Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Exchange 2007 routing spam but it is not an open relay

Posted on 2009-04-29
6
Medium Priority
?
2,126 Views
Last Modified: 2013-11-30
Dear experts,

I am experiencing a strange spam issue with my Exchange 2007 server (with the latest service pack and rollups) recently.

My config is:

Exchange 2007 SP1 with latest rollup (x64)
Windows Server 2008 x64
TrendMicro ScanMail (for spam and AV filtering)

I have checked that I am NOT an open relay by telneting to exchange port 25.

Also I have set Accepted Domains in Hub Transport and it is limited to my own domains only.

My problem is:

I am getting outgoing spam from my exchange server on the outgoing SMTP connector  the frequency is of this problem is about 3 to 4 spam a day that went thru my outgoing SMTP connector.

Based on what I see from the message tracking tool, I can see that the spam will come thru the incoming SMTP first, destined to one of our real email addresses (as well as a bunch of other non-local email addresses in the CC: field) local to our domain, the spam will then get Quarantined by the content filtering using SCL rating of 7 for our exchange server.

However the spam message will somehow get thru to our outgoing SMTP connector and the message get sent to the non-local recipients in the CC: field

Please find below outgoing and incoming SMTP logs and the relevant part of message tracking log, as well as the header of the spam message itself.


Some notes:

For illustration purpose our domain is mydomain.com (public) and mydomain.local (LAN)

Our exchange mail server is called SPOCK

In these logs I have changed the real user name to real_local_user

Our ISPs SMTP smart host I used for outgoing mail is from fluidata.co.uk

The spammers are spoofing hmrc.gov.gov.uk in this case

Here are the logs:

SMTP receive log:

2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,0,192.168.116.4:25,123.18.150.215:4384,+,,
2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,1,192.168.116.4:25,123.18.150.215:4384,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2009-04-29T09:47:38.467Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,2,192.168.116.4:25,123.18.150.215:4384,>,"220 spock.mydomain.local Microsoft ESMTP MAIL Service ready at Wed, 29 Apr 2009 10:47:37 +0100",
2009-04-29T09:47:39.036Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,3,192.168.116.4:25,123.18.150.215:4384,<,HELO hmrc.gov.uk,
2009-04-29T09:47:39.037Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,4,192.168.116.4:25,123.18.150.215:4384,>,250 spock.mydomain.local Hello [123.18.150.215],
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,5,192.168.116.4:25,123.18.150.215:4384,<,MAIL FROM: <operator_num_83wgf@hmrc.gov.uk>,
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,6,192.168.116.4:25,123.18.150.215:4384,*,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;1,receiving message
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,7,192.168.116.4:25,123.18.150.215:4384,>,250 2.1.0 Sender OK,
2009-04-29T09:47:40.261Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,8,192.168.116.4:25,123.18.150.215:4384,<,RCPT TO: <real_local_user@mydomain.com>,
2009-04-29T09:47:40.264Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,9,192.168.116.4:25,123.18.150.215:4384,>,250 2.1.5 Recipient OK,
2009-04-29T09:47:40.812Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,10,192.168.116.4:25,123.18.150.215:4384,<,DATA,
2009-04-29T09:47:40.813Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,11,192.168.116.4:25,123.18.150.215:4384,>,354 Start mail input; end with <CRLF>.<CRLF>,
2009-04-29T09:47:42.130Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,12,192.168.116.4:25,123.18.150.215:4384,>,250 2.6.0 <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4> Queued mail for delivery,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,13,192.168.116.4:25,123.18.150.215:4384,<,QUIT,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,14,192.168.116.4:25,123.18.150.215:4384,>,221 2.0.0 Service closing transmission channel,
2009-04-29T09:47:42.692Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,15,192.168.116.4:25,123.18.150.215:4384,-,,Local




SMTP send log:

