.168.16.3 (255.255.255.0)
127.0.0.1
192.168.1.2
Allow all computers which successfully authenticate to relay IS checked.

Should I enter *.domain.com in Default SMTP Virtual
Server/Access/Connection: All except the list below?


Many thanks in advance for your thoughts!

Matthew

"Matthew" <> wrote in message
news:...
> Hello Newsgroup,
>
> We've had this problem happen twice in two weeks:
>
> No incoming external email is being delivered. Senders do not receive
> NDRs.
>
> In Current Sessions of our Default SMTP Virtual Server, there are 500
> items (which happens to be the default limit). The sessions all go to the
> same domain name, which I'll call "domain", and I'll call their IP
> "xx.xx.xx.xx" They are listed as such:
>
> User From
> Connected Time
> mail1014.mail.domain.com xx.xx.xx.14 267281 seconds
>
> The rest of the entries are all from the same domain.com, but with a
> handful of variations on the last IP number.
>
> I right-click and select Terminate All.
>
> Then I restart the SMTP service.
>
> This allows incoming external email to be delivered. Two weeks later, the
> same problem recurred.
>
> Can anyone tell me what's happening, and how to stop it?
>
> Small Business Server 2003, Exchange Server Version 6.5, SP2.
>
> The following are already set:
>
> Sender Filtering: Check Filter messages with a blank sender and Drop
> connection if address filter matches filter.
>
> Connection Filtering: Using zen.spamhaus.org.
>
> Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at 6.
>
> Recipient Filtering: Filter recipients who are not in the Directory.
>
> Default SMTP Virtual Server/Advanced/Edit: I check everything.
>
> Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
> 192.168.16.3 (255.255.255.0)
> 127.0.0.1
> 192.168.1.2
> Allow all computers which successfully authenticate to relay IS checked.
>
> Should I enter *.domain.com in Default SMTP Virtual
> Server/Access/Connection: All except the list below?
>
>
> Many thanks in advance for your thoughts!
>
> Matthew
>

Your server may have been subject to an NDR attack. If that happened, it
could have possibly been initiated by a rogue mass-mailer virus opened by
someone internally.

Have you checked http://mxtoolbox.com to see if you are on any blacklists?

Do you have an SPF record for your domain?

I don't see why there are any entries in the allow to relay list, especially
the server itself (the loopback address). Did you put in theose current
entries in (> 192.168.16.3 & 192.168.1.2)? They appear to be on different
subnets. How many subnets do you have? Curious, what are those machines, and
may I ask their purpose of allowing them to relay?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Possible, but with the connection time being in the hundreds of thousands of
seconds, I doubt it.

My first guess is this:

http://support.microsoft.com/kb/927478

Since they are all from the same domain, it fits since the cause is a
malformed SPF record at the sending domain. Would explain all connections
from them hanging.

You can test to see if this is the case by disabling senderID filtering
before installing the hotfix.

