MultiTrends asked:
Excessive spam getting past Exchange 2007 Edge Transport server.
I have an Exchange 2007 Edge Transport server letting excessive spam through to users over the last week and a half. The auto update for anti-spam is enabled, and there are no Exchange critical updates at the Microsoft Update site. I have not installed the service pack for Exchange yet.
I need to find out how to stop the spam from getting through. Thanks for the help!
I'll assume you have things set up properly on that Edge box. The antispam measures in Exchange 2007 are ok but they aren't great. People have mixed experience with them - in general there is a ton of spam that can still get through. Microsoft has provided some handy features but the updates are infrequent and nowhere near as comprehensive as from a vendor who has a full-featured antispam product. My recommendation would be to use another service for the antispam. You can buy something from a third party that sits on those Edge servers, or install it on separate servers separate from Exchange, or go with a hosted solution. All three options have their merits and downsides. Personally, I like the hosted approach (Postini, for instance, is really good - I'm not affiliated with them but have used them a lot and they are good). Good options for running your own software are things like GFI MailEssentials, Commtouch, and MailMarshal. There are plenty of other options too. Others on here aren't big fans of the hosted approach and probably have their favorites for antispam and can make further recommendations. Good luck.
First, apply the Exchange Rollup Update 3 to the Edge; it will solve some issues.
Using a new service is not practical as we didn't troubleshoot the Edge yet.
Multitrend, can you pass the output from the command:
Get-TransportAgent
ASKER
Thanks for both posts. I installed the Security Rollup Update 3 yesterday morning, and one of my clients received 5 spam messages shortly after. Here is the output, hopefully the format is readable.
Identity Enabled Priority
-------- ------- --------
Connection Filtering Agent True 1
Address Rewriting Inbound Agent True 2
Edge Rule Agent True 3
Content Filter Agent True 4
Sender Id Agent True 5
Sender Filter Agent True 6
Recipient Filter Agent True 7
Protocol Analysis Agent True 8
Attachment Filtering Agent True 9
Address Rewriting Outbound Agent True 10
OK, agents are enabled.
Can you check that they are enabled from the GUI? Additionally, can you tell me the content filtering agent setting that you have?
ASKER
Yes, they show enabled in the GUI as well. The content filtering agent is currently set to reject messages greater than 7. I know this is higher than normal, but we had a lot of legitimate emails getting blocked, so we upped it shortly after implementing Exch2007. It has been at 7 for many months with no problems until the last week and a half or so.
Thanks,
Q
Mmmm, OK, it becomes tricky.
1- Make sure that partner permissions are removed from the receive and send connector.
Let us see what the logs say:
Get-AgentLog -StartDate "4/17/2007 8:00 AM" -EndDate "4/17/2007 2:00 PM"
Just adjust the dates to the date and time of the spam you got.
ASKER
The output is 25MB. Is there something in particular you were wanting to find out?
ASKER
Here is one of the spam messages and it got flagged a 4 by the Edge server.
From: Patrick Jacob [mailto:knburn@hay.net]
Sent: July 23, 2007 3:03 PM
To: Recipient
Subject: carcinogen combatted diversionary
cape defraud, conklin concerto cryostat, congressman allusion. brucellosis astigmatic dietz bolshevism
appeal compress aerobic. dialysis abbreviate chocolate batavia curve budget bushy additive
celia consolation analyst avow. congenial breadth buzz dim beheld cafeteria counterargument
You can restrict the time and the sender so we can know where the issue is.
Also, are spam updates installed? Do you use Forefront?
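One way to narrow a multi-megabyte agent log to the window and sender in question, as an added example for the Exchange 2007 Management Shell (not code from the thread); the time window and sender address are constructed from the sample message above, and the property names are those shown in the agent log entries.

```powershell
# Added example: triage the Edge agent log for one spam window instead of
# reading the whole dump. Assumes the Exchange 2007 Management Shell on the
# Edge Transport server. Window and sender are constructed from the thread.
$start  = "7/23/2007 2:30 PM"
$end    = "7/23/2007 3:30 PM"
$sender = "knburn@hay.net"

$log = Get-AgentLog -StartDate $start -EndDate $end

# 1. Which agent made how many decisions, and with what action?
#    Rejections by Connection/Sender/Recipient filters show up here; if
#    nearly everything is "Content Filter Agent, AcceptMessage", the
#    earlier agents are not catching anything.
$log | Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. SCL distribution of what the Content Filter accepted vs rejected.
#    If most accepted spam scores 4-6, the reject threshold of 7 is the gap
#    (the sample message above scored 4 and was accepted).
$log | Where-Object { $_.Agent -eq "Content Filter Agent" -and $_.Reason -eq "SCL" } |
    Group-Object ReasonData, Action |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize

# 3. Full decision trail for one sender, in event order, showing which
#    agents saw the message and why none of them rejected it. IPAddress is
#    populated on the connection-level events, not on OnEndOfData.
$log | Where-Object { $_.P1FromAddress -eq $sender } |
    Sort-Object Timestamp |
    Format-List Timestamp, IPAddress, Agent, Event, Action, Reason, ReasonData
```

Run steps 1 and 2 over a whole day to judge whether the problem is the SCL threshold or the upstream filters; step 3 is for a single suspicious message.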
ASKER
The time and sender vary a lot, so I can't restrict it very well. Here is a snippet from the agent log on the above message:
Timestamp : 23/07/2007 3:05:27 PM
SessionId : 08C99B58BA220B41
IPAddress :
MessageId : <001401c7cd86$563d7b10$0018460c@ostrava18mhz>
P1FromAddress : knburn@hay.net
P2FromAddresses : {knburn@hay.net}
Recipients : {everyone@domain.ca}
Agent : Content Filter Agent
Event : OnEndOfData
Action : AcceptMessage
SmtpResponse :
Reason : SCL
ReasonData : 4
No, I am not currently using Forefront. As far as spam updates go, I'm not sure how to tell what the date is on the current spam signature file. Microsoft update shows no Exchange updates available. The event log shows the following info about spam updates:
Date: 25/07/2007 5:35am
Event ID: 1004
Source: MSExchange Anti-spam
Starting scan for updates
Date: 25/07/2007 5:36am
Event ID: 1005
Source: MSExchange Anti-spam
Update scan complete.
I've read that you need either a Forefront Security license or Exchange Enterprise CALs in order to receive spam updates. I don't have Forefront and I am using Exchange Standard Edition but I do remember seeing spam updates at Microsoft Updates before that I downloaded.
Thanks for all your input Busbar.
ASKER
Is that it? I still need suggestions on how to resolve this spam getting through.
Thanks,
Q
ASKER CERTIFIED SOLUTION
ASKER
Thanks for getting back to me, I appreciate it.
I have Exchange's spam filtering set higher (7) because too many legit messages were being blocked in the past so I would rather not set it down to 4. I have recently configured Safelist Aggregation using the script from MS to poll every Outlook user and have set it to run every night. I also just enabled zen.spamhaus.org as an IP Block List Provider matching any return code so hopefully that last addition will make the difference. I'll monitor it and let you know.
Thanks again for all your help.
Q
Hi there.
One thing I found is that, from your agents above, you need to set the priority of the Content Filter to 3 and the Edge Filter to 4.
Because both the Edge Rule agent and the Content Filter agent run on the OnEndOfData SMTP transport event, the priority value applied to each transport agent is used to determine which transport agent runs first. By default, the Edge Rule agent runs before the Content Filter agent to reduce the cost of processing messages that may be blocked by the Edge Rule agent. However, because the Edge Rule agent runs before the Content Filter agent and therefore the SCL value has not yet been stamped on the message, you can't use the "with a spam confidence (SCL) rating that is greater than or equal to limit" transport rule condition in the default configuration.
Please read the following. Yet another product of Microsoft's that you need to hunt around for the correct configurations. :)
I also agree on a third party solution but that is if your budget allows for this. At present mine does not.
:)
http://technet.microsoft.com/en-us/library/bb691082.aspx
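The priority swap described in the last answer, as an added example for the Exchange 2007 Management Shell (not code from the thread or the linked article); it assumes the default priorities shown in the asker's Get-TransportAgent output and that the shell runs on the Edge Transport server.

```powershell
# Added example: move the Content Filter Agent ahead of the Edge Rule Agent
# so the SCL is stamped before Edge transport rules evaluate it.
# Assumes the Exchange 2007 Management Shell on the Edge server and the
# default order from the thread: Edge Rule Agent = 3, Content Filter = 4.

# Record the current order (both agents fire on OnEndOfData).
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Set the Content Filter first, then pin the Edge Rule Agent right after it.
Set-TransportAgent -Identity "Content Filter Agent" -Priority 3
Set-TransportAgent -Identity "Edge Rule Agent"      -Priority 4

# Verify the OnEndOfData ordering before restarting anything: the SCL
# transport rule condition only works if the Content Filter runs first.
$cf = (Get-TransportAgent "Content Filter Agent").Priority
$er = (Get-TransportAgent "Edge Rule Agent").Priority
if ($cf -lt $er) {
    Write-Host "Content Filter ($cf) now runs before Edge Rule ($er)."
} else {
    Write-Host "Unexpected order: Content Filter $cf, Edge Rule $er; not restarting."
    return
}

# Agent configuration changes take effect when the transport service restarts.
Restart-Service MSExchangeTransport
```

Re-run Get-TransportAgent after the restart to confirm the remaining agents were renumbered without leaving any disabled.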