
Exchange 2013 spam

Posted on 2016-08-31
Last Modified: 2016-09-08
Can someone explain to me how to block this kind of spam please

It's spam that came from outside but looks like it was sent by a user in our domain to another user in our domain

Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9 via Mailbox Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9; Tue, 23 Aug 2016 13:53:35 -0400
Received: from mail.mydomain.ca (192.168.xx.xx) by MYSERVEREXCHANGE
 (192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
 Transport; Tue, 23 Aug 2016 13:53:35 -0400
Received: from localhost (localhost [127.0.0.1])
      by mail.mydomain.ca (Postfix) with ESMTP id 56D127B81B2
      for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
X-MTA-CheckPoint: {57BC8D9F-0-562A8C0-4A0207B6}
X-Control-Analysis: str=0001.0A0B0202.57BC8D9F.0083,ss=1,re=2.100,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Received: from p3plwbeout10-04.prod.phx3.secureserver.net (p3plsmtp10-04-2.prod.phx3.secureserver.net [97.74.135.188])
      by mail.mydomain.ca (Postfix) with ESMTP id 2F0977B81A4
      for <accueil@mydomain.ca>; Tue, 23 Aug 2016 13:53:35 -0400 (EDT)
Received: from localhost ([97.74.135.154])
      by p3plwbeout10-04.prod.phx3.secureserver.net with bizsmtp
      id ahta1t0013L2auR01htaKy; Tue, 23 Aug 2016 10:53:34 -0700
X-SID: ahta1t0013L2auR01
Received: (qmail 15479 invoked by uid 99); 23 Aug 2016 17:53:34 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 192.64.7.98
User-Agent: Workspace Webmail 6.4.6
Message-ID: <20160823105332.e1852152ce3ce8b6263f1dba7a85bb31.cb26e90684.wbe@email10.godaddy.com>
From: " firstname lastname" <firstname.lastname@mydomain.ca>
X-Sender: info@objectifsurveillance.ca
Reply-To: " firstname lastname" <chiefexecutiveoficer@aol.com>
To: <accueil@mydomain.ca>
Subject: Bonjour
Date: Tue, 23 Aug 2016 10:53:32 -0700
MIME-Version: 1.0
Return-Path: info@objectifsurveillance.ca
X-MS-Exchange-Organization-PRD: mydomain.ca
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (MYSERVEREXCHANGE.mydomain.ca: domain of
 firstname.lastname@mydomain.ca does not designate 192.168.xx.xx as permitted
 sender) receiver=MYSERVEREXCHANGE.mydomain.ca;
 client-ip=192.168.xx.xx; helo=mail.mydomain.ca;
X-MS-Exchange-Organization-Network-Message-Id: e32d3cd2-b096-4c9c-9430-08d3cb7e67c8
X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: MYSERVEREXCHANGE.mydomain.ca
X-MS-Exchange-Organization-AuthAs: Anonymous

And second

Why is this kind of porn spam not blocked :)

Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9 via Mailbox Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) by
 MYSERVEREXCHANGE.mydomain.ca (192.168.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9; Mon, 29 Aug 2016 09:49:29 -0400
Received: from mail.mydomain.ca (192.168.100.253) by MYSERVEREXCHANGE
 (192.168.xx.xx) with Microsoft SMTP Server id 15.0.1076.9 via Frontend
 Transport; Mon, 29 Aug 2016 09:49:29 -0400
Received: from localhost (localhost [127.0.0.1])
      by mail.mydomain.ca (Postfix) with ESMTP id 285BB7F0670
      for <firstname.lastname@mydomain.ca>; Mon, 29 Aug 2016 09:49:29 -0400 (EDT)
X-MTA-CheckPoint: {57C43D69-0-462A8C0-386307B6}
X-Control-Analysis: str=0001.0A0B0208.57C43D69.0071,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Received: from server77-68-38-173.live-servers.net (server77-68-38-173.live-servers.net [77.68.38.173])
      by mail.mydomain.ca (Postfix) with ESMTP id DDA987F0672
      for <firstname.lastname@mydomain.ca>; Mon, 29 Aug 2016 09:49:28 -0400 (EDT)
Received: by server77-68-38-173.live-servers.net (Postfix, from userid 33)
      id B29A0E03836; Mon, 29 Aug 2016 14:49:22 +0100 (BST)
To: <firstname.lastname@mydomain.ca>
Subject: Watch Me Put My Whole Fist In My Snatch
X-PHP-Originating-Script: 33:footer12.php(1968) : eval()'d code
Date: Mon, 29 Aug 2016 14:49:22 +0100
From: Diane Martin <diane_martin@fguk.eu>
Message-ID: <6bb3402c9fe12eff2f5b0483ed7be5ae@fguk.eu>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="b1_6bb3402c9fe12eff2f5b0483ed7be5ae"
Content-Transfer-Encoding: 8bit
Return-Path: diane_martin@fguk.eu
X-MS-Exchange-Organization-PRD: fguk.eu
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (MYSERVEREXCHANGE.mydomain.ca: diane_martin@fguk.eu
 does not designate permitted sender hosts)
X-MS-Exchange-Organization-Network-Message-Id: 8d03c9bb-3393-4bbc-c0d1-08d3d0134c87
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
 None;OrigIP:192.168.100.253
X-MS-Exchange-Organization-AuthSource: MYSERVEREXCHANGE.mydomain.ca
X-MS-Exchange-Organization-AuthAs: Anonymous

Thanks for your help
Question by:jfguenet

Expert Comment

by:jhyiesla
ID: 41777973
This is not a direct answer to your question, as we do not use any of the anti-spam features of Exchange. However, going forward, you may want to consider an external anti-spam and email filtering system. These systems will filter your email for spam and virus infections. Some will also include archiving and secure messaging as well as a host of other features that you may find useful.

We use Mimecast and have been extremely happy with the service.

Author Comment

by:jfguenet
ID: 41777980
Yes, I know all this, but we are using a Check Point firewall and it's supposed to do this job, but it's not doing its job apparently (I have a ticket open with them)

For now I was trying to block this with Exchange

Expert Comment

by:Ivan
ID: 41777989
Hi,

maybe you can create a transport rule to block email with X-MS-Exchange-Organization-SenderIdResult: Fail.
There is a good article on how to do it here:
http://markgossa.blogspot.rs/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html

Maybe it won't do all the job, but it will help at least a bit.

Regards,
Ivan.

Accepted Solution

by:John Hurst (earned 500 total points)
ID: 41777990
The emails are coming from GoDaddy, and unless you wish to block GoDaddy, you need to implement a spam filter that can look at the body of the email and block it based on characteristics of the email body.

As far as I know, Exchange won't do that.

Author Comment

by:jfguenet
ID: 41778007
But this is the header of a good email

Header Name      Header Value
X-MTA-CheckPoint      {57C6D116-0-462A8C0-3D8E07B6}
X-Control-Analysis      str=0001.0A0B0205.57C6D116.0183,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Date      Wed, 31 Aug 2016 05:44:05 -0700
From      Experts Exchange <noreply@experts-exchange.com>
To      <support@mydomain.ca>
Message-ID      <1534115608.0.1472647446185@cron.prod.aws.redsrci.com>
Subject      An Expert Comment has been posted: Exchange 2013 spam
MIME-Version      1.0
Content-Type      text/html; charset="UTF-8"
Content-Transfer-Encoding      quoted-printable
X-Mailer      Experts Exchange
Return-Path      noreply@experts-exchange.com
X-MS-Exchange-Organization-PRD      experts-exchange.com
X-MS-Exchange-Organization-SenderIdResult      SoftFail
Received-SPF      SoftFail (myexchangeserver.mydomain.ca: domain of transitioning noreply@experts-exchange.com discourages use of 192.168.xx.xx as permitted sender)
X-MS-Exchange-Organization-Network-Message-Id      e9d56d2b-3d35-4cc7-af12-08d3d19c7f54
X-MS-Exchange-Organization-SCL      0
X-MS-Exchange-Organization-PCL      2
X-MS-Exchange-Organization-Antispam-Report      DV:3.3.5705.600;SID:SenderIDStatus SoftFail;OrigIP:192.168.xx.xx
X-MS-Exchange-Organization-AuthSource      myexchangeserver.mydomain.ca
X-MS-Exchange-Organization-AuthAs      Anonymous

If we look at the Received-SPF, it tells us it's SOFTFAIL and it states the internal IP address of my firewall, 192.168.xx.xx

Here is the SPF record I've created

mydomain.qc.ca.  IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"
mydomain.ca.  IN TXT "v=spf1 mx a ip4:EXTERNAL IP ADDRESS OF FIREWALL/32 -all"

Is it supposed to be like that ?

Expert Comment

by:Andy M
ID: 41778013
Just as a question (as I have come across this before) - have you installed/activated the Exchange 2013 Anti-Spam agents? If memory serves, they don't auto-install when you set up Exchange, and a number of techies I've spoken to in the past forget they have to install them separately.

If only internal systems send email from your domain (i.e. you have no other external services using your domain for emailing, such as websites or scanners in external offices), you could look at disabling smtp-accept-authoritative-domain-sender on the default internet receive connector.

Instructions are here: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html (I believe it still works with 2013).

Basically this will look at any email it receives, and if it states it's from your internal domain, it will refuse it (as internal emails should be using a different receive connector).

Exchange's own anti-spam agents are not very good and very limited.
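The three pieces discussed so far (the SPF results in the question, Ivan's transport rule and Andy M's connector permission) in one Exchange Management Shell script, as an added example that is not code from the thread or from Microsoft. The relay IP, the exception IP and the connector name are placeholders; the rule starts in Audit mode on purpose.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# on the Exchange 2013 server; IPs and the connector name are placeholders.

# 1. Let Sender ID see the real originating IP. In the posted headers the SPF
#    check ran against the internal Postfix relay (client-ip=192.168.xx.xx,
#    helo=mail.mydomain.ca), which is why even legitimate mail shows SoftFail
#    and why a rule on "SenderIdResult: Fail" cannot be trusted yet.
$relay = "192.168.xx.xx"   # PLACEHOLDER: internal address of mail.mydomain.ca
$known = @((Get-TransportConfig).InternalSMTPServers | ForEach-Object { "$_" })
if ($known -notcontains $relay) {
    Set-TransportConfig -InternalSMTPServers @{Add = $relay}
}

# 2. Ivan's transport rule idea: a sender in one of our accepted domains that
#    reached us unauthenticated from outside the organisation is spoofed.
#    Mode Audit only records matches in the message tracking log; switch to
#    Enforce once no legitimate mail is caught.
New-TransportRule -Name "Reject spoofed internal senders" `
    -FromScope NotInOrganization `
    -SenderDomainIs "mydomain.ca", "mydomain.qc.ca" `
    -ExceptIfSenderIpRanges "203.0.113.10" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Unauthenticated message claiming an internal sender" `
    -Mode Audit
# 203.0.113.10 is a PLACEHOLDER for any external system (web site, scanner)
# that legitimately sends as mydomain.ca; list every such source here.

# 3. Andy M's alternative at the connector level: anonymous sessions on the
#    Internet-facing receive connector lose the right to use one of our own
#    (authoritative) domains in MAIL FROM.
$connector = "MYSERVEREXCHANGE\Default Frontend MYSERVEREXCHANGE"   # PLACEHOLDER
Get-ReceiveConnector -Identity $connector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender" } |
    Remove-ADPermission -Confirm:$false
```

Because Postfix has already accepted the message before Exchange rejects it, the rejection becomes a bounce from the relay to the forged sender; doing the same domain check on the Postfix or Check Point hop avoids that backscatter.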

Expert Comment

by:John Hurst
ID: 41778017
"Is it supposed to be like that?" At a quick look, yes, those headers look fine.

Expert Comment

by:ecarbone
ID: 41778020
I use SonicWALL (Dell) email security as my spam filter. Read the steps below and maybe there's a similar feature in Exchange or Check Point.

In SonicWALL I create a policy that looks in the email message header.
If the first three octets of the sender's IP address are contained anywhere in the header, then immediately move the message into the spam folder. Don't even bother analyzing it.

The reason I do only the first 3 is because spammers may own an entire class, or a range in that class.

So in your example, if the IP address of the message is 192.64.7.98, I will add "192.64.7." to my list. The spammer may own any of the IPs between 192.64.7.1 and 192.64.7.254.

You need to filter against the originating IP - not the IP of a service or device that sits in between and that you have control of.

Expert Comment

by:John Hurst
ID: 41786243
Please follow up and do not start a new question. You got good information here. Please continue with this question.

Author Comment

by:jfguenet
ID: 41788478
My spam content filtering does not seem to work

2016-09-07T18:56:13.664Z,08D3D74CA076F7F5,192.168.xx.xx:2525,192.168.xx.xx:35274,192.168.xx.xx,<000401d20938$8936bc50$9ba434f0$@videotron.ca>,usermailboxvideotron.ca,usermailboxvideotron.ca;,usermailbox@domain.qc.ca,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,8efdcb93-1511-4bda-7078-08d3d750a3e8,,Incoming

All my email log in spam agent are like this

My server is a standalone exchange server

Name                 : xx
ServerRole           : Mailbox, ClientAccess
Edition              : Enterprise
AdminDisplayVersion  : Version 15.0 (Build 1210.3)
IsClientAccessServer : True

I've run these commands

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport

InternalSMTPServers : {192.168.xx.xx}

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-TransportAgent

Identity                                           Enabled         Priority
--------                                           -------         --------
Transport Rule Agent                               True            1
Malware Agent                                      True            2
Text Messaging Routing Agent                       True            3
Text Messaging Delivery Agent                      True            4
System Probe Drop Smtp Agent                       True            5
System Probe Drop Routing Agent                    True            6
Content Filter Agent                               True            7
Sender Id Agent                                    True            8
Sender Filter Agent                                True            9
Recipient Filter Agent                             True            10
Protocol Analysis Agent                            True            11

I've added a list of keywords to reject email, and if I send an email with one of those words, I still receive the email

Thanks for helping me

Expert Comment

by:John Hurst
ID: 41788486
"content filtering was bypassed" Make sure that the addresses are not somehow whitelisted.

Author Comment

by:jfguenet
ID: 41788514
The email is not listed in

get-ContentFilterConfig | fl BypassedSenders
get-ContentFilterConfig | fl BypassedSenderDomains

Expert Comment

by:John Hurst
ID: 41788517
Look for another phrase in the email that is unique to how spammers write and put that in the content filter. Try that.

Author Comment

by:jfguenet
ID: 41788539
I'm just testing keyword filtering. I added the word "sex" and sent an email with sex in the body and subject, and I received it, so there is something wrong

Expert Comment

by:John Hurst
ID: 41788541
Try a complete phrase if you can. "Sex" is too simple. I do not know your spam engine but that is how I go about it.

Author Comment

by:jfguenet
ID: 41788546
I've tried this

Add-ContentFilterPhrase -Phrase "Free credit report" -Influence BadWord

which came from Microsoft website

https://technet.microsoft.com/en-us/library/bb124135%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396

And it still passed

Expert Comment

by:John Hurst
ID: 41788571
There must be something wrong with your spam filtering. I use this method / concept a lot.

Are there spam filter logs you can look at incoming and processing?

Author Comment

by:jfguenet
ID: 41788645
Well, this is the log I mentioned earlier

2016-09-07T18:56:13.664Z,08D3D74CA076F7F5,192.168.xx.xx:2525,192.168.xx.xx:35274,192.168.xx.xx,<000401d20938$8936bc50$9ba434f0$@videotron.ca>,usermailboxvideotron.ca,usermailboxvideotron.ca;,usermailbox@domain.qc.ca,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,8efdcb93-1511-4bda-7078-08d3d750a3e8,,Incoming

Expert Comment

by:John Hurst
ID: 41788691
I assume you are videotron.ca and the sender is domain.qc.ca.

The message says no filtering is happening at all.

So somehow the sender's email address or domain is whitelisted.
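A check that enumerates every setting behind "content filtering was bypassed" (the agent log line jfguenet posted, and the SCL -1 / ContentFilterConfigBypassedSender header on the first spam), as an added example that is not code from the thread. It runs in the Exchange Management Shell; the function name is mine, and the two addresses at the bottom are the redacted ones from the posted log line.

```powershell
# Added example, not code from the thread. Lists the settings that make the
# Content Filter agent skip a message for one recipient/sender pair.
function Get-ContentFilterBypassReason {
    param(
        [Parameter(Mandatory = $true)][string]$Recipient,
        [string]$Sender
    )
    $reasons = @()
    $asStrings = { param($v) @($v | ForEach-Object { "$_" }) }   # MVP -> plain strings
    $cfg = Get-ContentFilterConfig
    if (-not $cfg.Enabled) { $reasons += "Content Filter agent disabled (Set-ContentFilterConfig -Enabled `$true)" }
    if (-not $cfg.ExternalMailEnabled) { $reasons += "ExternalMailEnabled is False, so Internet mail is never scored" }

    # Organisation-wide lists. The thread checked the first two; BypassedRecipients
    # is a third list and is keyed on the recipient, not the sender.
    if ((& $asStrings $cfg.BypassedRecipients) -contains $Recipient) { $reasons += "$Recipient is in BypassedRecipients" }
    $domain = $null
    if ($Sender) {
        $domain = $Sender.Split("@")[-1]
        if ((& $asStrings $cfg.BypassedSenders) -contains $Sender) { $reasons += "$Sender is in BypassedSenders" }
        if ((& $asStrings $cfg.BypassedSenderDomains) -contains $domain) { $reasons += "$domain is in BypassedSenderDomains" }
    }

    # Per-mailbox switch: the one setting that differs when "a different mailbox works".
    $mbx = Get-Mailbox -Identity $Recipient -ErrorAction Stop
    if ($mbx.AntispamBypassEnabled) {
        $reasons += "mailbox has AntispamBypassEnabled (Set-Mailbox $Recipient -AntispamBypassEnabled `$false)"
    }

    # Safelist aggregation: the user's own Outlook Safe Senders list is pushed to
    # the Content Filter agent, so a trusted sender or domain is not scored either.
    if ($Sender) {
        $junk = Get-MailboxJunkEmailConfiguration -Identity $Recipient
        $trusted = & $asStrings $junk.TrustedSendersAndDomains
        if ($trusted -contains $Sender -or $trusted -contains $domain) { $reasons += "$Sender is on the user's Safe Senders list" }
    }

    if ($reasons.Count -eq 0) { "no bypass configured for $Recipient" } else { $reasons }
}

# Values from the posted agent log line: P1 sender videotron.ca, recipient domain.qc.ca
Get-ContentFilterBypassReason -Recipient "usermailbox@domain.qc.ca" -Sender "usermailbox@videotron.ca"
```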

Author Comment

by:jfguenet
ID: 41789820
OK, you were right. I tried a different mailbox and it's working fine now

Thanks !

Expert Comment

by:John Hurst
ID: 41789867
You are very welcome and I was happy to help.