Question : Exchange Event Log Analysis NDR Backscatter? Intruder?

Last month my server was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers including the server. I now have GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/23/2009
Time:            12:46:09 AM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 ter.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed  ". The full command sent was "RCPT TO:  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            12/22/2009
Time:            7:35:37 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;[email protected]t (Message-ID 5c@calruralwater.org>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:31 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source.  421-Please retry delivery later.  421-If you believe this may be in error you may go here:  421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp  ". The full command sent was "MAIL FROM:  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.



Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 : Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/).  ". The full command sent was "RCPT TO:<[email protected].se>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Answer : Exchange Event Log Analysis NDR Backscatter? Intruder?

That sounds like you were an authenticated relay - please have a read of my FAQ relating to similar problems with solutions:

http://www.it-eye.co.uk/faqs/readQuestion.php?qid=4
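One way to get a quick read on an Application log export like the one quoted in the question, as an added example that is not part of the question or the answer above: the script below parses the exported entry blocks, tallies MSExchangeTransport 3030 NDR events by recipient domain and 7002 protocol warnings by remote host and rejection reason, and turns the counts into findings. A run of reputation-based 4xx rejections means the remote side is refusing mail this server is sending, which is the symptom of either relay abuse or NDR backscatter; greylisting alone is routine. The sample entries are constructed in the same layout as the quoted events (documentation IP ranges and example.* addresses, not the real hosts), and the keyword list and NDR threshold are assumptions to tune for your own volume.

```python
"""Tally Exchange 2003 MSExchangeTransport 7002/3030 events from a text export of
the Application log. Added example; sample entries, keywords and threshold are assumed."""
import re
from collections import Counter

# Constructed sample in the exported-event layout (not taken from a real server).
SAMPLE_LOG = """\
Event Type:      Warning
Event Source:      MSExchangeTransport
Event ID:      7002
Computer:      MAILSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "192.0.2.10", responded to the SMTP command "rcpt" with "421 4.7.1 Client host rejected: Abusive activity detected - relay temporarily suppressed  ". The full command sent was "RCPT TO:  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Error
Event Source:      MSExchangeTransport
Event ID:      3030
Computer:      MAILSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;forged-sender@example.net (Message-ID <abc123@example.org>).

Event Type:      Warning
Event Source:      MSExchangeTransport
Event ID:      7002
Computer:      MAILSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "198.51.100.7", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source.  421-Please retry delivery later.  ". The full command sent was "MAIL FROM:  ".  This may cause the connection to fail.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event ID:      7002
Computer:      MAILSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "203.0.113.5", responded to the SMTP command "rcpt" with "450 4.7.1 : Sender address rejected: Service unavailable, greylisted  ". The full command sent was "RCPT TO:<user@example.se>  ".  This may cause the connection to fail.
"""

ENTRY_SPLIT = re.compile(r"(?m)^(?=Event Type:)")
HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
REMOTE_RE = re.compile(r'The remote host "([^"]+)", responded to the SMTP command "(\w+)" with "(\d{3})[ -]')
NDR_RE = re.compile(r"status code of (\d\.\d\.\d) was generated for recipient rfc822;([^\s(]+)")
# Assumed keyword list for reputation/blocklist style rejections; extend for your peers.
REPUTATION_WORDS = ("spam", "abusive", "blacklist", "blocklist", "reputation", "rbl", "dnsbl")

def parse_entries(text):
    """Split an exported log into dicts of header fields plus a one-line Description."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text):
        if not chunk.strip():
            continue
        head, _, desc = chunk.partition("Description:")
        entry = {}
        for line in head.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                entry[m.group(1)] = m.group(2).strip()
        entry["Description"] = " ".join(desc.split())  # collapse wrapped lines
        entries.append(entry)
    return entries

def classify_7002(description):
    """Extract remote host, SMTP verb and reply code from a 7002 warning; tag the reason."""
    m = REMOTE_RE.search(description)
    if not m:
        return None
    host, verb, code = m.groups()
    low = description.lower()
    if "greylist" in low:
        reason = "greylisted"
    elif any(w in low for w in REPUTATION_WORDS):
        reason = "reputation"
    else:
        reason = "other"
    return {"host": host, "verb": verb, "code": code, "reason": reason}

def summarize(text):
    """Count NDRs by recipient domain and 7002 rejections by remote host and reason."""
    s = {"ndr_total": 0, "ndr_by_domain": Counter(),
         "rejections_by_host": Counter(), "rejections_by_reason": Counter()}
    for e in parse_entries(text):
        if e.get("Event Source") != "MSExchangeTransport":
            continue
        if e.get("Event ID") == "3030":
            m = NDR_RE.search(e["Description"])
            if m:
                s["ndr_total"] += 1
                s["ndr_by_domain"][m.group(2).rsplit("@", 1)[-1].lower()] += 1
        elif e.get("Event ID") == "7002":
            r = classify_7002(e["Description"])
            if r:
                s["rejections_by_host"][r["host"]] += 1
                s["rejections_by_reason"][r["reason"]] += 1
    return s

def assess(summary, ndr_threshold=100):
    """Turn the tallies into findings; the threshold is an assumed starting point."""
    findings = []
    if summary["rejections_by_reason"]["reputation"]:
        findings.append("remote hosts reject this server's IP on reputation: outbound "
                        "traffic is the problem (relay abuse or NDR backscatter)")
    if summary["ndr_total"] >= ndr_threshold:
        findings.append("NDR volume is abnormal; check who the NDRs are addressed to")
    return findings

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print({k: (dict(v) if isinstance(v, Counter) else v) for k, v in report.items()})
    print(assess(report, ndr_threshold=1))
```

To use it on a real server, save the Application log from Event Viewer as a text file, read that file into `summarize` instead of `SAMPLE_LOG`, and look at `ndr_by_domain`: NDRs fanning out to many unrelated external domains point at bounces for forged senders, while a steady stream of 7002 reputation rejections from many hosts means the outbound queue itself is carrying unwanted mail.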
