Exchange Server 2003: non-domain email sending Spam msgs through Exchange IP to External IP

    Question

  • My mail external IP is now blocked because of some strange spam. I cannot find the PC\IP\user sending those messages because there is no internal IP or internal ID in the message header. The only internal IP I can see is my Exchange server.

     

    Please help

    • Edited by Maen Abbasi, February 2, 2012 14:53
    February 2, 2012 14:25

Answers

  • Hello Maen Abbasi,

     => In an E2K3 server you can enable the IMF for spam

    Global Setting --> message delivery properties -->

    Connection filtering --> we set connection filtering rule

    Spamhaus

    zen.spamhaus.org

    Sender filtering --> we check Archive filtered messages

    Filter messages with blank sender

    Accept messages without notifying sender of filtering

    Intelligent Message Filtering --> We set 7, Archive and 6

    Recipient Filtering --> Filter recipient who are not in directory was checked

    => Default SMTP virtual server -->properties -->

    General --> Advanced --> Edit --> we check all except Apply sender ID filter

    => Done all the settings on Global setting and Default SMTP server

    => Clear all the spam from the queue

    => Stop the SMTP service & rename the Mailroot folder to mailroot.old

    => Checked the queue

    => Ran iisreset

    In the Event Viewer, look for Event ID 1708. It will give you information about the affected users.

    If you find any user or machine, scan those PCs and, if possible, reset the password for that account.

    Do this; it will fix your issue.

     


    EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT


    • Edited by PKT_, February 9, 2012 1:47. Mistake done by me
    • Proposed as answer by PKT_, February 9, 2012 1:47
    • Marked as answer by Evan Liu (Microsoft community contributor, Moderator), February 12, 2012 8:42
    February 9, 2012 1:46
  • To begin with I would go to one of these sites, enter my public IP there and see which RBLs are listing the IP.
    http://www.mxtoolbox.com/blacklists.aspx
    http://www.robtex.com/
    http://www.dnsbl.info/

    Follow the RBL provider links that give you an explanation of why you are listed. This can help you distinguish between a mis-configuration problem (open relay) and an internal infection.

    If it turns out to be an infected machine you will of course have to make sure AV is properly installed and updated on all machines.

    It will also be helpful to see which machines are connecting to your Exchange server. A network sniffer can be very helpful:
    http://exchangeinbox.com/article.aspx?i=128

     


    IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
    February 3, 2012 8:31
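
Added example, not part of the original post: the blacklist lookup sites listed above perform a DNS query of the reversed IP against the list's zone, and for zen.spamhaus.org the answer code separates an infection-type listing (XBL) from a spam-source or policy listing. The return-code meanings follow Spamhaus's published ZEN codes; the stand-in resolver and the 192.0.2.10 address are constructed so the block runs offline.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # the list named in the connection-filter answer

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def explain(answer):
    """Map one A-record answer from ZEN to the sub-list it stands for."""
    if answer.startswith("127.255.255."):
        # Not a listing: the query itself was refused (for example when it
        # arrives through a public resolver or exceeds the query limit).
        return "error: query refused, result says nothing about the IP"
    if not answer.startswith("127.0.0."):
        return "unknown return code"
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3, 9):
        return "SBL: address is a known spam source"
    if 4 <= last <= 7:
        return "XBL: exploited or infected host behind this address"
    if last in (10, 11):
        return "PBL: address range not expected to send mail directly"
    return "unknown return code"

def system_resolve(name):
    """Resolve via the OS resolver; a failed lookup is read as 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check(ip, resolve=system_resolve, zone=ZONE):
    """Return {answer: meaning}; an empty dict means the IP is not listed."""
    return {a: explain(a) for a in resolve(dnsbl_name(ip, zone))}

# Constructed sample: a stand-in resolver so the example runs offline.
# 192.0.2.10 is a documentation address, not a real mail server.
def sample_resolve(name):
    table = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"]}
    return table.get(name, [])

if __name__ == "__main__":
    for answer, meaning in check("192.0.2.10", sample_resolve).items():
        print(answer, "->", meaning)
```

Call `check()` with the server's public IP and no `resolve` argument to query the live zone; an XBL answer points toward an infected internal machine rather than a relay misconfiguration.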

All replies

  • You should test to see if your server is an open relay; if it is, you should fix it.

    I would start by testing your server using an online tool like this one.

    Open Relay Test

    Also, how do you know it was blocked because of spam? It can be blocked for many other reasons.



    MCTS - Gold Certification

    February 8, 2012 4:53