Exchange Server 2013 Sending Spam

    Question

  • Hello,

    I recently found that one of the Exchange servers (running 2013) I manage is sending SPAM emails. At this time, port 25 is open in the firewall and is pointed directly at my Exchange server (that's right, no spam filter in the middle).

    The server has recently been generating the event "External Aggregate Delivery Queue Length (All External Queues) is high".

    When I checked the queue, it looks like my server is sending emails to people outside my organization. At the time of checking, emails like these on my server are around 300+.

    As a temporary fix, I installed the Anti-Spam Agents on my Exchange Server:

    C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\install-AntispamAgents.ps1

    and added my printers to the internal SMTP addresses for the spam agents to ignore, then I cleared out the queue by issuing "Get-Message | Remove-Message". After a few hours, it looks like the issue is still there.

    Any ideas?


    For God, and Country.

    Saturday, November 18, 2017 11:25 PM

All replies

  • Hi,

    From the screenshot we can see that the from address is <>, what’s the message type? DSN or not?

    You might have an open relay.  Check the configuration of your receive connectors.

    Get-ReceiveConnector | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | fl identity, user, extendedrights

    It’s recommended to check the message tracking log to see which source server or IP is originating these messages.

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, November 20, 2017 7:23 AM
    Moderator
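Jason's one-liner dumps the raw ACEs. The script below is an added example (not from the thread, nor Microsoft's code) that turns the same data into a per-connector verdict: it checks specifically for ms-Exch-SMTP-Accept-Any-Recipient, the extended right that lets an anonymous client relay to outside recipients, and weighs it against the connector's RemoteIPRanges; ms-Exch-SMTP-Accept-Any-Sender is reported separately because it governs sender spoofing, not relay.

```powershell
# Added example, not from the thread: read-only audit of every receive connector for
# the anonymous extended rights that matter here, plus the remote IP ranges each
# connector accepts from. Run in the Exchange Management Shell.

# Real Exchange extended-right names:
#   ms-Exch-SMTP-Accept-Any-Recipient  anonymous clients may relay to external recipients
#   ms-Exch-SMTP-Accept-Any-Sender     anonymous clients may use any MAIL FROM (spoofing)
$anyRecipient = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anySender    = 'ms-Exch-SMTP-Accept-Any-Sender'

function Test-BroadRange {
    # A connector scoped to all of IPv4 is reachable by anyone who can hit the port,
    # e.g. when the firewall forwards 25 straight to the server as in this thread.
    param([string]$Range)
    return ($Range -eq '0.0.0.0-255.255.255.255' -or $Range -eq '0.0.0.0/0')
}

$report = foreach ($rc in Get-ReceiveConnector) {
    # Allow ACEs for ANONYMOUS LOGON, flattened to plain right-name strings
    $anonRights = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" }

    $canRelay = $anonRights -contains $anyRecipient
    $anySend  = $anonRights -contains $anySender
    $broad    = @($rc.RemoteIPRanges | Where-Object { Test-BroadRange "$_" }).Count -gt 0
    $verdict  = if ($canRelay -and $broad) { 'REVIEW: anonymous relay reachable from any IP' }
                elseif ($canRelay)        { 'Anonymous relay, limited by RemoteIPRanges' }
                else                      { 'No anonymous relay right' }

    [pscustomobject]@{
        Connector        = "$($rc.Identity)"
        Role             = "$($rc.TransportRole)"
        Bindings         = ($rc.Bindings -join ', ')
        AnonymousUsers   = ("$($rc.PermissionGroups)" -match 'AnonymousUsers')
        AnonAnyRecipient = $canRelay
        AnonAnySender    = $anySend
        RemoteIPRanges   = ($rc.RemoteIPRanges -join ', ')
        Verdict          = $verdict
    }
}

$report | Sort-Object Verdict -Descending | Format-List
```

A connector that shows AnonAnyRecipient as True together with a whole-IPv4 range is the open-relay case Jason describes; one limited to a printer's address is the usual scoped relay.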
  • Hi

    Perhaps you should create a separate connector for your printer, and if it supports a secure port then use 587. Perhaps also enable authentication with a valid user account.

    Remember, you need to ensure your Exchange server doesn't get blacklisted if it is just sending out spam. Lock down your firewall to only accept from your Exchange servers and not anything else.


    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, November 21, 2017 12:04 PM
    Moderator
  • Hi Jason,

    Here are my results for the PowerShell command. What am I looking for?

    Identity       : MY-SERVER01\Default MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

    Identity       : MY-SERVER01\Default MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Create-Public-Folder}

    Identity       : MY-SERVER01\Default MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Default MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Client Proxy MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

    Identity       : MY-SERVER01\Client Proxy MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Create-Public-Folder}

    Identity       : MY-SERVER01\Client Proxy MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Client Proxy MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-SMTP-Submit}

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Accept-Headers-Routing}

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Create-Public-Folder}

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Default Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Outbound Proxy Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

    Identity       : MY-SERVER01\Outbound Proxy Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Create-Public-Folder}

    Identity       : MY-SERVER01\Outbound Proxy Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Outbound Proxy Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Client Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

    Identity       : MY-SERVER01\Client Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Create-Public-Folder}

    Identity       : MY-SERVER01\Client Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Client Frontend MY-SERVER01
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-SMTP-Submit}

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Accept-Headers-Routing}

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights : {ms-Exch-Create-Public-Folder}

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :

    Identity       : MY-SERVER01\Relay Connector
    User           : NT AUTHORITY\ANONYMOUS LOGON
    ExtendedRights :


    For God, and Country.

    Thursday, November 23, 2017 5:32 AM
  • @Jason,

    I had a receive connector named "Relay Connector" that accepts anonymous access with no authentication required. The internal IP of my Exchange server was in that relay connector; I removed all but one, which belongs to an HP printer.

    Also, I tried sending a test email from an address outside the org to my work email. But I fail to see the public IP showing up in there, so I'm having a problem tracing where the spam emails are coming from.

    NOTE: slim@itfellas.com and mywork@email.com are not real; I just replaced them.

    [PS] C:\Windows\system32>Get-MessageTrackingLog -Start "11/23/2017 00:20" -End "11/23/2017 1:34" | Where-Object {$_.MessageSubject -eq "hi" -and $_.Sender -eq "slim@itfellas.com"} | FL EventID, Source, Sender, Recipients, MessageSubject, ServerIP, ClientIP


    EventId        : DELIVER
    Source         : STOREDRIVER
    Sender         : slim@itfellas.com
    Recipients     : {mywork@email.com}
    MessageSubject : hi
    ServerIp       :
    ClientIp       :

    EventId        : HAREDIRECTFAIL
    Source         : SMTP
    Sender         : slim@itfellas.com
    Recipients     : {mywork@email.com}
    MessageSubject : hi
    ServerIp       :
    ClientIp       :

    EventId        : RECEIVE
    Source         : SMTP
    Sender         : slim@itfellas.com
    Recipients     : {mywork@email.com}
    MessageSubject : hi
    ServerIp       : 192.168.1.10
    ClientIp       : 192.168.1.10

    EventId        : AGENTINFO
    Source         : AGENT
    Sender         : slim@itfellas.com
    Recipients     : {mywork@email.com}
    MessageSubject : hi
    ServerIp       :
    ClientIp       :

    EventId        : SEND
    Source         : SMTP
    Sender         : slim@itfellas.com
    Recipients     : {mywork@email.com}
    MessageSubject : hi
    ServerIp       : 192.168.1.10
    ClientIp       : 192.168.1.10


    For God, and Country.

    Thursday, November 23, 2017 7:39 AM
  • Thanks for your response.

    From the relay connector permissions, it seems fine.

    Do you know the IP address 192.168.1.10? Please scan the server to see if there are any unknown add-ins.

    Thanks.


    Regards,

    Jason Chao



    Friday, November 24, 2017 8:21 AM
    Moderator
  • That is the internal IP of my exchange server.

    For God, and Country.

    Friday, November 24, 2017 9:49 PM
  • Thanks for your response.

    It seems that the server submits the messages itself.

    As I've mentioned above, make sure there's no unknown software or add-ins.

    Could you please show me all the details with the command "Get-Queue <> | fl"? I want to know the message type of the queued messages.

    We can also enable the sender spoofing check with the below command and check the results:

    Get-ReceiveConnector | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    Hope it helps.


    Regards,

    Jason Chao



    Tuesday, November 28, 2017 7:36 AM
    Moderator
  • RunspaceId                       : 9e33544b-8a05-4d9c-a60a-1e91660d90d0
    DeliveryType                     : DnsConnectorDelivery
    NextHopDomain                    : goose-parka-sale.top
    TlsDomain                        :
    NextHopConnector                 : d33970b3-e41d-468d-9cac-2c1250999a77
    Status                           : Retry
    MessageCount                     : 1
    LastError                        : [{LRT=11/30/2017 2:19:12 AM};{LED=441 4.4.1 Error encountered while communicating with primary target IP address: "Failed to connect. Winsock error code: 10060, Win32 error code: 10060." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 116.196.99.154:25};{FQDN=goose-parka-sale.top};{IP=116.196.99.154}]
    RetryCount                       : 4
    LastRetryTime                    : 11/30/2017 2:19:12 AM
    NextRetryTime                    : 11/30/2017 2:24:33 AM
    DeferredMessageCount             : 0
    LockedMessageCount               : 0
    MessageCountsPerPriority         : {0, 0, 0, 0}
    DeferredMessageCountsPerPriority : {0, 1, 0, 0}
    RiskLevel                        : Normal
    OutboundIPPool                   : 0
    NextHopCategory                  : External
    IncomingRate                     : 0
    OutgoingRate                     : 0
    Velocity                         : 0
    QueueIdentity                    : APAA-DC01\6002
    PriorityDescriptions             : {High, Normal, Low, None}
    Identity                         : APAA-DC01\6002
    IsValid                          : True
    ObjectState                      : New

    For God, and Country.

    Thursday, November 30, 2017 8:27 AM
  • Thanks for your information.

    We can see that the "delivery type" is DSN connector delivery, which means somebody/something sends messages to your internal users (the addresses do not exist), so DSN messages are generated and sent to the senders (whose domain addresses also do not exist), and these queue up.

    As for the suggestions I've mentioned above, it's recommended to do them and check the results.

    Hope it helps.


    Regards,

    Jason Chao



    Friday, December 1, 2017 2:08 AM
    Moderator
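Jason's reading is that the queue is full of NDRs the server generated for mail to recipients that do not exist. The following is an added example (not from the thread) that triages that situation from the delivery queues and the message tracking log; the six-hour look-back window is an assumed value.

```powershell
# Added example, not from the thread: read-only triage of a backscatter (NDR) storm in
# the Exchange Management Shell. Part 1 counts queued messages whose sender is the
# null address <>, i.e. DSNs the server generated itself, per destination queue.
# Part 2 finds tracking-log FAIL events for non-existent recipients and joins them to
# the RECEIVE event of the same message to show which client IPs feed them in.
$hours = 6                              # look-back window (assumed value; adjust)
$since = (Get-Date).AddHours(-$hours)

# --- Part 1: null-sender messages sitting in the external delivery queues ---
$dsnMessages = foreach ($q in (Get-Queue | Where-Object { $_.NextHopCategory -eq 'External' })) {
    Get-Message -Queue $q.Identity -ResultSize Unlimited |
        Where-Object { "$($_.FromAddress)" -eq '<>' }
}
'Null-sender (DSN) messages per external queue:'
$dsnMessages | Group-Object { "$($_.Queue)" } -NoElement |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# --- Part 2: who is sending to recipients that do not exist? ---
# The categorizer logs an unknown recipient as a FAIL event whose RecipientStatus
# contains "550 5.1.1 RESOLVER.ADR.RecipNotFound".
$failed = Get-MessageTrackingLog -Start $since -EventId FAIL -ResultSize Unlimited |
    Where-Object { ($_.RecipientStatus -join ' ') -match 'RecipNotFound' }

# Index SMTP RECEIVE events by MessageId so the join is a hash lookup rather
# than one tracking-log query per failed message.
$recvById = @{}
Get-MessageTrackingLog -Start $since -EventId RECEIVE -Source SMTP -ResultSize Unlimited |
    ForEach-Object {
        if ($_.MessageId -and -not $recvById.ContainsKey($_.MessageId)) { $recvById[$_.MessageId] = $_ }
    }

$sources = foreach ($f in $failed) {
    if ($f.MessageId -and $recvById.ContainsKey($f.MessageId)) {
        $r  = $recvById[$f.MessageId]
        # OriginalClientIp survives front-end proxying; fall back to ClientIp
        $ip = if ($r.OriginalClientIp) { $r.OriginalClientIp } else { $r.ClientIp }
        [pscustomobject]@{ ClientIp = "$ip"; Connector = $r.ConnectorId; Recipients = ($f.Recipients -join ',') }
    }
}

# Reading the result: an outside address on the Default Frontend connector means the
# NDRs are backscatter from inbound junk; the server's own address means the messages
# are being submitted locally and the host itself needs to be examined.
'Top client IPs sending to non-existent recipients:'
$sources | Group-Object ClientIp -NoElement | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```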