Smtp relay attack on our mail server (not an open relay server)

Tags: exchange, smtp

Help,

We put our Exchange Server (10.0.0.125) behind an SMTP proxy server (Xeams, if you have heard of it); however, recently our clients complained that we reply to their emails too late, and we found that we actually receive their emails several hours and sometimes a day late!

The Xeams proxy we have is sitting in front of our Exchange using IP 10.0.0.10, listening to all external requests coming into our firewall (10.0.0.1), and if it is a qualified relay (10.0.0.x) it will then relay the email, which includes relaying emails from our Exchange Server (10.0.0.125).

I'm not good at networking, so I have no idea whether I have spotted the right problem here that causes the delays: I found that there are a huge number of concurrent connections to our Xeams server trying to relay, and most of those are from nowhere but are trying to send spam to addresses like "xxx@yahoo.com.tw", and I guess it is the workload of denying those relay requests that delays our incoming/outgoing emails… can anyone help please!!

===== Here are some logs I picked from our email proxy =====

2014-03-20 14:58:29,994 - [     74061] C --> RCPT TO:<friend56tina@yahoo.com.tw>
2014-03-20 14:58:30,371 - [     74058] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:30,371 - [     74058] C --> RCPT TO:<s84478@yahoo.com.tw>
2014-03-20 14:58:30,863 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:30,863 - [     74059] C --> RCPT TO:<s855742@yahoo.com.tw>
2014-03-20 14:58:31,291 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:31,291 - [     74060] C --> RCPT TO:<s19000215@yahoo.com.tw>
2014-03-20 14:58:34,297 - [     74057] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:34,297 - [     74057] C --> DATA
2014-03-20 14:58:34,297 - [     74057] S <-- 503 Send RCPT TO before DATA command
2014-03-20 14:58:35,010 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:35,010 - [     74061] C --> RCPT TO:<friend5720@yahoo.com.tw>
2014-03-20 14:58:35,402 - [     74058] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:35,402 - [     74058] C --> RCPT TO:<s84484@yahoo.com.tw>
2014-03-20 14:58:35,876 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:35,876 - [     74059] C --> RCPT TO:<s8557475s8557475@yahoo.com.tw>
2014-03-20 14:58:36,305 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:36,305 - [     74060] C --> RCPT TO:<s190005@yahoo.com.tw>
2014-03-20 14:58:36,914 - [     74062] ************ New connection from: 117.141.200.224
2014-03-20 14:58:37,293 - [     74062] C --> EHLO PC-201205080653
2014-03-20 14:58:37,293 - [     74062] S <-- 250-EXCHANGE.webcider.com Hello [10.0.0.20]
2014-03-20 14:58:37,293 - [     74062] S <-- 250-SIZE 377487360
2014-03-20 14:58:37,293 - [     74062] S <-- 250-PIPELINING
2014-03-20 14:58:37,293 - [     74062] S <-- 250-DSN
2014-03-20 14:58:37,293 - [     74062] S <-- 250-ENHANCEDSTATUSCODES
2014-03-20 14:58:37,293 - [     74062] S <-- 250-AUTH NTLM
2014-03-20 14:58:37,293 - [     74062] S <-- 250-8BITMIME
2014-03-20 14:58:37,293 - [     74062] S <-- 250 OK
2014-03-20 14:58:37,685 - [     74062] C --> RSET
2014-03-20 14:58:40,018 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:40,018 - [     74061] C --> RCPT TO:<friend5731@yahoo.com.tw>
2014-03-20 14:58:40,416 - [     74058] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:40,416 - [     74058] C --> RCPT TO:<s84485@yahoo.com.tw>
2014-03-20 14:58:40,900 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:40,900 - [     74059] C --> RCPT TO:<s85579280@yahoo.com.tw>
2014-03-20 14:58:41,029 - [     74063] ************ New connection from: 117.174.132.109
2014-03-20 14:58:41,312 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:41,312 - [     74060] C --> RCPT TO:<s19001008@yahoo.com.tw>
2014-03-20 14:58:41,500 - [     74063] C --> EHLO PC-201205081432
2014-03-20 14:58:41,500 - [     74063] S <-- 250-EXCHANGE.webcider.com Hello [10.0.0.20]
2014-03-20 14:58:41,500 - [     74063] S <-- 250-SIZE 377487360
2014-03-20 14:58:41,500 - [     74063] S <-- 250-PIPELINING
2014-03-20 14:58:41,500 - [     74063] S <-- 250-DSN
2014-03-20 14:58:41,500 - [     74063] S <-- 250-ENHANCEDSTATUSCODES
2014-03-20 14:58:41,500 - [     74063] S <-- 250-AUTH NTLM
2014-03-20 14:58:41,500 - [     74063] S <-- 250-8BITMIME
2014-03-20 14:58:41,500 - [     74063] S <-- 250 OK
2014-03-20 14:58:41,994 - [     74063] C --> RSET
2014-03-20 14:58:42,697 - [     74062] S <-- 250 2.0.0 Resetting
2014-03-20 14:58:42,697 - [     74062] C --> MAIL FROM:<tukwnhc@yahoo.com>
2014-03-20 14:58:42,697 - [     74062] S <-- 250 2.1.0 Sender OK
2014-03-20 14:58:42,697 - [     74062] C --> RCPT TO:<pink781215@yahoo.com.tw>
2014-03-20 14:58:45,035 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:45,035 - [     74061] C --> RCPT TO:<friend585@yahoo.com.tw>
2014-03-20 14:58:45,428 - [     74058] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:45,428 - [     74058] C --> DATA
2014-03-20 14:58:45,428 - [     74058] S <-- 503 Send RCPT TO before DATA command
2014-03-20 14:58:45,905 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:45,905 - [     74059] C --> RCPT TO:<s85579972532@yahoo.com.tw>
2014-03-20 14:58:46,319 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:46,319 - [     74060] C --> RCPT TO:<s19001030@yahoo.com.tw>
2014-03-20 14:58:47,001 - [     74063] S <-- 250 2.0.0 Resetting
2014-03-20 14:58:47,001 - [     74063] C --> MAIL FROM:<qrqsqz@yahoo.com>
2014-03-20 14:58:47,001 - [     74063] S <-- 250 2.1.0 Sender OK
2014-03-20 14:58:47,001 - [     74063] C --> RCPT TO:<in9456@yahoo.com.tw>
2014-03-20 14:58:47,520 - [     74057] ~~~~~~~~~~~~ Connection Terminated (124353:999999)
2014-03-20 14:58:47,688 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:47,688 - [     74062] C --> RCPT TO:<je76921@yahoo.com.tw>
2014-03-20 14:58:50,031 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:50,031 - [     74061] C --> RCPT TO:<friend58630@yahoo.com.tw>
2014-03-20 14:58:50,923 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:50,923 - [     74059] C --> RCPT TO:<s8557s8557@yahoo.com.tw>
2014-03-20 14:58:51,316 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:51,316 - [     74060] C --> RCPT TO:<s19001042@yahoo.com.tw>
2014-03-20 14:58:52,026 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:52,026 - [     74063] C --> RCPT TO:<in950109@yahoo.com.tw>
2014-03-20 14:58:52,694 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:52,694 - [     74062] C --> RCPT TO:<nhcaitw@yahoo.com.tw>
2014-03-20 14:58:55,048 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:55,048 - [     74061] C --> RCPT TO:<friend58799@yaho.com.tw>
2014-03-20 14:58:55,937 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:55,937 - [     74059] C --> RCPT TO:<s855828000@yahoo.com.tw>
2014-03-20 14:58:56,334 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:56,334 - [     74060] C --> RCPT TO:<s19001044@yahoo.com.tw>
2014-03-20 14:58:57,035 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:57,035 - [     74063] C --> RCPT TO:<in950629@yahoo.com.tw>
2014-03-20 14:58:57,696 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:57,696 - [     74062] C --> RCPT TO:<nico0620@yahoo.com.tw>
2014-03-20 14:58:58,944 - [     74058] ~~~~~~~~~~~~ Connection Terminated (126028:999999)
2014-03-20 14:59:00,061 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:00,061 - [     74061] C --> RCPT TO:<friend5922@yahoo.com.tw>
2014-03-20 14:59:00,947 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:00,947 - [     74059] C --> RCPT TO:<s85583199@yahoo.com.tw>
2014-03-20 14:59:01,341 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:01,341 - [     74060] C --> RCPT TO:<s19001046@yahoo.com.tw>
2014-03-20 14:59:02,041 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:02,041 - [     74063] C --> RCPT TO:<in952341@yahoo.com.tw>
2014-03-20 14:59:02,704 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:02,704 - [     74062] C --> RCPT TO:<mm771031@yahoo.com.tw>
2014-03-20 14:59:05,073 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:05,073 - [     74061] C --> RCPT TO:<friend592@yahoo.com.tw>
2014-03-20 14:59:05,944 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:05,944 - [     74059] C --> RCPT TO:<s85584298@yahoo.com.tw>
2014-03-20 14:59:06,368 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:06,368 - [     74060] C --> RCPT TO:<s19001088@yahoo.com.tw>
2014-03-20 14:59:07,044 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:07,044 - [     74063] C --> RCPT TO:<in96552000@yahoo.com.tw>
2014-03-20 14:59:07,729 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:07,729 - [     74062] C --> RCPT TO:<mika96951@yahoo.com.tw>
2014-03-20 14:59:10,072 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:10,072 - [     74061] C --> RCPT TO:<friend594@yahoo.com.tw>
2014-03-20 14:59:10,945 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:10,945 - [     74059] C --> RCPT TO:<s85584975@yahoo.com.tw>
2014-03-20 14:59:11,360 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:11,360 - [     74060] C --> RCPT TO:<s19001092@yahoo.com.tw>
2014-03-20 14:59:12,072 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:12,072 - [     74063] C --> RCPT TO:<in968@yahoo.com.tw>
2014-03-20 14:59:12,744 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:12,744 - [     74062] C --> RCPT TO:<niki9955@yahoo.com.tw>
2014-03-20 14:59:15,077 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:15,077 - [     74061] C --> RCPT TO:<friend598@yahoo.com.tw>
2014-03-20 14:59:15,948 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:15,948 - [     74059] C --> RCPT TO:<s85585589@yahoo.com.tw>
2014-03-20 14:59:16,356 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:16,356 - [     74060] C --> RCPT TO:<s19001093@yahoo.com.tw>
2014-03-20 14:59:16,860 - [     74064] ************ New connection from: 27.18.22.158
2014-03-20 14:59:17,074 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:17,074 - [     74063] C --> RCPT TO:<in9822@yahoo.com.tw>
2014-03-20 14:59:17,508 - [     74064] C --> EHLO PC-201401110338
2014-03-20 14:59:17,508 - [     74064] S <-- 250-EXCHANGE.webcider.com Hello [10.0.0.20]
2014-03-20 14:59:17,508 - [     74064] S <-- 250-SIZE 377487360
2014-03-20 14:59:17,508 - [     74064] S <-- 250-PIPELINING
2014-03-20 14:59:17,508 - [     74064] S <-- 250-DSN
2014-03-20 14:59:17,508 - [     74064] S <-- 250-ENHANCEDSTATUSCODES
2014-03-20 14:59:17,508 - [     74064] S <-- 250-AUTH NTLM
2014-03-20 14:59:17,508 - [     74064] S <-- 250-8BITMIME
2014-03-20 14:59:17,508 - [     74064] S <-- 250 OK
2014-03-20 14:59:17,751 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:17,751 - [     74062] C --> RCPT TO:<n1245990@yahoo.com.tw>
2014-03-20 14:59:18,175 - [     74064] C --> RSET
2014-03-20 14:59:20,089 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:20,089 - [     74061] C --> RCPT TO:<friend5s@yahoo.com.tw>
2014-03-20 14:59:20,963 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:20,963 - [     74059] C --> RCPT TO:<s855855@yahoo.com.tw>
2014-03-20 14:59:21,370 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:21,370 - [     74060] C --> RCPT TO:<s19001111@yahoo.com.tw>
2014-03-20 14:59:22,097 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:22,097 - [     74063] C --> RCPT TO:<in9865@yahoo.com.tw>
2014-03-20 14:59:22,776 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:22,776 - [     74062] C --> RCPT TO:<p24970151@yahoo.com.tw>
2014-03-20 14:59:23,177 - [     74064] S <-- 250 2.0.0 Resetting
2014-03-20 14:59:23,177 - [     74064] C --> MAIL FROM:<yew@yahoo.com>
2014-03-20 14:59:23,177 - [     74064] S <-- 250 2.1.0 Sender OK
2014-03-20 14:59:23,177 - [     74064] C --> RCPT TO:<dominique168@yahoo.com.tw>
2014-03-20 14:59:25,112 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:25,112 - [     74061] C --> RCPT TO:<friend5tw@yahoo.com.tw>
2014-03-20 14:59:25,956 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:25,956 - [     74059] C --> RCPT TO:<s85587s@yahoo.com.tw>
2014-03-20 14:59:26,370 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:26,370 - [     74060] C --> RCPT TO:<s19002023@yahoo.com.tw>
2014-03-20 14:59:27,120 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:27,120 - [     74063] C --> RCPT TO:<in9876543@yahoo.com.tw>
2014-03-20 14:59:27,785 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:27,785 - [     74062] C --> RCPT TO:<jbps936211@yahoo.com.tw>
2014-03-20 14:59:28,194 - [     74064] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:28,194 - [     74064] C --> RCPT TO:<dominique3317@yahoo.com.tw>
2014-03-20 14:59:30,129 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:30,129 - [     74061] C --> RCPT TO:<friend60227@yahoo.com.tw>
2014-03-20 14:59:30,973 - [     74059] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:30,973 - [     74059] C --> DATA
2014-03-20 14:59:30,973 - [     74059] S <-- 503 Send RCPT TO before DATA command
2014-03-20 14:59:31,356 - [     74060] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:31,356 - [     74060] C --> DATA
2014-03-20 14:59:31,356 - [     74060] S <-- 503 Send RCPT TO before DATA command
2014-03-20 14:59:32,135 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:32,135 - [     74063] C --> RCPT TO:<in9877@yahoo.com.tw>
2014-03-20 14:59:32,803 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:32,803 - [     74062] C --> RCPT TO:<pei582001@yahoo.com.tw>
2014-03-20 14:59:33,186 - [     74064] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:33,186 - [     74064] C --> RCPT TO:<dominique424@yahoo.com.tw>
2014-03-20 14:59:35,151 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:35,151 - [     74061] C --> RCPT TO:<friend60321@yahoo.com.tw>
2014-03-20 14:59:37,139 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:37,139 - [     74063] C --> RCPT TO:<in9889@yahoo.com.tw>
2014-03-20 14:59:37,823 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:37,823 - [     74062] C --> RCPT TO:<mjnba23@yahoo.com.tw>
2014-03-20 14:59:38,198 - [     74064] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:38,198 - [     74064] C --> RCPT TO:<dominique6006@yahoo.com.tw>
2014-03-20 14:59:40,167 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:40,167 - [     74061] C --> RCPT TO:<friend60507@yahoo.com.tw>
2014-03-20 14:59:42,156 - [     74063] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:42,156 - [     74063] C --> RCPT TO:<in9902@yahoo.com.tw>
2014-03-20 14:59:42,828 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:42,828 - [     74062] C --> RCPT TO:<n224793999@yahoo.com.tw>
2014-03-20 14:59:43,221 - [     74064] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:43,221 - [     74064] C --> RCPT TO:<dominique64tw@yahoo.com.tw>
2014-03-20 14:59:44,007 - [     74059] ~~~~~~~~~~~~ Connection Terminated (124147:999999)
2014-03-20 14:59:44,610 - [     74060] ~~~~~~~~~~~~ Connection Terminated (124300:999999)
2014-03-20 14:59:45,171 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:59:45,171 - [     74061] C --> RCPT TO:<friend605@yahoo.com.tw>
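One way to get numbers out of a log like the excerpt above, instead of eyeballing it: group the lines by session id, record the source IP from each "New connection" line, and count how many RCPT TO commands each session issued and how many of them the proxy answered with "550 5.7.1 Unable to relay". Sessions that rack up rejection after rejection from one address are the relay probes; sessions that start before the excerpt begins have no source address, and the code carries them as "unknown". This is an added example written for this page, not code from the original post or from Xeams; it assumes the line layout seen above, and the sample lines embedded in it are copied from the excerpt.

```python
import re
from collections import Counter
from datetime import datetime

# One Xeams-style proxy log line, as in the excerpt above:
# "<date> <time>,<ms> - [ <session-id>] <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) - "
    r"\[\s*(?P<sid>\d+)\] (?P<body>.*)$"
)
NEW_CONN_RE = re.compile(r"^\*+ New connection from: (?P<ip>[\d.]+)")
CLIENT_RE = re.compile(r"^C --> (?P<cmd>.*)$")
SERVER_RE = re.compile(r"^S <-- (?P<code>\d{3})[ -](?P<text>.*)$")
RCPT_RE = re.compile(r"^RCPT TO:<(?P<addr>[^>]*)>", re.IGNORECASE)
TERMINATED = "Connection Terminated"

# Sample lines copied from the log excerpt above. Session 74061 started
# before the excerpt begins, so it has no "New connection" line.
SAMPLE_LOG = """\
2014-03-20 14:58:29,994 - [     74061] C --> RCPT TO:<friend56tina@yahoo.com.tw>
2014-03-20 14:58:35,010 - [     74061] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:36,914 - [     74062] ************ New connection from: 117.141.200.224
2014-03-20 14:58:37,293 - [     74062] C --> EHLO PC-201205080653
2014-03-20 14:58:37,293 - [     74062] S <-- 250-EXCHANGE.webcider.com Hello [10.0.0.20]
2014-03-20 14:58:37,293 - [     74062] S <-- 250-AUTH NTLM
2014-03-20 14:58:37,293 - [     74062] S <-- 250 OK
2014-03-20 14:58:37,685 - [     74062] C --> RSET
2014-03-20 14:58:42,697 - [     74062] S <-- 250 2.0.0 Resetting
2014-03-20 14:58:42,697 - [     74062] C --> MAIL FROM:<tukwnhc@yahoo.com>
2014-03-20 14:58:42,697 - [     74062] S <-- 250 2.1.0 Sender OK
2014-03-20 14:58:42,697 - [     74062] C --> RCPT TO:<pink781215@yahoo.com.tw>
2014-03-20 14:58:47,688 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:47,688 - [     74062] C --> RCPT TO:<je76921@yahoo.com.tw>
2014-03-20 14:58:52,694 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:52,694 - [     74062] C --> RCPT TO:<nhcaitw@yahoo.com.tw>
2014-03-20 14:58:57,696 - [     74062] S <-- 550 5.7.1 Unable to relay
2014-03-20 14:58:58,944 - [     74058] ~~~~~~~~~~~~ Connection Terminated (126028:999999)
2014-03-20 14:59:30,973 - [     74059] C --> DATA
2014-03-20 14:59:30,973 - [     74059] S <-- 503 Send RCPT TO before DATA command
2014-03-20 14:59:44,007 - [     74059] ~~~~~~~~~~~~ Connection Terminated (124147:999999)
"""


def _new_session():
    return {"ip": None, "first": None, "last": None, "rcpt": 0,
            "rejected": 0, "domains": Counter(), "terminated": False}


def summarize(lines):
    """Group log lines by session id and count relay rejections per session."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # blank line or something that is not a proxy log line
        sess = sessions.setdefault(m.group("sid"), _new_session())
        ts = datetime.strptime(f"{m.group('ts')}.{m.group('ms')}",
                               "%Y-%m-%d %H:%M:%S.%f")
        sess["first"] = sess["first"] or ts
        sess["last"] = ts
        body = m.group("body")
        conn, client, server = (NEW_CONN_RE.match(body), CLIENT_RE.match(body),
                                SERVER_RE.match(body))
        if conn:
            sess["ip"] = conn.group("ip")
        elif client:
            rcpt = RCPT_RE.match(client.group("cmd"))
            if rcpt:  # count every recipient the client tried, by domain
                sess["rcpt"] += 1
                domain = rcpt.group("addr").rpartition("@")[2].lower()
                sess["domains"][domain] += 1
        elif server:
            if server.group("code") == "550" and "Unable to relay" in server.group("text"):
                sess["rejected"] += 1
        elif TERMINATED in body:
            sess["terminated"] = True
    return sessions


def session_seconds(sess):
    """Wall-clock span covered by the session's lines in this log."""
    return (sess["last"] - sess["first"]).total_seconds()


def relay_abuse_sessions(sessions, threshold=3):
    """Sessions whose relay rejections reached the threshold, worst first."""
    hits = [(sid, s) for sid, s in sessions.items() if s["rejected"] >= threshold]
    return sorted(hits, key=lambda item: item[1]["rejected"], reverse=True)


def rejects_by_source(sessions):
    """Total relay rejections per source IP ('unknown' when the connect line is outside the log)."""
    totals = Counter()
    for s in sessions.values():
        if s["rejected"]:
            totals[s["ip"] or "unknown"] += s["rejected"]
    return totals


if __name__ == "__main__":
    sessions = summarize(SAMPLE_LOG.splitlines())
    for sid, s in relay_abuse_sessions(sessions, threshold=1):
        print(f"session {sid} from {s['ip'] or 'unknown'}: {s['rcpt']} RCPT, "
              f"{s['rejected']} rejected over {session_seconds(s):.1f}s, "
              f"domains={dict(s['domains'])}")
    print("rejections per source:", dict(rejects_by_source(sessions)))
```

Run it over the full proxy log rather than the excerpt (`summarize(open(path))`) and the per-source totals show which addresses are behind the load; the per-session span shows how long each probe keeps a connection open while being refused, which is the cost the question is worried about.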

Best Answer

SMTP provides no guarantee of delivery and no guarantee of timely delivery. The only thing you can do is rule out your systems as the cause of the delay. Here's what I would suggest: find a sample email sent from your client and compare the time it got to your firewall against the time it got to your proxy, and then against the time it got to your Exchange server. If there's a large delay, then you can look deeper into why that is happening. If there's no delay, then the problem probably isn't on your side and there's nothing you can do about it.
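The proxy-to-Exchange part of that comparison can be read straight out of the message: every MTA that accepts a message prepends a Received header with its own timestamp, so the gaps between consecutive stamps show which hop held the message and for how long. The firewall adds no header, so its timing has to come from the firewall's own logs. The code below, an added example and not from the answer's author, parses the Received chain oldest-first, computes the seconds each hop added (starting from the sender's Date header), and reports the slowest hop; a Received header with a missing or unparseable stamp is carried through with no delay rather than aborting the run. The sample message is constructed: the hostnames and the client-side addresses are placeholders, and only the 10.0.0.10 and 10.0.0.125 addresses come from the question.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# "from <host> ... by <host>" clause of a Received header
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)

# Constructed sample: a message that reached Exchange (10.0.0.125) via the
# proxy (10.0.0.10). Hostnames and client-side addresses are placeholders.
SAMPLE_MESSAGE = """\
Received: from mailproxy.example.internal (10.0.0.10) by EXCHANGE.example.internal
 (10.0.0.125) with Microsoft SMTP Server; Thu, 20 Mar 2014 23:12:04 +0800
Received: from mail.client.example (203.0.113.7) by mailproxy.example.internal
 (10.0.0.10) with ESMTP; Thu, 20 Mar 2014 23:11:58 +0800
Received: from [192.0.2.25] by mail.client.example with ESMTPA;
 Thu, 20 Mar 2014 15:05:11 +0800
Date: Thu, 20 Mar 2014 15:05:02 +0800
From: someone@client.example
To: sales@example.internal
Subject: constructed test message

body
"""


def _safe_date(text):
    """Parse an RFC 5322 date, returning None instead of raising on junk."""
    try:
        return parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None


def _seconds_between(earlier, later):
    try:
        return (later - earlier).total_seconds()
    except TypeError:
        return None  # one stamp carried a timezone and the other did not


def hop_delays(raw_message):
    """Return the Received hops oldest-first, each with the seconds it added."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first
        flat = " ".join(value.split())  # unfold continuation lines
        clause, sep, stamp = flat.rpartition(";")  # the date follows the last ';'
        m = RECEIVED_RE.search(clause)
        hops.append({
            "from": m.group("frm") if m else None,
            "by": m.group("by") if m else None,
            "received_at": _safe_date(stamp) if sep else None,
        })
    prev = _safe_date(msg["Date"]) if msg["Date"] else None  # sender's own clock
    for hop in hops:
        now = hop["received_at"]
        hop["delay_s"] = _seconds_between(prev, now) if prev and now else None
        if now:
            prev = now
    return hops


def slowest_hop(hops):
    """The hop that added the most time, or None if nothing could be timed."""
    timed = [h for h in hops if h["delay_s"] is not None]
    return max(timed, key=lambda h: h["delay_s"]) if timed else None


def transit_seconds(hops):
    """Seconds from the first Received stamp to the last one."""
    stamps = [h["received_at"] for h in hops if h["received_at"]]
    return (stamps[-1] - stamps[0]).total_seconds() if len(stamps) > 1 else 0.0


if __name__ == "__main__":
    hops = hop_delays(SAMPLE_MESSAGE)
    for h in hops:
        print(f"{h['from']} -> {h['by']}: +{h['delay_s']}s at {h['received_at']}")
    worst = slowest_hop(hops)
    print(f"slowest hop: accepted by {worst['by']} after {worst['delay_s']}s; "
          f"total transit {transit_seconds(hops)}s")
```

In the sample the hop into the proxy added roughly eight hours while the proxy-to-Exchange hop added six seconds, which is the pattern that points away from the proxy and Exchange and towards the sender or whatever sits in front of the proxy. Remember that each stamp comes from that MTA's own clock, so a skewed clock on any hop shows up as a spurious delay (or a negative one) on the hops around it.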