Possible open mail relay

I am working in a new HIPAA compliant network. I have noticed that we are blocking attempted spammers on our outbound mail filter, in some cases, on a bad day, as many as 50 different IP addresses. While the email filter will block any sender that is not authenticated, I am under the impression that if your Exchange (2016) environment is properly configured we should see zero attempted relays. Am I incorrect in this assumption?
Barry-f4 asked:

noci (Software Engineer) commented:
No, you are not correct. And only 50? I see 50-80K attempts per month, so 2-4K per day...
On a server with only 5 domains. Some are just wild attempts, others are trying to use my domain as source address...
>90% of all mail on the internet is spam...
But you may be better off filtering on incoming for only your domain...
Barry-f4 (Author) commented:
OK, yeah we do block at the firewall once they have been detected so we no longer see them in the outbound mail filter.

thanks
noci (Software Engineer) commented:
You may want to look into spam filtering in some form.

timgreen7077 (Exchange Engineer) commented:
You are correct, the default receive connectors don't allow Exchange to be an open relay unless you modify them; that's why you don't modify the default connectors. If you create a custom connector then it should be IP specific.

You may want to verify that there is not a virus on any of the computers in your environment that may be acting as a relay for emails.
timgreen7077 (Exchange Engineer) commented:
You can also see the link below for open relay on Exchange, and I will paste a quote from the article also:

https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx


In Exchange Server 2016, you can create a dedicated Receive connector in the Front End Transport service on a Mailbox server that allows anonymous relay from a specific list of internal network hosts. Here are some key considerations for the anonymous relay Receive connector:

You need to create a dedicated Receive connector to specify the network hosts that are allowed to anonymously relay messages, so you can exclude anyone or anything else from using the connector. Don't attempt to add anonymous relay capability to the default Receive connectors that are created by Exchange. Restricting access to the Receive connector is critical, because you don't want to configure the server as an open relay.

Barry-f4 (Author) commented:
Interesting, the comment from Noci disagrees. He stated that he sees 2-4k relay attempts per day, which seems bizarre to me. I am just trying to understand. I feel that we shouldn't be seeing any attempts unless, as you stated, someone on my network has a virus and is working as a relay.
timgreen7077 (Exchange Engineer) commented:
The default connectors are not open relays unless someone modified them and made them open relays, but if that was the case you may see what Noci is seeing. But again, it's possible there is an infected machine on your network. If that is the case I would suggest implementing a GPO or a firewall rule to block all outbound port 25 traffic other than your Exchange servers.
timgreen7077 (Exchange Engineer) commented:
Go to the link below and test to see if your Exchange server is an open relay:

https://mxtoolbox.com/diagnostic.aspx
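
A server-side check to go with the external test, added here as an example and not posted by anyone in this thread: it reads SMTP receive protocol log lines and separates relay attempts the server rejected from foreign-domain recipients it accepted on an unauthenticated session. The log lines, the accepted domain and the function names are constructed; the field layout and the 550 5.7.54 response text are assumed to match what Exchange 2016 writes to its receive protocol log.

```python
import csv
from collections import Counter

ACCEPTED_DOMAINS = {"example.org"}  # assumption: replace with your accepted domains
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

def _row(sid, ip, event, data):
    """Build one constructed log line (not real traffic; documentation IPs)."""
    return f"2024-01-01T10:00:00Z,MBX1\\Frontend,{sid},0,192.0.2.10:25,{ip}:50000,{event},{data},"

SAMPLE_LOG = [
    "#Fields: " + ",".join(FIELDS),
    _row("S1", "203.0.113.7", "<", "RCPT TO:<a@elsewhere.test>"),
    _row("S1", "203.0.113.7", ">", "550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain"),
    _row("S2", "198.51.100.9", "<", "RCPT TO:<user@example.org>"),   # normal inbound mail
    _row("S2", "198.51.100.9", ">", "250 2.1.5 Recipient OK"),
    _row("S3", "10.0.0.25", "<", "RCPT TO:<b@elsewhere.test>"),      # anonymous relay accepted
    _row("S3", "10.0.0.25", ">", "250 2.1.5 Recipient OK"),
    _row("S4", "10.0.0.50", ">", "235 2.7.0 Authentication successful"),
    _row("S4", "10.0.0.50", "<", "RCPT TO:<c@elsewhere.test>"),      # authenticated submission
    _row("S4", "10.0.0.50", ">", "250 2.1.5 Recipient OK"),
]

def classify_relays(lines, accepted=ACCEPTED_DOMAINS):
    """Return (rejected, relayed): Counters of remote IP -> foreign-domain RCPTs."""
    rejected, relayed = Counter(), Counter()
    pending, authed = {}, set()  # session-id -> "last RCPT was to a foreign domain"
    rows = csv.DictReader((l for l in lines if not l.startswith("#")), fieldnames=FIELDS)
    for row in rows:
        sid, data = row["session-id"], row["data"] or ""
        ip = (row["remote-endpoint"] or "").rsplit(":", 1)[0]
        if row["event"] == "<" and data.upper().startswith("RCPT TO:"):
            domain = data.split("@")[-1].split(">")[0].strip().lower()
            pending[sid] = domain not in accepted
        elif row["event"] == ">":
            if data.startswith("235"):
                authed.add(sid)               # session authenticated; relay is expected
            elif pending.pop(sid, False):     # reply to a foreign-domain RCPT
                if data.startswith("5"):
                    rejected[ip] += 1         # attempt refused: noise, not an open relay
                elif data.startswith("250") and sid not in authed:
                    relayed[ip] += 1          # accepted anonymously: review this connector
    return rejected, relayed

if __name__ == "__main__":
    print(classify_relays(SAMPLE_LOG))
```

Entries in the second counter should only ever be hosts you deliberately listed on a dedicated relay connector; anything else there is the condition an open-relay test looks for.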
Barry-f4 (Author) commented:
Answered my question.