One of our client's Exchange servers is being used to send out mass amounts of spam, and I am struggling to isolate the issue. We have completed thorough scans on all client PCs, changed passwords, etc.
I notice that there are SMTP Current Sessions that last for longer than 5 mins; the connected addresses are always from servers that have been blacklisted.
How are they able to connect, and why does the Exchange server relay these messages? It appears the only messages that fail are due to unknown user; all other spam seems to be relayed?
I have configured the IMF and Barracuda lookups, and restricted access to the SMTP Virtual Server to localhost.
Any suggestions would be greatly appreciated. I have detailed the config of the Exchange server below:
Sender ID and Connection Filtering
  Perimeter IP List and Internal IP range
    1. Allowed SMTP Servers for Domain.com: 192.168.1.101
  1. Filter messages with Blank Senders
  2. Drop Connection if Address matches Filter
  3. Single addresses Blocked: @yourkilt.com
  Block List Service Configuration
    Exceptions to this rule include the following:
      1. Single addresses allowed: One Entry
  Global Accept and Deny Configuration List
    1. Accept: Nil (performs Barracuda lookup and accepts the connection if it passes the filter)
    2. Deny: 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
  1. Filter addresses that are not in Active Directory
  Gateway Blocking Configuration
    Block messages with an SCL greater than 8
  Store Junk Email Configuration
    Move messages with an SCL greater than 7 to the user's Junk Email Folder
  Sender ID Filtering
    Accept: The Sender ID will be attached for further Spam processing.

SMTP Server Configuration
  2. Basic Authentication
  3. Integrated Windows Authentication
  Allow all computers which successfully authenticate to relay, regardless of the list above: Disabled
  Grant or Deny submit permissions to specific Users or Groups
    Submit: Authenticated users
  Reverse DNS Lookups are enabled
  1. Use DNS to route to each address space
  Do not allow Public Referrals
  Connected Routing Groups: None
  Do not send ETRN/TURN
SMTP Diagnostics Results
220 control3.tppinternet.net.au ESMTP
Not an open relay.
0 seconds - Good on Connection time
1.498 seconds - Good on Transaction time
OK - 188.8.131.52 resolves to control3.tppinternet.net.au
OK - Reverse DNS matches SMTP Banner
250 control3.tppinternet.net.au [187 ms]
MAIL FROM: <email@example.com>
250 ok [920 ms]
RCPT TO: <firstname.lastname@example.org>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) [203 ms]
221 control3.tppinternet.net.au [187 ms]
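A defender's triage check that follows from the observations above, added here as an example and not part of the original post or of Exchange itself: with Basic Authentication enabled and "Submit: Authenticated users", a host on the Deny list that presents a stolen mailbox password is permitted to relay even though the diagnostics say "Not an open relay", so the thing to correlate is long sessions, Deny-listed sources, and which account authenticated. The session records are constructed for the example (not Exchange's own log format); the Deny-list addresses and the 5-minute threshold are taken from the post.

```python
from collections import Counter
from datetime import datetime

# Addresses copied from the post's Global Deny list.
DENY_LIST = {"220.127.116.11", "18.104.22.168", "22.214.171.124", "126.96.36.199"}
# The post observes SMTP sessions lasting longer than 5 minutes.
LONG_SESSION_SECONDS = 5 * 60

# Constructed session records (start, end, remote IP, authenticated account or None,
# number of RCPT TO commands accepted). This is sample data, not a real log format.
SESSIONS = [
    ("2009-03-01 10:00:00", "2009-03-01 10:00:03", "192.168.1.101", None, 1),
    ("2009-03-01 10:01:00", "2009-03-01 10:09:30", "18.104.22.168", "j.smith", 340),
    ("2009-03-01 10:02:00", "2009-03-01 10:02:02", "22.214.171.124", None, 0),
    ("2009-03-01 10:05:00", "2009-03-01 10:13:00", "203.0.113.9", "j.smith", 275),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def suspicious_sessions(sessions, deny_list=DENY_LIST, threshold=LONG_SESSION_SECONDS):
    """Return (ip, duration_seconds, account, rcpt_count, reasons) for sessions worth a look.

    An authenticated session with many recipients is the key signal: authenticated
    submitters are allowed to relay, so the spam is not an open-relay problem but a
    credential problem, and the account named here is the one to reset and audit."""
    findings = []
    for start, end, ip, account, rcpts in sessions:
        duration = (_parse(end) - _parse(start)).total_seconds()
        reasons = []
        if ip in deny_list:
            reasons.append("source is on the Global Deny list yet still connected")
        if duration > threshold:
            reasons.append("session longer than 5 minutes")
        if account is not None and rcpts > 100:
            reasons.append("authenticated relay of %d recipients by %s" % (rcpts, account))
        if reasons:
            findings.append((ip, duration, account, rcpts, "; ".join(reasons)))
    return findings


def top_accounts(sessions):
    """Recipient counts per authenticated account, largest first (the compromised mailbox)."""
    counts = Counter()
    for _, _, _, account, rcpts in sessions:
        if account is not None:
            counts[account] += rcpts
    return counts.most_common()


if __name__ == "__main__":
    for finding in suspicious_sessions(SESSIONS):
        print(finding)
    print(top_accounts(SESSIONS))
```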