gorlaz
asked on
Spam still being received with MessageLabs implemented
Hi,
We're using MessageLabs to scan all our incoming email (on an SBS2k3 server) for spam and viruses. This works by redirecting the MX record to them and then allowing their IPs to send mail in via filtering on the router. A block filter has been set on incoming traffic to their IP, and Allow rules allow the MessageLabs IPs to send through to the mail server on port 25. There are no SMTP connectors or POP connectors set up.
My issue is that I'm still receiving spam, as it seems to be coming directly to the mail server and not via the MX record / MessageLabs. A lot of spam is being filtered by MessageLabs, but some is still getting in somehow.
Sample header from a spam email; <MY DOMAIN>, <MY IP> and <INTERNAL EMAIL ADDY> are valid details for inside the network.
*********
Microsoft Mail Internet Headers Version 2.0
Received: from 125-229-210-44.dynamic.hinet.net ([125.229.210.44]) by <MY DOMAIN> with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 10 Oct 2007 13:57:59 +1000
Received: from [125.229.210.44] by no.com; Wed, 10 Oct 2007 03:57:58 +0000
Message-ID: <000801c80af1$066e03bc$42062b9f@lwkxof>
From: "daren chance" <barry@infoback.com>
To: <INTERNAL EMAIL ADDY>
Subject: Ciao, baby! :) Lenard Burnette.
Date: Wed, 10 Oct 2007 02:10:35 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0005_01C80AF1.06681A0B"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
Return-Path: barry@infoback.com
X-OriginalArrivalTime: 10 Oct 2007 03:57:59.0632 (UTC) FILETIME=[BF806D00:01C80AF1]
------=_NextPart_000_0005_01C80AF1.06681A0B
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0005_01C80AF1.06681A0B
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0005_01C80AF1.06681A0B--
******************************
I've read https://www.experts-exchange.com/questions/21055840/It-started-with-an-SMTP-Server-Remote-Queue-Length-Alert-on-my-exchange-server-2003.html as I did originally get this message as well, and have enabled recipient filtering which seems to have stopped the queues going ballistic. I'm also about to enable 'Reset password on next logon' on all user accounts.
I'm kinda confused as to how the mail is still getting in - can anyone offer any advice or pointers?
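As an added check (not part of the original thread), this Python script reads the topmost Received header, the one hop that our own server wrote, and flags any message whose connecting IP lies outside the scanning provider's relay ranges; the sample above, handed over directly by 125.229.210.44, is exactly such a bypass of the MX. The relay ranges, host names and sample messages are constructed placeholders, not MessageLabs' real address space.

```python
import ipaddress
import re

# Placeholder relay ranges standing in for the scanning provider's outbound
# addresses (constructed for this example, not MessageLabs' real ranges).
ALLOWED_RELAYS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # host literal SMTPSVC records

def unfold_headers(raw):
    """Join folded continuation lines onto their header; stop at the blank line."""
    lines = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def connecting_ip(raw):
    """Bracketed address in the topmost Received header: the host that spoke to us."""
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = IP_IN_BRACKETS.search(line)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None

def bypassed_filter(raw):
    """True when the delivering host is not an allowed relay (direct-to-port-25 delivery)."""
    ip = connecting_ip(raw)
    if ip is None:
        return True  # no attributable hop at all: treat as a bypass
    return not any(ip in net for net in ALLOWED_RELAYS)

# Constructed samples: the first mirrors the thread's header (direct delivery from
# a dynamic host), the second arrives through an allowed relay.
DIRECT_SAMPLE = (
    "Received: from 125-229-210-44.dynamic.hinet.net ([125.229.210.44])\n"
    " by mail.example.com with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Wed, 10 Oct 2007 13:57:59 +1000\n"
    "Received: from [125.229.210.44] by no.com; Wed, 10 Oct 2007 03:57:58 +0000\n"
    "From: \"daren chance\" <barry@infoback.com>\n\nbody\n"
)
RELAYED_SAMPLE = (
    "Received: from relay-a.example.net ([198.51.100.7])\n"
    " by mail.example.com with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Wed, 10 Oct 2007 14:02:11 +1000\n\nbody\n"
)
```

Run it over headers exported from the mailbox: any message where bypassed_filter returns True reached port 25 without passing through the filtering service, which points at the firewall rules rather than at the scanning provider.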
ASKER
Hi Simon,
Block has been done on the router/firewall via a data filter. Router is a Draytek 2600.
There is one block rule set for the following - Block if no further match, Direction = In, Protocol = TCP. Source - any, 255.255.255.255 (/32), ports > 1023; Destination <MY EXTERNAL IP> 255.255.255.0 (/24), Port = 25 to 25.
There are then many allow rules for MessageLabs IP addresses set to - Pass Immediately, Direction - In, Protocol = TCP, Source = MessageLabs IP, MessageLabs subnet, port > 1023; Destination <MY EXTERNAL IP> 255.255.255.0 (/24), port 25 to 25.
On second inspection I'm not sure the rules are branching correctly - I'll double check.
Does anything stick out?
I cannot answer the question on how the block has been done on the firewall, as I am not familiar with that firewall model. I tend to make the block on the Exchange server itself if possible, as that process is well known and many people can look at it. The way you are doing it requires knowledge of the firewall.
Simon.
--
If your question has been answered, please remember to accept the answer and close the question.
ASKER
Thanks Simon - how do you only allow certain IP ranges into the Exchange server?
ASKER CERTIFIED SOLUTION
ASKER
Thanks Simon, will have a look and post back.
ASKER
Hi Simon,
One question - you said to not add the entire subnet. I take it then that the workstations already have access to the smtp server by connecting to exchange directly?
Thanks
If the workstations are connecting with Outlook via MAPI (i.e. selecting Exchange server in the account setup), then you do not need any SMTP connection restrictions opened for those users at all.
Simon.
--
If your question has been answered, please remember to accept the answer and close the question.
Which method have you attempted to block the traffic?
Have you blocked it at the Exchange server or on the firewall?
Simon.
--
If your question has been answered, please remember to accept the answer and close the question.