• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2092
  • Last Modified:

Exchange 2013 spam, emails bypassing content filtering

Here you can see that content filtering was bypassed for most of the mail:

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamSCLHistogram.ps1 -startDate 02/20/2015 | sort

Name                                                                                                              Value
----                                                                                                              -----
0                                                                                                                  1317
1                                                                                                                   129
2                                                                                                                    33
3                                                                                                                    54
4                                                                                                                    51
5                                                                                                                   120
6                                                                                                                    65
7                                                                                                                    97
8                                                                                                                    93
9                                                                                                                    30
not available: content filtering was bypassed.                                      89
not available: filter unable to process message. Failure...                    3
not available: policy is disabled.                                                          4356

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Get-ContentFilterConfig

RunspaceId                            : fd87b790-8920-492c-8f5f-19b8a18c3871
Name                                  : ContentFilterConfig
RejectionResponse                     : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients                    : {}
QuarantineMailbox                     : quarantine@cloudex.xyz.com
SCLRejectThreshold                    : 9
SCLRejectEnabled                      : False
SCLDeleteThreshold                    : 9
SCLDeleteEnabled                      : True
SCLQuarantineThreshold                : 6
SCLQuarantineEnabled                  : True
BypassedSenders                       : {}
BypassedSenderDomains                 : {salesforce.com}
Enabled                               : True
ExternalMailEnabled                   : True
InternalMailEnabled                   : False
AdminDisplayName                      :
ExchangeVersion                       : 0.1 (8.0.535.0)
DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport
Identity                              : ContentFilterConfig
Guid                                  : 867187e7-302f-440c-ab58-1efd0c9ccdf0
ObjectCategory                        : cloud.secure-iss.com/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter-Config
ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
WhenChanged                           : 18/02/2015 8:06:08 AM
WhenCreated                           : 7/09/2011 2:33:49 PM
WhenChangedUTC                        : 17/02/2015 10:06:08 PM
WhenCreatedUTC                        : 7/09/2011 4:33:49 AM
OrganizationId                        :
Id                                    : ContentFilterConfig
OriginatingServer                     : CLOUD-PDC01.cloud.xyz.com
IsValid                               : True
ObjectState                           : Unchanged

This is a sample of the problem ]in the spam logs:

2015-02-18T06:26:38.424Z      <93fb2d71af4242988dcfb83b6a897aee@CLOUD-EXCH02.cloud.xyz.com>      <>      01kxp43xmtae000u72@e-technik.uni-rostock.de;      tony@blogsville.com.au      1      Content Filter Agent      OnEndOfData      AcceptMessage            SCL      not available: policy is disabled.            23200957-b10b-4f46-26d8-08d2195afc5b            Incoming
  • 3
  • 3
1 Solution
Simon Butler (Sembee)ConsultantCommented:
Do you have multiple Receive Connectors?
The last time I saw something like this it was because the agents were not enabled on the Receive Connector that was accepting email from the internet.

maccaduAuthor Commented:
I believe I have found the problem, but not the solution. We have 2 multirole CAS/mailbox servers in a DAG. We use a round robin DNS that directs incoming connections to either server. Mail that hits the active server (the one with the mailboxes mounted) is filtered correctly, but mail that hits the inactive mailbox server has to transfer the mail to the active server, and because the sending server is registered as internal, all mail is treated as internal and the content filter agent policy is disabled.

So, the question is: How do I tell the system that mail transferred should be filtered?
Simon Butler (Sembee)ConsultantCommented:
You should have filtering enabled on both servers. Don't depend on just one server doing the filtering, because as you have found, once the email is delivered to Exchange it is not filtered because it is internal message transfer.

All servers that accept email from the internet should be configured with the same protection levels, otherwise the protection is close to useless.

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

maccaduAuthor Commented:
Thanks Simon. Filtering is enabled on both  servers, but it appears that the IPBlockListProvider's are not working. The dodgy mail I am seeing replicating to the other server must be because they weren't filtered in the first place.
Running> [PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamTopRBLProviders.ps1
returns no results. Note that we don't have an edge server, just 2 multi-role CAS/Mailbox servers.

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-IPBlockListProvider

Name                                    LookupDomain                            Priority
----                                    ------------                            --------
Spamhaus                                   zen.spamhaus.org                       4
bl.spamcop.net                          bl.spamcop.net                             1
zen.spamhaus.org                     zen.spamhaus.org                       5
bb.barracudacentral.org           bb.barracudacentral.org            6
ix.dnsbl.manitu.net                    ix.dnsbl.manitu.net                     7
combined.njabl.org                    combined.njabl.org                     8
b.barracudacentral.org              b.barracudacentral.com            9
Simon Butler (Sembee)ConsultantCommented:
If the filtering is enabled but doesn't appear to be working, then what I would do is disable the filtering.
You will need to uninstall the agents. Once you have done so, restart the MS Exchange transport service.
Reinstall the agents and restart the transport service again.
Then configure it as with the working server so they are identical.

You will probably want to stop the NAT or whatever you have on your firewall sending external SMTP traffic to the problematic server while you reset things.

maccaduAuthor Commented:
Thanks Simon.

About 12 hours ago I removed all the IPBlockListProvider's, re-ran the Anti-malware install script and re-added just one IPBlockListProvider (spamhaus). The blocked IP's are now working, and the amount of spam we have received since then is minimal.

Thank you for your assistance in solving this. I am still mystified about what the actual problem was, but we achieved the desired end result :)

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now