• Status: Solved
• Priority: Medium
• Security: Public
• Views: 4473

Exchange 2007 Spamming

We are having major problems sending email from our Exchange 2007 Server. Our server is appearing on blacklists and our outbound email is being refused. Upon inspection of the Outbound SMTP Queue, I have found literally hundreds of outbound emails, all with "From: <>" and "To:" random email domains. It's clear to me that something is using our Exchange server to send spam, most likely an internal MAPI client; however, I am unsure/unable to locate the source of the problem.

Our setup is an Exchange 2007 server which is also running Trend Micro ScanMail 8. The Exchange server is behind a firewall and has a public IP NAT'd to it on port 25. All outbound port 25 traffic is blocked except from the Exchange IP.

This is a major problem and is affecting our business, therefore I am awarding 500 points to whoever can help me resolve this issue quickly...
Asked by: The_R0CK

2 Solutions

The_R0CK (Author) commented:
Also, I had actually assumed that our server is appearing on blacklists. Upon further inspection I have found that we only appear on one: dnsbl-3.uceprotect.net LISTED!. However, this site states that it is our ISP which is listed and not our IP directly. Unfortunately, in our area we only have one ISP! Therefore I do not have the luxury of choice....

grblades commented:
You could install a network analyser such as ethereal (http://www.ethereal.com/) and see who the top senders of email are by IP address. Any compromised machine is likely to be at the top.

Sembee also has a lot of very good guides on his website for exchange - http://www.amset.info/exchange/

grblades commented:
I would check to make sure you are rejecting mail to unknown users. See Sembee's article at http://www.amset.info/exchange/filter-unknown.asp.

You can send me a test email at test@cdlive.co.uk (post here when you have sent it) and I can see if you are on any other RBLs or there are any other problems with your mail configuration.
The_R0CK (Author) commented:
Thanks for the posts. I will look into these suggestions...

A specific problem I face is sending email to hotmail.com. I get the following message:

bay0-mc7-f7.bay0.hotmail.com #550 Your e-mail was rejected for policy reasons on this gateway. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an e-mail/network admin please contact your E-mail/Internet Service Provider for help. For e-mail delivery information, please go to http://postmaster.live.com ##

I haven't been able to figure out how Hotmail blocks email and how to get us off their list.... Obviously I need to resolve the spamming issue first to prevent us from being put back on....

The_R0CK (Author) commented:
Another issue I am facing is that most of the information I can find about securing Exchange is based on the 2003 version.... such as Sembee's pages provided above. It's difficult to find feature-for-feature settings in 2007. Can anyone help me with specific settings in Exchange 2007? I.e. how to ensure internal email senders are authenticated, etc.?

The_R0CK (Author) commented:
grblades: I sent that test email....

grblades commented:
Hotmail are a major problem. They will accept and delete email without notifying anyone, and if you ask they won't give you a reason why the emails are being deleted.

I believe hotmail have a paid service where they are more likely to accept your mail.

The_R0CK (Author) commented:
It may be that all the messages in my outbound queues were NDRs??
Do outbound NDRs show "From: <>"??

I have now disabled "Allow NDRs" to be sent using the Outbound SMTP connector (Hub Transport); let's see if that helps...

The_R0CK (Author) commented:
Only thing is, with Hotmail we were able to send email there until 2 days ago when this problem started... I still can't find our domain on any blacklists.... strange indeed. However, it's not only Hotmail refusing our email; several of our customers and partners are blocking us.... most embarrassing.

grblades commented:
I expect Sembee will post in here when he comes online. I would leave it 12 hours or so and if he does not post you can send him an email on his website.

> Received:  from mail.biosme.com (unknown [83.111.160.230])
It looks like you don't have a PTR record for your IP address. You should contact your ISP and ask them to add a PTR record for 83.111.160.230 pointing to mail.biosme.com.

The only RBL I found was the UCEPROTECT one you mentioned. You say that there is no alternative ISP for you to use.
There is a way around this. You could rent a server from a hosting company and have it configured to only accept mail from your IP address and for that IP address to be trusted. You could then configure your Exchange to send all outgoing mail to that server as a 'smart host'. It will then be the IP address of the rented server which matters in RBL terms, so you will bypass the problem.

The_R0CK (Author) commented:
Hmmm.... Strange thing is, when I look at our domain on www.dnsreport.com it shows that we have a PTR (reverse DNS entry)?? What's up with that?

grblades commented:
It's a different IP address. Your MX entry points to a mail server with IP address 83.111.184.160. The mails you are sending are coming from 83.111.160.230, and it is that IP address which does not have a PTR (reverse DNS entry) record.

The_R0CK (Author) commented:
I have checked with the ISP; they have confirmed that our PTR record is in place as follows:
160.184.111.83.in-addr.arpa mail.biosme.com

DNSReport also backs up this statement.... Strange that our domain is showing up as "mail.biosme.com (unknown [83.111.160.230])". Any ideas on this?

It could indeed be that our email is being blocked due to reverse-dns lookup failure...

grblades commented:
Your mail server is saying it is mail.biosme.com and the IP address which sent the mail to us was 83.111.160.230. That IP address cannot be forged. Looking up the IP address it appears to be located in Dubai, UAE which I guess is your location.
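
The mismatch grblades spotted (the PTR sits on the MX address, not on the address that actually connects out) is easy to miss by looking at the domain alone. The following is an added example, not something posted in this thread: it pulls the connecting IP out of a remote `Received:` header and then runs the forward-confirmed reverse DNS check that receiving servers apply. The lookup table `$ConstructedZone` is constructed from the two addresses and the host name quoted in the thread; the header line is a constructed copy of the one grblades quoted. With no `-Zone` argument the functions query live DNS through the .NET `System.Net.Dns` class instead.

```powershell
# Added example (not from the thread): find the IP that actually sends your mail
# from a remote "Received:" header, then check its reverse DNS the way receiving
# servers do. CONSTRUCTED zone data from the thread: the MX host 83.111.184.160
# has a PTR, the real sending IP 83.111.160.230 has none.
$ConstructedZone = @{
    PTR = @{ '83.111.184.160' = 'mail.biosme.com' }     # only the MX IP has reverse DNS
    A   = @{ 'mail.biosme.com' = @('83.111.184.160') }
}

# Constructed copy of the header line quoted above.
$ConstructedHeader = 'Received: from mail.biosme.com (unknown [83.111.160.230])'

# Pull the announced (HELO) name and the connecting IP out of a Received: header.
# A receiving MTA writes "unknown" in the parentheses when the IP has no PTR.
function Get-SendingHostFromReceived {
    param([string]$Header)
    if ($Header -match 'from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)') {
        return New-Object PSObject -Property @{
            HeloName = $matches[1]; ReverseName = $matches[2]; Ip = $matches[3] }
    }
    return $null
}

# IP -> PTR name. $Zone is an offline table for testing; omit it for live DNS.
function Resolve-Ptr {
    param([string]$Ip, [hashtable]$Zone)
    if ($Zone) { return $Zone.PTR[$Ip] }
    try { return ([System.Net.Dns]::GetHostEntry($Ip)).HostName } catch { return $null }
}

# Name -> list of IPs (A records).
function Resolve-Forward {
    param([string]$Name, [hashtable]$Zone)
    if ($Zone) { return @($Zone.A[$Name]) }
    try { return @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) }
    catch { return @() }
}

# Forward-confirmed reverse DNS: IP -> PTR name -> A record -> the same IP again,
# and the PTR name should match the name the server announces in HELO/EHLO.
function Test-SendingIpReverseDns {
    param([string]$Ip, [string]$HeloName, [hashtable]$Zone)
    $ptr = Resolve-Ptr -Ip $Ip -Zone $Zone
    $status = 'OK'
    if (-not $ptr) { $status = 'NO_PTR' }                       # ask the ISP for a PTR on this IP
    elseif ((Resolve-Forward -Name $ptr -Zone $Zone) -notcontains $Ip) { $status = 'PTR_NOT_FORWARD_CONFIRMED' }
    elseif ($ptr -ne $HeloName) { $status = 'HELO_NAME_MISMATCH' }
    New-Object PSObject -Property @{ Ip = $Ip; Ptr = $ptr; HeloName = $HeloName; Status = $status }
}

# Walk the thread's case: the MX IP checks out, the IP that really sends does not.
$sender = Get-SendingHostFromReceived -Header $ConstructedHeader
Test-SendingIpReverseDns -Ip $sender.Ip -HeloName $sender.HeloName -Zone $ConstructedZone        # Status NO_PTR
Test-SendingIpReverseDns -Ip '83.111.184.160' -HeloName 'mail.biosme.com' -Zone $ConstructedZone  # Status OK
```

The point of checking the `Received:` line rather than the domain's DNS report is that it records the address the remote server actually saw; when NAT or a second interface sends outbound mail from a different address than the one the MX record advertises, a PTR on the MX address does nothing for deliverability.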

The_R0CK (Author) commented:
Ok yes.. you are absolutely right!!

The reverse DNS IP is not actually our email server.... damn how did I miss that? Just shows a second pair of eyes really helps at times.

I will now request the ISP to correct the PTR record, probably take 24 hours and I will update. Thanks for the assistance....!

Also, it seems that disabling the sending of NDRs to outside has stopped the emails building up in my outbound queue. Perhaps someone was hammering our SMTP with fake domains, and our server couldn't send out the NDRs??? Not sure really...

grblades commented:
It may be related to the 2nd post I made about making sure Exchange is configured to reject mail to non-existent users. If you don't, then you end up sending out non-delivery reports to the (faked) sender's email address. This in itself can get you on an RBL (http://www.backscatterer.org/ in particular).

Sembee commented:
The messages that you are seeing in the queues are NDRs. It looks like you are facing NDR spam. Recipient filtering is available on Exchange 2007, I haven't written the article on it yet though. It is in the list of things to do.

Are you running a single server? If so then you will need to install the antispam agents first.

In powershell, change to the following directory (presuming default locations)
C:\Program Files\Microsoft\Exchange Server\Scripts

Then use tab to select install-AntispamAgents.ps1
Run that and restart Exchange 2007 EMC.

Then go to Organisation Configuration, Hub Transport and select the Anti-spam option.
Disable every option (as they are enabled by default) except for recipient filtering. Go in to the properties of recipient filtering and enable the option "Block messages sent to recipients not in the global address list" on the Blocked Recipients list.
Apply/OK out.

To get the change to take, restart the Microsoft Exchange Transport Service.
No need to enable tarpit, as that is enabled by default anyway.

To clean the queues, I don't have a good method yet (again because I haven't had time to sit and work one out) so the quick and dirty method will have to do.
In Server Configuration, right-click on the server and choose Properties. Click on the Limits tab. Make a note of the defaults and then change each timeout to 1 minute. Do NOT change the retry setting unless prompted to. Again apply/OK out and restart the Exchange Transport Service.
That will flush out the queues.

I would suggest that you change the NDR setting back to the default.

Simon.

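
The same procedure can be driven from the Exchange Management Shell, which also gives a cleaner way to do the two things this thread does by hand: working out whether the queued mail is backscatter or a relaying internal client (grblades' "find the top senders" suggestion, done here with `Get-Message` instead of a sniffer), and clearing the queued NDRs without the timeout trick. The block below is an added example, not Sembee's method or a Microsoft script. It assumes a single Exchange 2007 server holding the Hub Transport role at the default install path, run as an Exchange administrator; the cmdlet names and parameters are the Exchange 2007 ones, and matching the null sender as the literal string `"<>"` in `FromAddress` is an assumption about how the queue exposes it.

```powershell
# Added example (not Sembee's or Microsoft's code). Assumes a single Exchange 2007
# server with the Hub Transport role at the default path; run in the Exchange
# Management Shell as an Exchange admin.
$ExchangeScripts = 'C:\Program Files\Microsoft\Exchange Server\Scripts'

# --- 1. Triage the outbound queues -------------------------------------------
# NDRs are sent with the null sender, which the queue viewer shows as "From: <>"
# (assumed to be exposed as the string "<>" in FromAddress). Mail submitted by an
# internal client carries that client's address in SourceIP, so grouping by
# SourceIP separates backscatter from a relaying host.
function Get-QueueTriage {
    $all = @(Get-Message -ResultSize Unlimited)
    $ndr = @($all | Where-Object { $_.FromAddress -eq '<>' })
    $bySource = $all | Group-Object SourceIP | Sort-Object Count -Descending |
                Select-Object -First 10 Count, Name
    $ndrDomains = $ndr | ForEach-Object { ([string]@($_.Recipients)[0]) -replace '^[^@]*@', '' } |
                  Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
    New-Object PSObject -Property @{
        TotalQueued         = $all.Count
        NullSenderNdrs      = $ndr.Count      # hundreds here = NDR spam / backscatter
        TopSourceIPs        = $bySource       # an internal client IP near the top = compromised host
        TopNdrTargetDomains = $ndrDomains     # the faked "senders" your server is bouncing to
    }
}

# --- 2. Install the anti-spam agents (a lone Hub Transport server has none) --
function Install-AntispamAgentsIfMissing {
    $present = Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
    if (-not $present) {
        & (Join-Path $ExchangeScripts 'install-AntispamAgents.ps1')
        Restart-Service MSExchangeTransport
    }
}

# --- 3. Keep only recipient filtering, with GAL validation -------------------
# Shell equivalent of disabling every anti-spam feature except Recipient
# Filtering and ticking "Block messages sent to recipients not in the global
# address list".
function Enable-RecipientValidationOnly {
    Set-ContentFilterConfig        -Enabled $false
    Set-SenderIdConfig             -Enabled $false
    Set-SenderFilterConfig         -Enabled $false
    Set-SenderReputationConfig     -Enabled $false
    Set-IPBlockListConfig          -Enabled $false
    Set-IPBlockListProvidersConfig -Enabled $false
    Set-RecipientFilterConfig      -Enabled $true -RecipientValidationEnabled $true
    # Only list upstream relays here. With nothing between this server and the
    # Internet the list stays empty; the event log text Hans quotes below applies
    # only when such a relay exists.
    # Set-TransportConfig -InternalSMTPServers <UPSTREAM-RELAY-IP-PLACEHOLDER>
    Restart-Service MSExchangeTransport
    Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
}

# --- 4. Drop the queued backscatter without changing the timeouts ------------
# -WithNDR $false deletes the queued NDRs without generating further NDRs.
function Remove-QueuedBackscatter {
    Get-Message -Filter { FromAddress -eq "<>" } -ResultSize Unlimited |
        Remove-Message -WithNDR $false -Confirm:$false
}

# --- 5. Put the NDR setting back to the default -----------------------------
# In 2007 "Allow non-delivery reports" lives on the Default remote domain.
function Restore-DefaultNdrSetting {
    Set-RemoteDomain -Identity Default -NDREnabled $true
}

# Usage:
#   Get-QueueTriage | Format-List
#   Install-AntispamAgentsIfMissing; Enable-RecipientValidationOnly
#   Remove-QueuedBackscatter; Restore-DefaultNdrSetting
```

Run the triage first: if `NullSenderNdrs` is most of the queue and `TopSourceIPs` shows only the server itself, the problem is backscatter and recipient validation is the fix; if one internal address dominates `TopSourceIPs` with ordinary senders, that host is relaying and recipient filtering alone will not stop it.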

The_R0CK (Author) commented:
Hi Simon,

Thanks for that info, actually quite impressive the antispam feature! All seems to be good now, reverse DNS issue resolved (thanks for helping find that grblades!), and queues are clear (thanks Simon)!

hiyusuf commented:
Hi Sembee,
Well, I am facing the same problem of messages in the queue viewer from unwanted domains. I think they are junk or maybe spam, and it also creates DNS connectors and always retries and retries. I would like to know: is it coming from some internal machines, or are the spammers hitting my Exchange 2007 server, or what is the exact issue and what's the solution for it? Kindly help me.

Sembee commented:
hiyusuf - this is an old question. Unlike a forum it is not possible to "bump" questions back up the list. The only people who will see your post are those that have already participated. Instead you should post your question as a new question in the Exchange Server Zone which will allow other experts the chance to see the question and respond.

Simon
Exchange Server Zone Advisor.

Hans de Jongh commented:
Sembee,

I have tried your solutions, but for some strange reason "anti-spam" doesn't block anything.
After installing the script I searched the event logs and got this error:
Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell.

But there are no other mail servers in this domain...
so I gave this command: set-transportconfig -internalsmtpservers 192.168.10.100
that is the IP of my Exchange server.
But still it won't work...

Sembee commented:
hdejongh - as I have already stated - this is an old question. I would suggest that you post your query as a new question so that other experts get the opportunity to respond to it.

Simon
Exchange Server Zone Advisor.

Question has a verified solution.