Does outgoing doesn't subject to anti-spam check?

Balack
Balack used Ask the Experts™
on
This is a 2-Exchange servers 2007; one hosting mailbox/CAS/Hub transport, and the other Edge transport server. Recently, a lot users complaint that they receiving a lot of spams. Anti-spam feature is only setup on edge-transport server. On this server, I open exchange management shell, and type:

      get-agentlog -startdate "10/22/2009 00:01am" -enddate "10/22/2009 11:59pm" > C:\agentlog_22102009.txt

I found that quite a lot of mail recipients that the backend exchange server (with ip: 10.176.0.44) sent are either problematic or non-exist. Pls see the excerpt of one of the entry from the above log:

   Timestamp       : 10/22/2009 6:09:16 PM
SessionId       : 08CC210F7AF1C2A5
IPAddress       : 10.176.0.44
MessageId       : <c66e98b5-5016-47b2-8194-5635be456136>
P1FromAddress   : <>
P2FromAddresses : {administrator@abc.com}
Recipients      : {eloquently34@questionable_domain.com}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : AcceptMessage
SmtpResponse    :
Reason          : SCL
ReasonData      : not available: policy is disabled.
Diagnostics     :

I just don't understand why the reasondata Is: not available: policy is disabled.? Does it means that outgoing mails from backend exchange server (with ip 10.176.0.44) doesn't subject to antispam check? I believe the above entry is related to so many spams receiving day-by-day.

Pls enlighten.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Are you talking about Inbound to your users, or outbound to the world. You seem to be talking about both?

As for 'lots of SPAM', I would always recommend coupling the facilities available in Exchange with third party software such as Microsoft Forefront or other Anti-spam software.

Shaun

Author

Commented:
I refer to outbound mails, especially sent from my backend exchange - 10.176.0.44. As referring to one of the entry recorded in the log, mail recipient is SUSPECTED non-exist.
You have written "Recently, a lot users complaint that they receiving a lot of spams." what users are these?

As for outbound mail, this looks like backscatter to me. Your server sending out NDR reports.

P1FromAddress is <> which is typical of a Delivery Status Notification.

Ensure you have recipient filtering enabled on your Edge Transport server AND make sure that your Hub Transport server is not accessible from the outside world.

To enable recipient filtering:

In Exchange 2007 you can stop your server generating NDR's for nonexistent users by doing the following:
 
On the Edge Transport Server,
 
USING EMS:
 
Get-TransportAgent (you should see Recipient Filtering Agent Enabled in the list and it should say Enabled)
Set-RecipientFilterConfig -Enabled $true
Set-RecipientFilterConfig -RecipientValidationEnabled $true
 
Shaun
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Hi Shauncroucher,

These users are my company users. They complained a lot of spams being received.

As per your statement:

  As for outbound mail, this looks like backscatter to me. Your server sending out NDR reports.

   P1FromAddress is <> which is typical of a Delivery Status Notification.

Question: Is this normal? How to make the security tighter?

Currently, I registered 2 MX records - Edge transport being the first priority and hub transport being secondary. What are those worries being configured in such a way?

My edge transport's transport agent is enabled with TRUE for the above 2 settings.

Pls give advise what I can improve the situation. Thanks,
If you are using the Hub server AND the Edge Transport server for inbound mail then you will need to make sure both have recipient filtering enabled.

For the Hub, that means installing the Antispamagents and making sure it is enabled both as a Transport agent, and as an Antispam feature.

In Exchange 2007 you can stop your server generating NDR's for nonexistent users by doing the following (on a Hub Server):
 
Ensure you have the Anti-Spam agents enabled on the server that is responsible for Internet outbound mail.
If this is a Hub Transport Server you will need to install the Anti-Spam agents. To do this follow the instructions below:
 
Open Exchange Management Shell (EMS)
Type Install-AntispamAgents.ps1
Type Restart-MSTransportAgent
 
THEN
 
USING EMS:
 
Get-TransportAgent (you should see Recipient Filtering Agent Enabled in the list)
Set-RecipientFilterConfig -Enabled $true
Set-RecipientFilterConfig -RecipientValidationEnabled $true
 
OR USING EMC
Re-open Exchange Management Shell (EMC)
Navigate to Org Config --> Hub Transport --> 'Anti-Spam' tab.
Ensure Recipient Filtering is Enabled (if not enable)
Open Recipient Filtering --> Block Recipients --> Block messages sent to recipients not listed in the Global Address List
 
 
For more information visit:
 
http://support.microsoft.com/kb/555924 (Installing Spam agents)

Additionally, you should review the microsoft article above and make sure you have all the same settings for Antispam on the Hub server as you do for the Edge server, because at the moment, spammers will be attacking BOTH servers.

