Mail Spamming from Exchange 2013 server

    Question

  • Hi All,

    I am having a serious issue with mail spamming from my Exchange server. The scenario: I have 2 Exchange 2013 multirole servers, Server A (CAS/Mailbox) and Server B (CAS/Mailbox), and most of the remote users use POP3 accounts.

    The problem arose when I created a relay Frontend connector for POP3 users and received complaints that users were not able to send email to outside domains and got an "unable to relay" error message. I gave anonymous users permission on the receive connector but the problem still persisted. I used the ADSIEDIT utility and, in the Exchange protocol, gave authenticated users permission to send email to any domain.

    After restarting the transport service I found that the Exchange server was generating spam to external domains, which caused a high volume of email to get stuck in the queue. I checked the spam email in detail and found the proxy outbound Frontend and outbound proxy of the Hub connector on Server A were generating spam with the source Server B address. I shut down Server B and disabled both outbound proxy connectors on Server A, which stopped the spam.

    Can someone guide me on what the root cause of this problem is and why spam was being generated on the Exchange server.

    Regards,

    Thanks in Advance.

    Monday, February 20, 2017 5:15 AM
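A triage run for the situation described in the question above, as an added example that is not part of the original post: it is run in the Exchange Management Shell on one of the multirole servers and shows which queues are backing up, what is in them, and which connector and client address accepted the mail. The server name, the accepted domain contoso.com, the 10.* internal range and the time window are assumptions. One detail worth knowing when reading the tracking log: when a Frontend Transport connector on another Exchange server proxies a session to the Transport service, the RECEIVE event's ClientIp is that Exchange server, not the outside host; OriginalClientIp carries the real submitting address.

```powershell
# Added example, not from the thread. Server name, accepted domain, internal range and window are assumptions.
$Server   = "ServerA"
$Domain   = "contoso.com"      # your accepted domain (assumed)
$Internal = "10.*"             # your internal address range (assumed)
$Since    = (Get-Date).AddHours(-12)

# 1. Which queues are stuck? Relay abuse shows up as many queues to external NextHopDomains in Retry.
Get-Queue -Server $Server | Where-Object { $_.MessageCount -gt 0 } |
    Sort-Object MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError -AutoSize

# 2. Look at what is actually queued: sender, recipients and where the transport service got it from.
Get-Queue -Server $Server | Where-Object { $_.MessageCount -gt 0 } | ForEach-Object {
    Get-Message -Queue $_.Identity -ResultSize 5
} | Format-Table FromAddress, SourceIP, Subject, Recipients -AutoSize

# 3. RECEIVE events from SMTP sessions. ClientIp is the host that handed the message to this
#    transport service; when a Frontend connector on the other server proxied the session, that
#    is the other Exchange server. OriginalClientIp is the real submitting host.
$recv = Get-MessageTrackingLog -Server $Server -EventId RECEIVE -Start $Since -ResultSize Unlimited |
    Where-Object { $_.Source -eq "SMTP" }

$recv | Group-Object ConnectorId, OriginalClientIp |
    Sort-Object Count -Descending | Select-Object Count, Name -First 15

# 4. Spoofed internal senders: your own domain in MAIL FROM, arriving from an outside address.
$recv | Where-Object { $_.Sender -like "*@$Domain" -and $_.OriginalClientIp -notlike $Internal } |
    Group-Object Sender, OriginalClientIp |
    Sort-Object Count -Descending | Select-Object Count, Name -First 15

# 5. While fixing the connectors, stop the backlog from leaving: freeze the external delivery queues.
Get-Queue -Server $Server |
    Where-Object { $_.MessageCount -gt 0 -and $_.DeliveryType -eq "DnsConnectorDelivery" } |
    Suspend-Queue -Confirm:$false

# 6. Once confirmed as spam, purge it without generating NDRs (these would be backscatter to the
#    forged senders). Uncomment after reviewing step 2 and 4.
# Get-Message -Server $Server -Filter "FromAddress -like '*@$Domain'" -ResultSize Unlimited |
#     Remove-Message -WithNDR $false -Confirm:$false
```

Step 3 is the one that answers "why does the spam appear to come from Server B": grouping on OriginalClientIp instead of ClientIp separates the proxying Exchange server from the hosts that were actually allowed to relay through it.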

All replies

  • You shouldn't have made that relay connector, or you should have locked it down to specific IP addresses that can use it with the SourceIPRanges parameter.

    What you should do, in my opinion, is remove the relay connector and instruct your POP and IMAP users to configure their clients to send using port 587 with authentication.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, February 21, 2017 1:03 AM
    Moderator
  • Hi,

    The emails should be spoofed emails sent from your own domain but not by your email server. Please run the command below to remove the extended right ms-Exch-SMTP-Accept-Any-Sender from the receive connector and check the results:

    Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    You can also refer to the following article for detailed steps to prevent spoofed emails:

    Block spoofed email - Part 1 | Exchange 2010 - 2016

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information, and the changes made in the above blog are not supported officially by Microsoft.

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 21, 2017 3:13 AM
    Moderator
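The advice in the two replies above (scope the relay connector to known source addresses; point POP/IMAP clients at authenticated submission on 587; strip the "accept any sender" right from anonymous sessions on the internet-facing connector) expressed as Exchange Management Shell commands. This is an added example, not code from either reply. The server, connector and address range names are assumptions. The parameter that scopes a receive connector to listed client addresses is RemoteIPRanges. The audit in step 1 also lists ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, the right that lets a session use a sender address in one of your accepted domains, because Exchange grants it to Anonymous Logon on the Default Frontend connector and it is relevant to the same spoofing question; test the result with a spoofed MAIL FROM from an outside host rather than assuming.

```powershell
# Added example, not from the thread. Server, connector and address range names are assumptions.
$Server   = "ServerA"
$Relay    = "$Server\Relay POP3 Clients"          # the relay frontend connector from the question (name assumed)
$Internet = "$Server\Default Frontend $Server"    # internet-facing connector on port 25
$AllowedRelayHosts = "10.20.30.0/24", "10.20.30.200"  # hosts that genuinely need unauthenticated relay (assumed)

# 1. Audit: who may reach each connector, and which sender/recipient rights Anonymous holds on it.
Get-ReceiveConnector -Server $Server |
    Format-Table Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism -AutoSize

$rights = foreach ($rc in Get-ReceiveConnector -Server $Server) {
    Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -match "ms-Exch-SMTP-Accept-Any|Authoritative-Domain-Sender" } |
        Select-Object @{n="Connector";e={$rc.Name}}, ExtendedRights, Deny
}
$rights | Format-Table -AutoSize

# 2. Scope the relay connector. Connector selection is by RemoteIPRanges (most specific match wins),
#    so a client outside these ranges lands on the Default Frontend connector and never gets
#    this connector's anonymous relay right.
Set-ReceiveConnector -Identity $Relay -RemoteIPRanges $AllowedRelayHosts

# 3. Anonymous must not hold Accept-Any-Recipient (open relay) on any other connector.
foreach ($rc in Get-ReceiveConnector -Server $Server | Where-Object { "$($_.Identity)" -ne $Relay }) {
    Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and -not $_.Deny } |
        Remove-ADPermission -Confirm:$false
}

# 4. The spoof fix from the reply above: anonymous sessions on the internet connector may no longer
#    present arbitrary sender addresses.
Get-ADPermission -Identity $Internet -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender" -and -not $_.Deny } |
    Remove-ADPermission -Confirm:$false

# 5. Authenticated submission for POP/IMAP users stays on the Client Frontend connector (587, TLS + auth).
Get-ReceiveConnector "$Server\Client Frontend $Server" |
    Format-List Bindings, AuthMechanism, PermissionGroups, RequireTLS

# 6. Verify from a host that is NOT in $AllowedRelayHosts. Both must now be rejected
#    (Send-MailMessage throws; the SMTP response is in the exception text).
# Send-MailMessage -SmtpServer mail.contoso.com -From ceo@contoso.com -To victim@example.net -Subject relay-test -Body x
# Send-MailMessage -SmtpServer mail.contoso.com -From ceo@contoso.com -To user@contoso.com -Subject spoof-test -Body x
```

One caveat before running step 4: it also rejects legitimate outside services that send as your domain (marketing or ticketing platforms). Give those their own receive connector scoped by RemoteIPRanges rather than loosening the internet connector again.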
  • Thanks for your reply,

    Yes, POP users are locked with specific IP of source range to access their emails.

    Please guide me on which receive connector name I should type in the cmdlet highlighted in bold.

    Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    Regards,



    • Edited by Lucky-Hamu Tuesday, February 21, 2017 5:17 AM
    Tuesday, February 21, 2017 5:15 AM
  • Thanks for your response.

    In general, it's the default receive connector.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 21, 2017 6:05 AM
    Moderator
  • Thanks for your quick response. I have a concern: will it not impact any user and only stop the spam?

    Please guide.

    Tuesday, February 21, 2017 6:14 AM
  • It won't affect any user. It blocks the 'users' who use your domain to send messages.

    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 21, 2017 6:37 AM
    Moderator
  • Thanks for your quick response. I will try this cmdlet and inform you of the result.
    Tuesday, February 21, 2017 6:57 AM
  • Thanks, I will be waiting for your results.

    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 22, 2017 3:10 AM
    Moderator
  • Hello Jason,

    Sorry for the delayed response. I didn't execute the cmdlet but opened the Default (Hub Transport) receive connector and, in the security settings, unchecked "Exchange users" to stop the spam, and it worked. But I am facing a new issue: when I started Server B, the remote session and ping response stopped on Server A.

    I tested and verified everything on the network but couldn't find the root cause of why the Server A session is disconnected when I start Server B.

    Please guide.

    Thanks

    Wednesday, February 22, 2017 5:28 AM
  • Thanks for your response and glad to hear it worked.

    For your new issue, please check that the services and server components are in the correct state with the following command:

    Get-ServerComponentState

    It's recommended to use Microsoft Network Monitor 3.4 (archive) to analyze the network.

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 24, 2017 9:28 AM
    Moderator
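A health check built around the cmdlet suggested above, as an added example that is not part of the reply: it walks both DAG members and reports only what is wrong (inactive server components together with who set them inactive, required services that are not running, and failed replication checks). Server names are assumptions. The point a practitioner wants here is that a HubTransport or FrontendTransport component left Inactive, for instance by maintenance mode or after the shutdown described earlier in this thread, stops mail flow silently while every service still shows as running.

```powershell
# Added example, not from the thread. Server names are assumptions; run in the Exchange Management Shell.
$Servers = "ServerA", "ServerB"

foreach ($s in $Servers) {
    # Components that are not Active, with the requester(s) that set the state
    # (e.g. "Maintenance", "HealthAPI", "Functional"). An Inactive HubTransport stops mail flow.
    Get-ServerComponentState -Identity $s |
        Where-Object { $_.State -ne "Active" } |
        ForEach-Object {
            $requesters = @($_.LocalStates) + @($_.RemoteStates) |
                ForEach-Object { $_.Requester } | Sort-Object -Unique
            [pscustomobject]@{
                Server     = $s
                Component  = $_.Component
                State      = $_.State
                Requesters = $requesters -join ","
            }
        }

    # Required Exchange services that are not running for each installed role
    Test-ServiceHealth -Server $s |
        Where-Object { -not $_.RequiredServicesRunning } |
        Select-Object @{n="Server";e={$s}}, Role, ServicesNotRunning

    # DAG plumbing: cluster service, replication network, database copy and log-copier checks
    Test-ReplicationHealth -Identity $s |
        Where-Object { $_.Result -ne "Passed" } |
        Select-Object Server, Check, Result, Error
}
```

Empty output means everything is Active, running and Passed. If a component shows Inactive with requester "Maintenance", it was put there deliberately and is restored with Set-ServerComponentState -Identity ServerB -Component HubTransport -Requester Maintenance -State Active; if the requester is "HealthAPI", Managed Availability took it offline and the underlying probe failure is what needs fixing.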
  • Hi Jason,

    Thanks for your update, I will share the result with you once I run the tool in the environment.

    Regards,

    Monday, February 27, 2017 5:48 AM
  • Hi Jason,

    There was a problem with the network drivers on Server B which prevented the Exchange server from running properly.

    Finally we removed Server B from the DAG, deleted the database copies and installed Exchange again with the name Server C.

    I have a query: how could I install a self-signed certificate that adds the new server name to the cert, for internal users with the local URI and the external URI for Outlook Anywhere?

    Please guide whether this could be accomplished with Group Policy, as I don't want to manually install the certificate on computers.

    Wednesday, March 1, 2017 10:06 AM
  • Obtain and install a third-party certificate from a provider whose root certificate is trusted by your clients. That's the main reason that third-party certificates are recommended for Exchange. Using the self-signed certificate can be a lot of work, especially with mobile devices.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, March 2, 2017 5:22 PM
    Moderator
  • Hello Ed,

    Thanks for your reply. Due to some internal issues we are unable to purchase a third-party certificate, and the other problem is that management has strictly ordered that we don't install the self-signed certificate on every computer and instead try to push it through Group Policy.

    Kindly guide whether it would be possible to install a new self-signed certificate with the Server C name and the internal and external Outlook URIs.

    Thanks.

    Friday, March 3, 2017 5:32 AM
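What the post above asks for, as an added example that is not from the thread or from Microsoft: create a self-signed certificate on Server C that carries every name Outlook Anywhere and Autodiscover use as Subject Alternative Names, bind it to IIS and SMTP, export only the public certificate, and publish that once through Group Policy into the computers' Trusted Root store. Host names, the share path and the server name are assumptions. The caveat from the earlier reply still applies: the GPO reaches domain-joined Windows machines only; home PCs, phones and any non-domain client will still see an untrusted certificate.

```powershell
# Added example, not from the thread. Host names, share path and server name are assumptions.
# Run in the Exchange Management Shell on Server C (step 4 reads the local certificate store).
$Server = "ServerC"
$Names  = "mail.contoso.com", "autodiscover.contoso.com", "serverc.contoso.local"

# 1. Every name clients are told to connect to must appear in the SAN list above.
Get-OutlookAnywhere -Server $Server | Format-List InternalHostname, ExternalHostname
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri

# 2. Create the self-signed certificate; the subject is the first public name, all names are SANs.
$cert = New-ExchangeCertificate -Server $Server -SubjectName "CN=$($Names[0])" -DomainName $Names `
    -FriendlyName "Exchange $Server (self-signed)" -PrivateKeyExportable $true

# 3. Bind it to IIS (Outlook Anywhere, EWS, OAB, Autodiscover) and SMTP. -Force skips the overwrite prompt.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 4. Export the public part only (DER .cer, no private key) to a share every domain computer can read.
$cerPath = "\\contoso.local\NETLOGON\certs\$Server.cer"
$x509    = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
[System.IO.File]::WriteAllBytes(
    $cerPath,
    $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 5. Publish once via Group Policy instead of per machine: in a GPO linked to the workstation OU,
#    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
#    > Trusted Root Certification Authorities > Import > $cerPath.
#    A self-signed certificate is its own root, which is why it goes into Trusted Root.

# 6. On a client after "gpupdate /force", the thumbprint must be present in the machine Root store:
#    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq "<thumbprint from step 2>" }
#    and on the server, confirm the names and bindings that clients will actually see:
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter
```

Because step 4 never exports the private key, the file on the share is safe to publish; only the .cer lands on clients. Rotating the certificate later means repeating steps 2 to 5 and, ideally, leaving the old one in the GPO until every client has picked up the new one.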
  • Thanks for your response.

    I found you've asked the same question in the thread below:

    https://social.technet.microsoft.com/Forums/office/en-US/f3a238b5-9585-47ea-b0ce-c6ecf724296f/exchange-2013-self-sign-certificate?forum=exchangesvrclients

    Please refer to the information in the thread. Thanks.

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, March 4, 2017 6:16 AM
    Moderator