asked on Exchange 2013 spam
Can someone explain me how to block this king of spam please
It's a spam that came from outside but look like it was send by a user in our domain to another user from our domain
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Tue, 23 Aug 2016 13:53:35 -0400
Received: from mail.mydomain.ca (192.168.xx.xx) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 56D127B81B2
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
X-MTA-CheckPoint: {57BC8D9F-0-562A8C0-4A0207
X-Control-Analysis: str=0001.0A0B0202.57BC8D9F
Received: from p3plwbeout10-04.prod.phx3.
by mail.mydomain.ca (Postfix) with ESMTP id 2F0977B81A4
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
Received: from localhost ([97.74.135.154])
by p3plwbeout10-04.prod.phx3.
id ahta1t0013L2auR01htaKy; Tue, 23 Aug 2016 10:53:34 -0700
X-SID: ahta1t0013L2auR01
Received: (qmail 15479 invoked by uid 99); 23 Aug 2016 17:53:34 -0000
Content-Transfer-Encoding:
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 192.64.7.98
User-Agent: Workspace Webmail 6.4.6
Message-ID: <20160823105332.e1852152ce
From: " firstname lastname" <firstname.lastname@mydoma
X-Sender: info@objectifsurveillance.
Reply-To: " firstname lastname" <chiefexecutiveoficer@aol.
To: <accueil@mydomain.ca>
Subject: Bonjour
Date: Tue, 23 Aug 2016 10:53:32 -0700
MIME-Version: 1.0
Return-Path: info@objectifsurveillance.
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: Fail (MYSERVEREXCHANGE.mydomain
firstname.lastname@mydomai
sender) receiver=MYSERVEREXCHANGE.
client-ip=192.168.xx.xx; helo=mail.mydomain.ca;
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
And second
Why these kind of porn spam is not block :)
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Mon, 29 Aug 2016 09:49:29 -0400
Received: from mail.mydomain.ca (192.168.100.253) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 285BB7F0670
for <firstname.lastname@mydoma
X-MTA-CheckPoint: {57C43D69-0-462A8C0-386307
X-Control-Analysis: str=0001.0A0B0208.57C43D69
Received: from server77-68-38-173.live-se
by mail.mydomain.ca (Postfix) with ESMTP id DDA987F0672
for <firstname.lastname@mydoma
Received: by server77-68-38-173.live-se
id B29A0E03836; Mon, 29 Aug 2016 14:49:22 +0100 (BST)
To: <firstname.lastname@mydoma
Subject: Watch Me Put My Whole Fist In My Snatch
X-PHP-Originating-Script: 33:footer12.php(1968) : eval()'d code
Date: Mon, 29 Aug 2016 14:49:22 +0100
From: Diane Martin <diane_martin@fguk.eu>
Message-ID: <6bb3402c9fe12eff2f5b0483e
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_6bb3402c9fe12
Content-Transfer-Encoding:
Return-Path: diane_martin@fguk.eu
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: None (MYSERVEREXCHANGE.mydomain
does not designate permitted sender hosts)
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
None;OrigIP:192.168.100.25
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Thanks for your help
It's a spam that came from outside but look like it was send by a user in our domain to another user from our domain
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Tue, 23 Aug 2016 13:53:35 -0400
Received: from mail.mydomain.ca (192.168.xx.xx) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 56D127B81B2
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
X-MTA-CheckPoint: {57BC8D9F-0-562A8C0-4A0207
X-Control-Analysis: str=0001.0A0B0202.57BC8D9F
Received: from p3plwbeout10-04.prod.phx3.
by mail.mydomain.ca (Postfix) with ESMTP id 2F0977B81A4
for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
Received: from localhost ([97.74.135.154])
by p3plwbeout10-04.prod.phx3.
id ahta1t0013L2auR01htaKy; Tue, 23 Aug 2016 10:53:34 -0700
X-SID: ahta1t0013L2auR01
Received: (qmail 15479 invoked by uid 99); 23 Aug 2016 17:53:34 -0000
Content-Transfer-Encoding:
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 192.64.7.98
User-Agent: Workspace Webmail 6.4.6
Message-ID: <20160823105332.e1852152ce
From: " firstname lastname" <firstname.lastname@mydoma
X-Sender: info@objectifsurveillance.
Reply-To: " firstname lastname" <chiefexecutiveoficer@aol.
To: <accueil@mydomain.ca>
Subject: Bonjour
Date: Tue, 23 Aug 2016 10:53:32 -0700
MIME-Version: 1.0
Return-Path: info@objectifsurveillance.
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: Fail (MYSERVEREXCHANGE.mydomain
firstname.lastname@mydomai
sender) receiver=MYSERVEREXCHANGE.
client-ip=192.168.xx.xx; helo=mail.mydomain.ca;
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
And second
Why these kind of porn spam is not block :)
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9 via Mailbox Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from MYSERVEREXCHANGE.mydomain.
MYSERVEREXCHANGE.mydomain.
