Exchange 2010 how can these SPAM emails be getting out?

Posted on 2014-09-02
Medium Priority
Last Modified: 2014-09-04
I've done quite a bit the last week or so to try and cut down on the amount of SPAM we are both sending and receiving. I've created SPF records for our domains along with a few other tweaks to our AV/Anti-Spam suite (which is Trend-Micro Worry Free Advanced). Despite my efforts we still seem to be sending out a little bit of spam based on the queue viewer. My question is how are these emails still getting generated? I've run every test I can find with regards to ensuring we are not an open relay and yet I see SPAM going out on my Default SMTP connector. I configured Exchange with the Anti-Spam features a long time ago and ensured Recipient Filtering is turned on (verified in GUI and PowerShell). Would absolutely love to know how such emails are still getting out:

Identity: Brockman\483548\1750939
Subject: Pharmacy cheap medications
Internet Message ID: <001e01cfc6ec$07c0dbc7$d34132ab$@mados.sk>
From Address: noqipo18@mados.sk
Status: Ready
Size (KB): 1
Message Source Name: SMTP:Default BROCKMAN
Source IP:
SCL: 9
Date Received: 9/2/2014 1:29:21 PM
Expiration Time: 9/4/2014 1:29:21 PM
Last Error: 
Queue ID: Brockman\483548
Recipients:  webextra@shec.com (domain is mine but that account does not exist)


In addition to the above I've signed us up with the Trend Email Reputation Service, so, for example, if you look up the above public IP it comes back as having a BAD reputation and as being listed in QIL, yet I still seem to be generating SPAM with that public address.
Question by:ITGeneral
LVL 15

Expert Comment

ID: 40299620
Based on what you've posted above, the message seems to be coming in, not going out. Recipient filtering should have taken care of it if the recipient doesn't exist; maybe that configuration that you made such a long time ago needs to be revisited.
The sender appears to be noqipo18@mados.sk, and the recipient is webextra@shec.com.

.sk is the TLD for Slovakia, and the address may or may not be spoofed, but central/eastern Europe isn't noted for its law-abiding internet activities...
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40299626
What makes you think you are sending out spam?

What are you seeing in the queues that indicates you have a problem, as the message you posted doesn't say to me that you have a problem?

Your IP isn't Blacklisted anywhere, so not sure what you think the problem is.  It is probably just spam being sent to your server and you are sending an NDR.  Does your mail server receive email directly from the web for your domain or does a 3rd party receive it first?


Author Comment

ID: 40302064
Well, looking at my send logs I'm seeing lots of stuff along these lines. Does that not indicate that my mail server is actively trying to contact these other mail servers and deliver mail to them? I mean, in the example below it doesn't look like the receiving mail server allowed it, but surely it's just a matter of time?

2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,2,,,<,"220-box775.bluehost.com ESMTP Exim 4.82 #2 Wed, 03 Sep 2014 07:06:40 -0600 ",
2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,3,,,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,4,,,<,220 and/or bulk e-mail.,
2014-09-03T13:06:40.336Z,Internet Mail(2010),08D1906AD42329F6,5,,,>,EHLO Brockman.shec.com,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,6,,,<,250-box775.bluehost.com Hello Brockman.shec.com [],
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,7,,,<,250-SIZE 52428800,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,8,,,<,250-8BITMIME,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,9,,,<,250-AUTH PLAIN LOGIN,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,10,,,<,250-STARTTLS,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,11,,,<,250 HELP,
2014-09-03T13:06:40.398Z,Internet Mail(2010),08D1906AD42329F6,12,,,>,STARTTLS,
2014-09-03T13:06:40.476Z,Internet Mail(2010),08D1906AD42329F6,13,,,<,220 TLS go ahead,
2014-09-03T13:06:40.585Z,Internet Mail(2010),08D1906AD42329F6,14,,,*,,Received certificate
2014-09-03T13:06:40.585Z,Internet Mail(2010),08D1906AD42329F6,15,,,*,60E372CBDB0479E099BCF34DC35EAE97170520B0,Certificate thumbprint
2014-09-03T13:06:40.585Z,Internet Mail(2010),08D1906AD42329F6,16,,,>,EHLO Brockman.shec.com,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,17,,,<,250-box775.bluehost.com Hello Brockman.shec.com [],
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,18,,,<,250-SIZE 52428800,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,19,,,<,250-8BITMIME,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,20,,,<,250-AUTH PLAIN LOGIN,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,21,,,<,250 HELP,
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,22,,,*,1758688,sending message
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,23,,,>,MAIL FROM:<> SIZE=15796,
2014-09-03T13:06:40.710Z,Internet Mail(2010),08D1906AD42329F6,24,,,<,250 OK,
2014-09-03T13:06:40.710Z,Internet Mail(2010),08D1906AD42329F6,25,,,>,RCPT TO:<portera6@cyclingreflections.com>,
2014-09-03T13:06:40.819Z,Internet Mail(2010),08D1906AD42329F6,26,,,<,"550 No Such User Here""",
2014-09-03T13:06:40.819Z,Internet Mail(2010),08D1906AD42329F6,27,,,>,QUIT,
2014-09-03T13:06:40.882Z,Internet Mail(2010),08D1906AD42329F6,28,,,<,221 box775.bluehost.com closing connection,
2014-09-03T13:06:40.882Z,Internet Mail(2010),08D1906AD42329F6,29,,,-,,Local

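The send-connector log above can be checked mechanically for exactly the pattern the thread is discussing: a session whose envelope sender is empty (MAIL FROM:<>) is a bounce/NDR leaving the server. This is an added example, not code from the thread or from Exchange; it assumes the default nine-column protocol log layout, and the sample rows are constructed from the quoted session plus one ordinary delivery (alice@shec.com to bob@example.com) for contrast.

```python
import csv
import io
from collections import defaultdict

# Column order of Exchange 2010 send protocol logs (assumed default layout).
FIELDS = ["timestamp", "connector", "session", "seq", "local", "remote", "event", "data", "context"]

# Constructed sample: the bounce session quoted above plus one ordinary
# delivery (alice@shec.com -> bob@example.com) that the filter must ignore.
SAMPLE_LOG = '''\
2014-09-03T13:06:40.648Z,Internet Mail(2010),08D1906AD42329F6,23,,,>,MAIL FROM:<> SIZE=15796,
2014-09-03T13:06:40.710Z,Internet Mail(2010),08D1906AD42329F6,24,,,<,250 OK,
2014-09-03T13:06:40.710Z,Internet Mail(2010),08D1906AD42329F6,25,,,>,RCPT TO:<portera6@cyclingreflections.com>,
2014-09-03T13:06:40.819Z,Internet Mail(2010),08D1906AD42329F6,26,,,<,"550 No Such User Here""",
2014-09-03T13:07:01.000Z,Internet Mail(2010),08D1906AD4232A00,10,,,>,MAIL FROM:<alice@shec.com> SIZE=2048,
2014-09-03T13:07:01.050Z,Internet Mail(2010),08D1906AD4232A00,11,,,<,250 OK,
2014-09-03T13:07:01.050Z,Internet Mail(2010),08D1906AD4232A00,12,,,>,RCPT TO:<bob@example.com>,
2014-09-03T13:07:01.100Z,Internet Mail(2010),08D1906AD4232A00,13,,,<,250 Accepted,
'''

def parse_sessions(text):
    """Group log rows by SMTP session id, keeping file order within a session."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= len(FIELDS):
            rec = dict(zip(FIELDS, row))
            sessions[rec["session"]].append(rec)
    return sessions

def find_bounces(text):
    """One record per RCPT TO in sessions with an empty envelope sender (an NDR),
    with whether the remote side accepted (2xx), rejected (5xx) or deferred (4xx) it."""
    results = []
    for sid, recs in parse_sessions(text).items():
        # Only sessions where *our* server sent MAIL FROM:<> are NDRs going out.
        if not any(r["event"] == ">" and r["data"].upper().startswith("MAIL FROM:<>") for r in recs):
            continue
        pending = None
        for r in recs:
            if r["event"] == ">" and r["data"].upper().startswith("RCPT TO:"):
                pending = r["data"].split("<", 1)[1].split(">", 1)[0]   # "RCPT TO:<x>" -> "x"
            elif r["event"] == "<" and pending is not None:
                status = {"2": "accepted", "5": "rejected", "4": "deferred"}.get(r["data"][:1], "other")
                results.append({"session": sid, "recipient": pending, "status": status, "reply": r["data"]})
                pending = None
    return results
```

Any non-empty result means the server accepted mail for a recipient it later bounced; a rejected bounce (as here) still counts as backscatter from the remote operator's point of view, since the forged sender never existed.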

LVL 15

Expert Comment

ID: 40302118
It looks as though your server is sending an NDR, in this case to portera6@cyclingreflections.com, which is default behaviour for Exchange when it receives an email addressed to a non-existent user on your domain.

This can become a problem if your server is sending out large quantities of NDRs, as such traffic (known as backscatter - see here for a good explanation: http://en.wikipedia.org/wiki/Backscatter_%28email%29) can itself be classed as spam. To avoid this, NDRs can be turned off temporarily.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40302128
If this is NDR spam, then you don't want to turn off NDRs as that violates email RFCs, but that does suggest that you are accepting emails for Invalid Recipients and then, because you have accepted the message(s), you are required to send an NDR back.

You need to look at Recipient Filtering more carefully as it doesn't look like it is working.  If it were, any invalid recipients would be rejected and you wouldn't be responsible for sending out an NDR message.

LVL 15

Expert Comment

ID: 40302180
I did say temporarily...
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40302242
I know ;)

It's just not a long-term solution to the problem and as soon as they are turned back on again, then the problem will surface again.

Author Comment

ID: 40303354
And this is basically what has triggered this post: our domain has been flagged as a Backscatterer. What I don't understand is that I have recipient filtering turned on.

I've also got tarpit enabled for, I believe, at least 10 if not 15 seconds.

I am running TrendMicro Worry-Free (ha!) Advanced. The setup is such that there is a Trend agent on the Exchange box - I have been in contact with Trend and they've told me Exchange should be handling the recipient filtering portion as mail should be "hitting it first". I've zipped up some logs and sent them off to them but wanted to know whether, from the Exchange side, there's anything further I can do.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40303559
It's definitely not working:

220 mail.gsuinc.ca
ehlo mail.mydomain.co.uk
250-Brockman.shec.com Hello [217.xxx.xxx.226]
mail from: alan@mydomain.co.uk
250 2.1.0 Sender OK
rcpt to: bananas@shec.com
250 2.1.5 Recipient OK

Please type the following in the Exchange Management Shell:

get-recipientfilterconfig | ft RecipientValidationEnabled

What result do you get (TRUE / FALSE)?
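The telnet test above can be scripted so it is repeatable after each configuration change. This is an added example, not code from the thread: it performs the same EHLO / MAIL FROM / RCPT TO exchange against your own server and reports whether an address known not to exist is refused at RCPT TO. The ScriptedTransport class and its canned replies are constructed so the check runs offline; SocketTransport, the host names and the probe address are assumptions.

```python
import socket

class ScriptedTransport:
    """Constructed stand-in for a live connection: replays canned server replies."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []
    def readline(self):
        return self.replies.pop(0)
    def sendline(self, line):
        self.sent.append(line)

class SocketTransport:
    """Real TCP transport for checking your own MX (assumes port 25 is reachable)."""
    def __init__(self, host, port=25, timeout=10):
        self.f = socket.create_connection((host, port), timeout).makefile("rw", newline="")
    def readline(self):
        return self.f.readline().rstrip("\r\n")
    def sendline(self, line):
        self.f.write(line + "\r\n")
        self.f.flush()

def read_reply(t):
    """Read one SMTP reply, following '250-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = t.readline()
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines

def check_recipient_validation(t, helo_name, sender, probe_rcpt):
    """Repeat the thread's telnet test: EHLO, MAIL FROM, then RCPT TO an address
    that does not exist. 'rejected' (5xx at RCPT) means recipient validation
    works; 'accepted' (2xx) means the server will queue the message and later
    emit an NDR to the (possibly forged) sender, i.e. backscatter."""
    read_reply(t)                                   # 220 banner
    t.sendline("EHLO " + helo_name); read_reply(t)
    t.sendline("MAIL FROM:<%s>" % sender)
    code, _ = read_reply(t)
    if code != "250":
        t.sendline("QUIT"); return "sender-refused"
    t.sendline("RCPT TO:<%s>" % probe_rcpt)
    code, lines = read_reply(t)
    t.sendline("QUIT")                              # never DATA: nothing is delivered
    if code.startswith("2"): return "accepted"
    if code.startswith("5"): return "rejected"
    return "other"
```

To test a live server, replace ScriptedTransport with SocketTransport("your.mx.host") and use an address in your own domain that you know does not exist.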

Author Comment

ID: 40303566
[PS] C:\Windows\system32>Get-RecipientFilterConfig | ft RecipientValidationEnabled

LVL 76

Expert Comment

by:Alan Hardisty
ID: 40303580
Good - what about Trend settings as that will be what intercepts emails first?

Author Comment

ID: 40303669
Apparently to get that functionality for Trend I have to sign up for their Hosted Email Security service - which I'm licensed for but there's some issues/complications that I have with it as we use multiple domain names and the way the licensing works they want you to "hard assign" licenses to each user. A real management nightmare so I'm trying to get that sorted with them. However from what they've told me in the past email should be hitting Exchange first before the Trend Messaging Security Agent gets a hold of the email.

Either way sounds like I need more info from Trend I think.
LVL 76

Accepted Solution

Alan Hardisty earned 2000 total points
ID: 40303701
Well, until the telnet test produces a different result for a bad mailbox (unless you do have a user with banana@shec.com as an email address), then Trend / Exchange isn't recipient filtering; it then accepts the email, and then your server HAS to send back an NDR.

Get the Recipient Filtering sorted and then the NDRs will go away and your question / problem should be resolved.

Author Closing Comment

ID: 40303712
Appreciate the quick responses from everyone.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40303720
No problems - come back if you don't get any joy with Trend.

Thanks for the points.

