Exchange 2010 how can these SPAM emails be getting out?

I've done quite a bit the last week or so to try and cut down on the amount of SPAM we are both sending and receiving. I've created SPF records for our domains along with a few other tweaks to our AV/Anti-Spam suite (which is Trend-Micro Worry Free Advanced). Despite my efforts we still seem to be sending out a little bit of spam based on the queue viewer. My question is, how are these emails still getting generated? I've run every test I can find with regards to ensuring we are not an open relay and yet I see SPAM going out on my Default SMTP connector. I configured Exchange with the Anti-Spam features a long time ago and ensured Recipient Filtering is turned on (verified in GUI and PowerShell). I would absolutely love to know how such emails are still getting out:

Identity: Brockman\483548\1750939
Subject: Pharmacy cheap medications
Internet Message ID: <001e01cfc6ec$07c0dbc7$d34132ab$>
From Address:
Status: Ready
Size (KB): 1
Message Source Name: SMTP:Default BROCKMAN
Source IP:
SCL: 9
Date Received: 9/2/2014 1:29:21 PM
Expiration Time: 9/4/2014 1:29:21 PM
Last Error: 
Queue ID: Brockman\483548
Recipients: (domain is mine but that account does not exist)


In addition to the above, I've signed us up with the Trend Email Reputation Service, so, for example, if you look up the above public IP it comes back as having a BAD reputation and as being listed in QIL, yet I still seem to be generating SPAM with that public address.

Based on what you've posted above, the message seems to be coming in, not going out. Recipient filtering should have taken care of it if the recipient doesn't exist; maybe that configuration that you made such a long time ago needs to be revisited.
The sender appears to be, and the recipient is

.sk is the TLD for Slovakia, and the address may or may not be spoofed, but central/eastern Europe isn't noted for its law-abiding internet activities...
Alan Hardisty (Co-Owner) commented:
What makes you think you are sending out spam?

What are you seeing in the queues that indicates you have a problem as the message you posted doesn't say to me that you have a problem.

Your IP isn't blacklisted anywhere, so I'm not sure what you think the problem is.  It is probably just spam being sent to your server and you are sending an NDR.  Does your mail server receive email directly from the web for your domain or does a 3rd party receive it first?

ITGeneral (Author) commented:
Well, looking at my send logs I'm seeing lots of stuff along these lines. Does that not indicate that my mail server is actively trying to contact these other mail servers and deliver mail to them? I mean, in the example below it doesn't look like the receiving mail server allowed it, but surely it's just a matter of time?

2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,2,,,<," ESMTP Exim 4.82 #2 Wed, 03 Sep 2014 07:06:40 -0600 ",
2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,3,,,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,4,,,<,220 and/or bulk e-mail.,
2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,5,,,>,EHLO,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,6,,,<, Hello [],
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,7,,,<,250-SIZE 52428800,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,8,,,<,250-8BITMIME,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,9,,,<,250-AUTH PLAIN LOGIN,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,10,,,<,250-STARTTLS,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,11,,,<,250 HELP,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,12,,,>,STARTTLS,
2014-09-03T13:06:40.476Z,Internet Mail(2010),08D1906AD42329F6,13,,,<,220 TLS go ahead,
2014-09-03T13:06:40.585Z,Internet Mail(2010),08D1906AD42329F6,14,,,*,,Received certificate
2014-09-03T13:06:40.585Z,Internet Mail(2010),08D1906AD42329F6,15,,,*,60E372CBDB0479E099BCF34DC35EAE97170520B0,Certificate thumbprint
2014-09-03T13:06:40.585Z,Internet Mail(2010),08D1906AD42329F6,16,,,>,EHLO,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,17,,,<, Hello [],
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,18,,,<,250-SIZE 52428800,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,19,,,<,250-8BITMIME,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,20,,,<,250-AUTH PLAIN LOGIN,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,21,,,<,250 HELP,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,22,,,*,1758688,sending message
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,23,,,>,MAIL FROM:<> SIZE=15796,
2014-09-03T13:06:40.710Z,Internet Mail(2010),08D1906AD42329F6,24,,,<,250 OK,
2014-09-03T13:06:40.710Z,Internet Mail(2010),08D1906AD42329F6,25,,,>,RCPT TO:<>,
2014-09-03T13:06:40.819Z,Internet Mail(2010),08D1906AD42329F6,26,,,<,"550 No Such User Here""",
2014-09-03T13:06:40.819Z,Internet Mail(2010),08D1906AD42329F6,27,,,>,QUIT,
2014-09-03T13:06:40.882Z,Internet Mail(2010),08D1906AD42329F6,28,,,<,221 closing connection,
2014-09-03T13:06:40.882Z,Internet Mail(2010),08D1906AD42329F6,29,,,-,,Local



It looks as though your server is sending an NDR, in this case to, which is default behaviour for Exchange when it receives an email addressed to a non-existent user on your domain.

This can become a problem if your server is sending out large quantities of NDRs, as such traffic (known as backscatter - see here for a good explanation: ) can itself be classed as spam. To avoid this, NDRs can be turned off temporarily.
Alan Hardisty (Co-Owner) commented:
If this is NDR spam, then you don't want to turn off NDRs as that violates email RFCs, but that does suggest that you are accepting emails for Invalid Recipients and then, because you have accepted the message(s), you are required to send an NDR back.

You need to look at Recipient Filtering more carefully as it doesn't look like it is working.  If it were, any invalid recipients would be rejected and you wouldn't be responsible for sending out an NDR message.

I did say temporarily...
Alan Hardisty (Co-Owner) commented:
I know ;)

It's just not a long-term solution to the problem and as soon as they are turned back on again, then the problem will surface again.
ITGeneral (Author) commented:
What basically triggered this post is that our domain has been flagged as a Backscatterer. What I don't understand is that I have recipient filtering turned on.

I've also got tarpit enabled for, I believe, at least 10 if not 15 seconds.

I am running TrendMicro Worry-Free (ha!) Advanced. The setup is such that there is a Trend agent on the Exchange box - I have been in contact with Trend and they've told me Exchange should be handling the recipient filtering portion as mail should be "hitting it first". I've zipped up some logs and sent them off to them, but wanted to know if, from an Exchange side, there's anything further I can do.
Alan Hardisty (Co-Owner) commented:
It's definitely not working:

ehlo Hello []
mail from:
250 2.1.0 Sender OK
rcpt to:
250 2.1.5 Recipient OK

Please type the following in the Exchange Management Shell:

get-recipientfilterconfig | ft RecipientValidationEnabled

What result do you get (TRUE / FALSE)?
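The telnet test above is the decisive check: if RCPT TO for a mailbox that does not exist comes back 250, the server has taken ownership of the message and will have to generate an NDR later; if it comes back 5xx, recipient validation is doing its job at the edge. The following added example (not code from the thread, Microsoft or Trend Micro) scripts that same exchange with Python's smtplib against your own MX so it can be re-run after every configuration change, and stops before DATA so nothing is ever sent. `check_server` and `recipient_validation_enabled` are names chosen here; `ScriptedSMTP` is a constructed stand-in for a live connection so the block runs offline. The probe address is randomly generated under your own domain so it cannot collide with a real mailbox.

```python
import os
import smtplib


def recipient_validation_enabled(conn, bogus_recipient, mail_from="probe@example.com"):
    """Replay the manual telnet test: EHLO, MAIL FROM, RCPT TO a non-existent mailbox.

    Returns (enabled, code, text). enabled is True when the server refuses the
    recipient with a 5xx reply at RCPT time; False when it answers 250 and will
    therefore accept the message and have to bounce it afterwards.
    """
    conn.ehlo()
    code, msg = conn.mail(mail_from)
    if code != 250:
        raise RuntimeError(f"MAIL FROM refused: {code} {msg!r}")
    code, msg = conn.rcpt(bogus_recipient)
    try:
        conn.rset()  # abandon the transaction; DATA is never sent
    except smtplib.SMTPException:
        pass
    text = msg.decode(errors="replace") if isinstance(msg, bytes) else str(msg)
    return code >= 500, code, text


def check_server(host, domain, port=25, timeout=10):
    """Connect to your own MX and probe a random, certainly non-existent local address."""
    bogus = f"nonexistent-{os.urandom(4).hex()}@{domain}"  # constructed probe address
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return recipient_validation_enabled(conn, bogus)


class ScriptedSMTP:
    """Constructed stand-in for smtplib.SMTP that returns a fixed RCPT TO reply."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.reset_called = False

    def ehlo(self):
        return 250, b"mail.example.com Hello"

    def mail(self, sender):
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, recipient):
        return self.rcpt_reply

    def rset(self):
        self.reset_called = True
        return 250, b"2.0.0 Resetting"


if __name__ == "__main__":
    # Offline demonstration of both outcomes of the test in the thread.
    for reply in ((250, b"2.1.5 Recipient OK"), (550, b"5.1.1 User unknown")):
        enabled, code, text = recipient_validation_enabled(
            ScriptedSMTP(reply), "nonexistent-deadbeef@example.com")
        print(f"{code} {text}: recipient validation {'working' if enabled else 'NOT working'}")
    # Against a live server you would call, for example:
    # print(check_server("mail.example.com", "example.com"))
```

Read the reply text as well as the code: a 5.1.1 ("user unknown") answer proves recipient validation is rejecting at the edge, whereas a 5.7.x answer means a relay or policy rule fired and says nothing about recipient filtering. Remember that the probe must reach whatever receives mail from the internet first; if Trend or another gateway sits in front of Exchange, test that address, because that is where the 250 that causes the backscatter is being issued.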
ITGeneral (Author) commented:
[PS] C:\Windows\system32>Get-RecipientFilterConfig | ft RecipientValidationEnabled

Alan Hardisty (Co-Owner) commented:
Good - what about Trend settings as that will be what intercepts emails first?
ITGeneral (Author) commented:
Apparently to get that functionality for Trend I have to sign up for their Hosted Email Security service - which I'm licensed for, but there are some issues/complications that I have with it, as we use multiple domain names and the way the licensing works they want you to "hard assign" licenses to each user. A real management nightmare, so I'm trying to get that sorted with them. However, from what they've told me in the past, email should be hitting Exchange first before the Trend Messaging Security Agent gets a hold of the email.

Either way sounds like I need more info from Trend I think.
Alan Hardisty (Co-Owner) commented:
Well, until the telnet test produces a different result for a bad mailbox (unless you do have a user with as an email address), then Trend / Exchange isn't recipient filtering; it accepts the email and then your server HAS to send back an NDR.

Get the Recipient Filtering sorted and then the NDRs will go away and your question / problem should be resolved.

ITGeneral (Author) commented:
Appreciate the quick responses from everyone.
Alan Hardisty (Co-Owner) commented:
No problems - come back if you don't get any joy with Trend.

Thanks for the points.

Question has a verified solution.