We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
5 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Exchange 2013 spam
Posted on 2016-08-31
Can someone explain me how to block this king of spam please
It's a spam that came from outside but look like it was send by a user in our domain to another user from our domain
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Tue, 23 Aug 2016 13:53:35 -0400
Received: from mail.mydomain.ca (192.168.xx.xx) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 56D127B81B2
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
X-MTA-CheckPoint: {57BC8D9F-0-562A8C0-4A0207
X-Control-Analysis: str=0001.0A0B0202.57BC8D9F
Received: from p3plwbeout10-04.prod.phx3.
by mail.mydomain.ca (Postfix) with ESMTP id 2F0977B81A4
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
Received: from localhost ([97.74.135.154])
by p3plwbeout10-04.prod.phx3.
id ahta1t0013L2auR01htaKy; Tue, 23 Aug 2016 10:53:34 -0700
X-SID: ahta1t0013L2auR01
Received: (qmail 15479 invoked by uid 99); 23 Aug 2016 17:53:34 -0000
Content-Transfer-Encoding:
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 192.64.7.98
User-Agent: Workspace Webmail 6.4.6
Message-ID: <20160823105332.e1852152ce
From: " firstname lastname" <firstname.lastname@mydoma
X-Sender: info@objectifsurveillance.
Reply-To: " firstname lastname" <chiefexecutiveoficer@aol.
To: <accueil@mydomain.ca>
Subject: Bonjour
Date: Tue, 23 Aug 2016 10:53:32 -0700
MIME-Version: 1.0
Return-Path: info@objectifsurveillance.
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: Fail (MYSERVEREXCHANGE.mydomain
firstname.lastname@mydomai
sender) receiver=MYSERVEREXCHANGE.
client-ip=192.168.xx.xx; helo=mail.mydomain.ca;
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
And second
Why these kind of porn spam is not block :)
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Mon, 29 Aug 2016 09:49:29 -0400
Received: from mail.mydomain.ca (192.168.100.253) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 285BB7F0670
for <firstname.lastname@mydoma
X-MTA-CheckPoint: {57C43D69-0-462A8C0-386307
X-Control-Analysis: str=0001.0A0B0208.57C43D69
Received: from server77-68-38-173.live-se
by mail.mydomain.ca (Postfix) with ESMTP id DDA987F0672
for <firstname.lastname@mydoma
Received: by server77-68-38-173.live-se
id B29A0E03836; Mon, 29 Aug 2016 14:49:22 +0100 (BST)
To: <firstname.lastname@mydoma
Subject: Watch Me Put My Whole Fist In My Snatch
X-PHP-Originating-Script: 33:footer12.php(1968) : eval()'d code
Date: Mon, 29 Aug 2016 14:49:22 +0100
From: Diane Martin <diane_martin@fguk.eu>
Message-ID: <6bb3402c9fe12eff2f5b0483e
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_6bb3402c9fe12
Content-Transfer-Encoding:
Return-Path: diane_martin@fguk.eu
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: None (MYSERVEREXCHANGE.mydomain
does not designate permitted sender hosts)
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
None;OrigIP:192.168.100.25
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Thanks for your help
It's a spam that came from outside but look like it was send by a user in our domain to another user from our domain
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Tue, 23 Aug 2016 13:53:35 -0400
Received: from mail.mydomain.ca (192.168.xx.xx) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 56D127B81B2
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
X-MTA-CheckPoint: {57BC8D9F-0-562A8C0-4A0207
X-Control-Analysis: str=0001.0A0B0202.57BC8D9F
Received: from p3plwbeout10-04.prod.phx3.
by mail.mydomain.ca (Postfix) with ESMTP id 2F0977B81A4
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
Received: from localhost ([97.74.135.154])
by p3plwbeout10-04.prod.phx3.
id ahta1t0013L2auR01htaKy; Tue, 23 Aug 2016 10:53:34 -0700
X-SID: ahta1t0013L2auR01
Received: (qmail 15479 invoked by uid 99); 23 Aug 2016 17:53:34 -0000
Content-Transfer-Encoding:
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 192.64.7.98
User-Agent: Workspace Webmail 6.4.6
Message-ID: <20160823105332.e1852152ce
From: " firstname lastname" <firstname.lastname@mydoma
X-Sender: info@objectifsurveillance.
