Exchange 2007 routing spam but it is not an open relay

Posted on 2009-04-29
Last Modified: 2013-11-30
Dear experts,

I am experiencing a strange spam issue with my Exchange 2007 server (with the latest service pack and rollups) recently.

My config is:

Exchange 2007 SP1 with latest rollup (x64)
Windows Server 2008 x64
TrendMicro ScanMail (for spam and AV filtering)

I have checked that I am NOT an open relay by telneting to exchange port 25.

Also I have set Accepted Domains in Hub Transport and it is limited to my own domains only.

My problem is:

I am getting outgoing spam from my exchange server on the outgoing SMTP connector  the frequency is of this problem is about 3 to 4 spam a day that went thru my outgoing SMTP connector.

Based on what I see from the message tracking tool, I can see that the spam will come thru the incoming SMTP first, destined to one of our real email addresses (as well as a bunch of other non-local email addresses in the CC: field) local to our domain, the spam will then get Quarantined by the content filtering using SCL rating of 7 for our exchange server.

However the spam message will somehow get thru to our outgoing SMTP connector and the message get sent to the non-local recipients in the CC: field

Please find below outgoing and incoming SMTP logs and the relevant part of message tracking log, as well as the header of the spam message itself.

Some notes:

For illustration purpose our domain is (public) and mydomain.local (LAN)

Our exchange mail server is called SPOCK

In these logs I have changed the real user name to real_local_user

Our ISPs SMTP smart host I used for outgoing mail is from

The spammers are spoofing in this case

Here are the logs:

SMTP receive log:

2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,0,,,+,,
2009-04-29T09:47:38.466Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,1,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2009-04-29T09:47:38.467Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,2,,,>,"220 spock.mydomain.local Microsoft ESMTP MAIL Service ready at Wed, 29 Apr 2009 10:47:37 +0100",
2009-04-29T09:47:39.036Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,3,,,<,HELO,
2009-04-29T09:47:39.037Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,4,,,>,250 spock.mydomain.local Hello [],
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,5,,,<,MAIL FROM: <>,
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,6,,,*,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;1,receiving message
2009-04-29T09:47:39.608Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,7,,,>,250 2.1.0 Sender OK,
2009-04-29T09:47:40.261Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,8,,,<,RCPT TO: <>,
2009-04-29T09:47:40.264Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,9,,,>,250 2.1.5 Recipient OK,
2009-04-29T09:47:40.812Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,10,,,<,DATA,
2009-04-29T09:47:40.813Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,11,,,>,354 Start mail input; end with <CRLF>.<CRLF>,
2009-04-29T09:47:42.130Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,12,,,>,250 2.6.0 <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4> Queued mail for delivery,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,13,,,<,QUIT,
2009-04-29T09:47:42.691Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,14,,,>,221 2.0.0 Service closing transmission channel,
2009-04-29T09:47:42.692Z,SPOCK\Default SPOCK,08CB96538CAC4E8C,15,,,-,,Local

SMTP send log:

2009-04-29T09:47:42.269Z,Main SMTP Send Connector,08CB96538CAC4E8E,0,,,*,,attempting to connect
2009-04-29T09:47:42.277Z,Main SMTP Send Connector,08CB96538CAC4E8E,1,,,+,,
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,2,,,<,"220 ESMTP Sendmail 8.13.8/8.13.8; Wed, 29 Apr 2009 10:49:43 +0100",
2009-04-29T09:47:42.295Z,Main SMTP Send Connector,08CB96538CAC4E8E,3,,,>,EHLO,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,4,,,<," Hello [] (may be forged), pleased to meet you",
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,5,,,<,250-ENHANCEDSTATUSCODES,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,6,,,<,250-PIPELINING,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,7,,,<,250-8BITMIME,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,8,,,<,250-SIZE,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,9,,,<,250-DSN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,10,,,<,250-ETRN,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,11,,,<,250-DELIVERBY,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,12,,,<,250 HELP,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,13,,,*,419,sending message
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,14,,,>,MAIL FROM:<> SIZE=11988,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,15,,,>,RCPT TO:<>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,16,,,>,RCPT TO:<>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,17,,,>,RCPT TO:<>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,18,,,>,RCPT TO:<>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,19,,,>,RCPT TO:<>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,20,,,>,RCPT TO:<>,
2009-04-29T09:47:42.305Z,Main SMTP Send Connector,08CB96538CAC4E8E,21,,,>,RCPT TO:<>,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,22,,,<,250 2.1.0 <>... Sender ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,23,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,24,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,25,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,26,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,27,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,28,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,29,,,<,250 2.1.5 <>... Recipient ok,
2009-04-29T09:47:42.599Z,Main SMTP Send Connector,08CB96538CAC4E8E,30,,,>,DATA,
2009-04-29T09:47:42.607Z,Main SMTP Send Connector,08CB96538CAC4E8E,31,,,<,"354 Enter mail, end with ""."" on a line by itself",
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,32,,,<,250 2.0.0 n3T9nhiG006511 Message accepted for delivery,
2009-04-29T09:47:43.448Z,Main SMTP Send Connector,08CB96538CAC4E8E,33,,,>,QUIT,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,34,,,<,221 2.0.0 closing connection,
2009-04-29T09:47:43.455Z,Main SMTP Send Connector,08CB96538CAC4E8E,35,,,-,,Local

message tracking log:

2009-04-29T09:47:42.130Z,,,,spock,08CB96538CAC4E8C;2009-04-29T09:47:38.466Z;0,SPOCK\Default SPOCK,SMTP,RECEIVE,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,,,7408,1,,,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),,,00A:
2009-04-29T09:47:42.268Z,,,,spock,Quarantine,,DSN,DSN,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,,,18010,1,,,Undeliverable: ,,<>,
2009-04-29T09:47:42.985Z,,spock,,spock,,,STOREDRIVER,DELIVER,420,<44a7df5a-7fdb-4d1b-a71d-560aa8754617>,,,18491,1,,,Undeliverable: ,,,
2009-04-29T09:47:43.448Z,,spock,,,08CB96538CAC4E8E,Main SMTP Send Connector,SMTP,SEND,419,<000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>,;;;;;;,250 2.1.5 <>... Recipient ok;250 2.1.5 <>... Recipient ok;250 2.1.5 <>... Recipient ok;250 2.1.5 <>... Recipient ok;250 2.1.5 <>... Recipient ok;250 2.1.5 <>... Recipient ok;250 2.1.5 <>... Recipient ok,11984,7,,;;;;;;,HM Revenue and Customs Notification Tax refund (Internal Revenue Service),,,2009-04-29T09:47:40.813Z

the spam message header:

Delivery of this message to the following recipients or distribution lists is quarantined:


Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:

Generating server: mydomain.local
#550 5.2.1 Content Filter agent quarantined this message ##

Original message headers:

thread-index: AcnIr4pOQbUab6mNS6mROwyg1OsA5Q==
Received: from ( by spock.mydomain.local ( with Microsoft SMTP Server id 8.1.358.0; Wed, 29 Apr 2009 10:47:40 +0100
Message-ID: <000801c9c989$38c6e552$0201a8c0@c-ffc4b14a8d7f4>
From: "HMRC Tax Refunds On-line" <>
To: <>
BCC: <>,
Subject: HM Revenue and Customs Notification Tax refund (Internal Revenue Service)
Content-Transfer-Encoding: 7bit
Date: Thu, 30 Apr 2009 04:45:55 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
X-Priority: 3
X-MSMail-Priority: Normal
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
Return-Path: <>
Received-SPF: None (spock.mydomain.local: does not designate permitted sender hosts)
X-TM-AS-Product-Ver: SMEX-
X-TM-AS-Result: Yes-64.271900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No

Question by:wl6538
    LVL 6

    Accepted Solution

    Take a network capture. You could have a mail zombie internally OR a misconfiguration externally.

    I could be missing something in your post but I don't see enough to tell me where the issue is. Only that the issue exists.

    What I suspect is that you aren't running an edge server or other type of front end other than a relay and have your recieve connector wide open. Because the traffic inbound appears to come from a "trusted IP" it's not rejected (

    I'd suggest installing and Edge server between the internet and your hub or simular Baracuda..etc.

    Author Comment

    Hi AJermo, thanks for the reply.

    Can you suggest a network packet capturing software? The only one I can think of is Ethereal but its operation seems a bit complex.

    Also to add some information: My exchange server is just standalone inside our Windows domain, I think I have to buy another Exchange licence from MS to get the Edge Server, is it correct? Also you are right my SMTP is just an open port on our ISA 2006 server, I can't think of a better way to use ISA to filter or check port 25 traffic going internally to Exchange

    I have just added to IP Block List Providers, hoping that will help the situation somewhat.

    LVL 6

    Assisted Solution

    I use netmon to capture and install netshark to analyze on my pc.
    The purpose of the capture is to verify the spam is coming from the outside (rather than guessing).

    Verify permissions/config on the recieve connector. ALot of reading but you'll get a better idea of what the configuration does..

    By default the connectors don't permit relay regardless so this may be a simple mis-config.

    Author Comment

    Hi Ajermo

    Ever since I enabled IP Block List, there have been no further incidents of this kind for 2 days so far.

    Thanks for the Technet article. I also found an article about setting up a standalone server - i think my main issue is by using it as standalone I HAVE to set the Default Receive Connector with "Anonymous users" permission otherwise I won't be getting any mail at all:

    I think I will monitor it over the weekend and see how it goes

    Author Comment

    The issue appears to be on going, however I have now noticed a pattern when these emails were being sent from our server.

    In all cases the emails were initially blocked by Content Filtering (Hub Transport -> Anti-Spam) and they were the ones being "Quarantine" when SCL is >= 7 to a mailbox I setup to collect quarantined emails.

    May be while the spam was being quarantined, the Exchange server was still trying to forward the mail to other recipients in the CC field? As I have noticed one legitimate email being blocked in this manor over the weekend and our server send out the email via SMTP to the remaining recipients in the CC field. (?)


    Expert Comment

    hello i got excatly the same probelm i have sbs exch2007 with sp1 and i am receveing spam from my exchnage unknow user and in the cc i have some users for exch and other from my domain which actualy not create just then also from another domainname just in cc
    and get in the user mail box
    any help
    i Have NETASQ u70 utm as firewalland antispam but i didn't anable smtp proxy on utm

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
    The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now