ryank85
asked on
SBS 2011 Spam Issue
Hi All
A client of mine is having a problem with receiving 1000s of spam per day.
We have SBS pop collector configured to receive email from the hosting server every 5 minutes.
The problem is we are receiving lots and lots of spam each day. We have SpamAssassin enabled on the hosting server and the local Exchange server has ESET Mail Security for Exchange. The stats on the ESET are showing email being rejected every 30 seconds.
The strange thing is that when I log in to the webmail on the hosting server I cannot see these spam emails. I have checked the headers of the emails and it's showing as hitting the cPanel.
I have disabled port 25 on the router and changed the receive connector in Exchange to download retrieve email from the POP3 hosting IP address.
Any ideas?
ASKER
Cris Hanna - I am going to change them over to direct email to the exchange server, pop3 is a pain I must admit.
ESET Mail Security works great so I don't need to use Exchange Defender
The weird thing is that the hosting company cannot see the amount of spam at their end.
The SPAM is going to all users, not just one.
R
Then I would suggest that you have a workstation that is infected and has a mailbot which is grabbing email addresses from the workstation.
Regarding ESET, or any solution installed on the server. Think of the castle and moat analogy. Having the mail scrubbed before crossing the moat is going to have a much greater success rate than battling the enemy inside the castle walls.
What version of SBS do you have as you haven't mentioned the version?
Alan
See the title Alan ;-)
Thanks Cris - Looked at the question and it wasn't in there - sometimes the answers are just staring you in the face :O
Can you run the following command in the Exchange Management Shell and post the output:
get-receiveconnector | fl
(You can obscure your domain name in the output before posting to protect your innocence)!
Alan
ASKER
Thanks for your reply guys.
Also, when I stop the POP3 collectors on the SBS server, the spam stops also, so this leads me to believe all the spam is coming from the hosting server.
All the client machines are off at weekend and spam still appears.
RunspaceId : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {192.168.5.2:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : SERVER.mp.local
Comment :
Enabled : False
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 49.06 MB (51,445,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.5.2-192.168.5.255, 192.168.5.0-192.168.5.0}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : SERVER
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default SERVER
DistinguishedName : CN=Default SERVER,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mp,DC=local
Identity : SERVER\Default SERVER
Guid : 05e1bb94-d740-4c6e-b5a7-e512eec4777d
ObjectCategory : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/17/2014 7:36:54 AM
WhenCreated : 11/14/2013 5:37:41 PM
WhenChangedUTC : 9/17/2014 6:36:54 AM
WhenCreatedUTC : 11/14/2013 5:37:41 PM
OrganizationId :
OriginatingServer : SERVER.mp.local
IsValid : True
RunspaceId : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism : Tls
Banner :
BinaryMimeEnabled : True
Bindings : {192.168.5.2:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : remote.domain.co.uk
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:01:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.6.0-255.255.255.255, 192.168.5.1-192.168.5.1, 0.0.0.0-192.168.4.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : SERVER
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Windows SBS Internet Receive SERVER
DistinguishedName : CN=Windows SBS Internet Receive SERVER,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mp,DC=local
Identity : SERVER\Windows SBS Internet Receive SERVER
Guid : fcb5643d-5ed7-48d9-916e-0bc42c844440
ObjectCategory : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/17/2014 7:36:59 AM
WhenCreated : 9/17/2014 7:36:57 AM
WhenChangedUTC : 9/17/2014 6:36:59 AM
WhenCreatedUTC : 9/17/2014 6:36:57 AM
OrganizationId :
OriginatingServer : SERVER.mp.local
IsValid : True
RunspaceId : 622afc32-573b-48f3-a5e3-af3b88f29375
AuthMechanism : BasicAuth
Banner :
BinaryMimeEnabled : True
Bindings : {127.0.0.1:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : SERVER.mp.local
Comment :
Enabled : True
ConnectionTimeout : 06:00:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {127.0.0.1-127.0.0.1}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : SERVER
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Windows SBS Fax Sharepoint Receive SERVER
DistinguishedName : CN=Windows SBS Fax Sharepoint Receive SERVER,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mp,DC=local
Identity : SERVER\Windows SBS Fax Sharepoint Receive SERVER
Guid : fc8f1282-5aba-4091-8f9d-d8aecd699207
ObjectCategory : mp.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/17/2014 7:37:02 AM
WhenCreated : 9/17/2014 7:37:02 AM
WhenChangedUTC : 9/17/2014 6:37:02 AM
WhenCreatedUTC : 9/17/2014 6:37:02 AM
OrganizationId :
OriginatingServer : SERVER.mp.local
IsValid : True
Ryan
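Added example, not part of the original thread: a narrower view of the connector output posted above for the Exchange Management Shell, plus SMTP protocol logging (set to None on every connector in that output) so the connecting source addresses can be counted. It assumes a single transport server, as on SBS 2011, and the standard receive-log field order given in each log file's #Fields header.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 on SBS 2011).
# 1. Show only the fields that decide who may submit mail to each connector.
Get-ReceiveConnector |
    Select-Object Name, Enabled, Bindings, RemoteIPRanges, PermissionGroups,
                  AuthMechanism, ProtocolLoggingLevel |
    Format-List

# 2. Connectors that are enabled and accept unauthenticated (anonymous) SMTP.
$anonymous = Get-ReceiveConnector | Where-Object {
    $_.Enabled -and ($_.PermissionGroups -match 'AnonymousUsers')
}
$anonymous | Format-Table Name, Bindings, RemoteIPRanges -AutoSize -Wrap

# 3. With ProtocolLoggingLevel at None there is no record of SMTP sessions.
#    Turn verbose logging on for the anonymous connectors only.
$anonymous | ForEach-Object {
    Set-ReceiveConnector -Identity $_.Identity -ProtocolLoggingLevel Verbose
}

# 4. After some mail has arrived, count new sessions per source address.
#    Assumption: one transport server, so this returns a single path.
$logPath = (Get-TransportServer).ReceiveProtocolLogPath
$fields  = 'date-time','connector-id','session-id','sequence-number',
           'local-endpoint','remote-endpoint','event','data','context'

Get-ChildItem (Join-Path $logPath 'RECV*.LOG') |
    Get-Content |
    Where-Object { $_ -notmatch '^#' } |            # skip the header lines
    ConvertFrom-Csv -Header $fields |
    Where-Object { $_.event -eq '+' } |             # '+' marks a new connection
    Group-Object { $_.'remote-endpoint' -replace ':\d+$', '' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The grouped result shows whether sessions arrive from the server's own addresses or from external ones, and the connector-id column in the same logs shows which connector accepted them.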
ASKER
Yes I have tested the port and it is closed on the router.
I will make the change at the weekend and report back.
Thanks again for all your help
R
ASKER
Ok just an update.
We pointed all the mail through a feature called spam experts managed by the hosting company. They filter the emails and forward into our server.
This solution has stopped all the spam.
Thanks for comments.
one user or all users?