
Spam still being received with MessageLabs implemented

Hi,
We're using MessageLabs to scan all our incoming email (on a SBS2k3 server) for spam and viruses, which works via redirecting the MX record to them and then allowing their IPs to send mail in via filtering on the router. A block filter has been set on incoming traffic to their IP and Allow rules allowing the MessageLabs IPs to send through to the mail server on port 25. There are no SMTP connectors or POP connectors set up.

My issue is that I'm still receiving spam as it seems to be coming directly to the mail server and not via the MX record / MessageLabs. A lot of spam is being filtered by Messagelabs but some is still getting in somehow.

Sample header from a spam email. <MYDOMAIN>, <MY IP> and <INTERNAL EMAIL ADDY> are valid details for inside the network.
*********
Microsoft Mail Internet Headers Version 2.0
Received: from 125-229-210-44.dynamic.hinet.net ([125.229.210.44]) by <MY DOMAIN> with Microsoft SMTPSVC(6.0.3790.1830);
             Wed, 10 Oct 2007 13:57:59 +1000
Received: from [125.229.210.44] by no.com; Wed, 10 Oct 2007 03:57:58 +0000
Message-ID: <000801c80af1$066e03bc$42062b9f@lwkxof>
From: "daren chance" <barry@infoback.com>
To: <INTERNAL EMAIL ADDY>
Subject: Ciao, baby! :) Lenard Burnette.
Date: Wed, 10 Oct 2007 02:10:35 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
            boundary="----=_NextPart_000_0005_01C80AF1.06681A0B"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
Return-Path: barry@infoback.com
X-OriginalArrivalTime: 10 Oct 2007 03:57:59.0632 (UTC) FILETIME=[BF806D00:01C80AF1]

------=_NextPart_000_0005_01C80AF1.06681A0B
Content-Type: text/plain;
            charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0005_01C80AF1.06681A0B
Content-Type: text/html;
            charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0005_01C80AF1.06681A0B--
******************************
I've read http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21055840.html as I did originally get this message as well, and have enabled recipient filtering which seems to have stopped the queues going ballistic. I'm also about to enable 'Reset password on next logon' on all user accounts.

I'm kinda confused as to how the mail is still getting in - can anyone offer any advice or pointers?


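As an added example (not part of the original thread), here is the check a practitioner would run over headers exported from Exchange: it reads the topmost Received line, which is the one the SBS server's own SMTPSVC wrote, and flags any message whose delivering host is outside the expected relay ranges, i.e. mail that reached port 25 directly instead of via the MX record. The allowed range and the MYDOMAIN placeholder are constructed stand-ins, not MessageLabs' real addresses.

```python
# Added example, not from the original post: detect mail that bypassed the
# filtering gateway by checking which IP handed the message to our server.
import ipaddress
import re
from email import message_from_string

# Constructed placeholder for the MessageLabs relay ranges; the real ranges
# come from the MessageLabs documentation, not from this example.
ALLOWED_RELAYS = ["192.0.2.0/24"]

# Header copied from the question, local names replaced by placeholders and
# the MIME body parts omitted. Continuation lines start with whitespace.
SAMPLE = """Received: from 125-229-210-44.dynamic.hinet.net ([125.229.210.44]) by MYDOMAIN with Microsoft SMTPSVC(6.0.3790.1830);
             Wed, 10 Oct 2007 13:57:59 +1000
Received: from [125.229.210.44] by no.com; Wed, 10 Oct 2007 03:57:58 +0000
From: "daren chance" <barry@infoback.com>
Subject: Ciao, baby! :) Lenard Burnette.

"""

# Bracketed IPv4 literal as written by SMTPSVC, e.g. "([125.229.210.44])".
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def handoff_ip(raw):
    """Return the address that connected to our server: the bracketed IP in
    the topmost Received header (headers are prepended, so index 0 is ours)."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = _IP.search(received[0])
    return m.group(1) if m else None


def bypassed_gateway(raw, allowed=ALLOWED_RELAYS):
    """True when the delivering host is outside the allowed relay ranges,
    meaning the message never passed through the filtering service."""
    ip = handoff_ip(raw)
    if ip is None:
        return True  # no usable hop information: treat as untrusted
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(net) for net in allowed)


if __name__ == "__main__":
    print(handoff_ip(SAMPLE), bypassed_gateway(SAMPLE))
```

Run over a batch of exported headers, the messages this flags are exactly the ones the router or SMTP virtual server restriction should have refused.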
1 Solution
 
SembeeCommented:
Your block hasn't been done correctly.

Which method have you attempted to block the traffic?
Have you blocked it at the Exchange server or on the firewall?

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
gorlazAuthor Commented:
Hi Simon,

Block has been done on the router/firewall via a data filter. Router is a Draytek 2600.

There is one block rule set for the following - Block if no further match, Direction = In, Protocol = TCP. Source - any, 255.255.255.255 (/32) ports > 1023, Destination <MY EXTERNAL IP> 255.255.255.0 (/24) Port = 25 to 25.

There are then many allow rules for MessageLabs IP addresses set to - Pass Immediately, Direction - In, Protocol = TCP, Source = MessageLabIP, MessageLabSubnet >port 1023, destination <MY EXTERNAL IP> 255.255.255.0 (/24) port 25 to 25.

On second inspection I'm not sure the rules are branching correctly - I'll double check.

Does anything stick out?
SembeeCommented:
I cannot answer the question on how the block has been done on the firewall, as I am not familiar with that firewall model. I tend to make the block on the Exchange server itself if possible, as that process is well known and many people can look at it. The way you are doing it requires knowledge of the firewall.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
gorlazAuthor Commented:
Thanks Simon - how do you only allow certain IP ranges into the Exchange server?
SembeeCommented:
It is set on the SMTP virtual server, on Access under Connection. You set in there the address ranges that are required, along with any IP addresses that you need internally. DO NOT set your entire subnet.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
gorlazAuthor Commented:
Thanks Simon, will have a look and post back
gorlazAuthor Commented:
Hi Simon,
One question - you said to not add the entire subnet. I take it then that the workstations already have access to the SMTP server by connecting to Exchange directly?
Thanks
SembeeCommented:
If the workstations are connecting with Outlook via MAPI (ie selecting Exchange server in the account setup) then you do not need any SMTP connection restrictions opened for those users at all.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.