Solved

Microsoft blocking all emails sent to @hotmail.com from my mail relay

Posted on 2014-04-28
8
1,244 Views
Last Modified: 2014-05-03
Running Exchange 2010 SP1 RU6.  Received complaints from my users unable to send mail to their hotmail account.  Verified that we were not listed in any RBLs.  Filled out the form on microsoft's website and they indicated that there was abusive/suspicious behavior coming from my mail relay, that we were namespace mining.  They gave the example of:

Time of abuse:  2014-04-24 09:16:00 and 2014-04-25 09:18:00
 
Total RCPT To commands sent: 6579
 
Total email Sent: 214

I used Get-Messagetrackinglog to find all mail sent to @hotmail accounts during this period, but it does not tell me the RCPT To attempts.

Is there any way to search the tracking logs for RCPT To commands?  I'm trying to track down what could be causing this.
0
Comment
Question by:gobears1294
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
Comment Utility
First, you need to configure Exchange to send NDRs to a mailbox
See http://technet.microsoft.com/en-us/library/bb400930(EXCHG.80).aspx which is also applicable to 2010.

Also, review the information contained within
http://www.petri.co.il/monitor-exchange-2007-non-delivery-reports-ndr.htm
which is also applicable to monitoring NDRs in 2010.

Configure your firewall so that only the Exchange server can send SMTP mail on port 25.  All other systems should be sending email through the Exchange server.  Log any attempts by other devices and have your logging system send you alerts immediately until this issue is resolved.

Allowing any machine on the inside to initiate traffic on port 25 going outbound is asking to get RBLd.

Configure your firewall so that traffic directed to port 25 only goes to the Exchange server.  Log any other attempts for later review.
0
 
LVL 30

Expert Comment

by:Gareth Gudger
Comment Utility
You may wish to have your ISP create a PTR record that matches your IP back to your banner - for example mail.domain.com.

Also, you may wish to look into creating an SPF record that tells Hotmail.com who is authorized to send mail as yourdomain.com. Lastly, how are you sending mail?

Are you sending through a filtering service or appliance? For $2 per user/per month I normally recommend getting Microsoft's Exchange Online Protection to scan all inbound and outbound messages for viruses and spam. Keeps it all out of your network and does not consume your bandwidth.
0
 

Author Comment

by:gobears1294
Comment Utility
The firewall is set up to only allow the exchange server to communicate on port 25.  Our external DNS has a ptr record and an SPF record.  I had our IT Security folks check out the firewall logs and it does show 6000+ commands sent in a 4 hour period to microsoft's servers.  I was able to look at the connection log and get the session IDs for all these connections (see below for a sample).  My issue is, I don't know how to correlate the session IDs with a user or application server IP so I can figure out who performed these commands.

