Solved

Microsoft blocking all emails sent to @hotmail.com from my mail relay

Posted on 2014-04-28
8
1,315 Views
Last Modified: 2014-05-03
Running Exchange 2010 SP1 RU6.  Received complaints from my users unable to send mail to their hotmail account.  Verified that we were not listed in any RBLs.  Filled out the form on Microsoft's website and they indicated that there was abusive/suspicious behavior coming from my mail relay, that we were namespace mining.  They gave the example of:

Time of abuse:  2014-04-24 09:16:00 and 2014-04-25 09:18:00
 
Total RCPT To commands sent: 6579
 
Total email Sent: 214

I used Get-MessageTrackingLog to find all mail sent to @hotmail accounts during this period, but it does not tell me the RCPT To attempts.

Is there any way to search the tracking logs for RCPT To commands?  I'm trying to track down what could be causing this.
Question by:gobears1294
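The tracking log cannot answer the question above: Get-MessageTrackingLog records message events (RECEIVE, SEND, FAIL), not the individual SMTP commands a send connector issues. The RCPT TO commands and the remote server's replies are recorded in the send connector's protocol log, but only once protocol logging is enabled on that connector (it defaults to None on Exchange 2010). The following PowerShell script is an added example, not code from this thread, that enables the log and then counts RCPT TO commands, DATA commands and 5xx rejections per outbound session. The connector name "Internet" and the embedded sample log (constructed in the real SmtpSend CSV layout) are assumptions; on a real server feed it the SEND*.log files instead.

```powershell
# Added example, not from the original thread.
# Per-session RCPT TO / rejection counts from an Exchange 2010 send-connector protocol log.
#
# Protocol logging must be on before the incident, or there is nothing to read.
# The connector name is an assumption; list yours with Get-SendConnector.
#   Set-SendConnector -Identity "Internet" -ProtocolLoggingLevel Verbose
# The log directory is shown by:  Get-TransportServer | Format-List SendProtocolLogPath
# (by default <ExchangeInstall>\TransportRoles\Logs\ProtocolLog\SmtpSend\SEND*.log).

# Constructed sample log. Session ...4885 probes four hotmail.com addresses, gets
# three 550s and never issues DATA (the address-probing pattern in Microsoft's
# abuse report); session ...4890 delivers one ordinary message.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2014-04-25T13:19:39.205Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-04-25T13:19:39.330Z,Internet,08D0EAB0C25C4885,0,10.0.0.5:51234,207.46.8.167:25,+,,
2014-04-25T13:19:39.400Z,Internet,08D0EAB0C25C4885,1,10.0.0.5:51234,207.46.8.167:25,>,MAIL FROM:<newsletter@example.com>,
2014-04-25T13:19:39.410Z,Internet,08D0EAB0C25C4885,2,10.0.0.5:51234,207.46.8.167:25,>,RCPT TO:<aaron@hotmail.com>,
2014-04-25T13:19:39.420Z,Internet,08D0EAB0C25C4885,3,10.0.0.5:51234,207.46.8.167:25,>,RCPT TO:<aaron01@hotmail.com>,
2014-04-25T13:19:39.430Z,Internet,08D0EAB0C25C4885,4,10.0.0.5:51234,207.46.8.167:25,>,RCPT TO:<aaron02@hotmail.com>,
2014-04-25T13:19:39.440Z,Internet,08D0EAB0C25C4885,5,10.0.0.5:51234,207.46.8.167:25,>,RCPT TO:<aaron03@hotmail.com>,
2014-04-25T13:19:39.600Z,Internet,08D0EAB0C25C4885,6,10.0.0.5:51234,207.46.8.167:25,<,250 newsletter@example.com....Sender OK,
2014-04-25T13:19:39.610Z,Internet,08D0EAB0C25C4885,7,10.0.0.5:51234,207.46.8.167:25,<,550 Requested action not taken: mailbox unavailable,
2014-04-25T13:19:39.620Z,Internet,08D0EAB0C25C4885,8,10.0.0.5:51234,207.46.8.167:25,<,550 Requested action not taken: mailbox unavailable,
2014-04-25T13:19:39.630Z,Internet,08D0EAB0C25C4885,9,10.0.0.5:51234,207.46.8.167:25,<,250 aaron02@hotmail.com,
2014-04-25T13:19:39.640Z,Internet,08D0EAB0C25C4885,10,10.0.0.5:51234,207.46.8.167:25,<,550 Requested action not taken: mailbox unavailable,
2014-04-25T13:19:39.700Z,Internet,08D0EAB0C25C4885,11,10.0.0.5:51234,207.46.8.167:25,>,QUIT,
2014-04-25T13:19:39.767Z,Internet,08D0EAB0C25C4885,12,10.0.0.5:51234,207.46.8.167:25,-,,
2014-04-25T13:19:40.100Z,Internet,08D0EAB0C25C4890,0,10.0.0.5:51240,65.55.92.184:25,+,,
2014-04-25T13:19:40.200Z,Internet,08D0EAB0C25C4890,1,10.0.0.5:51240,65.55.92.184:25,>,MAIL FROM:<alice@example.com>,
2014-04-25T13:19:40.210Z,Internet,08D0EAB0C25C4890,2,10.0.0.5:51240,65.55.92.184:25,>,RCPT TO:<friend@hotmail.com>,
2014-04-25T13:19:40.300Z,Internet,08D0EAB0C25C4890,3,10.0.0.5:51240,65.55.92.184:25,<,250 alice@example.com....Sender OK,
2014-04-25T13:19:40.310Z,Internet,08D0EAB0C25C4890,4,10.0.0.5:51240,65.55.92.184:25,<,250 friend@hotmail.com,
2014-04-25T13:19:40.320Z,Internet,08D0EAB0C25C4890,5,10.0.0.5:51240,65.55.92.184:25,>,DATA,
2014-04-25T13:19:40.400Z,Internet,08D0EAB0C25C4890,6,10.0.0.5:51240,65.55.92.184:25,<,354 Start mail input; end with <CRLF>.<CRLF>,
2014-04-25T13:19:40.900Z,Internet,08D0EAB0C25C4890,7,10.0.0.5:51240,65.55.92.184:25,<,250 Queued mail for delivery,
2014-04-25T13:19:40.950Z,Internet,08D0EAB0C25C4890,8,10.0.0.5:51240,65.55.92.184:25,>,QUIT,
2014-04-25T13:19:41.000Z,Internet,08D0EAB0C25C4890,9,10.0.0.5:51240,65.55.92.184:25,-,,
'@

function Get-SmtpSendSessionStats {
    param([string[]]$LogLines)

    # The "#Fields:" line is the CSV header; the other "#" lines are metadata.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

    # Sessions interleave in a busy log, so keep one counter object per session-id.
    $sessions = @{}
    foreach ($row in $rows) {
        $id = $row.'session-id'
        if (-not $sessions.ContainsKey($id)) {
            $sessions[$id] = [pscustomobject]@{
                SessionId = $id
                Remote    = $row.'remote-endpoint'
                MailFrom  = ''
                RcptTo    = 0   # RCPT TO commands issued (what Microsoft counted)
                Rejected  = 0   # 5xx replies from the remote server
                Data      = 0   # DATA commands, i.e. messages actually attempted
            }
        }
        $s = $sessions[$id]
        switch ($row.event) {
            '>' {   # command sent by our server
                if ($row.data -match '^MAIL FROM:<(.*)>') { $s.MailFrom = $Matches[1] }
                elseif ($row.data -match '^RCPT TO:')     { $s.RcptTo++ }
                elseif ($row.data -eq 'DATA')             { $s.Data++ }
            }
            '<' {   # reply received from the remote server
                if ($row.data -match '^5\d\d') { $s.Rejected++ }
            }
        }
    }
    # Many RCPT TO, many rejections and few or no DATA commands is the probing pattern.
    $sessions.Values | Sort-Object RcptTo -Descending
}

Get-SmtpSendSessionStats -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample the probing session sorts to the top with four RCPT TO, three rejections and no DATA, while the legitimate session shows one recipient and one DATA. Two caveats: the MailFrom column only tells you the envelope sender the message claimed, which a spambot can forge, so it is a hint rather than an attribution; and this log covers the outbound leg only, so finding the internal machine or mailbox that handed the message to Exchange requires the RECEIVE side (the message tracking log or the SmtpReceive protocol log).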
8 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 40028013
First, you need to configure Exchange to send NDRs to a mailbox
See http://technet.microsoft.com/en-us/library/bb400930(EXCHG.80).aspx which is also applicable to 2010.

Also, review the information contained within
http://www.petri.co.il/monitor-exchange-2007-non-delivery-reports-ndr.htm
which is also applicable to monitoring NDRs in 2010.

Configure your firewall so that only the Exchange server can send SMTP mail on port 25.  All other systems should be sending email through the Exchange server.  Log any attempts by other devices and have your logging system send you alerts immediately until this issue is resolved.

Allowing any machine on the inside to initiate traffic on port 25 going outbound is asking to get RBLd.

Configure your firewall so that traffic directed to port 25 only goes to the Exchange server.  Log any other attempts for later review.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40028057
You may wish to have your ISP create a PTR record that matches your IP back to your banner - for example mail.domain.com.

Also, you may wish to look into creating an SPF record that tells Hotmail.com who is authorized to send mail as yourdomain.com. Lastly, how are you sending mail?

Are you sending through a filtering service or appliance? For $2 per user/per month I normally recommend getting Microsoft's Exchange Online Protection to scan all inbound and outbound messages for viruses and spam. Keeps it all out of your network and does not consume your bandwidth.
 

Author Comment

by:gobears1294
ID: 40028500
The firewall is set up to only allow the Exchange server to communicate on port 25.  Our external DNS has a PTR record and an SPF record.  I had our IT Security folks check out the firewall logs and it does show 6000+ commands sent in a 4 hour period to Microsoft's servers.  I was able to look at the connection log and get the session IDs for all these connections (see below for a sample).  My issue is, I don't know how to correlate the session IDs with a user or application server IP so I can figure out who performed these commands.

#Fields: date-time      session      source      Destination      direction      description
2014-04-25T13:19:39.205Z      08D0EAB0C25C4885      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.283Z      08D0EAB0C25C4885      SMTP      hotmail.com      >      mx2.hotmail.com[207.46.8.167, 65.55.92.184, 65.55.92.168, 65.54.188.72, 65.54.188.94, 65.54.188.110, 65.55.92.152, 65.55.33.135, 65.55.37.88, 207.46.8.199, 65.55.92.136, 65.55.33.119, 65.55.37.120, 65.55.37.104, 65.54.188.126], mx1.hotmail.com[65.55.92....
2014-04-25T13:19:39.330Z      08D0EAB0C25C4885      SMTP      hotmail.com      >      Established connection to 207.46.8.167
2014-04-25T13:19:39.767Z      08D0EAB0C25C4885      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:39.767Z      08D0EAB0C25C4888      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.830Z      08D0EAB0C25C4888      SMTP      hotmail.com      >      Established connection to 65.55.92.184
2014-04-25T13:19:40.439Z      08D0EAB0C25C4888      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:40.439Z      08D0EAB0C25C4889      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:40.502Z      08D0EAB0C25C4889      SMTP      hotmail.com      >      Established connection to 65.55.92.168
2014-04-25T13:19:41.158Z      08D0EAB0C25C4889      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.158Z      08D0EAB0C25C488A      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.189Z      08D0EAB0C25C488A      SMTP      hotmail.com      >      Established connection to 65.54.188.72
2014-04-25T13:19:41.580Z      08D0EAB0C25C488A      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.580Z      08D0EAB0C25C488B      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.611Z      08D0EAB0C25C488B      SMTP      hotmail.com      >      Established connection to 65.54.188.94
2014-04-25T13:19:41.986Z      08D0EAB0C25C488B      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.986Z      08D0EAB0C25C488C      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.017Z      08D0EAB0C25C488C      SMTP      hotmail.com      >      Established connection to 65.54.188.110
2014-04-25T13:19:42.392Z      08D0EAB0C25C488C      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:42.392Z      08D0EAB0C25C488D      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.439Z      08D0EAB0C25C488D      SMTP      hotmail.com      >      Established connection to 65.55.92.152
2014-04-25T13:19:43.111Z      08D0EAB0C25C488D      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
 
LVL 15

Accepted Solution

by:
WalkaboutTigger earned 500 total points
ID: 40028604
Have you tried using ExLogAnalyzer, which can be found by going to the blog entry describing it -
http://blogs.technet.com/b/exchange/archive/2010/01/20/making-sense-of-exchange-logs-using-exloganalyzer.aspx

or you can access its MSDN development page directly by going to

http://archive.msdn.microsoft.com/ExLogAnalyzer

Are you still experiencing these high numbers of emails being sent to hotmail.com?
If so, until the issue is resolved, I would add hotmail.com to the Exchange environment which will A) quickly reduce the number of hits Microsoft is seeing, and B) almost immediately tell you which machines these messages are coming from.

Needless to say, somewhere in your environment is a bit of malware crying havoc.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40029038
This may seem a little foolish, but did you try looking during non-office hours?

Running a simple netstat might reveal the culprit.

Alternatively, you can stop deliveries for a small period of time and manually look at the email. The emitter is in the headers.

--

You can also analyse the receive connector's log rather than the send connector. The IP address of the remote machine is mentioned there.

Then either set up verbose logging so you also have the sender and recipient email addresses, or simply look for machines that send huge volumes of email. Anyway, the recipient is quite meaningless as it is likely that you are spamming the world rather than just hotmail.
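The connectivity log the asker posted (CONNECTLOG, fields date-time/session/source/Destination) describes only the outbound hop and carries no client or sender information, which is why the session IDs cannot be tied to anyone. The advice above to look at the receiving side is the right one: every message Exchange accepts produces a RECEIVE event in the message tracking log whose Source says how it was submitted (SMTP from a client machine, whose IP is in client-ip, or STOREDRIVER from a mailbox, where sender-address is the accountable identity). The following PowerShell script is an added example, not code from this thread, that reads RECEIVE events from a tracking log file and totals messages and recipients per submitter, counting recipients in one target domain separately. The sample log is constructed with a subset of the real columns (the parser takes its header from the "#Fields:" line, so it runs unchanged on a full MSGTRK*.log); hostnames and addresses in it are invented.

```powershell
# Added example, not from the original thread.
# Attributes outbound mail to its submitter using RECEIVE events from the
# Exchange 2010 message tracking log on disk. The directory is shown by
#   Get-TransportServer | Format-List MessageTrackingLogPath
# On a live server the same fields come from objects returned by, e.g.:
#   Get-MessageTrackingLog -EventId RECEIVE -Start "2014-04-24 09:00" -End "2014-04-25 10:00" -ResultSize Unlimited
# (properties Source, ClientIp, Sender, Recipients, RecipientCount).

# Constructed sample: two SMTP submissions from an application server aimed at
# hotmail.com, and two STOREDRIVER submissions from a mailbox user. Multiple
# recipients in one RECEIVE row are semicolon-separated, as in the real log.
$sampleLog = @'
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality
2014-04-25T13:19:10.000Z,10.0.0.50,APPSRV01,10.0.0.5,EXCH01,,EXCH01\Default EXCH01,SMTP,RECEIVE,1001,<a1@appsrv01>,aaron@hotmail.com;aaron01@hotmail.com;aaron02@hotmail.com,,1200,3,,,Your order,notify@example.com,notify@example.com,,Originating
2014-04-25T13:19:11.000Z,10.0.0.50,APPSRV01,10.0.0.5,EXCH01,,EXCH01\Default EXCH01,SMTP,RECEIVE,1002,<a2@appsrv01>,aaron03@hotmail.com;aaron04@hotmail.com,,1200,2,,,Your order,notify@example.com,notify@example.com,,Originating
2014-04-25T13:19:12.000Z,10.0.0.5,EXCH01,10.0.0.5,EXCH01,,,STOREDRIVER,RECEIVE,1003,<b1@example.com>,bob@example.com,,4000,1,,,Lunch,alice@example.com,alice@example.com,,Originating
2014-04-25T13:19:13.000Z,10.0.0.5,EXCH01,10.0.0.5,EXCH01,,,STOREDRIVER,RECEIVE,1004,<b2@example.com>,friend@hotmail.com,,4000,1,,,Photos,alice@example.com,alice@example.com,,Originating
'@

function Get-SubmissionSummary {
    param(
        [string[]]$LogLines,
        [string]$TargetDomain = 'hotmail.com'   # domain whose recipients to count separately
    )

    # Header comes from the "#Fields:" line, so a full production log parses the same way.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

    $rows |
        Where-Object { $_.'event-id' -eq 'RECEIVE' } |
        Group-Object 'source', 'client-ip', 'sender-address' |
        ForEach-Object {
            $group = $_
            $first = $group.Group[0]
            $recipients = 0
            $targetRecipients = 0
            foreach ($r in $group.Group) {
                $recipients += [int]$r.'recipient-count'
                $targetRecipients += @($r.'recipient-address' -split ';' |
                    Where-Object { $_ -like "*@$TargetDomain" }).Count
            }
            [pscustomobject]@{
                Source           = $first.source            # SMTP = a client machine; STOREDRIVER = a mailbox
                ClientIp         = $first.'client-ip'       # meaningful for SMTP submissions
                Sender           = $first.'sender-address'  # meaningful for STOREDRIVER submissions
                Messages         = $group.Count
                Recipients       = $recipients
                TargetRecipients = $targetRecipients
            }
        } |
        Sort-Object TargetRecipients -Descending
}

Get-SubmissionSummary -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample the SMTP submitter at 10.0.0.50 tops the list with two messages and five hotmail.com recipients; on a real log from the abuse window, the row with thousands of recipients names the machine (Source SMTP, ClientIp) or the mailbox (Source STOREDRIVER, Sender) to investigate. Note that the tracking log counts recipients on accepted messages, which matches Microsoft's "total email sent" figure rather than its RCPT TO count: if probing happened without any message being accepted by Exchange, the submitter is more likely to appear in the receive connector's protocol log (SmtpReceive, if enabled) or, if no host inside relayed through Exchange at all, in the firewall logs as a direct port-25 connection from some other machine.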
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40032498
The first thing you should do is update the server

Exchange 2010 SP1 RU6 hasn't been supported for quite some time - Exchange 2010 SP2 isn't even a supported version. You need to go to Exchange 2010 SP3.

Once you have done so, change the Administrator password, as that is the usual target for attempts to use your machine. What do the queues look like?

Do you have just port 25 open to the server? Are the Receive Connectors on a default configuration?

Simon.
 

Author Closing Comment

by:gobears1294
ID: 40038477
We ended up rerouting mail to hotmail through a different send connector.  In addition, we'll be relaying all email through a third party smtp relay (currently looking at Sendgrid) so that we don't get blocked in the future.  Never figured out what happened, but it hasn't happened again so we'll see how it goes.  Told microsoft and they delisted our primary IP address.  I'll start routing mail through it again next week.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40038941
It is obvious that you have/had a piece of malware in your network.

Unless you do find/found that malware, your actions will most likely prove inefficient because you'll get in trouble with the third party at some point, and if not you'll just contribute to the number of spam emails sent to the WAN.

Be responsible and track the root of the problem if you have not yet done so.
