tech911 asked:
Exchange Server 2010 - Single User - Large Amounts Of Spam : Compromised?

Have 10 user network
Running Win 2k8 Servers, with Exchange 2010
Running all SMTP mail through the Microsoft O365 Email Filter/AntiSpam system in the cloud (Smarthost)
Have one of the users getting about 400 spam messages per day.

Checked the properties of the spam mail - Does NOT appear to be coming in from outside, does not show that it was received from the Microsoft Smarthost (aka Antispam/Filtering Server out at O365), although a lot of the info appears to be missing?

I am thinking there is either a bug on our system or someone's account is compromised and the messages/spam are coming from one of my 10 users.

How can I tell where those messages are coming from? I recall turning on some verbose logging, then checking the event logs, but I cannot remember how to do it.

Thanks in advance.
Simon Butler (Sembee)

If you had a compromised account I think that all of your users would be receiving the email. Furthermore, compromised accounts are usually abused to send spam, rather than receive it.

Do you have your firewall and/or Exchange locked down to only accept email from the filter? If not, that is probably your issue. A spammer has identified your server, realised it is allowing connections and is targeting you directly. That would explain the lack of content in the header - the message is being delivered directly to your server than via MX record lookup.

Simon.
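One way to check Simon's explanation from the Exchange side, as an added example that is not part of the thread: the message tracking log records the peer that handed each message to Exchange, so any mail to the affected mailbox that did not arrive from the EOP address ranges came straight in from the Internet. It assumes the Exchange 2010 Management Shell on the Hub Transport server; the mailbox address and the two CIDR ranges are placeholders (the real EOP ranges come from Microsoft's published list).

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell
# on the server holding the Hub Transport role.
# Lists every host that delivered SMTP mail to the affected mailbox in the last
# day and flags those outside the EOP smarthost ranges as direct deliveries.
$Mailbox   = 'user@example.com'                      # placeholder: the affected recipient
$EopRanges = @('192.0.2.0/24', '198.51.100.0/24')    # PLACEHOLDERS: substitute Microsoft's published EOP ranges

# IPv4 CIDR membership test written without -shl so it also runs on PowerShell 2.0.
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 not handled here
    $net, $bits = $Cidr.Split('/')
    $ipInt = [double]0; $netInt = [double]0                         # 32-bit values fit a double exactly
    foreach ($b in $addr.GetAddressBytes()) { $ipInt = $ipInt * 256 + $b }
    foreach ($b in [System.Net.IPAddress]::Parse($net).GetAddressBytes()) { $netInt = $netInt * 256 + $b }
    $hostSize = [math]::Pow(2, 32 - [int]$bits)      # number of addresses in the host part
    return ([math]::Floor($ipInt / $hostSize) -eq [math]::Floor($netInt / $hostSize))
}

# RECEIVE events with Source SMTP are messages accepted by a Receive connector;
# ClientIp is the peer that handed the message to Exchange, ConnectorId the connector that took it.
$hits = Get-MessageTrackingLog -EventId RECEIVE -Recipients $Mailbox `
            -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
        Where-Object { $_.Source -eq 'SMTP' } |
        Select-Object Timestamp, ClientIp, ClientHostname, ConnectorId, Sender, MessageSubject,
            @{ n = 'ViaEOP'; e = { $ip = $_.ClientIp
                                   @($EopRanges | Where-Object { Test-IpInCidr $ip $_ }).Count -gt 0 } }

# Anything with ViaEOP = False bypassed the filter: that is the hole to close.
$hits | Group-Object ViaEOP, ClientIp | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$hits | Where-Object { -not $_.ViaEOP } | Select-Object -First 10 |
    Format-List Timestamp, ClientIp, ClientHostname, ConnectorId, Sender, MessageSubject
```

If the tracking logs live on more than one Hub Transport server, run the query against each one with the cmdlet's -Server parameter.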
btan

If you set up a spam filter with the default action, which is to "Move message to Junk Email folder", the spam is supposed to be routed to each user's Junk Email folder. For the info on EOP:
https://technet.microsoft.com/en-us/library/jj837173(v=exchg.150).aspx

Also, Advanced spam filtering (ASF) options give administrators the ability to inspect various content attributes of a message. ASF options can be set on, off, or to test mode. The test mode may also help to check on the High confidence spam setting:
https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

Configure your spam filter policies
To ensure that spam is being properly detected and acted upon, you can send a GTUBE message through the service. Similar to the EICAR antivirus test file, GTUBE provides a test by which you can verify that the service is detecting incoming spam. A GTUBE message should always be detected as spam by the spam filter, and the actions that are performed upon the message should match your configured settings.

Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
https://technet.microsoft.com/en-us/library/jj200684(v=exchg.150).aspx
Also do ensure that proper SPF records are set up in DNS. This helps as the SPF records validate that mail sent from a domain really is coming from that domain and is not spoofed.

Also there is an email trace tool to help check on the spam tagged to that specific email.
To find out why a message was marked as spam, run the message trace (see Run a message trace), locate the message in the results, and then view specific details about the message:
https://technet.microsoft.com/en-sg/library/aa49e3f9-a5b1-4410-aac2-ddbbf3f5bfb2(v=exchg.150)#BKMB_Whywasamessagemarkedasspam
tech911 (ASKER)

Gentlemen

Thank you for the response.

Here is what has transpired since my last post.

We turned off all computers and wireless access points only the domain controller and exchange were on... still receiving spam that does not appear to be flowing through the EOP so it is not a machine on the network relaying.

Only 2 users mailboxes are receiving the messages.

I have put in transport filters for top level domains .top .link .download and .xyz
This has mitigated the spam going into the mailboxes, but doesn't really fix the problem.

I attempted to allow only email from the MSFT EOP IP addresses to come into the system, but that does not seem to help.

So my question or request would be: can either of you give me a checklist of places / configuration options I should check to validate I have things configured properly?

I am using EOP as a smart host.

How could the messages be circumventing the EOP system?

This check may be useful as it touches on MX and spam filtering to make it effective.
If your domain’s MX record doesn’t point to Office 365, the spam filters won’t be as effective. If your MX record doesn’t point to Office 365, there will be some valid messages that the service misclassifies as spam and some spam messages that the service misclassifies as legitimate email.

Whatever your needs, this guide will help you understand how your MX records, SPF records, and, potentially, connectors need to be set up.
https://technet.microsoft.com/en-sg/library/jj937232(v=excg.150).aspx
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
tech911 (ASKER)

I agree that I have a hole somewhere?

On the firewall I have HTTP and HTTPS open and available so that they (my users) can use OWA.

I am thinking that is my issue, but I am not sure.

I only have 80, 443, and 25 open and routing to exchange.

I will begin to turn things off and see where we are.

Chris

I am thinking of some sanity check...

Use the Get-HostedConnectionFilterPolicy cmdlet to review your settings, and the Set-HostedConnectionFilterPolicy to edit your connection filter policy settings.

Check the IP Allow list and look out for any spam confidence level (SCL) that may have -1 (meaning it is classified as non-spam) for all domains. Also check any Transport rule that sets the SCL for all domains, especially if there is any exception for the domain set to 0.

Check for any condition-based rules that specify the users, groups, and/or domains for whom to apply this policy. Custom policies always take precedence over the default policy.

I am thinking if there is any list that needs to be in sync between EOP and OWA. By using the directory synchronization tool, the service uses your user's safe sender list or blocked sender lists the same way as if they were being managed directly on-premises. What this means is that messages sent from Outlook or OWA synced safe senders will pass through the service without being spam filtered, whereas messages sent from synced blocked senders will be marked as spam.

Note that it may take up to 3 hours for any changes to your synced safe or blocked senders lists to take effect.
https://technet.microsoft.com/en-SG/library/dn133608(v=exchg.150).aspx
tech911 (ASKER)

I eventually figured it out.
While I was restricting mail by IP in the antispam tool, I did not do it at the connector level. Thus, I was, as Sembee thought, accepting mail from all servers... a mistake since I have the client set up on EOP.

Once I restricted the IPs to accept mail from on the connector, everything cleared up.

I appreciate your assistance and effort.

Thank you,

Chris
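The connector-level fix the asker describes above (and that Simon's first reply pointed at), as an added example that is not part of the thread: find any Receive connector that listens on port 25 and accepts the whole Internet, then restrict it to the EOP smarthost ranges and verify. It assumes the Exchange 2010 Management Shell; the connector identity and the CIDR ranges are placeholders (the real EOP ranges come from Microsoft's published list).

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell.
# Reproduces the gap the asker found: a Receive connector bound to port 25 that
# accepts mail from the whole Internet, then restricts it to the EOP smarthost.
$Connector = 'MAILSERVER\Default MAILSERVER'         # placeholder: your Internet-facing connector
$EopRanges = @('192.0.2.0/24', '198.51.100.0/24')    # PLACEHOLDERS: use Microsoft's published EOP ranges

# 1. Audit: which connectors listen on port 25 and accept 0.0.0.0-255.255.255.255?
#    This is what "accepting mail from all servers" looks like in the configuration.
$open = Get-ReceiveConnector | Where-Object {
    ($_.Bindings | Where-Object { $_.Port -eq 25 }) -and
    ($_.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' })
}
$open | Format-Table Identity, Bindings, RemoteIPRanges -AutoSize

# 2. Fix: only the filter may deliver Internet mail to this connector. LAN devices
#    that submit via SMTP (scanners, monitoring) belong on a separate connector
#    limited to their own addresses, not on this one.
Set-ReceiveConnector -Identity $Connector -RemoteIPRanges $EopRanges

# 3. Verify. Mirror the same source restriction on the firewall rule for TCP 25
#    so the connector setting is not the only control.
Get-ReceiveConnector -Identity $Connector | Format-List Identity, Bindings, RemoteIPRanges
```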