Relaying and unsolicited commercial e-mail in Exchange Server 5.5

This article describes the fundamental issues about relaying and unsolicited commercial e-mail in a Microsoft Exchange Server 5.5 organization.

What is relaying?

Relaying is the process of submitting an e-mail message to the SMTP server of a domain so that the e-mail message is transferred to the SMTP server of another domain for delivery.

The e-mail message is received by the SMTP server of the first domain. The SMTP server determines that the intended recipient of the e-mail message does not exist in the recipient's messaging environment. At that time, the message is submitted for delivery to the actual authoritative domain where the recipient resides.

What is unsolicited commercial e-mail?

Unsolicited commercial e-mail is an e-mail message that is sent to many people without their consent. Typically, unsolicited commercial e-mail promotes a service or a product. Unsolicited commercial e-mail is used to reach a large audience at a low cost to the sender of the e-mail message. However, unsolicited commercial e-mail may have a high cost for the intended recipients.

What is the difference between unsolicited commercial e-mail and relayed e-mail?

When you view e-mail messages on your Exchange server, you have to look at the originator of the message and at the recipient of the message to determine if the message is unsolicited commercial e-mail or relayed e-mail.

• If the recipient's e-mail domain is external, someone is trying to relay the message through your server.
• If the recipient's e-mail domain is local, someone might be sending unsolicited commercial e-mail to the local recipient.

Note In the following samples, assume that the server is authoritative for Adatum.com.

In the following sample, neither the Originator nor the Recipient belongs to your domain. Therefore, this message was relayed through your server. The actual sender of the message may have made the sender appear to be a user who has an SMTP address of user@adatum.com. This practice is known as "spoofing." However, the message is intended for an external recipient. Therefore, relaying has occurred.In the following sample, the Originator is from an Internet domain. This Originator is sending e-mail to an SMTP address that does not exist in your Exchange organization. The Internet Mail Service (also know as IMS) accepts this message because the service only examines the data that appears after the at (@) sign.After the message is received, the Internet Mail Service uses the local mail client to locate the user account. If no user account is found, your Exchange server rejects the message and sends a non-delivery report (NDR) to the Originator.

Note In the Internet Message Service queues, the field that typically identifies the Originator of a message may only contain an empty pair of angle brackets (<>). If the Originator is not identified, your Exchange server has received the message, but your Exchange server has rejected the message for an unknown reason. For example, the Originator may not be identified if the message was sent to a nonexistent user or if the message was sent to a user whose mailbox is full.

According to the Request for Comments (RFC) standards, when your Exchange server rejects a message, your Exchange server must send an NDR. On your Exchange server, if the Originator of the message contains an empty pair of angle brackets, these angle brackets indicate that the postmaster mailbox or the system mailbox of your Exchange server sent the message. If the postmaster mailbox or the system mailbox of your Exchange server sent the message, this indicates to you, the administrator, that this message is an NDR.

How does relaying work?

Sample scenario: The originator at A. Datum Corporation wants to send an e-mail message to johnsmith@contoso.com. The e-mail servers at Contoso Ltd. are responsible for all e-mail messages that are sent to contoso.com. To move an incoming message to the correct mailbox, the following actions occur:

1. The originator sends the e-mail message by using SMTP through the server.adatum.com server.
2. When the server.adatum.com server receives the e-mail message, the server.adatum.com server determines that the recipient of this e-mail message does not exist in the messaging organization.
3. The server.adatum.com server delivers the message to the correct domain.
4. The server.adatum.com server performs a DNS lookup for the contoso.com mail exchanger (MX) record. The DNS lookup identifies mail.contoso.com.
5. The server.adatum.com server submits the message to the mail.contoso.com server by using SMTP. The mail.contoso.com server accepts the e-mail message and delivers it to the user's mailbox.

What is open relay?

Open relay occurs when an e-mail server permits e-mail messages to be relayed through the system without exercising any restrictions or any control over the relayed e-mail. After you install the Internet Mail Service in Exchange Server 5.5, the default configuration permits the server to be used for open relay.

What is authenticated relay?

Authenticated relay occurs when an e-mail server only permits e-mail messages to be relayed through the system if the sender of the message has an account that has a user name and a password. This account can exist on the e-mail server that relays the e-mail message, or this account can exist on a server that is a member of the domain that the e-mail server belongs to.

Authenticated relay uses the AUTH verb. The AUTH verb is an Extended SMTP (ESMTP) command. Your messaging server, your firewall, or your other networking components that work with SMTP must allow ESMTP verbs to be passed.

Note You can also configure your e-mail server to relay e-mail messages that come from specific Internet Protocol (IP) addresses. This configuration does not require authentication.

Weakly protected accounts are accounts that do not use a password or use a weak password. Some companies that send unsolicited commercial e-mail may run a tool that is designed to find weakly protected accounts on your Exchange server. These tools use different methods to find the user name and then to crack the password of a weakly protected account.

Typically, these tools try to gain access to the local guest account, to the domain guest account, to the administrator account on the Exchange server, and to manually created accounts such as the Webmaster account or the Service account. If you have one of these accounts in any domain that has a trust relationship with the domain that contains the Internet Mail Service server, make sure that this account has a strong password.

How do I determine the account that is being used for authenticated relay?

To determine the account that is being used for authenticated relay on the Exchange Server 5.5 Internet Mail Service, follow these steps:

1. On the Exchange server, save and then clear all events in the application log.
2. Start the Microsoft Exchange Server Administrator program, and then connect to the Exchange server that is running the Internet Mail Service.
3. Expand your site, expand Configuration, and then click Connections.
4. In the right pane, click Internet Mail Service (Server Name).
5. On the File menu, click Properties, and then click the Diagnostic Logging tab.
6. In the right pane, click SMTP Interface Events.
7. Under Logging level, click Maximum, and then click OK.
8. Use the Services item in Control Panel to stop and then restart the Microsoft Exchange Internet Mail Service.
   
   Note These steps set the logging level for the SMTP Interface Events to the maximum logging level. This setting forces the authenticated sender to reestablish a session. Therefore, the authenticated user session is logged in the application log.
9. In the application log in Event Viewer, locate event ID 2010. This event contains the name of the user account that is being used for authenticated relay.

Microsoft recommends that you take one or more of the following steps to make it more difficult for someone to use an account to relay e-mail messages by using authenticated relaying:

• Change the password for the user account.
• Disable the user account.
• Rename the user account.

How do I prevent relaying?

By default, the Internet Mail Service is open for relay after you install the Internet Mail Service in Exchange Server 5.5. To prevent relaying, you must be running Microsoft Exchange Server 5.5 Service Pack 1 or later.

Before you close relaying, make sure that you understand the features that the "How do I use the settings on the Exchange Server 5.5 Internet Mail Service Routing tab?" section describes.

How do I configure my server to prevent access by POP3 or IMAP4 client programs?

You can close relaying to prevent access by any Post Office Protocol 3 (POP3) client programs or by any Internet Message Access Protocol (IMAP4) client programs. Microsoft recommends that you use this configuration to prevent relaying. To configure your server to prevent access by any POP3 client programs or by any IMAP4 client programs, follow these steps:

1. Start the Microsoft Exchange Server Administrator tool.
2. Expand your site, expand Configuration, and then click Connections.
3. In the right pane, click Internet Mail Service (Server Name).
4. On the File menu, click Properties.
5. Click the Routing tab, and then click Reroute incoming SMTP mail (required for POP3/IMAP4 support).
6. Verify that your e-mail domain appears under Routing, and that <inbound> appears under Route to.
7. Click Routing Restrictions.
8. Click to select the Hosts and clients with these IP addresses check box. Do not type any IP addresses in this field.
9. Click OK two times.
10. When you receive the following message, click OK:
    The Microsoft Exchange Internet Mail Service must be restarted for your changes to take effect. Stop and start the Internet Mail Service using the Services icon in Windows NT Control Panel.
11. Restart the Microsoft Exchange Internet Mail Service.

How do I configure my server to require authentication?

