Exchange 2007 AntiSpam Auto Response

  • Friday, November 06, 2009 1:23 PM Siegfried H.
     
    Hi folks,

    we recently had to implement an AntiSpam filter since we auto replied (Out-Of-Office, Ticketsystem, ...) to Spam mails and therefore got blacklisted. We managed to remove our IP from the Blacklists again, implemented the Exchange 2007 AntiSpam filter and added two Blacklists - Spamhaus and SpamCop.
    But for a reason I don't know yet the Exchange Server replies to the mails coming from Mailservers which are listed on these Blacklists. So we autorespond to every SpamMail which is coming into the system.
    Furthermore, when a SpamMail is sent with our employee's eMail address as SenderAddress, he will also get the Auto response message as soon as the SpamMail is dropped.

    Isn't that a bit senseless?
    Is there a way to disable these auto response messages? As I said, we got blacklisted because we already responded to Spammails before we implemented the AntiSpam filter.
    I would rather prefer to just drop the Connection request without sending this notification.

    Appreciate any help or info !

    Many thanks in advance
    Siegfried

All Replies

  • Friday, November 06, 2009 11:09 PM Alexander Zammit, MVP
     Answer

    Exchange RBLs do not send auto-responses (NDRs). This filter rejects emails without generating an NDR.
    When an email is rejected it is up to the sending server to decide whether to generate an NDR.

    To better understand this point please check this article:
    http://www.exchangeinbox.com/article.aspx?i=107


    IMF Tune - Unleash the Full Intelligent Message Filter Power - http://www.windeveloper.com/imftune/
  • Sunday, November 08, 2009 7:48 AM Siegfried H.
     
    I fully understand how NDRs are working and also the article was very helpful. It just seems curious to me that when we get Spam from a Blacklisted Server our server sends the NDR saying something like:

    #<localserver.domain #5.7.1 SMTP; 550 5.7.1 Recipient not authorized, your IP has been found on a block list> #SMTP#


  • Sunday, November 08, 2009 9:34 AM Alexander Zammit, MVP
     
    To make sure I am understanding you right.


    You are receiving spam where both sender and recipient point to your domain. And the spoofed sender is receiving an NDR?


    Open the NDR and have a look at the Received header.

    Start by identifying where the NDR is coming from. It cannot be the Exchange server running the RBL because as we already said this server is causing a rejection (not the NDR). The NDR could be generated by the previous hop, i.e. the last server trying to deliver the spam to the Exchange server where the RBL is running.


  • Sunday, November 08, 2009 3:17 PM Siegfried H.
     
    You are receiving spam where both sender and recipient point to your domain. And the spoofed sender is receiving an NDR?
    That is absolutely correct!

    Here's the complete NDR :

    Delivery has failed to these recipients or distribution lists:

    employee@local.domain
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    The following organization rejected your message:localserver.local.domain.






    Diagnostic information for administrators:

    Generating server: publicrelay.public.domain

    employee@local.domain
    localserver.local.domain
    #<localserver.local.domain #5.7.1 SMTP; 550 5.7.1 Recipient not authorized, your IP has been found on a block list> #SMTP#

    Original message headers:

    Return-Path: <employee@public.domain>
    Received: from [193.39.119.208] (208.119.39.193.in-addr.arpa [193.39.119.208] (may be forged))
     by publicrelay.public.domain (8.13.8/8.13.1/SuSE Linux 0.7) with ESMTP id nA5COo9j026351
     for <employee@public.domain>; Thu, 5 Nov 2009 12:24:52 GMT
    Message-ID: <2197F041.23016@public.domain>
    Date: Thu, 5 Nov 2009 14:24:45 +0200
    From: Desalle <employee@public.domain>
    User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
    MIME-Version: 1.0
    To: <employee@public.domain





  • Tuesday, November 10, 2009 5:58 AM Allen Song, MSFT, Moderator
     
    Hi,

    As Alexander said, the Exchange RBL occurs on initial connection (SMTP session) which doesn't generate the NDR. From the header information, it seems that the NDR was generated by the public.domain server.

    Is it your Exchange server or third party relay server?

    Thanks

    Allen
  • Wednesday, November 18, 2009 4:18 PM Siegfried H.
     
    It's a third party relay server which forwards the mails to the appropriate Exchange server.
    Only the Exchange server behind the public.domain server holds the RBLs.

    Thanks
    Siegfried
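
The diagnosis reached in this thread, as an added example that is not part of the original posts: reading an NDR to separate the server that rejected the message from the server that built the bounce. The helper name `analyse_ndr`, the result keys and the sample text (including the 192.0.2.10 address) are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the NDR quoted in the thread; 192.0.2.10 is a
# documentation address standing in for the spam source.
SAMPLE_NDR = """\
Diagnostic information for administrators:

Generating server: publicrelay.public.domain

employee@local.domain
localserver.local.domain
#<localserver.local.domain #5.7.1 SMTP; 550 5.7.1 Recipient not authorized, your IP has been found on a block list> #SMTP#

Original message headers:

Return-Path: <employee@public.domain>
Received: from [192.0.2.10] (may be forged)
 by publicrelay.public.domain with ESMTP id nA5COo9j026351
 for <employee@public.domain>; Thu, 5 Nov 2009 12:24:52 GMT
From: Desalle <employee@public.domain>
"""

def analyse_ndr(text):
    """Hypothetical helper: who rejected, who built the NDR, who received it."""
    gen = re.search(r"^Generating server:\s*(\S+)", text, re.M)
    diag = re.search(r"#<(\S+) #(\d\.\d+\.\d+) SMTP; (\d{3}) ", text)
    if not gen or not diag:
        raise ValueError("not an Exchange-style NDR diagnostic section")
    # Headers of the original (bounced) message follow this marker.
    _, _, original = text.partition("Original message headers:")
    headers = email.message_from_string(original.lstrip())
    # The bottom-most Received header is the hop that first accepted the mail.
    received = headers.get_all("Received") or [""]
    by = re.search(r"\bby\s+([\w.-]+)", received[-1])
    return {
        "generating_server": gen.group(1),
        "rejecting_server": diag.group(1),
        "enhanced_status": diag.group(2),
        "smtp_code": int(diag.group(3)),
        "accepted_by": by.group(1) if by else None,
        # The NDR is addressed to the envelope sender, which can be forged.
        "bounce_sent_to": parseaddr(headers.get("Return-Path", ""))[1],
        # True: the rejecting server refused in-session; the hop before it built the NDR.
        "ndr_built_by_previous_hop": gen.group(1).lower() != diag.group(1).lower(),
    }

if __name__ == "__main__":
    print(analyse_ndr(SAMPLE_NDR))
```
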