bcameron70 asked:
Exchange 2010 Relaying SPAM

Hey there, I have an Exchange Server 2010.  Recently the queue has been filling up with crap headed out from our Exchange server.  Looks like from the logs that an IP in Pakistan was sending some of the e-mails through us.

How do I stop this from happening?

I have 2 receive connectors, one set up for port 587 for a backup utility to e-mail reports through and the other is the default port 25.  I tried to uncheck ANONYMOUS from the permissions on the default, but then e-mail will not come in.

Thank you for any assistance you can provide.
-Ben
Alan Hardisty:

Please visit www.checkor.com and check if you are an open relay and if you are, have a read of my blog for how to fix it:

http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/

Also check the Authentication tab on your receive connector. If "Externally Secured" has a check by it on a connector with no Address limitations, it will operate as an Open Relay. Remove that checkmark and the relay should close.

Also, off topic: @Alan - Someone poached your post without attribution (FYI): www.burgers-online.com/?p=411
bcameron70 (ASKER):

I tried Checkor.com and it looks like I am not open.  I checked the tracking log explorer and included the subject name keyword to match one of the spams; that is how I came up with the Pakistan IP in the header info.

How else should I be tracking this then to find where all the Spams are being created/routed?
Thank you
Okay - who is the sender of the emails going out, and what Anti-Spam measures have you got installed?

Thanks acbrown2010 - will check and see what needs to be done.
They are labeled coming from internal @domain name addresses, which is not our default policy.  We have Trend Micro Worry Free security and 3 desktops internal, all have been scanned and scrubbed with Trend, Malwarebytes and superantispyware.  We've tried turning off machines to see if it would stop the spam...no such luck

Is there something in the header of one of these messages, or in the Exchange logs, that could tell me where they came from physically (IP address?)
Nice!  Possibly an Authenticated Relay then.

Please can you post the output of "get-receiveconnector | fl" from the Exchange Management Shell.

How strict is your Security Policy for passwords / password changes?

How many users on your network?
6 users; 4 of us are IT staff with complex over-10-character passwords, as do the other 2.
RunspaceId                              : d18d4b08-0eab-4c32-a4a5-2a0a41e38e11
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::25, 0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : exchange3.domain.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : EXCHANGE3
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default EXCHANGE3
DistinguishedName                       : CN=Default EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=abacustek,DC=com
Identity                                : EXCHANGE3\Default EXCHANGE3
Guid                                    : a4b2b2b1-1581-4356-a8fc-7bb537509d80
ObjectCategory                          : domain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 4/2/2012 3:02:37 PM
WhenCreated                             : 4/30/2011 11:44:23 AM
WhenChangedUTC                          : 4/2/2012 7:02:37 PM
WhenCreatedUTC                          : 4/30/2011 3:44:23 PM
OrganizationId                          :
OriginatingServer                       : exchange3.domain.com
IsValid                                 : True

RunspaceId                              : d18d4b08-0eab-4c32-a4a5-2a0a41e38e11
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::587, 0.0.0.0:587}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : exchange3.domain.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : 5
MessageRateSource                       : User
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : ExchangeUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : True
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : EXCHANGE3
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Client EXCHANGE3
DistinguishedName                       : CN=Client EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=abacustek,DC=com
Identity                                : EXCHANGE3\Client EXCHANGE3
Guid                                    : ced73c83-6252-4aee-a590-7f2033c7a364
ObjectCategory                          : domain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 4/30/2011 11:44:46 AM
WhenCreated                             : 4/30/2011 11:44:24 AM
WhenChangedUTC                          : 4/30/2011 3:44:46 PM
WhenCreatedUTC                          : 4/30/2011 3:44:24 PM
OrganizationId                          :
OriginatingServer                       : exchange3.domain.com
IsValid                                 : True
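An added example, not code from any poster in this thread, that checks the points raised above (the "Externally Secured" / anonymous-relay settings and the `Get-ReceiveConnector` output) from the Exchange Management Shell and then turns on protocol logging so the client IP behind each submission is recorded. The cmdlets are standard Exchange 2010 cmdlets; the only assumption is that the script runs on the Hub Transport server itself.

```powershell
# Added example (not from the thread): audit the receive connectors for settings that let
# an outside host relay through this server, then switch on protocol logging so the
# SmtpReceive log records the client IP behind every submission.
# Assumption: run in the Exchange Management Shell on the Hub Transport server itself.
$server = $env:COMPUTERNAME

foreach ($rc in Get-ReceiveConnector -Server $server) {
    $findings = @()

    # "Externally Secured" in the GUI is ExternalAuthoritative in the shell. Combined with a
    # RemoteIPRanges that covers the whole address space it hands relay rights to everyone.
    $allHosts = $rc.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' }
    if (($rc.AuthMechanism -match 'ExternalAuthoritative') -and $allHosts) {
        $findings += 'ExternalAuthoritative on an unrestricted IP range: OPEN RELAY'
    }

    # Anonymous relay is granted by the ms-Exch-SMTP-Accept-Any-Recipient extended right on
    # ANONYMOUS LOGON, not by the AnonymousUsers permission group by itself (that group only
    # lets inbound mail for local recipients in, which is what port 25 needs).
    $anonRelay = Get-ADPermission -Identity $rc.Identity |
        Where-Object { $_.User -like '*ANONYMOUS LOGON' -and
                       $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
    if ($anonRelay) { $findings += 'ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient: OPEN RELAY' }

    # Authenticated users may relay by design; a guessed or stolen mailbox password turns that
    # into an authenticated relay. A per-user MessageRateLimit caps the damage.
    if (($rc.PermissionGroups -match 'ExchangeUsers') -and ("$($rc.MessageRateLimit)" -eq 'unlimited')) {
        $findings += 'authenticated submission allowed with MessageRateLimit unlimited'
    }

    if ($rc.ProtocolLoggingLevel -eq 'None') {
        $findings += 'ProtocolLoggingLevel None: client IPs of submissions are not being logged'
    }

    if ($findings) { "{0}: {1}" -f $rc.Identity, ($findings -join '; ') }
    else           { "{0}: no relay findings" -f $rc.Identity }
}

# Turn on verbose protocol logging on every connector. The logs are written under
# <Exchange install path>\TransportRoles\Logs\ProtocolLog\SmtpReceive and show the
# remote IP, the EHLO name and any AUTH user for each session.
Get-ReceiveConnector -Server $server | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# Message tracking already records the submitting client: list the last day's RECEIVE
# events so sender, client IP and connector can be compared with what sits in the outbound
# queue. A null/empty sender (SMTP MAIL FROM:<>) marks an NDR, i.e. backscatter.
Get-MessageTrackingLog -Server $server -EventId RECEIVE -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Select-Object Timestamp, ClientIp, ConnectorId, Source, Sender, Recipients, MessageSubject |
    Sort-Object Timestamp -Descending |
    Format-Table -AutoSize
```

Run against the two connectors posted above, the relay checks should come back clean (neither connector lists ExternalAuthoritative, and the Client connector already has a MessageRateLimit of 5 per user); the finding both will raise is ProtocolLoggingLevel None, which is why the only trace of the source so far was the tracking log.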
Actually, you might be running into a backscatter spam situation. Without seeing the mail that's being sent, I can't tell, but it's possible that you're getting flooded with mail that is to someone that doesn't belong to your environment, with a spoofed From address. If you have your server configured to produce NDRs, you'd end up sending NDR emails with the spam attached to the email address written in the From field on the original. Check your NDR settings in Organization Configuration\Hub Transport\Remote Domains. Right-click the default, select Properties, then go to the Message Format tab and remove the checkmark next to Allow Non-Delivery Reports. If that stops the problem, then you're in a Backscatter situation, and doing that will fix it.
You don't want to disable NDRs.  Does your Trend software allow Recipient Filtering?  If so - is it enabled?

Your IP is listed on Backscatterer.org, so acbrown2010 is on the right track.
I think his trend software is on the desktops and not in the email path. Would probably be a good idea to look into a service like Postini or Appriver for handling your incoming mail and spam filtering.
I have Trend's Scanmail installed on the exchange server
You might also want check your SPF to make sure you don't allow any other unauthorized email servers to send emails from your domain.
I look at the e-mails going out in the queue, the sender info is null also
Doesn't look like Scanmail can query AD to determine if a user is valid or not, so you have the wrong Anti-Spam product installed.  You NEED Recipient Filtering or you will continue to be listed on Backscatterer.org.

Using telnet to test the point I get the following:

220 exchange3.yourdomain.com Microsoft ESMTP MAIL Service ready at Mon, 2 Apr 2012 17:00:13 -0400
ehlo mail.mydomain.co.uk
250-exchange3.yourdomain.com Hello [87.194.xxx.xxx]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from: alan@mydomain.co.uk
250 2.1.0 Sender OK
rcpt to: madeuprecipient@yourdomain.com
250 2.1.5 Recipient OK

I should get the following in response to rcpt to: madeuprecipient@yourdomain.com:
550 5.1.1 Bad destination mailbox address (madeuprecipient@yourdomain.com).

This proves that Recipient Filtering isn't enabled and that you have a Backscatter problem, not an internal or authenticated relay spam problem.

Backscatter is the sending of NDR emails back to spam emails that have forged sender addresses.  Your NDR thus hits some email accounts that have never been advertised and have only ever been setup to act as a trap for spam, which once an email is received to that address, you get instantly blacklisted.  If you Filter Invalid Recipient with your Anti-Spam software, this problem will stop immediately.

You might want to consider using Vamsoft ORF instead of Trend - it is probably cheaper and works much better.
Off Topic Comment to acbrown2010 - plagiarism handled :)  Thanks.
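To make the fix described above concrete: an added example (not code from any poster in this thread) that enables recipient validation on an Exchange 2010 Hub Transport server, which is what stops the NDR backscatter without disabling NDRs as suggested earlier, and then repeats the RCPT TO check from the telnet session as a script. The cmdlets and the Install-AntispamAgents.ps1 script are standard Exchange 2010 components; the server and recipient names are the placeholders used in the post above, and the HELO name is a constructed value.

```powershell
# Added example (not from the thread): turn on recipient validation so an unknown
# RCPT TO is refused with 550 5.1.1 at SMTP time instead of being accepted and
# bounced later (backscatter), then verify that from outside the server.
# Run in the Exchange Management Shell on the Hub Transport server.

# 1. The anti-spam agents are not installed on a Hub Transport role by default.
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
if (-not $agent) {
    & (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
    Restart-Service MSExchangeTransport
}

# 2. Reject recipients that do not exist in Active Directory. Recipient validation
#    needs the agent above plus a connector that accepts anonymous mail on port 25.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockListEnabled

# 3. The same check as the manual telnet session, scripted. Point it at your own MX from
#    a host outside the LAN and give it an address that does NOT exist in your domain.
function Test-RecipientValidation {
    param(
        [Parameter(Mandatory)] [string]$Server,      # your own MX host
        [Parameter(Mandatory)] [string]$Recipient,   # a made-up address in your domain
        [string]$HeloName = 'probe.example.invalid'  # constructed; any name you control
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Read one full SMTP reply; continuation lines carry '-' after the 3-digit code,
    # the final line carries a space.
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -and $line[3] -eq '-')
        return $line
    }

    $null = Read-Reply                                      # 220 banner
    $writer.WriteLine("EHLO $HeloName");             $null = Read-Reply
    $writer.WriteLine("MAIL FROM:<probe@$HeloName>"); $null = Read-Reply
    $writer.WriteLine("RCPT TO:<$Recipient>");       $reply = Read-Reply
    $writer.WriteLine('QUIT')
    $client.Close()

    [pscustomobject]@{
        Recipient = $Recipient
        Reply     = $reply
        # 550 5.1.1 at RCPT TO means the server validated the recipient and will
        # never generate an NDR for it; 250 means it would accept and bounce later.
        Validated = ($reply -like '550 5.1.1*')
    }
}

Test-RecipientValidation -Server 'exchange3.yourdomain.com' -Recipient 'madeuprecipient@yourdomain.com'
```

With validation working, the probe's Reply field reads `550 5.1.1 ...` and Validated is True; the `250 2.1.5 Recipient OK` seen in the telnet session above would return Validated False. Run the probe from outside your own network, since the same anonymous port-25 path is what the spammers' forged mail takes.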
I saw that. You're welcome :D
Wow...great explanation!  Let me see what I can come up with out of that...wasn't there a setting to check reverse DNS of incoming e-mails to make sure they were coming from a verified source?  Perhaps that does not apply to this.
SOLUTION
Adam Brown

ASKER CERTIFIED SOLUTION
Thank you both so much for the help!  You gave me a whole different view of what is going on with the server.  I will check out the sender ID filtering too!