Question : Exchange Event Log Analysis NDR Backscatter? Intruder?

Last month my server got was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers including the server. I now have GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/23/2009
Time:            12:46:09 AM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 ter.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed ". The full command sent was "RCPT TO: ". This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            12/22/2009
Time:            7:35:37 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;[email protected]t (Message-ID 5c@calruralwater.org>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:31 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source. 421-Please retry delivery later. 421-If you believe this may be in error you may go here: 421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp ". The full command sent was "MAIL FROM: ". This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 : Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/). ". The full command sent was "RCPT TO:<[email protected].se> ". This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Answer : Exchange Event Log Analysis NDR Backscatter? Intruder?

That sounds like you were an authenticated relay - please have a read of my FAQ relating to similar problems with solutions:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=4

Random Solutions

Problem with insert into query..

How to copy section of each field from Colm 1 to Colm 2 in excel

Permissions issue with system folder

Select rows in one table that are not in another table.

Using 7-zip from command line. Has anybody done it?

Change style of the selected menu item

I am also trying to connect MS Access to NCR Teradata. I have not been able to connect through ADODB connection - when I try to open the connection I get this error: "Can't find host [MyServer]Cop1

Analysis services - MDX date calculation

handling empty textboxes

Condition statement to change wording in div block