You can also control relaying by using a valid username and password. This configuration permits users who use a POP3 client or an IMAP4 client to relay e-mail. To configure your server to require authentication, follow these steps:

1. Start the Microsoft Exchange Server Administrator tool.
2. Expand your site, expand Configuration, and then click Connections.
3. In the right pane, click Internet Mail Service (Server Name).
4. On the File menu, click Properties.
5. Click the Routing tab, click Reroute incoming SMTP mail (required for POP3/IMAP4 support).
6. Verify that your e-mail domain appears under Routing, and that <inbound> appears under Route to.
7. Click Routing Restrictions.
8. Click to select the Hosts and clients that successfully authenticate check box, and then click OK.
9. Click OK
10. When you receive the following message, click OK:
    The Microsoft Exchange Internet Mail Service must be restarted for your changes to take effect. Stop and start the Internet Mail Service using the Services icon in Windows NT Control Panel.
11. Restart the Exchange Internet Mail Service.

How do I use the settings on the Exchange Server 5.5 Internet Mail Service Routing tab?

By default, the Do not reroute incoming SMTP e-mail setting is on. This setting permits relaying to occur. Microsoft does not recommend the use of this setting. This setting has been removed from later versions of Exchange.

The Reroute incoming SMTP e-mail (required for POP3/IMAP4 support) setting permits you to use the Routing Restrictions settings. The Routing Restrictions settings permit you to control relaying.

The Routing box setting permits you to add additional domains that you can receive or relay e-mail messages for. If you want to receive incoming e-mail messages for a specific domain, you must use this setting to add the domain.

The Routing Restrictions settings permit you to control relaying through your Exchange server. You can use more than one setting. When you use more than one setting, the relay process uses the method that permits the message to be relayed. These settings include the following:

• The Hosts and clients that successfully authenticate setting forces senders of non-local e-mail messages to authenticate by using the AUTH verb. The senders must supply a correct user name and password. Typically, you use this setting if you have POP3 users or IMAP4 users who access their e-mail from Internet addresses.
  
  Note If you use this setting, review the "How do these changes affect my clients?" section.
• The Hosts and clients with these IP addresses setting permits you to control the client or server IP addresses that can relay through your Exchange server. The IP address of the sending host must have a valid entry in this field for relaying to occur. You can use this setting to specify individual addresses or to specify a range of addresses.
  
  Note Do not put the Exchange server IP address in this range.
  
  To permit only one host to relay e-mail messages, type the following:
  IP address: IP address =Complete IP address of the Sending Host
  For example, type 1.2.3.4, MASK=255.255.255.255.
• The Hosts and clients connecting to these internal addresses setting permits you to relay only those e-mail messages that are sent by hosts and by clients that connect to specified IP addresses on the computer that is running Exchange Server 5.5.
  
  This setting permits multihomed servers to restrict relaying based on the IP address that the client connects to. If you select this setting, you must turn off IP forwarding by using the Networking item in Control Panel.
• The Specify the hosts and clients that can never route mail setting permits you to add the IP addresses that you never want to relay e-mail messages for, regardless of the other settings that you may have configured.

back to "How do I prevent relaying?"

How do I test relaying to verify that the server is closed?

You can use many methods to test your Exchange server for open relay. To use telnet to test your Exchange server for open relay, follow these steps:

1. Click Start, click Run, type command in the Open box, and then click OK.
2. Do the following, depending on your operating system:
   • If you are running Microsoft Windows 2000, follow these steps:
     1. At the command prompt, type telnet, and then press ENTER.
     2. Type set local_echo, and then press ENTER.
     3. Type open IP address of your Exchange server 25, and then press ENTER.
        
        For example, if the IP address of the Exchange server is 192.168.1.5, type the following command, and then press ENTER:
        open 192.168.1.5 25
   • If you are running Microsoft Windows NT 4.0, follow these steps:
     1. At the command prompt, type telnet IP address of your Exchange server 25, and then press ENTER.
        
        For example, if the IP address of the Exchange server is 192.168.1.5, type the following command, and then press ENTER:
        telnet 192.168.1.5 25
     2. On the Terminal menu, click Preferences.
     3. Click to select the Local Echo check box, and then click OK.
3. Type helo, and then press ENTER. You receive the following response from the Internet Mail Service:
   250 OK
4. Type mail from: username@Exchange administrator's domain.com, and then press ENTER.
   
   You receive the following response from the Internet Mail Service:
   250 OK - mail from <username@Exchange administrator's domain.com>
5. Type rpct to: user@relaydomain.com, and then press ENTER.
   
   Note user@relaydomain.com is a placeholder for the name of a user account from a remote domain.
   
