Question : Exchange Event Log Analysis NDR Backscatter? Intruder?

Last month my server got was hit by an attack that generated hundreds of these types of errors. I stopped outbound mail, cleaned up the queues, and addressed the blacklist issues. I have scanned all computers including the server. I now have GFI spam app in place. Any suggestions on what additional steps I can take to prevent this type of attack in the future? I am running SBS 2003.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/23/2009
Time:            12:46:09 AM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #7480. The remote host "216.17.222.224", responded to the SMTP command "rcpt" with "421 4.7.1 ter.org[71.6.54.234]>: Client host rejected: Abusive activity detected - relay temporarily suppressed ". The full command sent was "RCPT TO: ". This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            12/22/2009
Time:            7:35:37 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
A non-delivery report with a status code of 5.2.0 was generated for recipient rfc822;[email protected]t (Message-ID 5c@calruralwater.org>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:31 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #355. The remote host "207.67.72.231", responded to the SMTP command "mail" with "421-Connection dropped because your IP is a suspected spam source. 421-Please retry delivery later. 421-If you believe this may be in error you may go here: 421 http://www.commtouch.com/Site/Resources/Check_IP_Reputation.asp ". The full command sent was "MAIL FROM: ". This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            12/22/2009
Time:            7:35:36 PM
User:            N/A
Computer:      CALWATERSERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #366. The remote host "62.168.128.20", responded to the SMTP command "rcpt" with "450 4.7.1 : Sender address rejected: Service unavailable, greylisted (http://projects.puremagic.com/greylisting/). ". The full command sent was "RCPT TO:<[email protected].se> ". This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Answer : Exchange Event Log Analysis NDR Backscatter? Intruder?

That sounds like you were an authenticated relay - please have a read of my FAQ relating to similar problems with solutions:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=4

Random Solutions

Color Translator

what are the rules in windows 7 with CAL's with terminal server connections?

Access 2007 Subtract Multiple Values in Report

How to print table structure in VFP 9

Cannot delete users from site collection on wss 3.0

Operator '>' can not be applied to operands of type double or decimal

to_date MS-Access

Flash will only work when I run IE in admin mode

How to populated a row of a subFORM, with too much collumns of values and no scrollbars

access 2003 parse data length undetermined