I *really* messed up...

Discussion regarding the Standard version.
andreabash
Posts: 13
Joined: Thu Sep 16, 2004 10:37 pm

I *really* messed up...

Post by andreabash »

Last week I started messing around with something I never should have touched (my relay settings). I was trying to fix another issue and in the process I thought I might have accidentally changed something in those settings.

I think that I accidentally opened my server up to spammers. I *think* I've since closed the relay, but I'm still getting delivery failure notices and my logs still seem to show mail I'm not sending. I'm not sure if it's old mail, though.

Something is definitely wrong because MailEnable completely freezes and crashes every time I try to open the outbound SMTP queue. I wanted to go in and check to see if there were messages stuck in there.

I'm really at a loss for what to do. My server is now set to allow mail relay for authenticated senders under the MailEnable integrated setting. I'm not certain whether I'm still open to spammers.

I'm also still not able to figure out the earlier problem -- users not being able to send mail out through our server. I think I'm missing some magical combination that would allow me to send e-mail, be safe from spammers, but still leave access open to send messages from a script on our server.

This is already too long, so I'll stop there. I would appreciate any help anyone can offer on this. ME has been working really well for me for 6 months -- then I got a new ISP and started messing with settings. Really bad idea. :(

Andrea

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

As long as you are using authentication for SMTP relay (or privileged IP addresses only) you should be safe from unauthorized relay attempts. Spammers will constantly test your server to see if it's an open relay and so if you accidentally opened it up for any extended period of time, then it's VERY likely spammers started to relay off your server.

However, like I said, once you locked it down again it should be safe. Hopefully you didn't get on any blacklists in the process. :cry:

Examining your SMTP logs is the only way to see what is going on. Your server should be issuing an "authorization required" for spammers that attempt to relay through your server.

Another way to verify things are locked down is to use some online tests such as these:


Open Relay Testing sites
http://www.ordb.org/submit/
http://www.mailenable.com/tools
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

Hope that helps.

-Johnny

andreabash
Posts: 13
Joined: Thu Sep 16, 2004 10:37 pm

Post by andreabash »

Thanks for the info. I couldn't get any of those links to tell me anything. The first never sent me an e-mail, the mailenable link didn't seem to say anything about relay, and the third I couldn't get to load at all.

I've looked at my logs, but they are insanely confusing and I just honestly don't understand what I'm looking at. I can't even really expand the screen so that I can figure out what's all supposed to be on one line.

Since I can't check my server, I am still not sure if I'm open. But the logs sure seem to have a lot of addresses I don't recognize. I wish I knew what I was looking for here.

andreabash
Posts: 13
Joined: Thu Sep 16, 2004 10:37 pm

Post by andreabash »

By the way, I'm still assuming it's a bad sign that ME crashes when I try to open my outbound SMTP queue. Is there any way to fix that issue? A way to clear things out without opening the queue directly?

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

andreabash wrote:Thanks for the info. I couldn't get any of those links to tell me anything. The first never sent me an e-mail.
After reading the page you should have seen this, "From the time of your reply, it may be several of hours before the check is actually performed, and subsequently it may be a while before you receive the result of the test via email. "

I.e. you get a confirmation email and then reply to it. If you don't get an email then there was some problem delivering the message to your server. Also it could take a little bit depending on the load.
the mailenable link didn't seem to say anything about relay
On that link you enter your domain name and the MailEnable system will test your relay. If you never entered your domain then naturally you wouldn't see any relay information.
and the third I couldn't get to load at all
You are correct, the third link seems to be dead. Wasn't the last time I checked. Oh well, you know the Internet - things come and go. :wink: I apologize for giving you a dead link. That was a nice tester that I remember - it tried a bunch of different methods in an attempt to relay off your machine and showed the results real-time.
I've looked at my logs, but they are insanely confusing and I just honestly don't understand what I'm looking at. I can't even really expand the screen so that I can figure out what's all supposed to be on one line.
Opening the logs into notepad and then turning off Word Wrap should make them easier to read. Yes looking at logs can be a daunting task, but it's the only way to really know what is happening on your server. So it would behoove you to make the effort and get used to reading them when you have trouble such as you are describing.
Since I can't check my server, I am still not sure if I'm open. But the logs sure seem to have a lot of addresses I don't recognize. I wish I knew what I was looking for here.
Probably the first step would be to try and verify you are not an open relay. Checking the logs is one way, but there are a lot of on-line relay tests. Try the MailEnable one again and hopefully you will find out for sure.

Good Luck!

-Johnny

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

andreabash wrote:By the way, I'm still assuming it's a bad sign that ME crashes when I try to open my outbound SMTP queue. Is there any way to fix that issue? A way to clear things out without opening the queue directly?

Is ME crashing or the MMC? There is a difference. You'll need to verify the answer to that question before I (or anyone) could help you on that matter.
Quality NT Web Hosting - ASP/PHP/Perl MySQL/MSSQL
http://www.coastaldatalink.net


andreabash
Posts: 13
Joined: Thu Sep 16, 2004 10:37 pm

Post by andreabash »

After reading the page you should have seen this, "From the time of your reply, it may be several of hours before the check is actually performed, and subsequently it may be a while before you receive the result of the test via email. "
I did see that. It just never sent me the e-mail to confirm that I was the owner of the e-mail so that they could even perform the test. I seem to be receiving e-mail fine here, though.

On that link you enter your domain name and the MailEnable system will test your relay. If you never entered your domain then naturally you wouldn't see any relay information.
Naturally I did enter my domain. I got back 6 lines of information -- with no information listed after the "relay test" line. So, again, it wouldn't tell me anything about relay. Perhaps other domains get other results.

As for the logs, I still don't know what I'm looking for. I see lines and lines of garbage that make no sense. I completely turned off relay for now. I don't need it to send e-mail, so it's not really hurting me -- just my script that is now unavailable.

I'm pretty sure it is ME that is crashing. I still have access to everything else on the server.

andreabash
Posts: 13
Joined: Thu Sep 16, 2004 10:37 pm

Post by andreabash »

I had to enable relay again for authenticated senders -- I stopped receiving any e-mail. Now I'm back to getting thousands of messages that look like this:

A message (from <POSTMASTER@babysfirstsite.com>) was received at 30 Sep 2004 18:35:52 +0000.

The following addresses had delivery problems:

<marketcoverage@press.prserv.net>
Permanent Failure: 522_mailbox_full;_group_quota_sz=75497472/75497472_ct=6285/100000
Delivery last attempted at Thu, 30 Sep 2004 18:35:52 -0000

-------------------------

How can anyone be sending out from my server if it's only enabled for integrated authentication?? I honestly don't understand. I appreciate that ME is free and I really can't afford to switch to a paid service -- but I am getting worried that I might have to do that. I just can't seem to figure this out on my own.
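As an added example (not code from this thread or from MailEnable), a small Python parser for delivery-failure notices in the shape quoted above: it pulls out the original sender, the failed recipient and the failure code, then tallies codes and recipient domains and counts how many notices name a sender in your own domain. The sample notices and the domain example.com are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the notices quoted in the thread; addresses, times and reasons are made up.
SAMPLE_NOTICES = """\
A message (from <POSTMASTER@example.com>) was received at 30 Sep 2004 18:35:52 +0000.

The following addresses had delivery problems:

<someone@press.example.net>
Permanent Failure: 522_mailbox_full;_group_quota_sz=75497472/75497472_ct=6285/100000
Delivery last attempted at Thu, 30 Sep 2004 18:35:52 -0000

-------------------------

A message (from <POSTMASTER@example.com>) was received at 30 Sep 2004 18:40:11 +0000.

The following addresses had delivery problems:

<nobody@invalid.example.org>
Permanent Failure: 550_user_unknown
Delivery last attempted at Thu, 30 Sep 2004 18:40:11 -0000
"""
# One notice: the sender line, the first failed recipient, then the status line ('_'-joined reason).
NOTICE_RE = re.compile(
    r"A message \(from <(?P<sender>[^>]+)>\) was received at (?P<received>[^\n]+?)\.\n"
    r".*?<(?P<recipient>[^>\n]+)>\n"
    r"(?P<status>Permanent|Transient) Failure: (?P<code>\d{3})_(?P<reason>[^;\n]*)",
    re.DOTALL,
)

def parse_notices(text):
    """Return one dict per notice with sender, received, recipient, status, code, reason."""
    bounces = []
    for m in NOTICE_RE.finditer(text):
        d = m.groupdict()
        d["code"] = int(d["code"])
        d["reason"] = d["reason"].replace("_", " ")
        bounces.append(d)
    return bounces

def summarize(bounces, local_domain):
    """Triage counts: notices naming a sender in our own domain, failure codes, recipient domains."""
    local = "@" + local_domain.lower()
    return {
        "total": len(bounces),
        "from_local_sender": sum(b["sender"].lower().endswith(local) for b in bounces),
        "by_code": dict(Counter(b["code"] for b in bounces)),
        "by_recipient_domain": dict(Counter(b["recipient"].rsplit("@", 1)[-1].lower() for b in bounces)),
    }
```

Run it over a file of exported notices instead of SAMPLE_NOTICES to see at a glance whether the bounces cluster on a few recipient domains and whether the "sender" is always your own postmaster.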

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

Naturally I did enter my domain. I got back 6 lines of information -- with no information listed after the "relay test" line. So, again, it wouldn't tell me anything about relay. Perhaps other domains get other results.
After entering your domain, the MailEnable tool will conduct a series of tests. The VERY last test is the relay test. It will say Server Relay Test (yourdomain.com). I just did it and it seemed to work okay.
If you're not getting any results here, then I am not sure why. I would dig up other relay testing sites for you but my track record at this point is dismal. :cry:
I'm pretty sure it is ME that is crashing. I still have access to everything else on the server.
Is ME crashing? Did you check to see that the SMTP/POP, etc services are running? You can do this by looking in the MMC and click System->Services. Another way to tell is to look at the server Task Manager - all the MailEnable services are listed in the Processes tab and start with 'ME' and so you can list them in order in the Task Manager. If, for example, the MESMTPC.EXE is missing then you know it crashed.

Also you can look at the queue by ?:\Program Files\Mail Enable\Queues. That's why I think your MMC is crashing and not the actual server.

Hope this helps.

-Johnny

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

How can anyone be sending out from my server if it's only enabled for integrated authentication?? I honestly don't understand. I appreciate that ME is free and I really can't afford to switch to a paid service -- but I am getting worried that I might have to do that. I just can't seem to figure this out on my own.
Mail getting bounced back to your server may not have come from your server. Spammers typically use spoofing to forge the From: address so it looks like it came from your domain when in reality it came from the spammer server.

Checking to see if your relay settings are working is the first step to verifying that you are not an open relay.

andreabash
Posts: 13
Joined: Thu Sep 16, 2004 10:37 pm

Post by andreabash »

Honestly, I'm not an idiot, but you're still losing me. Yes, the relay information on the mailenable screen is blank. There is no information there. This is what I get back: http://www.babysfirstsite.com/screen.jpg. When I leave out the www, I get even less useful information.

You've lost me on ME crashing vs. MMC. It's not shutting down all nice and pretty, so I don't think all the services would stop even if it were ME crashing. It freezes completely.

At any rate, I was able to access the outgoing messages with the alternative method and they are deleting now -- 37,000 + of them. Some from today, even though ME is closed to anyone but authenticated senders.

Have I messed up ME to the point where it's still open even though it says it is closed?

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

andreabash wrote:Honestly, I'm not an idiot, but you're still losing me. Yes, the relay information on the mailenable screen is blank. There is no information there. This is what I get back: http://www.babysfirstsite.com/screen.jpg. When I leave out the www, I get even less useful information.
Not sure why you are not getting information here. Something may not be configured correctly on your server. Check your server by using www.dnsstuff.com (specifically the MX records, and A records for your server).
You've lost me on ME crashing vs. MMC. It's not shutting down all nice and pretty, so I don't think all the services would stop even if it were ME crashing. It freezes completely.
MMC is the Microsoft Management Console. It's used to administer many aspects of the server. It's just a .msc file for MailEnable administration and tells the MMC what to do when you are making settings in MailEnable.
In this case I believe it's crashing when it goes to check the queue (maybe the queue has a corrupted file in it, or has too many items or something) - I don't think the server itself is crashing (although I could be wrong, but I am not there with you to see what is going on). This is why going to the actual queue on the server (?:\Program Files\Mail Enable\Queues) is an alternative.

At any rate, I was able to access the outgoing messages with the alternative method and they are deleting now -- 37,000 + of them. Some from today, even though ME is closed to anyone but authenticated senders.
37,000 is a lot of messages in the queue and might be why the MMC is crashing. This doesn't mean that the ME server itself is actually crashing. I gave some suggestions above on how to make that determination.
Have I messed up ME to the point where it's still open even though it says it is closed?
What is still open? The MMC? Again this is not the MailEnable server itself. It's a Microsoft tool used to administer the server and is nothing more than a .msc file that MailEnable created so that you can use the MMC to manage the server.

I hope this helps.

-Johnny

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

Yes, the relay information on the mailenable screen is blank. There is no information there. This is what I get back: http://www.babysfirstsite.com/screen.jpg. When I leave out the www, I get even less useful information.
I was unable to get an MX record lookup back from your domain (I took the liberty to do this - I hope you don't mind - you posted your domain in the above post). This is a problem that needs to be rectified first of all. That's why the MailEnable relay test did not work: it never found an MX record.

How I am searching:
Searching for babysfirstsite.com MX record at f.root-servers.net [192.5.5.241]: Got referral to I.GTLD-SERVERS.NET. [took 69 ms]
Searching for babysfirstsite.com MX record at I.GTLD-SERVERS.NET. [192.43.172.30]: Got referral to ns.rackspace.com. [took 145 ms]
Searching for babysfirstsite.com MX record at ns.rackspace.com. [69.20.95.4]: Reports that no MX records exist. [took 43 ms]

Answer:
No MX records exist for babysfirstsite.com. [Neg TTL=86400 seconds]

Details:
ns.rackspace.com. (an authoritative nameserver for babysfirstsite.com.) says that there are no MX records for babysfirstsite.com.
The E-mail address in charge of the babysfirstsite.com. zone is: hostmaster@rackspace.com.

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune »

That's why the MailEnable relay test did not work: it never found an MX record.
This also accounts for why you are not getting mail from the other test site I gave you. When a mail server goes to send your server mail it does an MX lookup in order to see where (the IP) to make the SMTP connection.

So you have another matter to attend to before you continue on with the relay problem.

FYI

-Johnny

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman »

Hi, sorry to bust in to this thread, but I also did a test at www.dnsreport.com

It seems that there are a lot of problems with your DNS and MX settings. For example, you can expect a lot of mail to be rejected because you don't have a PTR record.

Setting up a mail server isn't like using Outlook. You need to make sure all those things are set up correctly if you want mail to work properly.

Most of the regulars on this forum do a pretty good job at helping out. It might help if you gave us some information on your setup.

Also, looking at the screenshot, it's possible that your installation is screwed up. You may want to try reinstalling it.

Good luck!

Kiliman
