Solved

Exchange users' email being flagged as spam - Need help troubleshooting please..

Posted on 2013-06-12
797 Views
Last Modified: 2013-07-17
I have a customer with an Exchange 2010 environment. Starting last week, they began receiving NDRs when sending email to multiple domains. It's not limited to a certain domain, and it's not limited to a certain user.

According to the IT contact, these are domains they email on a daily basis and have never had any issues with.

They aren't on any blacklists, and their server is clean (virus scanned). Their server is not an open relay, and they are not using a smart host.

I have tested against one of the domains bouncing them by sending a test email with no signature etc., and I immediately get the bounce.

In the Queue Viewer there were emails with a From address of <> that definitely looked like spam (judging by the subject line). Is there any way I can track these down?

Email in queue viewer:

Identity: SERVER\73247\484884
Subject: Automatic reply: Your Complimentary Credit Scores Are Waiting For You
Internet Message ID: <c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>
From Address: <>
Status: Suspended
Size (KB): 4
Message Source Name: FromLocal
Source IP: 255.255.255.255
SCL: -1
Date Received: 6/10/2013 12:18:25 PM
Expiration Time: 6/12/2013 12:18:25 PM
Last Error:
Queue ID: SERVER\73247
Recipients: csn@soundcost.net

NDR Sample:
spam04.embarq.synacor.com rejected your message to the following e-mail addresses:
weavertire@embarqmail.com (weavertire@embarqmail.com)
spam04.embarq.synacor.com gave this error:
[P4] Message blocked due to spam content in the message.
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.


Diagnostic information for administrators:
Generating server: SERVER.DOMAIN.LOCAL
weavertire@embarqmail.com
spam04.embarq.synacor.com #554 5.7.1 [P4] Message blocked due to spam content in the message. ##
Original message headers:
Received: from SERVER.DOMAIN.LOCAL ([::1]) by SERVER.DOMAIN.LOCAL ([::1]) with
 mapi id 14.01.0355.002; Wed, 12 Jun 2013 08:44:36 -0400
From: TEST <TEST@ttttire.com>
To: "weavertire@embarqmail.com" <weavertire@embarqmail.com>
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5napgxn9FVzAFnTBO0tanTNiiG8Q==
Date: Wed, 12 Jun 2013 12:44:35 +0000
Message-ID: <FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [208.81.151.97]
Content-Type: multipart/alternative;
      boundary="_000_FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7FBUZZARDEAGLELOCAL_"
MIME-Version: 1.0


Ideas on what to look at?

Thanks!
0
Question by:TBIRD2340
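The queue entry quoted in the question has the three hallmarks of an Exchange-generated automatic reply rather than user mail: a null return path (From Address <>), the "Automatic reply:" subject prefix that Exchange puts on out-of-office messages, and a local (FromLocal) submission source with SCL -1. Such a reply is sent to whatever envelope sender the triggering spam forged, so the way to "track these down" is to find the inbound message with the matching subject in the message tracking log. The following is an added example, not code from the thread; it runs in the Exchange 2010 Management Shell on the Hub Transport server, and the server name and the one-week look-back window are assumed values:

```powershell
# Added example, not part of the original post: trace the null-sender
# "Automatic reply:" messages seen in Queue Viewer back to the inbound message
# that triggered them. Run in the Exchange 2010 Management Shell on the Hub
# Transport server. Assumed values: the server name and the look-back window.

$Server = 'SERVER'                 # assumed: Hub Transport server from the queue identity
$Start  = (Get-Date).AddDays(-7)   # assumed: one week of tracking logs
$End    = Get-Date
$Prefix = 'Automatic reply:'       # subject prefix Exchange puts on out-of-office replies

# 1. A null return path (<>) marks DSNs and automatic replies; a user cannot send
#    with it, so every such entry was generated by the server or a mailbox.
$autoReplies = Get-Message -Server $Server -ResultSize Unlimited -IncludeRecipientInfo |
    Where-Object { "$($_.FromAddress)" -eq '<>' -and "$($_.Subject)" -like "$Prefix*" }

foreach ($m in $autoReplies) {
    # The reply subject is the triggering message's subject with the prefix prepended.
    $origSubject = "$($m.Subject)".Substring($Prefix.Length).Trim()
    if (-not $origSubject) { continue }

    # 2. The inbound RECEIVE event with that subject: ClientIp is the MTA that
    #    delivered the (spam) message, Recipients the mailbox whose OOF replied.
    Get-MessageTrackingLog -Server $Server -Start $Start -End $End -EventId RECEIVE `
        -MessageSubject $origSubject -ResultSize Unlimited |
        Where-Object { $_.Source -eq 'SMTP' } |
        ForEach-Object {
            [pscustomobject]@{
                QueuedMessage    = $m.Identity
                ReplyGoingTo     = (@($m.Recipients) | ForEach-Object { if ($_.Address) { $_.Address } else { "$_" } }) -join ';'
                SpamFromIp       = $_.ClientIp
                SpamEnvelopeFrom = $_.Sender
                RepliedMailbox   = (@($_.Recipients) -join ';')
                Received         = $_.Timestamp
            }
        }
}

# 3. Which mailboxes may auto-reply to the outside at all, and does the default
#    remote domain let out-of-office replies leave the organisation? Each of
#    these is a source of replies to whatever spam reaches the mailbox.
Get-Mailbox -ResultSize Unlimited | Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    Select-Object Identity, AutoReplyState, ExternalAudience

Get-RemoteDomain | Select-Object Name, DomainName, AllowedOOFType, AutoReplyEnabled, AutoForwardEnabled
```

Replies to spam are themselves unsolicited mail to a forged address (backscatter), and receivers count them against the sending IP's reputation alongside everything else the server sends. Setting ExternalAudience to None on the mailboxes found in step 3, or restricting AllowedOOFType on the remote domain, stops that source regardless of what else turns out to be triggering the 554 rejections.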
8 Comments
 
LVL 13

Accepted Solution

by:
Michael Machie earned 500 total points
ID: 39241200
Are all outgoing emails bouncing back?

If attempting to send the same email to only one recipient at a time, does it succeed?
Can you send it to your personal (non-work) email address such as a Hotmail/Gmail address to test?

I know you mentioned your domain was not blacklisted, but I do know that my company has been flagged before, and emails sent to some, but not all, external domains would fail. I had to clear us from the blacklist.

On another note, the receiving domains may have filters and appliances to stop spam, and if your domain is blacklisted on their device you will receive this message as well.
If you are certain your domain is not blacklisted, then you may need to ask those recipients to whitelist your domain or email address. The spam filters at their end are most likely identifying your emails as spam.
0
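"We aren't on any blacklists" is only as good as the check behind it. Public DNS blocklists are queried by reversing the octets of the sending IP and looking up an A record under the list's zone (RFC 5782); an answer in 127.0.0.0/8 means listed. The following is an added example, not from the thread, that does that lookup from PowerShell without any Exchange dependency; the zone list is a typical subset chosen here, and 127.0.0.2 is the conventional test address every such list reports as listed:

```powershell
# Added example, not from the thread: query a sending IP against public DNS
# blocklists. Assumed: the zone list is a typical subset, and 127.0.0.2 is the
# RFC 5782 test address that every blocklist reports as listed.

function Get-DnsblQueryName {
    param([Parameter(Mandatory)][string]$IPv4, [Parameter(Mandatory)][string]$Zone)
    # RFC 5782: octets reversed, zone appended -> 2.0.0.127.zen.spamhaus.org
    $octets = $IPv4.Split('.')
    if ($octets.Length -ne 4) { throw "IPv4 address expected, got '$IPv4'" }
    [array]::Reverse($octets)
    return (($octets -join '.') + '.' + $Zone)
}

function Test-Dnsbl {
    param(
        [Parameter(Mandatory)][string]$IPv4,
        [string[]]$Zones = @('zen.spamhaus.org', 'bl.spamcop.net', 'b.barracudacentral.org')
    )
    foreach ($zone in $Zones) {
        $name = Get-DnsblQueryName -IPv4 $IPv4 -Zone $zone
        try {
            # An A answer inside 127.0.0.0/8 means "listed"; the last octet encodes why.
            $answers = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
            # 127.255.255.x from Spamhaus is an error code (for example, the query came
            # through a public resolver or exceeded the free query limit), not a listing.
            $listed = @($answers | Where-Object { $_ -like '127.*' -and $_ -notlike '127.255.255.*' }).Count -gt 0
            [pscustomobject]@{ IP = $IPv4; Zone = $zone; Listed = $listed; Answer = ($answers -join ',') }
        } catch {
            # NXDOMAIN surfaces as a lookup exception: not listed in this zone.
            [pscustomobject]@{ IP = $IPv4; Zone = $zone; Listed = $false; Answer = 'not listed' }
        }
    }
}

# Check the address the Internet sees Exchange connecting from (the public/NAT IP
# on the send connector's path), not the server's LAN address. Self-test first:
Test-Dnsbl -IPv4 '127.0.0.2' | Format-Table -AutoSize
# Test-Dnsbl -IPv4 '203.0.113.10'   # assumed placeholder for the customer's public IP
```

A clean result here rules out only the DNS-queryable lists. The private reputation feeds that anti-spam appliances subscribe to are not queryable this way, which is why, as both answers in this thread point out, a domain can be blocked at some receivers without appearing on any public RBL.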
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39241373
As [Machienet] notes, it's possible to be blocked without being on a public RBL.  

In any case, it sounds as if your client is, in fact, sending out spam e-mails.  I realize you've scanned the mail server itself, but it looks like the spam is coming from within the network, so you should have them begin a systematic check of all their computers.
0
 
LVL 1

Author Comment

by:TBIRD2340
ID: 39241411
No, not all outgoing emails, just to certain domains. They have already contacted a few domains to get whitelisted, but that is a pain to do, and they want to know why this happened.

The server is clean, and I advised him to do a full scan on all PCs, which he's trying to get scheduled.

Generally when this happens it is malware. I'm just trying to figure out how to either pinpoint the PC(s) that are causing it or, if none are infected, what to do next.
0

 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39241529
You could set up Wireshark or Network Monitor and capture traffic going to the mail server.  There will be a lot of traffic to weed through, but that will help you to identify the culprit.  You'll need to look at the payload for packet data, to see which ones might be spam.  This will be difficult.  

Barring that, you might try log files on the mail server.  You won't get as much data this way, but if you know when a mail went out, you might be able to use that to determine where that mail came from.
0
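The message tracking log gives more than the comment above suggests: every message that passes through a Hub Transport server gets a RECEIVE event whose Source says how it arrived (SMTP, with the submitting host's client IP, or STOREDRIVER for a mailbox submission), and every remote rejection gets a FAIL event carrying the receiver's SMTP response. Correlating the two on message ID attributes each bounce, and each burst of outbound mail, to the PC or mailbox it came from. The following is an added example, not code from the thread; it runs offline on constructed MSGTRK-style lines (the column subset, hosts, addresses and the internal domain are all invented), and a comment shows where live Get-MessageTrackingLog output slots in:

```powershell
# Added example, not from the thread: use the message tracking log rather than a
# packet capture to find where each outbound message entered Exchange, and map
# remote rejections back to that origin. Runs offline on the constructed lines
# below; column subset, hosts, addresses and the internal domain are assumed.

$Fields = 'date-time','client-ip','client-hostname','source','event-id','message-id',
          'recipient-address','recipient-status','message-subject','sender-address'

# Constructed sample (not real log data): one PC relaying via SMTP, one mailbox
# submission via Outlook, the relayed mail going out, and a 554 like the thread's NDR.
$SampleLog = @'
2013-06-12T12:30:01Z,192.168.1.57,PC-RECEPTION,SMTP,RECEIVE,<a1@SERVER.DOMAIN.LOCAL>,x1@example.net;x2@example.org;x3@example.com,,Your Complimentary Credit Scores Are Waiting For You,promo@ttttire.com
2013-06-12T12:30:02Z,192.168.1.57,PC-RECEPTION,SMTP,RECEIVE,<a2@SERVER.DOMAIN.LOCAL>,x4@example.net;x5@example.org,,Your Complimentary Credit Scores Are Waiting For You,promo@ttttire.com
2013-06-12T12:44:36Z,,,STOREDRIVER,RECEIVE,<FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>,weavertire@embarqmail.com,,Test,TEST@ttttire.com
2013-06-12T12:44:40Z,,,SMTP,SEND,<a1@SERVER.DOMAIN.LOCAL>,x1@example.net;x2@example.org;x3@example.com,250 2.6.0 Queued,Your Complimentary Credit Scores Are Waiting For You,promo@ttttire.com
2013-06-12T12:44:41Z,,,SMTP,FAIL,<FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>,weavertire@embarqmail.com,554 5.7.1 [P4] Message blocked due to spam content in the message.,Test,TEST@ttttire.com
'@
$Events = $SampleLog -split "`r?`n" | Where-Object { $_.Trim() } | ConvertFrom-Csv -Header $Fields
# Live data instead: Get-MessageTrackingLog -Server SERVER -Start (Get-Date).AddDays(-7) `
#   -End (Get-Date) -ResultSize Unlimited, whose ClientIp/Source/EventId/MessageId/
#   Recipients/RecipientStatus/Sender properties carry the same information.

# Origin of each message = its first RECEIVE event. Source SMTP means a host on the
# network submitted it (client-ip identifies it); STOREDRIVER means a mailbox did.
$Origin = @{}
foreach ($e in ($Events | Where-Object { $_.'event-id' -eq 'RECEIVE' } | Sort-Object 'date-time')) {
    if ($Origin.ContainsKey($e.'message-id')) { continue }
    if ($e.source -eq 'SMTP') { $Origin[$e.'message-id'] = "host $($e.'client-ip') ($($e.'client-hostname'))" }
    else                      { $Origin[$e.'message-id'] = "mailbox $($e.'sender-address')" }
}

# 1. Volume per origin: message count and distinct external recipients. A PC
#    or account suddenly reaching many external addresses is the one to look at.
$InternalDomain = 'ttttire.com'   # assumed: the customer's own domain
$Stats = @{}
foreach ($e in ($Events | Where-Object { $_.'event-id' -eq 'RECEIVE' })) {
    $o = $Origin[$e.'message-id']
    if (-not $Stats.ContainsKey($o)) {
        $Stats[$o] = @{ Messages = 0; External = New-Object 'System.Collections.Generic.HashSet[string]' }
    }
    $Stats[$o].Messages = $Stats[$o].Messages + 1
    foreach ($r in ($e.'recipient-address' -split ';')) {
        if ($r -and $r -notlike "*@$InternalDomain") { [void]$Stats[$o].External.Add($r.ToLower()) }
    }
}
$Stats.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Origin = $_.Key; Messages = $_.Value.Messages; ExternalRecipients = $_.Value.External.Count }
} | Sort-Object ExternalRecipients -Descending | Format-Table -AutoSize

# 2. Every permanent remote rejection, attributed to the origin that sent it.
$Events | Where-Object { $_.'event-id' -eq 'FAIL' -and $_.'recipient-status' -match '^5\d\d ' } |
    ForEach-Object {
        [pscustomobject]@{
            When      = $_.'date-time'
            Origin    = $Origin[$_.'message-id']
            Recipient = $_.'recipient-address'
            Reason    = $_.'recipient-status'
        }
    } | Format-Table -AutoSize -Wrap
```

On the sample data the host 192.168.1.57 accounts for the bulk of the distinct external recipients, while the 554 is attributed to the TEST mailbox submission, which matches what the NDR in the question shows. One caveat before trusting a quiet log: Exchange only records mail that passes through it. A PC whose malware talks SMTP straight to the Internet on TCP/25 never appears here and is visible only in the firewall's outbound connection log, so blocking outbound port 25 from everything except the Exchange server is both the detection (the firewall logs the attempts) and the containment.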
 
LVL 1

Author Comment

by:TBIRD2340
ID: 39334156
It ended up that they were sending bulk emails and getting listed on some spam list (not blacklisted).
0
 
LVL 1

Author Comment

by:TBIRD2340
ID: 39334194
I've requested that this question be closed as follows:

Accepted answer: 0 points for TBIRD2340's comment #a39334156

for the following reason:

This was the reason.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39334174
"As [Machienet] notes, it's possible to be blocked without being on a public RBL."
You really should assign points to [Machienet].
0
 
LVL 13

Expert Comment

by:Michael Machie
ID: 39334445
thanks [paulmacd] and [tbird2340]
0
