Quite obvious spam is passing with very low SCL

Question
-
Hello,
On a new Exchange 2016 environment (one Mailbox server and one Edge server) I'm receiving an abnormal amount of spam.
This spam is quite obvious, but it has a very low SCL (usually between 0 and 3) when I look at the header: http://i.imgur.com/MDuZp05.png
Spam agents are all enabled, and block list providers like Spamhaus (the ZEN list) and SpamCop have been added.
It seems most agents are working (attachments like .zip are correctly renamed, mails containing viagra, casino, etc. are not delivered, etc.), but some obvious spam is reaching users' mailboxes and they are starting to complain about it.
What could it be? Content filtering not working properly? Something else?
How can we fix it? It's the first time I'm facing this kind of problem.
Thanks
- Edited by Pierre Chevallier Wednesday, June 7, 2017 4:13 PM
Wednesday, June 7, 2017 4:13 PM
All replies
-
Hi.
I'm used to EOP with rules.
Create a whitelist of domains and send everything else to the Junk folder. Users check the Junk folder and, if they find a good email, forward it to a special mailbox. I then add the domain to the whitelist and the allow list.
After 3 months you are adding 5-10 domains to the whitelist every week.
You can plan your protection.
Antispam and antimalware protection in Exchange 2016
Exchange Online Protection's effective rate is 95% by default. After making rules and customizing filters, 99.9%.
MCITP, MCSE. Regards, Oleg
- Edited by Oleg.Kovalenko Thursday, June 8, 2017 3:14 PM
Wednesday, June 7, 2017 6:02 PM -
My assumption is that you're not in a hybrid scenario, right?
Could you please share the headers from some of the emails?
Everything that can be automatized, should and must be automatized.
Wednesday, June 7, 2017 7:59 PM -
Hi,
Have you checked whether the messages come from the same domain, a specific email address, or the same IP address?
Please post the detailed spam message header as shown below:
Hope it helps.
Regards,
Jason Chao
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Thursday, June 8, 2017 9:17 AM -
Hi.
Continuing Jason Chao's post.
When you have copied the headers, go to https://testconnectivity.microsoft.com/ and analyze the headers there.
Analyzing Email Headers in Outlook and OWA
Email Fundamentals: How to Read Email Message Headers
MCITP, MCSE. Regards, Oleg
Thursday, June 8, 2017 3:19 PM -
For EOP you don't need to set up a hybrid scenario; it's a half-hybrid scenario.
1. You don't need to create an outgoing connector to EOP (recommended, but not needed).
2. You don't have email in Office 365; all email stays locally on-premises.
This is one of the services from Office 365, but you can use it on its own without Exchange Online.
MCITP, MCSE. Regards, Oleg
- Edited by Oleg.Kovalenko Thursday, June 8, 2017 3:27 PM
Thursday, June 8, 2017 3:26 PM -
Hi,
Exactly, we are not in a hybrid scenario.
We currently have 1 Exchange 2016 and 1 Exchange 2010 in the LAN (we are in migration), and 1 Exchange 2016 Edge in the DMZ, with an Edge Subscription to the Exchange 2016 in the LAN.
Here are some headers from spam received:

Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
 (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Mailbox Transport; Fri, 9 Jun 2017 09:47:35 +0200
Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
 (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34; Fri, 9 Jun 2017 09:47:35 +0200
Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
 EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend Transport; Fri, 9 Jun 2017 09:47:35 +0200
Received: from 148.cafe.sinet.com.kh (37.58.128.116) by
 EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) with Microsoft SMTP Server id
 15.1.845.34; Fri, 9 Jun 2017 09:46:28 +0200
From: Jerome Mounier <contact@chicago24hlimousine.com>
To: "'bourasseau@ch-vire.fr'" <bourasseau@ch-vire.fr>
Subject: Facture AA-115-RR
Date: Fri, 9 Jun 2017 14:46:26 +0700
Message-ID: <000601d2da1a$fd1b5f00$f7521d00$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0007_01D2DA2B.C0A42F00"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdLaGvy60pTwoymeSASBC60AhxmspQ==
Content-Language: fr
Return-Path: contact@chicago24hlimousine.com
X-MS-Exchange-Organization-Network-Message-Id: 19ff0017-123a-48a2-3cf7-08d4af0ba3ba
X-MS-Exchange-Organization-PRD: chicago24hlimousine.com
X-MS-Exchange-Organization-SenderIdResult: TempError
Received-SPF: TempError (EXCHANGE-EDGE.ch-vire.lan: error in processing during
 lookup of contact@chicago24hlimousine.com: DNS timeout)
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID: SenderIDStatus TempError;OrigIP:37.58.128.116
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:01:07.8963730

Another one:

Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
 (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Mailbox Transport; Thu, 8 Jun 2017 23:12:33 +0200
Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
 (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34; Thu, 8 Jun 2017 23:12:33 +0200
Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
 EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend Transport; Thu, 8 Jun 2017 23:12:33 +0200
Received: from ouuu.thefhloc.com (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan
 (192.168.249.13) with Microsoft SMTP Server id 15.1.845.34; Thu, 8 Jun 2017
 23:12:08 +0200
Date: Thu, 8 Jun 2017 16:12:07 -0500
From: Darlene <s.bourasseau576@thefhloc.com>
To: <s.bourasseau@ch-vire.fr>
Subject: Simple Trick to cut Power Bill by 75%
Message-ID: <201706081612_CECA8980@thefhloc.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="---------=_Part_98059713_501RY9GJ88.F635PG6=_? :__1862125----"
Return-Path: s.bourasseau576@thefhloc.com
X-MS-Exchange-Organization-Network-Message-Id: 9e8b3720-d5b5-4408-16b1-08d4aeb3108e
X-MS-Exchange-Organization-PRD: thefhloc.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (EXCHANGE-EDGE.ch-vire.lan: s.bourasseau576@thefhloc.com
 does not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID: SenderIDStatus None;OrigIP:37.58.128.116
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:25.6011804

A third one:

Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
 (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Mailbox Transport; Fri, 9 Jun 2017 00:01:20 +0200
Received: from EXCHANGE.ch-vire.lan (10.0.0.205) by EXCHANGE.ch-vire.lan
 (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34; Fri, 9 Jun 2017 00:01:19 +0200
Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
 EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend Transport; Fri, 9 Jun 2017 00:01:19 +0200
Received: from mou.mindtcrop.net (37.58.128.116) by EXCHANGE-EDGE.ch-vire.lan
 (192.168.249.13) with Microsoft SMTP Server id 15.1.845.34; Fri, 9 Jun 2017
 00:01:07 +0200
Date: Thu, 8 Jun 2017 17:01:06 -0500
From: ED_Miracle <Danny@mindtcrop.net>
To: <s.bourasseau@ch-vire.fr>
Subject: Miracle Shake Treats Root Cause of Erectile Dysfunction
Message-ID: <201706081701_CBF782CD@mindtcrop.net>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="---------=_Part_56845243_950TV5ZA79.F069LS7=_? :__1862125----"
Return-Path: danny@mindtcrop.net
X-MS-Exchange-Organization-Network-Message-Id: b23646f6-d304-4efb-f033-08d4aeb9ddb0
X-MS-Exchange-Organization-PRD: mindtcrop.net
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (EXCHANGE-EDGE.ch-vire.lan: Danny@mindtcrop.net does not
 designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID: SenderIDStatus None;OrigIP:37.58.128.116
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:13.0751022

Friday, June 9, 2017 8:45 AM -
I checked the headers and there's not much we can work with. The emails are pretty "legitimate" from a technical standpoint.
The only thing we can do for cases like spam #1 is to create a rule that blocks the email if the "Received-SPF" header includes the word "TempError".
Everything that can be automatized, should and must be automatized.
Friday, June 9, 2017 10:58 AM -
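One way to put the rule suggested above in place from the Exchange Management Shell, followed by the two checks a defender would run next. This is an added example, not code from the thread or from Microsoft: the rule name, its comment, and the decision to raise the SCL rather than delete are my own, and the TXT lookup at the end uses the sender domain from the first posted header purely as a sample.

```powershell
# Added example, not from the thread. Exchange Management Shell (Windows PowerShell).

# 1. The transport rule proposed above. Setting SCL 9 sends the message to Junk
#    instead of deleting it, so a legitimate sender whose SPF lookup merely timed out
#    can still be recovered by the user.
New-TransportRule -Name "SPF TempError to Junk" `
    -HeaderContainsMessageHeader "Received-SPF" `
    -HeaderContainsWords "TempError" `
    -SetSCL 9 `
    -Comments "Added for the June 2017 spam wave; review once the cause of the DNS timeouts is known"

# 2. The Sender ID agent on the Edge can act on TempError itself. The default,
#    StampStatus, only writes the header seen in the thread. Reject would refuse the
#    message at SMTP time, for every sender whose lookup times out, not only spammers.
Get-SenderIdConfig | Format-List Enabled, ExternalMailEnabled, TempErrorAction, SpoofedDomainAction
# Set-SenderIdConfig -TempErrorAction Reject    # deliberately left commented out

# 3. Why is SPF timing out at all? Sender ID and the IP block list providers both
#    resolve through the transport service's DNS settings, so a timeout here would also
#    leave Spamhaus/SpamCop lookups unanswered, which is consistent with an empty
#    Get-AntispamTopRBLProviders report.
Get-TransportService -Identity $env:COMPUTERNAME |
    Format-List ExternalDNSAdapterEnabled, ExternalDNSServers, InternalDNSServers

# Sample SPF lookup for the first spam's sender domain (domain taken from the thread).
# Resolve-DnsName uses the Windows resolver, not necessarily the servers listed above.
Resolve-DnsName -Name chicago24hlimousine.com -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -match '^v=spf1' } |
    Select-Object Name, Strings
```

The rule is created on the Mailbox server; it still sees the Received-SPF header because the Edge stamps it before the message is relayed inward, as the posted headers show.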
It's done, thanks a lot :)
But for the other spam, do you have a solution?
For information, here are two things I found disturbing; can you help me understand them?
First: when I run Get-AntispamTopRBLProviders, nothing is shown, whereas I believe it is supposed to show me my block list providers and the amount they blocked. Am I right?
Here's how they are configured:
IPBlocklistconfig:
And the second strange thing:
When I run Get-AntispamTopBlockedSenderIPs, it shows me the public IP of my MX record for mail and nothing else.
Is this normal?
Thanks
- Edited by Pierre Chevallier Friday, June 9, 2017 12:32 PM
Friday, June 9, 2017 12:29 PM -
Get-AntispamTopRBLProviders.ps1 is meant to retrieve which RBL blocks the most. Use that chart before removing an RBL. Some RBLs are too strict sometimes, but removing one can cause a lot of spam to actually enter. When a user calls, it's the dilemma of accepting one email versus what the RBL blocks, as per: Exchange Server: How to Diagnose Spam Problem. So we don't have anything, possibly because we are not getting spam emails from IP addresses blocked on any RBL.
Which leads me to my final point, and to you solving your own issue with the finding of your IP address after running Get-AntispamTopBlockedSenderIPs.
Please take a look at the header screenshots:
You can see that all 3 emails come from the same IP address, which is your MX server, leading to 2 possibilities I can think of: either (1) your MX has been hijacked (not likely), or (2) your MX server is not retaining headers and is treating incoming emails as its own, as coming from it directly. These are speculations, as I'm not proficient with on-premises infrastructures, but something is clearly off with the MX server since we have 3 different domains sending emails from it, and that's what we need to address.
Another thing, just to be sure: you got the complete headers directly from the end user, right? You did not have them send the .eml or .msg by email so that you could retrieve the headers afterwards, because if you send an email as an attachment over email, some of the headers will get stripped off. The best method is to ask the end user to get the headers as per: Internet message header in Outlook on the Web, OWA and Outlook.com.
Everything that can be automatized, should and must be automatized.
Saturday, June 10, 2017 7:41 AM -
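To make the comparison asked for above repeatable, here is an added PowerShell snippet (my own, not code from the thread) that unfolds a pasted header block, extracts the hop that entered the Edge server, the OrigIP stamped in X-MS-Exchange-Organization-Antispam-Report, the SCL and the SPF/Sender ID verdicts, and reports whether the ingress IP and the IP the anti-spam agents evaluated agree. The embedded sample is the first header posted in this thread, re-folded; the junk threshold of 4 is the Exchange default and an assumption about this organization.

```powershell
# Added example, not from the thread: triage one pasted header block.
# $sample is the first spam header posted above, re-folded as RFC 5322 continuation
# lines (a line starting with whitespace continues the previous header).
$sample = @'
Received: from EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) by
 EXCHANGE.ch-vire.lan (10.0.0.205) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.845.34 via Frontend Transport; Fri, 9 Jun 2017 09:47:35 +0200
Received: from 148.cafe.sinet.com.kh (37.58.128.116) by
 EXCHANGE-EDGE.ch-vire.lan (192.168.249.13) with Microsoft SMTP Server id
 15.1.845.34; Fri, 9 Jun 2017 09:46:28 +0200
From: Jerome Mounier <contact@chicago24hlimousine.com>
Subject: Facture AA-115-RR
X-MS-Exchange-Organization-SenderIdResult: TempError
Received-SPF: TempError (EXCHANGE-EDGE.ch-vire.lan: error in processing during
 lookup of contact@chicago24hlimousine.com: DNS timeout)
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID: SenderIDStatus TempError;OrigIP:37.58.128.116
X-MS-Exchange-Organization-AuthSource: EXCHANGE-EDGE.ch-vire.lan
X-MS-Exchange-Organization-AuthAs: Anonymous
'@

function ConvertFrom-HeaderBlock {
    param([string]$Raw)
    # Unfold continuation lines, then split into Name/Value pairs, keeping order.
    $unfolded = [regex]::Replace($Raw, "`r?`n[ \t]+", ' ')
    $headers = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([\w-]+):\s*(.*)$') {
            $headers += [pscustomobject]@{ Name = $matches[1]; Value = $matches[2] }
        }
    }
    return $headers
}

function Get-SpamTriage {
    param([string]$Raw, [int]$JunkThreshold = 4)   # 4 = Exchange default SCLJunkThreshold (assumption)
    $h = ConvertFrom-HeaderBlock -Raw $Raw
    $value = { param($name) ($h | Where-Object { $_.Name -eq $name } | Select-Object -Last 1).Value }
    $ipRx = '(\d{1,3}(?:\.\d{1,3}){3})'

    # Received headers are prepended at each hop, so the LAST one is the oldest:
    # the connection that reached the Edge from the internet.
    $ingress     = & $value 'Received'
    $ingressHost = if ($ingress -match 'from\s+(\S+)') { $matches[1] } else { $null }
    $ingressIp   = if ($ingress -match "from\s+\S+\s+\($ipRx\)") { $matches[1] } else { $null }

    # OrigIP is the address the anti-spam agents actually evaluated.
    $report = & $value 'X-MS-Exchange-Organization-Antispam-Report'
    $origIp = if ($report -match "OrigIP:$ipRx") { $matches[1] } else { $null }

    $scl = [int](& $value 'X-MS-Exchange-Organization-SCL')
    [pscustomobject]@{
        IngressHost        = $ingressHost
        IngressIp          = $ingressIp
        AntispamOrigIp     = $origIp
        AgentsSawIngressIp = ([bool]$ingressIp -and ($ingressIp -eq $origIp))
        SCL                = $scl
        StaysInInbox       = ($scl -le $JunkThreshold)
        SenderId           = & $value 'X-MS-Exchange-Organization-SenderIdResult'
        SpfResult          = ((& $value 'Received-SPF') -split '\s+')[0]
        AuthAs             = & $value 'X-MS-Exchange-Organization-AuthAs'
    }
}

Get-SpamTriage -Raw $sample | Format-List
```

For the sample, IngressIp and AntispamOrigIp are both 37.58.128.116 and AgentsSawIngressIp is True: the Edge evaluated the address of the host that connected to it, and the message stayed in the Inbox because SCL 0 is below the junk threshold. Run the same function over the other two headers, and over a message from a known-good external sender, and compare the IngressIp column with the MX's public address before deciding which of the two possibilities above applies.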
Yeah, that seems to be something like this.
The headers are copied and pasted directly from the end user's Outlook; these are the original headers, so it is effectively possible that the MX is not retaining headers.
How can I correct this?
Another thing that might help to identify the root cause:
It appears that certain spam is delivered with .zip attachments, when normally .zip attachments are supposed to be renamed to .txt.
This rule works well when I test it with my personal address from the internet, so it makes me believe my Edge server is treating this spam like internal e-mail and is not applying all the filters.
Monday, June 12, 2017 12:10 PM -
That might be the case, but I'm afraid I'm not proficient with on-premises infrastructure, so I would not know the actual steps you'll need to take.
I pointed you in the right direction based upon the empirical behavior, but you'll need to check it yourself, I'm afraid.
Everything that can be automatized, should and must be automatized.
Monday, June 12, 2017 12:21 PM
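The thread ends without the on-premises steps. As an added example (mine, not from the thread or from Microsoft), the script below audits the Edge settings that produce the three symptoms reported above: an empty Get-AntispamTopRBLProviders report, obvious spam with a low SCL, and .zip attachments that escape the attachment filter. It runs in the Exchange Management Shell on the Edge server. The value of $mxPublicIp is a placeholder to fill in; the DNS probe against 127.0.0.2 relies on the DNSBL convention that operators keep that address permanently listed, and Test-IPBlockListProvider is Exchange's built-in equivalent of that probe.

```powershell
# Added example, not from the thread. Exchange Management Shell on the Edge server.
$mxPublicIp = '203.0.113.10'   # placeholder (documentation range); use the MX's real public address
$findings = @()

# a) Connection filtering: agent enabled for external mail, and each provider answering.
#    DNSBL operators keep 127.0.0.2 permanently listed, so a lookup of 2.0.0.127.<zone>
#    must return an address in 127.0.0.0/8 if DNS to that provider works at all.
$blc = Get-IPBlockListProvidersConfig
if (-not ($blc.Enabled -and $blc.ExternalMailEnabled)) {
    $findings += 'IP block list providers are not enabled for external mail'
}
$reversed = ('127.0.0.2'.Split('.')[3..0]) -join '.'
foreach ($p in Get-IPBlockListProvider) {
    if (-not $p.Enabled) { $findings += "Provider '$($p.Name)' is disabled"; continue }
    try {
        # Resolve-DnsName uses the Windows resolver; the transport service may use other servers.
        $answer = Resolve-DnsName -Name "$reversed.$($p.LookupDomain)" -Type A -ErrorAction Stop
        if (-not ($answer | Where-Object { $_.IPAddress -like '127.*' })) {
            $findings += "Provider '$($p.Name)' did not list 127.0.0.2; lookups against $($p.LookupDomain) are not working"
        }
    } catch {
        $findings += "Provider '$($p.Name)': DNS query to $($p.LookupDomain) failed ($($_.Exception.Message))"
    }
}

# b) Hosts the anti-spam agents skip as internal. Sender ID and connection filtering
#    ignore addresses on this list when locating the originating IP, so only your own
#    servers and trusted upstream relays belong here.
$internal = @((Get-TransportConfig).InternalSMTPServers | ForEach-Object { "$_" })
if ($internal -contains $mxPublicIp) {
    $findings += "InternalSMTPServers contains the MX public address $mxPublicIp"
}

# c) Content filter: enabled for external mail, acting on some SCL, no bypassed domains.
$cf = Get-ContentFilterConfig
if (-not ($cf.Enabled -and $cf.ExternalMailEnabled)) {
    $findings += 'Content filter is not enabled for external mail'
}
if ($cf.BypassedSenderDomains.Count -gt 0) {
    $findings += "Content filter bypasses sender domains: $($cf.BypassedSenderDomains -join ', ')"
}
if (-not ($cf.SCLRejectEnabled -or $cf.SCLQuarantineEnabled -or $cf.SCLDeleteEnabled)) {
    $findings += 'Content filter takes no action on any SCL; everything is left to the mailbox junk threshold'
}

# d) Attachment filter: connectors listed here are exempt from attachment filtering.
$af = Get-AttachmentFilterListConfig
if ($af.ExceptionConnectors.Count -gt 0) {
    $findings += "Attachment filter is bypassed on connectors: $($af.ExceptionConnectors -join ', ')"
}

# e) What the agents logged for the originating IP seen in all three posted headers.
Get-AgentLog -StartDate (Get-Date).AddDays(-2) |
    Where-Object { $_.IPAddress -eq '37.58.128.116' } |
    Select-Object Timestamp, Agent, Action, Reason, ReasonData |
    Format-Table -AutoSize

if ($findings.Count -eq 0) { 'No obvious misconfiguration found; check the DNS and agent log output above.' }
else { $findings }
```

The mailbox-side junk threshold is not visible from the Edge, which is not domain-joined; check it on the Mailbox server with `Get-OrganizationConfig | Format-List SCLJunkThreshold` (default 4, meaning a message with SCL 4, like the third header above, is still delivered to the Inbox).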