Solved

Exchange 2013 relay - SPAM

Posted on 2014-10-17
359 Views
Last Modified: 2014-10-23
Hi,

I hope someone can help me to lock down my Exchange 2013 server. At the moment, it is being hit with a lot of spam and I need to get it stopped quickly. I need the server to be able to send out to any domain (ideally; I can potentially set it to a large list and add to it when needed) but I need it to only accept email from a few specific domains. Right now it's accepting email from almost any domain. How can I lock this down?

Thanks.
Question by:ishamsi
22 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386265
Please check on http://www.mailradar.com/openrelay/ to see if you are an open relay.

If you are - how many Receive Connectors do you have configured?

If more than one, disable all but one, restart the Transport Service, then test again.

If the relay is closed - disable the active one and enable a disabled one, restart the transport service and test again (repeating until you find the Receive connector that has the issue).

Once you know the relevant Receive Connector - disable it and then if it is needed, note down the settings, delete it and create a new one with the same settings and then enable it, restart the transport service and test again.

Alan
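The connector-by-connector elimination described above can be shortened from the Exchange Management Shell by asking each receive connector directly whether it grants anonymous relay. This is an added example, not code from the thread; the connector name in the commented-out Set-ReceiveConnector line is a placeholder.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2013 server. Lists every receive connector and flags the ones that let
# unauthenticated senders relay to any recipient, which is what turns a connector
# into an open relay when its RemoteIPRanges are wider than intended.

# 1. Overview: what listens where, from whom, and with which permission groups.
Get-ReceiveConnector | Sort-Object TransportRole, Name |
    Format-Table Name, Enabled, TransportRole, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism -AutoSize

# 2. The relay right itself. "AnonymousUsers" in PermissionGroups only lets a host
#    submit mail for local recipients; relaying to other domains needs the extended
#    right ms-Exch-SMTP-Accept-Any-Recipient granted to NT AUTHORITY\ANONYMOUS LOGON.
$anonRelay = Get-ReceiveConnector | Get-ADPermission |
    Where-Object {
        -not $_.Deny -and
        $_.User -like '*ANONYMOUS LOGON*' -and
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
    }
$anonRelay | Format-Table Identity, User, ExtendedRights -AutoSize

# 3. "Externally Secured" connectors relay too: that auth mechanism grants the same
#    right implicitly to every address in RemoteIPRanges, with no ACE to find.
Get-ReceiveConnector | Where-Object { $_.AuthMechanism -match 'ExternallySecured' } |
    Format-Table Name, RemoteIPRanges -AutoSize

# 4. To isolate a connector as suggested above, disable it and re-test from an
#    outside address. Exchange 2013 has two transport services on a multi-role
#    server; restart both so the change takes effect immediately.
#    (Placeholder identity.)
# Set-ReceiveConnector -Identity 'SERVER\Relay Connector' -Enabled $false
# Restart-Service MSExchangeFrontEndTransport, MSExchangeTransport
```

Anything that appears in step 2 or step 3 with a RemoteIPRanges value such as 0.0.0.0-255.255.255.255 or a whole subnet is the connector to look at first.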

Author Comment

by:ishamsi
ID: 40386271
Hi Alan,

Thanks for the quick response. The tests pass but the problem I have is that, when the sender shows as antispam@mailradar.com, it says "Sender ok". This is what I want to avoid. The output is:

[Method 0 @ 1413538136]
<<< 220 server.domain.net Microsoft ESMTP MAIL Service ready at Fri, 17 Oct 2014 10:31:40 +0100
>>> HELO mailradar.com
<<< 250 server.domain.net Hello [193.230.245.6]
>>> MAIL FROM: <antispam@mailradar.com>
<<< 250 2.1.0 Sender OK
>>> RCPT TO: <relaytest@mailradar.com>
<<< 550 5.7.1 Unable to relay
>>> QUIT
<<< 221 2.0.0 Service closing transmission channel


For some reason I have 6 receive connectors but, like you say, I don't think they are all needed. I'll try your method of disabling each one and see how it goes.

Thanks again.
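The dialogue above shows where the relay decision actually happens: "250 2.1.0 Sender OK" on MAIL FROM is normal and means nothing about relaying, because Exchange decides at RCPT TO, and "550 5.7.1 Unable to relay" there is a closed relay for that source address. The following is an added example, not from the thread, that scripts the same probe so it can be repeated against each connector binding from a host that is not in any connector's RemoteIPRanges. The server name and addresses are placeholders.

```powershell
# Added example, not from the thread: scripted version of the relay probe above.
# Run it from a host that is NOT listed in any connector's RemoteIPRanges. A 250
# reply to RCPT TO for a domain the server is not authoritative for means the
# connector that answered relays anonymously. Server name and addresses are placeholders.
function Test-SmtpRelay {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port     = 25,
        [string] $HeloName = 'relaytest.example',
        [string] $MailFrom = 'probe@example.net',
        [string] $RcptTo   = 'relaytest@example.org'   # foreign domain: a real relay test
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 15000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Multi-line replies use "250-..." continuation lines; the final line is "250 ...".
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            Write-Verbose "<<< $line"
        } while ($line -match '^\d{3}-')
        return $line
    }
    function Send-Cmd([string] $Command) {
        Write-Verbose ">>> $Command"
        $writer.WriteLine($Command)
        return Read-Reply
    }

    $result = [ordered]@{ Server = $Server; Port = $Port }
    try {
        $result.Banner   = Read-Reply
        $result.Helo     = Send-Cmd "HELO $HeloName"
        # "250 2.1.0 Sender OK" here is expected: Exchange does not decide relay on MAIL FROM.
        $result.MailFrom = Send-Cmd "MAIL FROM:<$MailFrom>"
        # The relay decision is made here: 550 5.7.1 "Unable to relay" = closed, 250 = open.
        $result.RcptTo    = Send-Cmd "RCPT TO:<$RcptTo>"
        $result.OpenRelay = [bool]($result.RcptTo -match '^250')
        [void](Send-Cmd 'QUIT')
    }
    finally {
        $reader.Dispose(); $writer.Dispose(); $client.Close()
    }
    [pscustomobject]$result
}

# Usage (placeholder host): probe the server and show the full dialogue.
Test-SmtpRelay -Server 'server.domain.net' -Verbose | Format-List
```

Because Exchange chooses the receive connector by the most specific RemoteIPRanges match for the client address, the result depends on where the probe is run from: test from an address outside every connector's range, and again from the application servers that are supposed to be allowed.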
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386282
Why do you want to restrict the possible senders to a handful of domains (out of curiosity)?

You can easily achieve this with something like Vamsoft ORF Fusion (Anti-Spam software) www.vamsoft.com - just set up the software Sender Blacklist to blacklist ALL Addresses Except the list below and configure the list below with the relevant domains (*@domain.com) and then you have your restrictions in place happily.

Alan
LVL 9

Expert Comment

by:ash007
ID: 40386285
Please create a transport rule to receive mails from specific domain only

Author Comment

by:ishamsi
ID: 40386318
Ok, so the receive connector test was interesting. After enabling each one, I did a telnet test. On most of them, I couldn't even telnet at all. With one of them, it would accept any address as the sender address but when I tried to submit I got "451 4.7.0 Temporary server error." On one of the other ones I got 421 4.3.2 - Service not available. So it seems like a combination of receive connectors allow the mail through. Right now I have 22,387 mails in the submission queue and it's constantly growing so I need a solution quick!

The transport rule may do the job but I've had a look. If I try to create a rule under "Restrict messages by sender or recipient..." I can create the rule and apply only if the sender address includes certain words but then, under "Do the following.." there is no option to just say "Allow the mail".

Any other ideas?

Thanks.

Author Comment

by:ishamsi
ID: 40386321
Oh, and I want to restrict the domains the mail comes from as they should only come from a few specific domains and I thought this was the best way to stop the spam hitting the server. Open to better suggestions however...
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386324
Where are the 22,387 emails coming from?

Install VAmsoft ORF as a trial (42 days I think) and see if it handles the deluge so that you can have time to figure out what's going on without drowning.  You can always remove it later, or pay for it if you like it :)

Alan

Author Comment

by:ishamsi
ID: 40386378
They're just general spam. Stuff like "aostd@yahoo.com.tw" with gibberish titles. I've played around with the receive connectors and have managed to disable three of them while keeping the relay working, but you can still relay with anything in the sender address. Could it be that the config of my receive connectors is incorrect?

Alan, if I don't get anywhere soon, I'm going to try that software. I just don't think I'd get the go-ahead to spend the necessary money on it so am going to try myself for a bit longer.

Can you think of another way to stop this spam hitting the server?
LVL 76

Accepted Solution

by:
Alan Hardisty earned 400 total points
ID: 40386420
You can't stop spam hitting the server - it's what your server does with it that determines if it becomes a problem.

Anyone should be able to send mail to your server, but if your server accepts the email and then rejects it, it has to send back an NDR email.

If the recipient isn't valid and the server rejects the email before accepting it, then no NDR is sent from your server.

Who is the spam destined for?  Genuine users or invalid users?

If it is to genuine users, then you need to configure some form of anti-spam, which can be the Exchange Anti-Spam tools which aren't installed by default.  To install them, please visit this link:

http://technet.microsoft.com/en-gb/library/bb201691(v=exchg.150).aspx

Alan
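The accept-then-bounce versus reject-in-session distinction above is what decides whether a relay server becomes a backscatter source. As an added example, not from the thread and not from the linked TechNet page, the following installs the anti-spam agents, enables recipient validation, and clears the queued junk without generating NDRs. The internal addresses and the sender pattern are placeholders.

```powershell
# Added example, not from the thread: install the Exchange 2013 anti-spam agents
# (absent by default on the Mailbox role), declare the internal submitting hosts,
# enable recipient validation, and drain the spam already queued without NDRs.
# Addresses and the sender pattern are placeholders.

# 1. Install the agents and restart the transport service that hosts them.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# 2. Internal relays/app servers must be listed, or connection filtering and Sender ID
#    will treat their submissions as the external hop. (Placeholder addresses.)
Set-TransportConfig -InternalSMTPServers @{Add='10.10.1.25','10.10.1.26'}

# 3. Reject mail for non-existent recipients in AUTHORITATIVE accepted domains during
#    the SMTP session, so nothing is taken on and no NDR is generated. Relayed mail
#    to external domains is not affected. Caveat from Microsoft's 2013 anti-spam
#    documentation: on a Mailbox server the Front End Transport service has already
#    accepted the message by the time this agent runs, so a message with one bad
#    recipient is rejected for all of its recipients; the Edge role is the intended home.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-AcceptedDomain        | Format-Table Name, DomainName, DomainType -AutoSize
Get-TransportAgent        | Format-Table Identity, Enabled, Priority -AutoSize

# 4. See what is queued and which sender domains dominate it.
Get-Queue | Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
Get-Message -ResultSize Unlimited |
    Group-Object { ($_.FromAddress -split '@')[-1] } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# 5. Delete the junk WITHOUT NDRs: the envelope senders are forged, so bouncing
#    22,000 messages would spray them at innocent third parties. (Placeholder pattern.)
Remove-Message -Filter { FromAddress -like '*@yahoo.com.tw' } -WithNDR $false -Confirm:$false
```

Step 5 is the one to get right under pressure: Remove-Message defaults to sending an NDR, and on a relay that has been abused the sender addresses are exactly the ones that should not receive one.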

Author Comment

by:ishamsi
ID: 40386429
Great, thanks for that explanation Alan. The recipients are not genuine users but the mails are going to the submission queue anyway and the server is delivering them. Do you know how I can stop that? Would the link you've given me help with that?

Author Comment

by:ishamsi
ID: 40386430
The problem is that one of the main purposes of this relay is to send out email from our SAP system so most of the recipients are external and do not exist within our organisation (customers/suppliers etc..).
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40386443
You have a relay connector enabled on your server?
If so, it sounds like you may not have it locked down enough. Check the connector configuration and ensure that it accepts connections from the SAP system's IP address only.
DO NOT set it to the entire subnet.

Recipient filtering should be enabled, but if you are an open relay then that isn't going to help much.

Simon.
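Restricting the relay connector to the individual application hosts, as Simon describes, looks like this in the Exchange Management Shell. This is an added example, not from the thread; the connector identity and the addresses are placeholders.

```powershell
# Added example, not from the thread: narrow an anonymous relay connector to the
# specific hosts that need it (single addresses, not the subnet) and check that no
# other enabled connector still covers the whole network. Identity and addresses
# are placeholders.
$connector = 'SERVER\Relay from Apps'

# Before: a /24 or 0.0.0.0-255.255.255.255 here means every host in that range can relay.
Get-ReceiveConnector $connector | Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# After: only the SAP host and the other known application servers.
$allowedHosts = @(
    '10.10.1.25',   # SAP application server (placeholder)
    '10.10.1.26',   # second application server (placeholder)
    '10.10.2.40'    # monitoring/ticketing system (placeholder)
)
Set-ReceiveConnector $connector -RemoteIPRanges $allowedHosts

# Adding or removing a single host later, without retyping the whole list:
Set-ReceiveConnector $connector -RemoteIPRanges @{Add='10.10.1.27'}
Set-ReceiveConnector $connector -RemoteIPRanges @{Remove='10.10.2.40'}

# Exchange answers a client with the connector whose RemoteIPRanges is the most
# specific match for its address. A leftover connector with a wide range on the same
# binding therefore still serves every host NOT in the list above, so check them all.
Get-ReceiveConnector | Where-Object { $_.Enabled } |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize

# Restart both 2013 transport services so the new ranges apply immediately.
Restart-Service MSExchangeFrontEndTransport, MSExchangeTransport
```

With six connectors in play, the last listing is the important one: the relay is only closed once every connector that still grants anonymous relay has a RemoteIPRanges value made up of the known hosts and nothing else.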
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386446
Relaying is fine - but it sounds like you need to setup Recipient filtering to reject emails destined to invalid mailboxes.

Let me find you a link (currently a passenger in a car!)
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386449

Author Comment

by:ishamsi
ID: 40386808
Thanks again Alan. I've been having a look at that but haven't yet implemented anything. I'm not sure if it makes any difference or not but, just to explain the scenario; this server is exclusively used for relaying mail from applications and services. All our mailboxes live on Office 365.

What I really want to do is say to the Exchange server "unless the sender address is in one of these 5 or 6 domains, bounce the message". Is that not at all possible? The thing is, using recipient filtering could be tough. There will be 100s (probably 1000s) of legitimate external recipients so if possible, it would be much better for me to filter on the sender address rather than the recipient address. Can that be done?

Cheers.

Author Comment

by:ishamsi
ID: 40386824
Also, Simon, unfortunately it's not just SAP. There are quite a few IP addresses that mail destined for this server could come from.

Now, when I'm trying telnet tests I'm getting 452 4.3.1 Insufficient system resources. Presumably because the server is starting to creak with the amount of traffic. So, I may well have to install the trial of the software you mentioned Alan, just to give me some breathing space.

Ultimately though, if I can filter email on the domain of the sender, I think I'd be sorted.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386845
I don't know of a way to do that with Exchange, but I know Vamsoft and probably other Anti-Spam software could do that easily.
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 400 total points
ID: 40386855
One way to do that would be to restrict port 25 access on your Firewall to a specific list of IP Addresses which you would have to gather from the domains you want to accept emails from.

All others wouldn't even get close!

Alan
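Alan's suggestion is a change on the perimeter firewall. The same restriction can also be applied on the relay server's own Windows Firewall, which needs no firewall team and holds even if the perimeter rule is later loosened. This is an added example, not from the thread; the addresses are placeholders, and it assumes the Windows Server 2012 NetSecurity cmdlets are available on the Exchange host.

```powershell
# Added example, not from the thread: scope inbound TCP/25 on the relay server's own
# Windows Firewall to the hosts allowed to submit mail. It complements, not replaces,
# the perimeter firewall change suggested above. Addresses are placeholders.
$allowedSenders = @(
    '203.0.113.10',      # partner MTA (placeholder)
    '198.51.100.0/28',   # partner's outbound pool (placeholder)
    '10.10.1.25'         # internal SAP host (placeholder)
)

# 1. Find every enabled inbound Allow rule that already opens TCP/25 (Exchange setup
#    creates its own) and narrow its remote scope. Do NOT add a blanket "block 25"
#    rule: Windows Firewall evaluates Block rules before Allow rules, so it would also
#    cut off the hosts you want. Narrow the Allow rules and let the profile's default
#    inbound action (Block) deal with everyone else.
$smtpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '25'
    }
$smtpRules | Format-Table DisplayName, Profile, Enabled -AutoSize
$smtpRules | Set-NetFirewallRule -RemoteAddress $allowedSenders

# 2. Add an explicit, narrowly scoped rule of our own so the intent is visible later.
New-NetFirewallRule -DisplayName 'SMTP relay: approved senders only' `
    -Direction Inbound -Protocol TCP -LocalPort 25 `
    -RemoteAddress $allowedSenders -Action Allow -Profile Any

# 3. Verify the resolved remote scope of every rule that still opens port 25. Rules
#    whose LocalPort is 'Any' and that are bound to the Exchange transport services
#    will not show up here and need to be reviewed by hand.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '25' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    } | Format-Table -AutoSize

# 4. Confirm the default inbound action is Block on the active profile(s).
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
```

Outbound delivery is unaffected by any of this, since only inbound port 25 is scoped; the list of partner addresses still has to be maintained as they change, which is the trade-off Alan points out.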

Author Comment

by:ishamsi
ID: 40386880
Bingo! That sounds like my solution. Just hope I catch the firewall guy in time. I owe you 500 pints nevermind 500 points. ;) Will close off the ticket once this is implemented but, like you say, it's got to work!

Cheers.
LVL 19

Assisted Solution

by:Zaheer Iqbal
Zaheer Iqbal earned 100 total points
ID: 40386889
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40386983
All part of the service ;)

Not sure how long it would take me to drink 500 pints, but happy to make a start :D

Alan

Author Comment

by:ishamsi
ID: 40398748
Hi gents,

Sorry I hadn't replied to this earlier. So, in an interesting turn of events, the spam stopped before I spoke to the firewall guy. I did try your suggestion, 1stITMAN (which to be fair, Alan had suggested earlier) and it stopped not long after that, though I'm not sure if that's perhaps a red herring as once the queue died down, I disabled the anti-spam agents and still, since Friday, no more has come through. I have contacted the firewall guy to get the allowed IP range locked down anyway so hopefully this will go away. Will dish out the points now. Thanks all.