the built-in anti-spam

    Question

  • Does the built-in anti-spam of Exchange 2013 work only for incoming emails?

    Today I found lots of spam coming from internal users going out. Because I have a gateway anti-spam, they can't get out. But why doesn't Exchange delete them?

    Sunday, June 26, 2016 12:09 PM

Answers

  • Hi Reno,

    Anti-spam only scans incoming emails originating from the internet over unauthenticated connections by default. Thus this won't affect any users sending outbound emails or anyone accessing emails over authenticated connections.

    For your question, you can open the message header of one problematic message, then check whether the value of 5322.From (real send address) matches 5321.MailFrom (disguise address). Also, we can use the message tracking log or protocol log to check the IP address to find the root cause.
    More details about the message tracking log and protocol log, for your reference:
    https://technet.microsoft.com/en-us/library/aa997984(v=exchg.141).aspx
    https://technet.microsoft.com/en-us/library/aa997624%28v=exchg.150%29.aspx


    Allen Wang
    TechNet Community Support

    Monday, June 27, 2016 3:05 AM
    Moderator

All replies

  • Does the built-in anti-spam of Exchange 2013 work only for incoming emails?

    Today I found lots of spam coming from internal users going out. Because I have a gateway anti-spam, they can't get out. But why doesn't Exchange delete them?

    Why are internal users sending SPAM? Anti-spam measures typically only check inbound unauthenticated messages. Messages from authenticated users are considered safe for the most part.

    Sunday, June 26, 2016 12:30 PM
  • Correct. But it happened.
    Wednesday, June 29, 2016 6:27 AM
  • Hi Allen,

    I am unable to find the source IP as the servers are behind a load balancer. So what I did was bypass the load balancer for everyone and wait. When the spam count increased again, I finally found the source IP from the message header alone.

    Now everything is back to normal but I'm not going back to using a load balancer. It's more a nuisance than a help.

    Regards,

    Rino

    Wednesday, June 29, 2016 6:30 AM
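
The header check suggested in Allen Wang's answer and the source-IP lookup Rino describes, as an added example that is not part of the original thread. It assumes the raw header has been saved as text; the sample header, hosts, addresses and the `analyse_header` name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header; every host, address and IP here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from EX01.corp.example (10.0.0.21) by EX02.corp.example (10.0.0.22)
 with Microsoft SMTP Server id 15.0.1130.7; Sun, 26 Jun 2016 11:58:03 +0800
Received: from WKS-117 (10.0.5.117) by EX01.corp.example (10.0.0.21)
 with Microsoft SMTP Server id 15.0.1130.7; Sun, 26 Jun 2016 11:58:02 +0800
From: "Accounts" <alice@corp.example>
To: someone@example.org
Subject: constructed sample

body
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def analyse_header(raw):
    """Compare envelope and header senders and list the client IP of each hop."""
    msg = message_from_string(raw)
    # Return-Path is where the delivering server records 5321.MailFrom.
    mail_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()

    hops = []
    for received in msg.get_all("Received", []):
        unfolded = " ".join(received.split())
        # Only the "from ..." clause names the connecting client; the text
        # after " by " describes the receiving server and its version string.
        from_clause = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
        match = IPV4.search(from_clause)
        hops.append(match.group(0) if match else None)
    hops.reverse()  # headers are prepended, so reversed order is oldest first

    return {
        "mail_from": mail_from,
        "header_from": header_from,
        # A mismatch is a lead, not proof: legitimate bulk mail differs too.
        "mismatch": mail_from != header_from,
        "hops": hops,
        "origin_ip": next((ip for ip in hops if ip), None),
    }


if __name__ == "__main__":
    for key, value in analyse_header(SAMPLE).items():
        print(f"{key}: {value}")
```

Only Received lines written by servers you control can be trusted. When a load balancer rewrites the source address, the earliest hop shows the balancer rather than the client.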