Spammers bypassing MX records direct to the server

Costas Georgiou
Hi Team,
One of my users is receiving a lot of spam, and after analyzing the header I found that the email is getting delivered directly to my server and not through my MX records.

How can I stop spammers from submitting emails direct to my server?

We are running Exchange 2013.
Thanks
Huh?

How can you tell from the logs how a spammer determined your IP address? Was the email delivered via an address you have listening on port 25 but not pointed to by an MX record?
Costas GeorgiouNetwork Administrator

Author

Commented:
Correct: All my emails come through Trend Micro, and for spam emails I can see the email is delivered direct to my IP.

2 Samples below

Spam Email
Received:  by Server Name (192.168.75.3) with Microsoft SMTP Server (TLS) id
 15.0.1130.7; Wed, 20 Jan 2016 10:47:27 +1100
Received: from 64.203.220.232.dyn-cm-pool-29.pool.hargray.net (64.203.220.232)
 by MyServer.local (192.168.75.3) with Microsoft SMTP Server id
 15.0.1130.7 via Frontend Transport; Wed, 20 Jan 2016 10:47:24 +1100

Non Spam Email:
Received: from iout2.hes.trendmicro.com (54.219.191.112) by
 MyServer.local (192.168.75.3) with Microsoft SMTP Server (TLS) id
 15.0.1130.7 via Frontend Transport; Wed, 20 Jan 2016 10:43:38 +1100
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Do you allow a direct connection to your server for employee and support access?  That is, direct instead of VPN?

Costas GeorgiouNetwork Administrator

Author

Commented:
Sorry John, I did not get your question.

With direct access do you mean Outlook Anywhere?
Outlook Anywhere: yes
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
How do you access your servers from a remote location?
Reconfigure your Exchange server or front-end firewall to only accept incoming email from Trend's IPs, on port 25.
Costas GeorgiouNetwork Administrator

Author

Commented:
Malmensa: Thanks, I agree, I am working on that now.
We have a Cisco router and no firewall. Just trying to figure that out.
Jeff GloverSr. Systems Administrator

Commented:
If you just have a Cisco router, then use an ACL to do what Malmensa recommended
Yep, either an ACL on the router, or reconfig of Exchange should work just fine.
Costas GeorgiouNetwork Administrator

Author

Commented:
@ Malmensa: could you please shed some light on the Exchange configuration if possible.
Thanks
Network Administrator
Commented:
Thanks guys for your help.

I removed the backup MX records and the spam has stopped altogether now.

First of its kind as always.
Thanks
Costas GeorgiouNetwork Administrator

Author

Commented:
No one pointed out the solution of removing the backup MX records.
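
The header check done by hand earlier in the thread (find the host that handed the message to the server and see whether it is one of the filtering service's relays), as an added example that is not part of the original thread. It compares the recorded connecting IP rather than the host name; the trusted-relay list is an assumption holding only the one relay address from the non-spam sample, and the real ranges have to come from the filtering provider.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: replace with the relay ranges your filtering provider publishes.
# The one address here is just the relay seen in the thread's non-spam sample.
TRUSTED_RELAYS = [ipaddress.ip_network("54.219.191.112/32")]

# "from <recorded name> (<connecting ip>) by <server>", as in the thread's samples.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+\S+", re.I)

def edge_hop(raw_message):
    """Return (recorded_name, ip) for the newest hop that came from a public address."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):        # newest hop is listed first
        m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
        if not m:
            continue                                 # e.g. a "by ..." only hop
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue                                 # malformed address, ignore hop
        if not ip.is_private:                        # skip internal relays
            return m.group(1), ip
    return None

def bypassed_filter(raw_message):
    """True when mail reached the server from a host outside TRUSTED_RELAYS."""
    hop = edge_hop(raw_message)
    if hop is None:
        return False                                 # no external hop recorded
    return not any(hop[1] in net for net in TRUSTED_RELAYS)

# Constructed messages: Received lines copied from the thread, the rest is filler.
SPAM = (
    "Received: by Server Name (192.168.75.3) with Microsoft SMTP Server (TLS) id\n"
    " 15.0.1130.7; Wed, 20 Jan 2016 10:47:27 +1100\n"
    "Received: from 64.203.220.232.dyn-cm-pool-29.pool.hargray.net (64.203.220.232)\n"
    " by MyServer.local (192.168.75.3) with Microsoft SMTP Server id\n"
    " 15.0.1130.7 via Frontend Transport; Wed, 20 Jan 2016 10:47:24 +1100\n"
    "Subject: sample\n\nbody\n"
)
CLEAN = (
    "Received: from iout2.hes.trendmicro.com (54.219.191.112) by\n"
    " MyServer.local (192.168.75.3) with Microsoft SMTP Server (TLS) id\n"
    " 15.0.1130.7 via Frontend Transport; Wed, 20 Jan 2016 10:43:38 +1100\n"
    "Subject: sample\n\nbody\n"
)
print("spam bypassed:", bypassed_filter(SPAM), "| clean bypassed:", bypassed_filter(CLEAN))
```

Run over a mailbox export, this shows how much mail is still arriving around the filter before and after an ACL, connector or MX change.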
