Solved

Microsoft blocking all emails sent to @hotmail.com from my mail relay

Posted on 2014-04-28
1,265 Views
Last Modified: 2014-05-03
Running Exchange 2010 SP1 RU6.  Received complaints from my users unable to send mail to their Hotmail account.  Verified that we were not listed in any RBLs.  Filled out the form on Microsoft's website and they indicated that there was abusive/suspicious behavior coming from my mail relay, that we were namespace mining.  They gave the example of:

Time of abuse:  2014-04-24 09:16:00 and 2014-04-25 09:18:00
 
Total RCPT To commands sent: 6579
 
Total email Sent: 214

I used Get-MessageTrackingLog to find all mail sent to @hotmail accounts during this period, but it does not tell me the RCPT To attempts.

Is there any way to search the tracking logs for RCPT To commands?  I'm trying to track down what could be causing this.
Question by:gobears1294
8 Comments

Expert Comment

by:WalkaboutTigger
ID: 40028013
First, you need to configure Exchange to send NDRs to a mailbox
See http://technet.microsoft.com/en-us/library/bb400930(EXCHG.80).aspx which is also applicable to 2010.

Also, review the information contained within
http://www.petri.co.il/monitor-exchange-2007-non-delivery-reports-ndr.htm
which is also applicable to monitoring NDRs in 2010.

Configure your firewall so that only the Exchange server can send SMTP mail on port 25.  All other systems should be sending email through the Exchange server.  Log any attempts by other devices and have your logging system send you alerts immediately until this issue is resolved.

Allowing any machine on the inside to initiate traffic on port 25 going outbound is asking to get RBLd.

Configure your firewall so that traffic directed to port 25 only goes to the Exchange server.  Log any other attempts for later review.

Expert Comment

by:Gareth Gudger
ID: 40028057
You may wish to have your ISP create a PTR record that matches your IP back to your banner - for example mail.domain.com.

Also, you may wish to look into creating an SPF record that tells Hotmail.com who is authorized to send mail as yourdomain.com. Lastly, how are you sending mail?

Are you sending through a filtering service or appliance? For $2 per user/per month I normally recommend getting Microsoft's Exchange Online Protection to scan all inbound and outbound messages for viruses and spam. Keeps it all out of your network and does not consume your bandwidth.

Author Comment

by:gobears1294
ID: 40028500
The firewall is set up to only allow the Exchange server to communicate on port 25.  Our external DNS has a PTR record and an SPF record.  I had our IT Security folks check out the firewall logs and it does show 6000+ commands sent in a 4 hour period to Microsoft's servers.  I was able to look at the connection log and get the session IDs for all these connections (see below for a sample).  My issue is, I don't know how to correlate the session IDs with a user or application server IP so I can figure out who performed these commands.

#Fields: date-time      session      source      Destination      direction      description
2014-04-25T13:19:39.205Z      08D0EAB0C25C4885      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.283Z      08D0EAB0C25C4885      SMTP      hotmail.com      >      mx2.hotmail.com[207.46.8.167, 65.55.92.184, 65.55.92.168, 65.54.188.72, 65.54.188.94, 65.54.188.110, 65.55.92.152, 65.55.33.135, 65.55.37.88, 207.46.8.199, 65.55.92.136, 65.55.33.119, 65.55.37.120, 65.55.37.104, 65.54.188.126], mx1.hotmail.com[65.55.92....
2014-04-25T13:19:39.330Z      08D0EAB0C25C4885      SMTP      hotmail.com      >      Established connection to 207.46.8.167
2014-04-25T13:19:39.767Z      08D0EAB0C25C4885      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:39.767Z      08D0EAB0C25C4888      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.830Z      08D0EAB0C25C4888      SMTP      hotmail.com      >      Established connection to 65.55.92.184
2014-04-25T13:19:40.439Z      08D0EAB0C25C4888      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:40.439Z      08D0EAB0C25C4889      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:40.502Z      08D0EAB0C25C4889      SMTP      hotmail.com      >      Established connection to 65.55.92.168
2014-04-25T13:19:41.158Z      08D0EAB0C25C4889      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.158Z      08D0EAB0C25C488A      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.189Z      08D0EAB0C25C488A      SMTP      hotmail.com      >      Established connection to 65.54.188.72
2014-04-25T13:19:41.580Z      08D0EAB0C25C488A      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.580Z      08D0EAB0C25C488B      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.611Z      08D0EAB0C25C488B      SMTP      hotmail.com      >      Established connection to 65.54.188.94
2014-04-25T13:19:41.986Z      08D0EAB0C25C488B      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.986Z      08D0EAB0C25C488C      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.017Z      08D0EAB0C25C488C      SMTP      hotmail.com      >      Established connection to 65.54.188.110
2014-04-25T13:19:42.392Z      08D0EAB0C25C488C      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:42.392Z      08D0EAB0C25C488D      SMTP      hotmail.com      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.439Z      08D0EAB0C25C488D      SMTP      hotmail.com      >      Established connection to 65.55.92.152
2014-04-25T13:19:43.111Z      08D0EAB0C25C488D      SMTP      hotmail.com      -      Messages: 0 Bytes: 0 (Attempting next target)
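The connectivity log above only identifies the outbound delivery session; it never knows who submitted the message. The originator is recorded on the RECEIVE event of the message tracking log (Source, ClientIp/ClientHostname, Sender), and the RECEIVE event lists every recipient the message was submitted with, including the ones Hotmail later refused, so it is also the closest thing the tracking log has to a RCPT TO count. The following is an added example and is not code from the thread; it assumes Microsoft's abuse window is in UTC, a single Hub Transport server (otherwise add -Server per server), and is meant to run in the Exchange Management Shell on Exchange 2010.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Hub Transport server. Assumed: Microsoft's abuse window is UTC
# and there is one Hub Transport server (add -Server <name> per server otherwise).
$start = [datetime]'2014-04-24T09:16:00Z'   # trailing Z = UTC; the cast converts to local time, which -Start/-End expect
$end   = [datetime]'2014-04-25T09:18:00Z'

# Count the hotmail.com addresses across the Recipients arrays of a set of events.
function Get-HotmailRecipientCount {
    param($Events)
    ($Events | ForEach-Object { $_.Recipients } | Where-Object { $_ -like '*@hotmail.com' } | Measure-Object).Count
}

# Every message accepted by transport gets one RECEIVE event listing all of its
# recipients, including those Hotmail later refused with a 550. Summing the
# hotmail.com recipients here approximates the RCPT TO figure Microsoft quoted;
# the SEND events only contain what was actually delivered.
$received = Get-MessageTrackingLog -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited |
    Where-Object { @($_.Recipients | Where-Object { $_ -like '*@hotmail.com' }).Count -gt 0 }

# Source says how the message entered transport: STOREDRIVER = a mailbox user
# (Outlook, OWA, ActiveSync); SMTP = a host that connected to a receive
# connector, and ClientIp is then that host (an application server, a printer,
# or an infected workstation if the connector lets it relay).
$received |
    Group-Object Source, ClientIp, Sender |
    Select-Object Count, Name, @{ n = 'HotmailRcpt'; e = { Get-HotmailRecipientCount $_.Group } } |
    Sort-Object HotmailRcpt -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize

# Namespace mining looks like a few messages with very long recipient lists of
# guessed names; the top messages by RecipientCount show it directly.
$received |
    Sort-Object RecipientCount -Descending |
    Select-Object -First 10 Timestamp, Source, ClientIp, Sender, RecipientCount, MessageSubject |
    Format-Table -AutoSize

# Recipients Hotmail refused outright show up as FAIL events carrying the 550 text.
Get-MessageTrackingLog -EventId FAIL -Start $start -End $end -ResultSize Unlimited |
    Where-Object { @($_.RecipientStatus | Where-Object { $_ -like '550*' }).Count -gt 0 } |
    Group-Object Sender | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# The ratio between these two totals is what Microsoft measured.
$sent = Get-MessageTrackingLog -EventId SEND -Start $start -End $end -ResultSize Unlimited |
    Where-Object { @($_.Recipients | Where-Object { $_ -like '*@hotmail.com' }).Count -gt 0 }
'RECEIVE hotmail.com recipients: {0}; SEND hotmail.com recipients: {1}' -f `
    (Get-HotmailRecipientCount $received), (Get-HotmailRecipientCount $sent)
```

Two caveats when comparing against Microsoft's numbers: a recipient that Hotmail answers with a 4xx is retried at every retry interval and produces a fresh RCPT TO each time, so the wire count can exceed the number of recipients submitted; and the tracking log cannot show RCPT TO commands at all, only the SMTP protocol log on the send connector does, which is the next step if these counts do not add up.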

Accepted Solution

by:WalkaboutTigger earned 500 total points
ID: 40028604
Have you tried using ExLogAnalyzer, which can be found by going to the blog entry describing it -
http://blogs.technet.com/b/exchange/archive/2010/01/20/making-sense-of-exchange-logs-using-exloganalyzer.aspx

or you can access its MSDN development page directly by going to

http://archive.msdn.microsoft.com/ExLogAnalyzer

Are you still experiencing these high numbers of emails being sent to hotmail.com?
If so, until the issue is resolved, I would add hotmail.com to the Exchange environment which will A) quickly reduce the number of hits Microsoft is seeing, and B) almost immediately tell you which machines these messages are coming from.

Needless to say, somewhere in your environment is a bit of malware crying havoc.

Expert Comment

by:skullnobrains
ID: 40029038
this may seem a little foolish, but did you try looking during non-office hours?

running a simple netstat might reveal the culprit

alternatively, you can stop deliveries for a small period of time and manually look at the email. the emitter is in the headers

--

you can also analyse the receive connector's log rather than the send connector. the ip address of the remote machine is mentioned there.

then either setup verbose logging so you also have the sender and recipients email addresses, or simply look for machines that send huge volumes of email. anyway the recipient is quite meaningless as it is likely that you are spamming the world rather than just hotmail.
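The SMTP protocol logs are where RCPT TO commands actually appear, which answers the original question (how to see the RCPT To attempts behind the 6579 figure) and the suggestion just above (read the receive connector's log, where the remote IP of the submitting machine is recorded). Both logs share one format, so one parser serves both: the SmtpSend log shows every RCPT TO issued to the Hotmail MX and how the MX answered, keyed by the same session-id that appears in the connectivity log sample earlier in the thread; the SmtpReceive log shows which IP submitted the mail, how many RCPT TOs it issued, and whether anyone is guessing passwords against the connector. This is an added example, not code from the thread; the connector name and log paths are placeholders (check them with Get-SendConnector, Get-ReceiveConnector and Get-TransportServer), and the field list is the documented Exchange 2010 protocol log header.

```powershell
# Added example, not from the original thread. Connector names and log paths
# are placeholders; confirm them on the server before running.

# 1. Turn on verbose logging (idempotent; new log lines appear immediately).
Set-SendConnector -Identity 'Internet Send' -ProtocolLoggingLevel Verbose
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
Get-TransportServer | Format-List Name, SendProtocolLogPath, ReceiveProtocolLogPath

# 2. Load the W3C-style logs. Header lines start with '#'; the field list is
#    the documented one for Exchange 2010 SmtpSend/SmtpReceive logs.
function Get-SmtpProtocolLog {
    param([Parameter(Mandatory = $true)][string]$Path)
    $fields = 'date-time', 'connector-id', 'session-id', 'sequence-number',
              'local-endpoint', 'remote-endpoint', 'event', 'data', 'context'
    Get-ChildItem -Path $Path -Filter '*.log' |
        ForEach-Object { Get-Content -Path $_.FullName } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $fields
}

# 3. One summary object per SMTP session. Direction matters: in a Send log the
#    server's commands are '>' and the MX's replies '<'; in a Receive log the
#    client's commands are '<' and Exchange's replies '>'.
function Get-SmtpSessionSummary {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('Send', 'Receive')][string]$Direction = 'Send',
        [datetime]$Start = [datetime]::MinValue,
        [datetime]$End   = [datetime]::MaxValue
    )
    $cmdEvent = if ($Direction -eq 'Send') { '>' } else { '<' }
    $rspEvent = if ($Direction -eq 'Send') { '<' } else { '>' }

    Get-SmtpProtocolLog -Path $Path |
        Where-Object { $t = [datetime]$_.'date-time'; $t -ge $Start -and $t -le $End } |
        Group-Object 'session-id' |
        ForEach-Object {
            $rows = @($_.Group | Sort-Object { [int]$_.'sequence-number' })
            $rcpt = 0; $rejected = 0; $authFail = 0; $mailFrom = $null; $pending = $false
            foreach ($r in $rows) {
                if ($r.event -eq $cmdEvent) {
                    if ($r.data -like 'RCPT TO:*') { $rcpt++; $pending = $true }
                    elseif (-not $mailFrom -and $r.data -match '^MAIL FROM:<([^>]*)>') { $mailFrom = $matches[1] }
                } elseif ($r.event -eq $rspEvent) {
                    if ($pending -and $r.data -match '^5\d\d') { $rejected++ }   # e.g. 550 unknown user
                    if ($r.data -match '^535') { $authFail++ }                    # AUTH LOGIN refused
                    $pending = $false
                }
            }
            New-Object PSObject -Property @{
                SessionId = $_.Name
                Started   = $rows[0].'date-time'
                RemoteIp  = ($rows[0].'remote-endpoint' -split ':')[0]
                MailFrom  = $mailFrom
                RcptTo    = $rcpt
                Rejected  = $rejected
                AuthFail  = $authFail
            }
        }
}

# 4a. The original question: RCPT TO per outbound session, with the session-id
#     that the connectivity log also shows for the same connection.
$sendPath = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend'
Get-SmtpSessionSummary -Path $sendPath -Direction Send |
    Where-Object { $_.RcptTo -gt 0 } |
    Sort-Object RcptTo -Descending |
    Format-Table Started, SessionId, RemoteIp, RcptTo, Rejected -AutoSize

# 4b. Who is feeding the relay: submitting IPs ranked by total RCPT TO, plus
#     failed AUTH attempts (password guessing against the receive connector).
$recvPath = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive'
Get-SmtpSessionSummary -Path $recvPath -Direction Receive |
    Group-Object RemoteIp |
    Select-Object Name, Count,
        @{ n = 'RcptTo';   e = { ($_.Group | Measure-Object RcptTo   -Sum).Sum } },
        @{ n = 'AuthFail'; e = { ($_.Group | Measure-Object AuthFail -Sum).Sum } } |
    Sort-Object RcptTo -Descending |
    Format-Table -AutoSize
```

Protocol logging is off by default, so the window Microsoft quoted will not be in these logs unless it was already enabled; turn it on now and leave it on, the files are small and rotate themselves. A session in the Send log with many RCPT TOs and a high Rejected count is the namespace-mining pattern from the MX's point of view; the Receive log then names the host that submitted those recipients.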

Expert Comment

by:Simon Butler (Sembee)
ID: 40032498
The first thing you should do is update the server

Exchange 2010 SP1 RU6 hasn't been supported for quite some time - Exchange 2010 SP2 isn't even a supported version. You need to go to Exchange 2010 SP3.

Once you have done so, change the Administrator password, as that is the usual target for attempts to use your machine. What do the queues look like?

Do you have just port 25 open to the server? Are the Receive Connectors on a default configuration?

Simon.
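The three questions in the comment above (build level, what is open, and the receive connector configuration) can be answered without touching the server. The commands below are an added example and not from the thread; they assume an Exchange 2010 Hub Transport server and the Exchange Management Shell, and they only report.

```powershell
# Added example, not from the original thread. Read-only checks for an
# Exchange 2010 Hub Transport server.

# Build level: Exchange 2010 SP3 reports AdminDisplayVersion 14.3.x.
Get-ExchangeServer | Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize

# Receive connectors: which IP ranges may connect, which auth methods and
# permission groups are enabled. Out of the box, 'Default <server>' listens on
# 0.0.0.0:25 for ExchangeUsers/ExchangeServers/ExchangeLegacyServers only; an
# internet-facing relay usually has AnonymousUsers added on top of that.
Get-ReceiveConnector |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, ProtocolLoggingLevel

# The actual open-relay test: the ms-Exch-SMTP-Accept-Any-Recipient extended
# right granted to Anonymous Logon lets any host in RemoteIPRanges send to any
# external domain. On a connector reachable from the internet it must be absent.
Get-ReceiveConnector |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' } |
    Format-Table Identity, User, Deny, IsInherited -AutoSize

# Queues: an abused relay shows many Retry queues, one per target domain, with
# large message counts and deferral errors from the remote MX.
Get-Queue | Sort-Object MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize

# What is sitting in the hotmail.com queue, and from whom, before anything is flushed.
Get-Queue -Filter "NextHopDomain -eq 'hotmail.com'" |
    ForEach-Object { Get-Message -Queue $_.Identity } |
    Format-Table FromAddress, Subject, Status, Size -AutoSize
```

If the extended-right query returns a row for NT AUTHORITY\ANONYMOUS LOGON on a connector whose RemoteIPRanges includes anything outside your own network, the relay is open and the source of the traffic may be external rather than malware on the LAN; if it returns nothing, the submissions came from an authenticated user or from a host inside the allowed ranges, and the message tracking and protocol logs will say which.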

Author Closing Comment

by:gobears1294
ID: 40038477
We ended up rerouting mail to hotmail through a different send connector.  In addition, we'll be relaying all email through a third party SMTP relay (currently looking at Sendgrid) so that we don't get blocked in the future.  Never figured out what happened, but it hasn't happened again so we'll see how it goes.  Told Microsoft and they delisted our primary IP address.  I'll start routing mail through it again next week.

Expert Comment

by:skullnobrains
ID: 40038941
it is obvious that you have/had a piece of malware in your network.

unless you do find/found that malware, your actions will most likely prove inefficient because you'll get in trouble with the third party at some point, and if not you'll just contribute to the number of spam email sent to the wan.

be responsible and track the root of the problem if you have not yet done so.