Tough Spam

    Question

  • Hey everyone,

    I have an interesting problem with an influx of spam traffic into our Exchange environment. We currently have three domains set up as accepted in our Exchange 2010 SP1 environment; two of these domains are "legacy" in that we only use aliases within user accounts to accept mail from their old addresses.

    Previously, mail from these domains was being forwarded to our Exchange servers before all three were integrated, so I had relay connectors in place so our Exchange 2010 would accept the mail and deliver it to recipients. Now those servers are out of the mix and it's only our Exchange servers, but all of the spam we're seeing is coming from (or rather going TO) these two legacy domains. Now for whatever reason Forefront and TMG are not stopping these spam messages...

    I've been able to curtail the really obvious stuff with subject line and message body filters for key words and phrases, but that only goes so far before false positives, etc. start occurring.

    Right now we have Forefront for Exchange and TMG running anti-spam operations, but I feel like I'm missing something because so many messages are getting through, and only from these legacy domains. All of my Forefront and TMG updates are in place as well.

    Any advice? Thanks!!

    Wednesday, February 15, 2012 8:11 PM

All replies

  • Hi,

    what antispam features do you have configured?

    Is the Cloudmark engine working right and can the server access the following servers over http/https:

    • cdn-microupdates.cloudmark.com
    • lvc.cloudmark.com
    • tracks.cloudmark.com
    • pki.cloudmark.com

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Wednesday, February 15, 2012 9:36 PM
  • I'm using: Content Filtering (Subject Line and Message Body), IP Allow Lists, IP Block Lists, Recipient Filtering, Sender Filtering, Sender ID, Sender Reputation, File Filtering, and Virus Filtering.

    Cloudmark is working and updated and I can get to the URL's you have listed.

    Thanks!

    Thursday, February 16, 2012 2:50 PM
  • Hi,

    can you post the header of such an email?

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Thursday, February 16, 2012 4:17 PM

    Received: from mail.contoso.com (10.10.0.100) by
     chsexch1.contoso.com (10.10.0.103) with Microsoft SMTP Server (TLS) id
     14.1.355.2; Thu, 16 Feb 2012 14:26:38 -0500
    Received: from ship.ashguardproducts.com (10.10.128.254) by
     mail.contoso.com (10.10.128.100) with Microsoft SMTP Server id
     14.1.355.2; Thu, 16 Feb 2012 14:25:37 -0500
    To: <wellington@contosolegacy.com>
    MIME-Version: 1.0
    Message-ID: <1893092531@ship.ashguardproducts.com>
    Date: Thu, 16 Feb 2012 14:25:35 -0500
    Subject: Please Confirm Your Deposit of $1500.00 For Today.
    From: Confirmation Request <LoanCenter@ashguardproducts.com>
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline
    Return-Path: LoanCenter@ashguardproducts.com
    X-MS-Exchange-Organization-Antispam-Report: v=1.1
     cv=SwAhOgrJABorOWU00hLjQzAsC1WmBojDcK02RH7V/No= c=1 sm=1 a=QpDJRsAyRAoA:10
     a=60twu7O24McA:10 a=kj9zAlcOel0A:10 a=ZwLLxu-4AAAA:8
     a=aSVephguWG9xPF5o_UwA:9 a=CbW1NwDuuUmCkkCfac8A:7 a=CjuIK1q_8ugA:10
     a=_W_S_7VecoQA:10 a=d4uxSTnXtwcOKvx5:21 a=DNX-MfNRmxDCoywS:21
     a=HpAAvcLHHh0Zw7uRqdWCyQ==:117;OrigIP:unavailable;SCL:-1
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
    X-MS-Exchange-Organization-SCL: -1
    X-MS-Exchange-Organization-AuthSource: chsextmg1.contoso.com
    X-MS-Exchange-Organization-AuthAs: Anonymous

    Thursday, February 16, 2012 7:39 PM
  • Hi,

    it seems that Cloudmark is not detecting the email as spam because the SCL value is -1.

    "X-MS-Exchange-Organization-SCL: -1"

    What you can do now is submit samples to Cloudmark:

    http://technet.microsoft.com/en-us/library/bb914008.aspx

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Thursday, February 16, 2012 8:21 PM
  • I've submitted 25+ samples to the "False Negatives" address listed in that TechNet article. Is there any type of response or time frame I should be expecting? Is there anything else I can do on my servers?

    Friday, February 17, 2012 7:07 PM
  • I'm having the same issue lately. I have used FPE for almost a year and a half with maybe 1 email every 4 months about spam. Now people are getting hit much harder with clear and obvious spam. I get daily complaints and had to block the whole .info domain.

    I'm just going to subject filter them for now. I wish there were a better way to block them. I wish I could mark the SCL value and let it go to the user's junk mail (we have specific organization requirements).

    I've reported them to the forefront false negatives email address. They still keep coming through. Same stuff each day, different email domain.


    Date: Wed, 15 Feb 2012 20:13:37 -0800
    Message-ID: <MTMyNjk0NDExNTM3MzI0NjU3OWU0ZGNlNDNmODM5N2Y_@support.equality4allcoalition.com>
    From: No More Mortgage Payments <info@equality4allcoalition.com>
    MIME-Version: 1.0
    To: <.....>
    Subject: + Fannie Mae Launches New Refi-Plus Program!
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline
    Return-Path: info@equality4allcoalition.com
    X-MS-Exchange-Organization-PRD: equality4allcoalition.com
    Received-SPF: Pass (Internal: domain of info@equality4allcoalition.com
     designates 209.44.108.114 as permitted sender) receiver=Internal;
     client-ip=209.44.108.114; helo=support.equality4allcoalition.com;
    X-MS-Exchange-Organization-Antispam-Report: v=1.1
     cv=u5Ox88IO2AAEqyCwKBSciWmq8XkAz/cY6YV4BYSdshg= c=1 sm=1 a=m98JNQumO2oA:10
     a=J9I81Ufo3WoA:10 a=kj9zAlcOel0A:10 a=HrnwlcHaUTUfdOBtbPj+kg==:17
     a=VIjHqcLWAAAA:8 a=xY0FcIN8aX88WLemMHwA:9 a=-c4foXO0GqN3ixuuJ44A:7
     a=CjuIK1q_8ugA:10 a=_W_S_7VecoQA:10 a=ksnAObh8nlMUxNu2:21
     a=svshSJ3cQy_bO6gZ:21
     a=HrnwlcHaUTUfdOBtbPj+kg==:117;OrigIP:209.44.108.114;SCL:0
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-SenderIdResult: PASS
    X-EMS-Proccessed: vksbb0GSmfC5TYeESFnbQA==
    X-EMS-STAMP: fNb4xxYlzq8uik+mB7GhiQ==

    Monday, February 20, 2012 10:14 PM
  • Hi,

    I have similar observations. For a long time Forefront was very successful in filtering out spam. Recently (the last several weeks) I have more and more users complaining about many spam messages (one of them received 11 spams today). The engine is updated, microupdates are received, no warnings/errors in the Application log. Has something changed in the Cloudmark engine? And in fact those messages are obvious spam, nothing sophisticated.

    Has anybody noticed similar behaviour? To me it looks like Forefront really focuses on fingerprints of spam messages and the heuristic is not applied (not taken into consideration). Is there a possibility to increase the "weight" of the heuristic in Forefront?

    Thanks (below a spam message with headers ;)

    X-Yahoo-Newman-Property: ymail-3

    X-Yahoo-Newman-Id: 416605.31324.bm@omp1032.mail.bf1.yahoo.com
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1331793560; bh=SMWfPU4Sv54aToFwK9FLhrF/77Dh9tuDt/rzYLRyKE8=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=2EItaeFX9DCdCjt0aa6i3bZFJhOh15FeVQjfiul61PQgJQhX1oXshR0yz5rYURtIVzJDrlkFhknyrNN2r7YvJv8mXoNvuP/vvFpT17RCm9xx0E1BWMzsH+Uky0awlp1Y4sHvUb0JYE5yzY0XgX2OBJPumrz9WEraQ94wNNT3xGg=
    X-RocketYMMF: naomikabi50
    X-Mailer: YahooMailClassic/15.0.5 YahooMailWebService/0.8.116.338427
    Message-ID: <1331793560.78561.YahooMailClassic@web161804.mail.bf1.yahoo.com>
    Date: Wed, 14 Mar 2012 23:39:20 -0700
    From: Stella Jacob <reginaalphonsus@yahoo.co.jp>
    Reply-To: <adelinecollins@ymail.com>
    Subject: FROM MRS STELLA JACOB.
    To: undisclosed recipients:;
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="1565830678-433658458-1331793560=:78561"
    Return-Path: reginaalphonsus@yahoo.co.jp
    X-MS-Exchange-Organization-PRD: yahoo.co.jp
    Received-SPF: SoftFail (machine_name: domain of transitioning
     reginaalphonsus@yahoo.co.jp discourages use of 72.30.239.57 as permitted
     sender)
    X-MS-Exchange-Organization-Antispam-Report: v=1.1
     cv=kzIJ7/ay1O7RaBee69d9XFS1toi1ZriF1OYSL7xFy6o= c=1 sm=1 a=KKiOUAaYztQA:10
     a=pgox3mA+Fz7k+OFS5uStPw==:17 a=Oq8SKAJloPN_wkOn8eUA:9 a=QEXdDO2ut3YA:10
     a=hanx3saamfgaY6BT:21 a=T9h0Ffqs2O6cKn7t:21 a=IAzULAb3ZlVv5upL90IA:7
     a=W6hODQ2kCtfxxpqDwEOG8w==:117;OrigIP:72.30.239.57;SCL:0
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
    X-MS-Exchange-Organization-AuthSource: machine_name
    X-MS-Exchange-Organization-AuthAs: Anonymous

    FROM MRS STELLA
    JACOB.

    GREETINGS IN THE NAME OF OUR LORD JESUS CHRIST.I AM MRS STELLA JACOB FROM SIERA
    LEONE, A WIDOW TO LATE JACOB RICHARD AM 55 YEARS OLD,I AM NOW A NEW CHRISTIAN
    CONVERT,SUFFERING FROM LONG TIME CANCER OF THE BREAST,

    FROM ALL INDICATION MY CONDITION IS REALLY DETERIORATING AND IT IS QUITE
    OBVIOUS THAT I WON'T LIVE MORE THAN 2MONTHS,ACCORDING TO MY DOCTORS,THIS IS
    BECAUSE THE CANCER STAGE HAS GOTTEN TO A VERY WORST STAGE.

    MY LATE HUSBAND AND MY ONLY CHILD DIED LAST FIVE YEARS,HIS DEATH WAS POLITICALY
    MOTIVATED.MY LATE HUSBAND WAS A VERY RICH AND WEALTHY BUSINESS MAN WHO WAS
    RUNING HIS GOLD AND DIAMOND BUSINESS IN SIERA LEONE AND AFTER HIS DEATH,I
    INHERITED ALL HIS BUSINESS AND WEALTH.MY DOCTORS HAS ADVISED ME THAT I MAY NOT
    LIVE FOR MORE THAN 2 MONTHS,SO I NOW DECIDED TO DEVIDE THE PART OF THIS WEALTH,
    TO CONTRIBUTE TO THE DEVELOPMENT OF THE CHURCH IN AFRICA,AMERICA,ASIA,AND
    EUROPE.I COLLECTED YOUR EMAIL ADDRESS DURING MY DESPERATE SEARCH ON THE
    INTERNET AND I PRAYED OVER IT.

    I DECIDED TO DONATE THE SUM OF $18.000.000USD( EIGHTEN MILLION UNITED STATES
    DOLLARS) TO THE LESS PRIVILEDGED BECAUSE I CANNOT TAKE THIS MONEY TO THE
    GRAVE.PLEASE I WANT YOU TO NOTE THAT THIS FUND IS LODGED IN A SECURITY COMPANY
    IN PEOPLE REPUBLIC OF BENIN IN WEST AFRICA WHICH IS THE COUNTRY WHERE I AM
    CURRENTLY RECEIVING TREATMENT.

    ONCE I HEAR FROM YOU,I WILL FORWARD TO YOU ALL THE INFORMATIONS YOU WILL USE TO
    GET THIS FUND RELEASED FROM THE SECURITY COMPANY AND TO BE DELIVER TO YOU.I
    HONESTLY PRAY THAT THIS MONEY WHEN TRANSFERRED TO YOU,WILL BE SURE FOR THE SAID
    PURPOSE,BECAUSE I HAVE COME TO FIND OUT THAT WEALTH ACQUISITION WITHOUT CHRIST
    IS VANITY.MAY THE GRACE OF OUR LORD JESUS THE LOVE OF GOD AND THE FELLOWSHIP OF
    GOD BE WITH YOU AND YOUR FAMILY.

    HOPE TO READ FROM YOU SOON

    YOUR BELOVED SISTER IN CHRIST.

    MRS STELLA JACOB.

    Thursday, March 15, 2012 6:24 PM
  • Hi,

    you should give them some time to process your samples. Creating filters is not an easy thing, because it may affect others and so your samples have to be inspected very carefully.

    The only way to get around this until Cloudmark has adjusted their filters is to use keyword filters.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Thursday, March 15, 2012 9:16 PM
  • Hi Christian,

    Thanks for your comments. I agree that manually creating additional filters is not the best solution. The number of spam messages received by users has increased and in most cases they are very different. So creating a keyword rule will not help - it can only give false positives to the other 5000 users.

    I verified logs for 3 different users, and it seems that for them FF rejected spam only based on IP blacklist. All other messages (including spam) were accepted - SCL 0. Content filtering engine updates are OK, microupdates are OK - but spam goes through.

    Regards,

    Pawel

    Saturday, March 17, 2012 3:59 PM
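Added example, not code from the thread or from Microsoft: a small Python triage that unfolds the Exchange headers posted above and reports why the content filter let a message reach the Inbox, covering both Christian's reading of SCL -1 and Pawel's observation of accepted mail at SCL 0. It assumes the Exchange 2010 default SCLJunkThreshold of 4 and treats a Received chain made up only of private IPs as mail that entered through an internal relay hop, as in the first header where ship.ashguardproducts.com shows up on 10.10.128.254.

```python
import ipaddress
import re
JUNK_THRESHOLD = 4  # Exchange 2010 default SCLJunkThreshold (assumed unchanged on this org)
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(10.10.128.254)" inside a Received hop
REPORT_RE = re.compile(r"(?:^|;)(OrigIP|SCL):([^;\s]+)")  # tail of the Antispam-Report value
# Constructed sample: the first header block quoted in the thread, cut down to the fields
# this triage reads (cv=/a= fingerprint tokens and unrelated headers omitted).
SAMPLE = """\
Received: from mail.contoso.com (10.10.0.100) by chsexch1.contoso.com (10.10.0.103)
Received: from ship.ashguardproducts.com (10.10.128.254) by mail.contoso.com (10.10.128.100)
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117;OrigIP:unavailable;SCL:-1
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

def unfold(raw):
    # RFC 5322 unfolding: a line that starts with whitespace continues the previous header.
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name][-1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers

def first_public_hop(headers):
    # Walk Received hops oldest-first; the first non-private IP is where the mail really entered.
    for hop in reversed(headers.get("received", [])):
        for ip in IP_RE.findall(hop):
            if not ipaddress.ip_address(ip).is_private:
                return ip
    return None

def triage(raw):
    # Defender-side explanation of why the content filter let a message reach the Inbox.
    h = unfold(raw)
    report = dict(REPORT_RE.findall(h.get("x-ms-exchange-organization-antispam-report", [""])[0]))
    scl = int(h.get("x-ms-exchange-organization-scl", [report.get("SCL", "0")])[0])
    findings = []
    if scl == -1:
        findings.append("SCL -1: content filter skipped, source treated as trusted/internal")
    elif scl < JUNK_THRESHOLD:
        findings.append(f"SCL {scl}: scored but below junk threshold {JUNK_THRESHOLD}")
    if report.get("OrigIP") == "unavailable":
        findings.append("OrigIP unavailable: anti-spam agents never saw the sending IP")
    if first_public_hop(h) is None:
        findings.append("no public IP in Received chain: mail entered via an internal relay hop")
    return findings
```

Run `triage(SAMPLE)` against a pasted header to get the list of findings; a result that names an internal relay hop together with SCL -1 points at the connector path rather than at the Cloudmark engine.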