(TLS) id 15.0.1076.9; Mon, 29 Aug 2016 09:49:29 -0400
Received: from mail.mydomain.ca (192.168.100.253) by MYSERVEREXCHANGE
(192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ca (Postfix) with ESMTP id 285BB7F0670
for <firstname.lastname@mydoma
X-MTA-CheckPoint: {57C43D69-0-462A8C0-386307
X-Control-Analysis: str=0001.0A0B0208.57C43D69
Received: from server77-68-38-173.live-se
by mail.mydomain.ca (Postfix) with ESMTP id DDA987F0672
for <firstname.lastname@mydoma
Received: by server77-68-38-173.live-se
id B29A0E03836; Mon, 29 Aug 2016 14:49:22 +0100 (BST)
To: <firstname.lastname@mydoma
Subject: Watch Me Put My Whole Fist In My Snatch
X-PHP-Originating-Script: 33:footer12.php(1968) : eval()'d code
Date: Mon, 29 Aug 2016 14:49:22 +0100
From: Diane Martin <diane_martin@fguk.eu>
Message-ID: <6bb3402c9fe12eff2f5b0483e
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_6bb3402c9fe12
Content-Transfer-Encoding:
Return-Path: diane_martin@fguk.eu
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF: None (MYSERVEREXCHANGE.mydomain
does not designate permitted sender hosts)
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
None;OrigIP:192.168.100.25
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Thanks for your help
AntiSpamExchange
Last Comment
John
ASKER
Yes i know all this but we are using a checkpoint firewall and it's supposed to do this job but it's not doing it's job apparently (i have a ticket open with them)
For now i was trying to block this by exchange
For now i was trying to block this by exchange
Hi,
maybe you can create transport rule to block email with X-MS-Exchange-Organization
There is a good article on how to do it here:
http://markgossa.blogspot.rs/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html
Maybe it wont do all the job, but it will help at least a bit.
Regards,
Ivan.
maybe you can create transport rule to block email with X-MS-Exchange-Organization
There is a good article on how to do it here:
http://markgossa.blogspot.rs/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html
Maybe it wont do all the job, but it will help at least a bit.
Regards,
Ivan.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
But this is the header of a good email
Header Name Header Value
X-MTA-CheckPoint {57C6D116-0-462A8C0-3D8E07
X-Control-Analysis str=0001.0A0B0205.57C6D116
Date Wed, 31 Aug 2016 05:44:05 -0700
From Experts Exchange <noreply@experts-exchange.
To <support@mydomain.ca>
Message-ID <1534115608.0.147264744618
Subject An Expert Comment has been posted: Exchange 2013 spam
MIME-Version 1.0
Content-Type text/html; charset="UTF-8"
Content-Transfer-Encoding quoted-printable
X-Mailer Experts Exchange
Return-Path noreply@experts-exchange.c
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF SoftFail (myexchangeserver.mydomain
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
If we look at the Received-SPF it tell us it's SOFTFAIL and it state my internal ip address of my firewall 192.168.xx.xx
Here is my SPF record ive create
mydomain.qc.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
mydomain.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
Is it supposed to be like that ?
Header Name Header Value
X-MTA-CheckPoint {57C6D116-0-462A8C0-3D8E07
X-Control-Analysis str=0001.0A0B0205.57C6D116
Date Wed, 31 Aug 2016 05:44:05 -0700
From Experts Exchange <noreply@experts-exchange.
To <support@mydomain.ca>
Message-ID <1534115608.0.147264744618
Subject An Expert Comment has been posted: Exchange 2013 spam
MIME-Version 1.0
Content-Type text/html; charset="UTF-8"
Content-Transfer-Encoding quoted-printable
X-Mailer Experts Exchange
Return-Path noreply@experts-exchange.c
X-MS-Exchange-Organization
X-MS-Exchange-Organization
Received-SPF SoftFail (myexchangeserver.mydomain
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Exchange-Organization
If we look at the Received-SPF it tell us it's SOFTFAIL and it state my internal ip address of my firewall 192.168.xx.xx
Here is my SPF record ive create
mydomain.qc.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
mydomain.ca. IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
Is it supposed to be like that ?
Just as a question (as I have come across this before) - have you installed/activated the Exchange 2013 Anti-Spam agents? If memory serves they don't auto install when you setup Exchange and a number of techies I've spoken to in the past forget they have to install them separately.
If only internal systems send email from your domain (i.e. you have no other external services using your domain for emailing such as websites or scanners in external offices) you could look at disabling smtp-accept-authoritative-
Instructions are here: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html (I believe it still works with 2013).
Basically this will look at any email it recieves and if it states it's from your internal domain, it will refuse it (as internal emails should be using a different recieve connector).
Exchange's own anti-spam agents are not very good and very limited.
If only internal systems send email from your domain (i.e. you have no other external services using your domain for emailing such as websites or scanners in external offices) you could look at disabling smtp-accept-authoritative-
Instructions are here: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html (I believe it still works with 2013).
Basically this will look at any email it recieves and if it states it's from your internal domain, it will refuse it (as internal emails should be using a different recieve connector).
Exchange's own anti-spam agents are not very good and very limited.
