Exchange 2013 relay - SPAM

ishamsi asked:

Hi,

I hope someone can help me to lock down my Exchange 2013 server. At the moment, it is being hit with a lot of spam and I need to get it stopped quickly. I need the server to be able to send out to any domain (ideally; I can potentially set it to a large list and add to it when needed) but I need it to only accept email from a few specific domains. Right now it's accepting email from almost any domain. How can I lock this down?

Thanks.
Alan Hardisty:
Please check on http://www.mailradar.com/openrelay/ to see if you are an open relay.

If you are - how many Receive Connectors do you have configured?

If more than one, disable all but one and restart the Transport Service, then test again.

If the relay is closed - disable the active one and enable a disabled one, restart the transport service and test again (repeating until you find the Receive connector that has the issue).

Once you know the relevant Receive Connector - disable it and then if it is needed, note down the settings, delete it and create a new one with the same settings and then enable it, restart the transport service and test again.

Alan
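The connector-by-connector procedure above can be made much quicker by first listing what each receive connector on the server permits. The following script is an added example, not code from the thread or from any of the participants: it enumerates the receive connectors on one Exchange 2013 server and flags those that grant anonymous SMTP sessions the extended right that allows relaying to any recipient, which is the setting an open-relay test such as MailRadar's would trip over. It assumes the Exchange Management Shell is loaded; the server name is a placeholder. Note that the "250 Sender OK" reply to MAIL FROM is normal SMTP behaviour: the relay decision is made at RCPT TO, so the "550 5.7.1 Unable to relay" in the transcript is the result that matters.

```powershell
# Added example, not from the thread. Audits the receive connectors on one Exchange 2013 server
# and flags those that let anonymous (unauthenticated) SMTP sessions relay to any recipient.
# Assumes the Exchange Management Shell is loaded; the server name is a placeholder.
$Server     = "MBX01"                                # placeholder server name
$RelayRight = "ms-Exch-SMTP-Accept-Any-Recipient"    # extended right that permits anonymous relay

$report = Get-ReceiveConnector -Server $Server | ForEach-Object {
    $connector = $_

    # Anonymous relay is granted as an Active Directory extended right on the connector object,
    # so query the permissions held by ANONYMOUS LOGON on each connector.
    $anonRelay = $connector |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -like $RelayRight }

    [PSCustomObject]@{
        Name             = $connector.Name
        Enabled          = $connector.Enabled
        Role             = $connector.TransportRole
        Bindings         = ($connector.Bindings -join ", ")
        RemoteIPRanges   = ($connector.RemoteIPRanges -join ", ")
        PermissionGroups = $connector.PermissionGroups
        AnonymousRelay   = [bool]$anonRelay          # $true = this connector can relay for anyone
    }
}

# Connectors that allow anonymous relay sort to the top; a RemoteIPRanges value covering the
# whole Internet on such a connector is an open relay.
$report | Sort-Object AnonymousRelay -Descending | Format-Table -AutoSize

# The disable-and-retest loop described above, as cmdlets. Exchange 2013 runs two transport
# services, so restart both before re-running the external relay test. Connector name is a placeholder.
# Set-ReceiveConnector -Identity "$Server\Relay Connector Name" -Enabled $false
# Restart-Service MSExchangeFrontEndTransport
# Restart-Service MSExchangeTransport
```

Run the report once before changing anything and keep the output: it records each connector's bindings, permitted remote ranges and permission groups, which is exactly the information needed to recreate a connector with the same settings if it has to be deleted and rebuilt.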
ishamsi (asker):
Hi Alan,

Thanks for the quick response. The tests pass but the problem I have is that, when the sender shows as antispam@mailradar.com, it says "Sender ok". This is what I want to avoid. The output is:

[Method 0 @ 1413538136]
<<< 220 server.domain.net Microsoft ESMTP MAIL Service ready at Fri, 17 Oct 2014 10:31:40 +0100
>>> HELO mailradar.com
<<< 250 server.domain.net Hello [193.230.245.6]
>>> MAIL FROM: <antispam@mailradar.com>
<<< 250 2.1.0 Sender OK
>>> RCPT TO: <relaytest@mailradar.com>
<<< 550 5.7.1 Unable to relay
>>> QUIT
<<< 221 2.0.0 Service closing transmission channel

For some reason I have 6 receive connectors but, like you say, I don't think they are all needed. I'll try your method of disabling each one and see how it goes.

Thanks again.
Why do you want to restrict the possible senders to a handful of domains (out of curiosity)?

You can easily achieve this with something like Vamsoft ORF Fusion (Anti-Spam software) www.vamsoft.com - just set up the software Sender Blacklist to blacklist ALL Addresses Except the list below and configure the list below with the relevant domains (*@domain.com) and then you have your restrictions in place happily.

Alan
Please create a transport rule to receive mails from specific domain only
ishamsi (asker):
Ok, so the receive connector test was interesting. After enabling each one in turn I did a telnet test. On most of them, I couldn't even telnet at all. With one of them, it would accept any address as the sender address but when I tried to submit I got "451 4.7.0 Temporary server error." On one of the other ones I got 421 4.3.2 - Service not available. So it seems like a combination of receive connectors allow the mail through. Right now I have 22,387 mails in the submission queue and it's constantly growing so I need a solution quick!

The transport rule may do the job but I've had a look. If I try to create a rule under "Restrict messages by sender or recipient..." I can create the rule and apply only if the sender address includes certain words but then, under "Do the following..." there is no option to just say "Allow the mail".

Any other ideas?

Thanks.
ishamsi (asker):
Oh, and I want to restrict the domains the mail comes from as they should only come from a few specific domains and I thought this was the best way to stop the spam hitting the server. Open to better suggestions however...
Where are the 22,387 emails coming from?

Install Vamsoft ORF as a trial (42 days I think) and see if it handles the deluge so that you can have time to figure out what's going on without drowning.  You can always remove it later, or pay for it if you like it :)

Alan
ishamsi (asker):
They're just general spam. Stuff like "aostd@yahoo.com.tw" with gibberish titles. I've played around with the receive connectors and have managed to disable three of them while keeping the relay working, but you can still relay with anything in the sender address. Could it be that the config of my receive connectors is incorrect?

Alan, if I don't get anywhere soon, I'm going to try that software. I just don't think I'd get the go-ahead to spend the necessary money on it so am going to try myself for a bit longer.

Can you think of another way to stop this spam hitting the server?
Alan Hardisty (asker-certified solution; body not shown on this page)
ishamsi (asker):
Great, thanks for that explanation Alan. The recipients are not genuine users but the mails are going to the submission queue anyway and the server is delivering them. Do you know how I can stop that? Would the link you've given me help with that?
ishamsi (asker):
The problem is that one of the main purposes of this relay is to send out email from our SAP system so most of the recipients are external and do not exist within our organisation (customers/suppliers etc..).
You have a relay connector enabled on your server?
If so, it sounds like you may not have it locked down enough. Check the connector configuration and ensure that it accepts connections from the SAP system's IP address only.
DO NOT set it to the entire subnet.

Recipient filtering should be enabled, but if you are an open relay then that isn't going to help much.

Simon.
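Simon's two points, restricting the relay connector to the application hosts' own addresses and checking recipient filtering, can be expressed as a short script. The following is an added example, not code from Simon or from the thread: it replaces the relay connector's RemoteIPRanges with a list of individual host addresses rather than a subnet, shows the resulting configuration, and reports the recipient filter state. The connector identity and all addresses are placeholders, and it assumes the Exchange Management Shell is loaded.

```powershell
# Added example, not from the thread. Locks an anonymous relay connector down to the
# individual addresses of the hosts allowed to relay through it. Connector identity and
# addresses are placeholders; assumes the Exchange Management Shell is loaded.
$Connector    = "MBX01\Application Relay"     # placeholder: SERVER\ConnectorName
$AllowedHosts = @(
    "10.0.0.25",   # SAP application server (placeholder)
    "10.0.0.26",   # helpdesk/ticketing host (placeholder)
    "10.0.0.27"    # monitoring host (placeholder)
)

# Replace whatever RemoteIPRanges held (often a whole subnet, or 0.0.0.0-255.255.255.255)
# with only the listed hosts. Connections from any other address are refused by this
# connector, so a spam source on the Internet never reaches its relay permission.
Set-ReceiveConnector -Identity $Connector -RemoteIPRanges $AllowedHosts

# Confirm the change; a connector that still lists a /24 or the whole Internet here is the
# "entire subnet" configuration Simon warns against.
Get-ReceiveConnector -Identity $Connector |
    Format-List Name, Enabled, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# Adding a host later without retyping the list (multivalued-property syntax):
# Set-ReceiveConnector -Identity $Connector -RemoteIPRanges @{Add = "10.0.0.28"}

# Recipient filtering rejects mail for recipients Exchange knows do not exist. It only helps
# where the recipients are on-premises objects; for a relay whose recipients are all external
# it cannot decide, which is the limitation discussed later in this thread.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
```

Because several application hosts send through this server, keep the list as explicit addresses and extend it as hosts are added; the connector refuses everything else at connection time, before MAIL FROM or RCPT TO are ever evaluated, which is why this addresses the queue growth more directly than a sender-domain check would.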
Relaying is fine - but it sounds like you need to set up Recipient filtering to reject emails destined to invalid mailboxes.

Let me find you a link (currently a passenger in a car!)
ishamsi (asker):
Thanks again Alan. I've been having a look at that but haven't yet implemented anything. I'm not sure if it makes any difference or not but, just to explain the scenario; this server is exclusively used for relaying mail from applications and services. All our mailboxes live on Office 365.

What I really want to do is say to the Exchange server "unless the sender address is in one of these 5 or 6 domains, bounce the message". Is that not at all possible? The thing is, using recipient filtering could be tough. There will be 100s (probably 1000s) of legitimate external recipients so if possible, it would be much better for me to filter on the sender address rather than the recipient address. Can that be done?

Cheers.
ishamsi (asker):
Also, Simon, unfortunately it's not just SAP. There are quite a few IP addresses that mail destined for this server could come from.

Now, when I'm trying telnet tests I'm getting 452 4.3.1 Insufficient system resources. Presumably because the server is starting to creak with the amount of traffic. So, I may well have to install the trial of the software you mentioned Alan, just to give me some breathing space.

Ultimately though, if I can filter email on the domain of the sender, I think I'd be sorted.
I don't know of a way to do that with Exchange, but I know Vamsoft and probably other Anti-Spam software could do that easily.
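The sender-domain restriction the asker describes ("unless the sender address is in one of these 5 or 6 domains, bounce the message"), and the transport-rule suggestion made earlier in the thread, can be combined: a transport rule has no "allow" action, but a rule that applies to all messages and rejects them, with the permitted sender domains listed as an exception, has the same effect. The following is an added example, not code from the thread or from any participant; the domain names are placeholders and it assumes the Exchange Management Shell is loaded. Exchange's built-in Sender Filter agent is a blocklist only, which is why a transport rule exception is used here.

```powershell
# Added example, not from the thread. Rejects every message whose sender domain is not on an
# allow-list, implemented as a transport rule with no condition (applies to all messages) and
# the permitted domains as the exception. Domain names are placeholders; assumes the
# Exchange Management Shell is loaded.
$AllowedSenderDomains = @("example.com", "mail.example.com", "partner.example")   # placeholders

New-TransportRule -Name "Reject senders outside allowed domains" `
    -Comments "Relay server accepts application mail from a fixed set of sender domains only" `
    -ExceptIfSenderDomainIs $AllowedSenderDomains `
    -RejectMessageReasonText "Sender domain is not permitted on this relay" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit    # start in Audit so the rule logs matches without rejecting anything

# Review what the rule would have rejected (message tracking) before enforcing it, then:
# Set-TransportRule -Identity "Reject senders outside allowed domains" -Mode Enforce

# Confirm the rule and its exception list.
Get-TransportRule -Identity "Reject senders outside allowed domains" |
    Format-List Name, State, Mode, ExceptIfSenderDomainIs, RejectMessageReasonText
```

Two caveats a defender should weigh before relying on this. First, a transport rule runs after the message has been accepted, so "reject" here means an NDR back to the sender address; with forged spam senders that is backscatter, and `-DeleteMessage $true` in place of the reject action drops the message silently instead. Second, the rule matches on the sender domain the message claims, and a sender can put any domain in that field, so this is a filter for stray traffic rather than a substitute for restricting the connector's RemoteIPRanges to the real application hosts.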
SOLUTION (body not shown on this page)
ishamsi (asker):
Bingo! That sounds like my solution. Just hope I catch the firewall guy in time. I owe you 500 pints, never mind 500 points. ;) Will close off the ticket once this is implemented but, like you say, it's got to work!

Cheers.
SOLUTION (body not shown on this page)
All part of the service ;)

Not sure how long it would take me to drink 500 pints, but happy to make a start :D

Alan
ishamsi (asker):
Hi gents,

Sorry I hadn't replied to this earlier. So, in an interesting turn of events, the spam stopped before I spoke to the firewall guy. I did try your suggestion, 1stITMAN (which to be fair, Alan had suggested earlier) and it stopped not long after that, though I'm not sure if that's perhaps a red herring as once the queue died down, I disabled the anti-spam agents and still, since Friday, no more has come through. I have contacted the firewall guy to get the allowed IP range locked down anyway so hopefully this will go away. Will dish out the points now. Thanks all.