Solved

Exchange 2007 Spamming

Posted on 2007-10-18
4,466 Views
Last Modified: 2013-12-09
We are having major problems sending email from our Exchange 2007 Server. Our server is appearing on blacklists and our outbound email is being refused. Upon inspection of the Outbound SMTP Queue, I have found literally hundreds of outbound emails, all of which have "From: <>" and "To:" random email domains. It's clear to me that something is using our Exchange server to send spam, most likely an internal MAPI client; however, I am unsure/unable to locate the source of the problem.

Our setup is an Exchange 2007 server which is also running Trend Micro ScanMail 8. The Exchange server is behind a firewall and has a public IP NAT'd to it on port 25. All outbound port 25 traffic is blocked except from the Exchange IP.

This is a major problem and is affecting our business, therefore I am awarding 500 points to whoever can help me resolve this issue quickly...
Question by: The_R0CK

22 Comments

Author Comment by The_R0CK (LVL 3, ID: 20099277):
Also, I had actually assumed that our server was appearing on blacklists. Upon further inspection I have actually found that we only appear on one: dnsbl-3.uceprotect.net LISTED! However, this site states that it is our ISP which is listed and not our IP directly. Unfortunately in our area we only have one ISP! Therefore I do not have the luxury of choice....

Expert Comment by grblades (LVL 36, ID: 20099283):
You could install a network analyser such as ethereal (http://www.ethereal.com/) and see who the top senders of email are by IP address. Any compromised machine is likely to be at the top.

Sembee also has a lot of very good guides on his website for exchange - http://www.amset.info/exchange/

Expert Comment by grblades (LVL 36, ID: 20099287):
I would check to make sure you are rejecting mail to unknown users. See Sembee's article at http://www.amset.info/exchange/filter-unknown.asp.

You can send me a test email at test@cdlive.co.uk (post here when you have sent it) and I can see if you are on any other RBLs or there are any other problems with your mail configuration.

Author Comment by The_R0CK (LVL 3, ID: 20099315):
Thanks for the posts. I will look into these suggestions...

A specific problem I face is sending email to hotmail.com. I get the following message:

bay0-mc7-f7.bay0.hotmail.com #550 Your e-mail was rejected for policy reasons on this gateway. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an e-mail/network admin please contact your E-mail/Internet Service Provider for help. For e-mail delivery information, please go to http://postmaster.live.com ##

I haven't been able to figure out how Hotmail blocks email and how to get us off their list.... Obviously I need to resolve the spamming issue first to prevent us from being put back on....

Author Comment by The_R0CK (LVL 3, ID: 20099353):
Another issue I am facing is that most of the information I can find about securing Exchange is based on the 2003 version.... such as Sembee's pages provided above. It's difficult to find the feature-for-feature settings in 2007. Can anyone help me with specific settings in Exchange 2007? I.e. how to ensure internal email senders are authenticated etc.?

Author Comment by The_R0CK (LVL 3, ID: 20099356):
grblades: I sent that test email....

Expert Comment by grblades (LVL 36, ID: 20099359):
Hotmail are a major problem. They will accept and delete email without notifying anyone, and if you ask they won't give you a reason why the emails are being deleted.

I believe hotmail have a paid service where they are more likely to accept your mail.

Author Comment by The_R0CK (LVL 3, ID: 20099368):
It may be that all the messages in my outbound queues were NDRs??
Do outbound NDRs show "From: <>"??

I have now disabled "Allow NDRs" to be sent using the Outbound SMTP connector (Hub Transport); let's see if that helps...

Author Comment by The_R0CK (LVL 3, ID: 20099403):
Only thing is, with Hotmail we were able to send email there until 2 days ago when this problem started... I still can't find our domain on any blacklists.... strange indeed. However, it's not only Hotmail refusing our email; several of our customers and partners are blocking us.... most embarrassing.

Accepted Solution by grblades (LVL 36, earned 1400 total points, ID: 20099411):
I expect Sembee will post in here when he comes online. I would leave it 12 hours or so and if he does not post you can send him an email on his website.

> Received:  from mail.biosme.com (unknown [83.111.160.230])
It looks like you don't have a PTR record for your IP address. You should contact your ISP and ask them to add a PTR record for 83.111.160.230 pointing to mail.biosme.com.

The only RBL I found was the UCEPROTECT one you mentioned. You say that there is no alternative ISP for you to use.
There is a way around this. You could rent a server from a hosting company and have it configured to only accept mail from your IP address and for that IP address to be trusted. You could then configure your Exchange to send all outgoing mail to that server as a 'smart host'. It will then be the IP address of the rented server which matters in RBL terms, so you will bypass the problem.

Author Comment by The_R0CK (LVL 3, ID: 20099509):
Hmmm.... Strange thing is, when I look at our domain on www.dnsreport.com it shows that we have a PTR (reverse DNS entry)?? What's up with that?

Expert Comment by grblades (LVL 36, ID: 20099540):
It's a different IP address. Your MX entry points to a mail server with IP address 83.111.184.160. The mails you are sending are coming from 83.111.160.230, and it is that IP address which does not have a PTR (reverse DNS entry) record.

Author Comment by The_R0CK (LVL 3, ID: 20099550):
I have checked with the ISP; they have confirmed that our PTR record is in place as follows:
160.184.111.83.in-addr.arpa mail.biosme.com

DNSReport also backs up this statement.... Strange that our domain is showing up as "mail.biosme.com (unknown [83.111.160.230])". Any ideas on this?

It could indeed be that our email is being blocked due to reverse-dns lookup failure...

Expert Comment by grblades (LVL 36, ID: 20099568):
Your mail server is saying it is mail.biosme.com and the IP address which sent the mail to us was 83.111.160.230. That IP address cannot be forged. Looking up the IP address it appears to be located in Dubai, UAE which I guess is your location.

Author Comment by The_R0CK (LVL 3, ID: 20099570):
Ok yes.. you are absolutely right!!

The reverse DNS IP is not actually our email server.... damn how did I miss that? Just shows a second pair of eyes really helps at times.

I will now request the ISP to correct the PTR record, probably take 24 hours and I will update. Thanks for the assistance....!

Also, it seems that disabling the sending of NDRs to the outside has stopped the emails building up in my outbound queue. Perhaps someone was hammering our SMTP with fake domains, and our server couldn't send out the NDRs??? Not sure really...

Expert Comment by grblades (LVL 36, ID: 20099584):
It may be related to the 2nd post I made about making sure Exchange is configured to reject mail to non-existent users. If you don't, then you end up sending out non-delivery reports to the (faked) sender's email address. This in itself can get you on an RBL (http://www.backscatterer.org/ in particular).

Assisted Solution by Sembee (LVL 104, earned 600 total points, ID: 20103509):
The messages that you are seeing in the queues are NDRs. It looks like you are facing NDR spam. Recipient filtering is available on Exchange 2007, I haven't written the article on it yet though. It is in the list of things to do.

Are you running a single server? If so then you will need to install the antispam agents first.

In powershell, change to the following directory (presuming default locations)
C:\Program Files\Microsoft\Exchange Server\Scripts

Then use tab to select install-AntispamAgents.ps1
Run that and restart Exchange 2007 EMC.

Then go to Organisation Configuration, Hub Transport and select the Anti-spam option.
Disable every option (as they are enabled by default) except for recipient filtering. Go in to the properties of recipient filtering and enable the option "Block messages sent to recipients not in the global address list" on the Blocked Recipients list.
Apply/OK out.

To get the change to take, restart the Microsoft Exchange Transport Service.
No need to enable tarpit, as that is enabled by default anyway.

To clean the queues, I don't have a good method yet (again because I haven't had time to sit and work one out) so the quick and dirty method will have to do.
In Server Configuration, right click on the Server and choose Properties. Click on the Limits tab. Make a note of the defaults and then change each timeout to 1 minute. Do NOT change the retry setting unless prompted to. Again apply/OK out and restart the Exchange Transport Service.
That will flush out the queues.

I would suggest that you change the NDR setting back to the default.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
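The same configuration carried out from the Exchange Management Shell rather than the EMC, as an added example that is not part of Sembee's answer: the cmdlet names and the default script path are Exchange 2007's, and the queue-clearing step at the end is an alternative to the timeout trick above, not a restatement of it.

```powershell
# Added example (not Sembee's own commands): recipient filtering on a single
# Exchange 2007 server, done from the Exchange Management Shell so each step is
# visible and repeatable. Assumes the default install path named in the answer.

# 1. Install the anti-spam agents on the Hub Transport role.
Set-Location 'C:\Program Files\Microsoft\Exchange Server\Scripts'
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport

# 2. The script enables every agent; switch all of them off except recipient
#    filtering, as the answer recommends.
Set-ContentFilterConfig        -Enabled $false
Set-SenderIdConfig             -Enabled $false
Set-SenderFilterConfig         -Enabled $false
Set-SenderReputationConfig     -Enabled $false
Set-IPBlockListConfig          -Enabled $false
Set-IPAllowListConfig          -Enabled $false
Set-IPBlockListProvidersConfig -Enabled $false
Set-IPAllowListProvidersConfig -Enabled $false

# 3. Recipient filtering with recipient validation: RCPT TO for an address that
#    is not in the GAL is now rejected inside the SMTP session, so no message is
#    accepted and no NDR (backscatter) is generated for it afterwards.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 4. Verify, then restart the transport service so the change takes effect.
#    The "list of internal SMTP servers is empty" event-log warning only matters
#    when another MTA sits between this server and the Internet
#    (Set-TransportConfig -InternalSMTPServers); with a single server it is
#    expected.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-TransportAgent        | Format-Table Identity, Enabled
Restart-Service MSExchangeTransport

# 5. Put the NDR setting back to its default on the Default remote domain, as
#    the answer asks.
Set-RemoteDomain Default -NDREnabled $true

# 6. Alternative way to clear the existing NDR backlog: queued messages whose
#    sender is the null address (the "From: <>" entries) are removed without
#    generating yet another NDR. Run the Get-Message half on its own first and
#    confirm that only the unwanted mail matches before piping to Remove-Message.
Get-Message -Filter {FromAddress -eq '<>'} -ResultSize Unlimited |
    Remove-Message -WithNDR $false -Confirm:$false
```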
 

Author Comment by The_R0CK (LVL 3, ID: 20138494):
Hi Simon,

Thanks for that info, actually quite impressive the antispam feature! All seems to be good now, reverse DNS issue resolved (thanks for helping find that grblades!), and queues are clear (thanks Simon)!

Expert Comment by hiyusuf (ID: 20776530):
HI Sembee
Well, I am facing the same problem of messages in the queue viewer from unwanted domains. I think they are junk or maybe spam, and it also creates DNS connectors and always retries and retries. I would like to know: is it coming from some internal machines, or are spammers hitting my Exchange 2007 server, or what is the exact issue and what's the solution for it? Kindly help me.

Expert Comment by Sembee (LVL 104, ID: 20777324):
hiyusuf - this is an old question. Unlike a forum it is not possible to "bump" questions back up the list. The only people who will see your post are those that have already participated. Instead you should post your question as a new question in the Exchange Server Zone which will allow other experts the chance to see the question and respond.

Simon
Exchange Server Zone Advisor.

Expert Comment by Hans de Jongh (ID: 20817365):
Sembee,

I have tried your solutions, but for some strange reason "anti-spam" doesn't block anything.
After installing the script I searched the event logs and got this error:
Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell.

But there are no other mail servers in this domain...
so I gave this command: set-transportconfig -internalsmtpservers 192.168.10.100
that is the IP of my Exchange server.
But still it won't work...

Expert Comment by Sembee (LVL 104, ID: 20817505):
hdejongh - as I have already stated - this is an old question. I would suggest that you post your query as a new question so that other experts get the opportunity to respond to it.

Simon
Exchange Server Zone Advisor.