  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 673

Exchange 2010 Queue full of emails with my domain and they are not valid emails Spoofed?

Just installed Exchange 2010 Enterprise 64 bit

All of a sudden we are getting an extreme number of spam messages, and my queue is full of email addresses with my domain name, mydomain.com.

I ran this

Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights


Which receive connectors require anonymous permissions? Is that a problem?
Asked by: Thomas Grassi
5 Solutions
 
suriyaehnop Commented:
Is the spam mail coming from the internet or internally?
If you look at the spam's internet headers you can identify the sender's IP address.

By default Exchange 2010 has 2 Receive Connectors: Client <ServerName> and Default <ServerName>.
You can create another Receive Connector and enable anonymous on it, or you can enable it on Default <ServerName>.
0
 
VB ITS Commented:
Is there a particular reason as to why you even created the anonymous relay in the first place? Exchange 2010 doesn't come with any anonymous receive connectors by default.

When you ran the above command, did it actually give you any results? If so, you need to look at restricting the use of the anonymous receive connector to only the IP addresses which need to use it, be it servers that host internal applications, etc.

To do this:
- Open the Exchange Management Console
- Expand Server Configuration, then click on Hub Transport
- Click on your CAS server with the anonymous receive connector in the top pane (if you have more than one)
- Right-click the anonymous receive connector in the bottom pane, then click on Properties
- Click on the Network tab
- In the "Receive mail from remote servers that have these IP addresses" section at the bottom, make sure that only the IP addresses that actually need anonymous access to submit mail through this connector are in the list
- Click OK when done

If you don't see a reason for the anonymous receive connector then I'd say to remove the anonymous access from it and see if anything breaks.

You may also want to do a lookup using your public IP address on the MX Toolbox website, as you will most likely be listed on several blacklists due to your server being an open relay: http://mxtoolbox.com/blacklists.aspx
1
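A shell-side version of the audit and lock-down described in the answer above, added here as an example (it is not code from either poster): it reports, for every receive connector, whether ANONYMOUS LOGON holds Ms-Exch-SMTP-Accept-Any-Recipient and whether the remote IP range is wide open, then shows the Set-ReceiveConnector call that restricts a relay connector to named hosts. The connector name and the IP addresses in the last command are placeholders.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
# A connector is an open relay only when BOTH conditions hold:
#   1. ANONYMOUS LOGON has the Ms-Exch-SMTP-Accept-Any-Recipient right, and
#   2. the connector accepts anonymous connections from an unrestricted
#      remote IP range (0.0.0.0-255.255.255.255).
function Get-AnonymousRelayExposure {
    foreach ($rc in Get-ReceiveConnector) {
        # Same test as the poster's one-liner, but evaluated per connector
        # and ignoring Deny ACEs.
        $relayAce = $rc | Get-ADPermission |
            Where-Object {
                $_.User -like '*ANONYMOUS LOGON*' -and
                -not $_.Deny -and
                ($_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*')
            }

        # Is the remote IP range effectively "everyone"?
        $wideOpen = $rc.RemoteIPRanges |
            Where-Object { $_.ToString() -eq '0.0.0.0-255.255.255.255' }

        [PSCustomObject]@{
            Connector        = $rc.Identity.ToString()
            Enabled          = $rc.Enabled
            Bindings         = ($rc.Bindings -join ', ')
            AnonymousAllowed = [bool]("$($rc.PermissionGroups)" -like '*Anonymous*')
            AnonymousRelay   = [bool]$relayAce
            WideOpenRange    = [bool]$wideOpen
            OpenRelay        = [bool]$relayAce -and [bool]$wideOpen -and $rc.Enabled
        }
    }
}

Get-AnonymousRelayExposure | Format-Table -AutoSize

# Lock a relay connector down to the hosts that actually need to relay
# (placeholder connector name and IPs; substitute your script/WSUS/SQL hosts).
Set-ReceiveConnector -Identity 'SERVER\Relay Connector' `
    -RemoteIPRanges '10.0.0.17','10.0.0.18','10.0.0.19','10.0.0.20'
```

Any row with OpenRelay = True is the connector to fix first; AnonymousRelay = True with a tight RemoteIPRanges is the intended configuration for an internal application relay.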
 
Thomas Grassi (Systems Administrator, Author) Commented:
All the spam mail is from the internet

I have 5 connectors

[PS] C:\Windows\system32>get-receiveconnector

Identity                                Bindings                                Enabled
--------                                --------                                -------
TGCS025\Default TGCS025                 {[::]:25, 0.0.0.0:25}                   True       exchange users
TGCS025\Client TGCS025                  {[::]:587, 0.0.0.0:587}                 True     anonymous exchange users exchange server legacy exchange serverss
TGCS025\TGCSNET Connector               {10.2.8.36:25}                          True    exchange servers
TGCS025\TGCSNET Port 1025               {10.2.8.37:1025}                        True    exchange users exchange servers
TGCS025\TGCSNET Relay                   {0.0.0.0:25}                            True       exchange users.

My queue keeps filling up. At wits' end, I suspended the submission queue, which has many messages; I cannot delete that entry.

I think I am set up as a relay, but I do not know why or how I am.


Thanks
0
 
suriyaehnop Commented:
You should not enable anonymous on TGCS025\Client TGCS025. Disable it and verify whether the queue still fills up.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
VB-ITS

No results from the command I issued in my original post

Which connector should I change
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
suriyaehnop

How about default?
0
 
VB ITS Commented:
VB-ITS

No results from the command I issued in my original post

Which connector should I change
If the command didn't give you any results then you don't have any receive connectors configured as an open relay. I'd say the spam is most likely due to the fact that the Anti-Spam components in Exchange 2010 aren't enabled by default, so your server is accepting everything and anything.

Do you have any Edge Transport servers in your environment? If no then you can enable the Anti-Spam agents on your Hub Transport servers. See this article for instructions: http://social.technet.microsoft.com/wiki/contents/articles/13918.how-to-install-antispam-agents-in-exchange-2010.aspx
0
 
suriyaehnop Commented:
trgrassijr55,

What is your mail flow? Does the hub transport server connect directly to the internet, or is there a mail gateway in front of it?

If your mail flow is like mine, which is MBX > Hub > Mail Gateway, then enable anonymous on Default.
1
 
Thomas Grassi (Systems Administrator, Author) Commented:
VB-ITS

I used those exact instructions the other day to install the AntiSpam agents on my server.
In EMS under Server Configuration > Hub Transport I have an Anti-spam tab: IP Allow List, IP Block List.

Under Organization > Hub Transport I have an Anti-spam tab:
Content Filtering, IP Allow List, IP Allow List Providers, etc.

I did restart the Microsoft Exchange Transport Service.

I am planning a system shutdown tomorrow; maybe the restart did not work.

One note I forgot to mention:

I did upgrade from Exchange 2007 to 2010; when I did that, most of the settings already appeared in Exchange 2010 from 2007. But after I removed Exchange 2007 from the network by uninstalling Exchange 2007, I lost the spam functions on 2010.

That's when I saw that article you just posted and ran the script to install anti-spam.

Thoughts?


Also my queue is full how can I clear the submission queue?

Thoughts
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
suriyaehnop

My email server faces the internet via a Cisco Meraki router. No email hub, no email gateway.

Still trying to clear the queue.

Any cmdlet to do it fast? Have an example?
0
 
suriyaehnop Commented:
Use your queue viewer to select the message and choose suspend.
0
 
VB ITS Commented:
I did upgrade from exchange 2007 to 2010 when I did that most of the settings already appeared in exchange 2010 from 2007.  But after I remove exchange 2007 from the network by uninstalling exchange 2007 I lost the spam functions on 2010  
Not sure what you mean by this. Are you saying the Anti-Spam tab is missing after you uninstalled Exchange 2007?
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
suriyaehnop

That's what I have been doing thanks
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
VB-ITS

Yes.
When I uninstalled 2007 and then went to my EMC on the 2010 server, the anti-spam tabs were no longer available.

So I installed the script and then they appeared.

Now that I removed anonymous I am not receiving any external email.

Which connector should I allow anonymous on?
0
 
suriyaehnop Commented:
I would recommend enabling anonymous on TGCS025\Default TGCS025 instead of TGCS025\Client TGCS025.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Anonymous is on Default TGCS025 now.

Incoming mail is working so far.

But my queues still have many Next Hop Domains listed; I have suspended all of them for now.
I have gmail, Hotmail and yahoo with many entries. I listed the totals and will see if they continue to receive.

How long will the next hop domains remain in the queue?

Can I delete them? cmdlet ?
0
 
hassan afzal Commented:
I'm afraid your server is being used as an email relay. I'd suggest looking at the queue, checking the headers and then blocking the IP on your networking equipment; also block the IP and originating domain on your Exchange server. You will probably get blacklisted soon too if you are using your IP to send out and not a spam filter for outbound messages.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
That would take forever to do; I had thousands of emails from many external sites.

Just checked mxtoolbox.com and my domain is not blacklisted.


I am not receiving external email

I have a receive connector problem here.

Need help any suggestions


Need help with the network tab on the connectors
0
 
Alan Hardisty Commented:
I would disable the Relay connector for now. You need the Default connector and should have Anonymous enabled on that or you won't receive emails.

Once the Relay connector is disabled, restart the Microsoft Exchange Transport Service and then empty the queue of the crap emails.

Monitor, and if you still have issues, disable one more connector, restart the Transport Service and then monitor.

Once you know which Connector is causing you problems, then you can figure out what to do next (with guidance from the Experts here).

Alan
0
 
hassan afzal Commented:
The likelihood is that the originating email is coming from one IP; check the headers to see where it is spoofing from.

Disabling the Relay connector is also a good idea, as Alan suggested. Are these emails just stuck in the queue, or are they sending out?

Try clearing one of the queues and see if it rebuilds.

Hassan
0
 
VB ITS Commented:
First of all can you clarify whether you're receiving external emails or not? You say you are in one post, then in another you say you're not.

Which queue contains the large amount of emails? Inbound or outbound?

Can you also re-run the get-receiveconnector command again so we have a clear idea of the connectors that currently exist?
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
VB-ITS

[PS] C:\Windows\system32>get-receiveconnector

Identity                                Bindings                                Enabled
--------                                --------                                -------
TGCS025\Default TGCS025                 {[::]:25, 0.0.0.0:25}                   True
Local IP
All available IPV6  Port 587
All Available IPV4  Port 587
Receive mail from remote servers that have these IP addresses
.ffff.fff.ffff.ffff
0.0.0.0-255.255.255.255


TGCS025\Client TGCS025                  {[::]:587, 0.0.0.0:587}                 True
Local IP
All available IPV6  Port 25
All Available IPV4  Port 25
Receive mail from remote servers that have these IP addresses
.ffff.fff.ffff.ffff
0.0.0.0-255.255.255.255



TGCS025\TGCSNET Connector               {10.2.8.36:25}                          True
10.2.8.17
10.2.8.18     These ip addresses are computers on my local lan that send internal email via scripts
10.2.8.19
10.2.8.20Local IP
10.2.8.36       Port 25       (this is the ip address of my exchange server)
Receive mail from remote servers that have these IP addresses


TGCS025\TGCSNET Port 1025               {10.2.8.37:1025}                        True
Local IP
10.2.8.37       Port 1025       (this is the ip address of my exchange server used for ISPs that does not support  
                                                port 25 but these are only remote exchange users)
Receive mail from remote servers that have these IP addresses
0.0.0.0-255.255.255.255

TGCS025\TGCSNET Relay                   {0.0.0.0:25}                            False


[PS] C:\Windows\system32
hassan afzal & Alan

I did what Alan said. Late last night I cleared all the queues; after suspending them I was able to delete all the messages.
Then I resumed the queues and they cleared.

So I disabled the Relay connector; this was one I had on Exchange 2007, not sure if I really need it now.

See above receive connector info.


After disabling the Relay connector I am now getting some external email.


Can we double check my connector settings to see what I have wrong?

Thanks guys
0
 
Alan Hardisty Commented:
It would be more useful to show the full receive connector settings.  Please post the output from:

get-receiveconnector | fl

Thanks

Alan
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan

Thanks see attached
receive.txt
0
 
VB ITS Commented:
You may also want to look at investing in an online mail hygiene solution (once we have solved your original issue) such as MessageLabs, Mimecast, WebRoot, etc. to prevent these sorts of emails from even hitting your servers in the first place.

Some of these providers also provide email continuity as well as backup mail services in the event that your Exchange server goes down. Something worth looking into.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Thanks I was going to ask about that in another question.

Was going to try Forefront I only have 25 email users. small company.

I hope we can figure out the receive connector settings
0
 
Alan Hardisty Commented:
Okay - not seeing anything too scary with the connector settings.

Who is the originator of the messages in the queue? Is it <> as the sender?

If it is, then that's just the Administrator and you are probably suffering from NDR spam, which means you aren't filtering invalid recipients and you are basically accepting the messages; then the server realises the recipient is invalid and HAS to send back an NDR email to the sender.

If you used Recipient Filtering, then your server would check its list of recipients and, if it doesn't find the recipient listed, it rejects the email; then the sender is responsible for the NDR message and your queue will remain empty.
0
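An added example (not code from the original answer) of the two halves of the diagnosis above: first, a queue summary that makes NDR backscatter visible as a pile of messages whose FromAddress is <>, then the Recipient Filter agent setting that makes Exchange reject unknown recipients at SMTP time, plus a drain of the backscatter already queued. It assumes the anti-spam agents are installed on the Hub Transport server, as the poster did earlier in the thread.

```powershell
# Run in the Exchange Management Shell.
# 1. Triage: count queued messages per queue and sender. NDR backscatter shows
#    up as large counts with FromAddress "<>" heading toward gmail/hotmail/yahoo.
function Get-QueueSenderSummary {
    Get-Queue | Where-Object { $_.MessageCount -gt 0 } | ForEach-Object {
        $q = $_
        Get-Message -Queue $q.Identity -ResultSize Unlimited |
            Group-Object FromAddress |
            ForEach-Object {
                [PSCustomObject]@{
                    Queue       = $q.Identity.ToString()
                    NextHop     = $q.NextHopDomain
                    FromAddress = $_.Name
                    Count       = $_.Count
                }
            }
    } | Sort-Object Count -Descending
}

Get-QueueSenderSummary | Format-Table -AutoSize

# 2. Is recipient validation on? With it off, the server accepts mail for
#    users that do not exist, then has to generate the NDR (from "<>") itself.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockListEnabled

# 3. Reject unknown recipients during the SMTP session instead, so the
#    sending server, not yours, owns the bounce.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 4. Drain the backscatter already queued for external delivery, without
#    generating yet another NDR for each deleted message.
Get-Queue | Where-Object { $_.MessageCount -gt 0 -and $_.DeliveryType -eq 'DnsConnectorDelivery' } |
    ForEach-Object { Suspend-Queue -Identity $_.Identity -Confirm:$false }
Remove-Message -Filter { FromAddress -eq "<>" } -WithNDR $false -Confirm:$false
```

Recipient validation only takes effect on connections the Recipient Filter agent inspects, so it does not interfere with authenticated internal senders; after the change, restart the Microsoft Exchange Transport service and re-run the summary to confirm the "<>" counts stop growing.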
 
hassan afzal Commented:
We faced this EXACT problem and ended up blocking the originating IP on the SonicWall.
0
 
Alan Hardisty Commented:
The problem with blocking by IP address is that the IPs will/may change, and then you are constantly trying to block a moving target; as spammers regularly use dynamic IPs, you will eventually be blocking people you want (possibly) and may end up only allowing a handful of IPs through.

Anti-spam software that does Recipient Filtering (amongst other things) would be a good call. We use Vamsoft ORF Fusion, which is great low-cost software that doesn't have to be renewed annually!

Alan
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan

Does Vamsoft ORF Fusion email reports to each client with a list of messages that were quarantined?


Thanks for checking my receive connectors.

I have not seen any attacks since I cleared the queues last night.

Will keep an eye open today.
0
 
Alan Hardisty Commented:
Usually it is configured to either Accept or Reject emails, but you can configure it to forward the 'junk' emails to an alternative internal address (for example) which can then be reviewed.

Other software would be able to do that, but I've never used any, so can't recommend anything else unfortunately.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
I just restarted the Exchange server; had to move it into the server rack.

Now my Outlook clients are putting the junk mail into the Junk folder; this is the first time since I switched them over to Exchange 2010 a week ago.

Maybe I needed to restart all the services?

I have a few emails in my Junk folder; what can we look at to see if we can block them?


Getting a lot with the subject "Voice Message".

How do I look at the header info, and what should I look for?
0
 
Alan Hardisty Commented:
Look at the Message Queue and if you have to, double-click into an email to see the Sender.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan

The Message Queue is empty

Only entry in the queue is submission queue.


I found the header of the junk mail

What do you think I should block?

Received: from voice_global.co.uk (72.44.227.114) by
 TGCS025.our.network.tgcsnet.com (10.2.8.36) with Microsoft SMTP Server id
 14.1.438.0; Tue, 27 Jan 2015 10:55:19 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_a4299b656bc693a46deed75d2ffcf383"
Date: Tue, 27 Jan 2015 15:50:02 +0000
From: Voice <no-replay@voice_global.co.uk>
To: <thomasrgrassijr@tgcsnet.com>
Subject: Voice Message
Message-ID: <090843544137939550240490408966335@voice_global.co.uk>
User-Agent: Roundcube Webmail/1.0.4
Return-Path: no-replay@voice_global.co.uk
X-MS-Exchange-Organization-AuthSource: TGCS025.our.network.tgcsnet.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: voice_global.co.uk
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (TGCS025.our.network.tgcsnet.com: domain of
 no-replay@voice_global.co.uk does not designate 72.44.227.114 as permitted
 sender) receiver=TGCS025.our.network.tgcsnet.com; client-ip=72.44.227.114;
 helo=voice_global.co.uk;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
 DV:3.3.14519.472;SID:SenderIDStatus Fail;OrigIP:72.44.227.114
0
 
Alan Hardisty Commented:
Looks like spam to me.

The SPF check fails, so if you had software that could reject emails based on SPF failure, it could reject the message.

Does thomasrgrassijr @ tgcsnet.com exist as a user on your server?
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Yes, that is my email address.

So the ORF Fusion would take care of these?

Wonder why the Exchange Spam Agents do not.

My Outlook (Outlook 2013) has the junk level set to high.
0
 
Alan Hardisty Commented:
I'm not a fan of the Exchange Anti-Spam Agents - way too inflexible IMHO.

You can Trial ORF for 42 days and I can help you configure it (if you need help).

ORF can be configured to reject emails that fail SPF check.

I'm assuming you don't have a voicemail service that emails you voice messages?

Alan
0
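To answer the "why didn't the Exchange agents catch it" question raised above: the header posted earlier already carries the verdicts (AuthAs Anonymous, Received-SPF Fail, SenderIdResult Fail, SCL 1), and the built-in Sender ID agent only stamped the message because its SpoofedDomainAction defaults to StampStatus. The added example below (not code from either poster) pulls those verdicts out of a raw header, using a trimmed copy of the posted header as embedded sample input, and then shows the agent setting that makes Exchange reject on Sender ID failure, which is what ORF is being proposed for.

```powershell
# Sample input: the header posted earlier in this thread, trimmed to the
# fields that carry the anti-spam verdicts.
$sampleHeader = @'
Received: from voice_global.co.uk (72.44.227.114) by
 TGCS025.our.network.tgcsnet.com (10.2.8.36) with Microsoft SMTP Server id
 14.1.438.0; Tue, 27 Jan 2015 10:55:19 -0500
From: Voice <no-replay@voice_global.co.uk>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (TGCS025.our.network.tgcsnet.com: domain of
 no-replay@voice_global.co.uk does not designate 72.44.227.114 as permitted
 sender) receiver=TGCS025.our.network.tgcsnet.com; client-ip=72.44.227.114;
X-MS-Exchange-Organization-SCL: 1
'@

function Get-HeaderVerdict {
    param([string]$RawHeader)
    # Unfold continuation lines: a line starting with whitespace belongs to
    # the preceding header field.
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $fields = @{}
    foreach ($line in $unfolded -split "`r?`n") {
        if ($line -match '^([^:\s]+):\s*(.*)$' -and -not $fields.ContainsKey($matches[1])) {
            # Keep the first occurrence, so the topmost Received (your own
            # server's hop) wins when a message has several.
            $fields[$matches[1]] = $matches[2]
        }
    }
    $spf = if ($fields['Received-SPF'] -match '^(\w+)') { $matches[1] } else { 'None' }
    $ip  = if ($fields['Received'] -match '\((\d{1,3}(?:\.\d{1,3}){3})\)') { $matches[1] } else { $null }
    [PSCustomObject]@{
        ConnectingIP   = $ip
        AuthAs         = $fields['X-MS-Exchange-Organization-AuthAs']
        SpfResult      = $spf
        SenderIdResult = $fields['X-MS-Exchange-Organization-SenderIdResult']
        SCL            = [int]$fields['X-MS-Exchange-Organization-SCL']
    }
}

Get-HeaderVerdict -RawHeader $sampleHeader

# Exchange Management Shell: check the Sender ID agent and make it reject
# spoofed senders instead of merely stamping the header.
Get-SenderIdConfig | Format-List Enabled, ExternalMailEnabled, SpoofedDomainAction
Set-SenderIdConfig -SpoofedDomainAction Reject
```

Rejecting on Sender ID failure drops legitimate mail from domains with broken SPF records, so review the stamped results for a while before switching the action from StampStatus to Reject.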
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan

Thanks

I will open another question for ORF.

Doing system maintenance on the server now; will install ORF later today.
0
 
Alan Hardisty Commented:
No problems.

I'm out all day tomorrow (UK time) at Microsoft's London HQ so may not be able to respond to ORF questions, but will do my best to respond as soon as I can (if you don't raise the question shortly that is).

Alan
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan Thanks

Hey do you have any input for this one?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28604282.html

Another one I opened yesterday.
0
 
Alan Hardisty Commented:
Looks like you are getting close on that one.  I will monitor the question.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan thanks

This command is the one I am having difficulty with:

Search-Mailbox -Identity journal -SearchQuery {sent:'$Start'..'$End'} -LogOnly -LogLevel full -DeleteContent


It keeps giving me a prompt for Folder Name.

The command waits for input.

Thoughts?
0
 
Alan Hardisty Commented:
Best not to get into that one in this question or it will confuse people further down the line.

I'll post something in the question.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan yes thanks
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Guys

I have a program, febooti; it is a batch command-line SMTP client.

I wrote many scripts using this to email me system status reports on a daily basis.
Now that I disabled the Relay connector I am not receiving those emails.

I can send internal email from Outlook clients, no problem.

Can send email out to external clients, no problem.

Can receive external email from other email clients and remote Outlook users.

Also my WSUS server sends email, as does SQL; none are working now.

They all use port 25.

How can I setup the relay connector to work in my environment ?
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Hi Guys

Update

After further testing I tried this:

telnet 10.2.8.36 25

220 tgcs025.our.network.tgcsnet.com Microsoft ESMTP MAIL Service ready at Tue, 27 Jan 2015 14:58:13 -0500
helo
250 tgcs025.our.network.tgcsnet.com Hello [10.2.8.69]
mail from: trgrassijr@me.com
530 5.7.1 Client was not authenticated


Connection to host lost.

C:\

On the default connector I have anonymous checked

What is wrong here?


ID: 40572824    has my receive list
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Guys
Update

Just tried this:

Enabled the TGCSNET Relay connector with anonymous checked.

Then ran this:
[PS] C:\Windows\system32>Get-ReceiveConnector "TGCSNET Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TGCS025\TGCSNET R... NT AUTHORITY\ANON... False False


But still getting  530 5.7.1 Client was not authenticated



Thoughts
0
 
Alan Hardisty Commented:
Telnetting to IP 10.2.8.36 25 will connect you to:

TGCSNET Connector

Authentication for this connector is set as Tls, ExternalAuthoritative with Permissions for ExchangeServers

Forget changing the other connectors - use that one and allow anonymous and add Relay permissions as that one is locked down to a few internal IPs, so should be relatively safe.

Alan
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan

How do I add the relay permission?

I should then remove TGCSNET Relay correct?
0
 
Alan Hardisty Commented:
Use the command you have already been using:

Get-ReceiveConnector "TGCSNET Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For now - disable the Relay connector and then restart the Transport service and test.  If you find a week or two down the line the Relay connector is no longer needed, then delete it, but it's easier to leave it disabled as it is quicker to resurrect it if you find you can't live without it!!
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
Alan

1. Disabled Relay Connector
2. Restarted Transport Service

Agree that will be easier.

Now ran the above command:

[PS] C:\Windows\system32>Get-ReceiveConnector "TGCSNET Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TGCS025\TGCSNET C... NT AUTHORITY\ANON... False False

Then restarted transport service again

But still getting  530 5.7.1 Client was not authenticated

What am I missing here?    Could it be authentication settings?
TGCSNET-Connector.txt
0
 
Alan Hardisty Commented:
Still no anonymous auth enabled on that connector.  Set that - restart the transport service and test with telnet again.
0
 
Thomas Grassi (Systems Administrator, Author) Commented:
All Working now Guys

Thanks for all the help.

Alan

Just installed ORF Fusion now that Email is flowing again

Just have to check all my scripts and some devices have built in email code need to test them

Thanks again
0
