bwask
asked on
Exchange 2010 Email server black listed
Hello All,
I have a problem that has been plaguing me for a week now. I keep getting black listed. I have sniffers in all the key locations and have been running them for weeks and found nothing. Finally this morning I found something that is getting me closer to a solution. In my Exchange 2010 server Queue Viewer I have 10 or so emails that are trying to be sent from an anonymous source; it just shows "<>" in the address field. This is making it very difficult for me to find where this email actually originated from so I can kill the offending machine.
My first question is, is there a more complete log someplace that will show a more detailed display of the connection information so I can track back to the source?
Second, is there a way to block all emails that do not have a sender address?
Thanks for any help
Eric
If you don't already have a cloud-based Spam filter set up that allows Outgoing mail routing, I would highly recommend moving to that type of configuration, then block SMTP going out from everything but your Exchange server (and only allow that to go out to the cloud spam filter's IP addresses). Setting things up like that will greatly reduce the number of headaches you'll have with blacklisting.
Messages that show in the queues as being from "<>" are usually NDR messages. This is sometimes an indication that someone is using your Exchange server for sending Backscatter SPAM messages. This, again, would be something that having a cloud-based spam filter would stop. Otherwise, configure your Exchange server to not send NDRs to external recipients (If you want).
I looked at your link earlier. I do not have an "edge transport" in my EMC 2010 console tree. Am I missing something?
You're probably missing an Edge Transport server. Edge Transport is an Exchange role that is designed to act as a spam filter for Exchange that is not part of the domain. If you don't have Edge Transport, you would need to install the Anti-Spam agents on the Exchange server to enable sender filtering.
Or as Adam suggested get a Cloud-base solution.
AppRiver is a good one.
ASKER
We already do block all outgoing traffic on port 25 except via our mail server. Since these messages are sitting in the Queue on the actual mail server I can only conclude that somebody has a computer infected that is utilizing their Outlook or has their Active Directory password.
Will the command "Set-SenderFilterConfig -BlankSenderBlockingEnabled $true" work even if I don't have the Anti-Spam agents installed on the Exchange server? I did run it and didn't get an error.
It should. See if that gives any joy.
ASKER
Hopefully getting closer, and thanks for the help,
I can see recipient email addresses in some of the log entries in the message tracking log files but no I.P. address.
I'm not seeing in any of these log files which computer the connection was originated from so I can identify the culprit. Is there a log file that would show this?
ASKER
I'm sorry that previous comment is not worded very well. It looks like I can get originating ip addresses on valid emails but the spam that is showing up in the Message Tracking log file does not have an originating ip address.
ASKER
Here is what I've managed to dig out of the log files.
I have a bad email sitting in my queue right now and I was able to track it down in two different log files.
\Exchange Server\V14\TransportRoles\Logs\Connectivity\CONNECTLOG20170228-1.LOG
2017-02-28T17:36:31.480Z,08D3CBDBFE30B1EF,SMTP,spam.com,+,DnsConnectorDelivery 62edb849-18ef-4fb4-963b-846e5ec5f77d;QueueLength=2
2017-02-28T17:36:31.542Z,08D3CBDBFE30B1EF,SMTP,spam.com,>,mail7.spam.com[104.168.151.213]
2017-02-28T17:36:32.743Z,08D3CBDBFE30B1EF,SMTP,spam.com,>,Failed connection to 104.168.151.213 (ConnectionRefused:0000274D)[TargetHost:mail7.spam.com|MarkedUnhealthy|FailureCount:11|NextRetryTime:2017-02-28T17:46:32.743Z][TargetIPAddress:104.168.151.213|MarkedUnhealthy|FailureCount:11|NextRetryTime:2017-02-28T17:46:32.743Z]
2017-02-28T17:36:32.743Z,08D3CBDBFE30B1EF,SMTP,spam.com,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)
and
\Exchange Server\V14\TransportRoles\Logs\MessageTracking\MSGTRK20170228-1.LOG
2017-02-28T17:12:04.699Z,,,,RANGER,ContentConversion,,ROUTING,TRANSFER,3629489,<6d530861589246108e219e91da476af0@RANGER.mydomain.com>,jennifer.taylor@spam.com,,4725,1,,3629488,Automatic reply: Stock and long-store emergency rations for the whole family on the cheap.,khacker@mydomain.com,<>,,Originating,,,,
However neither of these files gets me any closer to the originating IP address of the infected workstation. Is there a log somewhere that will show where this connection originated from?
And thanks for all the help
Eric
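The MSGTRK line quoted above records a message with an empty return-path ("<>") whose subject starts with "Automatic reply:" and whose sender is a local mailbox, which is the pattern of an out-of-office reply going back to whoever sent that mailbox a message. The way to find where it came from is to pair it with the RECEIVE event of the message the mailbox answered and read that event's client-ip / original-client-ip. The script below is an added example, not code from this thread or from Microsoft: it parses exported Exchange 2010 message tracking log lines offline and does that pairing. The column order is assumed from the Exchange 2010 SP1 log format (a real file also carries a "#Fields:" header, which the parser honours when present). In the sample, only the TRANSFER line is the one from the thread; the RECEIVE line, its message-id and its addresses (documentation ranges 203.0.113.0/24 and 192.0.2.0/24) are constructed.

```python
"""Pair '<>' (null return-path) messages in an Exchange 2010 message tracking
log with the inbound RECEIVE event that provoked them, so the real origin of
the traffic can be read off. Added example; not the thread's own code."""
import csv
import io
from typing import Dict, List, Optional

Row = Dict[str, str]

# Column order assumed from the Exchange 2010 SP1 message tracking log format.
DEFAULT_FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "recipient-address", "recipient-status", "total-bytes",
    "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
]

AUTO_REPLY_PREFIX = "Automatic reply: "

# Constructed sample: a made-up RECEIVE line (documentation IP addresses,
# invented message-id) for the inbound spam, followed by the TRANSFER line
# quoted in the thread for the out-of-office reply it triggered.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
2017-02-28T17:12:03.100Z,203.0.113.45,mail7.spam.com,192.0.2.10,RANGER,08D3CBDBFE30B1EF;2017-02-28T17:12:02.900Z;0,RANGER\Default RANGER,SMTP,RECEIVE,3629487,<20170228171202.ABC123@mail7.spam.com>,khacker@mydomain.com,,4100,1,,,Stock and long-store emergency rations for the whole family on the cheap.,jennifer.taylor@spam.com,jennifer.taylor@spam.com,,Incoming,,203.0.113.45,192.0.2.10
2017-02-28T17:12:04.699Z,,,,RANGER,ContentConversion,,ROUTING,TRANSFER,3629489,<6d530861589246108e219e91da476af0@RANGER.mydomain.com>,jennifer.taylor@spam.com,,4725,1,,3629488,Automatic reply: Stock and long-store emergency rations for the whole family on the cheap.,khacker@mydomain.com,<>,,Originating,,,,
"""


def parse_tracking_log(text: str) -> List[Row]:
    """Turn MSGTRK CSV text into one dict per row; '#' lines are headers."""
    fields = DEFAULT_FIELDS
    rows: List[Row] = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        if rec[0].startswith("#Fields: "):        # take the file's own column list
            fields = [rec[0][len("#Fields: "):]] + rec[1:]
            continue
        if rec[0].startswith("#"):
            continue
        rec = rec + [""] * (len(fields) - len(rec))  # tolerate short rows
        rows.append(dict(zip(fields, rec)))
    return rows


def find_trigger(rows: List[Row], mailbox: str, reply_to: str,
                 original_subject: str) -> Optional[Row]:
    """RECEIVE event of the message that `mailbox` answered with an auto-reply."""
    for cand in rows:
        if (cand.get("event-id") == "RECEIVE"
                and cand.get("recipient-address", "").lower() == mailbox.lower()
                and cand.get("sender-address", "").lower() == reply_to.lower()
                and cand.get("message-subject") == original_subject):
            return cand
    return None


def describe_origin(trigger: Optional[Row]) -> str:
    """Explain what the trigger's source says about where the traffic came from."""
    if trigger is None:
        return "no matching inbound message in this log window"
    if trigger.get("source") == "SMTP":
        return "inbound SMTP from an external host, not an internal workstation"
    if trigger.get("source") == "STOREDRIVER":
        return "submitted from a local mailbox; the log records the Mailbox server, not the client"
    return "source " + trigger.get("source", "")


def find_null_sender_origins(rows: List[Row]) -> List[Dict[str, str]]:
    """One result per distinct '<>' message, with the origin of its trigger."""
    seen = set()
    results = []
    for row in rows:
        if row.get("return-path") != "<>" or row.get("message-id") in seen:
            continue
        if row.get("event-id") not in ("TRANSFER", "SEND", "SUBMIT", "RECEIVE"):
            continue
        seen.add(row["message-id"])
        subject = row.get("message-subject", "")
        original = subject[len(AUTO_REPLY_PREFIX):] if subject.startswith(AUTO_REPLY_PREFIX) else subject
        trigger = find_trigger(rows, row.get("sender-address", ""),
                               row.get("recipient-address", ""), original)
        ip = host = ""
        if trigger is not None:
            ip = trigger.get("original-client-ip") or trigger.get("client-ip") or ""
            host = trigger.get("client-hostname", "")
        results.append({
            "message_id": row["message-id"],
            "mailbox": row.get("sender-address", ""),
            "reply_to": row.get("recipient-address", ""),
            "trigger_client_ip": ip,
            "trigger_client_hostname": host,
            "origin": describe_origin(trigger),
        })
    return results


if __name__ == "__main__":
    for hit in find_null_sender_origins(parse_tracking_log(SAMPLE_LOG)):
        print(f"{hit['message_id']}: {hit['mailbox']} -> {hit['reply_to']}")
        print(f"   triggered by {hit['trigger_client_hostname']} [{hit['trigger_client_ip']}]: {hit['origin']}")
```

Run it against a real exported MSGTRK file by replacing SAMPLE_LOG with the file's contents. When the trigger's source is SMTP, the "<>" message is a reply to mail that arrived from outside, which is the NDR/backscatter case Adam describes rather than an infected workstation, and the address worth noting is the external sender's. Messages that a user's Outlook submits through MAPI show a RECEIVE event with source STOREDRIVER whose client-ip is the Mailbox server, so the tracking log cannot name the workstation in that case; the Connectivity log quoted above only covers the outbound delivery attempt and has no originating address either.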
Search with the MessageID, you might get a little closer.
Thanks,
Sudeep
ASKER
Yes I did that too, still no ip address to track it back to.