zen.spamhaus.org not rejecting mail on Exchange 2013 Edge

    Question

  • Hi guys.

    Need some help investigating why the RBL list on Exchange 2013 (zen) did not reject spam.

    Spam was sent to a user in our organization although that IP is blacklisted by zen spamhaus: https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a104.243.72.35&run=toolpage

    and if we run on the Exchange 2013 Edge server:

    Test-IPBlockListProvider -Identity zen.spamhaus.org -IPAddress 104.243.72.35

    We see that the output is: TRUE

    Can someone please explain to me why this spam wasn't rejected and got delivered to our user in the organization?

    With best regards


    bostjanc


    Monday, February 29, 2016 3:06 PM

Answers

  • Nope. No load balancer or firewall between EDGE and frontend.
    We have solved this issue with:
    -making more aggressive changes at the SCL level for when a message should be quarantined.

    -We have tracked the quarantine mailbox and there are no false-positive spams.

    -we have also found out that some of the messages were delivered to users in the organization before they were listed as blacklisted on the RBL...


    bostjanc

    Thursday, March 3, 2016 10:05 AM
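The two things the accepted answer and Ed's earlier question ("Do you have anything enabled on the Edge that will enforce blacklist blocking?") come down to are: is the Edge actually configured so that a zen.spamhaus.org listing rejects the session, and are the content filter thresholds ordered so the stricter quarantine setting takes effect. The following is an added example written for this page, not code from the thread. It runs in the Exchange Management Shell on the Edge Transport server. The new SCL values (quarantine 4, reject 8, delete 9) are an illustrative assumption; the thread does not say which thresholds the poster settled on.

```powershell
# Added example, not from the thread. Runs in the Exchange Management Shell on the Edge
# Transport server. Checks everything that must be true for a zen.spamhaus.org listing
# to reject a session, then tightens the content filter as the accepted answer describes.
# The threshold values used below are an assumption for illustration.

function Test-EdgeBlocklistEnforcement {
    param([string]$LookupDomain = 'zen.spamhaus.org')
    $findings = @()

    # The Connection Filtering Agent is the agent that consults IP block list providers.
    $agent = Get-TransportAgent 'Connection Filtering Agent'
    if (-not $agent -or -not $agent.Enabled) {
        $findings += 'Connection Filtering Agent is missing or disabled'
    }

    # Global switch for all providers; ExternalMailEnabled must be on for Internet mail.
    $cfg = Get-IPBlockListProvidersConfig
    if (-not $cfg.Enabled) { $findings += 'IP block list providers are globally disabled' }
    if (-not $cfg.ExternalMailEnabled) { $findings += 'IP block list providers are not applied to external mail' }

    # The provider itself must exist and be enabled.
    $provider = Get-IPBlockListProvider | Where-Object { $_.LookupDomain -eq $LookupDomain }
    if (-not $provider) { $findings += "No IP block list provider uses $LookupDomain" }
    elseif (-not $provider.Enabled) { $findings += "Provider for $LookupDomain is disabled" }

    # Even with all of the above in place, a session is only rejected if the sender was
    # already listed at connect time, which is the timing gap the accepted answer mentions.
    $findings
}

function Set-StricterContentFilter {
    param([int]$Quarantine = 4, [int]$Reject = 8, [int]$Delete = 9)
    # Exchange requires Delete > Reject > Quarantine; lower thresholds hold more mail.
    if (-not ($Quarantine -lt $Reject -and $Reject -lt $Delete)) {
        throw "Thresholds must satisfy Quarantine < Reject < Delete (got $Quarantine/$Reject/$Delete)"
    }
    Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold $Quarantine `
        -SCLRejectEnabled $true -SCLRejectThreshold $Reject `
        -SCLDeleteEnabled $true -SCLDeleteThreshold $Delete
    Get-ContentFilterConfig | Select-Object SCLQuarantineThreshold, SCLRejectThreshold, SCLDeleteThreshold
}

# Usage: report configuration gaps first.
$issues = Test-EdgeBlocklistEnforcement
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Block list enforcement is configured on this Edge server' }

# Repeat the lookup the poster ran. A True result only proves the IP is listed now,
# not that it was listed when the message arrived.
Test-IPBlockListProvider -Identity zen.spamhaus.org -IPAddress 104.243.72.35

# Lower the quarantine threshold from the posted value of 5 to 4, keeping reject/delete as posted.
Set-StricterContentFilter -Quarantine 4 -Reject 8 -Delete 9
```

After tightening, watch the quarantine mailbox for a while before lowering the threshold further; every point of SCL you lower raises the false-positive rate, and the accepted answer's approach only works because the poster verified the quarantine mailbox stayed clean.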

All replies

  • If you have SMTP protocol logging enabled, you might want to verify in the SMTP Receive logs that the blacklisted IP address was actually seen by Exchange, and not some other NAT address or the address of your load balancer.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, February 29, 2016 11:45 PM
    Moderator
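The check Ed describes, as an added example that is not part of the thread: enable verbose protocol logging on the Internet-facing receive connector, then search the SMTP Receive protocol log for sessions from the suspect IP, and cross-check the anti-spam agent log for what the Connection Filtering Agent did with that session. It runs in the Exchange Management Shell on the Edge Transport server. Assumptions: the Internet-facing receive connector is the one the poster later names ("Inbound to USA"), the suspect sender is 104.243.72.35, and the log excerpt embedded in the script is constructed to look like an Exchange SMTP Receive protocol log, not real traffic.

```powershell
# Added example, not from the thread. Runs in the Exchange Management Shell on the Edge
# Transport server. Assumed names: receive connector "Inbound to USA", suspect IP
# 104.243.72.35. The sample log below is constructed, not captured.
$SuspectIP = '104.243.72.35'
$Connector = 'Inbound to USA'

# 1. Enable verbose protocol logging on the Internet-facing receive connector. Only
#    sessions after this point are logged, so the next spam sample is the first you can check.
Set-ReceiveConnector -Identity $Connector -ProtocolLoggingLevel Verbose

# 2. Parse SMTP Receive protocol log lines and return every line from sessions whose
#    remote endpoint is the suspect IP. If the real sender shows up here, Exchange saw that
#    IP; if only a NAT or load-balancer address shows up, the RBL lookup is being done
#    against the wrong address and can never match.
function Find-SmtpReceiveSessions {
    param([string[]]$LogLines, [string]$IPAddress)
    # The CSV column layout is declared by the '#Fields:' header line.
    $header = ($LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header ($header -split ',')
    # remote-endpoint is "ip:port"; compare on the IP part only.
    $rows | Where-Object { ($_.'remote-endpoint' -split ':')[0] -eq $IPAddress }
}

# Constructed sample (not real traffic): one session from the listed IP.
$SampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2016-02-29T14:05:11.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-02-29T14:05:11.012Z,EDGE01\Inbound to USA,08D3410A2B4C5D6E,0,10.0.0.5:25,104.243.72.35:51234,+,,
2016-02-29T14:05:11.020Z,EDGE01\Inbound to USA,08D3410A2B4C5D6E,1,10.0.0.5:25,104.243.72.35:51234,>,"220 edge01.domain.com Microsoft ESMTP MAIL Service ready",
2016-02-29T14:05:11.031Z,EDGE01\Inbound to USA,08D3410A2B4C5D6E,2,10.0.0.5:25,104.243.72.35:51234,<,EHLO mail.example.net,
2016-02-29T14:05:12.100Z,EDGE01\Inbound to USA,08D3410A2B4C5D6E,7,10.0.0.5:25,104.243.72.35:51234,-,,Local
'@ -split "`r?`n"
Find-SmtpReceiveSessions -LogLines $SampleLog -IPAddress $SuspectIP |
    Format-Table 'date-time', 'session-id', 'event', 'data'

# The same search over the real logs on this server. Get-TransportService is the Exchange 2013
# cmdlet; ReceiveProtocolLogPath defaults to ...\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive.
$LogDir = (Get-TransportService).ReceiveProtocolLogPath
$RealLines = Get-ChildItem -Path $LogDir -Filter '*.log' | Get-Content
Find-SmtpReceiveSessions -LogLines $RealLines -IPAddress $SuspectIP |
    Format-Table 'date-time', 'session-id', 'event', 'data'

# 3. Cross-check with the anti-spam agent log: an entry from the Connection Filtering Agent
#    for this IP means the RBL was queried and matched; no entry at all means the IP was not
#    listed (or not looked up) when the session arrived.
Get-AgentLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { "$($_.IPAddress)" -eq $SuspectIP } |
    Select-Object Timestamp, Agent, Event, Action, Reason, ReasonData
```

Compare the session timestamp from the protocol log against the time the IP first appeared on zen; if the session predates the listing, the RBL could not have rejected it, which matches what the poster eventually found.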
  • Ed, can you please provide me some links for SMTP protocol logging check?

    bostjanc

    Tuesday, March 1, 2016 10:28 AM
  • Ed, hi.

    Ignore my previous question.

    The current logging configuration on receive and send connectors is shown in the picture below.
    We should enable that on the receive connector and then wait for another spam to be delivered to a user in our organization, right?
    On which receive connector?
    If we use an Edge server, should we also enable logging on the EdgeSync connectors?


    bostjanc


    Tuesday, March 1, 2016 2:24 PM
  • In the future, please post this stuff as text.  It's hard to read those screen shots.

    If your inbound mail comes through an Edge server, that's where you'll have to look. Do you have anything enabled on the Edge that will enforce blacklist blocking?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, March 1, 2016 8:23 PM
    Moderator
  • Hi ED.

    Sorry for the screenshots; I wanted to describe the problem more briefly.

    So RECEIVE CONNECTOR: Inbound to USA is where I should enable verbose logging?

    I don't know what you mean by "Do you have anything enabled on the Edge that will enforce blacklist blocking?".

    I have an RBL configured (IP-BlockList-Providers). If you are asking whether we have any 3rd-party software installed on the EDGE, the answer is no.
    When we had Exchange 2010 with Forefront we received less spam; now, with Exchange 2013 Edge and only default settings, it's not so good compared with Forefront 2010.

    When we configured the Exchange 2013 EDGE we also edited the ContentFilter:

    [PS] C:\Windows\system32>Get-ContentFilterConfig

    Name                                  : ContentFilterConfig
    RejectionResponse                     : Message rejected as spam by Content Filtering.
    OutlookEmailPostmarkValidationEnabled : True
    BypassedRecipients                    : {}
    QuarantineMailbox                     : quarantine@domain.com
    SCLRejectThreshold                    : 8
    SCLRejectEnabled                      : True
    SCLDeleteThreshold                    : 9
    SCLDeleteEnabled                      : True
    SCLQuarantineThreshold                : 5
    SCLQuarantineEnabled                  : True

    Get-TransportAgent shows:

    Identity                                           Enabled         Priority
    --------                                           -------         --------
    Address Rewriting Inbound Agent                    True            1
    Edge Rule Agent                                    True            2
    Attachment Filtering Agent                         True            3
    Address Rewriting Outbound Agent                   True            4
    Connection Filtering Agent                         True            5
    Content Filter Agent                               True            6
    Sender Id Agent                                    True            7
    Sender Filter Agent                                True            8
    Recipient Filter Agent                             True            9
    Protocol Analysis Agent                            True            10
    EA DomainKeys Agent                                True            11


    bostjanc

    Wednesday, March 2, 2016 7:05 AM
  • Maybe just to mention: if we run Get-TransportAgent on the "FRONT END EXCHANGE 2013",
    the output is below. We didn't install any anti-spam agents on the front end, because as far as I understand they only need to be on the Exchange 2013 EDGE, where the MX record points.

    Identity                                           Enabled         Priority
    --------                                           -------         --------
    Transport Rule Agent                               True            1
    Malware Agent                                      True            2
    Text Messaging Routing Agent                       True            3
    Text Messaging Delivery Agent                      True            4
    System Probe Drop Smtp Agent                       True            5
    System Probe Drop Routing Agent                    True            6


    bostjanc

    Wednesday, March 2, 2016 7:06 AM
  • Logging has to be enabled on the Edge because it's the server that communicates with outside servers.  Is there something between the Edge server and the Internet that changes the source IP address, such as a load balancer or firewall?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, March 3, 2016 1:31 AM
    Moderator