-Cliff




"Ace Fekay [MCT]" <> wrote in message
news:...
> "Matthew" <> wrote in message
> news:...
>> Hello Newsgroup,
>>
>> We've had this problem happen twice in two weeks:
>>
>> No incoming external email is being delivered. Senders do not receive
>> NDRs.
>>
>> In Current Sessions of our Default SMTP Virtual Server, there are 500
>> items (which happens to be the default limit). The sessions all go to
>> the same domain name, which I'll call "domain", and I'll call their IP
>> "xx.xx.xx.xx" They are listed as such:
>>
>> User From Connected Time
>> mail1014.mail.domain.com xx.xx.xx.14 267281 seconds
>>
>> The rest of the entries are all from the same domain.com, but with a
>> handful of variations on the last IP number.
>>
>> I right-click and select Terminate All.
>>
>> Then I restart the SMTP service.
>>
>> This allows incoming external email to be delivered. Two weeks later,
>> the same problem recurred.
>>
>> Can anyone tell me what's happening, and how to stop it?
>>
>> Small Business Server 2003, Exchange Server Version 6.5, SP2.
>>
>> The following are already set:
>>
>> Sender Filtering: Check Filter messages with a blank sender and Drop
>> connection if address filter matches filter.
>>
>> Connection Filtering: Using zen.spamhaus.org.
>>
>> Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at
>> 6.
>>
>> Recipient Filtering: Filter recipients who are not in the Directory.
>>
>> Default SMTP Virtual Server/Advanced/Edit: I check everything.
>>
>> Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
>> 192.168.16.3 (255.255.255.0)
>> 127.0.0.1
>> 192.168.1.2
>> Allow all computers which successfully authenticate to relay IS checked.
>>
>> Should I enter *.domain.com in Default SMTP Virtual
>> Server/Access/Connection: All except the list below?
>>
>>
>> Many thanks in advance for your thoughts!
>>
>> Matthew
>>
>
> Your server may have been subject to an NDR attack. If that happened, it
> could have possibly been initiated by a rogue mass-mailer virus opened by
> someone internally.
>
> Have you checked http://mxtoolbox.com to see if you are on any blacklists?
>
> Do you have an SPF record for your domain?
>
> I don't see why there are any entries in the allow to relay list,
> especially the server itself (the loopback address). Did you put in theose
> current entries in (> 192.168.16.3 & 192.168.1.2)? They appear to be on
> different subnets. How many subnets do you have? Curious, what are those
> machines, and may I ask their purpose of allowing them to relay?
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>

On Mon, 30 Nov 2009 19:24:42 -0700, "Cliff Galiher"
<> wrote:

>Possible, but with the connection time being in the hundreds of thousands of
>seconds, I doubt it.
>
>My first guess is this:
>
>http://support.microsoft.com/kb/927478

You're in the right neighborhood. Check the build number on the
Msgfilter.dll file. This one has a more recent build number.

http://support.microsoft.com/kb/951639
---
Rich Matheisen
MCSE+I, Exchange MVP

Hello Ace,

Thanks for your response!

I checked mxtoolbox, I think we're good. Interesting, I hadn't done a port
scan before, we have four ports open:
25 SMTP
80 HTTP
443 HTTPS
3389 Remote Desktop

All other ports are closed. Does this sound right?

Not on any blacklist. Reverse lookup is okay, as is SMTP.

Apparently we do not have an SPF record. Is this necessary now?

I'm not sure why those entries are in our relay allow list, I'm not the one
who set up the server. Yes, we have two subnets:
192.168.1.x is between the external NIC and our firewall.
192.168.16.x is the internal NIC and all devices on our network.

Thanks again!

Matthew


"Ace Fekay [MCT]" <> wrote in message
news:...
> "Matthew" <> wrote in message
> news:...
>> Hello Newsgroup,
>>
>> We've had this problem happen twice in two weeks:
>>
>> No incoming external email is being delivered. Senders do not receive
>> NDRs.
>>
>> In Current Sessions of our Default SMTP Virtual Server, there are 500
>> items (which happens to be the default limit). The sessions all go to
>> the same domain name, which I'll call "domain", and I'll call their IP
>> "xx.xx.xx.xx" They are listed as such:
>>
>> User From Connected Time
>> mail1014.mail.domain.com xx.xx.xx.14 267281 seconds
>>
>> The rest of the entries are all from the same domain.com, but with a
>> handful of variations on the last IP number.
>>
>> I right-click and select Terminate All.
>>
>> Then I restart the SMTP service.
>>
>> This allows incoming external email to be delivered. Two weeks later,
>> the same problem recurred.
>>
>> Can anyone tell me what's happening, and how to stop it?
>>
>> Small Business Server 2003, Exchange Server Version 6.5, SP2.
>>
>> The following are already set:
>>
>> Sender Filtering: Check Filter messages with a blank sender and Drop
>> connection if address filter matches filter.
>>
>> Connection Filtering: Using zen.spamhaus.org.
>>
>> Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at
>> 6.
>>
>> Recipient Filtering: Filter recipients who are not in the Directory.
>>
>> Default SMTP Virtual Server/Advanced/Edit: I check everything.
>>
>> Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
>> 192.168.16.3 (255.255.255.0)
>> 127.0.0.1
>> 192.168.1.2
>> Allow all computers which successfully authenticate to relay IS checked.
>>
>> Should I enter *.domain.com in Default SMTP Virtual
>> Server/Access/Connection: All except the list below?
>>
>>
>> Many thanks in advance for your thoughts!
>>
>> Matthew
>>
>
> Your server may have been subject to an NDR attack. If that happened, it
> could have possibly been initiated by a rogue mass-mailer virus opened by
> someone internally.
>
> Have you checked http://mxtoolbox.com to see if you are on any blacklists?
>
> Do you have an SPF record for your domain?
>
> I don't see why there are any entries in the allow to relay list,
> especially the server itself (the loopback address). Did you put in theose
> current entries in (> 192.168.16.3 & 192.168.1.2)? They appear to be on
> different subnets. How many subnets do you have? Curious, what are those
> machines, and may I ask their purpose of allowing them to relay?
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>

