Solved

Exchange 2010 Relaying SPAM

Posted on 2012-04-02
551 Views
Last Modified: 2012-04-02
Hey there, I have an Exchange Server 2010. Recently the queue has been filling up with crap headed out from our Exchange server. It looks from the logs like an IP in Pakistan was sending some of the e-mails through us.

How do I stop this from happening?

I have 2 receive connectors, one set up on port 587 for a backup utility to e-mail reports through, and the other the default on port 25. I tried to uncheck ANONYMOUS from the permissions on the default, but then e-mail will not come in.

Thank you for any assistance you can provide.
-Ben
Question by:bcameron70
 

Expert Comment

by:Alan Hardisty
ID: 37797775
Please visit www.checkor.com and check if you are an open relay and if you are, have a read of my blog for how to fix it:

http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/
 

Expert Comment

by:Adam Brown
ID: 37797875
Also check the Authentication tab on your receive connector. If "Externally Secured" has a check by it on a connector with no Address limitations, it will operate as an Open Relay. Remove that checkmark and the relay should close.

Also, off topic: @Alan - Someone poached your post without attribution (FYI): www.burgers-online.com/?p=411
 

Author Comment

by:bcameron70
ID: 37797919
I tried Checkor.com and it looks like I am not open. I checked the tracking log explorer and included the subject keyword to match one of the spams; that is how I came up with the Pakistan IP in the header info.

How else should I be tracking this, then, to find where all the spams are being created/routed?
Thank you
 

Expert Comment

by:Alan Hardisty
ID: 37798041
Okay - who is the sender of the emails going out, and what Anti-Spam measures have you got installed?

Thanks acbrown2010 - will check and see what needs to be done.
 

Author Comment

by:bcameron70
ID: 37798105
They are labeled as coming from internal @domain name addresses, which is not our default policy. We have Trend Micro Worry-Free Security and 3 desktops internal; all have been scanned and scrubbed with Trend, Malwarebytes and SUPERAntiSpyware. We've tried turning off machines to see if it would stop the spam... no such luck.

Is there something in the header of one of these messages, or in the Exchange logs, that could tell me where they came from physically (IP address)?
 

Expert Comment

by:Alan Hardisty
ID: 37798127
Nice!  Possibly an Authenticated Relay then.

Please can you post the output of "get-receiveconnector | fl" from the Exchange Management Shell.

How strict is your Security Policy for passwords / password changes?

How many users on your network?
 

Author Comment

by:bcameron70
ID: 37798138
6 users; 4 of us are IT staff with complex passwords of over 10 characters, as do the other 2.
 

Author Comment

by:bcameron70
ID: 37798166
RunspaceId                              : d18d4b08-0eab-4c32-a4a5-2a0a41e38e11
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::25, 0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : exchange3.domain.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : EXCHANGE3
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default EXCHANGE3
DistinguishedName                       : CN=Default EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=
                                          Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                          Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=aba
                                          custek,DC=com
Identity                                : EXCHANGE3\Default EXCHANGE3
Guid                                    : a4b2b2b1-1581-4356-a8fc-7bb537509d80
ObjectCategory                          : domain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 4/2/2012 3:02:37 PM
WhenCreated                             : 4/30/2011 11:44:23 AM
WhenChangedUTC                          : 4/2/2012 7:02:37 PM
WhenCreatedUTC                          : 4/30/2011 3:44:23 PM
OrganizationId                          :
OriginatingServer                       : exchange3.domain.com
IsValid                                 : True

RunspaceId                              : d18d4b08-0eab-4c32-a4a5-2a0a41e38e11
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::587, 0.0.0.0:587}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : exchange3.domain.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : 5
MessageRateSource                       : User
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : ExchangeUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : True
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : EXCHANGE3
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Client EXCHANGE3
DistinguishedName                       : CN=Client EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=S
                                          ervers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative G
                                          roups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=abac
                                          ustek,DC=com
Identity                                : EXCHANGE3\Client EXCHANGE3
Guid                                    : ced73c83-6252-4aee-a590-7f2033c7a364
ObjectCategory                          : domain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 4/30/2011 11:44:46 AM
WhenCreated                             : 4/30/2011 11:44:24 AM
WhenChangedUTC                          : 4/30/2011 3:44:46 PM
WhenCreatedUTC                          : 4/30/2011 3:44:24 PM
OrganizationId                          :
OriginatingServer                       : exchange3.domain.com
IsValid                                 : True
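As an added example (not code from the thread or from Exchange), here is a small Python audit that reads `Get-ReceiveConnector | fl` output like the one posted above and applies the checks the experts describe: the "Externally Secured" (ExternalAuthoritative) mechanism on a connector with no RemoteIPRanges restriction, anonymous submission from any address, and protocol logging turned off, which is why the tracking log was the only place to look for the remote IP. The sample text is constructed: the first record mirrors the Default EXCHANGE3 settings, the second ("Relay EXAMPLE", DC=example) is invented to show the open-relay case.

```python
import re

# Constructed sample in Get-ReceiveConnector | fl layout (two records, blank-line separated).
# "Relay EXAMPLE" is an invented connector with the Externally Secured misconfiguration.
SAMPLE = """\
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings                                : {:::25, 0.0.0.0:25}
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
Name                                    : Default EXCHANGE3
DistinguishedName                       : CN=Default EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=
                                          Servers,DC=example,DC=com

AuthMechanism                           : Tls, ExternalAuthoritative
Bindings                                : {0.0.0.0:25}
PermissionGroups                        : ExchangeServers
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
Name                                    : Relay EXAMPLE
"""

# Address ranges that mean "anyone on the internet", as Exchange prints them.
UNRESTRICTED = {"0.0.0.0-255.255.255.255", "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"}

FIELD = re.compile(r"^([A-Za-z]+)\s*:\s?(.*)$")


def parse_fl(text):
    """Split Format-List output into one dict per connector.
    Lines that start with whitespace are continuations of the previous field
    (Exchange wraps long values such as DistinguishedName)."""
    records, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
                current, last = {}, None
            continue
        m = FIELD.match(raw)
        if m:
            last = m.group(1)
            current[last] = m.group(2).strip()
        elif last is not None:
            current[last] += raw.strip()
    if current:
        records.append(current)
    return records


def as_list(value):
    """Turn 'a, b' or '{a, b}' into a list of items."""
    return [v.strip() for v in value.strip("{}").split(",") if v.strip()]


def audit(connectors):
    """Return (connector name, severity, message) findings."""
    findings = []
    for c in connectors:
        name = c.get("Name", "?")
        auth = as_list(c.get("AuthMechanism", ""))
        groups = as_list(c.get("PermissionGroups", ""))
        ranges = set(as_list(c.get("RemoteIPRanges", "")))
        if "ExternalAuthoritative" in auth and ranges & UNRESTRICTED:
            findings.append((name, "high",
                             "Externally Secured with no RemoteIPRanges restriction: open relay"))
        if "AnonymousUsers" in groups and ranges & UNRESTRICTED:
            findings.append((name, "info",
                             "anonymous submission from any address: normal for an internet-facing "
                             "port 25 connector, but it must not carry relay permission"))
        if c.get("ProtocolLoggingLevel") == "None":
            findings.append((name, "low",
                             "protocol logging is off; set it to Verbose to record the remote "
                             "endpoint and authentication events of every SMTP session"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit(parse_fl(SAMPLE)):
        print(f"[{severity}] {name}: {message}")
```

Paste the real `Get-ReceiveConnector | fl` output in place of the sample to run it against your own connectors; the parser only needs the blank line between records that Format-List already emits.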
 

Expert Comment

by:Adam Brown
ID: 37798170
Actually, you might be running into a backscatter spam situation. Without seeing the mail that's being sent, I can't tell, but it's possible that you're getting flooded with mail that is to someone who doesn't belong to your environment, with a spoofed From address. If you have your server configured to produce NDRs, you'd end up sending NDR emails with the spam attached to the email address written in the From field on the original. Check your NDR settings in Organization Configuration\Hub Transport\Remote Domains. Right-click the default, select Properties, then go to Message Format and remove the checkmark next to Allow Non-Delivery Reports. If that stops the problem, then you're in a backscatter situation, and doing that will fix it.
 

Expert Comment

by:Alan Hardisty
ID: 37798206
You don't want to disable NDRs. Does your Trend software allow Recipient Filtering? If so - is it enabled?

Your IP is listed on Backscatterer.org, so acbrown2010 is on the right tracks.
 

Expert Comment

by:Adam Brown
ID: 37798218
I think his Trend software is on the desktops and not in the email path. It would probably be a good idea to look into a service like Postini or AppRiver for handling your incoming mail and spam filtering.
 

Author Comment

by:bcameron70
ID: 37798229
I have Trend's ScanMail installed on the Exchange server.
 

Expert Comment

by:exTechnology
ID: 37798246
You might also want to check your SPF to make sure you don't allow any other unauthorized email servers to send emails from your domain.
 

Author Comment

by:bcameron70
ID: 37798267
When I look at the e-mails going out in the queue, the sender info is null also.
 

Expert Comment

by:Alan Hardisty
ID: 37798309
It doesn't look like ScanMail can query AD to determine if a user is valid or not, so you have the wrong Anti-Spam product installed. You NEED Recipient Filtering or you will continue to be listed on Backscatterer.org.

Using telnet to test the point, I get the following:

220 exchange3.yourdomain.com Microsoft ESMTP MAIL Service ready at Mon, 2 Apr 2012 17:00:13 -0400
ehlo mail.mydomain.co.uk
250-exchange3.yourdomain.com Hello [87.194.xxx.xxx]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from: alan@mydomain.co.uk
250 2.1.0 Sender OK
rcpt to: madeuprecipient@yourdomain.com
250 2.1.5 Recipient OK

I should get the following in response to rcpt to: madeuprecipient@yourdomain.com:
550 5.1.1 Bad destination mailbox address (madeuprecipient@yourdomain.com).

This proves that Recipient Filtering isn't enabled and that you have a backscatter problem, not an internal or authenticated relay spam problem.

Backscatter is the sending of NDR emails back to spam emails that have forged sender addresses. Your NDR thus hits some email accounts that have never been advertised and have only ever been set up to act as a trap for spam; once an email is received at such an address, you get instantly blacklisted. If you filter invalid recipients with your Anti-Spam software, this problem will stop immediately.

You might want to consider using Vamsoft ORF instead of Trend - it is probably cheaper and works much better.
 

Expert Comment

by:Alan Hardisty
ID: 37798313
Off Topic Comment to acbrown2010 - plagiarism handled :)  Thanks.
 

Expert Comment

by:Adam Brown
ID: 37798376
I saw that. You're welcome :D
 

Author Comment

by:bcameron70
ID: 37798857
Wow... great explanation! Let me see what I can come up with out of that... wasn't there a setting to check reverse DNS of incoming e-mails to make sure they were coming from a verified source? Perhaps that does not apply to this.
 

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37798865
That's Sender Policy Framework (SPF). Enabling it on your network can help authenticate emails sent from your network and it is useful in establishing a Sender ID for use in filtering. One of the built-in features that can help with this problem (though you have to enable it) is Sender ID filtering in Exchange 2010. http://technet.microsoft.com/en-us/library/aa997658.aspx has some explanation for enabling and managing the Spam Agents for Exchange 2010. The one you want in particular is sender ID filtering, which is explained here: http://technet.microsoft.com/en-us/library/aa996295.aspx
 

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 37798881
Reverse DNS is not your problem at the moment - lack of Recipient Filtering is.

Your server is accepting messages for invalid recipients, and as soon as it accepts a message (which your anti-spam software should be rejecting), it becomes responsible for sending back an NDR. If the message was rejected because it was destined for an invalid recipient, then the sending server is responsible for sending the NDR, not your server. Thus you don't get blacklisted, and you don't get queues of NDRs going nowhere because the supposed sender is invalid: your server can't find the mail server responsible for the spoofed sender because it doesn't exist!

You could enable the Anti-Spam features on your Hub Transport server and enable Recipient Filtering, but you would probably have to remove the Trend Anti-Spam software to make the Exchange Tools work properly.  Personally I don't use the Exchange tools as they are way too inflexible for my liking, but you may get on with them better than I do:

http://technet.microsoft.com/en-us/library/bb201691.aspx
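The telnet test Alan posted earlier and the explanation above (reject at RCPT TO so the sending server, not yours, owns the NDR) both come down to one observable: does the server answer `250` or `550` to a recipient that does not exist? The following is an added example, not Alan's script or anything shipped with Exchange: it plays both sides of that SMTP exchange on a loopback port, with a stand-in for the Hub Transport server that can be run with or without Recipient Filtering, and a probe written with Python's `smtplib`. The server name, probe sender and `madeuprecipient@yourdomain.com` are the constructed values from the thread; `KNOWN_MAILBOXES` is invented so the fake server has something to check against. Point `recipient_filtering_active()` at your own server to repeat the check after enabling filtering.

```python
import smtplib
import socket
import threading

# Constructed values for this example (not real hosts or mailboxes).
SERVER_NAME = "exchange3.yourdomain.com"
KNOWN_MAILBOXES = {"postmaster@yourdomain.com"}
PROBE_SENDER = "alan@mydomain.co.uk"
PROBE_RECIPIENT = "madeuprecipient@yourdomain.com"   # deliberately does not exist


def fake_exchange_session(listener, reject_unknown):
    """Answer one SMTP session the way a Hub Transport server would.
    reject_unknown=True models Recipient Filtering (550 at RCPT TO);
    False models the thread's situation: accept everything, NDR later."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        def reply(line):
            f.write((line + "\r\n").encode("ascii"))
            f.flush()

        reply(f"220 {SERVER_NAME} Microsoft ESMTP MAIL Service ready")
        while True:
            raw = f.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                reply(f"250 {SERVER_NAME} Hello")
            elif verb == "MAIL":
                reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>").lower()
                if reject_unknown and rcpt not in KNOWN_MAILBOXES:
                    reply(f"550 5.1.1 Bad destination mailbox address ({rcpt}).")
                else:
                    reply("250 2.1.5 Recipient OK")   # accepted now, bounced later = backscatter
            elif verb == "QUIT":
                reply("221 2.0.0 Service closing transmission channel")
                break
            else:
                reply("250 2.0.0 OK")


def recipient_filtering_active(host, port):
    """True if RCPT TO for a non-existent mailbox is refused with a 5xx reply,
    False if the server accepts it (it will have to generate an NDR itself)."""
    with smtplib.SMTP(host, port, local_hostname="mail.mydomain.co.uk", timeout=5) as smtp:
        smtp.ehlo()
        code, msg = smtp.mail(PROBE_SENDER)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {msg!r}")
        code, _ = smtp.rcpt(PROBE_RECIPIENT)
    return 500 <= code < 600


def run_probe(reject_unknown):
    """Stand up the fake server on a loopback port, probe it, return the verdict."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    server = threading.Thread(target=fake_exchange_session,
                              args=(listener, reject_unknown), daemon=True)
    server.start()
    try:
        return recipient_filtering_active("127.0.0.1", port)
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    print("no recipient filtering ->", run_probe(reject_unknown=False))
    print("recipient filtering on  ->", run_probe(reject_unknown=True))
```

The probe never gets as far as DATA, so nothing is delivered or queued; it only records which reply code the server gives at RCPT TO, which is exactly the line Alan compares against `550 5.1.1 Bad destination mailbox address`.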
 

Author Closing Comment

by:bcameron70
ID: 37798927
Thank you both so much for the help! You gave me a whole different view of what is going on with the server. I will check out the Sender ID filtering too!
