Quite obvious spam is passing with very low SCL

  • Question

  • Hello,

    On a new Exchange 2016 environment (one mailbox and one Edge) I'm receiving an abnormal amount of spam.
    This spam is quite obvious, but has a very low SCL (between 0-3 usually) when I look into the header.

    http://i.imgur.com/MDuZp05.png

    Spam agents are all enabled; blocklist providers like Spamhaus (the zen one) and SpamCop have been added.

    It seems most agents are working (attachments like .zip are correctly renamed, mails containing viagra, casino, etc. are not delivered, etc.), but some obvious spam is going into users' mailboxes and they are starting to complain about it.

    What could it be? ContentFiltering not working properly? Something else?
    How can we fix it?

    It's the first time I'm facing this kind of problem.

    Thanks


    Wednesday, June 7, 2017 4:13 PM

All replies

  • Hi.

    I'm used to EOP with rules.

    Create a white domain list; all others go to the Junk folder. Users check the Junk folder and if they find a good email, they forward it to a special mailbox. I add it to the white list and allow list.

    After 3 months you are adding 5-10 domains to the white list every week.

    You can plan your protection.

    Antispam and antimalware protection in Exchange 2016

    Exchange Online Protection's effective rate is 95% by default. After making rules and customizing the filter, 99.9%.


    MCITP, MCSE. Regards, Oleg

    Wednesday, June 7, 2017 6:02 PM
  • My assumption is you're not on a hybrid scenario, right?

    Could you please share headers from some emails?


    Everything that can be automatized, should and must be automatized.

    Wednesday, June 7, 2017 7:59 PM
  • Hi,

    Have you checked whether the messages come from the same domain, specific email address, or IP address?

    Please post the detailed spam message headers as below:

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 8, 2017 9:17 AM
  • Hi.

    Continuing Jason Chao's post.

    When you have copied the headers, go to https://testconnectivity.microsoft.com/ and analyze these headers.

    Analyzing Email Headers in Outlook and OWA

    Email Fundamentals: How to Read Email Message Headers


    MCITP, MCSE. Regards, Oleg

    Thursday, June 8, 2017 3:19 PM
    For EOP you don't need to make a hybrid scenario; it's a half hybrid scenario.

    1. You don't need to create an outgoing connection to EOP (recommended, but not needed).

    2. You don't have email in Office 365; all email is local, on-premises.

    This is one service from Office 365, but you can use it alone without Exchange Online.


    MCITP, MCSE. Regards, Oleg

    Thursday, June 8, 2017 3:26 PM
  • Hi,

    Exactly, we are not in a hybrid scenario.

    We currently have: 1 Exchange 2016 and 1 Exchange 2010 in the LAN (we are migrating), and 1 Exchange 2016 Edge in the DMZ, with an Edge subscription to the Exchange 2016 in the LAN.

    Here are some headers from spam received:

    Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
     (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Mailbox
     Transport; Fri, 9 Jun 2017 09:47:35 +0200
    Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
     (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34; Fri, 9 Jun 2017
     09:47:35 +0200
    Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
     EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend
     Transport; Fri, 9 Jun 2017 09:47:35 +0200
    Received: from 148.cafe.sinet.com.kh (37.58.128.116) by
     EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) with Microsoft SMTP Server id
     15.1.845.34; Fri, 9 Jun 2017 09:46:28 +0200
    From: Jerome Mounier <contact@chicago24hlimousine.com>
    To: "'bourasseau@ch-vire.fr'" <bourasseau@ch-vire.fr>
    Subject: Facture AA-115-RR
    Date: Fri, 9 Jun 2017 14:46:26 +0700
    Message-ID: <000601d2da1a$fd1b5f00$f7521d00$@com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_0007_01D2DA2B.C0A42F00"
    X-Mailer: Microsoft Office Outlook 12.0
    Thread-Index: AdLaGvy60pTwoymeSASBC60AhxmspQ==
    Content-Language: fr
    Return-Path: contact@chicago24hlimousine.com
    X-MS-Exchange-Organization-Network-Message-Id: 19ff0017-123a-48a2-3cf7-08d4af0ba3ba
    X-MS-Exchange-Organization-PRD: chicago24hlimousine.com
    X-MS-Exchange-Organization-SenderIdResult: TempError
    Received-SPF: TempError (EXCHANGE-EDGE.ch-vire.lan: error in processing during
     lookup of contact@chicago24hlimousine.com: DNS timeout)
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
     TempError;OrigIP:37.58.128.116
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Transport-EndToEndLatency: 00:01:07.8963730

    Another one:

    Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
     (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Mailbox
     Transport; Thu, 8 Jun 2017 23:12:33 +0200
    Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
     (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34; Thu, 8 Jun 2017
     23:12:33 +0200
    Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
     EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend
     Transport; Thu, 8 Jun 2017 23:12:33 +0200
    Received: from ouuu.thefhloc.com (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan
     (192.168.249.13) with Microsoft SMTP Server id 15.1.845.34; Thu, 8 Jun 2017
     23:12:08 +0200
    Date: Thu, 8 Jun 2017 16:12:07 -0500
    From: Darlene <s.bourasseau576@thefhloc.com>
    To: <s.bourasseau@ch-vire.fr>
    Subject: Simple Trick to cut Power Bill by 75%
    Message-ID: <201706081612_CECA8980@thefhloc.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="---------=_Part_98059713_501RY9GJ88.F635PG6=_?:__1862125----"
    Return-Path: s.bourasseau576@thefhloc.com
    X-MS-Exchange-Organization-Network-Message-Id: 9e8b3720-d5b5-4408-16b1-08d4aeb3108e
    X-MS-Exchange-Organization-PRD: thefhloc.com
    X-MS-Exchange-Organization-SenderIdResult: None
    Received-SPF: None (EXCHANGE-EDGE.ch-vire.lan: s.bourasseau576@thefhloc.com
     does not designate permitted sender hosts)
    X-MS-Exchange-Organization-SCL: 2
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
     None;OrigIP:37.58.128.116
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:25.6011804

    A third one:

    Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
     (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Mailbox
     Transport; Fri, 9 Jun 2017 00:01:20 +0200
    Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
     (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34; Fri, 9 Jun 2017
     00:01:19 +0200
    Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
     EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend
     Transport; Fri, 9 Jun 2017 00:01:19 +0200
    Received: from mou.mindtcrop.net (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan
     (192.168.249.13) with Microsoft SMTP Server id 15.1.845.34; Fri, 9 Jun 2017
     00:01:07 +0200
    Date: Thu, 8 Jun 2017 17:01:06 -0500
    From: ED_Miracle <Danny@mindtcrop.net>
    To: <s.bourasseau@ch-vire.fr>
    Subject: Miracle Shake Treats Root Cause of Erectile Dysfunction
    Message-ID: <201706081701_CBF782CD@mindtcrop.net>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="---------=_Part_56845243_950TV5ZA79.F069LS7=_?:__1862125----"
    Return-Path: danny@mindtcrop.net
    X-MS-Exchange-Organization-Network-Message-Id: b23646f6-d304-4efb-f033-08d4aeb9ddb0
    X-MS-Exchange-Organization-PRD: mindtcrop.net
    X-MS-Exchange-Organization-SenderIdResult: None
    Received-SPF: None (EXCHANGE-EDGE.ch-vire.lan: Danny@mindtcrop.net does not
     designate permitted sender hosts)
    X-MS-Exchange-Organization-SCL: 4
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
     None;OrigIP:37.58.128.116
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:13.0751022

    Friday, June 9, 2017 8:45 AM
  • I checked the headers and there's not much we can work with. The emails are pretty "legitimate" from a technical standpoint.

    The only thing we can do for cases like spam #1 is to create a rule that would block the email if the header "Received-SPF" includes the word "TempError".


    Everything that can be automatized, should and must be automatized.

    Friday, June 9, 2017 10:58 AM
    It's done, thanks a lot :)

    But for the other spam, do you have a solution?

    For information, here are two things I found disturbing; can you help me understand those?

    First: When I run Get-AntispamTopRBLProviders, nothing is shown, whereas I believe it is supposed to show me my blocklist providers and the amount they blocked; am I right?

    Here's how they are configured:

    IPBlocklistConfig:

    And the second strange thing :

    When I run Get-AntispamTopBlockedSenderIPs, it only gives me the public IP of my MX record for mail and nothing else.


    Is this normal ?

    Thanks


    Friday, June 9, 2017 12:29 PM
    Get-AntispamTopRBLProviders.ps1 is meant to retrieve which RBL blocks the most. Use that chart before removing an RBL. Some RBLs are too strict sometimes, but removing one can cause a lot of spam to actually enter. When a user calls, it's the dilemma of accepting one email versus what the RBL blocks (as per: Exchange Server: How to Diagnose Spam Problem). So we don't have anything, possibly, because we are not getting spam emails from IP addresses blocked on any RBL.

    Which leads me to my final point, and to you solving your own issue with the finding of your IP address after running Get-AntispamTopBlockedSenderIPs.

    Please take a look at the header screenshots:

    You can see that all 3 emails come from the same IP address, which is your MX server, leading to 2 possibilities I can think of: either (1) your MX has been hijacked (not likely), or (2) your MX server is not retaining headers and is treating incoming emails as its own, as coming from it directly. These are speculations, as I'm not proficient with on-premises infrastructures, but something is clearly off with the MX server since we have 3 different domains sending emails from it, and that's what we need to address.

    Another thing, just to be sure: you got the complete headers directly from the end user, right?! You did not have them send the .eml or .msg by email so that you retrieve the headers afterwards, because if you send an email as an attachment over email, some of the headers will get stripped off. The best method is to ask the end user to get the headers as per: Internet message header in Outlook on the Web, OWA and Outlook.com.


    Everything that can be automatized, should and must be automatized.

    Saturday, June 10, 2017 7:41 AM
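The header checks this thread walks through (the hop that handed the message to the Edge, the Received-SPF result, the SCL stamp, and the OrigIP in the Antispam-Report compared across messages) as an added Python example, not code from the thread or from Exchange; SAMPLES is constructed, condensed from the three header sets posted above.

```python
import re
# Constructed samples: the header fields that matter, condensed from the three sets posted in the thread.
SAMPLES = [
"""Received: from 148.cafe.sinet.com.kh (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan (192.168.249.13)
X-MS-Exchange-Organization-PRD: chicago24hlimousine.com
Received-SPF: TempError (EXCHANGE-EDGE.ch-vire.lan: DNS timeout)
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
 TempError;OrigIP:37.58.128.116""",
"""Received: from ouuu.thefhloc.com (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan (192.168.249.13)
X-MS-Exchange-Organization-PRD: thefhloc.com
Received-SPF: None (EXCHANGE-EDGE.ch-vire.lan: does not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
 None;OrigIP:37.58.128.116""",
"""Received: from mou.mindtcrop.net (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan (192.168.249.13)
X-MS-Exchange-Organization-PRD: mindtcrop.net
Received-SPF: None (EXCHANGE-EDGE.ch-vire.lan: does not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
 None;OrigIP:37.58.128.116""",
]

def parse_headers(raw):
    """Unfold RFC 5322 continuation lines and return [(name, value)] in header order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    return [(n.strip().lower(), v.strip())
            for n, _, v in (line.partition(":") for line in unfolded.splitlines())]

def triage(raw):
    """Extract what the thread inspects: the hop that reached the Edge, SPF result, SCL, OrigIP."""
    fields = parse_headers(raw)
    h = dict(fields)                                   # last occurrence wins; fine for these fields
    hops = [v for n, v in fields if n == "received"]   # bottom-most Received = first hop seen
    entry = re.match(r"from (\S+) \((\d+\.\d+\.\d+\.\d+)\)", hops[-1]) if hops else None
    report = dict(kv.split(":", 1) for kv in
                  h.get("x-ms-exchange-organization-antispam-report", "").split(";") if ":" in kv)
    return {"prd": h.get("x-ms-exchange-organization-prd", ""),
            "entry_host": entry.group(1) if entry else "",
            "entry_ip": entry.group(2) if entry else "",
            "spf": h.get("received-spf", "Missing").split(" ", 1)[0],
            "scl": int(h.get("x-ms-exchange-organization-scl", "-1")),
            "orig_ip": report.get("OrigIP", "")}

def shared_origins(raws):
    """OrigIP -> sender domains (PRD) behind it; one IP behind several domains is the thread's finding."""
    seen = {}
    for r in map(triage, raws):
        seen.setdefault(r["orig_ip"], set()).add(r["prd"])
    return {ip: doms for ip, doms in seen.items() if len(doms) > 1}
```

Run `triage` over headers copied from the end user's client and `shared_origins` over a batch of them: an OrigIP that differs from the entry hop's IP, or one IP behind many sender domains, is the kind of inconsistency the replies above point at.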
    Yeah, that seems to be something like this.

    The headers are copied directly from the end user's Outlook; these are the original headers, so it is indeed possible that the MX is not retaining headers.
    How can I correct this?


    Another thing that might help to identify the root cause:

    It appears that certain spam is delivered with a .zip attachment, when normally .zip attachments are supposed to be renamed to .txt.
    This rule works well when I test with my personal address from the internet, so it makes me believe my Edge server is treating this spam like internal email and is not applying all filters.

    Monday, June 12, 2017 12:10 PM
    That might be the case, but I'm afraid I'm not proficient with on-premises infrastructure, so I would not know the actual steps you'll need to take.

    I pointed you in the right direction based upon the empirical behavior but you'll need to check it yourself, I'm afraid.


    Everything that can be automatized, should and must be automatized.

    Monday, June 12, 2017 12:21 PM