Not sure how this is relavent, but I assume it is:

I found out that one of our users periodically receives a large amount of
spam from this same "domain.com"

Thanks again!
Matthew

"Matthew" <> wrote in message
news:...
> Hello Newsgroup,
>
> We've had this problem happen twice in two weeks:
>
> No incoming external email is being delivered. Senders do not receive
> NDRs.
>
> In Current Sessions of our Default SMTP Virtual Server, there are 500
> items (which happens to be the default limit). The sessions all go to the
> same domain name, which I'll call "domain", and I'll call their IP
> "xx.xx.xx.xx" They are listed as such:
>
> User From
> Connected Time
> mail1014.mail.domain.com xx.xx.xx.14 267281 seconds
>
> The rest of the entries are all from the same domain.com, but with a
> handful of variations on the last IP number.
>
> I right-click and select Terminate All.
>
> Then I restart the SMTP service.
>
> This allows incoming external email to be delivered. Two weeks later, the
> same problem recurred.
>
> Can anyone tell me what's happening, and how to stop it?
>
> Small Business Server 2003, Exchange Server Version 6.5, SP2.
>
> The following are already set:
>
> Sender Filtering: Check Filter messages with a blank sender and Drop
> connection if address filter matches filter.
>
> Connection Filtering: Using zen.spamhaus.org.
>
> Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at 6.
>
> Recipient Filtering: Filter recipients who are not in the Directory.
>
> Default SMTP Virtual Server/Advanced/Edit: I check everything.
>
> Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
> 192.168.16.3 (255.255.255.0)
> 127.0.0.1
> 192.168.1.2
> Allow all computers which successfully authenticate to relay IS checked.
>
> Should I enter *.domain.com in Default SMTP Virtual
> Server/Access/Connection: All except the list below?
>
>
> Many thanks in advance for your thoughts!
>
> Matthew
>

Hi,

Their description of the problem sure seems to align with our situation.
Seems like I should apply this hotfix, and then apply the updated hotfix
with the newer file version. But I don't understand what I can learn by
disabling SenderID filtering?

