wl6538 asked:
Exchange 2007 routing spam but it is not an open relay

Dear experts,

I am experiencing a strange spam issue with my Exchange 2007 server (with the latest service pack and rollups) recently.

My config is:

Exchange 2007 SP1 with latest rollup (x64)
Windows Server 2008 x64
TrendMicro ScanMail (for spam and AV filtering)

I have checked that I am NOT an open relay by telnetting to Exchange on port 25.

Also I have set Accepted Domains in Hub Transport and it is limited to my own domains only.

My problem is:

I am getting outgoing spam from my Exchange server on the outgoing SMTP connector; the frequency of this problem is about 3 to 4 spam messages a day that went through my outgoing SMTP connector.

Based on what I see from the message tracking tool, the spam comes through the incoming SMTP first, destined to one of our real email addresses local to our domain (as well as a bunch of other non-local email addresses in the CC: field); the spam then gets quarantined by the content filtering, using an SCL rating of 7, on our Exchange server.

However, the spam message will somehow get through to our outgoing SMTP connector and the message gets sent to the non-local recipients in the CC: field.

Please find below outgoing and incoming SMTP logs and the relevant part of message tracking log, as well as the header of the spam message itself.


Some notes:

For illustration purposes our domain is mydomain.com (public) and mydomain.local (LAN).

Our Exchange mail server is called SPOCK.

In these logs I have changed the real user name to real_local_user.

Our ISP's SMTP smart host that I use for outgoing mail is from fluidata.co.uk.

The spammers are spoofing hmrc.gov.uk in this case.

Here are the logs:

SMTP receive log:

2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,0,192.168.116.4:25,123.18.150.215:4384,+,,
2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,1,192.168.116.4:25,123.18.150.215:4384,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2009-04-29T09:47:38.467Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,2,192.168.116.4:25,123.18.150.215:4384,>,"220 spock.mydomain.local Microsoft ESMTP MAIL Service ready at Wed, 29 Apr 2009 10:47:37 +0100",
2009-04-29T09:47:39.036Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,3,192.168.116.4:25,123.18.150.215:4384,<,HELO hmrc.gov.uk,
2009-04-29T09:47:39.037Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,4,192.168.116.4:25,123.18.150.215:4384,>,250 spock.mydomain.local Hello [123.18.150.215],
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,5,192.168.116.4:25,123.18.150.215:4384,<,MAIL FROM: <operator_num_83wgf@hmrc.gov.uk>,
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,6,192.168.116.4:25,123.18.150.215:4384,*,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;1,receiving message
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,7,192.168.116.4:25,123.18.150.215:4384,>,250 2.1.0 Sender OK,
2009-04-29T09:47:40.261Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,8,192.168.116.4:25,123.18.150.215:4384,<,RCPT TO: <real_local_user@mydomain.com>,
2009-04-29T09:47:40.264Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,9,192.168.116.4:25,123.18.150.215:4384,>,250 2.1.5 Recipient OK,
2009-04-29T09:47:40.812Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,10,192.168.116.4:25,123.18.150.215:4384,<,DATA,
2009-04-29T09:47:40.813Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,11,192.168.116.4:25,123.18.150.215:4384,>,354 Start mail input; end with <CRLF>.<CRLF>,
2009-04-29T09:47:42.130Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,12,192.168.116.4:25,123.18.150.215:4384,>,250 2.6.0 <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4> Queued mail for delivery,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,13,192.168.116.4:25,123.18.150.215:4384,<,QUIT,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,14,192.168.116.4:25,123.18.150.215:4384,>,221 2.0.0 Service closing transmission channel,
2009-04-29T09:47:42.692Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,15,192.168.116.4:25,123.18.150.215:4384,-,,Local

SMTP send log:

2009-04-29T09:47:42.269Z,Main SMTP Send Connector,08CB96538CAC4E8E,0,,89.105.96.56:25,*,,attempting to connect
2009-04-29T09:47:42.277Z,Main SMTP Send Connector,08CB96538CAC4E8E,1,192.168.116.4:2037,89.105.96.56:25,+,,
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,2,192.168.116.4:2037,89.105.96.56:25,<,"220 smtp2.fluidata.co.uk ESMTP Sendmail 8.13.8/8.13.8; Wed, 29 Apr 2009 10:49:43 +0100",
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,3,192.168.116.4:2037,89.105.96.56:25,>,EHLO spock.mydomain.com,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,4,192.168.116.4:2037,89.105.96.56:25,<,"250-smtp2.fluidata.co.uk Hello mydomain.com.fluidata.co.uk [mydomain.com] (may be forged), pleased to meet you",
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,5,192.168.116.4:2037,89.105.96.56:25,<,250-ENHANCEDSTATUSCODES,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,6,192.168.116.4:2037,89.105.96.56:25,<,250-PIPELINING,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,7,192.168.116.4:2037,89.105.96.56:25,<,250-8BITMIME,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,8,192.168.116.4:2037,89.105.96.56:25,<,250-SIZE,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,9,192.168.116.4:2037,89.105.96.56:25,<,250-DSN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,10,192.168.116.4:2037,89.105.96.56:25,<,250-ETRN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,11,192.168.116.4:2037,89.105.96.56:25,<,250-DELIVERBY,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,12,192.168.116.4:2037,89.105.96.56:25,<,250 HELP,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,13,192.168.116.4:2037,89.105.96.56:25,*,419,sending message
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,14,192.168.116.4:2037,89.105.96.56:25,>,MAIL FROM:<operator_num_83wgf@hmrc.gov.uk> SIZE=11988,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,15,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@cnsfarnell.com>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,16,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@city.ac.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,17,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@excite.co.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,18,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@elsevier.com>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,19,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@bywaters.co.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,20,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@bradfordcollege.ac.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,21,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@breathe.com>,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,22,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.0 <operator_num_83wgf@hmrc.gov.uk>... Sender ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,23,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@cnsfarnell.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,24,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@city.ac.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,25,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@excite.co.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,26,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@elsevier.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,27,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@bywaters.co.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,28,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@bradfordcollege.ac.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,29,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@breathe.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,30,192.168.116.4:2037,89.105.96.56:25,>,DATA,
2009-04-29T09:47:42.607Z,Main SMTP Send Connector,08CB96538CAC4E8E,31,192.168.116.4:2037,89.105.96.56:25,<,"354 Enter mail, end with ""."" on a line by itself",
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,32,192.168.116.4:2037,89.105.96.56:25,<,250 2.0.0 n3T9nhiG006511 Message accepted for delivery,
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,33,192.168.116.4:2037,89.105.96.56:25,>,QUIT,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,34,192.168.116.4:2037,89.105.96.56:25,<,221 2.0.0 smtp2.fluidata.co.uk closing connection,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,35,192.168.116.4:2037,89.105.96.56:25,-,,Local

message tracking log:

2009-04-29T09:47:42.130Z,123.18.150.215,,192.168.116.4,spock,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,,,7408,1,,,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,00A:
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@mydomain.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bradfordcollege.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@breathe.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bywaters.co.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@city.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@cnsfarnell.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@elsevier.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@excite.co.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.268Z,,,,spock,Quarantine,,DSN,DSN,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,email_admin@mydomain.com,,18010,1,,,Undeliverable: ,postmaster@mydomain.com,<>,
2009-04-29T09:47:42.322Z,,spock,,spock,,,STOREDRIVER,DELIVER,419,,real_local_user@mydomain.com,,11988,1,,,,,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
2009-04-29T09:47:42.985Z,,spock,,spock,,,STOREDRIVER,DELIVER,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,email_admin@mydomain.com,,18491,1,,,Undeliverable: ,postmaster@mydomain.com,Administrator@mydomain.com,
2009-04-29T09:47:43.448Z,192.168.116.4,spock,89.105.96.56,smtp2.fluidata.co.uk,08CB96538CAC4E8E,Main SMTP Send Connector,SMTP,SEND,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,real_local_user@cnsfarnell.com;real_local_user@city.ac.uk;real_local_user@excite.co.uk;real_local_user@elsevier.com;real_local_user@bywaters.co.uk;real_local_user@bradfordcollege.ac.uk;real_local_user@breathe.com,250 2.1.5 <real_local_user@cnsfarnell.com>... Recipient ok;250 2.1.5 <real_local_user@city.ac.uk>... Recipient ok;250 2.1.5 <real_local_user@excite.co.uk>... Recipient ok;250 2.1.5 <real_local_user@elsevier.com>... Recipient ok;250 2.1.5 <real_local_user@bywaters.co.uk>... Recipient ok;250 2.1.5 <real_local_user@bradfordcollege.ac.uk>... Recipient ok;250 2.1.5 <real_local_user@breathe.com>... Recipient ok,11984,7,,;;;;;;,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z


the spam message header:

Delivery of this message to the following recipients or distribution lists is quarantined:

real_local_user@mydomain.com

Subject:


--------------------------------------------------------------------------------
Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:

Generating server: mydomain.local

real_local_user@mydomain.com
#550 5.2.1 Content Filter agent quarantined this message ##

Original message headers:

thread-index: AcnIr4pOQbUab6mNS6mROwyg1OsA5Q==
Received: from hmrc.gov.uk (123.18.150.215) by spock.mydomain.local (192.168.116.4) with Microsoft SMTP Server id 8.1.358.0; Wed, 29 Apr 2009 10:47:40 +0100
Message-ID: <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>
From: "HMRC Tax Refunds On-line" <operator_num_83wgf@hmrc.gov.uk>
To: <real_local_user@mydomain.com>
BCC: <real_local_user@bradfordcollege.ac.uk>,
      <real_local_user@breathe.com>,
      <real_local_user@bywaters.co.uk>,
      <real_local_user@city.ac.uk>,
      <real_local_user@cnsfarnell.com>,
      <real_local_user@elsevier.com>,
      <real_local_user@excite.co.uk>
Subject: HM Revenue and Customs Notification Tax refund (Internal Revenue Service)
Content-Transfer-Encoding: 7bit
Date: Thu, 30 Apr 2009 04:45:55 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_0004_01C9C94E.8C659770";
      type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
Return-Path: <operator_num_83wgf@hmrc.gov.uk>
Received-SPF: None (spock.mydomain.local: operator_num_83wgf@hmrc.gov.uk does not designate permitted sender hosts)
X-TM-AS-Product-Ver: SMEX-8.0.0.4125-5.600.1016-16610.003
X-TM-AS-Result: Yes-64.271900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
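
One defender-side check that the message tracking log above supports, added here as an example and not code from the thread, from Microsoft or from Trend Micro: group the tracking events by internal-message-id and flag any message that arrived over SMTP from a sender outside the accepted domains and then left through a Send connector to recipients outside them, which is a relay regardless of what the Receive connector permissions say. The sample rows are taken from the question's tracking log for message 419, with the SEND row cut down to two of the seven external recipients and its status column shortened; the accepted-domain set, the function names and the assumption that the columns follow the Exchange 2007 MSGTRK field order are mine. It generalises beyond this one message: run over a full day's log it lists every relayed message with the client IP, the sender, the envelope recipient count at RECEIVE and the external recipients that were recorded by transport-agent (AGENT) events rather than in the SMTP envelope.

```python
import csv
import io
from collections import defaultdict

# Column order of an Exchange 2007 message-tracking log (MSGTRK*.LOG). The
# thread pasted only the data rows, so the header is supplied here (assumed).
FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "recipient-address", "recipient-status", "total-bytes",
    "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
]

# Constructed sample: the RECEIVE, AGENT, DELIVER and SEND rows for internal
# message 419 from the question; the SEND row is cut to two external recipients.
SAMPLE_LOG = r"""
2009-04-29T09:47:42.130Z,123.18.150.215,,192.168.116.4,spock,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,,,7408,1,,,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,00A:
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@mydomain.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bradfordcollege.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@breathe.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.322Z,,spock,,spock,,,STOREDRIVER,DELIVER,419,,real_local_user@mydomain.com,,11988,1,,,,,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
2009-04-29T09:47:43.448Z,192.168.116.4,spock,89.105.96.56,smtp2.fluidata.co.uk,08CB96538CAC4E8E,Main SMTP Send Connector,SMTP,SEND,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,real_local_user@bradfordcollege.ac.uk;real_local_user@breathe.com,250 2.1.5 Recipient ok;250 2.1.5 Recipient ok,11984,2,,;,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
"""


def domain_of(address):
    """Domain part of an SMTP address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_tracking_log(text):
    """Parse tracking-log rows into dicts keyed by FIELDS. '#...' header lines
    and rows with the wrong column count (torn lines) are skipped."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        fields = next(csv.reader(io.StringIO(line)))
        if len(fields) == len(FIELDS):
            rows.append(dict(zip(FIELDS, fields)))
    return rows


def find_relay_candidates(rows, accepted_domains):
    """Messages received over SMTP from an external sender and sent over SMTP
    to external recipients: the relay pattern seen in the question's log."""
    accepted = {d.lower() for d in accepted_domains}
    by_msg = defaultdict(list)
    for row in rows:
        by_msg[row["internal-message-id"]].append(row)

    findings = []
    for msg_id, events in by_msg.items():
        received = [e for e in events if e["source"] == "SMTP" and e["event-id"] == "RECEIVE"]
        sent = [e for e in events if e["source"] == "SMTP" and e["event-id"] == "SEND"]
        if not received or not sent:
            continue
        first = received[0]
        sender = first["sender-address"] or first["return-path"]
        if domain_of(sender) in accepted:
            continue  # one of our own senders leaving the organisation: not a relay
        # Recipients actually handed to the smart host that are not ours.
        relayed_to = sorted({
            rcpt for e in sent for rcpt in e["recipient-address"].split(";")
            if rcpt and domain_of(rcpt) not in accepted
        })
        if not relayed_to:
            continue
        # External recipients recorded by transport-agent events; in this log
        # they are the only place the extra recipients appear before SEND.
        agent_added = sorted({
            e["recipient-address"] for e in events
            if e["source"] == "AGENT" and e["event-id"] == "RECEIVE"
            and domain_of(e["recipient-address"]) not in accepted
        })
        findings.append({
            "internal-message-id": msg_id,
            "message-id": first["message-id"],
            "client-ip": first["client-ip"],
            "sender": sender,
            "envelope-recipient-count": sum(int(e["recipient-count"] or 0) for e in received),
            "relayed-to": relayed_to,
            "agent-added-recipients": agent_added,
            "send-connector": sent[0]["connector-id"],
        })
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(parse_tracking_log(SAMPLE_LOG), {"mydomain.com", "mydomain.local"}):
        print(f"message {f['message-id']} from {f['sender']} (client {f['client-ip']}): "
              f"{f['envelope-recipient-count']} envelope recipient(s) in, "
              f"{len(f['relayed-to'])} external recipient(s) out via {f['send-connector']}")
        for rcpt in f["agent-added-recipients"]:
            print("  external recipient recorded by a transport agent:", rcpt)
```

Point it at an exported log with parse_tracking_log(open(path).read()) and the organisation's Accepted Domains list. A finding with one envelope recipient at RECEIVE but several external recipients at SEND is exactly the shape of this thread's message, and the agent-added list shows that the extra recipients were introduced inside transport rather than offered by the connecting client, which is why the open-relay telnet test comes back clean.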

ASKER CERTIFIED SOLUTION
AJermo (United States of America)
This solution is only available to members of Experts Exchange.
wl6538 (ASKER)

Hi AJermo, thanks for the reply.

Can you suggest a network packet capturing software? The only one I can think of is Ethereal but its operation seems a bit complex.

Also, to add some information: my Exchange server is just standalone inside our Windows domain. I think I have to buy another Exchange licence from MS to get the Edge Server, is that correct? Also, you are right that my SMTP is just an open port on our ISA 2006 server; I can't think of a better way to use ISA to filter or check port 25 traffic going internally to Exchange.

I have just added zen.spamhaus.org to IP Block List Providers, hoping that will help the situation somewhat.


SOLUTION
This solution is only available to members of Experts Exchange.
wl6538 (ASKER)

Hi Ajermo

Ever since I enabled IP Block List, there have been no further incidents of this kind for 2 days so far.

Thanks for the Technet article. I also found an article about setting up a standalone server. I think my main issue is that by using it as standalone I HAVE to set the Default Receive Connector with "Anonymous users" permission, otherwise I won't be getting any mail at all:

http://msexchangeteam.com/archive/2006/11/17/431555.aspx

I think I will monitor it over the weekend and see how it goes

wl6538 (ASKER)

The issue appears to be ongoing; however, I have now noticed a pattern in when these emails were being sent from our server.

In all cases the emails were initially blocked by Content Filtering (Hub Transport -> Anti-Spam), and they were the ones being "Quarantined" when the SCL is >= 7 to a mailbox I set up to collect quarantined emails.

Maybe while the spam was being quarantined, the Exchange server was still trying to forward the mail to the other recipients in the CC field? I noticed one legitimate email being blocked in this manner over the weekend, and our server sent the email out via SMTP to the remaining recipients in the CC field. (?)


Hello, I have got exactly the same problem. I have SBS with Exchange 2007 SP1 and I am receiving spam from my Exchange from an unknown user, and in the CC there are some users from Exchange and others from my domain which were actually never created, just anyname@mydomain.com, and then also addresses from another domain name, just in CC,
and it gets into the user's mailbox.
Any help?
I have a NETASQ U70 UTM as firewall and antispam but I didn't enable the SMTP proxy on the UTM.