04/29/2009 at 04:31AM PDT, ID: 24365060

Exchange 2007 routing spam but it is not an open relay

Asked by wl6538 in Exchange Email Server, Simple Mail Transfer Protocol (SMTP), Email Servers

Tags: exchange 2007 spam relay

Dear experts,

I am experiencing a strange spam issue with my Exchange 2007 server (with the latest service pack and rollups) recently.

My config is:

Exchange 2007 SP1 with latest rollup (x64)
Windows Server 2008 x64
TrendMicro ScanMail (for spam and AV filtering)

I have checked that I am NOT an open relay by telnetting to Exchange port 25.

Also, I have set Accepted Domains in Hub Transport, and they are limited to my own domains only.

My problem is:

I am getting outgoing spam from my Exchange server on the outgoing SMTP connector; the frequency of this problem is about 3 to 4 spam messages a day that get through my outgoing SMTP connector.

Based on what I see from the message tracking tool, I can see that the spam comes through the incoming SMTP first, destined to one of our real email addresses local to our domain (as well as a bunch of other non-local email addresses in the CC: field); the spam is then quarantined by the content filter using an SCL rating of 7 on our Exchange server.

However, the spam message somehow gets through to our outgoing SMTP connector and the message gets sent to the non-local recipients in the CC: field.

Please find below outgoing and incoming SMTP logs and the relevant part of message tracking log, as well as the header of the spam message itself.


Some notes:

For illustration purposes, our domain is mydomain.com (public) and mydomain.local (LAN).

Our Exchange mail server is called SPOCK.

In these logs I have changed the real user name to real_local_user.

Our ISP's SMTP smart host that I use for outgoing mail is from fluidata.co.uk.

The spammers are spoofing hmrc.gov.uk in this case.

Here are the logs:

SMTP receive log:

2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,0,192.168.116.4:25,123.18.150.215:4384,+,,
2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,1,192.168.116.4:25,123.18.150.215:4384,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2009-04-29T09:47:38.467Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,2,192.168.116.4:25,123.18.150.215:4384,>,"220 spock.mydomain.local Microsoft ESMTP MAIL Service ready at Wed, 29 Apr 2009 10:47:37 +0100",
2009-04-29T09:47:39.036Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,3,192.168.116.4:25,123.18.150.215:4384,<,HELO hmrc.gov.uk,
2009-04-29T09:47:39.037Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,4,192.168.116.4:25,123.18.150.215:4384,>,250 spock.mydomain.local Hello [123.18.150.215],
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,5,192.168.116.4:25,123.18.150.215:4384,<,MAIL FROM: <operator_num_83wgf@hmrc.gov.uk>,
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,6,192.168.116.4:25,123.18.150.215:4384,*,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;1,receiving message
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,7,192.168.116.4:25,123.18.150.215:4384,>,250 2.1.0 Sender OK,
2009-04-29T09:47:40.261Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,8,192.168.116.4:25,123.18.150.215:4384,<,RCPT TO: <real_local_user@mydomain.com>,
2009-04-29T09:47:40.264Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,9,192.168.116.4:25,123.18.150.215:4384,>,250 2.1.5 Recipient OK,
2009-04-29T09:47:40.812Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,10,192.168.116.4:25,123.18.150.215:4384,<,DATA,
2009-04-29T09:47:40.813Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,11,192.168.116.4:25,123.18.150.215:4384,>,354 Start mail input; end with <CRLF>.<CRLF>,
2009-04-29T09:47:42.130Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,12,192.168.116.4:25,123.18.150.215:4384,>,250 2.6.0 <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4> Queued mail for delivery,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,13,192.168.116.4:25,123.18.150.215:4384,<,QUIT,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,14,192.168.116.4:25,123.18.150.215:4384,>,221 2.0.0 Service closing transmission channel,
2009-04-29T09:47:42.692Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,15,192.168.116.4:25,123.18.150.215:4384,-,,Local
SMTP send log:

2009-04-29T09:47:42.269Z,Main SMTP Send Connector,08CB96538CAC4E8E,0,,89.105.96.56:25,*,,attempting to connect
2009-04-29T09:47:42.277Z,Main SMTP Send Connector,08CB96538CAC4E8E,1,192.168.116.4:2037,89.105.96.56:25,+,,
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,2,192.168.116.4:2037,89.105.96.56:25,<,"220 smtp2.fluidata.co.uk ESMTP Sendmail 8.13.8/8.13.8; Wed, 29 Apr 2009 10:49:43 +0100",
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,3,192.168.116.4:2037,89.105.96.56:25,>,EHLO spock.mydomain.com,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,4,192.168.116.4:2037,89.105.96.56:25,<,"250-smtp2.fluidata.co.uk Hello mydomain.com.fluidata.co.uk [mydomain.com] (may be forged), pleased to meet you",
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,5,192.168.116.4:2037,89.105.96.56:25,<,250-ENHANCEDSTATUSCODES,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,6,192.168.116.4:2037,89.105.96.56:25,<,250-PIPELINING,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,7,192.168.116.4:2037,89.105.96.56:25,<,250-8BITMIME,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,8,192.168.116.4:2037,89.105.96.56:25,<,250-SIZE,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,9,192.168.116.4:2037,89.105.96.56:25,<,250-DSN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,10,192.168.116.4:2037,89.105.96.56:25,<,250-ETRN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,11,192.168.116.4:2037,89.105.96.56:25,<,250-DELIVERBY,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,12,192.168.116.4:2037,89.105.96.56:25,<,250 HELP,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,13,192.168.116.4:2037,89.105.96.56:25,*,419,sending message
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,14,192.168.116.4:2037,89.105.96.56:25,>,MAIL FROM:<operator_num_83wgf@hmrc.gov.uk> SIZE=11988,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,15,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@cnsfarnell.com>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,16,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@city.ac.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,17,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@excite.co.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,18,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@elsevier.com>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,19,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@bywaters.co.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,20,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@bradfordcollege.ac.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,21,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@breathe.com>,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,22,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.0 <operator_num_83wgf@hmrc.gov.uk>... Sender ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,23,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@cnsfarnell.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,24,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@city.ac.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,25,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@excite.co.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,26,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@elsevier.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,27,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@bywaters.co.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,28,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@bradfordcollege.ac.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,29,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@breathe.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,30,192.168.116.4:2037,89.105.96.56:25,>,DATA,
2009-04-29T09:47:42.607Z,Main SMTP Send Connector,08CB96538CAC4E8E,31,192.168.116.4:2037,89.105.96.56:25,<,"354 Enter mail, end with ""."" on a line by itself",
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,32,192.168.116.4:2037,89.105.96.56:25,<,250 2.0.0 n3T9nhiG006511 Message accepted for delivery,
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,33,192.168.116.4:2037,89.105.96.56:25,>,QUIT,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,34,192.168.116.4:2037,89.105.96.56:25,<,221 2.0.0 smtp2.fluidata.co.uk closing connection,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,35,192.168.116.4:2037,89.105.96.56:25,-,,Local
message tracking log:
2009-04-29T09:47:42.130Z,123.18.150.215,,192.168.116.4,spock,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,,,7408,1,,,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,00A:
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@mydomain.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bradfordcollege.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@breathe.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bywaters.co.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@city.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@cnsfarnell.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@elsevier.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@excite.co.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.268Z,,,,spock,Quarantine,,DSN,DSN,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,email_admin@mydomain.com,,18010,1,,,Undeliverable: ,postmaster@mydomain.com,<>,
2009-04-29T09:47:42.322Z,,spock,,spock,,,STOREDRIVER,DELIVER,419,,real_local_user@mydomain.com,,11988,1,,,,,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
2009-04-29T09:47:42.985Z,,spock,,spock,,,STOREDRIVER,DELIVER,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,email_admin@mydomain.com,,18491,1,,,Undeliverable: ,postmaster@mydomain.com,Administrator@mydomain.com,
2009-04-29T09:47:43.448Z,192.168.116.4,spock,89.105.96.56,smtp2.fluidata.co.uk,08CB96538CAC4E8E,Main SMTP Send Connector,SMTP,SEND,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,real_local_user@cnsfarnell.com;real_local_user@city.ac.uk;real_local_user@excite.co.uk;real_local_user@elsevier.com;real_local_user@bywaters.co.uk;real_local_user@bradfordcollege.ac.uk;real_local_user@breathe.com,250 2.1.5 <real_local_user@cnsfarnell.com>... Recipient ok;250 2.1.5 <real_local_user@city.ac.uk>... Recipient ok;250 2.1.5 <real_local_user@excite.co.uk>... Recipient ok;250 2.1.5 <real_local_user@elsevier.com>... Recipient ok;250 2.1.5 <real_local_user@bywaters.co.uk>... Recipient ok;250 2.1.5 <real_local_user@bradfordcollege.ac.uk>... Recipient ok;250 2.1.5 <real_local_user@breathe.com>... Recipient ok,11984,7,,;;;;;;,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z


the spam message header:

Delivery of this message to the following recipients or distribution lists is quarantined:

real_local_user@mydomain.com

Subject:


--------------------------------------------------------------------------------
Sent by Microsoft Exchange Server 2007






Diagnostic information for administrators:

Generating server: mydomain.local

real_local_user@mydomain.com
#550 5.2.1 Content Filter agent quarantined this message ##

Original message headers:

thread-index: AcnIr4pOQbUab6mNS6mROwyg1OsA5Q==
Received: from hmrc.gov.uk (123.18.150.215) by spock.mydomain.local (192.168.116.4) with Microsoft SMTP Server id 8.1.358.0; Wed, 29 Apr 2009 10:47:40 +0100
Message-ID: <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>
From: "HMRC Tax Refunds On-line" <operator_num_83wgf@hmrc.gov.uk>
To: <real_local_user@mydomain.com>
BCC: <real_local_user@bradfordcollege.ac.uk>,
      <real_local_user@breathe.com>,
      <real_local_user@bywaters.co.uk>,
      <real_local_user@city.ac.uk>,
      <real_local_user@cnsfarnell.com>,
      <real_local_user@elsevier.com>,
      <real_local_user@excite.co.uk>
Subject: HM Revenue and Customs Notification Tax refund (Internal Revenue Service)
Content-Transfer-Encoding: 7bit
Date: Thu, 30 Apr 2009 04:45:55 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_0004_01C9C94E.8C659770";
      type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
Return-Path: <operator_num_83wgf@hmrc.gov.uk>
Received-SPF: None (spock.mydomain.local: operator_num_83wgf@hmrc.gov.uk does not designate permitted sender hosts)
X-TM-AS-Product-Ver: SMEX-8.0.0.4125-5.600.1016-16610.003
X-TM-AS-Result: Yes-64.271900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
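
The three logs above can be correlated mechanically: the receive log records which RCPT TO addresses the remote client actually gave, the tracking log's SMTP RECEIVE row carries that receive session id in its source-context field and assigns the internal message id, and every later AGENT/STOREDRIVER/SEND row for that message shares the internal id. The script below is an added example, not code from the original post or from any of its answers; it parses both logs with the column layout visible above and flags any message that left the server for recipients that were never in the inbound envelope, reporting which transport source first logged the extra recipients. The sample log lines are constructed to mirror the post (the external recipient domains are replaced with partner-*.example placeholders, and the second, clean session is invented as a control), and ACCEPTED_DOMAINS is assumed to mirror the Hub Transport Accepted Domains list.

```python
"""Correlate an Exchange 2007 SMTP receive log with its message tracking log and
flag messages sent to recipients that were not in the inbound SMTP envelope."""
import csv
import io

# Assumption: the organisation's Accepted Domains (placeholders from the post).
ACCEPTED_DOMAINS = {"mydomain.com", "mydomain.local"}

# Constructed sample input modelled on the post's receive log. Columns:
# date,connector,session-id,sequence,local-endpoint,remote-endpoint,event,data,context
RECEIVE_LOG = r"""
2009-04-29T09:47:39.036Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,3,192.168.116.4:25,123.18.150.215:4384,<,HELO hmrc.gov.uk,
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,5,192.168.116.4:25,123.18.150.215:4384,<,MAIL FROM: <operator_num_83wgf@hmrc.gov.uk>,
2009-04-29T09:47:40.261Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,8,192.168.116.4:25,123.18.150.215:4384,<,RCPT TO: <real_local_user@mydomain.com>,
2009-04-29T09:47:42.130Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,12,192.168.116.4:25,123.18.150.215:4384,>,250 2.6.0 <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4> Queued mail for delivery,
2009-04-29T10:02:11.000Z,SPOCK\Default SPOCK,08CB96538CAC4F00,8,192.168.116.4:25,192.168.116.50:1101,<,RCPT TO: <contact@partner-c.example>,
2009-04-29T10:02:12.000Z,SPOCK\Default SPOCK,08CB96538CAC4F00,12,192.168.116.4:25,192.168.116.50:1101,>,250 2.6.0 <legit-0001@spock.mydomain.local> Queued mail for delivery,
"""

# Constructed sample modelled on the post's tracking log. Columns (Exchange 2007):
# date,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,
# source,event-id,internal-message-id,message-id,recipient-address,recipient-status,...
TRACKING_LOG = r"""
2009-04-29T09:47:42.130Z,123.18.150.215,,192.168.116.4,spock,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,,,7408,1,,,HM Revenue and Customs Notification Tax refund,operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,00A:
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@mydomain.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@partner-a.example,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@partner-b.example,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.322Z,,spock,,spock,,,STOREDRIVER,DELIVER,419,,real_local_user@mydomain.com,,11988,1,,,,,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
2009-04-29T09:47:43.448Z,192.168.116.4,spock,89.105.96.56,smtp2.fluidata.co.uk,08CB96538CAC4E8E,Main SMTP Send Connector,SMTP,SEND,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,real_local_user@partner-a.example;real_local_user@partner-b.example,250 2.1.5 ok;250 2.1.5 ok,11984,2,,;,HM Revenue and Customs Notification Tax refund,operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
2009-04-29T10:02:12.000Z,192.168.116.50,,192.168.116.4,spock,08CB96538CAC4F00;2009-04-29T10:02:10.000Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,421,<legit-0001@spock.mydomain.local>,,,2048,1,,,Meeting notes,real_local_user@mydomain.com,real_local_user@mydomain.com,00A:
2009-04-29T10:02:13.000Z,192.168.116.4,spock,89.105.96.56,smtp2.fluidata.co.uk,08CB96538CAC4F01,Main SMTP Send Connector,SMTP,SEND,421,<legit-0001@spock.mydomain.local>,contact@partner-c.example,250 2.1.5 ok,2048,1,,,Meeting notes,real_local_user@mydomain.com,real_local_user@mydomain.com,2009-04-29T10:02:11.000Z
"""


def _addr(raw):
    """Normalise '<User@Domain>' or 'User@Domain' to lower-case user@domain."""
    return raw.strip().strip("<>").lower()


def parse_receive_log(text):
    """Map receive session id -> envelope recipients and the queued Message-ID."""
    sessions = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8:          # blank line or truncated row
            continue
        session, event, data = row[2], row[6], row[7]
        s = sessions.setdefault(session, {"rcpt": set(), "message_id": None})
        if event == "<" and data.upper().startswith("RCPT TO:"):
            s["rcpt"].add(_addr(data.split(":", 1)[1]))
        elif event == ">" and data.startswith("250 2.6.0 "):
            s["message_id"] = data.split()[2]   # "<id>" echoed in the 250 reply
    return sessions


def parse_tracking_log(text):
    """Flatten tracking rows to the fields needed for correlation."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 12:
            continue
        rows.append({
            "source_context": row[5], "source": row[7], "event": row[8],
            "internal_id": row[9], "message_id": row[10],
            "recipients": {_addr(r) for r in row[11].split(";") if r.strip()},
        })
    return rows


def find_envelope_mismatches(receive_text, tracking_text, accepted=ACCEPTED_DOMAINS):
    """Return {internal-message-id: finding} for every message whose SEND
    recipients include addresses absent from the inbound RCPT TO list."""
    sessions = parse_receive_log(receive_text)
    events = parse_tracking_log(tracking_text)
    findings = {}
    for ev in events:
        if not (ev["source"] == "SMTP" and ev["event"] == "RECEIVE"):
            continue
        # source-context of the SMTP RECEIVE row starts with the receive session id
        session = sessions.get(ev["source_context"].split(";")[0])
        if session is None:
            continue
        envelope = session["rcpt"]
        same = [o for o in events if o["internal_id"] == ev["internal_id"]]
        outbound = set().union(*(o["recipients"] for o in same if o["event"] == "SEND"))
        extra = outbound - envelope
        if not extra:
            continue
        findings[ev["internal_id"]] = {
            "message_id": ev["message_id"],
            "envelope": sorted(envelope),
            "extra_outbound": sorted(extra),
            # extra recipients outside the Accepted Domains left the organisation
            "external_extra": sorted(a for a in extra if a.rsplit("@", 1)[-1] not in accepted),
            # transport sources whose non-SEND rows first carried the extra recipients
            "introduced_by": sorted({o["source"] for o in same
                                     if o["event"] != "SEND" and o["recipients"] & extra}),
        }
    return findings


if __name__ == "__main__":
    for internal_id, f in find_envelope_mismatches(RECEIVE_LOG, TRACKING_LOG).items():
        print(internal_id, f["message_id"])
        print("  envelope      :", f["envelope"])
        print("  extra outbound:", f["extra_outbound"], "introduced by", f["introduced_by"])
```

Run against real logs by reading the files from the Hub Transport's ProtocolLog\SmtpReceive and MessageTracking folders into the two text arguments; the clean control session (internal id 421) produces no finding, while the spam session reports the recipients that appeared only after the AGENT RECEIVE rows. That distinction, not the SCL verdict, is the useful signal here: it tells you which stage of the pipeline turned a one-recipient envelope into a multi-recipient outbound message.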




04/29/09 05:35 AM, ID: 24259686 (Solution)

About this solution

Solution Provided By: AJermo
Participating Experts: 1
Solution Grade: B

04/29/09 06:19 AM, ID: 24260064 (Author Comment)

04/29/09 06:47 AM, ID: 24260370 (Assisted Solution)

05/01/09 04:21 AM, ID: 24278073 (Author Comment)

05/05/09 11:23 AM, ID: 24307529 (Author Comment)