Solved

Exchange 2013 spam, emails bypassing content filtering

Posted on 2015-02-19
Last Modified: 2015-02-23
Here you can see that content filtering was bypassed for most of the mail:

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamSCLHistogram.ps1 -startDate 02/20/2015 | sort name

Name                                                         Value
----                                                         -----
0                                                             1317
1                                                              129
2                                                               33
3                                                               54
4                                                               51
5                                                              120
6                                                               65
7                                                               97
8                                                               93
9                                                               30
not available: content filtering was bypassed.                  89
not available: filter unable to process message. Failure...      3
not available: policy is disabled.                            4356

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Get-ContentFilterConfig


RunspaceId                            : fd87b790-8920-492c-8f5f-19b8a18c3871
Name                                  : ContentFilterConfig
RejectionResponse                     : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients                    : {}
QuarantineMailbox                     : quarantine@cloudex.xyz.com
SCLRejectThreshold                    : 9
SCLRejectEnabled                      : False
SCLDeleteThreshold                    : 9
SCLDeleteEnabled                      : True
SCLQuarantineThreshold                : 6
SCLQuarantineEnabled                  : True
BypassedSenders                       : {}
BypassedSenderDomains                 : {salesforce.com}
Enabled                               : True
ExternalMailEnabled                   : True
InternalMailEnabled                   : False
AdminDisplayName                      :
ExchangeVersion                       : 0.1 (8.0.535.0)
DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport
                                        Settings,CN=Secure-ISS,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=cloud,DC=xyz,DC=com
Identity                              : ContentFilterConfig
Guid                                  : 867187e7-302f-440c-ab58-1efd0c9ccdf0
ObjectCategory                        : cloud.secure-iss.com/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter-Config
ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
WhenChanged                           : 18/02/2015 8:06:08 AM
WhenCreated                           : 7/09/2011 2:33:49 PM
WhenChangedUTC                        : 17/02/2015 10:06:08 PM
WhenCreatedUTC                        : 7/09/2011 4:33:49 AM
OrganizationId                        :
Id                                    : ContentFilterConfig
OriginatingServer                     : CLOUD-PDC01.cloud.xyz.com
IsValid                               : True
ObjectState                           : Unchanged

This is a sample of the problem in the spam logs:

2015-02-18T06:26:38.424Z      192.168.67.198:2525      192.168.67.199:36147      94.66.85.28      <93fb2d71af4242988dcfb83b6a897aee@CLOUD-EXCH02.cloud.xyz.com>      <>      01kxp43xmtae000u72@e-technik.uni-rostock.de;      tony@blogsville.com.au      1      Content Filter Agent      OnEndOfData      AcceptMessage            SCL      not available: policy is disabled.            23200957-b10b-4f46-26d8-08d2195afc5b            Incoming
Question by:maccadu
Expert Comment

by:Simon Butler (Sembee)
ID: 40620969
Do you have multiple Receive Connectors?
The last time I saw something like this it was because the agents were not enabled on the Receive Connector that was accepting email from the internet.

Simon.
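The two things this reply asks about (whether the anti-spam agents are registered and enabled in the Transport service, and which Receive connectors actually accept anonymous internet SMTP) can be read out in one pass. The snippet below is an added example for this thread, not Simon's or maccadu's code; it assumes it is run in the Exchange Management Shell on each multi-role server in turn, and that the anonymous connector is the one the internet traffic lands on (port 2525 in the quoted log line is the Hub Transport proxy hop behind the front end).

```powershell
# Added diagnostic for this thread (not the poster's code). Run on each multi-role server
# from the Exchange Management Shell; nothing here changes configuration.
$antiSpamAgents = 'Content Filter Agent', 'Sender Id Agent', 'Sender Filter Agent',
                  'Recipient Filter Agent', 'Protocol Analysis Agent'

Write-Host "== Anti-spam transport agents on $env:COMPUTERNAME =="
Get-TransportAgent |
    Where-Object { $antiSpamAgents -contains $_.Identity.ToString() } |
    Format-Table Identity, Enabled, Priority -AutoSize

# Agents that are not installed at all do not show up above, so list them explicitly.
$missing = $antiSpamAgents |
    Where-Object { -not (Get-TransportAgent -Identity $_ -ErrorAction SilentlyContinue) }
if ($missing) { Write-Warning "Not installed on this server: $($missing -join ', ')" }

# Every Receive connector that allows anonymous (internet) submission, with the address
# ranges it accepts and the transport role it runs in, so both servers can be compared.
Write-Host "== Receive connectors accepting anonymous SMTP =="
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Format-Table Identity, TransportRole, Bindings, RemoteIPRanges -AutoSize -Wrap
```

Run it on both DAG members and diff the two outputs; a missing or disabled agent on one server, or an anonymous connector that exists on only one of them, is the kind of asymmetry this reply is asking about.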
Author Comment

by:maccadu
ID: 40622482
I believe I have found the problem, but not the solution. We have 2 multirole CAS/mailbox servers in a DAG. We use a round robin DNS that directs incoming connections to either server. Mail that hits the active server (the one with the mailboxes mounted) is filtered correctly, but mail that hits the inactive mailbox server has to transfer the mail to the active server, and because the sending server is registered as internal, all mail is treated as internal and the content filter agent policy is disabled.

So, the question is: How do I tell the system that mail transferred should be filtered?
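The hypothesis in this comment (mail relayed from the partner server is classified as internal and therefore logged with `policy is disabled`) can be checked against the agent log rather than inferred from the SCL histogram. The snippet below is an added example, not part of the thread; it assumes the Exchange Management Shell on the server whose log contains the quoted line, and that the `IPAddress` field Get-AgentLog reports is the connecting peer (192.168.67.199 in the quoted line is the other DAG member).

```powershell
# Added diagnostic for this thread (not the poster's code). Groups one day of Content
# Filter Agent log entries by connecting peer and by the reason recorded, so messages
# that arrived through the partner server's internal transfer can be separated from
# messages received directly from the internet.
$since = (Get-Date).AddDays(-1)

Get-AgentLog -StartDate $since |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Group-Object IPAddress, Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Which peers the transport service already treats as internal hops. Sender ID and
# Connection Filtering use this list to find the real originating IP behind an
# internal relay, so the partner server normally belongs here.
Write-Host "== InternalSMTPServers =="
(Get-TransportConfig).InternalSMTPServers

# The reason text the quoted log line carries, for comparison with the config above:
# InternalMailEnabled is False in Get-ContentFilterConfig, so a message classified as
# internal is not evaluated by the content filter.
Get-ContentFilterConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled
```

If the `policy is disabled` rows cluster under the partner server's address while rows from external addresses carry numeric SCLs, the log confirms what the comment describes: the bypass happens on the hop between the two servers, not at the internet edge.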
Expert Comment

by:Simon Butler (Sembee)
ID: 40622778
You should have filtering enabled on both servers. Don't depend on just one server doing the filtering, because as you have found, once the email is delivered to Exchange it is not filtered because it is internal message transfer.

All servers that accept email from the internet should be configured with the same protection levels, otherwise the protection is close to useless.

Simon.
Author Comment

by:maccadu
ID: 40625038
Thanks Simon. Filtering is enabled on both servers, but it appears that the IPBlockListProviders are not working. The dodgy mail I am seeing replicating to the other server must be because they weren't filtered in the first place.
Running> [PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamTopRBLProviders.ps1
returns no results. Note that we don't have an edge server, just 2 multi-role CAS/Mailbox servers.

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-IPBlockListProvider

Name                        LookupDomain                Priority
----                        ------------                --------
Spamhaus                    zen.spamhaus.org            4
bl.spamcop.net              bl.spamcop.net              1
zen.spamhaus.org            zen.spamhaus.org            5
bb.barracudacentral.org     bb.barracudacentral.org     6
ix.dnsbl.manitu.net         ix.dnsbl.manitu.net         7
combined.njabl.org          combined.njabl.org          8
b.barracudacentral.org      b.barracudacentral.com      9
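A provider list like the one above can be validated without waiting for spam to arrive: every DNS block list publishes the loopback test address 127.0.0.2 as "listed", so a query for `2.0.0.127.<LookupDomain>` must return an A record if the zone is reachable and still operating. The snippet below is an added example, not the poster's code; it assumes the Exchange Management Shell on a Windows Server with the DnsClient module (for `Resolve-DnsName`) and that the server resolves through the same DNS the transport service uses.

```powershell
# Added check for this thread (not the poster's code). Issues the standard DNSBL
# self-test lookup (127.0.0.2, reversed) against each configured provider's LookupDomain.
$testIp   = '127.0.0.2'
$reversed = ($testIp.Split('.')[-1..-4]) -join '.'    # 2.0.0.127

Get-IPBlockListProvider | ForEach-Object {
    $query = "$reversed.$($_.LookupDomain)"
    try {
        $answer = Resolve-DnsName -Name $query -Type A -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.IPAddress } |
                  Select-Object -ExpandProperty IPAddress
        $status = if ($answer) { "listed ($($answer -join ', '))" } else { 'no A record' }
    } catch {
        # NXDOMAIN, timeout or a zone that no longer exists all end up here.
        $status = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Name         = $_.Name
        LookupDomain = $_.LookupDomain
        Priority     = $_.Priority
        TestLookup   = $status
    }
} | Sort-Object Priority | Format-Table -AutoSize
```

Against the list quoted above this would flag the last row, whose LookupDomain (`b.barracudacentral.com`) does not match its name, and show that the two Spamhaus entries at priority 4 and 5 query the same zone; any list that has ceased operating returns a failure instead of a listing. Exchange also ships `Test-IPBlockListProvider -Identity <provider> -IPAddress <ip>`, which exercises the lookup through the transport service itself and is the closer check once the DNS side looks right.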
Accepted Solution

by:Simon Butler (Sembee) earned 500 total points
ID: 40625289
If the filtering is enabled but doesn't appear to be working, then what I would do is disable the filtering.
You will need to uninstall the agents. Once you have done so, restart the MS Exchange transport service.
Reinstall the agents and restart the transport service again.
Then configure it as with the working server so they are identical.

You will probably want to stop the NAT or whatever you have on your firewall sending external SMTP traffic to the problematic server while you reset things.

Simon.
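The reset described in this answer, written out as commands, is given below as an added example (not Simon's or maccadu's own commands). It assumes the Exchange Management Shell on the problematic multi-role server, no Edge server, that external SMTP has already been diverted away from this server at the firewall as the answer suggests, and that the two server addresses from the quoted log line (192.168.67.198 and 192.168.67.199) are the DAG members.

```powershell
# Added example for this thread (not the poster's code). Uninstalls the anti-spam agents,
# reinstalls them with the script that ships with Exchange, and shows the resulting state
# so it can be compared with the working server.
$agents = 'Content Filter Agent', 'Sender Id Agent', 'Sender Filter Agent',
          'Recipient Filter Agent', 'Protocol Analysis Agent'

# 1. Remove whichever anti-spam agents are currently registered, then restart transport.
foreach ($a in $agents) {
    if (Get-TransportAgent -Identity $a -ErrorAction SilentlyContinue) {
        Uninstall-TransportAgent -Identity $a -Confirm:$false
    }
}
Restart-Service MSExchangeTransport

# 2. Reinstall the agents from the Exchange scripts folder and restart transport again.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# 3. Microsoft's install guidance: tell Sender ID and Connection Filtering which hops
#    are internal so they look past the partner server to the real originating IP.
#    Addresses below are the two DAG members visible in the thread; adjust to your own.
Set-TransportConfig -InternalSMTPServers @{Add = '192.168.67.198', '192.168.67.199'}

# 4. Confirm the agents are back and enabled; diff this against the working server.
Get-TransportAgent |
    Where-Object { $agents -contains $_.Identity.ToString() } |
    Format-Table Identity, Enabled, Priority -AutoSize
```

The agent registrations are per server, which is why step 4 is compared server by server; only after both servers show the same agents enabled should the firewall rule sending external SMTP to this server be restored.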
Author Comment

by:maccadu
ID: 40627121
Thanks Simon.

About 12 hours ago I removed all the IPBlockListProviders, re-ran the Anti-malware install script and re-added just one IPBlockListProvider (spamhaus). The blocked IPs are now working, and the amount of spam we have received since then is minimal.

Thank you for your assistance in solving this. I am still mystified about what the actual problem was, but we achieved the desired end result :)