Reply-To: " firstname lastname" <chiefexecutiveoficer@aol.
To: <accueil@mydomain.ca>
Subject: Bonjour
Date: Tue, 23 Aug 2016 10:53:32 -0700
MIME-Version: 1.0
Return-Path: info@objectifsurveillance.
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: Fail (MYSERVEREXCHANGE.mydomain
firstname.lastname@mydomai
sender) receiver=MYSERVEREXCHANGE.
client-ip=192.168.xx.xx; helo=mail.mydomain.ca;
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
And second
Why these kind of porn spam is not block :)
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Mon, 29 Aug 2016 09:49:29 -0400
Received: from mail.mydomain.ca (192.168.100.253) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 285BB7F0670
for <firstname.lastname@mydoma
X-MTA-CheckPoint: {57C43D69-0-462A8C0-386307
X-Control-Analysis: str=0001.0A0B0208.57C43D69
Received: from server77-68-38-173.live-se
by mail.mydomain.ca (Postfix) with ESMTP id DDA987F0672
for <firstname.lastname@mydoma
Received: by server77-68-38-173.live-se
id B29A0E03836; Mon, 29 Aug 2016 14:49:22 +0100 (BST)
To: <firstname.lastname@mydoma
Subject: Watch Me Put My Whole Fist In My Snatch
X-PHP-Originating-Script: 33:footer12.php(1968) : eval()'d code
Date: Mon, 29 Aug 2016 14:49:22 +0100
From: Diane Martin <diane_martin@fguk.eu>
Message-ID: <6bb3402c9fe12eff2f5b0483e
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_6bb3402c9fe12
Content-Transfer-Encoding:
Return-Path: diane_martin@fguk.eu
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: None (MYSERVEREXCHANGE.mydomain
does not designate permitted sender hosts)
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
None;OrigIP:192.168.100.25
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Thanks for your help
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
9-
8
- +3
22 Comments
Active 2 days ago
This is not a direct answer to your question as we do not use and of the anti spam features of Exchange. However, going forward, you may want to consider an external anti-spam and email filtering system. Theses systems will filter your email for Spam, and virus infections. Some will also include archiving and secure messaging as well as a host of other features that you may find useful.
We use Mimecast and have been extremely happy with the service.
We use Mimecast and have been extremely happy with the service.
Yes i know all this but we are using a checkpoint firewall and it's supposed to do this job but it's not doing it's job apparently (i have a ticket open with them)
For now i was trying to block this by exchange
For now i was trying to block this by exchange
Active 1 day ago
Hi,
maybe you can create transport rule to block email with X-MS-Exchange-Organization
There is a good article on how to do it here:
http://markgossa.blogspot.rs/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html
Maybe it wont do all the job, but it will help at least a bit.
Regards,
Ivan.
maybe you can create transport rule to block email with X-MS-Exchange-Organization
There is a good article on how to do it here:
http://markgossa.blogspot.rs/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html
Maybe it wont do all the job, but it will help at least a bit.
Regards,
Ivan.
Active today
The emails are coming from GoDaddy, and unless you wish to block GoDaddy, you need to implement a spam filter that can look at the body of the email and block it based on characteristics of the email body.
As far as I know, Exchange won't do that.
As far as I know, Exchange won't do that.
But this is the header of a good email
Header Name Header Value
X-MTA-CheckPoint {57C6D116-0-462A8C0-3D8E07
X-Control-Analysis str=0001.0A0B0205.57C6D116
Date Wed, 31 Aug 2016 05:44:05 -0700
From Experts Exchange <noreply@experts-exchange.