2009-04-29T09:47:42.269Z,Main SMTP Send Connector,08CB96538CAC4E8E,0,,89.105.96.56:25,*,,attempting to connect
2009-04-29T09:47:42.277Z,Main SMTP Send Connector,08CB96538CAC4E8E,1,192.168.116.4:2037,89.105.96.56:25,+,,
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,2,192.168.116.4:2037,89.105.96.56:25,<,"220 smtp2.fluidata.co.uk ESMTP Sendmail 8.13.8/8.13.8; Wed, 29 Apr 2009 10:49:43 +0100",
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,3,192.168.116.4:2037,89.105.96.56:25,>,EHLO spock.mydomain.com,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,4,192.168.116.4:2037,89.105.96.56:25,<,"250-smtp2.fluidata.co.uk Hello mydomain.com.fluidata.co.uk [mydomain.com] (may be forged), pleased to meet you",
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,5,192.168.116.4:2037,89.105.96.56:25,<,250-ENHANCEDSTATUSCODES,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,6,192.168.116.4:2037,89.105.96.56:25,<,250-PIPELINING,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,7,192.168.116.4:2037,89.105.96.56:25,<,250-8BITMIME,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,8,192.168.116.4:2037,89.105.96.56:25,<,250-SIZE,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,9,192.168.116.4:2037,89.105.96.56:25,<,250-DSN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,10,192.168.116.4:2037,89.105.96.56:25,<,250-ETRN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,11,192.168.116.4:2037,89.105.96.56:25,<,250-DELIVERBY,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,12,192.168.116.4:2037,89.105.96.56:25,<,250 HELP,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,13,192.168.116.4:2037,89.105.96.56:25,*,419,sending message
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,14,192.168.116.4:2037,89.105.96.56:25,>,MAIL FROM:<operator_num_83wgf@hmrc.gov.uk> SIZE=11988,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,15,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@cnsfarnell.com>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,16,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@city.ac.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,17,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@excite.co.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,18,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@elsevier.com>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,19,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@bywaters.co.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,20,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@bradfordcollege.ac.uk>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,21,192.168.116.4:2037,89.105.96.56:25,>,RCPT TO:<real_local_user@breathe.com>,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,22,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.0 <operator_num_83wgf@hmrc.gov.uk>... Sender ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,23,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@cnsfarnell.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,24,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@city.ac.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,25,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@excite.co.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,26,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@elsevier.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,27,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@bywaters.co.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,28,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@bradfordcollege.ac.uk>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,29,192.168.116.4:2037,89.105.96.56:25,<,250 2.1.5 <real_local_user@breathe.com>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,30,192.168.116.4:2037,89.105.96.56:25,>,DATA,
2009-04-29T09:47:42.607Z,Main SMTP Send Connector,08CB96538CAC4E8E,31,192.168.116.4:2037,89.105.96.56:25,<,"354 Enter mail, end with ""."" on a line by itself",
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,32,192.168.116.4:2037,89.105.96.56:25,<,250 2.0.0 n3T9nhiG006511 Message accepted for delivery,
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,33,192.168.116.4:2037,89.105.96.56:25,>,QUIT,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,34,192.168.116.4:2037,89.105.96.56:25,<,221 2.0.0 smtp2.fluidata.co.uk closing connection,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,35,192.168.116.4:2037,89.105.96.56:25,-,,Local



message tracking log:



2009-04-29T09:47:42.130Z,123.18.150.215,,192.168.116.4,spock,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,,,7408,1,,,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,00A:
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@mydomain.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bradfordcollege.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@breathe.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@bywaters.co.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@city.ac.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@cnsfarnell.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@elsevier.com,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.192Z,,spock,,,,,AGENT,RECEIVE,419,,real_local_user@excite.co.uk,,0,1,,,,,operator_num_83wgf@hmrc.gov.uk,
2009-04-29T09:47:42.268Z,,,,spock,Quarantine,,DSN,DSN,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,email_admin@mydomain.com,,18010,1,,,Undeliverable: ,postmaster@mydomain.com,<>,
2009-04-29T09:47:42.322Z,,spock,,spock,,,STOREDRIVER,DELIVER,419,,real_local_user@mydomain.com,,11988,1,,,,,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z
2009-04-29T09:47:42.985Z,,spock,,spock,,,STOREDRIVER,DELIVER,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,email_admin@mydomain.com,,18491,1,,,Undeliverable: ,postmaster@mydomain.com,Administrator@mydomain.com,
2009-04-29T09:47:43.448Z,192.168.116.4,spock,89.105.96.56,smtp2.fluidata.co.uk,08CB96538CAC4E8E,Main SMTP Send Connector,SMTP,SEND,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,real_local_user@cnsfarnell.com;real_local_user@city.ac.uk;real_local_user@excite.co.uk;real_local_user@elsevier.com;real_local_user@bywaters.co.uk;real_local_user@bradfordcollege.ac.uk;real_local_user@breathe.com,250 2.1.5 <real_local_user@cnsfarnell.com>... Recipient ok;250 2.1.5 <real_local_user@city.ac.uk>... Recipient ok;250 2.1.5 <real_local_user@excite.co.uk>... Recipient ok;250 2.1.5 <real_local_user@elsevier.com>... Recipient ok;250 2.1.5 <real_local_user@bywaters.co.uk>... Recipient ok;250 2.1.5 <real_local_user@bradfordcollege.ac.uk>... Recipient ok;250 2.1.5 <real_local_user@breathe.com>... Recipient ok,11984,7,,;;;;;;,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),operator_num_83wgf@hmrc.gov.uk,operator_num_83wgf@hmrc.gov.uk,2009-04-29T09:47:40.813Z


the spam message header:

Delivery of this message to the following recipients or distribution lists is quarantined:

real_local_user@mydomain.com

Subject:


--------------------------------------------------------------------------------
Sent by Microsoft Exchange Server 2007






Diagnostic information for administrators:

