bcameron70
asked on
Exchange 2010 Relaying SPAM
Hey there, I have an Exchange Server 2010. Recently the queue has been filling up with crap headed out from our Exchange server. Looks like, from the logs, that an IP in Pakistan was sending some of the e-mails through us.
How do I stop this from happening?
I have 2 receive connectors, one set up for port 587 for a backup utility to e-mail reports through and the other is the default port 25. I tried to uncheck ANONYMOUS from the permissions on the default, but then e-mail will not come in.
Thank you for any assistance you can provide.
-Ben
Also check the Authentication tab on your receive connector. If "Externally Secured" has a check by it on a connector with no Address limitations, it will operate as an Open Relay. Remove that checkmark and the relay should close.
Also, off topic: @Alan - Someone poached your post without attribution (FYI): www.burgers-online.com/?p=411
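The "Externally Secured" check above is one of two connector settings that turn Exchange 2010 into a relay; the other is an anonymous grant of the relay extended right, which is separate from the AnonymousUsers permission group the asker tried removing (that group is what lets Internet MTAs deliver to you at all, hence the broken inbound mail). As an added example, not code from anyone in this thread, the following Exchange Management Shell script audits every Receive Connector on a server for both conditions. The server name EXCHANGE3 is taken from the thread and is the only assumption.

```powershell
# Added example, not from the thread: audit the Receive Connectors on a Hub Transport
# server for the two settings that make Exchange 2010 an open relay. Run from the
# Exchange Management Shell. The server name is taken from the thread; adjust it.
$server = "EXCHANGE3"

foreach ($rc in Get-ReceiveConnector -Server $server) {
    $findings = @()

    # "Externally Secured" in the GUI is ExternalAuthoritative in AuthMechanism. It grants
    # relay to every host in RemoteIPRanges, so it is only safe with a short list of
    # trusted addresses, never with the default "everything" ranges.
    $anyHost = $rc.RemoteIPRanges | Where-Object {
        $_.ToString() -eq "0.0.0.0-255.255.255.255" -or $_.ToString() -like "::-ffff*"
    }
    if (($rc.AuthMechanism.ToString() -match "ExternalAuthoritative") -and $anyHost) {
        $findings += "ExternalAuthoritative with unrestricted RemoteIPRanges (open relay)"
    }

    # AnonymousUsers on port 25 is required to receive Internet mail, which is why removing
    # it broke inbound delivery. Relaying is controlled by a separate extended right: if
    # ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient, anyone can relay through you.
    $anonRelay = $rc | Get-ADPermission | Where-Object {
        ($_.User.ToString() -like "*ANONYMOUS LOGON*") -and
        ($_.ExtendedRights | Where-Object { $_.ToString() -like "*Accept-Any-Recipient*" }) -and
        (-not $_.Deny)
    }
    if ($anonRelay) {
        $findings += "ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient (open relay)"
    }

    $summary = "OK"
    if ($findings.Count -gt 0) { $summary = $findings -join "; " }

    # One row per connector; anything other than "OK" in Findings needs fixing with
    # Set-ReceiveConnector (auth mechanism / IP ranges) or Remove-ADPermission (the right).
    New-Object PSObject -Property @{
        Connector   = $rc.Identity.ToString()
        Bindings    = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ", "
        Permissions = $rc.PermissionGroups.ToString()
        Findings    = $summary
    }
}
```

A connector that passes this audit can still be abused through a stolen mailbox password (an authenticated relay), which is a separate check: that shows up in the tracking log as a remote client IP submitting through the port 587 connector, not as a permission problem.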
ASKER
I tried Checkor.com and it looks like I am not open. I checked the tracking log explorer and included the subject name keyword to match one of the spams; that is how I came up with the Pakistan IP in the header info.
How else should I be tracking this, then, to find where all the spams are being created/routed?
Thank you
Okay - who is the sender of the emails going out, and what Anti-Spam measures have you got installed?
Thanks acbrown2010 - will check and see what needs to be done.
ASKER
They are labeled as coming from internal @domain-name addresses, which is not our default policy. We have Trend Micro Worry-Free Security and 3 internal desktops; all have been scanned and scrubbed with Trend, Malwarebytes and SUPERAntiSpyware. We've tried turning off machines to see if it would stop the spam... no such luck.
Is there something in the header of one of these messages, or in the Exchange logs, that could tell me where they came from physically (IP address)?
Nice! Possibly an Authenticated Relay then.
Please can you post the output of "Get-ReceiveConnector | fl" from the Exchange Management Shell?
How strict is your Security Policy for passwords / password changes?
How many users on your network?
ASKER
6 users; 4 of us are IT staff with complex passwords over 10 characters, as do the other 2.
ASKER
RunspaceId : d18d4b08-0eab-4c32-a4a5-2a0a41e38e11
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {:::25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : exchange3.domain.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : EXCHANGE3
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default EXCHANGE3
DistinguishedName : CN=Default EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=abacustek,DC=com
Identity : EXCHANGE3\Default EXCHANGE3
Guid : a4b2b2b1-1581-4356-a8fc-7bb537509d80
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/2/2012 3:02:37 PM
WhenCreated : 4/30/2011 11:44:23 AM
WhenChangedUTC : 4/2/2012 7:02:37 PM
WhenCreatedUTC : 4/30/2011 3:44:23 PM
OrganizationId :
OriginatingServer : exchange3.domain.com
IsValid : True

RunspaceId : d18d4b08-0eab-4c32-a4a5-2a0a41e38e11
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Banner :
BinaryMimeEnabled : True
Bindings : {:::587, 0.0.0.0:587}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : exchange3.domain.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : 5
MessageRateSource : User
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : True
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : EXCHANGE3
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Client EXCHANGE3
DistinguishedName : CN=Client EXCHANGE3,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=abacustek,DC=com
Identity : EXCHANGE3\Client EXCHANGE3
Guid : ced73c83-6252-4aee-a590-7f2033c7a364
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/30/2011 11:44:46 AM
WhenCreated : 4/30/2011 11:44:24 AM
WhenChangedUTC : 4/30/2011 3:44:46 PM
WhenCreatedUTC : 4/30/2011 3:44:24 PM
OrganizationId :
OriginatingServer : exchange3.domain.com
IsValid : True
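The connector output answers the permission question (no ExternalAuthoritative, AnonymousUsers only on port 25) but not the asker's question of who is handing Exchange the queued messages. Both connectors also show ProtocolLoggingLevel : None, so the SMTP conversation, including which account authenticated, is not being recorded anywhere. As an added example (not code posted by anyone in the thread), this Exchange Management Shell script pulls the evidence that separates an authenticated relay from server-generated mail: queue contents by envelope sender, RECEIVE events by client IP and connector, DSN events the server generated itself, and then turns protocol logging on. The server name is from the thread; the 24-hour window is an assumption.

```powershell
# Added example, not from the thread: find where the queued spam is coming from.
# Run from the Exchange Management Shell on the Hub Transport server.
# Server name is from the thread; the 24-hour window is an assumption.
$server = "EXCHANGE3"
$since  = (Get-Date).AddHours(-24)

# 1. What is in the queues right now, grouped by envelope sender. Relayed spam carries a
#    forged (often internal-looking) sender; NDRs have an empty return path, which
#    Get-Message shows as "<>". A queue full of "<>" senders is Exchange talking, not a relay.
Write-Host "== Queued messages by envelope sender =="
Get-Queue -Server $server | Get-Message |
    Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Who submitted mail to this server? RECEIVE events from Source SMTP carry the client IP
#    and the connector that accepted the message (Default = port 25, Client = port 587).
#    A remote IP with a high count on the Client connector means an authenticated account
#    is being used from outside, i.e. a stolen password; reset it and check the others.
Write-Host "== SMTP submissions in the last 24h by client IP and connector =="
Get-MessageTrackingLog -Server $server -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq "SMTP" } |
    Group-Object ClientIp, ConnectorId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Non-delivery reports this server generated itself. Many DSNs to outside domains for
#    recipients that do not exist here, with no matching inbound relay traffic, is the
#    backscatter pattern: spam with forged senders was accepted and then bounced.
Write-Host "== NDRs (DSN events) generated in the last 24h =="
Get-MessageTrackingLog -Server $server -EventId DSN -Start $since -ResultSize Unlimited |
    Select-Object Timestamp, Recipients, RelatedRecipientAddress, MessageSubject |
    Format-Table -AutoSize

# 4. Neither connector is logging the SMTP session. Turn it on so the next incident has
#    the EHLO name, AUTH username and every MAIL FROM / RCPT TO on record. Logs are written
#    under <ExchangeInstallPath>\TransportRoles\Logs\ProtocolLog\SmtpReceive.
Get-ReceiveConnector -Server $server | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
```

Read the three tables together: step 1 tells you what kind of message is queued, step 2 tells you whether anyone outside pushed it in, and step 3 tells you whether the server manufactured it. The Pakistan address from the asker's header search should appear either as a ClientIp in step 2 (relay) or only inside the original message that a DSN in step 3 is bouncing (backscatter).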
Actually, you might be running into a backscatter spam situation. Without seeing the mail that's being sent, I can't tell, but it's possible that you're getting flooded with mail that is to someone who doesn't belong to your environment, with a spoofed From address. If you have your server configured to produce NDRs, you'd end up sending NDR emails with the spam attached to the email address written in the From field on the original. Check your NDR settings in Organization Configuration\Hub Transport\Remote Domains. Right-click the default, select Properties, then go to Message Format and remove the checkmark next to Allow Non-Delivery Reports. If that stops the problem, then you're in a backscatter situation, and doing that will fix it.
You don't want to disable NDRs. Does your Trend software allow Recipient Filtering? If so, is it enabled?
Your IP is listed on Backscatterer.org, so acbrown2010 is on the right tracks.
I think his trend software is on the desktops and not in the email path. Would probably be a good idea to look into a service like Postini or Appriver for handling your incoming mail and spam filtering.
ASKER
I have Trend's Scanmail installed on the exchange server
You might also want check your SPF to make sure you don't allow any other unauthorized email servers to send emails from your domain.
ASKER
I looked at the e-mails going out in the queue; the sender info is null also.
Doesn't look like ScanMail can query AD to determine if a user is valid or not, so you have the wrong Anti-Spam product installed. You NEED Recipient Filtering or you will continue to be listed on Backscatterer.org.
Using telnet to test the point I get the following:
220 exchange3.yourdomain.com Microsoft ESMTP MAIL Service ready at Mon, 2 Apr 2012 17:00:13 -0400
ehlo mail.mydomain.co.uk
250-exchange3.yourdomain.com Hello [87.194.xxx.xxx]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from: alan@mydomain.co.uk
250 2.1.0 Sender OK
rcpt to: madeuprecipient@yourdomain.com
250 2.1.5 Recipient OK
I should get the following in response to rcpt to: madeuprecipient@yourdomain.com:
550 5.1.1 Bad destination mailbox address (madeuprecipient@yourdomain.com).
This proves that Recipient Filtering isn't enabled and that you have a Backscatter problem, not an internal or authenticated relay spam problem.
Backscatter is the sending of NDR emails back to spam emails that have forged sender addresses. Your NDRs thus hit email accounts that have never been advertised and have only ever been set up to act as spam traps; once an email is received at such an address, you get instantly blacklisted. If you filter invalid recipients with your Anti-Spam software, this problem will stop immediately.
You might want to consider using Vamsoft ORF instead of Trend - it is probably cheaper and works much better.
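The telnet test above is the right check, and it is worth being able to repeat it after the fix. Exchange 2010 also has a native answer that does not depend on the anti-spam product: the Recipient Filter agent, which on a Hub Transport server has to be installed with the Install-AntiSpamAgents.ps1 script that ships with Exchange, then told to validate recipients against Active Directory. As an added example (not from Alan or anyone else in the thread), the script below enables that and then re-runs the RCPT TO probe from PowerShell instead of telnet. The hostname and the made-up recipient are the placeholders from the transcript; the probe's sender domain is an assumption, use one you control.

```powershell
# Added example, not from the thread: enable Exchange 2010's built-in recipient validation
# on a Hub Transport server, then re-run the RCPT TO test as a script.
# Run from the Exchange Management Shell. Hostname and test addresses are placeholders
# taken from the telnet transcript in the thread.

# 1. The anti-spam agents (Recipient Filter among them) are only installed on Hub Transport
#    by running this script; it needs a transport restart, which briefly pauses mail flow.
& (Join-Path $env:ExchangeInstallPath "Scripts\Install-AntiSpamAgents.ps1")
Restart-Service MSExchangeTransport

# 2. RecipientValidationEnabled makes the server look RCPT TO up in AD and reply
#    550 5.1.1 for unknown mailboxes instead of accepting them and sending an NDR later.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

# 3. Verify from outside: a made-up recipient must now get a 5xx. Expect the answer to take
#    about 5 seconds; the connector's TarpitInterval (00:00:05 in the thread) deliberately
#    delays rejections to slow down directory-harvest attacks.
function Test-RecipientValidation {
    param(
        [string]$Server,
        [string]$ProbeRecipient,
        [string]$FromDomain = "probe.example"   # assumption: any domain you control
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Consume one SMTP reply (multi-line replies use "250-" continuation lines) and
    # return its three-digit code; "000" means the server dropped the connection.
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { return "000" }
        } while ($line -match '^\d{3}-')
        return $line.Substring(0, 3)
    }

    try {
        $null = Read-Reply                                      # 220 banner
        $writer.WriteLine("EHLO probe.$FromDomain");   $null = Read-Reply
        $writer.WriteLine("MAIL FROM:<probe@$FromDomain>"); $null = Read-Reply
        $writer.WriteLine("RCPT TO:<$ProbeRecipient>")
        $code = Read-Reply                                      # the line that matters
        $writer.WriteLine("QUIT")
    }
    finally { $client.Close() }

    New-Object PSObject -Property @{
        Server     = $Server
        Recipient  = $ProbeRecipient
        ReplyCode  = $code
        Validating = ($code -like "5*")   # 550 = fixed; 250 = still a backscatter source
    }
}

Test-RecipientValidation -Server "exchange3.yourdomain.com" -ProbeRecipient "madeuprecipient@yourdomain.com"
```

Run the probe from a host outside your network so it hits the same path as the spammers' mail; a 250 to a nonexistent mailbox after step 2 means the Recipient Filter agent is not active on the connector the Internet reaches.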
Off Topic Comment to acbrown2010 - plagiarism handled :) Thanks.
I saw that. You're welcome :D
ASKER
Wow...great explanation! Let me see what I can come up with out of that...wasn't there a setting to check reverse DNS of incoming e-mails to make sure they were coming from a verified source? Perhaps that does not apply to this.
ASKER
Thank you both so much for the help! You gave me a whole different view of what is going on with the server. I will check out the sender ID filtering too!
http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/