Solved

Exchange 2010 Queue full of emails with my domain and they are not valid emails Spoofed?

Posted on 2015-01-26
440 Views
Last Modified: 2015-01-27
Just installed Exchange 2010 Enterprise 64 bit

All of a sudden we are getting an extreme number of spam messages and my queue is full of email addresses with my domain name, mydomain.com

I ran this

Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights


Which receive connectors require anonymous permissions? Is that a problem?
Question by: Thomas Grassi
53 Comments
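As an added example (my code, not from the question or from any answer in this thread), here is the audit I would run instead of the one-liner above, from the Exchange Management Shell on the Hub Transport server. For every Receive connector it reports the permission groups, authentication mechanisms and remote IP ranges, checks whether NT AUTHORITY\ANONYMOUS LOGON holds Ms-Exch-SMTP-Accept-Any-Recipient (the relay right the one-liner looks for) or whether the connector is ExternalAuthoritative (which relays for every host in its ranges without any such ACE), and flags the combination that makes an open relay: relaying allowed on a connector whose ranges still cover 0.0.0.0-255.255.255.255 or all of IPv6. The function and the verdict wording are mine.

```powershell
# Added example: audit Receive connectors for anonymous relay (not code from the thread).
# Assumes the Exchange 2010 Management Shell; uses only Get-ReceiveConnector and Get-ADPermission.
function Get-ReceiveConnectorRelayAudit {
    foreach ($rc in Get-ReceiveConnector) {

        # The relay right itself: ANONYMOUS LOGON holding ms-Exch-SMTP-Accept-Any-Recipient.
        # This is exactly what the one-liner in the question looks for, evaluated per connector.
        $anonRelayAce = Get-ADPermission -Identity $rc.Identity |
            Where-Object {
                -not $_.Deny -and
                $_.User -like '*ANONYMOUS LOGON*' -and
                ($_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*')
            }
        $anonRelay = [bool]$anonRelayAce

        # AnonymousUsers permission group: unauthenticated hosts may open a session and submit at all.
        $anonAllowed = $rc.PermissionGroups.ToString() -match 'AnonymousUsers'

        # ExternalAuthoritative ("externally secured") treats every host in RemoteIPRanges as
        # authenticated, so it relays for all of them with no ACE on the connector.
        $extSecured = $rc.AuthMechanism.ToString() -match 'ExternalAuthoritative'

        # Wide-open ranges: the defaults cover all of IPv4 and all of IPv6.
        $wideOpen = [bool]($rc.RemoteIPRanges |
            Where-Object { $_.ToString() -match '^(0\.0\.0\.0-255\.255\.255\.255|::-ffff)' })

        $relays = $extSecured -or ($anonAllowed -and $anonRelay)
        $verdict = if (-not $rc.Enabled) { 'Disabled' }
                   elseif ($relays -and $wideOpen) { 'OPEN RELAY: any internet host can relay through this connector' }
                   elseif ($relays) { 'Relay allowed, but only from RemoteIPRanges' }
                   elseif ($anonAllowed) { 'Anonymous inbound mail for local recipients only' }
                   else { 'Authenticated senders only' }

        New-Object PSObject -Property @{
            Identity          = $rc.Identity.ToString()
            Enabled           = $rc.Enabled
            Bindings          = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', '
            PermissionGroups  = $rc.PermissionGroups.ToString()
            AuthMechanism     = $rc.AuthMechanism.ToString()
            RemoteIPRanges    = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
            AnonymousRelayAce = $anonRelay
            Verdict           = $verdict
        }
    }
}

Get-ReceiveConnectorRelayAudit |
    Sort-Object Verdict |
    Format-Table Identity, Enabled, PermissionGroups, AuthMechanism, RemoteIPRanges, Verdict -AutoSize -Wrap
```

The one-liner in the question answers only "does anonymous have the relay ACE anywhere"; a connector can relay for the whole internet without that ACE if it is ExternalAuthoritative and left on the default ranges, which is why the audit checks both.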
 

Expert Comment by: suriyaehnop (LVL 18)

Does the spam mail come from the internet or internally?
If you look at the spam's internet header you can identify the sender IP address.

By default Exchange 2010 has 2 Receive Connectors - Client <ServerName> and Default <ServerName>.
You can create another Receive Connector and enable anonymous on it, or you can enable it on Default <ServerName>.

Assisted Solution by: VB ITS (LVL 24, earned 50 total points)

Is there a particular reason as to why you even created the anonymous relay in the first place? Exchange 2010 doesn't come with any anonymous receive connectors by default.

When you ran the above command, did it actually give you any results? If so, you need to look at restricting the use of the anonymous receive connector to only the IP addresses which need to use it, be it servers that host an internal applications, etc.

To do this:
- Open the Exchange Management Console
- Expand Server Configuration then click on Hub Transport
- Click on your CAS server with the anonymous receive connector in the top pane (if you have more than one)
- Right click the anonymous receive connector in the bottom pane then click on Properties
- Click on the Network tab
- In the Receive mail from remote servers that have these IP addresses section at the bottom, make sure that only the IP addresses that actually need anonymous access to submit mail through this connector are in the list
- Click OK when done

If you don't see a reason for the anonymous receive connector then I'd say to remove the anonymous access from it and see if anything breaks.

You may also want to do a lookup using your public IP address on the MX Toolbox website as you will most likely be listed on several blacklists due to your server being an open relay: http://mxtoolbox.com/blacklists.aspx

Author Comment by: Thomas Grassi (LVL 23)

All the spam mail is from the internet.

I have 5 connectors:

[PS] C:\Windows\system32>get-receiveconnector

Identity                                Bindings                                Enabled   Permission groups
--------                                --------                                -------   -----------------
TGCS025\Default TGCS025                 {[::]:25, 0.0.0.0:25}                   True      Exchange users
TGCS025\Client TGCS025                  {[::]:587, 0.0.0.0:587}                 True      Anonymous, Exchange users, Exchange servers, Legacy Exchange servers
TGCS025\TGCSNET Connector               {10.2.8.36:25}                          True      Exchange servers
TGCS025\TGCSNET Port 1025               {10.2.8.37:1025}                        True      Exchange users, Exchange servers
TGCS025\TGCSNET Relay                   {0.0.0.0:25}                            True      Exchange users

My queue keeps filling up. At my wits' end, I suspended the submission queue, which has many messages; I cannot delete that entry.

I think I am set up as a relay but I do not know why or how I am.


Thanks

Expert Comment by: suriyaehnop (LVL 18)

You should not enable anonymous on TGCS025\Client TGCS025. Disable it and verify whether the queue still fills up.

Author Comment by: Thomas Grassi (LVL 23)

VB-ITS

No results from the command I issued in my original post

Which connector should I change?

Author Comment by: Thomas Grassi (LVL 23)

suriyaehnop

How about default?

Expert Comment by: VB ITS (LVL 24)

VB-ITS

No results from the command I issued in my original post

Which connector should I change
If the command didn't give you any results then you don't have any receive connectors configured as an open relay. I'd say the spam is most likely just due to the fact that the Anti-Spam components in Exchange 2010 aren't enabled by default, so your server is accepting everything and anything.

Do you have any Edge Transport servers in your environment? If no then you can enable the Anti-Spam agents on your Hub Transport servers. See this article for instructions: http://social.technet.microsoft.com/wiki/contents/articles/13918.how-to-install-antispam-agents-in-exchange-2010.aspx

Expert Comment by: suriyaehnop (LVL 18)

trgrassijr55,

What is your mail flow? Does the hub transport server connect directly to the internet, or is there a mail gateway in front of it?

If your mail flow is like mine, which is MBX > Hub > Mail Gateway, then enable anonymous on the default.

Author Comment by: Thomas Grassi (LVL 23)

VB-ITS

I used those exact instructions the other day to install the AntiSpam agents on my server.
In EMS under server configuration, hub transport, I have an anti spam tab: ip allow list, ip block list

Under organization  Hub transport I have anti spam tab
content filtering ip allow list ip allow list providers  etc

I did Restart Microsoft Exchange Transport Service

I am planning a system shutdown tomorrow maybe the restart did not work

One note I forgot to mention

I did upgrade from Exchange 2007 to 2010; when I did that, most of the settings already appeared in Exchange 2010 from 2007. But after I removed Exchange 2007 from the network by uninstalling it, I lost the spam functions on 2010.

That's when I saw that article you just posted and ran the script to install anti spam

Thoughts?


Also my queue is full how can I clear the submission queue?

Thoughts

Author Comment by: Thomas Grassi (LVL 23)

suriyaehnop

My Email server faces the internet via a Cisco Meraki router. No email hub, no email gateway.

Still trying to clear the queue

Any cmdlet to do it fast? Have an example?

Expert Comment by: suriyaehnop (LVL 18)

Use your queue viewer to select the message and choose suspend.

Expert Comment by: VB ITS (LVL 24)

I did upgrade from exchange 2007 to 2010 when I did that most of the settings already appeared in exchange 2010 from 2007.  But after I remove exchange 2007 from the network by uninstalling exchange 2007 I lost the spam functions on 2010  
Not sure what you mean by this. Are you saying the Anti-Spam tab is missing after you uninstalled Exchange 2007?

Author Comment by: Thomas Grassi (LVL 23)

suriyaehnop

That's what I have been doing thanks

Author Comment by: Thomas Grassi (LVL 23)

VB ITS

Yes.
When I uninstalled 2007 then went to my EMC on the 2010 server the anti spam tabs were no longer available.

So I installed the script and then they appeared.

Now that I removed anonymous I am not receiving any external email.

Which connector should I allow anonymous on?

Assisted Solution by: suriyaehnop (LVL 18, earned 50 total points)

I would recommend enabling anonymous on TGCS025\Default TGCS025 instead of TGCS025\Client TGCS025.

Author Comment by: Thomas Grassi (LVL 23)

Anonymous is on Default TGCS025 now.

Incoming mail is working so far.

But my queues still have many Next Hop Domains listed; I have suspended all of them for now.
I have gmail, Hotmail and yahoo with many entries. I listed the totals and will see if they continue to receive.

How long will the next hop domains remain in the queue?

Can I delete them? cmdlet ?

Expert Comment by: hassan afzal (LVL 1)

I'm afraid your server is being used as an email relay - I'd suggest looking at the queue, checking the headers and then blocking the IP on your networking equipment - also block the IP and originating domain on your Exchange server - you will probably get blacklisted soon too if you are using your IP to send out and not a spam filter for outbound messages.

Author Comment by: Thomas Grassi (LVL 23)

That would take forever to do; I had thousands of emails from many external sites.

just checked mxtoolbox.com and my domain is not blacklisted.


I am not receiving external email

I have a receive connector problem here.

Need help, any suggestions?


Need help with the network tab on the connectors

Expert Comment by: Alan Hardisty (LVL 76)

I would disable the Relay connector for now.  You need the Default connector and should have Anonymous enabled on that or you won't receive emails.

Once the Relay connector is disabled, restart the Microsoft Exchange Transport Service and then empty the queue of the crap emails.

Monitor and if you still have issue, disable one more connector, restart the Transport Service and then monitor.

Once you know which Connector is causing you problems, then you can figure out what to do next (with guidance from the Experts here).

Alan

Expert Comment by: hassan afzal (LVL 1)

The likelihood is the originating email is coming from one IP; check the headers to see where it is spoofing from.

Disabling the Relay connector is also a good idea, as Alan suggested - are these emails just stuck in the queue or are they sending out?

try clearing one of the queue and see if it rebuilds.

Hassan

Expert Comment by: VB ITS (LVL 24)

First of all can you clarify whether you're receiving external emails or not? You say you are in one post, then in another you say you're not.

Which queue contains the large amount of emails? Inbound or outbound?

Can you also re-run the get-receiveconnector command again so we have a clear idea of the connectors that currently exist?

Author Comment by: Thomas Grassi (LVL 23)

VB-ITS

[PS] C:\Windows\system32>get-receiveconnector

Identity                                Bindings                                Enabled
--------                                --------                                -------
TGCS025\Default TGCS025                 {[::]:25, 0.0.0.0:25}                   True
TGCS025\Client TGCS025                  {[::]:587, 0.0.0.0:587}                 True
TGCS025\TGCSNET Connector               {10.2.8.36:25}                          True
TGCS025\TGCSNET Port 1025               {10.2.8.37:1025}                        True
TGCS025\TGCSNET Relay                   {0.0.0.0:25}                            False

[PS] C:\Windows\system32>

Network tab of each connector:

TGCS025\Default TGCS025
  Local IP: All available IPv6, Port 587; All available IPv4, Port 587
  Receive mail from remote servers that have these IP addresses: .ffff.fff.ffff.ffff; 0.0.0.0-255.255.255.255

TGCS025\Client TGCS025
  Local IP: All available IPv6, Port 25; All available IPv4, Port 25
  Receive mail from remote servers that have these IP addresses: .ffff.fff.ffff.ffff; 0.0.0.0-255.255.255.255

TGCS025\TGCSNET Connector
  Local IP: 10.2.8.36, Port 25 (this is the IP address of my Exchange server)
  Receive mail from remote servers that have these IP addresses: 10.2.8.17, 10.2.8.18, 10.2.8.19, 10.2.8.20 (these IP addresses are computers on my local LAN that send internal email via scripts)

TGCS025\TGCSNET Port 1025
  Local IP: 10.2.8.37, Port 1025 (this is the IP address of my Exchange server, used for ISPs that do not support port 25, but these are only remote Exchange users)
  Receive mail from remote servers that have these IP addresses: 0.0.0.0-255.255.255.255

TGCS025\TGCSNET Relay
  (disabled)







hassan afzal & Alan

I did what Alan said. Late last night I cleared all the queues; after suspending them I was able to delete all the messages.
Then I resumed the queues and they cleared.

So I disabled the relay connector; this was one I had on Exchange 2007, not sure if I really need it now.

See above receive connector info


After disabling the Relay connector I am now getting some external email


Can we double check my connector settings to see what I have wrong?

Thanks guys

Expert Comment by: Alan Hardisty (LVL 76)

It would be more useful to show the full receive connector settings.  Please post the output from:

get-receiveconnector | fl

Thanks

Alan

Author Comment by: Thomas Grassi (LVL 23)

Alan

Thanks see attached
receive.txt

Expert Comment by: VB ITS (LVL 24)

You may also want to look at investing in an online mail hygiene solution (once we have solved your original issue) such as MessageLabs, Mimecast, WebRoot, etc. to prevent these sort of emails from even hitting your servers in the first place.

Some of these providers also provide email continuity as well as backup mail services in the event that your Exchange server goes down. Something worth looking into.

Author Comment by: Thomas Grassi (LVL 23)

Thanks I was going to ask about that in another question.

Was going to try Forefront I only have 25 email users. small company.

I hope we can figure out the receive connector settings

Expert Comment by: Alan Hardisty (LVL 76)

Okay - not seeing anything too scary with the connector settings.

Who is the originator of the messages in the queue?  Is it <> as the sender?

If it is - then that's just the Administrator and you are probably suffering from NDR Spam - which means you aren't filtering Invalid Recipients and you are basically accepting the messages, then the server realises the recipient is invalid and HAS to send back an NDR email to the sender.

If you used Recipient Filtering, then your server would check its list of recipients and if it doesn't find the recipient listed, it rejects the email; then the Sender is responsible for the NDR message and your queue will remain empty.
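Alan's check (is the queued sender <>?), the author's earlier question about a cmdlet to clear the queue fast, and the recipient-filtering fix, done from the shell as an added example that is not part of the thread. It assumes the Exchange 2010 Management Shell on the Hub Transport server with the anti-spam agents installed (Install-AntispamAgents.ps1, as in the article VB ITS linked); the function names are mine.

```powershell
# Added example, not code from the thread: find, purge and prevent NDR backscatter.
# Assumes Exchange 2010 EMS on the Hub Transport server with the anti-spam agents installed.

# 1. Who is the sender of what is queued? "<>" (the null sender) means the message is an NDR
#    your own server generated, which is what Alan is asking about.
function Get-QueuedSenderSummary {
    Get-Message -ResultSize Unlimited |
        Group-Object -Property FromAddress |
        Sort-Object Count -Descending |
        Select-Object Count, @{n = 'Sender'; e = { $_.Name }}
}

# 2. Purge the NDRs. Suspending the outbound queues first stops delivery attempts racing the delete;
#    -WithNDR $false makes sure deleting does not generate a second wave of bounces.
function Clear-QueuedNdrs {
    Suspend-Queue -Filter {DeliveryType -eq "DnsConnectorDelivery"} -Confirm:$false
    Remove-Message -Filter {FromAddress -eq "<>"} -WithNDR $false -Confirm:$false
    Resume-Queue -Filter {DeliveryType -eq "DnsConnectorDelivery"}
}

# 3. Prevent it: reject RCPT TO for addresses that do not exist, so the sending server owns the NDR.
function Enable-RecipientValidation {
    $agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
    if (-not $agent) { throw 'Recipient Filter Agent is not installed; run Install-AntispamAgents.ps1 first' }
    if (-not $agent.Enabled) {
        Enable-TransportAgent -Identity 'Recipient Filter Agent'
        Write-Warning 'Restart the Microsoft Exchange Transport service for the agent change to take effect'
    }

    Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

    # Validation only covers Authoritative accepted domains; relay-type domains are not checked.
    Get-AcceptedDomain | Where-Object { $_.DomainType -ne 'Authoritative' } |
        ForEach-Object { Write-Warning "Recipient validation will not cover $($_.DomainName) (type $($_.DomainType))" }

    # Once RCPT TO is rejected for unknown users, the connector tarpit delay (default 5 s) is what
    # slows an attacker who now tries to enumerate valid addresses; warn if someone turned it off.
    Get-ReceiveConnector | Where-Object { $_.TarpitInterval.ToString() -eq '00:00:00' } |
        ForEach-Object { Write-Warning "$($_.Identity) has tarpitting disabled" }

    Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockListEnabled
}

Get-QueuedSenderSummary | Format-Table -AutoSize
# Clear-QueuedNdrs      # run once the summary confirms the queued mail is "<>" backscatter
Enable-RecipientValidation
```

With recipient validation on, the spammer's delivery attempt to a bogus address is refused during the SMTP session, so nothing is accepted and nothing has to be bounced; the tarpit warning is there because rejecting unknown recipients instantly turns the server into a directory-harvest oracle.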
 

Expert Comment by: hassan afzal (LVL 1)

We faced this EXACT problem and ended up blocking the originating IP on the SonicWall.

Expert Comment by: Alan Hardisty (LVL 76)

The problem with blocking by IP Address is that the IP's will/may change and then you are constantly trying to block a moving target and as spammers regularly use dynamic IP's, you will eventually be blocking people you want (possibly) and may end up only allowing a handful of IP's through.

Anti-Spam software that does Recipient Filtering (amongst other things) would be a good call. We use Vamsoft ORF Fusion which is great low-cost software that doesn't have to be renewed annually!

Alan

Author Comment by: Thomas Grassi (LVL 23)

Alan

Does Vamsoft ORF Fusion email reports to each client with a list of messages that were quarantined?


Thanks for checking my receive connectors

I have not seen any attacks since I cleared the queues last night.

Will keep an eye open today.

Expert Comment by: Alan Hardisty (LVL 76)

Usually it is configured to either Accept or Reject emails, but you can configure it to forward the 'junk' emails to an alternative internal address (for example) which can then be reviewed.

Other software would be able to do that, but I've never used any, so can't recommend anything else unfortunately.

Author Comment by: Thomas Grassi (LVL 23)

I just restarted the exchange server had to move it into the server rack.

Now my Outlook clients are putting the junk mail into the junk folder this is the first time since I switched them over to exchange 2010 a week ago.

Maybe I needed to restart all the services?

I have a few emails in my junk folder what can we look at to see if we can block them?


Getting a lot from subject Voice Message

How do I look at the header info? And what should I look for?

Expert Comment by: Alan Hardisty (LVL 76)

Look at the Message Queue and if you have to, double-click into an email to see the Sender.

Author Comment by: Thomas Grassi (LVL 23)

Alan

The Message Queue is empty

Only entry in the queue is submission queue.


I found the header of the junk mail

What do you think I should block?

Received: from voice_global.co.uk (72.44.227.114) by
 TGCS025.our.network.tgcsnet.com (10.2.8.36) with Microsoft SMTP Server id
 14.1.438.0; Tue, 27 Jan 2015 10:55:19 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_a4299b656bc693a46deed75d2ffcf383"
Date: Tue, 27 Jan 2015 15:50:02 +0000
From: Voice <no-replay@voice_global.co.uk>
To: <thomasrgrassijr@tgcsnet.com>
Subject: Voice Message
Message-ID: <090843544137939550240490408966335@voice_global.co.uk>
User-Agent: Roundcube Webmail/1.0.4
Return-Path: no-replay@voice_global.co.uk
X-MS-Exchange-Organization-AuthSource: TGCS025.our.network.tgcsnet.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: voice_global.co.uk
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (TGCS025.our.network.tgcsnet.com: domain of
 no-replay@voice_global.co.uk does not designate 72.44.227.114 as permitted
 sender) receiver=TGCS025.our.network.tgcsnet.com; client-ip=72.44.227.114;
 helo=voice_global.co.uk;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
 DV:3.3.14519.472;SID:SenderIDStatus Fail;OrigIP:72.44.227.114

Expert Comment by: Alan Hardisty (LVL 76)

Looks like spam to me.

The SPF check fails, so if you had software that could reject emails based on SPF failure, it could reject the message.

Does thomasrgrassijr @ tgcsnet.com exist as a user on your server?
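An added example, not code from the thread: the stamps Alan read by eye in the header above, parsed in PowerShell, followed by the Sender ID setting that turns a hard SPF fail from a stamp (SCL 1 here, so the message still reached the mailbox) into a rejection at the SMTP session. It assumes the Exchange 2010 Management Shell with the anti-spam agents installed; the sample input is the header posted above, trimmed to the relevant lines; Get-SenderAuthSummary is my own helper; the gateway address in the last comment is hypothetical.

```powershell
# Added example, not from the thread: read the anti-spam stamps from a pasted header and
# configure Sender ID to reject hard SPF failures. Assumes Exchange 2010 EMS with the anti-spam agents.
function Get-SenderAuthSummary {
    param([string]$RawHeaders)

    # Unfold continuation lines (RFC 5322: a line starting with whitespace continues the previous one)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    # Keep the FIRST occurrence of each header: the topmost Received is the one your own server stamped
    $h = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$' -and -not $h.ContainsKey($matches[1])) {
            $h[$matches[1]] = $matches[2]
        }
    }

    $spf = 'none'
    if ($h['Received-SPF'] -match '^(\w+)') { $spf = $matches[1] }
    $origIp = $null
    if ($h['X-MS-Exchange-Organization-Antispam-Report'] -match 'OrigIP:([0-9a-fA-F:.]+)') { $origIp = $matches[1] }
    $fromDomain = $null
    if ($h['From'] -match '@([^>\s]+)') { $fromDomain = $matches[1] }

    # Unauthenticated session plus a hard SPF fail: the purported domain says this IP may not send for it.
    $spoofed = ($h['X-MS-Exchange-Organization-AuthAs'] -eq 'Anonymous') -and ($spf -eq 'Fail')

    New-Object PSObject -Property @{
        FromDomain      = $fromDomain
        PRD             = $h['X-MS-Exchange-Organization-PRD']   # purported responsible domain Sender ID evaluated
        ConnectingIP    = $origIp
        AuthAs          = $h['X-MS-Exchange-Organization-AuthAs']
        SpfResult       = $spf
        SenderIdResult  = $h['X-MS-Exchange-Organization-SenderIdResult']
        SCL             = $h['X-MS-Exchange-Organization-SCL']
        SpoofedExternal = $spoofed
    }
}

# Sample input: the header posted earlier in this thread, trimmed (not captured fresh).
$sample = @'
Received: from voice_global.co.uk (72.44.227.114) by
 TGCS025.our.network.tgcsnet.com (10.2.8.36) with Microsoft SMTP Server id
 14.1.438.0; Tue, 27 Jan 2015 10:55:19 -0500
From: Voice <no-replay@voice_global.co.uk>
To: <thomasrgrassijr@tgcsnet.com>
Subject: Voice Message
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: voice_global.co.uk
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (TGCS025.our.network.tgcsnet.com: domain of
 no-replay@voice_global.co.uk does not designate 72.44.227.114 as permitted
 sender) receiver=TGCS025.our.network.tgcsnet.com; client-ip=72.44.227.114;
 helo=voice_global.co.uk;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-Antispam-Report:
 DV:3.3.14519.472;SID:SenderIDStatus Fail;OrigIP:72.44.227.114
'@

Get-SenderAuthSummary -RawHeaders $sample | Format-List

# Sender ID currently only stamps the Fail. Reject at the session instead; a TempError (DNS trouble)
# keeps stamping so a flaky resolver cannot bounce legitimate mail.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -TempErrorAction StampStatus
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, TempErrorAction, ExternalMailEnabled

# Sender ID checks the IP that connected to THIS server; today that is the real internet host (OrigIP).
# If a gateway or hosted filter is placed in front later, register it so the check looks past it:
#   Set-TransportConfig -InternalSMTPServers @{Add='10.2.8.50'}    # hypothetical gateway address

# Short-term block of this one source, with an expiry (Alan's point about rotating IPs stands):
Add-IPBlockListEntry -IPAddress 72.44.227.114 -ExpirationTime (Get-Date).AddDays(7) -Comment 'Voice Message spam'
```

For the pasted header the summary comes back with AuthAs Anonymous, SpfResult Fail, ConnectingIP 72.44.227.114 and SpoofedExternal True; with SpoofedDomainAction set to Reject, the same connection would have been refused before the message body was ever accepted.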
 

Author Comment by: Thomas Grassi (LVL 23)

yes that is my email address

So the ORF Fusion would take care of these?

Wonder why the Exchange Spam Agents do not

My Outlook has the high level on junk specified. It is Outlook 2013.

Expert Comment by: Alan Hardisty (LVL 76)

I'm not a fan of the Exchange Anti-Spam Agents - way too inflexible IMHO.

You can Trial ORF for 42 days and I can help you configure it (if you need help).

ORF can be configured to reject emails that fail SPF check.

I'm assuming you don't have a voicemail service that emails you voice messages?

Alan

Author Comment by: Thomas Grassi (LVL 23)

Alan

Thanks

I will open another question for ORF

Doing system maintenance on the server now; will install ORF later today.

Expert Comment by: Alan Hardisty (LVL 76)

No problems.

I'm out all day tomorrow (UK time) at Microsoft's London HQ so may not be able to respond to ORF questions, but will do my best to respond as soon as I can (if you don't raise the question shortly that is).

Alan

Author Comment by: Thomas Grassi (LVL 23)

Alan Thanks

Hey do you have any input for this one?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28604282.html

Another one I opened yesterday.

Expert Comment by: Alan Hardisty (LVL 76)

Looks like you are getting close on that one.  I will monitor the question.

Author Comment by: Thomas Grassi (LVL 23)

Alan thanks

this command is the one I am having difficulty with

Search-Mailbox -Identity journal -SearchQuery {sent:'$Start'..'$End'} -LogOnly -LogLevel full -DeleteContent


It keeps giving me a prompt: Folder Name

the command waits for input  

Thoughts?

Expert Comment by: Alan Hardisty (LVL 76)

Best not to get into that one in this question or it will confuse people further down the line.

I'll post something in the question.

Author Comment by: Thomas Grassi (LVL 23)

Alan yes thanks

Author Comment by: Thomas Grassi (LVL 23)

Guys

I have a program, febooti; it is a batch command line SMTP client.

I wrote many scripts using this to email me system status reports on a daily basis.
Now that I disabled the relay connector I am not receiving those emails.

I can send internal email from outlook clients no problem

Can send email out to external clients no problem

Can receive external email from other email clients and remote outlook users.

Also my WSUS server sends email, as does SQL; none are working now.

They all use port 25

How can I setup the relay connector to work in my environment ?

Author Comment by: Thomas Grassi (LVL 23)

Hi Guys

Update

After further testing I tried this

telnet 10.2.8.36 25

220 tgcs025.our.network.tgcsnet.com Microsoft ESMTP MAIL Service ready at Tue, 27 Jan 2015 14:58:13 -0500
helo
250 tgcs025.our.network.tgcsnet.com Hello [10.2.8.69]
mail from: trgrassijr@me.com
530 5.7.1 Client was not authenticated


Connection to host lost.

C:\

On the default connector I have anonymous checked

What is wrong here?


ID: 40572824    has my receive list

Author Comment by: Thomas Grassi (LVL 23)

Guys
Update

Just tried this

Enabled the TGCSNET Relay connector with anonymous checked

Then ran this
[PS] C:\Windows\system32>Get-ReceiveConnector "TGCSNET Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TGCS025\TGCSNET R... NT AUTHORITY\ANON... False False


But still getting  530 5.7.1 Client was not authenticated



Thoughts

Accepted Solution by: Alan Hardisty (LVL 76, earned 400 total points)

Telnetting to IP 10.2.8.36 25 will connect you to:

TGCSNET Connector

Authentication for this connector is set as Tls, ExternalAuthoritative with Permissions for ExchangeServers

Forget changing the other connectors - use that one and allow anonymous and add Relay permissions as that one is locked down to a few internal IPs, so should be relatively safe.

Alan

Author Comment by: Thomas Grassi (LVL 23)

Alan

How do I add the relay permission?

I should then remove TGCSNET Relay correct?

Assisted Solution by: Alan Hardisty (LVL 76, earned 400 total points)

Use the command you have already been using:

Get-ReceiveConnector "TGCSNET Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For now - disable the Relay connector and then restart the Transport service and test. If you find a week or two down the line the Relay connector is no longer needed, then delete it, but it's easier to leave it disabled as it is quicker to resurrect it if you find you can't live without it!

Author Comment by: Thomas Grassi (LVL 23)

Alan

1. Disabled Relay Connector
2. Restarted Transport Service

Agree that will be easier.

Now Ran the above command

[PS] C:\Windows\system32>Get-ReceiveConnector "TGCSNET Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TGCS025\TGCSNET C... NT AUTHORITY\ANON... False False

Then restarted transport service again

But still getting  530 5.7.1 Client was not authenticated

What am I missing here?    Could it be authentication settings?
TGCSNET-Connector.txt

Assisted Solution by: Alan Hardisty (LVL 76, earned 400 total points)

Still no anonymous auth enabled on that connector.  Set that - restart the transport service and test with telnet again.
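Alan's accepted solution (lock one connector to the script hosts' addresses, allow Anonymous on it and grant it the relay right) together with VB ITS's earlier Network-tab advice, done from the shell as an added example that is not the thread's own code, followed by a scripted version of the telnet test above so the result can be checked both from an allowed host and from an address that should be refused. The connector names and LAN addresses are the thread's; the test addresses are placeholders; Test-SmtpRelay is my own helper; reducing the connector's permission groups to AnonymousUsers only is my choice for a connector that serves nothing but scripts.

```powershell
# Added example, not code from the thread. Assumes Exchange 2010 EMS on the Hub Transport server.

# 1. The connector the script hosts hit: only their addresses, anonymous submission allowed,
#    and the relay right granted to ANONYMOUS LOGON on this connector only. Anyone who can
#    connect from these four addresses can now send as any sender, so keep the range tight.
Set-ReceiveConnector -Identity 'TGCS025\TGCSNET Connector' `
    -RemoteIPRanges '10.2.8.17-10.2.8.20' `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector 'TGCS025\TGCSNET Connector' |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# The internet-facing Default connector needs Anonymous (or no inbound mail arrives) but must NOT
# carry the relay right; remove it if an earlier experiment left it there.
$defaultRelay = Get-ReceiveConnector 'TGCS025\Default TGCS025' | Get-ADPermission |
    Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and ($_.ExtendedRights -like '*Accept-Any-Recipient*') }
if ($defaultRelay) {
    Remove-ADPermission -Identity 'TGCS025\Default TGCS025' -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient' -Confirm:$false
}
Restart-Service MSExchangeTransport

# 2. The telnet test from the thread, scripted: speak SMTP to the server and keep each reply.
#    Run it from 10.2.8.17 (expect 250 on RCPT TO) and from any other LAN address
#    (expect "550 5.7.1 Unable to relay"). A 530 on MAIL FROM means the connector that matched
#    your source address does not allow anonymous submission at all.
function Test-SmtpRelay {
    param(
        [string]$Server = '10.2.8.36',
        [int]$Port = 25,
        [string]$From = 'relaytest@tgcsnet.com',
        [string]$To = 'relaytest@example.com'   # placeholder: a domain this server is NOT authoritative for
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Multi-line replies use "250-" on every line but the last, which uses "250 "
    $readReply = {
        do { $line = $reader.ReadLine() } while ($line -ne $null -and $line.Length -gt 3 -and $line[3] -eq '-')
        $line
    }
    $send = { param($cmd) $writer.WriteLine($cmd); & $readReply }

    $banner = & $readReply
    $helo   = & $send 'HELO relaytest.local'
    $mail   = & $send "MAIL FROM:<$From>"
    $rcpt   = & $send "RCPT TO:<$To>"
    $null   = & $send 'QUIT'
    $client.Close()

    New-Object PSObject -Property @{
        Server    = ('{0}:{1}' -f $Server, $Port)
        Banner    = $banner
        Helo      = $helo
        MailFrom  = $mail   # "530 5.7.1 Client was not authenticated" = no Anonymous on the connector you hit
        RcptTo    = $rcpt   # "250" = relay accepted; "550 5.7.1 Unable to relay" = relay correctly denied
        OpenRelay = [bool]($rcpt -and $rcpt.StartsWith('250'))
    }
}

Test-SmtpRelay | Format-List
```

The two runs together are the real check: OpenRelay must be True from a script host and False from every other address, including from outside if you can test from there. Which connector answers is decided by the source address (the most specific RemoteIPRanges match wins), which is why the author's telnet from 10.2.8.69 never reached TGCSNET Connector in the first place.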
 

Author Closing Comment by: Thomas Grassi (LVL 23)

All Working now Guys

Thanks for all the help.

Alan

Just installed ORF Fusion now that Email is flowing again

Just have to check all my scripts and some devices have built in email code need to test them

Thanks again