Solved

SBS 2011 Spam Issue

Posted on 2014-09-15
223 Views
Last Modified: 2014-11-24
Hi All

A client of mine is having a problem with receiving 1000s of spam per day.

We have SBS pop collector configured to receive email from the hosting server every 5 minutes.

The problem is we are receiving lots and lots of spam each day. We have SpamAssassin enabled on the hosting server, and the local Exchange server has ESET Mail Security for Exchange. The stats on the ESET are showing email being rejected every 30 seconds.

The strange thing is that when I log in to the webmail on the hosting server I cannot see these spam emails. I have checked the headers of the emails and they show the mail hitting the cPanel.

I have disabled port 25 on the router and changed the receive connector in Exchange to retrieve email from the POP3 hosting IP address.
Any ideas?
Question by:ryank85
11 Comments
LVL 17

Expert Comment

by:WORKS2011
What does http://intodns.com

One user or all users?
LVL 35

Accepted Solution

by:Cris Hanna (earned 250 total points)
First of all, you should quit using the POP3 connector and have mail come straight to the Exchange server. Then I would arrange for a service like Exchange Defender. All mail goes there, gets scrubbed, and then forwards to your Exchange server. Exchange is configured to only accept mail from Exchange Defender servers. With port 25 turned off, are you still seeing all the spam? If so, it's time to start scrubbing workstations with multiple malware tools.
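One way to carry out the "only accept mail from the scrubbing service" part of Cris's suggestion in the Exchange Management Shell, as an added example that is not part of this thread (it is not code from the poster, from Microsoft or from Exchange Defender). It prints a summary of every receive connector, then narrows the Internet-facing connector so anonymous SMTP is accepted only from the filtering provider's address ranges. The connector name matches the one in the output posted later in this thread; the address ranges are placeholders that you must replace with the ranges your provider publishes, and the router must forward TCP/25 to the server once the POP3 connector is retired.

```powershell
# Added example (not from the thread): restrict anonymous SMTP on the
# Internet-facing receive connector to the upstream filtering service.
# Run in the Exchange Management Shell on the SBS 2011 server.

# Connector name as shown in the posted Get-ReceiveConnector output.
$ConnectorName = 'Windows SBS Internet Receive SERVER'

# PLACEHOLDER ranges (documentation addresses) - substitute the ranges your
# filtering provider publishes. CIDR blocks, ranges and single IPs are accepted.
$FilterServiceRanges = @('203.0.113.0/24', '198.51.100.10-198.51.100.20')

function Show-ConnectorSummary {
    # The fields that decide who may talk SMTP to this server: the bound
    # address/port, which permission groups (anonymous?) apply, and from where.
    Get-ReceiveConnector | Select-Object Name, Enabled, Bindings, PermissionGroups,
        @{Name = 'RemoteIPRanges'
          Expression = { ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', ' }}
}

'--- Before ---'
Show-ConnectorSummary | Format-List

# Replace the wide-open remote range (0.0.0.0-... in the posted output) with
# the filter service only. Any other host that reaches port 25 is now refused
# by this connector instead of being handed to the local anti-spam engine.
Set-ReceiveConnector -Identity $ConnectorName -RemoteIPRanges $FilterServiceRanges

'--- After ---'
Show-ConnectorSummary | Format-List
```

After the change, check the summary once more: the Default connector should stay LAN-only without AnonymousUsers, the Fax/SharePoint connector stays bound to 127.0.0.1, and only the Internet connector carries AnonymousUsers, now limited to the provider's ranges.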
Author Comment

by:ryank85
Cris Hanna - I am going to change them over to direct email to the Exchange server; POP3 is a pain, I must admit.

ESET Mail Security works great, so I don't need to use Exchange Defender.

The weird thing is that the hosting company cannot see the amount of spam at their end.

The SPAM is going to all users, not just one.

R
LVL 35

Expert Comment

by:Cris Hanna
Then I would suggest that you have a workstation that is infected and has a mailbot which is grabbing email addresses from the workstation.

Regarding ESET, or any solution installed on the server: think of the castle and moat analogy. Having the mail scrubbed before crossing the moat is going to have a much greater success rate than battling the enemy inside the castle walls.
LVL 76

Expert Comment

by:Alan Hardisty
What version of SBS do you have, as you haven't mentioned the version?

Alan
LVL 35

Expert Comment

by:Cris Hanna
See the title Alan ;-)
LVL 76

Expert Comment

by:Alan Hardisty
Thanks Cris - I looked at the question and it wasn't in there. Sometimes the answers are just staring you in the face :O

Can you run the following command in the Exchange Management Shell and post the output:

get-receiveconnector | fl

(You can obscure your domain name in the output before posting to protect your innocence)!

Alan
Author Comment

by:ryank85
Thanks for your replies, guys.

Also, when I stop the POP3 collectors on the SBS server, the spam stops as well, so this leads me to believe all the spam is coming from the hosting server.

All the client machines are off at weekend and spam still appears.



RunspaceId                              : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {192.168.5.2:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : SERVER.mp.local
Comment                                 :
Enabled                                 : False
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 49.06 MB (51,445,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.5.2-192.168.5.255, 192.168.5.0-192.168.5.0}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERVER
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default SERVER
DistinguishedName                       : CN=Default SERVER,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVER,CN=
                                          Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                          Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configurati
                                          on,DC=mp,DC=local
Identity                                : SERVER\Default SERVER
Guid                                    : 05e1bb94-d740-4c6e-b5a7-e512eec4777d
ObjectCategory                          : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 9/17/2014 7:36:54 AM
WhenCreated                             : 11/14/2013 5:37:41 PM
WhenChangedUTC                          : 9/17/2014 6:36:54 AM
WhenCreatedUTC                          : 11/14/2013 5:37:41 PM
OrganizationId                          :
OriginatingServer                       : SERVER.mp.local
IsValid                                 : True

RunspaceId                              : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism                           : Tls
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {192.168.5.2:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : remote.domain.co.uk
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:01:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.6.0-255.255.255.255, 192.168.5.1-192.168.5.1, 0.0.0.0-192.168.4.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Windows SBS Internet Receive SERVER
DistinguishedName                       : CN=Windows SBS Internet Receive SERVER,CN=SMTP Receive Connectors,CN=Proto
                                          cols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDL
                                          T),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Se
                                          rvices,CN=Configuration,DC=mp,DC=local
Identity                                : SERVER\Windows SBS Internet Receive SERVER
Guid                                    : fcb5643d-5ed7-48d9-916e-0bc42c844440
ObjectCategory                          : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 9/17/2014 7:36:59 AM
WhenCreated                             : 9/17/2014 7:36:57 AM
WhenChangedUTC                          : 9/17/2014 6:36:59 AM
WhenCreatedUTC                          : 9/17/2014 6:36:57 AM
OrganizationId                          :
OriginatingServer                       : SERVER.mp.local
IsValid                                 : True

RunspaceId                              : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism                           : BasicAuth
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {127.0.0.1:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : SERVER.mp.local
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 06:00:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {127.0.0.1-127.0.0.1}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Windows SBS Fax Sharepoint Receive SERVER
DistinguishedName                       : CN=Windows SBS Fax Sharepoint Receive SERVER,CN=SMTP Receive Connectors,CN
                                          =Protocols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF
                                          23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange
                                          ,CN=Services,CN=Configuration,DC=mp,DC=local
Identity                                : SERVER\Windows SBS Fax Sharepoint Receive SERVER
Guid                                    : fc8f1282-5aba-4091-8f9d-d8aecd699207
ObjectCategory                          : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 9/17/2014 7:37:02 AM
WhenCreated                             : 9/17/2014 7:37:02 AM
WhenChangedUTC                          : 9/17/2014 6:37:02 AM
WhenCreatedUTC                          : 9/17/2014 6:37:02 AM
OrganizationId                          :
OriginatingServer                       : SERVER.mp.local
IsValid                                 : True



Ryan
LVL 76

Assisted Solution

by:Alan Hardisty (earned 250 total points)
Well - they all look fine. Have you tested port 25 inbound to confirm that nothing can get past the router?

If that is the case and when you stop the POP3 collection, the spam stops, then it does look like that is the source.

As Cris has suggested - get emails delivered directly and as long as you have decent Anti-Spam installed / configured, the spam should decrease.
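Alan's "test port 25 inbound" check has to be run from outside the client's network, since a test from the LAN never crosses the router. The function below is an added example, not code from the thread or from any of its participants: it attempts a TCP connection to the public address with a timeout and, if the port answers, captures the SMTP greeting so you can tell which system replied. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection because the latter does not exist on the PowerShell version SBS 2011 ships with; the public address is a placeholder.

```powershell
# Added example (not from the thread): verify from an OUTSIDE host whether
# TCP/25 on the public address still answers, and read the SMTP banner if so.

function Test-SmtpPort {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Open = $false; Banner = $null
    }
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer within the timeout: the router is dropping the SYN.
            return $result
        }
        $client.EndConnect($async)
        $result.Open = $true

        # Read the 220 greeting: the hostname in it tells you what answered
        # (the SBS server itself, or something else in front of it).
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $result.Banner = $reader.ReadLine()
    } catch {
        # Connection refused/reset, DNS failure or banner timeout: Open stays
        # $false unless the connect itself succeeded.
    } finally {
        $client.Close()
    }
    return $result
}

# PLACEHOLDER: the client's public IP address or MX host name.
Test-SmtpPort -HostName '203.0.113.10' | Format-List Host, Port, Open, Banner
```

Open = False confirms the router policy is holding, which together with "the spam stops when the POP3 collection stops" points at the POP3 path as the source. Open = True with a banner naming the SBS server means port 25 is still reachable from the Internet and the router rule needs another look.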
Author Comment

by:ryank85
Yes, I have tested the port and it is closed on the router.

I will make the change at the weekend and report back.

Thanks again for all your help.
R
Author Comment

by:ryank85
OK, just an update.

We pointed all the mail through a feature called Spam Experts, managed by the hosting company. They filter the emails and forward them into our server.

This solution has stopped all the spam.

Thanks for the comments.