Message Tracking -- SPAM Detected?

  • Question

  • One of our clients recently had their Exchange IP address blocked via DNSBL.  I'm not entirely certain why and have been trying to gather some more information.  I was searching through the Message Tracking for the past 24 hours and see several messages (not a lot) that appear to be SPAM.  Tellingly, the Sender column lists email addresses that are NOT in the user's domain, such as reply-474@elabs10.com.  I already know the server cannot be used as an external relay, so I'm wondering if an internal computer is infected with something and relaying SPAM through the Exchange server as an authenticated user.

    A couple of questions:

    Does Exchange record the internal IP address of where the email originated?  If so, where is this located?

    Why would Exchange even transmit an email message where the Sender email address is not for any domains handled by Exchange?  This seems like a flaw.  In my example above, the email in question was transmitted successfully even though the sender was listed as reply-474@elabs10.com.

    Thanks for your help!

    Vincent

    Saturday, July 14, 2012 3:46 PM

All replies

  • On Sat, 14 Jul 2012 15:46:17 +0000, AnimeDayDreamer wrote:
     
    >
    >
    >One of our clients recently had their Exchange IP address blocked via DNSBL. I'm not entirely certain why and have been trying to gather some more information. I was searching through the Message Tracking for the past 24 hours and see several (not a lot) of messages that appear to be SPAM. Tellingly, the Sender column lists email addresses that are NOT in the user's domain, such as reply-474@elabs10.com. I already know the server cannot be used as an external relay, so I'm wondering if an internal computer is infected with something and relaying SPAM through the Exchange server as an authenticated user.
    >
    >A couple of questions:
    >
    >Does Exchange record the internal IP address of where the email originated? If so, where is this located?
     
    Not if the message came from a client using RPC. If they used SMTP
    then the SMTP Receive protocol log would have the information.
     
    If you have the message-id and the message came from a RPC client you
    can look for that in the message-id tracking logs on the mailbox
    server. If it came from a mailbox there'd be a SUBMIT event for it. The
    mailbox GUID is in the tracking log.
     
    >Why would Exchange even transmit an email message where the Sender email address is not for any domains handled by Exchange? This seems like a flaw.
     
    A flaw in the way the server is configured, perhaps.
     
    >In my example above, the email in question was transmitted successfully even though the sender was listed as reply-474@elabs10.com.
     
    Why would a sender's email address that's not in your domain be
    considered suspicious? Don't you receive e-mail from other domains?
     
    What's more important is the destination address. Unless you've
    fiddled around with the default Receive Connector (or added another
    Receive Connector) Exchange won't accept mail from anonymous SMTP
    clients unless it's addressed to a domain in your Accepted Domains
    list.
     
    Do you have an Edge server? If not, does your Hub Transport server
    receive e-mail from the Internet or from some spam filter (either an
    on-site appliance or an off-site service)? If the HT server's
    receiving mail directly from the Internet have you installed the
    anti-spam agents on the machine? Once you do that (or you have an edge
    server) make sure that you reject any RCPT TO addresses that aren't in
    your AD.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, July 14, 2012 9:37 PM
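    The reply above points at three places to look: the message tracking log (RECEIVE events for SMTP submissions carry the client IP; SUBMIT events for Outlook/RPC submissions carry the mailbox identity), the Receive connector protocol log, and recipient validation on the anti-spam agents. The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft; it uses standard Exchange 2007/2010 cmdlets (Get-MessageTrackingLog, Get-AcceptedDomain, Get-ReceiveConnector, Get-RecipientFilterConfig), and the 24-hour window, output path and grouping are assumptions. Run it on the Hub Transport server, or add -Server to Get-MessageTrackingLog.

    ```powershell
    # Added example (not from the thread): find messages whose sender domain is
    # not one of our Accepted Domains and show where each one entered Exchange.
    # Window and output path are assumptions; adjust to taste.
    $start = (Get-Date).AddHours(-24)
    $end   = Get-Date

    # 1. Domains this organisation is authoritative for.
    $accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

    # 2. RECEIVE = message accepted over SMTP (ClientIp/ConnectorId identify the
    #    submitting host); SUBMIT = message handed over by the Mailbox server
    #    for an RPC/Outlook client (no client IP; SourceContext names the mailbox).
    $events = Get-MessageTrackingLog -Start $start -End $end -ResultSize Unlimited |
        Where-Object { ('RECEIVE','SUBMIT') -contains $_.EventId }

    # 3. Keep only rows whose sender domain is foreign. Normal inbound Internet
    #    mail is expected here too, so the interesting rows are those that came
    #    in via an internal path: Source STOREDRIVER, or a RECEIVE on a connector
    #    whose PermissionGroups allow authenticated or internal clients.
    $suspect = foreach ($e in $events) {
        $sender = [string]$e.Sender
        if (-not $sender) { continue }                 # null sender (NDRs/bounces)
        $domain = ($sender -split '@')[-1].ToLower()
        if ($accepted -contains $domain) { continue }   # our own domain, skip
        New-Object PSObject -Property @{
            Timestamp     = $e.Timestamp
            EventId       = $e.EventId
            Source        = $e.Source
            ConnectorId   = $e.ConnectorId
            ClientIp      = $e.ClientIp
            ClientHost    = $e.ClientHostname
            Sender        = $sender
            Recipients    = ($e.Recipients -join ';')
            SourceContext = $e.SourceContext
            MessageId     = $e.MessageId
        }
    }

    # 4. Summarise by entry point. Many foreign-sender messages from one internal
    #    ClientIp, or many SUBMIT events from one SourceContext (mailbox), is the
    #    pattern of a compromised workstation or credential rather than normal mail.
    $suspect | Group-Object Source, ConnectorId, ClientIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    $suspect |
        Select-Object Timestamp, EventId, Source, ConnectorId, ClientIp, ClientHost,
                      Sender, Recipients, SourceContext, MessageId |
        Sort-Object Timestamp |
        Export-Csv -NoTypeInformation -Path "$env:TEMP\foreign-sender-events.csv"

    # 5. For SMTP-sourced rows the Receive protocol log holds the full session
    #    (including any AUTH), but only if logging is on for that connector.
    Get-ReceiveConnector |
        Select-Object Identity, ProtocolLoggingLevel, PermissionGroups, AuthMechanism |
        Format-Table -AutoSize

    # 6. Recipient validation ("reject RCPT TO addresses not in AD") lives on the
    #    Recipient Filter agent; confirm it is installed and enabled.
    Get-RecipientFilterConfig | Select-Object Enabled, RecipientValidationEnabled
    ```

    Read the grouped output first: an external sender address on the Internet-facing connector is just inbound mail, but the same kind of address arriving on the Default (internal) connector from a workstation IP, or as a SUBMIT from one mailbox, is the case the original poster is worried about, and the MessageId from that row is what to carry into the protocol log or the mailbox server's tracking log.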
  • hi,

    any update?

    thanks,


    CastinLu

    TechNet Community Support

    Monday, July 16, 2012 9:17 AM