Solved

Exchange users' email being flagged as spam - Need help troubleshooting please.

Posted on 2013-06-12
Last Modified: 2013-07-17
Have a customer with an Exchange 2010 environment. Starting last week they started receiving NDRs when trying to send emails to multiple domains. It's not limited to a certain domain and it's not limited to a certain user.

According to the IT contact, these are domains they email on a daily basis and have never had any issues.

They aren't on any blacklists and their server is clean (virus scan). Their server is not an open relay. Not using a smart host.

I have tested to a domain that is bouncing them by sending a test email with no signature etc., and I immediately get the bounce.

In the queue viewer there were emails that had a from address of <> that definitely looked like spam (subject line). Is there any way I can track these down?

Email in queue viewer:

Identity: SERVER\73247\484884
Subject: Automatic reply: Your Complimentary Credit Scores Are Waiting For You
Internet Message ID: <c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>
From Address: <>
Status: Suspended
Size (KB): 4
Message Source Name: FromLocal
Source IP: 255.255.255.255
SCL: -1
Date Received: 6/10/2013 12:18:25 PM
Expiration Time: 6/12/2013 12:18:25 PM
Last Error:
Queue ID: SERVER\73247
Recipients: csn@soundcost.net

NDR Sample:
spam04.embarq.synacor.com rejected your message to the following e-mail addresses:
weavertire@embarqmail.com (weavertire@embarqmail.com)
spam04.embarq.synacor.com gave this error:
[P4] Message blocked due to spam content in the message.
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.


Diagnostic information for administrators:
Generating server: SERVER.DOMAIN.LOCAL
weavertire@embarqmail.com
spam04.embarq.synacor.com #554 5.7.1 [P4] Message blocked due to spam content in the message. ##
Original message headers:
Received: from SERVER.DOMAIN.LOCAL ([::1]) by SERVER.DOMAIN.LOCAL ([::1]) with
 mapi id 14.01.0355.002; Wed, 12 Jun 2013 08:44:36 -0400
From: TEST <TEST@ttttire.com>
To: "weavertire@embarqmail.com" <weavertire@embarqmail.com>
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5napgxn9FVzAFnTBO0tanTNiiG8Q==
Date: Wed, 12 Jun 2013 12:44:35 +0000
Message-ID: <FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [208.81.151.97]
Content-Type: multipart/alternative;
      boundary="_000_FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7FBUZZARDEAGLELOCAL_"
MIME-Version: 1.0


Ideas on what to look at?

Thanks!
Question by: TBIRD2340

8 Comments
LVL 13

Accepted Solution

by:
Michael Machie earned 500 total points
ID: 39241200
Are all outgoing emails bouncing back?

If attempting to send the same email to only one recipient at a time, does it succeed?
Can you send it to your personal (non-work) email address such as a Hotmail/Gmail address to test?

I know you mentioned your domain was not blacklisted, but I do know that my company has been flagged before, and emails sent to some, but not all, external domains would fail. I had to clear us from the blacklist.

On another note, the receiving domains may have filters and appliances to stop spam, and if your domain is blacklisted on their device you will receive this message as well.
If you are certain your domain is not blacklisted, then you may need to ask those recipients to whitelist your domain or email address. The spam filters at their end are most likely identifying your emails as spam.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39241373
As [Machienet] notes, it's possible to be blocked without being on a public RBL.  

In any case, it sounds as if your client is, in fact, sending out spam e-mails.  I realize you've scanned the mail server itself, but it looks like the spam is coming from within the network, so you should have them begin a systematic check of all their computers.
LVL 1

Author Comment

by:TBIRD2340
ID: 39241411
No, not all outgoing emails. Just to certain domains. They have already contacted a few domains to get whitelisted, but that is a pain to do and they want to know why this happened.

Server is clean and I advised him to do a full scan on all PCs, which he's trying to get scheduled.

Generally when this happens it is malware. I'm just trying to figure out how to either pinpoint the PC(s) that are causing it or, if none are infected, what to do next.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39241529
You could set up Wireshark or Network Monitor and capture traffic going to the mail server.  There will be a lot of traffic to weed through, but that will help you to identify the culprit.  You'll need to look at the payload for packet data, to see which ones might be spam.  This will be difficult.  

Barring that, you might try log files on the mail server.  You won't get as much data this way, but if you know when a mail went out, you might be able to use that to determine where that mail came from.
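The question asks how to track down the <> messages sitting in Queue Viewer, and the comment above suggests the server's log files. Exchange 2010 records every transport event in the message tracking logs (TransportRoles\Logs\MessageTracking\MSGTRK*.log, the same data Get-MessageTrackingLog returns in the Exchange Management Shell), and a few passes over them answer the three things this thread is after: which null-sender messages the server itself generated (an "Automatic reply:" subject with From <> and source FromLocal, as in the queue entry quoted in the question, is Exchange's own out-of-office reply to an inbound spam message, a symptom rather than the spam), which internal hosts are handing mail to the server over SMTP rather than through Outlook and the store driver (what malware on a PC does), and which mailbox is originating the most recipients (the bulk mailing that turned out to be the cause). The Python below is an added example and not code from the original post or from Exchange: the log records are constructed in the Exchange 2010 tracking-log layout around the queue entry and NDR quoted above, and the internal network ranges and the host addresses 10.0.0.57, 203.0.113.45 and 192.0.2.10 are assumptions.

```python
"""Offline triage of an Exchange 2010 message tracking log (MSGTRK*.log).

Added example, not code from the original post. The record layout is the
Exchange 2010 '#Fields:' header; the sample records are constructed around
the queue entry and NDR quoted in the question (host addresses are placeholders).
"""
import csv
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumption: the customer's LAN ranges; adjust to the real internal networks.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

NULL_SENDER = ("", "<>")  # null reverse path: NDRs and out-of-office auto-replies

# Constructed sample log (not real data). Recipient lists are shortened;
# recipient-count carries the per-message recipient total.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2013-06-10T16:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2013-06-10T16:18:20.000Z,203.0.113.45,mail.example.net,192.0.2.10,SERVER,08D03A1;2013-06-10T16:18:20.000Z;0,Default SERVER,SMTP,RECEIVE,<spam1@mail.example.net>,user1@ttttire.com,,5120,1,,,Your Complimentary Credit Scores Are Waiting For You,offers@mail.example.net,offers@mail.example.net,,Incoming,,203.0.113.45,192.0.2.10,
2013-06-10T16:18:25.000Z,192.0.2.10,SERVER,192.0.2.10,SERVER,MDB:4f0c2b1e,,STOREDRIVER,RECEIVE,<c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>,csn@soundcost.net,,4096,1,,,Automatic reply: Your Complimentary Credit Scores Are Waiting For You,<>,<>,,Originating,,,,
2013-06-11T13:02:10.000Z,192.0.2.10,SERVER,192.0.2.10,SERVER,MDB:4f0c2b1e,,STOREDRIVER,RECEIVE,<bulk1@SERVER.DOMAIN.LOCAL>,a@example.com;b@example.com;c@example.org,,61440,120,,,June specials,marketing@ttttire.com,marketing@ttttire.com,,Originating,,,,
2013-06-12T12:30:00.000Z,192.0.2.10,SERVER,192.0.2.10,SERVER,MDB:4f0c2b1e,,STOREDRIVER,RECEIVE,<bulk2@SERVER.DOMAIN.LOCAL>,d@example.com;e@example.net,,59392,95,,,June specials reminder,marketing@ttttire.com,marketing@ttttire.com,,Originating,,,,
2013-06-12T12:44:36.000Z,192.0.2.10,SERVER,192.0.2.10,SERVER,MDB:4f0c2b1e,,STOREDRIVER,RECEIVE,<FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>,weavertire@embarqmail.com,,2048,1,,,Test,TEST@ttttire.com,TEST@ttttire.com,,Originating,,,,
2013-06-12T12:44:40.000Z,,,192.0.2.10,SERVER,,,SMTP,FAIL,<FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>,weavertire@embarqmail.com,554 5.7.1 [P4] Message blocked due to spam content in the message.,2048,1,,,Test,TEST@ttttire.com,TEST@ttttire.com,,Originating,,,,
2013-06-12T13:05:12.000Z,10.0.0.57,,192.0.2.10,SERVER,08D03A2;2013-06-12T13:05:12.000Z;0,Default SERVER,SMTP,RECEIVE,<20130612130512.a1b2@ws-057>,buyer@example.org,,3072,1,,,RE: your order,bob@ttttire.com,bob@ttttire.com,,Originating,,10.0.0.57,192.0.2.10,
2013-06-12T13:05:40.000Z,10.0.0.57,,192.0.2.10,SERVER,08D03A3;2013-06-12T13:05:40.000Z;0,Default SERVER,SMTP,RECEIVE,<20130612130540.c3d4@ws-057>,someone@example.net,,3072,1,,,RE: your order,bob@ttttire.com,bob@ttttire.com,,Originating,,10.0.0.57,192.0.2.10,
"""

Event = Dict[str, str]


def parse_tracking_log(text: str) -> List[Event]:
    """One dict per event, keyed by the names in the #Fields header."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = next(csv.reader([line]))  # csv handles quoted subjects/recipients
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        events.append(dict(zip(fields, values)))
    return events


def null_sender_messages(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Messages accepted with an empty reverse path (the '<>' entries seen in
    Queue Viewer): NDRs and 'Automatic reply:' out-of-office messages."""
    return [(e["message-id"], e["message-subject"], e["recipient-address"])
            for e in events
            if e["event-id"] == "RECEIVE" and e["sender-address"] in NULL_SENDER]


def internal_smtp_submitters(events: List[Event]) -> Counter:
    """Internal hosts that handed mail to a receive connector over SMTP.
    Outlook submits through the store driver (source STOREDRIVER), so a
    workstation listed here is speaking SMTP itself, which is how malware on
    a PC typically pushes spam through the company server."""
    hosts = Counter()
    for e in events:
        if e["event-id"] != "RECEIVE" or e["source"] != "SMTP":
            continue
        try:
            addr = ip_address(e["client-ip"])
        except ValueError:  # blank or unparsable client-ip
            continue
        if any(addr in net for net in INTERNAL_NETS):
            hosts[e["client-ip"]] += 1
    return hosts


def outbound_volume_by_sender(events: List[Event]) -> Counter:
    """Recipients originated per local sender; a bulk mailing stands out here."""
    volume = Counter()
    for e in events:
        if (e["event-id"] == "RECEIVE" and e["directionality"] == "Originating"
                and e["sender-address"] not in NULL_SENDER):
            volume[e["sender-address"]] += int(e["recipient-count"] or 0)
    return volume


def rejected_deliveries(events: List[Event]) -> List[Tuple[str, str]]:
    """FAIL events with the remote server's rejection text (the NDR reason)."""
    return [(e["recipient-address"], e["recipient-status"])
            for e in events if e["event-id"] == "FAIL"]


if __name__ == "__main__":
    evs = parse_tracking_log(SAMPLE_LOG)
    print("null-sender messages:", null_sender_messages(evs))
    print("internal SMTP submitters:", internal_smtp_submitters(evs).most_common())
    print("recipients per sender:", outbound_volume_by_sender(evs).most_common())
    print("rejections:", rejected_deliveries(evs))
```

On the live server the same questions can be put to Get-MessageTrackingLog (for example -EventId RECEIVE over the affected date range, then grouping on Source and ClientIp, or summing RecipientCount per Sender). One caveat that bears on the malware theory in this thread: the tracking log only sees mail that passed through Exchange. A PC that sends spam straight out to port 25 on the internet never appears in it, so if the log shows nothing unusual the next places to look are the firewall's outbound port 25 logs or the packet capture suggested above.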
LVL 1

Author Comment

by:TBIRD2340
ID: 39334156
It ended up that they were sending bulk emails and getting listed on some spam list (not blacklisted).
LVL 1

Author Comment

by:TBIRD2340
ID: 39334194
I've requested that this question be closed as follows:

Accepted answer: 0 points for TBIRD2340's comment #a39334156

for the following reason:

This was the reason.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39334174
"As [Machienet] notes, it's possible to be blocked without being on a public RBL."
You really should assign points to [Machienet].
LVL 13

Expert Comment

by:Michael Machie
ID: 39334445
Thanks [paulmacd] and [tbird2340].