Is it supposed to be like that ? In a quick look, yes, those headers look fine.
I use SonicWALL (Dell) email security as my spam filter. Read the steps below and maybe there's a similar feature in Exchange or Checkpoint.
In SonicWALL I create a policy that looks in the email message header.
If the first three octets of the sender's IP address are contained anywhere in the header, then immediately move the message into the spam folder. Don't even bother analyzing it.
The reason I do only the first 3 is because spammers may own an entire class, or a range in that class.
So in your example, if the IP address of the message is 192.64.7.98, I will add "192.64.7." to my list. The spammer may own any of the IPs between 192.64.7.1 and 192.64.7.254
You need to filter against the originating IP - not the IP of a service or device that sits in between and that you have control of.
In SonicWALL I create a policy that looks in the email message header.
If the first three octets of the sender's IP address are contained anywhere in the header, then immediately move the message into the spam folder. Don't even bother analyzing it.
The reason I do only the first 3 is because spammers may own an entire class, or a range in that class.
So in your example, if the IP address of the message is 192.64.7.98, I will add "192.64.7." to my list. The spammer may own any of the IPs between 192.64.7.1 and 192.64.7.254
You need to filter against the originating IP - not the IP of a service or device that sits in between and that you have control of.
Please follow up and do not start a new question. You got good information here. Please continue with this question.
ASKER
My spam content filtering does not seem to work
2016-09-07T18:56:13.664Z,0
All my email log in spam agent are like this
My server is a standalone exchange server
Name : xx
ServerRole : Mailbox, ClientAccess
Edition : Enterprise
AdminDisplayVersion : Version 15.0 (Build 1210.3)
IsClientAccessServer : True
Ive ran those command
& $env:ExchangeInstallPath\S
Restart-Service MSExchangeTransport
InternalSMTPServers : {192.168.xx.xx}
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-Tra
Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Malware Agent True 2
Text Messaging Routing Agent True 3
Text Messaging Delivery Agent True 4
System Probe Drop Smtp Agent True 5
System Probe Drop Routing Agent True 6
Content Filter Agent True 7
Sender Id Agent True 8
Sender Filter Agent True 9
Recipient Filter Agent True 10
Protocol Analysis Agent True 11
Ive add a list of keyword to reject email and if im sending email with one of those words i still received the email
Thanks for helping me
2016-09-07T18:56:13.664Z,0
All my email log in spam agent are like this
My server is a standalone exchange server
Name : xx
ServerRole : Mailbox, ClientAccess
Edition : Enterprise
AdminDisplayVersion : Version 15.0 (Build 1210.3)
IsClientAccessServer : True
Ive ran those command
& $env:ExchangeInstallPath\S
Restart-Service MSExchangeTransport
InternalSMTPServers : {192.168.xx.xx}
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-Tra
Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Malware Agent True 2
Text Messaging Routing Agent True 3
Text Messaging Delivery Agent True 4
System Probe Drop Smtp Agent True 5
System Probe Drop Routing Agent True 6
Content Filter Agent True 7
Sender Id Agent True 8
Sender Filter Agent True 9
Recipient Filter Agent True 10
Protocol Analysis Agent True 11
Ive add a list of keyword to reject email and if im sending email with one of those words i still received the email
Thanks for helping me
content filtering was bypassed Make sure that the addresses are not somehow whitelisted.
ASKER
The email is not listed in
get-ContentFilterConfig | fl BypassedSenders
get-ContentFilterConfig | fl BypassedSenderDomains
get-ContentFilterConfig | fl BypassedSenders
get-ContentFilterConfig | fl BypassedSenderDomains
Look for another phrase in the email that is unique to how spammers write and put that in the content filter. Try that.
ASKER
im just testing keyword filtering i add the word "sex" and send a email with sex in boddy and subject and i received it so there is something wrong
Try a complete phrase if you can. "Sex" is too simple. I do not know your spam engine but that is how I go about it.
ASKER
Ive tried this
Add-ContentFilterPhrase -Phrase "Free credit report" -Influence BadWord
which came from Microsoft website
https://technet.microsoft.com/en-us/library/bb124135%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
And it still passed
Add-ContentFilterPhrase -Phrase "Free credit report" -Influence BadWord
which came from Microsoft website
https://technet.microsoft.com/en-us/library/bb124135%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
And it still passed
There must be something wrong with your spam filtering. I use this method / concept a lot.
Are there spam filter logs you can look at incoming and processing?
Are there spam filter logs you can look at incoming and processing?
ASKER
Well this log i mention earlier
2016-09-07T18:56:13.664Z,0
2016-09-07T18:56:13.664Z,0
I assume you are videotron.ca and the sender is domain.qc.ca.
The message says no filtering is happening at all.
So somehow the sender's email address or domain is whitelisted.
The message says no filtering is happening at all.
So somehow the sender's email address or domain is whitelisted.
ASKER
Ok you were right i tried a different mailbox and it's working fine now
Thanks !
Thanks !
You are very welcome and I was happy to help.
We use Mimecast and have been extremely happy with the service.