Forefront not filtering spam or virus in 2010
-
Friday, May 11, 2012 4:41 PM
I have a mixed install right now with a legacy Exchange 2007 environment and a new Exchange 2010 environment with only a few mailboxes on it. I'm trying to get Forefront Protection for Exchange 2010 working before migrating more than a few mailboxes, but it doesn't seem to be identifying the GTUBE spam test at all.
To clarify: even though I have 2007, I have configured the mailflow here so that none of the 2007 boxes are in the equation. I deliver the mail directly to a 2010 hub transport/cas array via telnet 25 and it's going into a mailbox that is also in the 2010 environment. I have Forefront Protection for Exchange Server installed on the CAS/HUB servers and Forefront Endpoint on the Mailbox servers. I have also taken the extra step of entering the IP address of my workstation as an external address in Global Settings/Advanced Options and I've verified that the recipient has no whitelisted addresses.
Here are the headers -- you'll see it scores SCL -1.
Received: from test.com (140.232.0.75) by HADDOCK.ad.clarku.edu
(140.232.254.129) with Microsoft SMTP Server id 14.2.298.4; Fri, 11 May 2012
12:31:42 -0400
Subject: Test spam mail (GTUBE)
From: test <testcom@testcom.net>
To: Text <its_exch2010_test@clarku.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20397e2a-ba24-4cf1-ae38-a1333523c49d@HADDOCK.ad.clarku.edu>
Return-Path: abennett@test.com
Date: Fri, 11 May 2012 12:31:42 -0400
X-MS-Exchange-Organization-AuthSource: HADDOCK.ad.clarku.edu
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 10
X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
X-MS-Exchange-Organization-SCL: -1
All Replies
-
Friday, May 11, 2012 6:01 PM
Hi,
For Cloudmark it's essential that the server can access the following URLs:
- cdn-microupdates.cloudmark.com
- lvc.cloudmark.com
- tracks.cloudmark.com
- pki.cloudmark.com
Make sure that the server can access these URLs.
Greetings
Christian
Christian Groebner MVP Forefront
-
Friday, May 11, 2012 6:11 PM
Hi,
I can ping all of those servers from the console and the "Engines" pane of the dashboard has a green check.
-
Friday, May 11, 2012 6:35 PM
Hi,
OK, found the problem:
X-MS-Exchange-Organization-AuthAs: Internal
The connection is authenticated and so handled as internal. That's why Cloudmark is skipped.
Greetings
Christian
Christian Groebner MVP Forefront
-
Friday, May 11, 2012 6:39 PM
I see that, but how? What's causing it to be authenticated? I deliver the mail by doing telnet 25 from a Linux box; never at any point do I authenticate.
-
Friday, May 11, 2012 7:01 PM
OK, I think I figured it out. The relevant Receive Connector on the Hub Transport is one called "Allow Relay" that has the IP addresses of the mail relays on it. It has "Externally Secured" for Authentication and "Exchange Servers" for permission groups -- I think that's causing it to assume all those mail relays are Exchange servers and toss everything into the internal trusted bin.
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Wednesday, May 16, 2012 2:15 AM
-
Friday, May 11, 2012 8:07 PM
To fix this, I changed the connector to allow Anonymous Users. Be careful if you do this to use RemoteIPRanges to restrict the connector to only the hosts you want to use it, or you have just created an open relay.
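The connector change described in the thread, written out as an added Exchange Management Shell example (not code from the original posts). It assumes the connector identity is HADDOCK\Allow Relay (server name taken from the headers above), uses placeholder relay addresses 192.0.2.10 and 192.0.2.11, and assumes the relays still need to send to external recipients, so it grants only the single relay right instead of the whole Exchange Servers permission group.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Hub Transport server. Connector identity and relay IPs are assumptions;
# substitute your own values.
$Connector = "HADDOCK\Allow Relay"
$RelayHosts = @("192.0.2.10", "192.0.2.11")   # placeholder relay addresses

# 1. Show the combination that produces "AuthAs: Internal". ExternalAuthoritative
#    ("Externally Secured" in the console) together with the ExchangeServers
#    permission group makes transport treat every peer on the connector as an
#    Exchange server, so the anti-spam agents and the Cloudmark engine bypass
#    the message and stamp SCL -1.
Get-ReceiveConnector $Connector |
    Format-List Identity, AuthMechanism, PermissionGroups, RemoteIPRanges

# 2. Apply the fix from the thread: drop ExternalAuthoritative, accept the relays
#    as anonymous SMTP peers, and bind the connector to those addresses only.
#    Anonymous plus relay rights without a tight RemoteIPRanges is an open relay.
Set-ReceiveConnector $Connector `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers `
    -RemoteIPRanges $RelayHosts

# 3. Anonymous peers cannot relay to external recipients by default. If the
#    relays need that (assumed here, given the connector's name), grant just the
#    one extended right, which is far narrower than trusting them as Exchange
#    servers.
Get-ReceiveConnector $Connector |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Verify the relay right is scoped to this connector only, then resend the
#    GTUBE test: the header should now read
#    X-MS-Exchange-Organization-AuthAs: Anonymous and the SCL should no longer
#    be -1.
Get-ReceiveConnector $Connector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table Identity, User, ExtendedRights
```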

