blocking blank sender spammer (connecting from overseas client IP) Exchange 2010

    Question

  • Hi,

    I am experiencing an issue where one overseas IP is connecting to my Exchange servers and sending a huge number of spam messages with a blank sender ID.

    1) How does an Exchange client connect to my servers without user ID authentication (or do spammers have a mechanism to do so)?

    2) Where/which log should I check to find out which user ID the spammer is authenticating with?

    3) The spammers are still sending the spam emails (including money-transfer and adulatory spam).

    4) NOTE: since 'Out of Office auto reply' is a mandatory business requirement, I am unable to disable blank-sender emails.

    Please suggest how to prevent this type of spam.

    example of message tracking log follows:

    RunspaceId              : 1858bdeb-c7ad-4c8f-826d-b8e010771637
    Timestamp               : 7/31/2016 5:10:05 AM
    ClientIp                : 24.128.188.200
    ClientHostname          : [192.168.0.106]
    ServerIp                : My Exchange server HUB IP
    ServerHostname          : My Exchange Hub server
    SourceContext           : 08D38E3DF9AEB7F3;2016-07-31T01:04:31.917Z;0
    ConnectorId             : MyHUbServer\authenthicated internet
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 34758820
    MessageId               : <79defd66-cf6d-4ba9-be97-7795d23c08bc@TEB-HD-HUB-03.hosting.local>
    Recipients              : {paul.kuah@gmail.com, vadim@manager-erp.com, vani6a@abv.bg, martinrojas@wp.pl, puttersonly@mts.net, petervillarreal@hotmail.com, opaluch1@wp.pl, adzame@gmail.com, moulins7@postmail.ch, edytaose@wp.pl, afulei@freemail.hu, teju@live.fr, msjc901@yahoo.com, carlosqmesa@gmail.com, kevinfonseca70@yahoo.com, d_stanisic@hotmail.com...}
    RecipientStatus         : {}
    TotalBytes              : 2399
    RecipientCount          : 20
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : RE:Can I Trust You Please?
    Sender                  :
    ReturnPath              : <>
    MessageInfo             : 07I: NTS:
    MessageLatency          :
    MessageLatencyType      : None
    EventData               : {[FirstForestHop, MyHubServer.hosting.local]}

    thanks and regards,

    Sunday, July 31, 2016 6:02 AM

Answers

All replies

  • Obtain a third-party message hygiene appliance, server or cloud service.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Sunday, July 31, 2016 6:54 AM
    Moderator
  • Thanks Ed,

    I agree, that will be a great solution.

    However, I am concerned to know how a spammer got into my Exchange with an 'empty sender ID' and 'empty return path'.

    Sunday, July 31, 2016 6:58 AM
  • Assuming that your Exchange Server allows anonymous mail from the Internet since you want to receive mail from the Internet since that's how Internet SMTP works, then anyone can send mail to your Exchange server.  I don't know that there was an "empty sender ID" (whatever that means) because I haven't seen a protocol trace.  But even if those are blank, what's the difference between that and a phony reply address?




    Sunday, July 31, 2016 7:30 AM
    Moderator
  • Hi Ed,

    Actually the problem/scenario is: an internet spammer (from an overseas IP) got into our Exchange and is sending millions of spam messages to internet IDs like user@yahoo.com, gmail.com, aol.com etc. with a blank sender ID.

    My concern is how this spammer got into my Exchange without authentication. Or is there a way to find out which authenticated ID he used to get in?

    Actually it is an OUTGOING spam issue from our Exchange, controlled by an internet spammer.

    (I think you have understood this case as an incoming-spam issue for our Exchange users, which it is not.)

    regards,

    Sunday, July 31, 2016 7:59 AM
  • Are you sure of that?  It's more likely that someone is just sending mail with your users as the from address using some other source.  But if you've confirmed that these messages are actually coming from your Exchange server, it can be from an infected host on your own network, a connection from an external host, and/or an open relay condition on your server.

    http://exchange.sembee.info/network/openrelaytest.asp



    Sunday, July 31, 2016 5:06 PM
    Moderator
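  • The following Exchange Management Shell script is an added example and is not part of any post in this thread. It works through the two open points above: question 2 (which log shows the ID the spammer authenticated with) and Ed's three candidate causes (infected internal host, external connection, open relay). It assumes it is run in the Exchange Management Shell on the Hub server (so `$exinstall` is defined), and the client IP, server name and connector name are taken from the tracking entry posted in the question; they are placeholders to replace with your own. A null return path (`<>`) is the normal envelope for DSNs and out-of-office replies, so by itself it is not the anomaly; the anomaly is an Internet host submitting null-sender mail to external recipients through that connector. Message tracking does not record the authenticating user, but the SMTP receive protocol log does, and the first field of the tracking entry's SourceContext (`08D38E3DF9AEB7F3`) is the SMTP session id that ties the two logs together.

```powershell
# Added example (not from the thread): triage an outbound-spam session on Exchange 2010.
# Assumed values, taken from the tracking entry in the question; replace with your own.
$ClientIp  = "24.128.188.200"
$HubServer = "MyHubServer"
$Connector = "$HubServer\authenthicated internet"   # name as shown in ConnectorId
$Start     = (Get-Date).AddDays(-1)

# 1) Message tracking: every RECEIVE from that IP with a null sender (ReturnPath <>),
#    grouped by receive connector, with the total recipient count. The IP and the volume
#    are what matters; the blank sender alone is legitimate (DSNs, out-of-office replies).
$hits = Get-MessageTrackingLog -Server $HubServer -EventId RECEIVE -Start $Start -ResultSize Unlimited |
    Where-Object { $_.ClientIp -eq $ClientIp -and [string]::IsNullOrEmpty($_.Sender) }
$hits | Group-Object ConnectorId |
    Select-Object Name, Count,
        @{ n = 'Recipients'; e = { ($_.Group | Measure-Object RecipientCount -Sum).Sum } }

# 2) Open-relay check on the connector the mail arrived on. If "NT AUTHORITY\ANONYMOUS LOGON"
#    holds ms-Exch-SMTP-Accept-Any-Recipient (not denied), any Internet host can relay through it
#    without a password, which is one of the causes Ed lists.
Get-ReceiveConnector $Connector |
    Format-List PermissionGroups, AuthMechanism, RemoteIPRanges, ProtocolLoggingLevel
Get-ADPermission -Identity $Connector |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Select-Object User, ExtendedRights, Deny

# 3) Which account did the session authenticate as? Only the receive protocol log shows the
#    AUTH exchange, so make sure it is on for this connector (it can be set back to None later).
Set-ReceiveConnector $Connector -ProtocolLoggingLevel Verbose

# The first ';'-separated field of SourceContext in the tracking entry is the SMTP session id,
# and it is the session-id column of the protocol log. Pull every line of that session.
$SessionId = ($hits | Select-Object -First 1).SourceContext.Split(';')[0]
$LogDir    = Join-Path $exinstall 'TransportRoles\Logs\ProtocolLog\SmtpReceive'
$Header    = 'date-time','connector-id','session-id','sequence-number',
             'local-endpoint','remote-endpoint','event','data','context'
Get-ChildItem $LogDir -Filter 'RECV*.log' |
    ForEach-Object { Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } } |  # skip header comments
    ConvertFrom-Csv -Header $Header |
    Where-Object { $_.'session-id' -eq $SessionId } |
    Select-Object 'date-time', 'remote-endpoint', 'event', 'data', 'context' |
    Format-Table -AutoSize
```

    Reading the session: an `AUTH LOGIN` / `AUTH PLAIN` exchange answered with `235 2.7.0 Authentication successful` means a real mailbox credential was used (the user is named in the context of the session's authentication lines), and that password should be reset and the account checked for forwarding rules. If the session has no AUTH at all and the MAIL FROM/RCPT TO still got `250` replies for external recipients, the connector is accepting anonymous relay and the permission output from step 2 is where to fix it. Sessions that originate from a RemoteIPRanges entry covering your LAN instead point at an infected internal host.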