Spam and spoofing Fighting

  • Question

  • Hello all,

    We had a few major outbreaks in the last weeks. We had a queue with more than 600k mails!!  

    Most of these mails are without a from address, and the picture shows one example of it.  We have correct SPF, DKIM, DMARC. And below are the activated and set-up agents (maybe not set up correctly??).  

    Today there was an outbreak with 600k mails in the queue. Looking at the transport logs, the mail did not go out (that is the only good thing), but our sender score (https://www.senderscore.org) is as low as it can be: it is "3". We have been fighting this for weeks now, and we got removed from blacklists, but for more than one month we have been unable to send mail to any Microsoft domains; we don't know what to do anymore. And our sender score is just not going up.  Could it be that all the mail rejected by Microsoft is crushing our sender score??   And I saw in "sender score" that our reject rate is "high", and it is, we are rejecting tons of spam... Please help...


    Monday, October 21, 2019 5:34 PM

All replies

  • Hi

    Is your ISP only allowing mail from your IP or from multiple IPs? The reputation of your IP has to build up again.

    If you look at MXToolbox, can you see whether you are listed on any other blacklists?

    Have you checked your internal LAN for a virus/trojan infection that is trying to mass-mail out as well?


    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, October 21, 2019 7:48 PM
    Moderator
  • Hi Pero,

    It seems like your mail server IP has been blacklisted. Request whitelisting of your mail server's public IP, or change the mail server's public IP to a fresh one. Also, if you can, monitor the components below in your spam filter.

    1. Number of outgoing emails from your mail server.
    2. Bandwidth usage on your mail server.
    3. Whether you have any open relay on your mail server.

    Looking at the snapshot, I have checked the SMTP relay of admiral.hr, which I found to be an open relay. You need to resolve this ASAP. The link below could be helpful for you.

    https://anishjohnes.wordpress.com/2014/06/25/how-to-find-if-your-exchange-server-is-an-open-relay-what-are-the-steps-to-close-an-open-relay/


    Cheers,
    Aerrow
    Blog: pdhewaju.com.np
    Please remember to mark the replies as answers.

    Tuesday, October 22, 2019 1:03 AM
    We have a range of IPs to use, but we use only one.  We are on one blacklist, 'TRUNCATE'; that happened yesterday. 

    The internal LAN is not infected. 

    Tuesday, October 22, 2019 6:54 AM
  • Hello,

    So if I run 

    Get-ReceiveConnector "YourReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

    all incoming mails will still come in normally, and this could solve a ton of problems??  And is that all I have to do to close the open relay?

    Pero 

    Tuesday, October 22, 2019 6:58 AM
    One more question, after we close the open relay..

    I saw https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/set-receiveconnector?view=exchange-ps

    -TarpitInterval   currently the default; should we change it??

    -RequireEHLODomain  will this protect against spam??

    -Banner, should we change the default banner (it has the server name in it) to something else??

    Tuesday, October 22, 2019 7:09 AM
  • Hi Pero,

    We helped to cover your personal information in your screenshot, please pay attention next time.

    For receive connectors created by default, you don't have to change any settings.

    You can leave TarpitInterval, RequireEHLODomain, Banner with the default value. Based on my knowledge, RequireEHLODomain just works in the EHLO handshake; it won't help to protect against spam. 

    If you want to create specific receive connectors or configure anonymous relay, you can check these articles about how to create receive connectors:

    Scenarios for custom Receive connectors in Exchange Server

    Allow anonymous relay on Exchange servers

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 22, 2019 7:47 AM
    Moderator
  • Thank you very much for covering personal info and for quick response.

    So I run this 

    Get-ReceiveConnector "YourReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

    on

    srvname\default srvname    OR

    srvname\default frontend srvname OR

    srvname\client frontend srvname   OR

    on all relays??

    Pero

    Tuesday, October 22, 2019 8:30 AM
  • Did you modify the default receive connectors before? 

    It's not recommended to change settings on the default receive connectors, and these default receive connectors are not configured to use open relay.

    If you have modified the default receive connectors or created other receive connectors to use open relay, you can check with the following command:

    Get-ReceiveConnector | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"} | Format-List Identity,ExtendedRights

    Regards,

    Lydia Zhou


    Tuesday, October 22, 2019 9:00 AM
    Moderator
    No, I did not modify anything on the default receive connectors.

    The command gave me this output...

    Identity       : HVMSEXCH01\Local Relay Service
    ExtendedRights : {ms-Exch-SMTP-Accept-Any-Recipient}

    So is this the open relay making most of the problems, or??

    Tuesday, October 22, 2019 11:36 AM
    So I did as you told me, Lydia Zhou.

    Get-ReceiveConnector "Local Relay Service" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

    So I hope all my relays are closed now. Is there any way to run some more checks to be sure??

    Of course, now when I run the command below I get nothing:

    Get-ReceiveConnector | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"} | Format-List Identity,ExtendedRights


    Wednesday, October 23, 2019 6:20 AM
  • Hello,

    I have a few more questions.  The relay in my case was used for internal services, and it has scoping for internal IP addresses.  But even with scoping it was still an open relay?

    We have the Sender ID agent turned on.  When I want to let internal services like printers or reporting mail or similar through, I add their IP with Set-TransportConfig -InternalSMTPServers 192.168.x.x    Is this Sender ID a good choice for security??

    Thank you very much,

    Pero

    Wednesday, October 23, 2019 9:14 AM
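The check Lydia Zhou gave earlier only lists connectors where ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient; Pero's follow-up question is whether the RemoteIPRanges scoping on such a connector still leaves it an open relay. The script below is an added example (not from the thread, and not Microsoft's code) that joins both views: for every Receive connector it reports the anonymous relay permission together with the connector's bindings and RemoteIPRanges, and rates the connector as an open relay only when the permission is granted and the remote range covers the whole address space. It assumes the Exchange Management Shell; the property names used (RemoteIPRanges, Bindings, PermissionGroups, ExtendedRights, Deny) are those of Get-ReceiveConnector and Get-ADPermission.

```powershell
# Added example: audit Receive connectors for anonymous relay and how it is scoped.
# Assumes the Exchange Management Shell (Get-ReceiveConnector, Get-ADPermission).

function Get-AnonymousRelayReport {
    [CmdletBinding()]
    param()

    foreach ($rc in Get-ReceiveConnector) {
        # Allow-ACEs granting "accept any recipient" to ANONYMOUS LOGON on this connector.
        $anyRecipient = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') -and (-not $_.Deny) }

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })

        # A range that spans all of IPv4 or IPv6 means the "scoping" admits everyone.
        $unscoped = @($ranges | Where-Object { $_ -eq '0.0.0.0-255.255.255.255' -or $_ -like '::-ffff:*' })

        $risk = if ($anyRecipient -and $unscoped.Count -gt 0) { 'OPEN RELAY (anonymous relay, unscoped)' }
                elseif ($anyRecipient)                        { 'Anonymous relay limited to RemoteIPRanges' }
                else                                          { 'No anonymous relay' }

        [pscustomobject]@{
            Connector        = $rc.Identity.ToString()
            Bindings         = (@($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', ')
            PermissionGroups = $rc.PermissionGroups.ToString()
            AnonymousRelay   = [bool]$anyRecipient
            RemoteIPRanges   = ($ranges -join ', ')
            Risk             = $risk
        }
    }
}

# Worst findings first.
Get-AnonymousRelayReport | Sort-Object Risk -Descending | Format-Table -AutoSize
```

A connector rated "limited to RemoteIPRanges" is not an open relay to the internet, but every host inside those ranges (including a compromised workstation or printer) can send to any external recipient through it, so the report is also the list of internal address ranges worth monitoring for unexpected outbound volume.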
  • Hello all,

    Me again... So let's go back to the beginning of the story.  

    How do we stop messages without a "from address" and with source DSN??  They are still coming into the queue.

    Thursday, October 24, 2019 5:36 AM
  • Hi Pero,

    You can also configure the Sender Filter agent to block inbound messages that don't specify a sender and domain in the MAIL FROM SMTP command. This setting helps to prevent NDR attacks on the Exchange server. You can check this for more information about Sender Filter agent: Sender filtering

    For these spam messages in your Exchange, you can use Queue Viewer to remove messages from queues. For reference: Remove messages from queues

    Regards,

    Lydia Zhou


    Thursday, October 24, 2019 9:14 AM
    Moderator
  • [PS] C:\Windows\system32>Get-SenderFilterConfig | Format-List BlankSenderBlockingEnabled
    BlankSenderBlockingEnabled : True

    It has been turned on the entire time; Sender ID is turned on for external sources only, as per Microsoft best practice.

    Why do we still get these messages with no "from"??

    Thursday, October 24, 2019 12:24 PM
  • Hi Pero,

    you can check open relay status from this webpage.

    https://mxtoolbox.com/diagnostic.aspx


    Cheers,
    Aerrow
    Blog: pdhewaju.com.np
    Please remember to mark the replies as answers.

    Thursday, October 24, 2019 12:58 PM
  • It says,

    May be an open relay!

    Session Transcript:
    Connecting to 192.xxx.xxx.xxx

    220 mail.domain.hr Domain E-Mail System [672 ms]
    EHLO keeper-us-east-1c.mxtoolbox.com
    250-mail.domain.hr Hello [18.205.72.90]
    250-SIZE 37748736
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH NTLM
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING [734 ms]
    MAIL FROM:<supertool@mxtoolbox.com>
    250 2.1.0 Sender OK [719 ms]
    RCPT TO:<test@mxtoolboxsmtpdiag.com>
    250 2.1.5 Recipient OK [734 ms]

    LookupServer 4437ms

    More Information About Smtp Open Relay

    During our diagnostics we attempt to simulate sending a message to a fake email address; test@example.com. We do this to try to detect if your server is an open relay, which means that it accepts mail to domains for which it is not responsible and then passes it along to the proper server. Your server responded with a 200 accepted code to our RCPT TO command. THIS DOES NOT MEAN YOU ARE OPERATING AN OPEN RELAY, only that you may be an open relay.

    How can we be sure??  Thank you

    Thursday, October 24, 2019 1:27 PM
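The MXToolbox transcript above stops at RCPT TO and cannot tell a real relay from a server that accepts at RCPT and rejects later, which is why it hedges with "may be an open relay". The script below is an added example (not from the thread or from MXToolbox) that repeats the same EHLO / MAIL FROM / RCPT TO exchange against a server you operate, never sends DATA, and classifies the RCPT TO reply code: 250 means the relay accepted a recipient in a domain it is not authoritative for, 5xx means it was refused. All host and address names are placeholders; run it from outside your own address ranges, since a connector scoped to internal IPs (like the thread's "Local Relay Service") will answer differently from inside.

```powershell
# Added example: relay self-test of your OWN mail server, mirroring the MXToolbox probe.
# Only the SMTP envelope is sent; the session is reset and closed before DATA, so
# no message is ever queued or delivered. Names below are placeholders.

function Test-RelayFromOutside {
    param(
        [Parameter(Mandatory)] [string] $Server,          # your own MX host, e.g. mail.example.com
        [int]    $Port      = 25,
        [string] $HeloName  = 'relaytest.example.com',     # placeholder EHLO name
        [string] $MailFrom  = 'relaytest@example.com',     # placeholder external sender
        [string] $RcptTo    = 'probe@example.net',         # a domain your server is NOT authoritative for
        [int]    $TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # SMTP replies may span lines: "250-..." continues, "250 ..." is the last line.
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            $lines += $line
        } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        return $lines
    }
    function Send-Cmd([string] $cmd) { $writer.WriteLine($cmd); Read-Reply }

    try {
        $banner = Read-Reply
        $ehlo   = Send-Cmd "EHLO $HeloName"
        $from   = Send-Cmd "MAIL FROM:<$MailFrom>"
        $rcpt   = Send-Cmd "RCPT TO:<$RcptTo>"
        Send-Cmd 'RSET' | Out-Null    # drop the envelope; nothing is delivered
        Send-Cmd 'QUIT' | Out-Null
    } finally {
        $client.Close()
    }

    $code = [int]($rcpt[-1].Substring(0, 3))
    [pscustomobject]@{
        Server    = $Server
        Banner    = $banner[-1]
        MailFrom  = $from[-1]
        RcptReply = $rcpt[-1]
        RelayOpen = ($code -ge 200 -and $code -lt 300)
        Verdict   = if ($code -ge 200 -and $code -lt 300) { 'RCPT TO for a foreign domain was accepted: relay is open from this vantage point' }
                    elseif ($code -ge 500)                { 'Relay refused (expected; Exchange answers e.g. 550 5.7.1 Unable to relay)' }
                    else                                  { 'Temporary failure; retry' }
    }
}

# Example call (run from a host outside your RemoteIPRanges):
# Test-RelayFromOutside -Server 'mail.example.com' | Format-List
```

Because Exchange evaluates the anonymous "accept any recipient" right at RCPT TO time, a refused RCPT here is a direct confirmation that the Remove-ADPermission change took effect on the connector that answers this port and source address; repeat the test from each network the connectors are scoped to.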
  • Hi,

    From the screenshot about "Get-TransportAgent" you provided in the question, your Sender Filter agent is disabled. Please use the following command to double-check if Sender Filter agent is enabled:

    Get-SenderFilterConfig | Format-List Enabled

    Regards,

    Lydia Zhou


    Tuesday, October 29, 2019 1:42 AM
    Moderator
  • Enable-TransportAgent -Identity "Sender Filter Agent"

    Returns: True

    after that i run:

    Enable-TransportAgent -Identity "Sender Filter Agent" and restarted transport service.

    What is the purpose of this agent??

    Wednesday, October 30, 2019 7:55 AM
  • It seems to be the NDR attack for your issues about plenty of spams. The  Sender Filter agent can be set to prevent NDR attacks. Though you enabled BlankSenderBlockingEnabled, you didn't enable Sender Filter Agent before.

    Regards,

    Lydia Zhou


    Friday, November 1, 2019 10:04 AM
    Moderator
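The point Lydia Zhou makes above is easy to miss in a one-off check: Get-SenderFilterConfig can report BlankSenderBlockingEnabled as True while the Sender Filter agent itself is disabled in Get-TransportAgent, and then nothing is blocked. The script below is an added example (not from the thread or from Microsoft) that reports all three switches that must be on for blank-sender blocking to work (agent enabled, sender filtering enabled, blank sender blocking enabled), optionally enables whatever is missing, and counts queued messages whose envelope sender is empty, which is the symptom the original poster was seeing. It assumes the Exchange Management Shell and the property names of Get-TransportAgent, Get-SenderFilterConfig and Get-Message.

```powershell
# Added example: verify blank-sender (NDR attack) protection end to end.
# BlankSenderBlockingEnabled only has effect while the Sender Filter agent is enabled.
# Assumes the Exchange Management Shell.

function Test-BlankSenderProtection {
    [CmdletBinding()]
    param(
        [switch] $Fix    # enable whatever is missing (transport service restart still required)
    )

    $agent  = Get-TransportAgent -Identity 'Sender Filter Agent'
    $config = Get-SenderFilterConfig

    $effective = [bool]($agent.Enabled -and $config.Enabled -and $config.BlankSenderBlockingEnabled)

    if ($Fix -and -not $effective) {
        if (-not $agent.Enabled) {
            Enable-TransportAgent -Identity 'Sender Filter Agent'
        }
        if (-not $config.Enabled -or -not $config.BlankSenderBlockingEnabled) {
            Set-SenderFilterConfig -Enabled $true -BlankSenderBlockingEnabled $true
        }
        Write-Warning 'Restart the Microsoft Exchange Transport service for the agent change to take effect.'
    }

    # Queued messages with an empty envelope sender (Get-Message shows them as <>).
    $blank = @(Get-Message -ResultSize Unlimited |
        Where-Object { "$($_.FromAddress)" -in @('', '<>') })

    [pscustomobject]@{
        AgentEnabled               = [bool]$agent.Enabled
        SenderFilteringEnabled     = [bool]$config.Enabled
        BlankSenderBlockingEnabled = [bool]$config.BlankSenderBlockingEnabled
        Effective                  = $effective
        BlankSenderInQueue         = $blank.Count
        OldestBlankSender          = ($blank | Sort-Object DateReceived | Select-Object -First 1).DateReceived
    }
}

# Report only; add -Fix to enable the missing pieces.
Test-BlankSenderProtection | Format-List
```

The count of blank-sender messages in the queue is the number to watch after enabling the agent: new arrivals should stop at the SMTP session, so anything still appearing afterwards came in through a path the Sender Filter agent does not see (an internal source listed in InternalSMTPServers, or an authenticated submission), which is the same direction Lydia Zhou points to later in the thread.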
    BlankSenderBlocking is now enabled, together with the Sender Filter Agent.

    We still see a few mails in the queue now and then with source NDR, but it looks good now.

    Thank you

    Tuesday, November 5, 2019 7:50 AM
    You can monitor the queue for some days to make sure there are no emails with an empty sender address. It's great that you got help from the above suggestion.

    Regards,

    Lydia Zhou


    Wednesday, November 6, 2019 2:04 PM
    Moderator
  • Hello,

    So we had another attack.   The first two images show results while the attack was active (the queue was full, 100k and more; the image is just a sample).  After that we added a rule to Exchange (block subject and domain etc.) and we blocked the IP on the network... but this is a temporary solution... 

    Thursday, November 7, 2019 8:47 AM
    You can configure the Sender Filter agent to block specific senders and domains:

    Set-SenderFilterConfig -BlockedSenders <sender1,sender2...> -BlockedDomains <domain1,domain2...>

    For reference: Use the Exchange Management Shell to configure blocked senders and domains for sender filtering

    Additionally, I noticed that none of the recipients are users in your organization, am I right?

    Since the open relay was disabled before, no external users should relay emails through the Exchange server. Please check again and make sure no applications or services generate these spams in your organization.

    Regards,

    Lydia Zhou


    Monday, November 11, 2019 4:57 PM
    Moderator