Generating server: mydomain.local

real_local_user@mydomain.com
#550 5.2.1 Content Filter agent quarantined this message ##

Original message headers:

thread-index: AcnIr4pOQbUab6mNS6mROwyg1OsA5Q==
Received: from hmrc.gov.uk (123.18.150.215) by spock.mydomain.local (192.168.116.4) with Microsoft SMTP Server id 8.1.358.0; Wed, 29 Apr 2009 10:47:40 +0100
Message-ID: <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>
From: "HMRC Tax Refunds On-line" <operator_num_83wgf@hmrc.gov.uk>
To: <real_local_user@mydomain.com>
BCC: <real_local_user@bradfordcollege.ac.uk>,
      <real_local_user@breathe.com>,
      <real_local_user@bywaters.co.uk>,
      <real_local_user@city.ac.uk>,
      <real_local_user@cnsfarnell.com>,
      <real_local_user@elsevier.com>,
      <real_local_user@excite.co.uk>
Subject: HM Revenue and Customs Notification Tax refund (Internal Revenue Service)
Content-Transfer-Encoding: 7bit
Date: Thu, 30 Apr 2009 04:45:55 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_0004_01C9C94E.8C659770";
      type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
Return-Path: <operator_num_83wgf@hmrc.gov.uk>
Received-SPF: None (spock.mydomain.local: operator_num_83wgf@hmrc.gov.uk does not designate permitted sender hosts)
X-TM-AS-Product-Ver: SMEX-8.0.0.4125-5.600.1016-16610.003
X-TM-AS-Result: Yes-64.271900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No




0
Comment
Question by:wl6538
  • 3
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
AJermo earned 1500 total points
ID: 24259686
Take a network capture. You could have a mail zombie internally OR a misconfiguration externally.

I could be missing something in your post but I don't see enough to tell me where the issue is. Only that the issue exists.

What I suspect is that you aren't running an edge server or other type of front end other than a relay and have your recieve connector wide open. Because the traffic inbound appears to come from a "trusted IP" it's not rejected (123.18.150.215).

I'd suggest installing and Edge server between the internet and your hub or simular device..eg Baracuda..etc.
0
 

Author Comment

by:wl6538
ID: 24260064
Hi AJermo, thanks for the reply.

Can you suggest a network packet capturing software? The only one I can think of is Ethereal but its operation seems a bit complex.

Also to add some information: My exchange server is just standalone inside our Windows domain, I think I have to buy another Exchange licence from MS to get the Edge Server, is it correct? Also you are right my SMTP is just an open port on our ISA 2006 server, I can't think of a better way to use ISA to filter or check port 25 traffic going internally to Exchange

I have just added zen.spamhaus.org to IP Block List Providers, hoping that will help the situation somewhat.


0
 
LVL 6

Assisted Solution

by:AJermo
AJermo earned 1500 total points
ID: 24260370
I use netmon to capture and install netshark to analyze on my pc.
The purpose of the capture is to verify the spam is coming from the outside (rather than guessing).

Verify permissions/config on the recieve connector. ALot of reading but you'll get a better idea of what the configuration does..

http://technet.microsoft.com/en-us/library/aa997170.aspx

By default the connectors don't permit relay regardless so this may be a simple mis-config.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:wl6538
ID: 24278073
Hi Ajermo

Ever since I enabled IP Block List, there have been no further incidents of this kind for 2 days so far.

Thanks for the Technet article. I also found an article about setting up a standalone server - i think my main issue is by using it as standalone I HAVE to set the Default Receive Connector with "Anonymous users" permission otherwise I won't be getting any mail at all:

http://msexchangeteam.com/archive/2006/11/17/431555.aspx

I think I will monitor it over the weekend and see how it goes
0
 

Author Comment

by:wl6538
ID: 24307529
The issue appears to be on going, however I have now noticed a pattern when these emails were being sent from our server.

In all cases the emails were initially blocked by Content Filtering (Hub Transport -> Anti-Spam) and they were the ones being "Quarantine" when SCL is >= 7 to a mailbox I setup to collect quarantined emails.

May be while the spam was being quarantined, the Exchange server was still trying to forward the mail to other recipients in the CC field? As I have noticed one legitimate email being blocked in this manor over the weekend and our server send out the email via SMTP to the remaining recipients in the CC field. (?)


0
 

Expert Comment

by:bugs-it
ID: 35361147
hello i got excatly the same probelm i have sbs exch2007 with sp1 and i am receveing spam from my exchnage unknow user and in the cc i have some users for exch and other from my domain which actualy not create just anyname@mydomain.com then also from another domainname just in cc
and get in the user mail box
any help
i Have NETASQ u70 utm as firewalland antispam but i didn't anable smtp proxy on utm
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Upgrading from older Exchange server to the latest Exchange server can be tiresome, error-prone and risky, without being a seasoned exchange server administrators. It can become even problematic if you're an organization that runs on tight timeline…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question