maccadu asked:

Exchange 2013 spam, emails bypassing content filtering

Here you can see that content filtering was bypassed for most of the mail:

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamSCLHistogram.ps1 -startDate 02/20/2015 | sort name

Name                                                          Value
----                                                          -----
0                                                              1317
1                                                               129
2                                                                33
3                                                                54
4                                                                51
5                                                               120
6                                                                65
7                                                                97
8                                                                93
9                                                                30
not available: content filtering was bypassed.                   89
not available: filter unable to process message. Failure...       3
not available: policy is disabled.                             4356

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Get-ContentFilterConfig


RunspaceId                            : fd87b790-8920-492c-8f5f-19b8a18c3871
Name                                  : ContentFilterConfig
RejectionResponse                     : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients                    : {}
QuarantineMailbox                     : quarantine@cloudex.xyz.com
SCLRejectThreshold                    : 9
SCLRejectEnabled                      : False
SCLDeleteThreshold                    : 9
SCLDeleteEnabled                      : True
SCLQuarantineThreshold                : 6
SCLQuarantineEnabled                  : True
BypassedSenders                       : {}
BypassedSenderDomains                 : {salesforce.com}
Enabled                               : True
ExternalMailEnabled                   : True
InternalMailEnabled                   : False
AdminDisplayName                      :
ExchangeVersion                       : 0.1 (8.0.535.0)
DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport
                                        Settings,CN=Secure-ISS,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=cloud,DC=xyz,DC=com
Identity                              : ContentFilterConfig
Guid                                  : 867187e7-302f-440c-ab58-1efd0c9ccdf0
ObjectCategory                        : cloud.secure-iss.com/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter-Config
ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
WhenChanged                           : 18/02/2015 8:06:08 AM
WhenCreated                           : 7/09/2011 2:33:49 PM
WhenChangedUTC                        : 17/02/2015 10:06:08 PM
WhenCreatedUTC                        : 7/09/2011 4:33:49 AM
OrganizationId                        :
Id                                    : ContentFilterConfig
OriginatingServer                     : CLOUD-PDC01.cloud.xyz.com
IsValid                               : True
ObjectState                           : Unchanged

This is a sample of the problem in the spam logs:

2015-02-18T06:26:38.424Z      192.168.67.198:2525      192.168.67.199:36147      94.66.85.28      <93fb2d71af4242988dcfb83b6a897aee@CLOUD-EXCH02.cloud.xyz.com>      <>      01kxp43xmtae000u72@e-technik.uni-rostock.de;      tony@blogsville.com.au      1      Content Filter Agent      OnEndOfData      AcceptMessage            SCL      not available: policy is disabled.            23200957-b10b-4f46-26d8-08d2195afc5b            Incoming
Simon Butler (Sembee):

Do you have multiple Receive Connectors?
The last time I saw something like this it was because the agents were not enabled on the Receive Connector that was accepting email from the internet.

Simon.
maccadu (ASKER):

I believe I have found the problem, but not the solution. We have 2 multirole CAS/mailbox servers in a DAG. We use a round robin DNS that directs incoming connections to either server. Mail that hits the active server (the one with the mailboxes mounted) is filtered correctly, but mail that hits the inactive mailbox server has to transfer the mail to the active server, and because the sending server is registered as internal, all mail is treated as internal and the content filter agent policy is disabled.

So, the question is: How do I tell the system that mail transferred should be filtered?

You should have filtering enabled on both servers. Don't depend on just one server doing the filtering, because as you have found, once the email is delivered to Exchange it is not filtered because it is internal message transfer.

All servers that accept email from the internet should be configured with the same protection levels, otherwise the protection is close to useless.

Simon.
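An added audit script, not from either participant, that checks across every Mailbox (transport) server the three things this exchange turns on: the org-wide content filter scope (the thread's ContentFilterConfig has InternalMailEnabled = False, so a server-to-server hop is never filtered), whether the anti-spam agents are actually present and enabled on each server's Hub Transport service, and which Receive Connectors accept sessions that Exchange treats as internal. It assumes Exchange 2013 Mailbox servers and uses only standard Exchange 2013 cmdlets; server names are read from the organisation rather than assumed.

```powershell
# Added audit (not from the thread). Run in the Exchange Management Shell on
# an Exchange 2013 Mailbox server; every cmdlet below is a standard 2013 cmdlet.

# 1. Org-wide scope. InternalMailEnabled=False (the thread's setting) means a
#    message relayed server-to-server is never content-filtered, so it must be
#    filtered on whichever server first accepts it from the internet.
$cf = Get-ContentFilterConfig
"ContentFilter: Enabled={0} ExternalMailEnabled={1} InternalMailEnabled={2} QuarantineAt={3} DeleteAt={4}" -f `
    $cf.Enabled, $cf.ExternalMailEnabled, $cf.InternalMailEnabled, $cf.SCLQuarantineThreshold, $cf.SCLDeleteThreshold

# Agents that Install-AntiSpamAgents.ps1 registers on a Mailbox server. They are
# registered per server, so one DAG member can have them and the other not.
$wanted = 'Content Filter Agent', 'Sender Id Agent', 'Sender Filter Agent',
          'Recipient Filter Agent', 'Protocol Analysis Agent'

foreach ($srv in (Get-TransportService | Sort-Object Name)) {
    # 2. Agent state on this server's Hub Transport service
    $agents = Get-TransportAgent -Server $srv.Name -TransportService Hub
    foreach ($name in $wanted) {
        $a = $agents | Where-Object { $_.Identity -eq $name }
        $state = if (-not $a) { 'MISSING' } elseif ($a.Enabled) { 'enabled' } else { 'DISABLED' }
        "{0,-16} agent {1,-24} {2}" -f $srv.Name, $name, $state
    }

    # 3. Receive Connectors. ExternalAuthoritative, or a peer that authenticates
    #    as an Exchange server, produces a session Exchange counts as internal,
    #    and the anti-spam agents skip it. An internet-facing connector should
    #    offer neither to arbitrary peers.
    foreach ($rc in Get-ReceiveConnector -Server $srv.Name) {
        $flags = @()
        if ($rc.AuthMechanism -match 'ExternalAuthoritative') { $flags += 'EXTERNAL-AUTHORITATIVE' }
        if ($rc.PermissionGroups -match 'ExchangeServers')    { $flags += 'exchange-servers-allowed' }
        "{0,-16} connector '{1}' role={2} bindings={3} remote={4} {5}" -f $srv.Name, $rc.Name,
            $rc.TransportRole, ($rc.Bindings -join ','), ($rc.RemoteIPRanges -join ','), ($flags -join ' ')
    }
}
```

Read the output per server: any agent reported MISSING or DISABLED on one DAG member explains a histogram like the one above, where most mail ends up as "policy is disabled". The exchange-servers-allowed flag is informational on the default front-end connector (anonymous internet peers cannot complete Exchange server authentication), but combined with ExternalAuthoritative, or on a connector whose remote range is the whole internet, it means everything that connector accepts is treated as internal mail.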
maccadu (ASKER):

Thanks Simon. Filtering is enabled on both servers, but it appears that the IPBlockListProviders are not working. The dodgy mail I am seeing replicating to the other server must be because it wasn't filtered in the first place.

Running

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamTopRBLProviders.ps1

returns no results. Note that we don't have an Edge server, just 2 multi-role CAS/Mailbox servers.

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-IPBlockListProvider

Name                       LookupDomain               Priority
----                       ------------               --------
Spamhaus                   zen.spamhaus.org           4
bl.spamcop.net             bl.spamcop.net             1
zen.spamhaus.org           zen.spamhaus.org           5
bb.barracudacentral.org    bb.barracudacentral.org    6
ix.dnsbl.manitu.net        ix.dnsbl.manitu.net        7
combined.njabl.org         combined.njabl.org         8
b.barracudacentral.org     b.barracudacentral.com     9
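An added check, not from the thread, for the provider list above: it queries each configured zone directly using the DNSBL convention (the reversed test address 127.0.0.2, i.e. 2.0.0.127.<zone>, is always listed and answers with a 127.0.0.x code when the zone is reachable), then asks Exchange itself via Test-IPBlockListProvider. It assumes an Exchange 2013 Management Shell on Windows Server 2012 or later (Resolve-DnsName); the test address is the standard self-test value, not a real sender.

```powershell
# Added check (not from the thread). Run in the Exchange Management Shell.
# A provider whose zone never answers cannot block anything, which is what an
# empty get-AntispamTopRBLProviders.ps1 report looks like.
$testIp   = '127.0.0.2'                            # DNSBL self-test address, not a real sender
$reversed = ($testIp.Split('.')[3..0]) -join '.'   # '2.0.0.127'

# Org-wide switch for IP block list providers (separate from ContentFilterConfig)
$cfg = Get-IPBlockListProvidersConfig
"IPBlockListProviders: Enabled={0} ExternalMailEnabled={1} InternalMailEnabled={2}" -f `
    $cfg.Enabled, $cfg.ExternalMailEnabled, $cfg.InternalMailEnabled

foreach ($p in (Get-IPBlockListProvider | Sort-Object Priority)) {
    $query = "$reversed.$($p.LookupDomain)"
    try {
        # Direct DNS answer; a listing comes back as one or more 127.0.0.x addresses
        $dns = (Resolve-DnsName -Name $query -Type A -ErrorAction Stop |
                Where-Object { $_.IPAddress }).IPAddress -join ','
        if (-not $dns) { $dns = 'no A record' }
    } catch {
        $dns = 'NXDOMAIN/unreachable'
    }
    # Exchange's own lookup; Matched is $true when it saw the test address listed
    $exch = Test-IPBlockListProvider -Identity $p.Identity -IPAddress $testIp
    "{0,2} {1,-26} enabled={2,-5} zone={3,-26} dns={4,-22} exchange.Matched={5}" -f `
        $p.Priority, $p.Name, $p.Enabled, $p.LookupDomain, $dns, $exch.Matched
}
```

Two things in the list above will show up immediately: the same zone (zen.spamhaus.org) is configured twice under different names, and the last entry's lookup domain ends in .com while its name ends in .org, so the query tells you whether that zone answers at all. A row where dns shows a listing but exchange.Matched is False points at Exchange rather than at the provider. Some providers answer with a 127.255.255.x error code instead of a listing when queried through a large public resolver, so run this with the resolver the Exchange servers actually use.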
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee):

This solution is only available to members.
maccadu (ASKER):

Thanks Simon.

About 12 hours ago I removed all the IPBlockListProviders, re-ran the Anti-malware install script and re-added just one IPBlockListProvider (spamhaus). The blocked IPs are now working, and the amount of spam we have received since then is minimal.

Thank you for your assistance in solving this. I am still mystified about what the actual problem was, but we achieved the desired end result :)