To <support@mydomain.ca>
Message-ID <1534115608.0.147264744618
Subject An Expert Comment has been posted: Exchange 2013 spam
MIME-Version 1.0
Content-Type text/html; charset="UTF-8"
Content-Transfer-Encoding quoted-printable
X-Mailer Experts Exchange
Return-Path noreply@experts-exchange.c
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF SoftFail (myexchangeserver.mydomain
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
If we look at the Received-SPF it tell us it's SOFTFAIL and it state my internal ip address of my firewall 192.168.xx.xx
Here is my SPF record ive create
mydomain.qc.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
mydomain.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
Is it supposed to be like that ?
Header Name Header Value
X-MTA-CheckPoint {57C6D116-0-462A8C0-3D8E07
X-Control-Analysis str=0001.0A0B0205.57C6D116
Date Wed, 31 Aug 2016 05:44:05 -0700
From Experts Exchange <noreply@experts-exchange.
To <support@mydomain.ca>
Message-ID <1534115608.0.147264744618
Subject An Expert Comment has been posted: Exchange 2013 spam
MIME-Version 1.0
Content-Type text/html; charset="UTF-8"
Content-Transfer-Encoding quoted-printable
X-Mailer Experts Exchange
Return-Path noreply@experts-exchange.c
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF SoftFail (myexchangeserver.mydomain
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
If we look at the Received-SPF it tell us it's SOFTFAIL and it state my internal ip address of my firewall 192.168.xx.xx
Here is my SPF record ive create
mydomain.qc.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
mydomain.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
Is it supposed to be like that ?
Just as a question (as I have come across this before) - have you installed/activated the Exchange 2013 Anti-Spam agents? If memory serves they don't auto install when you setup Exchange and a number of techies I've spoken to in the past forget they have to install them separately.
If only internal systems send email from your domain (i.e. you have no other external services using your domain for emailing such as websites or scanners in external offices) you could look at disabling smtp-accept-authoritative-
Instructions are here: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html (I believe it still works with 2013).
Basically this will look at any email it recieves and if it states it's from your internal domain, it will refuse it (as internal emails should be using a different recieve connector).
Exchange's own anti-spam agents are not very good and very limited.
If only internal systems send email from your domain (i.e. you have no other external services using your domain for emailing such as websites or scanners in external offices) you could look at disabling smtp-accept-authoritative-
Instructions are here: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html (I believe it still works with 2013).
Basically this will look at any email it recieves and if it states it's from your internal domain, it will refuse it (as internal emails should be using a different recieve connector).
Exchange's own anti-spam agents are not very good and very limited.
I use SonicWALL (Dell) email security as my spam filter. Read the steps below and maybe there's a similar feature in Exchange or Checkpoint.
In SonicWALL I create a policy that looks in the email message header.
If the first three octets of the sender's IP address are contained anywhere in the header, then immediately move the message into the spam folder. Don't even bother analyzing it.
The reason I do only the first 3 is because spammers may own an entire class, or a range in that class.
So in your example, if the IP address of the message is 192.64.7.98, I will add "192.64.7." to my list. The spammer may own any of the IPs between 192.64.7.1 and 192.64.7.254
You need to filter against the originating IP - not the IP of a service or device that sits in between and that you have control of.
In SonicWALL I create a policy that looks in the email message header.
If the first three octets of the sender's IP address are contained anywhere in the header, then immediately move the message into the spam folder. Don't even bother analyzing it.
The reason I do only the first 3 is because spammers may own an entire class, or a range in that class.
So in your example, if the IP address of the message is 192.64.7.98, I will add "192.64.7." to my list. The spammer may own any of the IPs between 192.64.7.1 and 192.64.7.254
You need to filter against the originating IP - not the IP of a service or device that sits in between and that you have control of.
Active today
Please follow up and do not start a new question. You got good information here. Please continue with this question.