Many thanks!
Matthew


"Cliff Galiher" <> wrote in message
news:...
> Possible, but with the connection time being in the hundreds of thousands
> of seconds, I doubt it.
>
> My first guess is this:
>
> http://support.microsoft.com/kb/927478
>
> Since they are all from the same domain, it fits since the cause is a
> malformed SPF record at the sending domain. Would explain all connections
> from them hanging.
>
> You can test to see if this is the case by disabling senderID filtering
> before installing the hotfix.
>
> -Cliff
>
>
>
>
> "Ace Fekay [MCT]" <> wrote in message
> news:...
>> "Matthew" <> wrote in message
>> news:...
>>> Hello Newsgroup,
>>>
>>> We've had this problem happen twice in two weeks:
>>>
>>> No incoming external email is being delivered. Senders do not receive
>>> NDRs.
>>>
>>> In Current Sessions of our Default SMTP Virtual Server, there are 500
>>> items (which happens to be the default limit). The sessions all go to
>>> the same domain name, which I'll call "domain", and I'll call their IP
>>> "xx.xx.xx.xx" They are listed as such:
>>>
>>> User From Connected Time
>>> mail1014.mail.domain.com xx.xx.xx.14 267281 seconds
>>>
>>> The rest of the entries are all from the same domain.com, but with a
>>> handful of variations on the last IP number.
>>>
>>> I right-click and select Terminate All.
>>>
>>> Then I restart the SMTP service.
>>>
>>> This allows incoming external email to be delivered. Two weeks later,
>>> the same problem recurred.
>>>
>>> Can anyone tell me what's happening, and how to stop it?
>>>
>>> Small Business Server 2003, Exchange Server Version 6.5, SP2.
>>>
>>> The following are already set:
>>>
>>> Sender Filtering: Check Filter messages with a blank sender and Drop
>>> connection if address filter matches filter.
>>>
>>> Connection Filtering: Using zen.spamhaus.org.
>>>
>>> Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at
>>> 6.
>>>
>>> Recipient Filtering: Filter recipients who are not in the Directory.
>>>
>>> Default SMTP Virtual Server/Advanced/Edit: I check everything.
>>>
>>> Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
>>> 192.168.16.3 (255.255.255.0)
>>> 127.0.0.1
>>> 192.168.1.2
>>> Allow all computers which successfully authenticate to relay IS checked.
>>>
>>> Should I enter *.domain.com in Default SMTP Virtual
>>> Server/Access/Connection: All except the list below?
>>>
>>>
>>> Many thanks in advance for your thoughts!
>>>
>>> Matthew
>>>
>>
>> Your server may have been subject to an NDR attack. If that happened, it
>> could have possibly been initiated by a rogue mass-mailer virus opened by
>> someone internally.
>>
>> Have you checked http://mxtoolbox.com to see if you are on any
>> blacklists?
>>
>> Do you have an SPF record for your domain?
>>
>> I don't see why there are any entries in the allow to relay list,
>> especially the server itself (the loopback address). Did you put in
>> theose current entries in (> 192.168.16.3 & 192.168.1.2)? They appear to
>> be on different subnets. How many subnets do you have? Curious, what are
>> those machines, and may I ask their purpose of allowing them to relay?
>>
>> --
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
>> 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>>
>> For urgent issues, please contact Microsoft PSS directly. Please check
>> http://support.microsoft.com for regional support phone numbers.
>>

You don't need port 80 open as it's a potential security risk.

