Exchange 2013 relay - SPAM


I hope someone can help me to lock down my Exchange 2013 server. At the moment, it is being hit with a lot of spam and I need to get it stopped quickly. I need the server to be able to send out to any domain (ideally. I can potentially set it to a large list and add to it when needed) but I need it to only accept email from a few specific domains. Right now it's accepting email from almost any domain. How can I lock this down?

Alan Hardisty (Co-Owner) Commented:
Please check on to see if you are an open relay.

If you are - how many Receive Connectors do you have configured?

If more than one, disable all but one and restart the Transport Service, then test again.

If the relay is closed - disable the active one and enable a disabled one, restart the transport service and test again (repeating until you find the Receive connector that has the issue).

Once you know the relevant Receive Connector - disable it and then if it is needed, note down the settings, delete it and create a new one with the same settings and then enable it, restart the transport service and test again.

ishamsi (Author) Commented:
Hi Alan,

Thanks for the quick response. The tests pass but the problem I have is that, when the sender shows as it says "Sender ok". This is what I want to avoid. The output is:

[Method 0 @ 1413538136]
<<< 220 Microsoft ESMTP MAIL Service ready at Fri, 17 Oct 2014 10:31:40 +0100
>>> HELO
<<< 250 Hello []
>>> MAIL FROM: <>
<<< 250 2.1.0 Sender OK
>>> RCPT TO: <>
<<< 550 5.7.1 Unable to relay
>>> QUIT
<<< 221 2.0.0 Service closing transmission channel

For some reason I have 6 receive connectors but, like you say, I don't think they are all needed. I'll try your method of disabling each one and see how it goes.

Thanks again.

Alan Hardisty (Co-Owner) Commented:
Why do you want to restrict the possible senders to a handful of domains (out of curiosity)?

You can easily achieve this with something like Vamsoft ORF Fusion (Anti-Spam software) - just set up the software Sender Blacklist to blacklist ALL Addresses Except the list below and configure the list below with the relevant domains (* and then you have your restrictions in place happily.

Please create a transport rule to receive mails from specific domain only

ishamsi (Author) Commented:
Ok, so the receive connector test was interesting. After enabling one each I did a telnet test. On most of them, I couldn't even telnet at all. With one of them, it would accept any address as the sender address but when I tried to submit I got "451 4.7.0 Temporary server error." On one of the other ones I got 421 4.3.2 - Service not available. So it seems like a combination of receive connectors allow the mail through. Right now I have 22,387 mails in the submission queue and it's constantly growing so I need a solution quick!

The transport rule may do the job but I've had a look. If I try to create a rule under "Restrict messages by sender or recipient..." I can create the rule and apply only if the sender address includes certain words but then, under "Do the following.." there is no option to just say "Allow the mail".

Any other ideas?

ishamsi (Author) Commented:
Oh, and I want to restrict the domains the mail comes from as they should only come from a few specific domains and I thought this was the best way to stop the spam hitting the server. Open to better suggestions however...

Alan Hardisty (Co-Owner) Commented:
Where are the 22,387 emails coming from?

Install Vamsoft ORF as a trial (42 days I think) and see if it handles the deluge so that you can have time to figure out what's going on without drowning. You can always remove it later, or pay for it if you like it :)

ishamsi (Author) Commented:
They're just general spam. Stuff like "" with gibberish titles. I've played around with the receive connectors and have managed to disable three of them while keeping the relay working, but you can still relay with anything in the sender address. Could it be that the config of my receive connectors is incorrect?

Alan, if I don't get anywhere soon, I'm going to try that software. I just don't think I'd get the go-ahead to spend the necessary money on it so am going to try myself for a bit longer.

Can you think of another way to stop this spam hitting the server?

Alan Hardisty (Co-Owner) Commented:
You can't stop spam hitting the server - it's what your server does with it that determines if it becomes a problem.

Anyone should be able to send mail to your server, but if your server accepts the email and then rejects it, it has to send back an NDR email.

If the server receives the email, but if the recipient isn't valid and the server rejects it before accepting the email, then no NDR is sent from your server.

Who is the spam destined for?  Genuine users or invalid users?

If it is to genuine users, then you need to configure some form of anti-spam, which can be the Exchange Anti-Spam tools which aren't installed by default.  To install them, please visit this link:


ishamsi (Author) Commented:
Great, thanks for that explanation Alan. The recipients are not genuine users but the mails are going to the submission queue anyway and the server is delivering them. Do you know how I can stop that? Would the link you've given me help with that?

ishamsi (Author) Commented:
The problem is that one of the main purposes of this relay is to send out email from our SAP system so most of the recipients are external and do not exist within our organisation (customers/suppliers etc..).

Simon Butler (Sembee) (Consultant) Commented:
You have a relay connector enabled on your server?
If so, it sounds like you may not have it locked down enough. Check the connector configuration and ensure that it accepts connections from the SAP system's IP address only.
DO NOT set it to the entire subnet.

Recipient filtering should be enabled, but if you are an open relay then that isn't going to help much.
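
The connector check suggested in the comment above, as an added example that is not part of the original thread: a read-only Exchange Management Shell audit that flags Receive Connectors which can relay and whose RemoteIPRanges cover more than single hosts. The helper name `Test-SingleHost`, the connector name and the IP address in the final comment are placeholders, not values from this thread.

```powershell
# Run in the Exchange Management Shell on the relay server. Read-only audit.

function Test-SingleHost {
    param([string]$Range)
    # Entries print as "10.1.2.3", "10.1.2.0/24" or "10.1.2.1-10.1.2.50".
    if ($Range -match '/(\d+)$')     { return ('32', '128') -contains $Matches[1] }
    if ($Range -match '^(.+)-(.+)$') { return $Matches[1] -eq $Matches[2] }
    return $true
}

$report = foreach ($rc in Get-ReceiveConnector) {
    # Anonymous sessions may relay when they hold this extended right.
    $anon = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { -not $_.Deny -and
                       $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }

    # Externally secured: sessions from RemoteIPRanges are treated as authenticated.
    $trusted = "$($rc.AuthMechanism)" -match 'ExternalAuthoritative'

    # Ranges that cover more than one host (whole subnets, 0.0.0.0-255.255.255.255).
    $wide = @($rc.RemoteIPRanges | ForEach-Object { "$_" } |
        Where-Object { -not (Test-SingleHost $_) })

    $canRelay = [bool]$anon -or $trusted
    [pscustomobject]@{
        Connector         = "$($rc.Identity)"
        Enabled           = $rc.Enabled
        Bindings          = $rc.Bindings -join ', '
        PermissionGroups  = "$($rc.PermissionGroups)"
        AnonymousRelay    = [bool]$anon
        ExternallySecured = $trusted
        WideRanges        = $wide -join ', '
        Review            = ($canRelay -and $wide.Count -gt 0)
    }
}

# Connectors that can relay AND accept more than single hosts are listed first.
$report | Sort-Object Review -Descending | Format-List

# Narrowing a flagged connector to one application host (placeholder name and
# documentation-range address, not values from the thread):
# Set-ReceiveConnector 'SERVER\App Relay' -RemoteIPRanges 192.0.2.10
```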

Alan Hardisty (Co-Owner) Commented:
Relaying is fine - but it sounds like you need to set up Recipient filtering to reject emails destined to invalid mailboxes.

Let me find you a link (currently a passenger in a car!)

Alan Hardisty (Co-Owner) Commented:

ishamsi (Author) Commented:
Thanks again Alan. I've been having a look at that but haven't yet implemented anything. I'm not sure if it makes any difference or not but, just to explain the scenario; this server is exclusively used for relaying mail from applications and services. All our mailboxes live on Office 365.

What I really want to do is say to the Exchange server "unless the sender address is in one of these 5 or 6 domains, bounce the message". Is that not at all possible? The thing is, using recipient filtering could be tough. There will be 100s (probably 1000s) of legitimate external recipients so if possible, it would be much better for me to filter on the sender address rather than the recipient address. Can that be done?

ishamsi (Author) Commented:
Also, Simon, unfortunately it's not just SAP. There are quite a few IP addresses that mail destined for this server could come from.

Now, when I'm trying telnet tests I'm getting 452 4.3.1 Insufficient system resources. Presumably because the server is starting to creak with the amount of traffic. So, I may well have to install the trial of the software you mentioned Alan, just to give me some breathing space.

Ultimately though, if I can filter email on the domain of the sender, I think I'd be sorted.

Alan Hardisty (Co-Owner) Commented:
I don't know of a way to do that with Exchange, but I know Vamsoft and probably other Anti-Spam software could do that easily.

Alan Hardisty (Co-Owner) Commented:
One way to do that would be to restrict port 25 access on your Firewall to a specific list of IP Addresses which you would have to gather from the domains you want to accept emails from.

All others wouldn't even get close!

ishamsi (Author) Commented:
Bingo! That sounds like my solution. Just hope I catch the firewall guy in time. I owe you 500 pints never mind 500 points. ;) Will close off the ticket once this is implemented but, like you say, it's got to work!

Zaheer Iqbal (Technical Assurance & Implementation) Commented:

Alan Hardisty (Co-Owner) Commented:
All part of the service ;)

Not sure how long it would take me to drink 500 pints, but happy to make a start :D

ishamsi (Author) Commented:
Hi gents,

Sorry I hadn't replied to this earlier. So, in an interesting turn of events, the spam stopped before I spoke to the firewall guy. I did try your suggestion, 1stITMAN (which to be fair, Alan had suggested earlier) and it stopped not long after that though I'm not sure if that's perhaps a red herring as once the queue died down, I disabled the anti-spam agents and still, since Friday, no more has come through. I have contacted the firewall guy to get the allowed IP range locked down anyway so hopefully this will go away. Will dish out the points now. Thanks all.