My spam content filtering does not seem to work
2016-09-07T18:56:13.664Z,0
All my email log in spam agent are like this
My server is a standalone exchange server
Name : xx
ServerRole : Mailbox, ClientAccess
Edition : Enterprise
AdminDisplayVersion : Version 15.0 (Build 1210.3)
IsClientAccessServer : True
Ive ran those command
& $env:ExchangeInstallPath\S
Restart-Service MSExchangeTransport
InternalSMTPServers : {192.168.xx.xx}
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-Tra
Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Malware Agent True 2
Text Messaging Routing Agent True 3
Text Messaging Delivery Agent True 4
System Probe Drop Smtp Agent True 5
System Probe Drop Routing Agent True 6
Content Filter Agent True 7
Sender Id Agent True 8
Sender Filter Agent True 9
Recipient Filter Agent True 10
Protocol Analysis Agent True 11
Ive add a list of keyword to reject email and if im sending email with one of those words i still received the email
Thanks for helping me
2016-09-07T18:56:13.664Z,0
All my email log in spam agent are like this
My server is a standalone exchange server
Name : xx
ServerRole : Mailbox, ClientAccess
Edition : Enterprise
AdminDisplayVersion : Version 15.0 (Build 1210.3)
IsClientAccessServer : True
Ive ran those command
& $env:ExchangeInstallPath\S
Restart-Service MSExchangeTransport
InternalSMTPServers : {192.168.xx.xx}
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-Tra
Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Malware Agent True 2
Text Messaging Routing Agent True 3
Text Messaging Delivery Agent True 4
System Probe Drop Smtp Agent True 5
System Probe Drop Routing Agent True 6
Content Filter Agent True 7
Sender Id Agent True 8
Sender Filter Agent True 9
Recipient Filter Agent True 10
Protocol Analysis Agent True 11
Ive add a list of keyword to reject email and if im sending email with one of those words i still received the email
Thanks for helping me
Active today
content filtering was bypassed Make sure that the addresses are not somehow whitelisted.
The email is not listed in
get-ContentFilterConfig | fl BypassedSenders
get-ContentFilterConfig | fl BypassedSenderDomains
get-ContentFilterConfig | fl BypassedSenders
get-ContentFilterConfig | fl BypassedSenderDomains
Active today
Look for another phrase in the email that is unique to how spammers write and put that in the content filter. Try that.
im just testing keyword filtering i add the word "sex" and send a email with sex in boddy and subject and i received it so there is something wrong
Active today
Try a complete phrase if you can. "Sex" is too simple. I do not know your spam engine but that is how I go about it.
Ive tried this
Add-ContentFilterPhrase -Phrase "Free credit report" -Influence BadWord
which came from Microsoft website
https://technet.microsoft.com/en-us/library/bb124135%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
And it still passed
Add-ContentFilterPhrase -Phrase "Free credit report" -Influence BadWord
which came from Microsoft website
https://technet.microsoft.com/en-us/library/bb124135%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
And it still passed
Active today
There must be something wrong with your spam filtering. I use this method / concept a lot.
Are there spam filter logs you can look at incoming and processing?
Are there spam filter logs you can look at incoming and processing?
Well this log i mention earlier
2016-09-07T18:56:13.664Z,0
2016-09-07T18:56:13.664Z,0
Active today
I assume you are videotron.ca and the sender is domain.qc.ca.
The message says no filtering is happening at all.
So somehow the sender's email address or domain is whitelisted.
The message says no filtering is happening at all.
So somehow the sender's email address or domain is whitelisted.
Featured Post
Machine learning means Smarter Cybersecurityâ„¢ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article will help to fix the below error for MS Exchange server 2010
I. Out Of office not working
II. Certificate error "name on the security certificate is invalid or does not match the name of the site"
III. Make Internal URLs and External…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
This video discusses moving either the default database or any database to a new volume.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online.
The email signature template has been downloaded from:
www.mail-signatures…
Suggested Courses
Course of the Month5 days, 14 hours left to enroll
707 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.