Member_2_6492660_1 (United States of America) asked:
Exchange 2010 Queue full of emails with my domain and they are not valid emails Spoofed?

Just installed Exchange 2010 Enterprise 64 bit

All of a sudden we are getting an extreme number of spam messages and my queue is full of email addresses with my domain name mydomain.com

I ran this

Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights


Which receive connectors require anonymous permissions? Is that a problem?
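
As an added example (not part of the original question), the same Get-ADPermission check extended into a per-connector open-relay audit for the Exchange Management Shell; it reports the three conditions that together make a connector an open relay, so a hit on the relay right alone is not read as a problem by itself:

```powershell
# Added example: audit every receive connector for the combination that makes an
# Exchange 2010 server an open relay:
#   1. anonymous submission allowed (PermissionGroups contains AnonymousUsers),
#   2. ms-Exch-SMTP-Accept-Any-Recipient granted to NT AUTHORITY\ANONYMOUS LOGON,
#   3. a RemoteIPRanges scope that covers the whole internet.
# Any one of these alone is normal (the Default connector needs 1 and 3 to receive
# internet mail at all); all three on an enabled connector is the problem.

function Test-WorldScope {
    param($Connector)
    # The scope Exchange creates by default is 0.0.0.0-255.255.255.255 plus the IPv6 equivalent.
    foreach ($r in $Connector.RemoteIPRanges) {
        $s = $r.ToString()
        if ($s -eq '0.0.0.0-255.255.255.255' -or $s -like '::-ffff:ffff:*') { return $true }
    }
    return $false
}

function Get-RelayExposure {
    foreach ($rc in Get-ReceiveConnector) {
        $anonSubmit = ("$($rc.PermissionGroups)" -match 'AnonymousUsers')

        # Same query as the original post, evaluated per connector and ignoring
        # Deny entries, which do not grant anything.
        $anonRelay = @($rc | Get-ADPermission | Where-Object {
                $_.User -like '*ANONYMOUS LOGON*' -and -not $_.Deny -and
                ($_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*')
            }).Count -gt 0

        $world = Test-WorldScope $rc

        New-Object PSObject -Property @{
            Connector       = $rc.Name
            Enabled         = $rc.Enabled
            Bindings        = ($rc.Bindings -join ', ')
            AnonymousSubmit = $anonSubmit
            AnonymousRelay  = $anonRelay
            WorldScope      = $world
            OpenRelay       = ($rc.Enabled -and $anonSubmit -and $anonRelay -and $world)
        }
    }
}

# Report, worst first. Anything with OpenRelay = True needs its RemoteIPRanges
# narrowed or the Accept-Any-Recipient right removed (Remove-ADPermission).
Get-RelayExposure | Sort-Object OpenRelay -Descending |
    Format-Table Connector, Enabled, AnonymousSubmit, AnonymousRelay, WorldScope, OpenRelay -AutoSize
```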
suriyaehnop

Does the spam mail come from the internet or internally?
If you look at the spam's internet header you can identify the sender IP address.

By default Exchange 2010 has 2 Receive Connectors - Client <ServerName> and Default <ServerName>.
You can create another Receive Connector and enable anonymous, or you can enable it on Default <ServerName>.
SOLUTION by VB ITS (members-only content, not shown)
ASKER

All the spam mail is from the internet

I have 5 connectors

[PS] C:\Windows\system32>get-receiveconnector

Identity                                Bindings                                Enabled
--------                                --------                                -------
TGCS025\Default TGCS025                 {[::]:25, 0.0.0.0:25}                   True       exchange users
TGCS025\Client TGCS025                  {[::]:587, 0.0.0.0:587}                 True     anonymous exchange users exchange server legacy exchange servers
TGCS025\TGCSNET Connector               {10.2.8.36:25}                          True    exchange servers
TGCS025\TGCSNET Port 1025               {10.2.8.37:1025}                        True    exchange users exchange servers
TGCS025\TGCSNET Relay                   {0.0.0.0:25}                            True       exchange users

My queue keeps filling up. At wits' end, I suspended the submission queue, which has many messages; I cannot delete that entry.

I think I am set up as a relay but I do not know why or how I am.


Thanks
You shall not enable anonymous on TGCS025\Client TGCS025. Disable it and verify if the queue still fills up.
VB-ITS

No results from the command I issued in my original post

Which connector should I change
suriyaehnop

How about default?
VB-ITS

No results from the command I issued in my original post

Which connector should I change
If the command didn't give you any results then you don't have any receive connectors configured as an open relay. I'd say the spam is most likely due to the fact that the Anti-Spam components in Exchange 2010 aren't enabled by default, so your server is accepting everything and anything.

Do you have any Edge Transport servers in your environment? If no then you can enable the Anti-Spam agents on your Hub Transport servers. See this article for instructions: http://social.technet.microsoft.com/wiki/contents/articles/13918.how-to-install-antispam-agents-in-exchange-2010.aspx
trgrassijr55,

What is your mail flow? Does the hub transport server connect directly to the internet, or is there a mail gateway in front of it?

If your mail flow is like mine, which is MBX > Hub > Mail Gateway, then enable anonymous on default.
VB-ITS

I used those exact instructions the other day to install the AntiSpam agents on my server.
In EMS under server configuration, hub transport, I have an anti-spam tab: IP allow list, IP block list.

Under organization, hub transport, I have an anti-spam tab:
content filtering, IP allow list, IP allow list providers, etc.

I did Restart Microsoft Exchange Transport Service

I am planning a system shutdown tomorrow maybe the restart did not work

One note I forgot to mention

I did upgrade from Exchange 2007 to 2010; when I did that, most of the settings already appeared in Exchange 2010 from 2007. But after I removed Exchange 2007 from the network by uninstalling it, I lost the spam functions on 2010.

That's when I saw that article you just posted and ran the script to install anti spam

Thoughts?


Also my queue is full how can I clear the submission queue?

Thoughts
suriyaehnop

My email server faces the internet via a Cisco Meraki router. No email hub, no email gateway.

Still trying to clear the queue

Any cmdlet to do it fast? Have an example?
Use your queue viewer to select the message and choose suspend.
I did upgrade from Exchange 2007 to 2010; when I did that, most of the settings already appeared in Exchange 2010 from 2007. But after I removed Exchange 2007 from the network by uninstalling it, I lost the spam functions on 2010.
Not sure what you mean by this. Are you saying the Anti-Spam tab is missing after you uninstalled Exchange 2007?
suriyaehnop

That's what I have been doing thanks
VB-ITS

Yes.
When I uninstalled 2007 then went to my EMC on the 2010 server the anti spam tabs were no longer available.

So I installed the script and then they appeared.

Now that I removed anonymous I am not receiving any external email.

Which connector should I allow anonymous on?
SOLUTION (members-only content, not shown)
Anonymous is on Default TGCS025 now.

Incoming mail working so far.

But my queues still have many Next Hop Domains listed; I have suspended all of them for now.
I have Gmail, Hotmail and Yahoo with many entries. I listed the totals to see if they continue to receive.

How long will the next hop domains remain in the queue?

Can I delete them? cmdlet ?
hassan afzal

I'm afraid your server is being used as an email relay. I'd suggest looking at the queue, checking the headers and then blocking the IP on your networking equipment; also block the IP and originating domain on your Exchange server. You will probably get blacklisted soon too if you are using your IP to send out and not a spam filter for outbound messages.
That would take forever to do; I had thousands of emails from many external sites.

Just checked mxtoolbox.com and my domain is not blacklisted.


I am not receiving external email

I have a receive connector problem here.

Need help any suggestions


Need help with the network tab on the connectors
I would disable the Relay connector for now. You need the Default connector and should have Anonymous enabled on that or you won't receive emails.

Once the Relay connector is disabled, restart the Microsoft Exchange Transport Service and then empty the queue of the crap emails.

Monitor and if you still have issue, disable one more connector, restart the Transport Service and then monitor.

Once you know which Connector is causing you problems, then you can figure out what to do next (with guidance from the Experts here).

Alan
The likelihood is the originating email is coming from one IP; check the headers to see where it is spoofing from.

Disabling the Relay connector is also a good idea as Alan suggested. Are these emails just stuck in the queue or are they sending out?

Try clearing one of the queues and see if it rebuilds.

Hassan
First of all can you clarify whether you're receiving external emails or not? You say you are in one post, then in another you say you're not.

Which queue contains the large amount of emails? Inbound or outbound?

Can you also re-run the get-receiveconnector command again so we have a clear idea of the connectors that currently exist?
VB-ITS

[PS] C:\Windows\system32>get-receiveconnector

Identity                                Bindings                                Enabled
--------                                --------                                -------
TGCS025\Default TGCS025                 {[::]:25, 0.0.0.0:25}                   True
Local IP
All available IPV6  Port 587
All Available IPV4  Port 587
Receive mail from remote servers that have these IP addresses
.ffff.fff.ffff.ffff
0.0.0.0-255.255.255.255


TGCS025\Client TGCS025                  {[::]:587, 0.0.0.0:587}                 True
Local IP
All available IPV6  Port 25
All Available IPV4  Port 25
Receive mail from remote servers that have these IP addresses
.ffff.fff.ffff.ffff
0.0.0.0-255.255.255.255



TGCS025\TGCSNET Connector               {10.2.8.36:25}                          True
Local IP
10.2.8.36       Port 25       (this is the IP address of my Exchange server)
Receive mail from remote servers that have these IP addresses
10.2.8.17
10.2.8.18     These IP addresses are computers on my local LAN that send internal email via scripts
10.2.8.19
10.2.8.20


TGCS025\TGCSNET Port 1025               {10.2.8.37:1025}                        True
Local IP
10.2.8.37       Port 1025       (this is the IP address of my Exchange server used for ISPs that do not support port 25, but these are only remote Exchange users)
Receive mail from remote servers that have these IP addresses
0.0.0.0-255.255.255.255

TGCS025\TGCSNET Relay                   {0.0.0.0:25}                            False


[PS] C:\Windows\system32
hassan afzal & Alan

I did what Alan said. Late last night I cleared all the queues; after suspending them I was able to delete all the messages.
Then I resumed the queues and they cleared.

So I disabled the Relay connector; this was one I had on Exchange 2007, not sure if I really need it now.

See above receive connector info


After disabling the Relay connector I am now getting some external email.


Can we double check my connector settings to see what I have wrong?

Thanks guys
It would be more useful to show the full receive connector settings.  Please post the output from:

get-receiveconnector | fl

Thanks

Alan
Alan

Thanks see attached
receive.txt
You may also want to look at investing in an online mail hygiene solution (once we have solved your original issue) such as MessageLabs, Mimecast, WebRoot, etc. to prevent these sorts of emails from even hitting your servers in the first place.

Some of these providers also provide email continuity as well as backup mail services in the event that your Exchange server goes down. Something worth looking into.
Thanks I was going to ask about that in another question.

Was going to try Forefront; I only have 25 email users, small company.

I hope we can figure out the receive connector settings
Okay - not seeing anything too scary with the connector settings.

Who is the originator of the messages in the queue?  Is it <> as the sender?

If it is, then that's just the Administrator and you are probably suffering from NDR spam, which means you aren't filtering invalid recipients: you are basically accepting the messages, then the server realises the recipient is invalid and HAS to send back an NDR email to the sender.

If you used Recipient Filtering, then your server would check its list of recipients and if it doesn't find the recipient listed, it rejects the email; then the sender is responsible for the NDR message and your queue will remain empty.
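
An added example (not Alan's own commands) that turns the NDR-spam explanation into Exchange Management Shell checks: it measures how much of each queue is null-sender (<>) mail, removes it without generating further NDRs, and enables recipient validation so unknown recipients are rejected at RCPT TO. It assumes the anti-spam agents from the article linked earlier are installed on the Hub Transport server.

```powershell
# Added example: backscatter (NDR spam) detection and cleanup in the transport
# queues, followed by switching on recipient validation so the server answers
# "550 5.1.1 User unknown" at RCPT TO instead of accepting and then bouncing.
# Assumes install-AntispamAgents.ps1 has already been run on the Hub Transport role.

function Get-BackscatterSummary {
    # An NDR is sent from the null sender "<>", so queues to gmail/hotmail/yahoo
    # next hops that are mostly "<>" messages are the pattern Alan describes.
    foreach ($q in Get-Queue | Where-Object { $_.MessageCount -gt 0 }) {
        $msgs = @(Get-Message -Queue $q.Identity -ResultSize Unlimited)
        $ndr  = @($msgs | Where-Object { $_.FromAddress -eq '<>' })
        New-Object PSObject -Property @{
            Queue      = $q.Identity
            NextHop    = $q.NextHopDomain
            Messages   = $msgs.Count
            NullSender = $ndr.Count
        }
    }
}

function Remove-BackscatterFromQueues {
    param([switch]$WhatIf)
    foreach ($q in Get-Queue | Where-Object { $_.MessageCount -gt 0 }) {
        # Suspend so the queue does not keep retrying while we delete, then drop
        # the null-sender messages without generating yet another NDR.
        Suspend-Queue -Identity $q.Identity -Confirm:$false -ErrorAction SilentlyContinue
        Get-Message -Queue $q.Identity -ResultSize Unlimited |
            Where-Object { $_.FromAddress -eq '<>' } |
            Remove-Message -WithNDR $false -Confirm:$false -WhatIf:$WhatIf
        Resume-Queue -Identity $q.Identity -Confirm:$false -ErrorAction SilentlyContinue
    }
}

function Enable-RecipientValidation {
    # Recipient filtering acts on mail treated as external (the anonymous Default
    # connector) for authoritative accepted domains. Enabling the agent needs a
    # restart of the Microsoft Exchange Transport service to take effect.
    $agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
    if (-not $agent) { throw 'Recipient Filter Agent not installed; run install-AntispamAgents.ps1 first.' }
    if (-not $agent.Enabled) { Enable-TransportAgent -Identity 'Recipient Filter Agent' }
    Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
    Get-RecipientFilterConfig | Select-Object Enabled, RecipientValidationEnabled, ExternalMailEnabled
}

Get-BackscatterSummary | Format-Table Queue, NextHop, Messages, NullSender -AutoSize
Remove-BackscatterFromQueues -WhatIf     # drop -WhatIf to actually delete
Enable-RecipientValidation
```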
We faced this EXACT problem and ended up blocking the originating IP on the SonicWall.
The problem with blocking by IP address is that the IPs will/may change and then you are constantly trying to block a moving target; as spammers regularly use dynamic IPs, you will eventually be blocking people you (possibly) want and may end up only allowing a handful of IPs through.

Anti-spam software that does Recipient Filtering (amongst other things) would be a good call. We use Vamsoft ORF Fusion, which is great low-cost software that doesn't have to be renewed annually!

Alan
Alan

Does Vamsoft ORF Fusion email reports to each client with a list of messages that were quarantined?


Thanks for checking my receive connectors

I have not seen any attacks since I cleared the queues last night.

Will keep an eye open today.
Usually it is configured to either Accept or Reject emails, but you can configure it to forward the 'junk' emails to an alternative internal address (for example) which can then be reviewed.

Other software would be able to do that, but I've never used any, so can't recommend anything else unfortunately.
I just restarted the Exchange server; had to move it into the server rack.

Now my Outlook clients are putting the junk mail into the junk folder; this is the first time since I switched them over to Exchange 2010 a week ago.

Maybe I needed to restart all the services?

I have a few emails in my junk folder what can we look at to see if we can block them?


Getting a lot with subject Voice Message.

How do I look at the header info? And what do I look for?
Look at the Message Queue and if you have to, double-click into an email to see the Sender.
Alan

The Message Queue is empty

The only entry in the queue is the submission queue.


I found the header of the junk mail

What do you think I should block?

Received: from voice_global.co.uk (72.44.227.114) by
 TGCS025.our.network.tgcsnet.com (10.2.8.36) with Microsoft SMTP Server id
 14.1.438.0; Tue, 27 Jan 2015 10:55:19 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_a4299b656bc693a46deed75d2ffcf383"
Date: Tue, 27 Jan 2015 15:50:02 +0000
From: Voice <no-replay@voice_global.co.uk>
To: <thomasrgrassijr@tgcsnet.com>
Subject: Voice Message
Message-ID: <090843544137939550240490408966335@voice_global.co.uk>
User-Agent: Roundcube Webmail/1.0.4
Return-Path: no-replay@voice_global.co.uk
X-MS-Exchange-Organization-AuthSource: TGCS025.our.network.tgcsnet.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: voice_global.co.uk
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (TGCS025.our.network.tgcsnet.com: domain of
 no-replay@voice_global.co.uk does not designate 72.44.227.114 as permitted
 sender) receiver=TGCS025.our.network.tgcsnet.com; client-ip=72.44.227.114;
 helo=voice_global.co.uk;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
 DV:3.3.14519.472;SID:SenderIDStatus Fail;OrigIP:72.44.227.114
Looks like spam to me.

The SPF check fails, so if you had software that could reject emails based on SPF failure, it could reject the message.

Does thomasrgrassijr @ tgcsnet.com exist as a user on your server?
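
An added example, not from the thread, that extracts the verdict fields Alan points at (SPF result, SenderID, how the sender authenticated, SCL) from a raw Exchange 2010 header; the sample input is the header quoted above, trimmed to the relevant lines.

```powershell
# Added example: parse an Exchange 2010 message header and report why it is
# suspicious. The sample is the "Voice Message" header from this thread, trimmed.
$SampleHeader = @'
Received: from voice_global.co.uk (72.44.227.114) by
 TGCS025.our.network.tgcsnet.com (10.2.8.36) with Microsoft SMTP Server id
 14.1.438.0; Tue, 27 Jan 2015 10:55:19 -0500
From: Voice <no-replay@voice_global.co.uk>
Subject: Voice Message
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (TGCS025.our.network.tgcsnet.com: domain of
 no-replay@voice_global.co.uk does not designate 72.44.227.114 as permitted
 sender) receiver=TGCS025.our.network.tgcsnet.com; client-ip=72.44.227.114;
 helo=voice_global.co.uk;
X-MS-Exchange-Organization-SCL: 1
'@

function Get-HeaderVerdict {
    param([Parameter(Mandatory=$true)][string]$RawHeader)
    # RFC 5322 folding: a line that starts with whitespace continues the previous field.
    $unfolded = ($RawHeader -replace "`r?`n[ \t]+", ' ') -split "`r?`n"
    $fields = @{}
    foreach ($line in $unfolded) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            # Keep the first occurrence: the topmost Received is the host that connected to us.
            if (-not $fields.ContainsKey($matches[1])) { $fields[$matches[1]] = $matches[2] }
        }
    }
    $spf  = if ($fields['Received-SPF'] -match '^(\w+)') { $matches[1] } else { 'none' }
    $helo = if ($fields['Received-SPF'] -match 'helo=([^;\s]+)') { $matches[1] } else { '' }
    $ip   = if ($fields['Received-SPF'] -match 'client-ip=([^;\s]+)') { $matches[1] } else { '' }

    $reasons = @()
    if ($spf -eq 'Fail') { $reasons += "SPF fail: $ip is not a permitted sender for the envelope domain" }
    if ($fields['X-MS-Exchange-Organization-AuthAs'] -eq 'Anonymous') { $reasons += 'Unauthenticated SMTP submission (AuthAs Anonymous)' }
    if ($fields['From'] -match '@([^>\s]+)' -and $helo -and $matches[1] -ne $helo) { $reasons += "From domain $($matches[1]) differs from HELO $helo" }

    # SCL 1 shows the content filter did not flag it; the SPF verdict is what gives it away.
    New-Object PSObject -Property @{
        ConnectingIP = $ip; Helo = $helo; SpfResult = $spf
        SenderId     = $fields['X-MS-Exchange-Organization-SenderIdResult']
        SCL          = $fields['X-MS-Exchange-Organization-SCL']
        Reasons      = $reasons
    }
}

Get-HeaderVerdict -RawHeader $SampleHeader | Format-List
```

The same function accepts any header pasted from Outlook's Internet headers box, so it can be run over the other junk-folder messages mentioned above.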
Yes, that is my email address.

So the ORF Fusion would take care of these?

Wonder why the Exchange spam agents do not.

My Outlook has the high level on junk specified, which is Outlook 2013.
I'm not a fan of the Exchange Anti-Spam Agents - way too inflexible IMHO.

You can Trial ORF for 42 days and I can help you configure it (if you need help).

ORF can be configured to reject emails that fail SPF check.

I'm assuming you don't have a voicemail service that emails you voice messages?

Alan
Alan

Thanks

I will open another question for ORF

Doing system maintenance on the server now; will install ORF later today.
No problems.

I'm out all day tomorrow (UK time) at Microsoft's London HQ so may not be able to respond to ORF questions, but will do my best to respond as soon as I can (if you don't raise the question shortly that is).

Alan
Alan Thanks

Hey do you have any input for this one?

https://www.experts-exchange.com/questions/28604282/Exchange-2010-New-MailboxExportRequest-Script-Help.html

Another one I opened yesterday.
Looks like you are getting close on that one.  I will monitor the question.
Alan thanks

this command is the one I am having difficulty with

Search-Mailbox -Identity journal -SearchQuery {sent:'$Start'..'$End'} -LogOnly -LogLevel full -DeleteContent


It keeps giving me a prompt: Folder Name

The command waits for input.

Thoughts?
Best not to get into that one in this question or it will confuse people further down the line.

I'll post something in the question.
Alan yes thanks
Guys

I have a program, febooti; it is a batch command line SMTP client.

I wrote many scripts using this to email me system status reports on a daily basis.
Now that I disabled the Relay connector I am not receiving those emails.

I can send internal email from outlook clients no problem

Can send email out to external clients no problem

Can receive external email from other email clients and remote outlook users.

Also my WSUS server sends email, as does SQL; none are working now.

They all use port 25

How can I setup the relay connector to work in my environment ?
Hi Guys

Update

After further testing I tried this

telnet 10.2.8.36 25

220 tgcs025.our.network.tgcsnet.com Microsoft ESMTP MAIL Service ready at Tue, 27 Jan 2015 14:58:13 -0500
helo
250 tgcs025.our.network.tgcsnet.com Hello [10.2.8.69]
mail from: trgrassijr@me.com
530 5.7.1 Client was not authenticated


Connection to host lost.

C:\

On the default connector I have anonymous checked

What is wrong here?


ID: 40572824 has my receive list
Guys
Update

Just tried this

Enabled the TGCSNET Relay connector with anonymous checked

Then ran this
[PS] C:\Windows\system32>Get-ReceiveConnector "TGCSNET Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TGCS025\TGCSNET R... NT AUTHORITY\ANON... False False


But still getting  530 5.7.1 Client was not authenticated



Thoughts
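
An added example (not from the thread; the accepted solution is not shown on this page) that works out which receive connector Exchange 2010 selects for a client address, using the connector scopes from the listing posted earlier, and then grants the relay right only on a narrowly scoped connector. The connector name and host addresses are the thread's own, taken as assumptions.

```powershell
# Added example: connector selection the way the transport service does it (the
# connector must listen on the port and the most specific RemoteIPRanges match
# wins), then a guarded relay grant. Addresses from the thread: TGCSNET Connector
# is scoped to 10.2.8.17-10.2.8.20 and the telnet test came from 10.2.8.69.

function ConvertTo-UInt32 {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes(); [array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Get-ConnectorForClient {
    param([Parameter(Mandatory=$true)][string]$ClientIP, [int]$Port = 25)
    $client = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($ClientIP))
    $best = $null; $bestSize = [uint64]::MaxValue
    foreach ($rc in Get-ReceiveConnector | Where-Object { $_.Enabled }) {
        $listens = @($rc.Bindings | Where-Object {
            $_.Port -eq $Port -and $_.Address.AddressFamily -eq 'InterNetwork' })
        if ($listens.Count -eq 0) { continue }
        foreach ($r in $rc.RemoteIPRanges) {
            if ($r.LowerBound.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only here
            $lo = ConvertTo-UInt32 $r.LowerBound; $hi = ConvertTo-UInt32 $r.UpperBound
            if ($client -ge $lo -and $client -le $hi) {
                $size = [uint64]$hi - [uint64]$lo
                if ($size -lt $bestSize) { $best = $rc; $bestSize = $size }
            }
        }
    }
    return $best
}

function Grant-ScopedRelay {
    param([Parameter(Mandatory=$true)][string]$Connector)
    $rc = Get-ReceiveConnector -Identity $Connector
    # Refuse to turn a connector that accepts the whole internet into a relay.
    if ($rc.RemoteIPRanges | Where-Object { $_.ToString() -eq '0.0.0.0-255.255.255.255' }) {
        throw "$Connector is scoped to every IPv4 address; narrow RemoteIPRanges first."
    }
    # AnonymousUsers lets the hosts in scope submit; Accept-Any-Recipient lets them
    # send to external domains, which is what "relay" means for scripts and devices.
    Set-ReceiveConnector -Identity $Connector -PermissionGroups 'AnonymousUsers,ExchangeServers'
    $rc | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null
}

# 10.2.8.69 is outside 10.2.8.17-10.2.8.20, so this returns Default TGCS025, not
# TGCSNET Connector: a relay right granted on TGCSNET Connector never applies to it.
(Get-ConnectorForClient -ClientIP '10.2.8.69').Name
Grant-ScopedRelay -Connector 'TGCSNET Connector'
```

Restart the Microsoft Exchange Transport service after the grant, then repeat the telnet test from one of the hosts inside the connector's scope rather than from 10.2.8.69.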
ASKER CERTIFIED SOLUTION (members-only content, not shown)
Alan

How do I add the relay permission?

I should then remove TGCSNET Relay correct?
SOLUTION (members-only content, not shown)
Alan

1. Disabled Relay Connector
2. Restarted Transport Service

Agree that will be easier.

Now Ran the above command

[PS] C:\Windows\system32>Get-ReceiveConnector "TGCSNET Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TGCS025\TGCSNET C... NT AUTHORITY\ANON... False False

Then restarted transport service again

But still getting  530 5.7.1 Client was not authenticated

What am I missing here?    Could it be authentication settings?
TGCSNET-Connector.txt
SOLUTION (members-only content, not shown)
All Working now Guys

Thanks for all the help.

Alan

Just installed ORF Fusion now that Email is flowing again

Just have to check all my scripts; some devices have built-in email code, need to test them.

Thanks again