   If the Internet Mail Service is closed for relaying, you receive the following response from the Internet Mail Service:
   550 Relaying is prohibited
   
   If the Internet Mail Service is an open relay, you receive the following response from the Internet Mail Service:
   250 OK

How do these changes affect my clients?

For your POP3 clients or IMAP4 clients to use your server to send e-mail to domains outside your Exchange organization, you must configure the Internet Mail Service to allow authentication. Or, you must specify the IP address of the client that is sending the message.

If you configured the Internet Mail Service for authentication, you must configure the client to force security. To configure the client to force security, follow these steps:

1. Right-click the default Internet account, click Properties, and then click the Servers tab.
2. In the Incoming Mail Server box, verify that the user account information is in the following format:
   Domain\Account Name
   The domain account password follows the user account information.
3. In the Outgoing Mail Server box, click to select the My server requires authentication check box, and then click Settings.
4. Do either one of the following, depending on your preference:
   • To use the same credentials that you use to authenticate with Exchange Server 5.5, click Use same settings as my incoming mail server.
   • To have permission to send messages to outside domains, click Log on using, and then specify an additional user account and password.
5. Click OK.

If your clients use MAPI, the client automatically performs the authentication. You do not have to configure the client.

Note It is not a good idea to use POP3 or IMAP4 where user name and password information is sent in plain text. Consider alternatives depending on your Exchange organization.


back to "How do I use the settings on the Exchange Server 5.5 Internet Mail Service Routing tab?"

How does unsolicited commercial e-mail work?

Sample scenario: The originator wants to send an e-mail message that advertises a product or a service to thousands of people. The originator obtains a list of e-mail addresses, and then sends the unsolicited commercial e-mail message to all the recipients at the same time.

Incoming unsolicited commercial e-mail may cause many issues, including slow server performance, reduced network bandwidth, low disk space on servers, and wasted time when users and administrators have to delete the e-mail messages.

What is reverse NDR spamming?

When your Exchange server receives many unsolicited e-mail messages for users who do not exist in an organization, your Exchange server returns the messages to the Originator. However, the e-mail address that appears for the Originator may not be the actual sender's address. Therefore, your Exchange server sends the NDR to someone else. This practice is known as reverse NDR spamming. Reverse NDR spamming is not efficient because:

• Some servers do not send the original content back.
• Some servers may block the message when the message is accepted.

The following example illustrates reverse NDR spamming.

Note In this example, assume that the server is authoritative for @adatum.com.

A user at Adatum.com sends a message to invaliduser@adatum.com. However, the Exchange server changes the MAILFROM field so that the message appears to have been sent from the user@adventure-works.com address. The Internet Mail Service receives the message and generates an NDR. This NDR is addressed to user@adventure-works.com. The user@adventure-works.com mailbox receives this NDR although this user did not send the original message.

Reverse NDR spamming occurs when this process occurs on a large scale and involves many thousands of messages that cause many thousands of NDRs to be sent to a domain.

How does unsolicited commercial e-mail affect server performance?

Unsolicited commercial e-mail messages and relayed messages are common causes of decreased performance on your Exchange server. The following steps provide an overview of message flow in Microsoft Exchange Server 5.5:

1. The Internet Mail Service accepts the message from the remote SMTP server.
2. The message is sent to the MTS-IN mailbox of the Information Store. In the MTS-IN mailbox, the message is converted from SMTP format to Exchange database format.
3. The Information Store queries the Exchange directory database for the address that appears in the To field of the message.
4. When the Information Store determines that the user does not exist, the System Attendant generates an NDR for a null sender. The NDR is then converted from Exchange database format to SMTP format in the MTS-OUT mailbox of the Information Store.
5. The NDR is addressed to the bogus e-mail address that appears in the From field of the e-mail message.
6. The NDR remains in the Exchsrvr\Imcdata\Out folder. When the delivery times out in the Internet Mail Service, the NDR is deleted.

When thousands of unsolicited commercial e-mail messages flood an Exchange server, the disk I\O, the CPU utilization, and the RAM utilization increase. Eventually, they reach 100 percent. When this behavior occurs, the server stops responding and thousands of NDRs become backed up in the Exchsrvr\Imcdata\Out folder.

