Solved

Getting Spam After Upgrade of IMSS from 5.7 to 7.0

Posted on 2008-06-25
Last Modified: 2009-12-21
Last Friday, we upgraded IMSS from 5.7 to 7.0.  Additionally, we use Postini for both in and outbound email spam protection, so all of our message headers inbound have a Postini "footprint" as it were.  

However, after the upgrade to 7.0, we have been getting spam email messages that simply say:

From:  postmaster@localhost
Subject:  Delivery Final Failure Notice
Body:  Can not deliver the message you sent.  Will not retry.

The header of the message has no Postini relays mentioned, and is in fact rather short, with a message id of <messageid@127.0.0.1>  but the message itself came FROM our IMSS server to our back-end Exchange Server and the postmaster account is NOT the one specified in the IMSS notification settings either.

IMSS is configured to only allow relaying to our internal Exchange server and our Postini relays.  What's different about this is that in 7.0, it lists 127.0.0.1 as a valid IP to allow relaying.  Trend Micro says we cannot remove it (I tried, twice, it keeps coming back) -- they say it's the way the program operates, but I think it's a little weird that 127.0.0.1 just so happens to be in the message ID of these spam messages too....

Any advice would be appreciated -- am I barking up the wrong tree?  Or is Trend really screwing me over in this new version??  Confused and frustrated with their technical support right now :(
0
Question by:kaos_theory
8 Comments
 
LVL 19

Expert Comment

by:MrLonandB
ID: 21865228
Where in IMSS do you show 127.0.0.1...? We've just recently moved from IMSS 7.0...but I still have it on the Server and it worked fine for us. Do you have that IP identified somewhere in: Administration > IMSS Configuration > SMTP Routing...or just where do you have it?
0
 
LVL 2

Author Comment

by:kaos_theory
ID: 21865265
It's under:  Administration > IMSS Configuration > SMTP Routing > Connections tab, under Connection Control, we have "Deny All, except the following list", and to the right is our internal server IP, our Postini relays, and the loopback address....
0
 
LVL 19

Accepted Solution

by:
MrLonandB earned 500 total points
ID: 21865547
I see. Ours is set to "Accept all..." because it sits in a DMZ and delivers mail out directly...not to Postini as does yours.

But I am suspecting that the 127.0.0.1...is not the cause of the problem you are having. If you go to the "Message Rule" tab, under "Permitted Senders of Relayed Mail", do you have the "Specified IP addresses" configured?

The reason for my mentioning this, and even though your setup is a bit different than ours, when we first got 7.0...we had similar problems to what you are having. To correct the problem, Trend had me add my internal subnet AND the specific IP of my Exchange Server in there. So I had entries like this in the box adjacent to "Specified IP Addresses":

172.16.0.0:255.255.0.0
172.16.1.187

Without those IP addresses, I could not get mail to go out and would receive non-delivery notices similar to what you are having. Might be worth a try in your case to see if it makes a difference.
0
 
LVL 2

Author Comment

by:kaos_theory
ID: 21865647
Yeah, these settings migrated successfully from 5.7, the two domains we have, and "specified IP Addresses" with only the internal IP of our back end server and the Postini range as well listed under "permitted senders of relayed mail".

What's odd about the delivery notices is the bad grammar and the notification email address doesn't match our customized version of postmaster@"ourdomain.com"...
0

 
LVL 2

Author Comment

by:kaos_theory
ID: 21865707
Oh, also, I forgot to mention we're not having any outbound email flow issues...the undeliverable I got last night seemed unrelated to any messages I sent over the past few days....
0
 
LVL 2

Author Comment

by:kaos_theory
ID: 21865740
uhoh lol

Screeching halt on the brakes...Just sent a test message to a bogus account and got the same undeliverable notice -- this makes me feel so much better!!!  Now, to find out where the heck that pesky "postmaster@localhost" account is hiding so I can get rid of it.

Thanks for your help....sorry for the false alarm but at least you get free points :)  
0
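The header check this thread converges on, as an added example that is not part of the original posts: seen from the back-end server, a notice with a single gateway hop, a loopback sender host or Message-ID, and no upstream-filter hop was generated by the gateway itself rather than relayed from outside. The marker `filter.example.net`, the gateway IP and the sample messages are constructed placeholders, and the single-hop rule is an assumption about how the gateway injects its own notices.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumption: placeholder for the hostname suffix your upstream filtering
# service leaves in Received headers; take the real value from known-good mail.
UPSTREAM_MARKER = "filter.example.net"

def _is_loopback(host):
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal

def classify(raw, gateway_ip):
    """Classify one message as seen on the back-end mail server."""
    msg = email.message_from_string(raw)
    hops = [h.lower() for h in msg.get_all("Received", [])]
    if any(UPSTREAM_MARKER in h for h in hops):
        return "via-upstream"
    # Newest hop is listed first: which host handed this to the back end?
    last_hop_ips = re.findall(r"\[(\d+(?:\.\d+){3})\]", hops[0]) if hops else []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    id_match = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    local = _is_loopback(sender_host) or (
        id_match is not None and _is_loopback(id_match.group(1)))
    if len(hops) == 1 and gateway_ip in last_hop_ips and local:
        return "gateway-generated"  # the gateway's own notice, not relayed spam
    return "bypassed-upstream"      # reached the gateway without the filter

# Constructed samples (hostnames and addresses are made up for this example).
NDR = """Received: from gw.example.internal ([10.0.0.5]) by exch.example.internal; Wed, 25 Jun 2008 02:14:07 -0400
From: postmaster@localhost
Subject: Delivery Final Failure Notice
Message-ID: <messageid@127.0.0.1>

Can not deliver the message you sent.  Will not retry.
"""
FILTERED = """Received: from gw.example.internal ([10.0.0.5]) by exch.example.internal; Wed, 25 Jun 2008 02:15:00 -0400
Received: from mx1.filter.example.net ([192.0.2.10]) by gw.example.internal; Wed, 25 Jun 2008 02:14:58 -0400
From: alice@example.org
Message-ID: <abc123@example.org>

hello
"""
```

A message that claims `postmaster@localhost` but carries a second, external hop is still reported as `bypassed-upstream`, so a forged sender alone does not pass as a gateway notice.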
 
LVL 2

Expert Comment

by:fulloutput
ID: 26025284
kaos theory, I am seeing similar messages after moving to IMSS7. Did you manage to locate where the source address for the Delivery Final Failure Notice messages was set?
0
 
LVL 2

Expert Comment

by:fulloutput
ID: 26094429
Trend Micro Hotfix 56270 fixes the non-delivery report to include useful information such as the address that failed and remote server response code.
0
