Trace spam email

  • Question

  • Hi all,

    Currently have an issue with a customer who has a number of spam emails sat in their Outbound Queue.  Can't see anything obvious so far and at a guess think it's possibly a user's account that's the cause.  The following is what I believe to be one of the emails.  It shows the sender is blank...


    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,0,10.61.168.26:25,10.61.168.13:50871,+,,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,1,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,2,10.61.168.26:25,10.61.168.13:50871,>,220 mail.DOMAIN.com,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,3,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,4,10.61.168.26:25,10.61.168.13:50871,>,250-HUBTRANSPORTSERVER.DOMAIN.Local Hello [10.61.168.13],

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,5,10.61.168.26:25,10.61.168.13:50871,>,250-SIZE,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,6,10.61.168.26:25,10.61.168.13:50871,>,250-PIPELINING,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,7,10.61.168.26:25,10.61.168.13:50871,>,250-DSN,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,8,10.61.168.26:25,10.61.168.13:50871,>,250-ENHANCEDSTATUSCODES,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,9,10.61.168.26:25,10.61.168.13:50871,>,250-STARTTLS,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,10,10.61.168.26:25,10.61.168.13:50871,>,250-X-ANONYMOUSTLS,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,11,10.61.168.26:25,10.61.168.13:50871,>,250-AUTH NTLM,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,12,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXPS GSSAPI NTLM,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,13,10.61.168.26:25,10.61.168.13:50871,>,250-8BITMIME,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,14,10.61.168.26:25,10.61.168.13:50871,>,250-BINARYMIME,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,15,10.61.168.26:25,10.61.168.13:50871,>,250-CHUNKING,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,16,10.61.168.26:25,10.61.168.13:50871,>,250-XEXCH50,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,17,10.61.168.26:25,10.61.168.13:50871,>,250 XRDST,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,18,10.61.168.26:25,10.61.168.13:50871,<,X-ANONYMOUSTLS,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,19,10.61.168.26:25,10.61.168.13:50871,>,220 2.0.0 SMTP server ready,

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,20,10.61.168.26:25,10.61.168.13:50871,*,,Sending certificate

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,21,10.61.168.26:25,10.61.168.13:50871,*,CN=HUBTRANSPORTSERVER,Certificate subject

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,22,10.61.168.26:25,10.61.168.13:50871,*,CN=HUBTRANSPORTSERVER,Certificate issuer name

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,23,10.61.168.26:25,10.61.168.13:50871,*,54BEC86E600CBE864957FEE2DB44C020,Certificate serial number

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,24,10.61.168.26:25,10.61.168.13:50871,*,E8C6690B277DC4A3E16BF7CED42183E0DAE5A3B3,Certificate thumbprint

    2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,25,10.61.168.26:25,10.61.168.13:50871,*,HUBTRANSPORTSERVER;HUBTRANSPORTSERVER.DOMAIN.Local,Certificate alternate names

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,26,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,27,10.61.168.26:25,10.61.168.13:50871,>,250-HUBTRANSPORTSERVER.DOMAIN.Local Hello [10.61.168.13],

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,28,10.61.168.26:25,10.61.168.13:50871,>,250-SIZE,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,29,10.61.168.26:25,10.61.168.13:50871,>,250-PIPELINING,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,30,10.61.168.26:25,10.61.168.13:50871,>,250-DSN,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,31,10.61.168.26:25,10.61.168.13:50871,>,250-ENHANCEDSTATUSCODES,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,32,10.61.168.26:25,10.61.168.13:50871,>,250-AUTH NTLM,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,33,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXPS EXCHANGEAUTH GSSAPI NTLM,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,34,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXCHANGEAUTH SHA256,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,35,10.61.168.26:25,10.61.168.13:50871,>,250-8BITMIME,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,36,10.61.168.26:25,10.61.168.13:50871,>,250-BINARYMIME,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,37,10.61.168.26:25,10.61.168.13:50871,>,250-CHUNKING,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,38,10.61.168.26:25,10.61.168.13:50871,>,250-XEXCH50,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,39,10.61.168.26:25,10.61.168.13:50871,>,250 XRDST,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,40,10.61.168.26:25,10.61.168.13:50871,<,X-EXPS EXCHANGEAUTH,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,41,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs,Set Session Permissions

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,42,10.61.168.26:25,10.61.168.13:50871,*,DOMAIN\MAILBOXSERVER$,authenticated

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,43,10.61.168.26:25,10.61.168.13:50871,>,235 <authentication response>,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,44,10.61.168.26:25,10.61.168.13:50871,<,MAIL FROM:<> SIZE=8031,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,45,10.61.168.26:25,10.61.168.13:50871,*,08CDD9CB292563F4;2011-05-14T23:52:54.505Z;1,receiving message

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,46,10.61.168.26:25,10.61.168.13:50871,>,250 2.1.0 Sender OK,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,47,10.61.168.26:25,10.61.168.13:50871,<,RCPT TO:<hgecay@clinicaltrials.gov>,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,48,10.61.168.26:25,10.61.168.13:50871,>,250 2.1.5 Recipient OK,

    2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,49,10.61.168.26:25,10.61.168.13:50871,<,BDAT 8031 LAST,

    2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,50,10.61.168.26:25,10.61.168.13:50871,>,250 2.6.0 <b9f64658-210a-4c47-a0ae-c03407241052> Queued mail for delivery,

    2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,51,10.61.168.26:25,10.61.168.13:50871,<,QUIT,

    2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,52,10.61.168.26:25,10.61.168.13:50871,>,221 2.0.0 Service closing transmission channel,

    2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,53,10.61.168.26:25,10.61.168.13:50871,-,,Local

    The Default Receive Connector permission groups are set to allow everyone to connect which seems typical when comparing it to other clients (Apart from "Partners").

    Is there any other way of figuring out where these emails are coming from?  I'm not even sure if these could be NDR spam?

    Monday, May 16, 2011 2:34 PM
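The log quoted in the question is an Exchange 2007/2010 SMTP receive protocol log (columns: date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context). As an added example, mine and not part of the post, here is a Python reader that groups such a log by session-id, picks out every session that submitted a MAIL FROM:<> (null sender) message, and reports the remote endpoint, the account that authenticated, the permissions the connector granted and the recipients. The first session is trimmed from the question's own log; the second session, from 203.0.113.45, is constructed for contrast. On the quoted session it shows why this log cannot answer the question on its own: the client authenticated as the computer account DOMAIN\MAILBOXSERVER$ and received SendAs and BypassAntiSpam, which is another Exchange server relaying, so this server can only say the message came from 10.61.168.13.

```python
import csv
from collections import defaultdict

# Column layout of the Exchange 2007/2010 SMTP receive protocol log.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Session 08CDD9CB292563F4 is trimmed from the log quoted in the question.
# Session 08CDD9CB292563F9 is constructed: an anonymous Internet host
# submitting ordinary mail, included for contrast.
SAMPLE_LOG = r"""2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,0,10.61.168.26:25,10.61.168.13:50871,+,,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,1,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,41,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs,Set Session Permissions
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,42,10.61.168.26:25,10.61.168.13:50871,*,DOMAIN\MAILBOXSERVER$,authenticated
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,44,10.61.168.26:25,10.61.168.13:50871,<,MAIL FROM:<> SIZE=8031,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,47,10.61.168.26:25,10.61.168.13:50871,<,RCPT TO:<hgecay@clinicaltrials.gov>,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,50,10.61.168.26:25,10.61.168.13:50871,>,250 2.6.0 <b9f64658-210a-4c47-a0ae-c03407241052> Queued mail for delivery,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,53,10.61.168.26:25,10.61.168.13:50871,-,,Local
2011-05-14T23:58:10.112Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F9,0,10.61.168.26:25,203.0.113.45:41022,+,,
2011-05-14T23:58:10.112Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F9,1,10.61.168.26:25,203.0.113.45:41022,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-05-14T23:58:10.301Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F9,3,10.61.168.26:25,203.0.113.45:41022,<,MAIL FROM:<bob@example.net> SIZE=2210,
2011-05-14T23:58:10.355Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F9,4,10.61.168.26:25,203.0.113.45:41022,<,RCPT TO:<alice@DOMAIN.com>,
2011-05-14T23:58:10.901Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F9,5,10.61.168.26:25,203.0.113.45:41022,>,250 2.6.0 <1c9d0f7e-5e1b-4e02-9c7a-0a1b2c3d4e5f> Queued mail for delivery,
2011-05-14T23:58:10.950Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F9,6,10.61.168.26:25,203.0.113.45:41022,-,,Remote
"""


def parse_sessions(text):
    """Group protocol-log rows by session-id, keeping log order."""
    sessions = defaultdict(list)
    lines = (l for l in text.splitlines() if l and not l.startswith("#"))
    for row in csv.reader(lines):
        row += [""] * (len(FIELDS) - len(row))      # tolerate short rows
        rec = dict(zip(FIELDS, row))
        sessions[rec["session-id"]].append(rec)
    return sessions


def summarize(rows):
    """Pull the forensic facts out of one session: who connected, how they
    authenticated, which permissions were granted and what they submitted."""
    s = {"session-id": rows[0]["session-id"], "local": rows[0]["local-endpoint"],
         "remote": rows[0]["remote-endpoint"], "authenticated-as": None,
         "permissions": [], "mail-from": None, "recipients": [], "queued-id": None}
    for r in rows:
        ev, data, ctx = r["event"], r["data"], r["context"]
        if ev == "*" and ctx == "Set Session Permissions":
            s["permissions"] = data.split()           # re-issued after a successful auth
        elif ev == "*" and ctx == "authenticated":
            s["authenticated-as"] = data
        elif ev == "<" and data.upper().startswith("MAIL FROM:"):
            s["mail-from"] = data.split(":", 1)[1].split()[0]   # "<>" for a null sender
        elif ev == "<" and data.upper().startswith("RCPT TO:"):
            s["recipients"].append(data.split(":", 1)[1].split()[0].strip("<>"))
        elif ev == ">" and "Queued mail for delivery" in data:
            s["queued-id"] = data.split("<", 1)[1].split(">", 1)[0]
    return s


def classify(summary):
    """Where to look next. A computer account ($) granted SendAs is another
    Exchange server relaying, so this log can only name that server."""
    who = summary["authenticated-as"]
    if who is None:
        return "anonymous"
    if who.endswith("$") and "SendAs" in summary["permissions"]:
        return "exchange-server"
    return "authenticated-user"


def null_sender_sessions(text):
    """Sessions that submitted a null-sender (MAIL FROM:<>) message, the
    envelope that NDRs and other bounces use."""
    out = []
    for rows in parse_sessions(text).values():
        s = summarize(rows)
        if s["mail-from"] == "<>":
            s["origin"] = classify(s)
            s["next-hop-host"] = s["remote"].rsplit(":", 1)[0]
            out.append(s)
    return out


if __name__ == "__main__":
    for s in null_sender_sessions(SAMPLE_LOG):
        print(f'{s["session-id"]}: null sender from {s["remote"]} '
              f'({s["origin"]}, auth={s["authenticated-as"]}) to {s["recipients"]}; '
              f'continue on the logs of {s["next-hop-host"]}')
```

To use it on a real server, feed it the files from the receive protocol log directory (by default TransportRoles\Logs\ProtocolLog\SmtpReceive under the Exchange installation path; the reader skips the # header lines those files carry). Two caveats: the log only exists for connectors whose ProtocolLoggingLevel is Verbose, so check that on the Mailbox/HT server before expecting to find the session there, and a message that entered through the store driver (an Outlook MAPI client) never appears in any SMTP receive log at all.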

Answers

All replies

  • If the sender is blank it is probably NDR spam. Do you have recipient validation enabled? If not, then you should do, as it will stop NDR spam in its tracks.

    http://exchange.sembee.info/2007/hub/filter-unknown.asp

    Simon.


    Simon Butler, Exchange MVP
    • Marked as answer by emma.yoyo Monday, May 23, 2011 1:32 AM
    Monday, May 16, 2011 9:21 PM
  • On Mon, 16 May 2011 14:34:02 +0000, Andrew J Palmer wrote:

    >
    >
    >Hi all,
    >
    >Currently have an issue with a customer who has a number of spam emails sat in their Outbound Queue. Can't see anything obvious so far and at a guess think it's possibly a user's account that's the cause. The following is what I believe to be one of the emails. It shows the sender is blank...

    It's an NDR. Do you have recipient filtering enabled? Do you refuse to
    accept e-mail with SMTP addresses that don't exist in your AD forest?

    The fact that the local and remote IP addresses are both in the same
    private network is suspicious. Is it your intention to accept SMTP
    e-mail from 10.61.168.13? Are both of those machines Exchange HT
    servers?

    [ snip ]

    >The Default Receive Connector permission groups are set to allow everyone to connect which seems typical when comparing it to other clients (Apart from "Partners").
    >
    >Is there any other way of figuring out where these emails are coming from? I'm not even sure if these could be NDR spam?

    It would help to know which IP address belongs to what machine. If
    they're both HT servers then you need the log files from the one
    that's sending the messages. Don't forget the message tracking logs
    and the "SUBMIT" event. If the message originates from a MAPI/RPC
    client there won't be anything in the SMTP log file for the
    submission.

    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    • Marked as answer by emma.yoyo Monday, May 23, 2011 1:32 AM
    • Unmarked as answer by Andrew J Palmer Monday, May 23, 2011 9:41 AM
    Tuesday, May 17, 2011 1:59 AM
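The message tracking log Rich points at is where a null-sender trail actually ends, because an Exchange-generated bounce is recorded there with source DSN and its reference field names the message that triggered it. As an added example, mine and not from the thread, the script below parses a tracking log using its #Fields header (the layout the real files use) and, for every message whose return-path is <>, walks back from the DSN row to the original message: the external client IP that delivered it, the forged sender, the non-existent local recipient and the FAIL status. The four log rows are constructed with a cut-down column list; the column names, the DSN source and the RESOLVER.ADR.RecipNotFound status are real Exchange values, the addresses, message IDs and timestamps are made up. The last function states the remedy both answers give: an NDR whose original failed with RecipNotFound can only exist because the server accepted mail for an unknown recipient and bounced it afterwards, and recipient validation makes the Recipient Filter agent reject that recipient at RCPT TO instead.

```python
import csv
from collections import defaultdict

# Constructed sample. Real message tracking logs carry more columns; the
# parser takes the column list from the #Fields line, so a subset is fine.
SAMPLE_TRACKING_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,source,event-id,message-id,recipient-address,recipient-status,reference,sender-address,return-path,message-subject
2011-05-14T23:52:50.101Z,203.0.113.45,SMTP,RECEIVE,<4f2c1b@mail.example.net>,nobody.here@DOMAIN.com,,,hgecay@clinicaltrials.gov,hgecay@clinicaltrials.gov,Cheap meds
2011-05-14T23:52:52.230Z,,ROUTING,FAIL,<4f2c1b@mail.example.net>,nobody.here@DOMAIN.com,550 5.1.1 RESOLVER.ADR.RecipNotFound; not found,,hgecay@clinicaltrials.gov,hgecay@clinicaltrials.gov,Cheap meds
2011-05-14T23:52:54.400Z,10.61.168.13,DSN,RECEIVE,<ndr-7d1e@MAILBOXSERVER.DOMAIN.Local>,hgecay@clinicaltrials.gov,,<4f2c1b@mail.example.net>,postmaster@DOMAIN.com,<>,Undeliverable: Cheap meds
2011-05-14T23:55:01.000Z,10.61.168.13,STOREDRIVER,SUBMIT,<ab12@MAILBOXSERVER.DOMAIN.Local>,partner@example.org,,,alice@DOMAIN.com,alice@DOMAIN.com,Q2 figures
"""


def read_tracking_log(text):
    """Parse a message tracking log into dicts keyed by the names in #Fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            if fields is None:
                raise ValueError("data row before #Fields header")
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def by_message_id(rows):
    """All events for each message, in log order."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["message-id"]].append(r)
    return groups


def explain_null_senders(rows):
    """For every message sent with an empty envelope sender, say where it came
    from. A row with source DSN is a bounce Exchange generated itself; its
    reference field holds the message-id of the message that caused it."""
    groups = by_message_id(rows)
    out = {}
    for mid, events in groups.items():
        if not any(e["return-path"] == "<>" for e in events):
            continue
        dsn = next((e for e in events if e["source"] == "DSN"), None)
        if dsn is None:
            # Null sender but not a DSN: submitted by a mailbox (store driver) or
            # received over SMTP; the client-ip says which host to look at next.
            kind = "mailbox-submit" if any(e["event-id"] == "SUBMIT" for e in events) else "other"
            out[mid] = {"kind": kind, "client-ip": events[0]["client-ip"]}
            continue
        orig = groups.get(dsn["reference"], [])
        recv = next((e for e in orig if e["event-id"] == "RECEIVE"), None)
        fail = next((e for e in orig if e["event-id"] == "FAIL"), None)
        out[mid] = {
            "kind": "backscatter-ndr",
            "bounce-to": dsn["recipient-address"],              # the forged sender
            "original-message-id": dsn["reference"],
            "original-client-ip": recv["client-ip"] if recv else None,
            "original-recipient": fail["recipient-address"] if fail else None,
            "failure": fail["recipient-status"] if fail else None,
        }
    return out


def recipient_validation_would_prevent(info):
    """An unknown-recipient NDR never exists if RCPT TO is rejected up front."""
    return info["kind"] == "backscatter-ndr" and "RecipNotFound" in (info["failure"] or "")


if __name__ == "__main__":
    for mid, info in explain_null_senders(read_tracking_log(SAMPLE_TRACKING_LOG)).items():
        fix = " (prevented by recipient validation)" if recipient_validation_would_prevent(info) else ""
        print(mid, info, fix)
```

On a live server the same walk is what Get-MessageTrackingLog does for you; reading the files directly is useful when the queue is full of thousands of these and you want to tally original client IPs and forged senders. Note which host wrote the DSN row: in the question's topology that is the Mailbox/HT server 10.61.168.13, which is why the internet-facing HT server only ever sees an authenticated relay from it.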
  • Thanks Sembee.  I'll take a look at this.

    Rich, 10.61.168.13 is an Exchange with the Mailbox, CAS and HT roles.  10.61.168.26 is an Exchange with just the HT role.  Email transactions to the outside world will be done by 10.61.168.26.  I'll take a look at the first suggestion and continue investigation should this issue persist.


    Tuesday, May 17, 2011 8:01 AM
  • Sembee's response resolved this issue for me.

    Thanks.

    Monday, May 23, 2011 9:42 AM