Shaun

Author

Commented:
Hi Shauncroucher,

I found that in hub transport server, the permission groups for default receive connector include "anonymous users"; shall I exclude them since hub transport server is not supposedly accessible from Internet?
Well, you have an MX record that is publishing this server as available.

If I were you, I would ONLY have the Edge Transport Server available for inbound connections, do all the anti-spam and filtering here, and not allow inbound connections to the Hub server.

You could always remove the MX that points to the Hub server, or remove any forwarding rules that you have for the Hub, or yes, as you say, remove the Anonymous users group.

Shaun

Author

Commented:
Hi Shaun,

I just install antispam on hub transport server,  by typing ./installantispma.ps1. Antispam is installed, but, a few of the settings not automatically set. For example, in exchange shell, I type "get-antispamupdates", I got the following manual settings:
 
             updatemode:    Manual
             SpamSignatureUpdatesEnable:  false
            IPReputationUpdatesEnable: false
           MicrosoftUpdate: Manual

I did restart antispamupdate and transport services a few times, but, still no effect.

How to get them updated in no time?

Thanks,
You need to use the Enable-AntiSpamUpdates for this. get-antispamupdates does not mean go and get the updates, it means show me the antispamupdate settings. The settings here mainly deal with Foresfront updates (which you may not be using). The native Exchange 2007 updates are retreived biweekly only from Microsoft updates according to the article below.

Enable-Antispamupdates <SERVERNAME> -IPReputationUpdatesEnabled $True -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True -MicrosoftUpdate: $True

See: http://technet.microsoft.com/en-us/library/bb123990.aspx and http://technet.microsoft.com/en-us/library/aa998006.aspx

Just make sure you have recipient filtering enabled as this will stop you getting blacklisted due to backscatter

I would highly recommend purchasing dedicated Anti-Spam software and using this on your Transport servers. Either Microsoft Forefront or another of your choosing.

Shaun

Author

Commented:
Hi Shauncroucher,

Things looked better now, as less outgoing mails queued as viewer from the edge transport server's queue viewer. I checked the updated log file using "get-agentlog", and found that the above log entry, with ip: 10.176.0.44 that sent by administrator for Delivery Status Notification doesn't exist.

I'll follow up for a couple of days, and update you about the status.

Appreciate your advise.

Author

Commented:
Hi Shauncroucher,

In hub transport server, I failed to configure antispamupdates with microsoftupdate > configured. The current situation is, all settings in antispamupdates are configured, except MicrosoftUpdate.

MicrosoftUpdate shows "notconfigured". When I type " enable-antispamupdates -MicrosoftUpdates configured", the following error message occurred:

   Enable-antispamupdates: Failed to request Microsoft Update or Microsoft updates is already enabled.
  At line:1 Char:23

   Enable-antispamupdate <<<< MicrosoftUpdate configured

Still, MicrosoftUpdate is still "NotConfigured"; why?
You need to set the MicrosoftUpdates to update using the following options as defined in http://technet.microsoft.com/en-us/library/aa998006.aspx:

RequestDisabled   - This value disables Automatic Update.

RequestNotifyDownload - Automatic Update notifies you when new updates are ready for download.

RequestNotifyInstall - Automatic Update downloads updates and notifies you when they are available for installation.

RequestScheduled  - This value sets download and installation of updates according to the configuration of the Automatic Update on the computer.

So the command would be this to enable the updates to run as per Automatic update settings on the computer:

Enable-AntiSpamUpdates -MicrosftUpdate RequestScheduled

Shaun

Author

Commented:
Excellence! It solved my problem and works like a charm.
Glad I could help,

Shaun

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial