Balack
asked on
Is outgoing mail not subject to anti-spam checks?
This is a two-server Exchange 2007 setup: one server hosts Mailbox/CAS/Hub Transport, and the other is an Edge Transport server. Recently, a lot of users complained that they are receiving a lot of spam. The anti-spam feature is only set up on the Edge Transport server. On this server, I opened the Exchange Management Shell and typed:
get-agentlog -startdate "10/22/2009 00:01am" -enddate "10/22/2009 11:59pm" > C:\agentlog_22102009.txt
I found that quite a lot of the mail recipients that the backend Exchange server (IP: 10.176.0.44) sent to are either problematic or non-existent. Please see the excerpt of one of the entries from the above log:
Timestamp : 10/22/2009 6:09:16 PM
SessionId : 08CC210F7AF1C2A5
IPAddress : 10.176.0.44
MessageId : <c66e98b5-5016-47b2-8194-5635be456136>
P1FromAddress : <>
P2FromAddresses : {administrator@abc.com}
Recipients : {eloquently34@questionable_domain.com}
Agent : Content Filter Agent
Event : OnEndOfData
Action : AcceptMessage
SmtpResponse :
Reason : SCL
ReasonData : not available: policy is disabled.
Diagnostics :
I just don't understand why the ReasonData is "not available: policy is disabled." Does it mean that outgoing mail from the backend Exchange server (IP 10.176.0.44) is not subject to anti-spam checks? I believe the above entry is related to the large amount of spam we receive day by day.
Please enlighten me.
ASKER
I refer to outbound mail, especially mail sent from my backend Exchange server, 10.176.0.44. Referring to one of the entries recorded in the log, the mail recipient is SUSPECTED to be non-existent.
You have written "Recently, a lot users complaint that they receiving a lot of spams." What users are these?
As for outbound mail, this looks like backscatter to me. Your server is sending out NDR reports.
P1FromAddress is <>, which is typical of a Delivery Status Notification.
Ensure you have recipient filtering enabled on your Edge Transport server AND make sure that your Hub Transport server is not accessible from the outside world.
To enable recipient filtering:
In Exchange 2007 you can stop your server generating NDRs for nonexistent users by doing the following:
On the Edge Transport Server,
USING EMS:
Get-TransportAgent (you should see Recipient Filtering Agent Enabled in the list and it should say Enabled)
Set-RecipientFilterConfig -Enabled $true
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Shaun
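An added example (my code, not from the thread) that runs the same Get-AgentLog query the question used and then summarises it from the backscatter angle Shaun describes: how many Content Filter entries were accepted with the policy disabled, how many of those are null-sender (<>) NDRs from the Hub's IP, and which external domains are receiving them. It assumes it is run in the Exchange Management Shell on the Edge server, with the date range and IP from the question.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Edge Transport server. The date range and the Hub's IP (10.176.0.44) are the
# values from the question above.
$hubIp = "10.176.0.44"
$entries = Get-AgentLog -StartDate "10/22/2009 00:01am" -EndDate "10/22/2009 11:59pm"

# Content Filter entries that were accepted without an SCL verdict; the log shows
# these as ReasonData "not available: policy is disabled."
$unscored = $entries | Where-Object {
    $_.Agent -eq "Content Filter Agent" -and
    $_.Action -eq "AcceptMessage" -and
    "$($_.ReasonData)" -like "*policy is disabled*"
}

# A null sender (<>) marks a Delivery Status Notification. NDRs leaving the
# organisation from the internal Hub, for mail that was never legitimately
# sent to us, are backscatter.
$ndrs = $unscored | Where-Object {
    "$($_.IPAddress)" -eq $hubIp -and
    ("$($_.P1FromAddress)" -eq "<>" -or "$($_.P1FromAddress)" -eq "")
}

Write-Output ("Accepted with policy disabled : " + @($unscored).Count)
Write-Output ("Null-sender NDRs from " + $hubIp + " : " + @($ndrs).Count)

# Group the NDR recipients by domain. A long tail of odd mailboxes at many
# unrelated domains (like the eloquently34@... entry above) is the usual
# backscatter signature: the forged senders of spam being bounced to strangers.
$ndrs |
    ForEach-Object { $_.Recipients } |
    ForEach-Object { "$_".Split("@")[-1] } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

If the second count is a large share of the first, the Hub is accepting mail for unknown recipients and bouncing it afterwards, which is exactly what recipient validation at the SMTP session prevents.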
ASKER
Hi Shauncroucher,
These users are my company users. They complained about a lot of spam being received.
As per your statement:
As for outbound mail, this looks like backscatter to me. Your server sending out NDR reports.
P1FromAddress is <> which is typical of a Delivery Status Notification.
Question: Is this normal? How can I make the security tighter?
Currently, I have registered 2 MX records: Edge Transport as the first priority and Hub Transport as secondary. What are the worries with being configured in such a way?
My Edge Transport server's transport agent is enabled with TRUE for the above 2 settings.
Please advise what I can do to improve the situation. Thanks,
If you are using the Hub server AND the Edge Transport server for inbound mail then you will need to make sure both have recipient filtering enabled.
For the Hub, that means installing the anti-spam agents and making sure it is enabled both as a Transport agent and as an Anti-spam feature.
In Exchange 2007 you can stop your server generating NDRs for nonexistent users by doing the following (on a Hub Server):
Ensure you have the Anti-Spam agents enabled on the server that is responsible for Internet outbound mail.
If this is a Hub Transport Server you will need to install the Anti-Spam agents. To do this follow the instructions below:
Open Exchange Management Shell (EMS)
Type Install-AntispamAgents.ps1
Type Restart-Service MSExchangeTransport
THEN
USING EMS:
Get-TransportAgent (you should see Recipient Filtering Agent Enabled in the list)
Set-RecipientFilterConfig -Enabled $true
Set-RecipientFilterConfig -RecipientValidationEnabled $true
OR USING EMC
Re-open the Exchange Management Console (EMC)
Navigate to Org Config --> Hub Transport --> 'Anti-Spam' tab.
Ensure Recipient Filtering is Enabled (if not, enable it)
Open Recipient Filtering --> Block Recipients --> Block messages sent to recipients not listed in the Global Address List
For more information visit:
http://support.microsoft.com/kb/555924 (Installing Spam agents)
Additionally, you should review the Microsoft article above and make sure you have all the same settings for Anti-spam on the Hub server as you do for the Edge server, because at the moment spammers will be attacking BOTH servers.
Shaun
ASKER
Hi Shauncroucher,
I found that on the Hub Transport server, the permission groups for the default receive connector include "Anonymous users"; shall I exclude them, since the Hub Transport server is not supposed to be accessible from the Internet?
Well, you have an MX record that is publishing this server as available.
If I were you, I would ONLY have the Edge Transport Server available for inbound connections, do all the anti-spam and filtering here, and not allow inbound connections to the Hub server.
You could always remove the MX that points to the Hub server, or remove any forwarding rules that you have for the Hub, or yes, as you say, remove the Anonymous Users group.
Shaun
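An added audit script (my code, not from the thread or from Microsoft) for the Hub side of Shaun's advice: it checks that the Recipient Filter agent is installed and enabled, that recipient validation is on, and lists every receive connector that still grants the Anonymous Users permission group. It assumes it is run in the Exchange Management Shell on the Hub; HUB01 is a placeholder server name.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Hub Transport server. "HUB01" is a placeholder; substitute the Hub's name.
$hubServer = "HUB01"

# 1. Recipient Filter agent: installed (Install-AntispamAgents.ps1) and enabled?
$agent = Get-TransportAgent | Where-Object { $_.Identity -like "Recipient Filter*" }
if ($agent -eq $null) {
    Write-Output "Recipient Filter Agent is not installed on this Hub."
} elseif (-not $agent.Enabled) {
    Write-Output "Recipient Filter Agent is installed but disabled."
} else {
    Write-Output "Recipient Filter Agent is enabled."
}

# 2. Recipient validation: reject unknown recipients during the SMTP session
#    instead of accepting the message and generating an NDR afterwards.
$rf = Get-RecipientFilterConfig
Write-Output ("RecipientFilter Enabled    : " + $rf.Enabled)
Write-Output ("RecipientValidationEnabled : " + $rf.RecipientValidationEnabled)
if (-not ($rf.Enabled -and $rf.RecipientValidationEnabled)) {
    Write-Output "Unknown recipients are accepted, so NDRs (backscatter) will be generated."
}

# 3. Receive connectors on the Hub that accept anonymous SMTP. While a public MX
#    points at the Hub, every such connector is an unfiltered entry point.
Write-Output "Receive connectors granting AnonymousUsers:"
Get-ReceiveConnector -Server $hubServer |
    Where-Object { "$($_.PermissionGroups)" -match "AnonymousUsers" } |
    Format-Table Identity, Bindings, RemoteIPRanges -AutoSize
```

Any connector listed in step 3 whose RemoteIPRanges is not restricted to the Edge server (or other trusted hosts) is the one Shaun is telling you to close, either by dropping the secondary MX or by removing the Anonymous Users group.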
ASKER
Hi Shaun,
I just installed anti-spam on the Hub Transport server by typing ./Install-AntispamAgents.ps1. Anti-spam is installed, but a few of the settings were not set automatically. For example, in the Exchange shell I typed "Get-AntispamUpdates" and got the following manual settings:
UpdateMode: Manual
SpamSignatureUpdatesEnabled: False
IPReputationUpdatesEnabled: False
MicrosoftUpdate: Manual
I restarted the anti-spam update and transport services a few times, but still no effect.
How do I get them updated right away?
Thanks,
You need to use Enable-AntispamUpdates for this. Get-AntispamUpdates does not mean "go and get the updates"; it means "show me the anti-spam update settings". The settings here mainly deal with Forefront updates (which you may not be using). The native Exchange 2007 updates are retrieved biweekly only from Microsoft Update, according to the article below.
Enable-AntispamUpdates <SERVERNAME> -IPReputationUpdatesEnabled $True -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True -MicrosoftUpdate: $True
See: http://technet.microsoft.com/en-us/library/bb123990.aspx and http://technet.microsoft.com/en-us/library/aa998006.aspx
Just make sure you have recipient filtering enabled, as this will stop you getting blacklisted due to backscatter.
I would highly recommend purchasing dedicated Anti-Spam software and using this on your Transport servers. Either Microsoft Forefront or another of your choosing.
Shaun
ASKER
Hi Shauncroucher,
Things look better now, as fewer outgoing mails are queued, as seen in the Edge Transport server's queue viewer. I checked the updated log file using "Get-AgentLog" and found that the above log entry, with IP 10.176.0.44, sent by the administrator as a Delivery Status Notification, no longer exists.
I'll follow up for a couple of days and update you about the status.
Appreciate your advice.
ASKER
Hi Shauncroucher,
On the Hub Transport server, I failed to configure anti-spam updates with MicrosoftUpdate > Configured. The current situation is that all settings in anti-spam updates are configured except MicrosoftUpdate.
MicrosoftUpdate shows "NotConfigured". When I type "enable-antispamupdates -MicrosoftUpdates configured", the following error message occurs:
Enable-antispamupdates: Failed to request Microsoft Update or Microsoft updates is already enabled.
At line:1 Char:23
Enable-antispamupdate <<<< MicrosoftUpdate configured
Still, MicrosoftUpdate remains "NotConfigured"; why?
ASKER CERTIFIED SOLUTION
ASKER
Excellent! It solved my problem and works like a charm.
Glad I could help,
Shaun
As for 'lots of spam', I would always recommend coupling the facilities available in Exchange with third-party software such as Microsoft Forefront or other anti-spam software.
Shaun