How do I prevent unsolicited commercial e-mail?

Prevention of unsolicited commercial e-mail in Exchange Server 5.5 is not a simple task. In most scenarios, Microsoft recommends that you use a third-party product to help you configure your system to help prevent unsolicited commercial e-mail. If you do not use a third-party product, Microsoft recommends that you use the following options:

• Click to select the Message Filtering check box on the Connections tab of the Internet Mail Service.
• Click to select the Reject Specific IP Addresses check box on the Connections tab of the Internet Mail Service.

Message filtering is a way to delete messages or to move messages that originate from a specific e-mail address or from a specific e-mail domain. Message filtering was implemented in Microsoft Exchange Server 5.5 Service Pack 2. However, message filtering requires much of the administrator's time because the administrator must update the filter settings frequently.

How do I filter messages?

You can configure the Internet Mail Service to filter messages from a blank sender. However, to filter incoming e-mail, the message must have an entry in the MAILFROM field, regardless of whether this entry is valid. To filter on blank senders, put a period (.) character in the MAILFROM field of the filter settings.

One way to help filter the messages is to move them to another hard disk for storage until you can review them. This practice frees up space on the server. This practice is also known as turfing. However, it is not recommended to move the messages to a specified folder on the hard disk of the server because the messages can fill the hard disk of your server.

How do I reject connections by IP address?

You can configure your Exchange server to reject connections by IP addresses by clicking Specify by Host on the Connections tab of the Internet Mail Service. You can add a specific IP address and then select the Reject connection from this host. To identify the IP address that a message was sent from so that you can reject a connection from that IP address, follow these steps:

1. Click Start, click Run, type command in the Open box, and then click OK.
2. At the command prompt, type netstat -an to locate the remote server that is connecting to your Exchange server on port 25.
3. Perform a Network Monitor trace to view the incoming connection.
4. Review the Internet header of the received message. The Internet header contains the IP address that the message was sent from.

Note Many people who send unsolicited commercial e-mail messages use fake e-mail addresses, "spoof" the IP addresses, or do both of these. These practices make it very difficult to prevent incoming unsolicited commercial e-mail messages. Also, it may be difficult to reject connections by IP address if you use a relay server or a firewall.

How do I delete unsolicited commercial e-mail messages from my server?

After your server is used as an open relay or receives unsolicited commercial e-mail messages, thousands of messages may remain in the Internet Mail Service. These thousands of unsolicited commercial e-mail messages may prevent the delivery of e-mail messages from your users. You must delete the unsolicited commercial e-mail messages to make your Exchange organization work correctly again. To do so, follow these steps:

1. Take precautions to stop the unsolicited commercial e-mail messages from appearing on your server:
   1. Determine if the messages are unsolicited commercial e-mail messages or relayed e-mail messages.
   2. Close your server to relaying.
   3. Configure the server to prevent incoming unsolicited commercial e-mail messages.
2. In the Administrator program, right-click IMS, click Properties, and then click the Queue tab.
3. If there are few messages, delete them from the Queue tab.
   
   Note Make sure that you update the queue to see the changes that you have made.
4. If there are thousands of messages, you can then close the Properties dialog box.
5. Stop the Internet Mail Service, and then locate the Imcdata folder.
   
   Note There may be more then one Imcdata folder.
6. Change the name of the folder from Imcdata to Imcdata_old, and then create a new Imcdata folder.
7. Restart the Internet Mail Service.
8. Verify the queue.
   
   Note You may continue to receive unsolicited commercial e-mail messages for a short time because the messages may have resided in the Microsoft Exchange Information Store.
9. Repeat step 5 through step 7 every five minutes until the issue is resolved. It is common for this part of the process to last 20 to 30 minutes.
10. If the problem continues, click to select the Flush Queues check box on the Connection tab in the Internet Mail Service.
11. After you have deleted the unsolicited commercial e-mail messages from your Exchange server, delete or replay the e-mail messages in the Imcdata_old folder. If you want to replay these messages, see the "How do I replay messages?" section.
12. If you want to delete these messages, delete them now.
    
    Note Deleting these messages may take several minutes.

How do I replay messages?

