Jean-François Guénet

Exchange 2013 spam

Can someone explain to me how to block this kind of spam, please?

It's spam that came from outside but looks like it was sent by a user in our domain to another user in our domain.

Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9 via Mailbox Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9; Tue, 23 Aug 2016 13:53:35 -0400
Received: from mail.mydomain.ca (192.168.xx.xx) by MYSERVEREXCHANGE
 (192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
 Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from localhost (localhost [127.0.0.1])
      by mail.mydomain.ca (Postfix) with ESMTP id 56D127B81B2
      for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
X-MTA-CheckPoint: {57BC8D9F-0-562A8C0-4A0207B6}
X-Control-Analysis: str=0001.0A0B0202.57BC8D9F.0083,ss=1,re=2.100,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Received: from p3plwbeout10-04.prod.phx3.secureserver.net (p3plsmtp10-04-2.prod.phx3.secureserver.net [97.74.135.188])
      by mail.mydomain.ca (Postfix) with ESMTP id 2F0977B81A4
      for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
Received: from localhost ([97.74.135.154])
      by p3plwbeout10-04.prod.phx3.secureserver.net with bizsmtp
      id ahta1t0013L2auR01htaKy; Tue, 23 Aug 2016 10:53:34 -0700
X-SID: ahta1t0013L2auR01
Received: (qmail 15479 invoked by uid 99); 23 Aug 2016 17:53:34 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 192.64.7.98
User-Agent: Workspace Webmail 6.4.6
Message-ID: <20160823105332.e1852152ce3ce8b6263f1dba7a85bb31.cb26e90684.wbe@email10.godaddy.com>
From: " firstname lastname" <firstname.lastname@mydomain.ca>
X-Sender: info@objectifsurveillance.ca
Reply-To: " firstname lastname" <chiefexecutiveoficer@aol.com>
To: <accueil@mydomain.ca>
Subject: Bonjour
Date: Tue, 23 Aug 2016 10:53:32 -0700
MIME-Version: 1.0
Return-Path: info@objectifsurveillance.ca
X-MS-Exchange-Organization-PRD: mydomain.ca
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (MYSERVEREXCHANGE.mydomain.ca: domain of
 firstname.lastname@mydomain.ca does not designate 192.168.xx.xx as permitted
 sender) receiver=MYSERVEREXCHANGE.mydomain.ca;
 client-ip=192.168.xx.xx; helo=mail.mydomain.ca;
X-MS-Exchange-Organization-Network-Message-Id: e32d3cd2-b096-4c9c-9430-08d3cb7e67c8
X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: MYSERVEREXCHANGE.mydomain.ca
X-MS-Exchange-Organization-AuthAs: Anonymous





And second

Why is this kind of porn spam not blocked? :)

Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9 via Mailbox Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9; Mon, 29 Aug 2016 09:49:29 -0400
Received: from mail.mydomain.ca (192.168.100.253) by MYSERVEREXCHANGE
 (192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
 Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from localhost (localhost [127.0.0.1])
      by mail.mydomain.ca (Postfix) with ESMTP id 285BB7F0670
      for <firstname.lastname@mydomain.ca>; Mon, 29 Aug 2016 09:49:29 -0400 (EDT)
X-MTA-CheckPoint: {57C43D69-0-462A8C0-386307B6}
X-Control-Analysis: str=0001.0A0B0208.57C43D69.0071,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Received: from server77-68-38-173.live-servers.net (server77-68-38-173.live-servers.net [77.68.38.173])
      by mail.mydomain.ca (Postfix) with ESMTP id DDA987F0672
      for <firstname.lastname@mydomain.ca>; Mon, 29 Aug 2016 09:49:28 -0400 (EDT)
Received: by server77-68-38-173.live-servers.net (Postfix, from userid 33)
      id B29A0E03836; Mon, 29 Aug 2016 14:49:22 +0100 (BST)
To: <firstname.lastname@mydomain.ca>
Subject: Watch Me Put My Whole Fist In My Snatch
X-PHP-Originating-Script: 33:footer12.php(1968) : eval()'d code
Date: Mon, 29 Aug 2016 14:49:22 +0100
From: Diane Martin <diane_martin@fguk.eu>
Message-ID: <6bb3402c9fe12eff2f5b0483ed7be5ae@fguk.eu>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="b1_6bb3402c9fe12eff2f5b0483ed7be5ae"
Content-Transfer-Encoding: 8bit
Return-Path: diane_martin@fguk.eu
X-MS-Exchange-Organization-PRD: fguk.eu
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (MYSERVEREXCHANGE.mydomain.ca: diane_martin@fguk.eu
 does not designate permitted sender hosts)
X-MS-Exchange-Organization-Network-Message-Id: 8d03c9bb-3393-4bbc-c0d1-08d3d0134c87
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
 None;OrigIP:192.168.100.253
X-MS-Exchange-Organization-AuthSource: MYSERVEREXCHANGE.mydomain.ca
X-MS-Exchange-Organization-AuthAs: Anonymous



Thanks for your help

Last comment: John, 8/22/2022 (Mon)
jhyiesla

This is not a direct answer to your question as we do not use any of the anti-spam features of Exchange. However, going forward, you may want to consider an external anti-spam and email filtering system. These systems will filter your email for spam and virus infections. Some will also include archiving and secure messaging as well as a host of other features that you may find useful.

We use Mimecast and have been extremely happy with the service.
Jean-François Guénet

ASKER
Yes, I know all this, but we are using a Checkpoint firewall and it's supposed to do this job, but it's not doing its job apparently (I have a ticket open with them).

For now I was trying to block this with Exchange.
Ivan

Hi,

maybe you can create a transport rule to block email with X-MS-Exchange-Organization-SenderIdResult: Fail.
There is a good article on how to do it here:
http://markgossa.blogspot.rs/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html

Maybe it won't do all the job, but it will help at least a bit.

Regards,
Ivan.
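The rule Ivan describes, written out for the Exchange Management Shell as an added example (not Ivan's code or the linked article's). It assumes the accepted domain is mydomain.ca, that the Postfix relay at 192.168.xx.xx from the posted headers is the only hop in front of Exchange, and uses 203.0.113.10 and postmaster@mydomain.ca as placeholders.

```powershell
# Added example, not Ivan's or the linked article's code. Run in the Exchange
# Management Shell on the 2013 server. Assumes the accepted domain is
# mydomain.ca and that the Postfix relay seen in the posted headers
# (192.168.xx.xx) is the only hop between the Internet and Exchange.

# 1. Tell Sender ID to look past the internal relay. Otherwise it evaluates SPF
#    against the relay's private address (exactly what the posted Received-SPF
#    header shows) instead of the real sending host, and every external message
#    fails or soft-fails no matter who sent it.
Set-TransportConfig -InternalSMTPServers @{Add="192.168.xx.xx"}

# 2. Match mail that arrives from outside the organization, claims a sender in
#    our own domain, and failed Sender ID. First run it as a report-only rule:
#    each match sends an incident report to the postmaster, which surfaces any
#    legitimate external service that sends as mydomain.ca before anything is
#    rejected. 203.0.113.10 is a placeholder for such a service's address.
$ruleName = "Reject spoofed mydomain.ca senders"
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SenderDomainIs "mydomain.ca" `
    -HeaderContainsMessageHeader "X-MS-Exchange-Organization-SenderIdResult" `
    -HeaderContainsWords "Fail" `
    -ExceptIfSenderIpRanges "203.0.113.10" `
    -GenerateIncidentReport "postmaster@mydomain.ca" `
    -IncidentReportContent Sender, Recipients, Subject

# 3. Once the reports show only spoofed mail, add the reject action. The
#    sender gets a 550 5.7.1 and the message never reaches a mailbox.
Set-TransportRule -Identity $ruleName `
    -RejectMessageReasonText "Sender address spoofing detected" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Confirm the final rule: conditions, exception and both actions.
Get-TransportRule -Identity $ruleName | Format-List Name, State, FromScope,
    SenderDomainIs, HeaderContainsMessageHeader, HeaderContainsWords,
    ExceptIfSenderIpRanges, GenerateIncidentReport, RejectMessageReasonText
```

Step 1 matters for the rule's accuracy: with the relay listed as internal, the Fail result is computed for the real sending host, and the legitimate SoftFail seen later in this thread for an external sender stops being an artefact of the relay's private address.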
ASKER CERTIFIED SOLUTION
John

Jean-François Guénet

ASKER
But this is the header of a good email:

Header Name      Header Value
X-MTA-CheckPoint      {57C6D116-0-462A8C0-3D8E07B6}
X-Control-Analysis      str=0001.0A0B0205.57C6D116.0183,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Date      Wed, 31 Aug 2016 05:44:05 -0700
From      Experts Exchange <noreply@experts-exchange.com>
To      <support@mydomain.ca>
Message-ID      <1534115608.0.1472647446185@cron.prod.aws.redsrci.com>
Subject      An Expert Comment has been posted: Exchange 2013 spam
MIME-Version      1.0
Content-Type      text/html; charset="UTF-8"
Content-Transfer-Encoding      quoted-printable
X-Mailer      Experts Exchange
Return-Path      noreply@experts-exchange.com
X-MS-Exchange-Organization-PRD      experts-exchange.com
X-MS-Exchange-Organization-SenderIdResult      SoftFail
Received-SPF      SoftFail (myexchangeserver.mydomain.ca: domain of transitioning noreply@experts-exchange.com discourages use of 192.168.xx.xx as permitted sender)
X-MS-Exchange-Organization-Network-Message-Id      e9d56d2b-3d35-4cc7-af12-08d3d19c7f54
X-MS-Exchange-Organization-SCL      0
X-MS-Exchange-Organization-PCL      2
X-MS-Exchange-Organization-Antispam-Report      DV:3.3.5705.600;SID:SenderIDStatus SoftFail;OrigIP:192.168.xx.xx
X-MS-Exchange-Organization-AuthSource      myexchangeserver.mydomain.ca
X-MS-Exchange-Organization-AuthAs      Anonymous

If we look at the Received-SPF, it tells us it's SOFTFAIL and it states the internal IP address of my firewall, 192.168.xx.xx.


Here is the SPF record I've created:

mydomain.qc.ca.  IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
mydomain.ca.  IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"

Is it supposed to be like that?
Andy M

Just as a question (as I have come across this before): have you installed/activated the Exchange 2013 Anti-Spam agents? If memory serves they don't auto-install when you set up Exchange, and a number of techies I've spoken to in the past forget they have to install them separately.

If only internal systems send email from your domain (i.e. you have no other external services using your domain for emailing, such as websites or scanners in external offices) you could look at disabling smtp-accept-authoritative-domain-sender on the default internet receive connector.

Instructions are here: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html (I believe it still works with 2013).

Basically this will look at any email it receives and if it states it's from your internal domain, it will refuse it (as internal emails should be using a different receive connector).

Exchange's own anti-spam agents are not very good and very limited.
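Andy's connector-permission approach, as an added example for the Exchange Management Shell (not Andy M's code or the linked exchangepedia article's). It assumes the stock "Default Frontend MYSERVEREXCHANGE" connector receives Internet mail from the Postfix relay, and 192.168.100.50 is a placeholder for an internal device that relays unauthenticated.

```powershell
# Added example (not Andy M's or the linked exchangepedia article's code), for
# the Exchange Management Shell on Exchange 2013. Assumes the Internet-facing
# connector is the stock "Default Frontend MYSERVEREXCHANGE" and that the
# Postfix relay at 192.168.xx.xx is what delivers Internet mail to it.
$connector = "MYSERVEREXCHANGE\Default Frontend MYSERVEREXCHANGE"
$right     = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 1. Show whether anonymous (unauthenticated) sessions may currently use a
#    MAIL FROM in one of our accepted domains on this connector.
Get-ADPermission -Identity $connector -User "NT AUTHORITY\Anonymous Logon" |
    Where-Object { $_.ExtendedRights -like $right } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 2. Remove the right. From now on the connector answers
#    "550 5.7.1 Client does not have permissions to send as this sender"
#    to any unauthenticated session that claims a mydomain.ca sender, which
#    is exactly the profile of the first spam on this page. Authenticated
#    Outlook/ActiveSync users are unaffected.
Get-ADPermission -Identity $connector -User "NT AUTHORITY\Anonymous Logon" |
    Where-Object { $_.ExtendedRights -like $right } |
    Remove-ADPermission -Confirm:$false

# 3. Internal devices (copiers, monitoring) that relay as @mydomain.ca without
#    authenticating now need their own connector, restricted to their IPs,
#    that keeps the right. 192.168.100.50 is a placeholder for such a device.
New-ReceiveConnector -Name "Internal relay" -TransportRole FrontendTransport `
    -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.100.50 `
    -PermissionGroups AnonymousUsers
Add-ADPermission -Identity "MYSERVEREXCHANGE\Internal relay" `
    -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights $right
```

Note that in this thread all Internet mail arrives through the Postfix relay, so the relay's address must not end up on the "Internal relay" connector, or spoofed mail would regain the right through it.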
John

"Is it supposed to be like that?" In a quick look, yes, those headers look fine.
E C

I use SonicWALL (Dell) email security as my spam filter. Read the steps below and maybe there's a similar feature in Exchange or Checkpoint.

In SonicWALL I create a policy that looks in the email message header.
If the first three octets of the sender's IP address are contained anywhere in the header, then immediately move the message into the spam folder. Don't even bother analyzing it.

The reason I do only the first 3 is because spammers may own an entire class, or a range in that class.

So in your example, if the IP address of the message is 192.64.7.98, I will add "192.64.7." to my list. The spammer may own any of the IPs between 192.64.7.1 and 192.64.7.254.

You need to filter against the originating IP - not the IP of a service or device that sits in between and that you have control of.
John

Please follow up and do not start a new question. You got good information here. Please continue with this question.
Jean-François Guénet

ASKER
My spam content filtering does not seem to work

2016-09-07T18:56:13.664Z,08D3D74CA076F7F5,192.168.xx.xx:2525,192.168.xx.xx:35274,192.168.xx.xx,<000401d20938$8936bc50$9ba434f0$@videotron.ca>,usermailboxvideotron.ca,usermailboxvideotron.ca;,usermailbox@domain.qc.ca,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,8efdcb93-1511-4bda-7078-08d3d750a3e8,,Incoming

All my email logs in the spam agent are like this.

My server is a standalone Exchange server:

Name                 : xx
ServerRole           : Mailbox, ClientAccess
Edition              : Enterprise
AdminDisplayVersion  : Version 15.0 (Build 1210.3)
IsClientAccessServer : True

I've run those commands:

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport

InternalSMTPServers : {192.168.xx.xx}

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-TransportAgent

Identity                                           Enabled         Priority
--------                                           -------         --------
Transport Rule Agent                               True            1
Malware Agent                                      True            2
Text Messaging Routing Agent                       True            3
Text Messaging Delivery Agent                      True            4
System Probe Drop Smtp Agent                       True            5
System Probe Drop Routing Agent                    True            6
Content Filter Agent                               True            7
Sender Id Agent                                    True            8
Sender Filter Agent                                True            9
Recipient Filter Agent                             True            10
Protocol Analysis Agent                            True            11

I've added a list of keywords to reject email, and if I'm sending an email with one of those words I still receive the email.

Thanks for helping me
John

"content filtering was bypassed": Make sure that the addresses are not somehow whitelisted.
Jean-François Guénet

ASKER
The email is not listed in:

get-ContentFilterConfig | fl BypassedSenders
get-ContentFilterConfig | fl BypassedSenderDomains
John

Look for another phrase in the email that is unique to how spammers write and put that in the content filter. Try that.
Jean-François Guénet

ASKER
I'm just testing keyword filtering. I added the word "sex" and sent an email with sex in the body and subject, and I received it, so there is something wrong.
John

Try a complete phrase if you can. "Sex" is too simple. I do not know your spam engine but that is how I go about it.
Jean-François Guénet

ASKER
I've tried this:

Add-ContentFilterPhrase -Phrase "Free credit report" -Influence BadWord

which came from the Microsoft website:

https://technet.microsoft.com/en-us/library/bb124135%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396

And it still passed.
John

There must be something wrong with your spam filtering. I use this method / concept a lot.

Are there spam filter logs you can look at incoming and processing?
Jean-François Guénet

ASKER
Well, this is the log I mentioned earlier:

2016-09-07T18:56:13.664Z,08D3D74CA076F7F5,192.168.xx.xx:2525,192.168.xx.xx:35274,192.168.xx.xx,<000401d20938$8936bc50$9ba434f0$@videotron.ca>,usermailboxvideotron.ca,usermailboxvideotron.ca;,usermailbox@domain.qc.ca,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,8efdcb93-1511-4bda-7078-08d3d750a3e8,,Incoming
John

I assume you are videotron.ca and the sender is domain.qc.ca.

The message says no filtering is happening at all.

So somehow the sender's email address or domain is whitelisted.
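A way to locate the whitelist John suspects, as an added example for the Exchange Management Shell (not John's or the asker's code). It walks the sender-side lists the asker already checked and the recipient-side settings (mailbox bypass, aggregated Outlook Safe Senders) that make the filter skip mail for one mailbox but not another; the two addresses are placeholders modelled on the posted agent log line.

```powershell
# Added example (not John's or the asker's code). Exchange Management Shell on
# Exchange 2013. Checks every setting that makes the Content Filter agent log
# "content filtering was bypassed" for one sender/recipient pair. The two
# addresses used at the bottom are placeholders based on the posted log line.
function Get-ContentFilterBypassReasons {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [Parameter(Mandatory)][string]$Recipient
    )
    $reasons      = @()
    $senderDomain = $Sender.Split("@")[1]
    $cfg          = Get-ContentFilterConfig

    # Global switches: the agent can be installed and enabled yet skip all
    # unauthenticated (external) mail.
    if (-not $cfg.Enabled)             { $reasons += "Content Filter agent disabled" }
    if (-not $cfg.ExternalMailEnabled) { $reasons += "ExternalMailEnabled is False" }

    # Organization-wide bypass lists (the ones already checked in this thread,
    # plus the recipient list).
    if ($cfg.BypassedSenders       | Where-Object { "$_" -eq $Sender })       { $reasons += "Sender in BypassedSenders" }
    if ($cfg.BypassedSenderDomains | Where-Object { "$_" -eq $senderDomain }) { $reasons += "Sender domain in BypassedSenderDomains" }
    if ($cfg.BypassedRecipients    | Where-Object { "$_" -eq $Recipient })    { $reasons += "Recipient in BypassedRecipients" }

    # Per-mailbox settings: a mailbox can opt out of anti-spam entirely, and the
    # user's Outlook Safe Senders list is pushed into Exchange by safelist
    # aggregation, so mail from those senders skips the filter for that mailbox
    # only. Either one explains a filter that works for one test mailbox and
    # not for another.
    $mbx = Get-Mailbox -Identity $Recipient -ErrorAction SilentlyContinue
    if ($mbx) {
        if ($mbx.AntispamBypassEnabled) { $reasons += "Recipient mailbox has AntispamBypassEnabled" }
        $junk = Get-MailboxJunkEmailConfiguration -Identity $Recipient
        $safe = $junk.TrustedSendersAndDomains | Where-Object { $_ -eq $Sender -or $_ -eq $senderDomain }
        if ($safe) { $reasons += "Sender on recipient's Safe Senders list ($($safe -join ', '))" }
    }
    if ($reasons.Count -eq 0) { $reasons += "No bypass found; inspect the agent log below" }
    return $reasons
}

# Placeholder addresses with the shape of the posted agent log entry.
Get-ContentFilterBypassReasons -Sender "usermailbox@videotron.ca" -Recipient "usermailbox@domain.qc.ca"

# The same agent log the asker pasted (a CSV line), queried per agent.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq "Content Filter Agent" } |
    Select-Object Timestamp, P1FromAddress, Recipients, Action, Reason, ReasonData
```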
Jean-François Guénet

ASKER
OK, you were right. I tried a different mailbox and it's working fine now.

Thanks !
John

You are very welcome and I was happy to help.