Solved

SBS 2011 Spam Issue

Posted on 2014-09-15
228 Views
Last Modified: 2014-11-24
Hi All

A client of mine is having a problem with receiving 1000s of spam emails per day.

We have the SBS POP collector configured to receive email from the hosting server every 5 minutes.

The problem is we are receiving lots and lots of spam each day. We have SpamAssassin enabled on the hosting server and the local Exchange server has ESET Mail Security for Exchange. The stats on ESET are showing email being rejected every 30 seconds.

The strange thing is that when I log in to the webmail on the hosting server I cannot see these spam emails. I have checked the headers of the emails and they show the mail hitting cPanel.

I have disabled port 25 on the router and changed the receive connector in Exchange to retrieve email from the POP3 hosting IP address.
Any ideas?
Question by:ryank85
11 Comments
 
LVL 17

Expert Comment

by:WORKS2011
ID: 40324373
what does http://intodns.com 

one user or all users?
LVL 35

Accepted Solution

by:
Cris Hanna earned 250 total points
ID: 40325074
First of all, you should quit using the POP3 connector and have mail come straight to the Exchange server. Then I would arrange for a service like Exchange Defender: all mail goes there, gets scrubbed, and then forwards to your Exchange server. Exchange is configured to only accept mail from Exchange Defender servers. With port 25 turned off, are you still seeing all the spam? If so, it's time to start scrubbing workstations with multiple malware tools.
Author Comment

by:ryank85
ID: 40327701
Cris Hanna - I am going to change them over to direct email to the Exchange server; POP3 is a pain, I must admit.

ESET Mail Security works great so I don't need to use Exchange Defender

The weird thing is that the hosting company cannot see the amount of spam at their end.

The SPAM is going to all users, not just one.

R
LVL 35

Expert Comment

by:Cris Hanna
ID: 40327744
Then I would suggest that you have a workstation that is infected and has a mailbot which is grabbing email addresses from the workstation.

Regarding ESET, or any solution installed on the server: think of the castle and moat analogy. Having the mail scrubbed before crossing the moat is going to have a much greater success rate than battling the enemy inside the castle walls.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40327748
What version of SBS do you have as you haven't mentioned the version?

Alan
LVL 35

Expert Comment

by:Cris Hanna
ID: 40327753
See the title Alan ;-)
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40327794
Thanks Cris - Looked at the question and it wasn't in there - sometimes the answers are just staring you in the face :O

Can you run the following command in the Exchange Management Shell and post the output:

get-receiveconnector | fl

(You can obscure your domain name in the output before posting to protect your innocence)!

Alan
Author Comment

by:ryank85
ID: 40327829
thanks for your reply guys.

Also, when I stop the POP3 collectors on the SBS server, the spam stops too, so this leads me to believe all the spam is coming from the hosting server.

All the client machines are off at the weekend and the spam still appears.



RunspaceId                              : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {192.168.5.2:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : SERVER.mp.local
Comment                                 :
Enabled                                 : False
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 49.06 MB (51,445,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.5.2-192.168.5.255, 192.168.5.0-192.168.5.0}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERVER
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default SERVER
DistinguishedName                       : CN=Default SERVER,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVER,CN=
                                          Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                          Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configurati
                                          on,DC=mp,DC=local
Identity                                : SERVER\Default SERVER
Guid                                    : 05e1bb94-d740-4c6e-b5a7-e512eec4777d
ObjectCategory                          : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 9/17/2014 7:36:54 AM
WhenCreated                             : 11/14/2013 5:37:41 PM
WhenChangedUTC                          : 9/17/2014 6:36:54 AM
WhenCreatedUTC                          : 11/14/2013 5:37:41 PM
OrganizationId                          :
OriginatingServer                       : SERVER.mp.local
IsValid                                 : True

RunspaceId                              : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism                           : Tls
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {192.168.5.2:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : remote.domain.co.uk
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:01:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.6.0-255.255.255.255, 192.168.5.1-192.168.5.1, 0.0.0.0-192.168.4.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Windows SBS Internet Receive SERVER
DistinguishedName                       : CN=Windows SBS Internet Receive SERVER,CN=SMTP Receive Connectors,CN=Proto
                                          cols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDL
                                          T),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Se
                                          rvices,CN=Configuration,DC=mp,DC=local
Identity                                : SERVER\Windows SBS Internet Receive SERVER
Guid                                    : fcb5643d-5ed7-48d9-916e-0bc42c844440
ObjectCategory                          : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 9/17/2014 7:36:59 AM
WhenCreated                             : 9/17/2014 7:36:57 AM
WhenChangedUTC                          : 9/17/2014 6:36:59 AM
WhenCreatedUTC                          : 9/17/2014 6:36:57 AM
OrganizationId                          :
OriginatingServer                       : SERVER.mp.local
IsValid                                 : True

RunspaceId                              : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism                           : BasicAuth
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {127.0.0.1:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : SERVER.mp.local
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 06:00:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {127.0.0.1-127.0.0.1}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Windows SBS Fax Sharepoint Receive SERVER
DistinguishedName                       : CN=Windows SBS Fax Sharepoint Receive SERVER,CN=SMTP Receive Connectors,CN
                                          =Protocols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF
                                          23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange
                                          ,CN=Services,CN=Configuration,DC=mp,DC=local
Identity                                : SERVER\Windows SBS Fax Sharepoint Receive SERVER
Guid                                    : fc8f1282-5aba-4091-8f9d-d8aecd699207
ObjectCategory                          : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 9/17/2014 7:37:02 AM
WhenCreated                             : 9/17/2014 7:37:02 AM
WhenChangedUTC                          : 9/17/2014 6:37:02 AM
WhenCreatedUTC                          : 9/17/2014 6:37:02 AM
OrganizationId                          :
OriginatingServer                       : SERVER.mp.local
IsValid                                 : True



Ryan
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 40327879
Well - they all look fine.  Have you tested port 25 inbound to confirm that nothing can get past the router?

If that is the case and when you stop the POP3 collection, the spam stops, then it does look like that is the source.

As Cris has suggested - get emails delivered directly and as long as you have decent Anti-Spam installed / configured, the spam should decrease.
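Added example, not from the thread: the port 25 check Alan asks for, as a small PowerShell function that works on the PowerShell 2.0 shipped with SBS 2011 (which has no Test-NetConnection). Run it from a host outside the client's network against the public IP or MX name; mail.example.com is a placeholder. A timeout or "connection refused" means nothing from the Internet can reach Exchange on 25; a 220 banner means the router rule is not doing what you think.

```powershell
# Added example, not from the thread. Checks whether TCP/25 on a public host
# answers from where this script runs; it must be run from OUTSIDE the LAN,
# otherwise you are testing the inside of the router, not the rule.
function Test-Smtp25 {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $open = $false
    $banner = ''
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with our own timeout: a silently dropped SYN (router rule
        # working) would otherwise block for the OS default of ~20 seconds.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)      # throws on "connection refused"
            $open = $true
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $reader = New-Object System.IO.StreamReader($stream)
            $banner = $reader.ReadLine()    # "220 ..." greeting if an MTA answers
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.AutoFlush = $true
            $writer.WriteLine('QUIT')       # close the SMTP session cleanly
        } else {
            $banner = 'connect timeout (filtered or dropped)'
        }
    } catch {
        $banner = $_.Exception.Message      # refused, reset, or no greeting
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Host = $HostName; Port = $Port; Open = $open; Banner = $banner }
}

# mail.example.com is a placeholder for the client's public IP or MX name.
$result = Test-Smtp25 -HostName 'mail.example.com'
if ($result.Open) {
    Write-Warning "$($result.Host):$($result.Port) is reachable from the Internet - banner: $($result.Banner)"
} else {
    "$($result.Host):$($result.Port) is not reachable: $($result.Banner)"
}
```

Open is $true only if the TCP handshake completed, so a port that accepts the connection but never sends a greeting is still reported as reachable, with the read error in Banner. Keep the script handy for after the switch to direct delivery: at that point port 25 has to be open again, and the same check confirms the router is forwarding it.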

Author Comment

by:ryank85
ID: 40327891
Yes I have tested the port and it is closed on the router.

I will make the change at the weekend and report back.

Thanks again for all your help
R
Author Comment

by:ryank85
ID: 40463112
Ok just an update.

We pointed all the mail through a feature called SpamExperts, managed by the hosting company. They filter the emails and forward them to our server.

This solution has stopped all the spam.

Thanks for comments.
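Added example, not from the thread: the Exchange side of the setup the accepted answer describes and the final update adopted. Once MX points at a filtering service (Exchange Defender or SpamExperts) that forwards clean mail on, the receive connector that accepts anonymous SMTP has to accept it only from the filter's servers, otherwise anyone who finds the server's public IP can deliver straight to Exchange and skip the filter. The connector name is taken from the Get-ReceiveConnector output posted above; the filter address ranges are placeholders (TEST-NET blocks), replace them with the ranges your provider publishes. Run it in the Exchange Management Shell on the SBS server.

```powershell
# Added example, not from the thread. Restricts the Internet-facing receive
# connector to the filtering service's addresses and verifies the result.
# Connector name: from the posted Get-ReceiveConnector output.
# Filter ranges: placeholders (TEST-NET), use your provider's published list.

$connector    = 'SERVER\Windows SBS Internet Receive SERVER'
$filterRanges = @('203.0.113.0/24', '198.51.100.0/24')   # placeholders

# Before: the posted output shows this connector taking AnonymousUsers from
# 0.0.0.0-192.168.4.255 and 192.168.6.0-255.255.255.255, i.e. the whole
# Internet. Once MX points at the filter, only the filter should be able to
# hand mail to it.
Get-ReceiveConnector -Identity $connector |
    Format-List Name, Enabled, Bindings, PermissionGroups, RemoteIPRanges

# After: anonymous SMTP accepted only from the filter's servers.
Set-ReceiveConnector -Identity $connector -RemoteIPRanges $filterRanges

# Log the SMTP conversation so any sender that still reaches this connector
# from an unexpected address shows up in the receive protocol logs.
Set-ReceiveConnector -Identity $connector -ProtocolLoggingLevel Verbose

# Verify: every range on the connector must be one we set. This assumes
# Exchange renders ranges entered in CIDR form back as CIDR strings.
$actual     = @((Get-ReceiveConnector -Identity $connector).RemoteIPRanges | ForEach-Object { "$_" })
$unexpected = @($actual | Where-Object { $filterRanges -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Connector still accepts anonymous mail from: " + ($unexpected -join ', '))
} else {
    "Connector '$connector' now limited to: " + ($actual -join ', ')
}
```

Two things go with this. Port 25 on the router has to be opened again for direct delivery, and if the router can restrict the forward to the same filter ranges, do that as well so the connector rule is not the only thing standing between the Internet and Exchange. And the POP3 collector should be disabled once delivery is direct; while it runs it keeps pulling whatever lands in the hosted mailboxes, which is the unfiltered path this thread started with.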