The_R0CK (Australia) asked:
Exchange 2007 Spamming

We are having major problems sending email from our Exchange 2007 Server. Our server is appearing on blacklists and our outbound email is being refused. Upon inspection of the Outbound SMTP Queue, I have found literally hundreds of outbound emails, all with "From: <>" and "To:" random email domains. It's clear to me that something is using our Exchange server to send spam, most likely an internal MAPI client, however I am unsure/unable to locate the source of the problem.

Our setup is an Exchange 2007 server which is also running Trend Micro ScanMail 8. The Exchange server is behind a firewall and has a public IP NAT'd to it on port 25. All outbound port 25 traffic is blocked except from the Exchange IP.

This is a major problem and is affecting our business, therefore I am awarding 500 points to whoever can help me resolve this issue quickly...
The_R0CK (ASKER):
Also I have actually assumed that our server is appearing on blacklists. Upon further inspection I have actually found that we only appear on one: dnsbl-3.uceprotect.net LISTED!. However this site states that it is our ISP which is listed and not our IP directly. Unfortunately in our area we only have one ISP! Therefore I do not have the luxury of choice....
You could install a network analyser such as ethereal (http://www.ethereal.com/) and see who the top senders of email are by IP address. Any compromised machine is likely to be at the top.

Sembee also has a lot of very good guides on his website for exchange - http://www.amset.info/exchange/
I would check to make sure you are rejecting mail to unknown users. See Sembee's article at http://www.amset.info/exchange/filter-unknown.asp.

You can send me a test email at test@cdlive.co.uk (post here when you have sent it) and I can see if you are on any other RBLs or there are any other problems with your mail configuration.
Thanks for the posts. I will look into these suggestions...

A specific problem I face is sending email to hotmail.com. I get the following message:

bay0-mc7-f7.bay0.hotmail.com #550 Your e-mail was rejected for policy reasons on this gateway. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an e-mail/network admin please contact your E-mail/Internet Service Provider for help. For e-mail delivery information, please go to http://postmaster.live.com ##

I haven't been able to figure out how Hotmail blocks email and how to get us off their list.... Obviously I need to resolve the spamming issue first to prevent us from being put back on....
Another issue I am facing is that most of the information I can find about securing Exchange is all based on the 2003 version.... such as Sembee's pages provided above. It's difficult to find feature-for-feature settings in 2007. Can anyone help me with specific settings in Exchange 2007? i.e. how to ensure internal email senders are authenticated etc.?
grblades: I sent that test email....
Hotmail are a major problem. They will accept and delete email without notifying anyone and if you ask they won't give you a reason why the emails are being deleted.

I believe hotmail have a paid service where they are more likely to accept your mail.
It may be that all the messages in my outbound queues were NDRs??
Do outbound NDRs show "From: <>"??

I have now disabled "Allow NDRs" to be sent using the Outbound SMTP connector (Hub Transport), let's see if that helps...
Only thing is with Hotmail, we were able to send email there until 2 days ago when this problem started... I still can't find our domain on any blacklists.... strange indeed. However it's not only Hotmail refusing our email, several of our customers and partners are blocking us.... most embarrassing.
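The following is an added example, not code posted in this thread. It shows how the situation described above (hundreds of queued "From: <>" messages) can be triaged from the Exchange Management Shell on the Exchange 2007 Hub Transport server: first whether the queued mail is NDRs the server itself generated, then, via the message tracking log, which client IPs and mailboxes actually submitted mail (the same question grblades suggested answering with a packet analyser). The lookback window is an assumed value.

```powershell
# Added example (not from the thread): triage a clogged Exchange 2007 outbound
# queue and work out whether the "From: <>" messages are NDRs this server is
# generating (backscatter) or spam submitted by an internal client.
# Run in the Exchange Management Shell on the Hub Transport server.
# $lookbackHours is an assumed window; set it to when the problem started.
$lookbackHours = 48
$since = (Get-Date).AddHours(-$lookbackHours)

# 1. Null-sender messages in the queues. "<>" is the null reverse path that
#    Exchange uses for NDRs and other delivery status notifications; spam
#    submitted by a client would carry a real (or forged) sender instead.
$queued  = @(Get-Message -ResultSize Unlimited)
$bounces = @($queued | Where-Object { $_.FromAddress -eq "<>" })
"{0} queued messages, {1} with null sender <>" -f $queued.Count, $bounces.Count

# 2. Where are the null-sender messages headed? Many distinct destination
#    domains you have never mailed means the server accepted mail with forged
#    senders (typically for non-existent recipients) and is now bouncing it.
$bounces | Group-Object Queue | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name

# 3. Who submitted mail in the window, from the message tracking log.
#    Source STOREDRIVER = submitted from a mailbox (Outlook/MAPI),
#    Source SMTP       = submitted over SMTP (another host, device or script).
$received = @(Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited)
$received | Group-Object Source | Select-Object Count, Name

# Top SMTP submitters by client IP: a compromised internal host shows up here.
$received | Where-Object { $_.Source -eq "SMTP" } |
    Group-Object ClientIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Top mailbox senders: a compromised mailbox or account shows up here.
$received | Where-Object { $_.Source -eq "STOREDRIVER" } |
    Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

If step 1 shows that nearly all queued messages have the null sender and step 3 shows no unusual submitter, the server is producing backscatter rather than relaying spam, which is the situation the rest of the thread works through.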
ASKER CERTIFIED SOLUTION (grblades): [available only to Experts Exchange members]
Hmmm.... Strange thing is when I look at our domain on www.dnsreport.com it shows that we have a PTR (reverse DNS entry)?? What's up with that?
Its a different IP address. Your MX entry points to a mail server with IP address 83.111.184.160. The mails you are sending are coming from 83.111.160.230 and it is that IP address which does not have a PTR (reverse dns entry) record.
I have checked with the ISP, they have confirmed that our PTR record is in place as follows:
160.184.111.83.in-addr.arpa mail.biosme.com

DNSReport also backs up this statement.... Strange that our domain is showing up as "mail.biosme.com (unknown [83.111.160.230])". Any ideas on this?

It could indeed be that our email is being blocked due to reverse-dns lookup failure...
Your mail server is saying it is mail.biosme.com and the IP address which sent the mail to us was 83.111.160.230. That IP address cannot be forged. Looking up the IP address it appears to be located in Dubai, UAE which I guess is your location.
Ok yes.. you are absolutely right!!

The reverse DNS IP is not actually our email server.... damn how did I miss that? Just shows a second pair of eyes really helps at times.

I will now request the ISP to correct the PTR record, probably take 24 hours and I will update. Thanks for the assistance....!

Also, it seems that disabling sending of NDRs to outside has stopped the emails building up in my outbound queue. Perhaps someone was hammering our SMTP with fake domains, and our server couldn't send out the NDRs??? Not sure really...
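The following is an added example, not code posted in this thread. It performs the check a receiving mail server does on a connecting IP, which is what uncovered the problem above: look up the PTR for the public IP the mail actually arrives from, confirm the PTR name resolves back to that IP (forward-confirmed reverse DNS), and compare it with the name the Send connector announces. It uses the two IP addresses discussed in the thread as sample input; because the Exchange server is NAT'd, the public IP a receiver sees is not visible locally, so it is read from the "Received:" header of a message sent to an external mailbox (which is what grblades's test address provided).

```powershell
# Added example (not from the thread): verify forward-confirmed reverse DNS for
# the IP your mail is actually sent from, and compare it with the HELO/EHLO
# name on the Send connector. Run in the Exchange Management Shell.
# The IPs are the ones from the thread; substitute your own.
$heloName = [string](Get-SendConnector | Select-Object -First 1).Fqdn  # empty means the server FQDN is used
$publicIp = "83.111.160.230"   # IP the receiving server saw in the thread

function Test-ReverseDns {
    param([string]$Ip, [string]$ExpectedName)
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($Ip).HostName
    } catch {
        # No PTR: receivers log the host as "unknown" and many reject or score it.
        return "FAIL: $Ip has no PTR record"
    }
    # Forward-confirm: the PTR name must resolve back to the same IP.
    $forward = [System.Net.Dns]::GetHostAddresses($ptr) |
        ForEach-Object { $_.IPAddressToString }
    if ($forward -notcontains $Ip) {
        return "FAIL: PTR for $Ip is $ptr, but $ptr does not resolve to $Ip"
    }
    if ($ExpectedName -and ($ptr -ne $ExpectedName)) {
        return "WARN: PTR for $Ip is $ptr, but the connector announces $ExpectedName"
    }
    return "OK: $Ip <-> $ptr"
}

# The sending IP: in the thread this one had no PTR at all.
Test-ReverseDns -Ip $publicIp -ExpectedName $heloName
# The MX host's IP, which did have the PTR the ISP had set up.
Test-ReverseDns -Ip "83.111.184.160" -ExpectedName $heloName
```

The mismatch in the thread is exactly the case the second call illustrates: the PTR existed, but on the inbound (MX) address rather than the address outbound mail leaves from.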
It may be related to my 2nd post I made about making sure Exchange is configured to reject mail to non-existent users. If you don't then you end up sending out non-delivery reports to the (faked) sender's email address. This in itself can get you on an RBL (http://www.backscatterer.org/ in particular).
SOLUTION: [available only to Experts Exchange members]
Hi Simon,

Thanks for that info, actually quite impressive the antispam feature! All seems to be good now, reverse DNS issue resolved (thanks for helping find that grblades!), and queues are clear (thanks Simon)!
hiyusuf:
Hi Sembee,
Well I am facing the same problem of messages in the queue viewer from unwanted domains. I think they are junk or maybe spam, and it also creates DNS connectors and always retries and retries. I would like to know: is it coming from some internal machines, or are the spammers hitting my Exchange 2007 server, or what is the exact issue and what's the solution for it? Kindly help me.
hiyusuf - this is an old question. Unlike a forum it is not possible to "bump" questions back up the list. The only people who will see your post are those that have already participated. Instead you should post your question as a new question in the Exchange Server Zone which will allow other experts the chance to see the question and respond.

Simon
Exchange Server Zone Advisor.
Sembee,

I have tried your solutions, but for some strange reason "anti-spam" doesn't block anything.
After installing the script I searched the event logs and got this error:
Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell.

But there are no other mail servers in this domain...
so I gave this command: set-transportconfig -internalsmtpservers 192.168.10.100
that is the IP of my Exchange server.
But still it won't work...
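The following is an added example, not code posted in this thread. It brings together the Exchange 2007 Hub Transport configuration that two parts of the thread touch on: grblades's advice to reject mail for unknown users so the server stops generating NDRs to forged senders (the 2003-era guide linked above covers only 2003), and the anti-spam agent install and "list of internal SMTP servers is empty" warning in the post just above. It assumes the Exchange Management Shell's `$exscripts` variable (the Scripts folder) and uses placeholder IP addresses.

```powershell
# Added example (not from the thread): Exchange 2007 Hub Transport anti-spam
# setup to stop backscatter and satisfy the InternalSMTPServers warning.
# Run in the Exchange Management Shell with Exchange organization admin rights.
# IP addresses are placeholders; $exscripts is the shell's Scripts folder
# variable (assumed to be defined, as it is in the 2007 management shell).

# 1. On a Hub Transport server the anti-spam agents are not installed by
#    default; this script adds them. The transport service must be restarted
#    before they take effect.
& (Join-Path $exscripts "install-AntispamAgents.ps1")
Restart-Service MSExchangeTransport

# 2. Reject mail for recipients that do not exist in Active Directory during
#    the SMTP session, instead of accepting it and generating an NDR later.
#    This is the 2007 equivalent of the "filter unknown users" setting and is
#    what prevents the backscatter listing described in the thread.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 3. List the MTAs (relays, gateways, filtering appliances) that sit between
#    this server and the Internet, so connection filtering evaluates the real
#    originating IP rather than the relay's. If mail reaches this server
#    directly from the Internet, there is nothing to add here.
Set-TransportConfig -InternalSMTPServers 192.0.2.10,192.0.2.11   # placeholder relay IPs

# 4. Verify the agents are loaded and the settings took.
Get-TransportAgent | Format-Table Identity, Enabled, Priority
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
(Get-TransportConfig).InternalSMTPServers
```

After step 2, a message to a non-existent mailbox is refused at the RCPT TO stage with a 550 response, so the forged sender never receives an NDR from your server; step 3 only matters when another host relays inbound mail to this one.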
hdejongh - as I have already stated - this is an old question. I would suggest that you post your query as a new question so that other experts get the opportunity to respond to it.

Simon
Exchange Server Zone Advisor.