If you have messages that were moved from the active Imcdata folder to a renamed folder or to a temporary folder that you want to manage, follow these steps:

1. Determine the messages that you want to replay. Microsoft does not recommend that you replay all the messages in the Imcdata_old folder because the server performance problem may continue. If you renamed the Imcdata folder, the messages to be replayed are located in the In subfolder and in the Out subfolder.
   
   Note If a folder that is named Archive exists in the In subfolder and in the Out subfolder, you do not have to replay the messages that appear in the Archive folder.
2. To find the messages, use one of the following methods to find the valid messages in the In subfolder and in the Out subfolder:
   • Search for e-mail addresses from your domain.
   • Search for messages that contain the postmaster@your_domain.com address, and then delete these messages. These messages are the NDRs that your system generated for the invalid messages. You do not have to replay these messages.
3. When you have located the messages that you want to replay, move the messages to the Pickup folder in the active Imcdata folder. After the messages are in the Pickup folder, the messages leave the folder immediately and can be replayed.
   
   Note This process occurs only if the Internet Mail Service is functioning correctly. You do not have to stop the Internet Mail Service to replay these messages.

back to "How do I delete unsolicited commercial e-mail messages from my server?"

How do these changes affect my clients?

Your clients will not be affected when you reject connections by IP address unless some of your clients have e-mail accounts on those systems. Clients cannot send e-mail messages to your system from e-mail accounts on systems that use IP addresses that cannot connect to your system.

What are some recommended account security measures?

The following is a list of measures that you can take to help enhance the security of your Exchange server:

• Make sure that all users have strong passwords on each account. Recommend that your users create passwords that use a mixture of uppercase letters, lowercase letters, numbers, and symbols. Passwords must have at least six characters.
• Rename the guest account, set a strong password for the guest account, and then disable the guest account.
• Rename all administrator accounts, and then set a strict password for each of the administrator accounts.
• Verify that all service accounts have strict passwords.
• Set expiration times for all passwords.
• Verify that all local accounts and all domain accounts follow these guidelines.

For more information, visit the following Microsoft Web site:

What are some recommended system maintenance measures?

The following is a list of measures that you can take to help maintain your Exchange server and to help prevent problems later:

• Continue to promote strong passwords for your users. To do this:
  • Create local security policies and domain security policies.
  • Educate your users.
  • Review your Internet Mail Service queues regularly.
  • Take a baseline measurement of your server performance.
  • Know the peak times for sending e-mail messages and for receiving e-mail messages on your server.
• Have an action plan ready to prevent your server from being used as an open relay and from becoming overwhelmed by unsolicited commercial e-mail messages:
  • Make sure that configuration information is immediately available.
  • Back up the public folders, the private folders, and the Exchange directory database on your server.
  • Have sufficient disk space available and have maintenance tools available at all times.
  • Stay up-to-date with the latest news about unsolicited commercial e-mail messages and relaying. For more information, visit the following Microsoft Web site:
• Consider using message filtering or other third-party products to help fight unsolicited commercial e-mail messages. These products include the following:
  • Products that help prevent unsolicited commercial e-mail messages
  • Products that provide antivirus features
  • Products that provide firewall features
  • Products that verify the content of e-mail messages

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

What is a firewall SMTP e-mail handler?

A SMTP e-mail handler may be a program or service. A SMTP e-mail handler is included with many firewall programs to handle incoming requests and outbound requests. Because a firewall SMTP e-mail handler can be open for relay, you must verify that this service is not open for relay.

Generally, this service is not required because the typical SMTP e-mail handler supports only basic SMTP commands. This service does not support extended commands, including the AUTH command that is used to authenticate users.

What is a block list?

A block list is a database that contains a list of known open relay servers, IP addresses, Internet service provider (ISP) dial-up addresses, and open proxies. Many domains use these block list databases to prevent delivery of e-mail to their domain. You can use a block list to reduce the number of unsolicited commercial e-mail messages that you receive.

The following is a list of Web sites that you can use to determine if your domain is contained in a block list: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

What is an open proxy?

An open proxy is a proxy server or a proxy port that is used for Web-based services and that permits other services that reside on the server, such as SMTP, to be used as open relays. Many block-list vendors search for an open proxy and an open relay when they test servers.

Each proxy server version has its own methods of closing proxy ports. See the documentation that was included with your software to determine the best security methods and settings for your proxy server.