Solved

Exchange users' email being flagged as spam - Need help troubleshooting, please.

Posted on 2013-06-12
8
777 Views
Last Modified: 2013-07-17
Have a customer with an Exchange 2010 environment. Starting last week they started receiving NDRs when trying to send emails to multiple domains. It's not limited to a certain domain and it's not limited to a certain user.

According to the IT contact these are domains they email on a daily basis and have never had any issues.

They aren't on any blacklists and their server is clean (virus scan). Their server is not an open relay. Not using a smart host.

I have tested to a domain bouncing them by sending a test email with no signature etc. and I immediately get the bounce.

In the queue viewer there were emails that had a from address of <> that definitely looked like spam (subject line). Is there any way I can track these down?

Email in queue viewer:

Identity: SERVER\73247\484884
Subject: Automatic reply: Your Complimentary Credit Scores Are Waiting For You
Internet Message ID: <c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>
From Address: <>
Status: Suspended
Size (KB): 4
Message Source Name: FromLocal
Source IP: 255.255.255.255
SCL: -1
Date Received: 6/10/2013 12:18:25 PM
Expiration Time: 6/12/2013 12:18:25 PM
Last Error:
Queue ID: SERVER\73247
Recipients: csn@soundcost.net

NDR Sample:
spam04.embarq.synacor.com rejected your message to the following e-mail addresses:
weavertire@embarqmail.com (weavertire@embarqmail.com)
spam04.embarq.synacor.com gave this error:
[P4] Message blocked due to spam content in the message.
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.


Diagnostic information for administrators:
Generating server: SERVER.DOMAIN.LOCAL
weavertire@embarqmail.com
spam04.embarq.synacor.com #554 5.7.1 [P4] Message blocked due to spam content in the message. ##
Original message headers:
Received: from SERVER.DOMAIN.LOCAL ([::1]) by SERVER.DOMAIN.LOCAL ([::1]) with
 mapi id 14.01.0355.002; Wed, 12 Jun 2013 08:44:36 -0400
From: TEST <TEST@ttttire.com>
To: "weavertire@embarqmail.com" <weavertire@embarqmail.com>
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5napgxn9FVzAFnTBO0tanTNiiG8Q==
Date: Wed, 12 Jun 2013 12:44:35 +0000
Message-ID: <FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7F@SERVER.DOMAIN.LOCAL>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [208.81.151.97]
Content-Type: multipart/alternative;
      boundary="_000_FCCF5254E4FD4440AE51E61F9E2EFA6E91CF7FBUZZARDEAGLELOCAL_"
MIME-Version: 1.0


Ideas on what to look at?

Thanks!
Question by:TBIRD2340
8 Comments
 
LVL 13

Accepted Solution

by:
Michael Machie earned 500 total points
ID: 39241200
Are all outgoing emails bouncing back?

If attempting to send the same email to only one recipient at a time, does it succeed?
Can you send it to your personal (non-work) email address such as a Hotmail/Gmail address to test?

I know you mentioned your Domain was not blacklisted but I do know that my company has been flagged before and emails sent to some, but not all, external domains would fail. I had to clear us from the blacklist.

On another note, the receiving Domains may have filters and appliances to stop spam and if your Domain is blacklisted on their device you will receive this message as well.
If you are certain your Domain is not blacklisted then you may need to ask those recipients to whitelist your domain or email address.  The SPAM filters at their end are most likely identifying your emails as SPAM.
 
LVL 33

Expert Comment

by:paulmacd
ID: 39241373
As [Machienet] notes, it's possible to be blocked without being on a public RBL.  

In any case, it sounds as if your client is, in fact, sending out spam e-mails.  I realize you've scanned the mail server itself, but it looks like the spam is coming from within the network, so you should have them begin a systematic check of all their computers.
 
LVL 1

Author Comment

by:TBIRD2340
ID: 39241411
No, not all outgoing emails. Just to certain domains. They have already contacted a few domains to get whitelisted but that is a pain to do and they want to know why this happened.

Server is clean and I advised him to do a full scan on all PCs which he's trying to get scheduled.

Generally when this happens it is malware. I'm just trying to figure out how to either pinpoint the PC(s) that are causing it or, if there are none infected, what to do next.
 
LVL 33

Expert Comment

by:paulmacd
ID: 39241529
You could set up Wireshark or Network Monitor and capture traffic going to the mail server.  There will be a lot of traffic to weed through, but that will help you to identify the culprit.  You'll need to look at the payload for packet data, to see which ones might be spam.  This will be difficult.  

Barring that, you might try log files on the mail server.  You won't get as much data this way, but if you know when a mail went out, you might be able to use that to determine where that mail came from.
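The queue entries in the question (a null <> sender with an "Automatic reply:" subject is backscatter: a mailbox auto-replying to inbound spam, so the spoofed "sender" gets the reply) and paulmacd's suggestion to work from the mail server's logs can both be approached with the Exchange message tracking log rather than a packet capture. The Python script below is an added example, not code from this thread or from Microsoft. It parses the MSGTRK CSV format, taking column names from the log's own #Fields: header (the field list assumed here is Exchange 2010's), flags null-sender auto-replies, counts SMTP submissions per client IP so a workstation pushing mail straight at the server stands out, and totals recipients per sender to surface bulk sending, which is what the asker eventually found. The log lines are constructed sample data: hostnames, IPs and addresses are made up except for the addresses and message ID already quoted in the thread.

```python
"""Triage helpers for an Exchange 2010 message tracking log (added example, constructed data)."""
import csv
from collections import Counter, defaultdict

# Constructed sample log. The #Fields: line mirrors the Exchange 2010 MSGTRK layout
# (an assumption; the parser reads whatever header the real file carries).
TRACKING_LOG = r"""#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2013-06-10T00:00:02.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip
2013-06-10T12:05:11.112Z,192.0.2.20,MFP-LOBBY,192.0.2.5,SERVER,,SERVER\Default SERVER,SMTP,RECEIVE,201,<scan1@mfp-lobby>,jane@ttttire.com,,120000,1,,,Scanned document,scanner@ttttire.com,scanner@ttttire.com,,Originating,,,
2013-06-10T12:40:03.900Z,192.0.2.20,MFP-LOBBY,192.0.2.5,SERVER,,SERVER\Default SERVER,SMTP,RECEIVE,205,<scan2@mfp-lobby>,jane@ttttire.com,,98000,1,,,Scanned document,scanner@ttttire.com,scanner@ttttire.com,,Originating,,,
2013-06-10T13:01:02.000Z,192.0.2.50,WS-SALES07,192.0.2.5,SERVER,,SERVER\Default SERVER,SMTP,RECEIVE,210,<m1@ws-sales07>,buyer1@example.net,,2200,1,,,hi,bob@ttttire.com,bob@ttttire.com,,Originating,,,
2013-06-10T13:01:09.000Z,192.0.2.50,WS-SALES07,192.0.2.5,SERVER,,SERVER\Default SERVER,SMTP,RECEIVE,211,<m2@ws-sales07>,buyer2@example.net,,2200,1,,,hi,bob@ttttire.com,bob@ttttire.com,,Originating,,,
2013-06-10T13:01:15.000Z,192.0.2.50,WS-SALES07,192.0.2.5,SERVER,,SERVER\Default SERVER,SMTP,RECEIVE,212,<m3@ws-sales07>,buyer3@example.org,,2200,1,,,check this out,bob@ttttire.com,bob@ttttire.com,,Originating,,,
2013-06-10T13:01:21.000Z,192.0.2.50,WS-SALES07,192.0.2.5,SERVER,,SERVER\Default SERVER,SMTP,RECEIVE,213,<m4@ws-sales07>,buyer4@example.org,,2200,1,,,check this out,bob@ttttire.com,bob@ttttire.com,,Originating,,,
2013-06-10T16:18:25.000Z,192.0.2.5,SERVER,192.0.2.5,SERVER,MDB:constructed,,STOREDRIVER,RECEIVE,202,<c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>,csn@soundcost.net,,4096,1,,,Automatic reply: Your Complimentary Credit Scores Are Waiting For You,alice@ttttire.com,<>,,Originating,,,
2013-06-11T09:02:44.500Z,192.0.2.5,SERVER,192.0.2.5,SERVER,MDB:constructed,,STOREDRIVER,RECEIVE,203,<bulk1@SERVER.DOMAIN.LOCAL>,customer001@example.net;customer002@example.net,,18000,350,,,June Tire Specials,marketing@ttttire.com,marketing@ttttire.com,,Originating,,,
"""


def parse_tracking_log(text):
    """Return one dict per event row, keyed by the column names in the #Fields: header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if line.startswith("#"):           # other comment lines (#Software:, #Date:, ...)
            continue
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = next(csv.reader([line]))  # real logs quote fields that contain commas
        rows.append(dict(zip(fields, values)))
    return rows


def null_sender_autoreplies(events):
    """Backscatter check: auto-replies are sent with an empty MAIL FROM (return-path <>).
    Returns (timestamp, replying mailbox, external recipient) so the mailbox that is
    auto-answering inbound spam can be located and the reply rule/OOF reviewed."""
    hits = []
    for e in events:
        if e["event-id"] != "RECEIVE":
            continue
        if e["return-path"] in ("", "<>") and e["message-subject"].startswith("Automatic reply:"):
            hits.append((e["date-time"], e["sender-address"], e["recipient-address"]))
    return hits


def submissions_by_client_ip(events, source="SMTP"):
    """Count messages each client IP handed to the server over SMTP (RECEIVE events).
    Outlook/MAPI submissions arrive via STOREDRIVER, so a workstation that shows up
    here at all, let alone with a high count, is the first box to pull for a malware scan."""
    counts = Counter()
    for e in events:
        if e["event-id"] == "RECEIVE" and e["source"] == source and e["client-ip"]:
            counts[e["client-ip"]] += 1
    return counts


def bulk_senders(events, threshold=100):
    """Sum recipient-count per sender over RECEIVE events and return those at or above
    threshold: the bulk mailings that get a domain onto reputation/spam lists."""
    totals = defaultdict(int)
    for e in events:
        if e["event-id"] == "RECEIVE":
            totals[e["sender-address"].lower()] += int(e["recipient-count"] or 0)
    return {sender: n for sender, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_tracking_log(TRACKING_LOG)
    print("Null-sender auto-replies:", null_sender_autoreplies(events))
    print("SMTP submissions per client IP:", submissions_by_client_ip(events).most_common())
    print("Bulk senders (>=100 recipients):", bulk_senders(events))
```

On a live Exchange 2010 server the same rows come from Get-MessageTrackingLog in the Exchange Management Shell or from the MSGTRK*.log files under the transport logging directory; pointing parse_tracking_log at one of those files instead of the constructed string is the only change needed.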
 
LVL 1

Author Comment

by:TBIRD2340
ID: 39334156
It ended up that they were sending bulk emails and getting listed on some spam list (not blacklisted).
 
LVL 1

Author Comment

by:TBIRD2340
ID: 39334194
I've requested that this question be closed as follows:

Accepted answer: 0 points for TBIRD2340's comment #a39334156

for the following reason:

This was the reason.
 
LVL 33

Expert Comment

by:paulmacd
ID: 39334174
"As [Machienet] notes, it's possible to be blocked without being on a public RBL."
You really should assign points to [Machienet].
 
LVL 13

Expert Comment

by:Michael Machie
ID: 39334445
Thanks [paulmacd] and [tbird2340]