"Matthew" <> wrote in message
news:...
> Hello Ace,
>
> Thanks for your response!
>
> I checked mxtoolbox, I think we're good. Interesting, I hadn't done a
> port scan before, we have four ports open:
> 25 SMTP
> 80 HTTP
> 443 HTTPS
> 3389 Remote Desktop
>
> All other ports are closed. Does this sound right?
>
> Not on any blacklist. Reverse lookup is okay, as is SMTP.
>
> Apparently we do not have an SPF record. Is this necessary now?
>
> I'm not sure why those entries are in our relay allow list, I'm not the
> one who set up the server. Yes, we have two subnets:
> 192.168.1.x is between the external NIC and our firewall.
> 192.168.16.x is the internal NIC and all devices on our network.
>
> Thanks again!
>
> Matthew
>
>
> "Ace Fekay [MCT]" <> wrote in message
> news:...
>> "Matthew" <> wrote in message
>> news:...
>>> Hello Newsgroup,
>>>
>>> We've had this problem happen twice in two weeks:
>>>
>>> No incoming external email is being delivered. Senders do not receive
>>> NDRs.
>>>
>>> In Current Sessions of our Default SMTP Virtual Server, there are 500
>>> items (which happens to be the default limit). The sessions all go to
>>> the same domain name, which I'll call "domain", and I'll call their IP
>>> "xx.xx.xx.xx" They are listed as such:
>>>
>>> User From Connected Time
>>> mail1014.mail.domain.com xx.xx.xx.14 267281 seconds
>>>
>>> The rest of the entries are all from the same domain.com, but with a
>>> handful of variations on the last IP number.
>>>
>>> I right-click and select Terminate All.
>>>
>>> Then I restart the SMTP service.
>>>
>>> This allows incoming external email to be delivered. Two weeks later,
>>> the same problem recurred.
>>>
>>> Can anyone tell me what's happening, and how to stop it?
>>>
>>> Small Business Server 2003, Exchange Server Version 6.5, SP2.
>>>
>>> The following are already set:
>>>
>>> Sender Filtering: Check Filter messages with a blank sender and Drop
>>> connection if address filter matches filter.
>>>
>>> Connection Filtering: Using zen.spamhaus.org.
>>>
>>> Intelligent Messaging Filtering: Set to Block (reject) at 7 and Junk at
>>> 6.
>>>
>>> Recipient Filtering: Filter recipients who are not in the Directory.
>>>
>>> Default SMTP Virtual Server/Advanced/Edit: I check everything.
>>>
>>> Default SMTP Virtual Server/Access/Relay: Only the list below may relay:
>>> 192.168.16.3 (255.255.255.0)
>>> 127.0.0.1
>>> 192.168.1.2
>>> Allow all computers which successfully authenticate to relay IS checked.
>>>
>>> Should I enter *.domain.com in Default SMTP Virtual
>>> Server/Access/Connection: All except the list below?
>>>
>>>
>>> Many thanks in advance for your thoughts!
>>>
>>> Matthew
>>>
>>
>> Your server may have been subject to an NDR attack. If that happened, it
>> could have possibly been initiated by a rogue mass-mailer virus opened by
>> someone internally.
>>
>> Have you checked http://mxtoolbox.com to see if you are on any
>> blacklists?
>>
>> Do you have an SPF record for your domain?
>>
>> I don't see why there are any entries in the allow to relay list,
>> especially the server itself (the loopback address). Did you put in
>> theose current entries in (> 192.168.16.3 & 192.168.1.2)? They appear to
>> be on different subnets. How many subnets do you have? Curious, what are
>> those machines, and may I ask their purpose of allowing them to relay?
>>
>> --
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
>> 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>>
>> For urgent issues, please contact Microsoft PSS directly. Please check
>> http://support.microsoft.com for regional support phone numbers.
>>
>
>

"Rich Matheisen [MVP]" <> wrote in message
news:...
> On Mon, 30 Nov 2009 19:24:42 -0700, "Cliff Galiher"
> <> wrote:
>
>>Possible, but with the connection time being in the hundreds of thousands
>>of
>>seconds, I doubt it.
>>
>>My first guess is this:
>>
>>http://support.microsoft.com/kb/927478
>
> You're in the right neighborhood. Check the build number on the
> Msgfilter.dll file. This one has a more recent build number.
>
> http://support.microsoft.com/kb/951639
> ---
> Rich Matheisen
> MCSE+I, Exchange MVP


Good catch, Cliff and Rich!

Ace

"Matthew" <> wrote in message
news:...
> Hello Ace,
>
> Thanks for your response!
>
> I checked mxtoolbox, I think we're good. Interesting, I hadn't done a
> port scan before, we have four ports open:
> 25 SMTP
> 80 HTTP
> 443 HTTPS
> 3389 Remote Desktop
>
> All other ports are closed. Does this sound right?
>
> Not on any blacklist. Reverse lookup is okay, as is SMTP.
>
> Apparently we do not have an SPF record. Is this necessary now?
>
> I'm not sure why those entries are in our relay allow list, I'm not the
> one who set up the server. Yes, we have two subnets:
> 192.168.1.x is between the external NIC and our firewall.
> 192.168.16.x is the internal NIC and all devices on our network.
>
> Thanks again!
>
> Matthew
>

I agree with Steve that you don't need it.

Also, you could make things easier on the SBS box by disabling one of the
NICs, and make the firewall/router the gateway for the subnet.

As for SPF, yes, it is highly suggested. It will prevent NDR spoofs with
your domain name, besides indicating emails from your IP are actually from
your domain.

Ace