Solved

Excessive spam getting past Exchange 2007 Edge Transport server.

Posted on 2007-07-23
Last Modified: 2012-05-05
I have an Exchange 2007 Edge Transport server letting in excessive spam through to users over the last week and a half. The auto update for anti-spam is enabled, there are no Exchange critical updates at Microsoft Update site. I have not installed the service pack for Exchange yet.

I need to find out how to stop the spam from getting through. Thanks for the help!
Question by MultiTrends
Expert Comment by icky2000 (ID: 19553946)
I'll assume you have things set up properly on that Edge box. The antispam measures in Exchange 2007 are OK but they aren't great. People have mixed experience with them; in general there is a ton of spam that can still get through. Microsoft has provided some handy features, but the updates are infrequent and nowhere near as comprehensive as those from a vendor with a full-featured antispam product. My recommendation would be to use another service for the antispam. You can buy something from a third party that sits on those Edge servers, install it on its own servers apart from Exchange, or go with a hosted solution. All three options have their merits and downsides. Personally, I like the hosted approach (Postini, for instance, is really good; I'm not affiliated with them but have used them a lot and they are good). Good options for running your own software are things like GFI MailEssentials, Commtouch, and MailMarshal. There are plenty of other options too. Others on here aren't big fans of the hosted approach and probably have their own favorites for antispam and can make further recommendations. Good luck.
Expert Comment by Busbar (ID: 19553981)
First, apply Exchange Update Rollup 3 to the Edge server; it will solve some issues.
Using a new service is not practical, as we haven't troubleshot the Edge server yet.
MultiTrends, can you post the output of this command?
Get-TransportAgent
Author Comment by MultiTrends (ID: 19556021)
Thanks for both posts. I installed Security Update Rollup 3 yesterday morning, and one of my clients received 5 spam messages shortly after. Here is the output; hopefully the format is readable.

Identity                                           Enabled         Priority      
--------                                           -------         --------      
Connection Filtering Agent                         True            1              
Address Rewriting Inbound Agent                    True            2              
Edge Rule Agent                                    True            3              
Content Filter Agent                               True            4              
Sender Id Agent                                    True            5              
Sender Filter Agent                                True            6              
Recipient Filter Agent                             True            7              
Protocol Analysis Agent                            True            8              
Attachment Filtering Agent                         True            9              
Address Rewriting Outbound Agent                   True            10            
Expert Comment by Busbar (ID: 19557233)
OK, the agents are enabled.
Can you check that they are enabled from the GUI as well? Additionally, can you tell me the Content Filter agent settings that you have?
Author Comment by MultiTrends (ID: 19557432)
Yes, they show as enabled in the GUI as well. The Content Filter agent is currently set to reject messages greater than 7. I know this is higher than normal, but we had a lot of legitimate emails getting blocked, so we raised it shortly after implementing Exchange 2007. It has been at 7 for many months with no problems until the last week and a half or so.

Thanks,
Q
Expert Comment by Busbar (ID: 19557485)
Hmm, OK, it becomes tricky.
1. Make sure that partner permissions are removed from the Receive and Send connectors.
Let us see what the logs say:
Get-AgentLog -StartDate "4/17/2007 8:00 AM" -EndDate "4/17/2007 2:00 PM"
Just adjust the dates to the date and time of the spam you got.
Author Comment by MultiTrends (ID: 19557632)
The output is 25MB. Is there something in particular you were wanting to find out?
Author Comment by MultiTrends (ID: 19557710)
Here is one of the spam messages and it got flagged a 4 by the Edge server.

From: Patrick Jacob [mailto:knburn@hay.net]
Sent: July 23, 2007 3:03 PM
To: Recipient
Subject: carcinogen combatted diversionary

cape defraud, conklin concerto cryostat, congressman allusion. brucellosis astigmatic dietz bolshevism
appeal compress aerobic. dialysis abbreviate chocolate batavia curve budget bushy additive
celia consolation analyst avow. congenial breadth buzz dim beheld cafeteria counterargument
Expert Comment by Busbar (ID: 19562753)
You can restrict the time and the sender so we can find out where the issue is.

Also, are the spam updates installed? Do you use Forefront?
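Narrowing the agent log the way Busbar suggests, as an added example that is not part of the original thread. It runs in the Exchange Management Shell on the Edge Transport server; the sender and time window are taken from the spam sample quoted above, and everything else (the window width, the property names being non-empty for the connection-stage entries) is an assumption about the 2007 agent log format.

```powershell
# Added example (not from the thread): narrow the Edge agent log to one message
# and summarise what the filters decided. Run in the Exchange Management Shell on
# the Edge Transport server. Sender and window come from the quoted sample.

$sender = "knburn@hay.net"
$start  = Get-Date "2007-07-23 15:00"
$end    = Get-Date "2007-07-23 15:10"

# 1. Every agent decision recorded for that sender in the window, oldest first.
#    One message normally produces several entries (Connection Filter, Sender ID,
#    Content Filter, ...) tied together by SessionId and MessageId.
$forSender = Get-AgentLog -StartDate $start -EndDate $end |
    Where-Object { $_.P1FromAddress -eq $sender }

$forSender | Sort-Object Timestamp |
    Format-Table Timestamp, Agent, Event, Action, Reason, ReasonData, IPAddress -AutoSize

# 2. Which connecting IP delivered it. The Content Filter entry carries no
#    IPAddress (as in the snippet in this thread); the connection-stage entries
#    for the same SessionId do, and that IP is what an IP block list would act on.
$sessions = $forSender | Select-Object -ExpandProperty SessionId -Unique
Get-AgentLog -StartDate $start -EndDate $end |
    Where-Object { $sessions -contains $_.SessionId -and $_.IPAddress } |
    Select-Object SessionId, IPAddress, Agent, Action -Unique

# 3. SCL distribution for the whole window. If most of the leaked spam sits at
#    SCL 4-6, the reject threshold of 7 is why it is accepted, and a signature
#    update alone will not change that.
Get-AgentLog -StartDate $start -EndDate $end |
    Where-Object { $_.Agent -eq "Content Filter Agent" -and $_.Reason -eq "SCL" } |
    Group-Object ReasonData |
    Sort-Object { [int]$_.Name } |
    Format-Table @{Label="SCL"; Expression={$_.Name}}, Count -AutoSize
```

Filtering on `P1FromAddress` (the SMTP envelope sender) rather than the header `From:` matters here, because the envelope address is what the Sender Filter and Sender ID agents evaluate; the two can differ on forged mail.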
Author Comment by MultiTrends (ID: 19565211)
The time and sender vary a lot, so I can't restrict it very well. Here is a snippet from the agent log for the above message:
Timestamp       : 23/07/2007 3:05:27 PM
SessionId       : 08C99B58BA220B41
IPAddress       :
MessageId       : <001401c7cd86$563d7b10$0018460c@ostrava18mhz>
P1FromAddress   : knburn@hay.net
P2FromAddresses : {knburn@hay.net}
Recipients      : {everyone@domain.ca}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : AcceptMessage
SmtpResponse    :
Reason          : SCL
ReasonData      : 4

No, I am not currently using Forefront. As far as spam updates go, I'm not sure how to tell what the date is on the current spam signature file. Microsoft update shows no Exchange updates available. The event log shows the following info about spam updates:

Date: 25/07/2007 5:35am
Event ID: 1004
Source: MSExchange Anti-spam
Starting scan for updates

Date: 25/07/2007 5:36am
Event ID: 1005
Source: MSExchange Anti-spam
Update scan complete.

I've read that you need either a Forefront Security license or Exchange Enterprise CALs in order to receive spam updates. I don't have Forefront and I am using Exchange Standard Edition but I do remember seeing spam updates at Microsoft Updates before that I downloaded.

Thanks for all your input Busbar.

Author Comment by MultiTrends (ID: 19630925)
Is that it? I still need suggestions on how to resolve this spam getting through??

Thanks,
Q
Accepted Solution by Busbar (earned 2000 total points, ID: 19631469)
Sorry, MultiTrends, I was busy the past few days.
It seems that the message is passing because its SCL is 4, so you can configure the agent to reject messages at an SCL of 4, then add the required safe senders to the safe list on the client side and configure safelist aggregation.
http://technet.microsoft.com/en-us/library/aa998280.aspx
In addition, I recommend using an RBL like Spamhaus, as it will allow you to reject messages at connection time and reduce the spam level.
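The configuration Busbar describes (threshold, safelist aggregation, RBL), plus a check that the anti-spam update channel is actually enabled, as an added example rather than a command set from the thread. It runs in the Exchange Management Shell on the Edge Transport server except where the comment says otherwise. The quarantine staging, the threshold values, the quarantine mailbox address and the assumption that an EdgeSync subscription exists are all mine, not the thread's; the cmdlets themselves are standard Exchange 2007 anti-spam cmdlets.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on
# the Edge Transport server unless a comment says otherwise. Threshold values,
# the quarantine mailbox and the EdgeSync assumption are placeholders to adjust.

# 0. Confirm the update channel before tuning anything. The 1004/1005 event pairs
#    only say a scan ran; this shows whether signature and IP reputation updates
#    are even enabled on this server.
Get-AntispamUpdates | Format-List

# 1. Content Filter thresholds. The thread runs the reject threshold at 7; Busbar
#    suggests 4. A staged alternative that is easier to roll back: keep reject at 7
#    but quarantine 5 and above, so borderline mail is held for review instead of
#    delivered. Quarantine needs a mailbox to receive the copies (assumed address).
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox "spamquarantine@domain.ca"
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox

# 2. IP block list provider. zen.spamhaus.org combines the SBL, XBL and PBL zones,
#    so matching any return code rejects all three classes at the connection
#    stage, before the Content Filter ever sees the message.
Add-IPBlockListProvider -Name "Spamhaus ZEN" -LookupDomain "zen.spamhaus.org" `
    -AnyMatch $true -Enabled $true

# Spamhaus documents 127.0.0.2 as an always-listed test address; a "listed"
# result proves DNS resolution from this box and the provider configuration work.
Test-IPBlockListProvider -Identity "Spamhaus ZEN" -IPAddress 127.0.0.2

# 3. Safelist aggregation. Run on a Hub Transport or Mailbox server, not on the
#    Edge: push each user's Outlook Safe Senders into Active Directory so the
#    Content Filter bypasses them, then let EdgeSync carry the data to the Edge.
#    This is what makes a lower reject threshold tolerable for legitimate mail.
Get-Mailbox -ResultSize Unlimited | Update-SafeList -Type SafeSenders
Start-EdgeSynchronization   # assumes an EdgeSync subscription is already in place
```

Order matters for the cost of each step: the block list runs in the Connection Filter agent (priority 1 in the agent list above) and rejects at SMTP connection time, so the mail it stops never reaches the Content Filter, while threshold changes only affect mail that has already been accepted for scanning. Re-run the agent-log SCL distribution after the change to see how much the block list removed before content filtering.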
Author Comment by MultiTrends (ID: 19645979)
Thanks for getting back to me, I appreciate it.

I have Exchange's spam filtering set higher (7) because too many legit messages were being blocked in the past so I would rather not set it down to 4. I have recently configured Safelist Aggregation using the script from MS to poll every Outlook user and have set it to run every night. I also just enabled zen.spamhaus.org as an IP Block List Provider matching any return code so hopefully that last addition will make the difference. I'll monitor it and let you know.

Thanks again for all your help.
Q
Expert Comment by saltrock2k (ID: 24136340)
Hi there.

One thing I found is that, from your agents above, you need to set the priority of the Content Filter to 3 and the Edge Filter to 4.

Because both the Edge Rule agent and the Content Filter agent run on the OnEndOfData SMTP transport event, the priority value applied to each transport agent is used to determine which transport agent runs first. By default, the Edge Rule agent runs before the Content Filter agent to reduce the cost of processing messages that may be blocked by the Edge Rule agent. However, because the Edge Rule agent runs before the Content Filter agent and therefore the SCL value has not yet been stamped on the message, you can't use the "with a spam confidence level (SCL) rating that is greater than or equal to limit" transport rule condition in the default configuration.

Please read the following. Yet another Microsoft product where you need to hunt around for the correct configuration. :)

I also agree on a third party solution but that is if your budget allows for this. At present mine does not.
:)


http://technet.microsoft.com/en-us/library/bb691082.aspx
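The reordering saltrock2k describes, as an added example (not from the thread or the linked article's text as reproduced here), run in the Exchange Management Shell on the Edge Transport server. It assumes the default agent order shown in MultiTrends' Get-TransportAgent output above.

```powershell
# Added example (not from the thread): move the Content Filter ahead of the Edge
# Rule agent so the SCL is stamped before transport rules are evaluated, and
# verify the result. Run in the Exchange Management Shell on the Edge server.

# Before: Edge Rule Agent = 3, Content Filter Agent = 4 (the default order).
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Setting the Content Filter to priority 3 pushes the Edge Rule agent down to 4;
# the remaining agents keep their relative order.
Set-TransportAgent -Identity "Content Filter Agent" -Priority 3

# After: Content Filter Agent = 3, Edge Rule Agent = 4.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# The new order takes effect for new SMTP sessions once the transport service
# restarts; in-flight sessions finish under the old order.
Restart-Service MSExchangeTransport
```

The trade-off is the one the quoted text names: every message now pays for content filtering before a transport rule gets a chance to drop it, so this only makes sense when a rule actually needs the SCL value. A rule that rejects on SCL at a lower value than the Content Filter's own reject threshold, scoped to a high-risk recipient such as a list address, is the usual reason to do it.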