#Fields: date-time      session      source      Destination      direction      description
2014-04-25T13:19:39.205Z      08D0EAB0C25C4885      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.283Z      08D0EAB0C25C4885      SMTP      hotmail.com      >      mx2.hotmail.com[207.46.8.167, 65.55.92.184, 65.55.92.168, 65.54.188.72, 65.54.188.94, 65.54.188.110, 65.55.92.152, 65.55.33.135, 65.55.37.88, 207.46.8.199, 65.55.92.136, 65.55.33.119, 65.55.37.120, 65.55.37.104, 65.54.188.126], mx1.hotmail.com[65.55.92....
2014-04-25T13:19:39.330Z      08D0EAB0C25C4885      SMTP      hotmail.com      >      Established connection to 207.46.8.167
2014-04-25T13:19:39.767Z      08D0EAB0C25C4885      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:39.767Z      08D0EAB0C25C4888      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.830Z      08D0EAB0C25C4888      SMTP      hotmail.com      >      Established connection to 65.55.92.184
2014-04-25T13:19:40.439Z      08D0EAB0C25C4888      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:40.439Z      08D0EAB0C25C4889      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:40.502Z      08D0EAB0C25C4889      SMTP      hotmail.com      >      Established connection to 65.55.92.168
2014-04-25T13:19:41.158Z      08D0EAB0C25C4889      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.158Z      08D0EAB0C25C488A      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.189Z      08D0EAB0C25C488A      SMTP      hotmail.com      >      Established connection to 65.54.188.72
2014-04-25T13:19:41.580Z      08D0EAB0C25C488A      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.580Z      08D0EAB0C25C488B      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.611Z      08D0EAB0C25C488B      SMTP      hotmail.com      >      Established connection to 65.54.188.94
2014-04-25T13:19:41.986Z      08D0EAB0C25C488B      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.986Z      08D0EAB0C25C488C      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.017Z      08D0EAB0C25C488C      SMTP      hotmail.com      >      Established connection to 65.54.188.110
2014-04-25T13:19:42.392Z      08D0EAB0C25C488C      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:42.392Z      08D0EAB0C25C488D      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.439Z      08D0EAB0C25C488D      SMTP      hotmail.com      >      Established connection to 65.55.92.152
2014-04-25T13:19:43.111Z      08D0EAB0C25C488D      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
0
 
LVL 15

Accepted Solution

by:
WalkaboutTigger earned 500 total points
Comment Utility
Have you tried using ExLogAnalyzer, which can be found by going to the blog entry describing it -
http://blogs.technet.com/b/exchange/archive/2010/01/20/making-sense-of-exchange-logs-using-exloganalyzer.aspx

or you can access it's MSDN development page directly by going to

http://archive.msdn.microsoft.com/ExLogAnalyzer

Are you still experiencing these high numbers of emails being sent to hotmail.com?
If so, until the issue is resolved, I would add hotmail.com to the Exchange environment which will A) quickly reduce the number of hits Microsoft is seeing, and B) almost immediately tell you which machines these messages are coming from.

Needless to say, somewhere in your environment is a bit of malware crying havoc.
0
Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

 
LVL 26

Expert Comment

by:skullnobrains
Comment Utility
this may seem a little foolish, but did you try looking during non-office hours ?

running a simple netstat might reveal the culprit

alternatively, you can stop deliveries for a small period of time and manually look at the email. the emitter is in the headers

--

you can also analyse the receive connector's log rather than the send connector. the ip address of the remote machine is mentioned there.

then either setup verbose logging so you also have the sender and recipients email addresses, or simply look for machines that send huge volumes of email. anyway the recipient is quite meaningless as it is likely that you are spamming the world rather than just hotmail.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
The first thing you should do is update the server

Exchange 2010 SP1 RU6 hasn't been supported for quite some time - Exchange 2010 SP2 isn't even a supported version. You need to go to Exchange 2010 SP3.

Once you have done so, change the Administrator password, as that is the usual target for attempts to use your machine. What do the queues look like?

Do you have just port 25 open to the server? Are the Receive Connectors on a default configuration?

Simon.
0
 

Author Closing Comment

by:gobears1294
Comment Utility
We ended up rerouting mail to hotmail through a different send connector.  In addition, we'll be relaying all email through a third party smtp relay (currently looking at Sendgrid) so that we don't get blocked in the future.  Never figured out what happened, but it hasn't happened again so we'll see how it goes.  Told microsoft and they delisted our primary IP address.  I'll start routing mail through it again next week.
0
 
LVL 26

Expert Comment

by:skullnobrains
Comment Utility
it is obvious that you have/had a piece of malware in your network.

unless you do find/found that malware, your actions will most likely prove inefficient because you'll get in trouble with the third party at some point, and if not you'll just contribute to the number of spam email sent to the wan.

be responsible and track the root of the problem if you have not yet done so.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Familiarize people with the process of utilizing SQL Server stored procedures from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Micr…
how to add IIS SMTP to handle application/Scanner relays into office 365.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now