Queue Viewer - Strange Domains - should be concerned?
Viewing the Send Connector Log as recommended in another thread, I noticed some strange domains (Polish domain when nobody here speaks Polish) and thought I'd take a look at the Queue Viewer in the EMC "Tools". Who could be emailing to these domains? This is what I found (output below). Should I be concerned about these? There is one that refers to a virus.

[PS] C:\>get-queue | ft nexthopdomain

NextHopDomain
-------------
btcentralplus.com airtelbroadband.in telesp.net.br veloxzone.com.br virtua.com.br com.ar ukrtel.net ne.jp as43234.net mailfrom.com com.au gvt.net.br com.tr embarqhsd.net unitymediagroup.de nationalcablenetworks.ru mindstreamsmailer.com iam.net.ma com.pl com.sg as9105.com comcastbusiness.net vdc.vn jasico.si com.tw ac.jp strueres.dk netscope.co.za pghcernseaerxdaf.telestar.ru uoc.es tietoraitti.fi rdsochterishbctmwjtjmitgjidsj.benoitmichels.com rdsochterishbctmwjtjmitgjidsj.telestar.ru cnm.su.se doedel.nl kaa.desy.de acs.ryerson.ca diddlpost.de jaczewski.prv.pl stratford-festival.on.ca jaeger.dk kdmmwahdcihlxcjmoa.telestar.ru ubvkiwhoeujivhjiadwxfa.mc2school.org rcgslgsbgbrbgtkpcsehrbsd.telestar.ru kpmgmail.co.za tiscali.fr starnet.ph lbnibfhblcemhdlbanyscnxr.mc2school.org net-inotel.pl 18992.virus.blogdns.com mjnrbohmincainkgoyrhenma.sohnut.ru bps.cc mtu-net.ru com.gh edu.ua 497.ac 123linko.com adslplus.ch colemanasia.com.ph tataidc.co.in 20433.virus.blogdns.com com.co rcjtlshftvejfthocjtsajra.telestar.ru tmcz.cz pacenet-india.com edu.tw media.pl agendasaude.com.br cosmosbank.com.tw pctips.de foreningssparbanken.se pp.fi com.vn com.bo tjvrybtfvjqctdvahcgtcvxfb.buhrmann.com sk.ca co.il kdfhlsbcekjajh.buhrmann.com sdtvdatrcthjcsetmdhsdtr.sfpavocats.ca spcsdns.net 560.ac tropolys.de 24x7tel.net republika.pl artq.com nifty.com mcbbnojnfebowjendintf.sfpavocats.ca cc-bank.de jellow.nl norcontrol.no jaegermeister.prv.pl kabel-badenwuerttemberg.de ewbl.vlaanderen.be com.cy orpheus.amdahl.com vivozap.com.br net.opel.com g-it.dk dlc.fi marocconnect.net.ma
gfk.stockholm.se kgfmojfkfmyhckecikg.buhrmann.com linknetinc.com co.nz telemar.net.br tpssalibandy.fi nbnaaoygpjniniiombeob.mc2school.org pdqmcpipfqggparerepharxlb.benoitmichels.com twins.org.uk tpt.ee folksrevolver.com langnese-iglo.de com.ua tx.us ctbcnetsuper.com.br mpinet.com avenet.fi ipv4ilink.net brasiltelecom.net.br 41.xmbs.jp centerforhighered.com chickenhardworld.com myvzw.com greatchickenhard.com giga.net.tw edcuation.net bestleanman.com email.uophx.edu 29455.virus.blogdns.com spanishphrasebet.com dalumts.dk aster.com.au farlep.net ucdwilegfuaudvpifui.buhrmann.com kblfcmhygltbmphekgmfgammgjkckjk.stertil.de marton.net.pl ttn.com.tw hoffmanrileyarchitects.com com.cn dwnet.com.br pcarp.usp.br mhdotydiotyidnrfmagoua.benoitmichels.com lbljnxfdldnpwildnhoilenygdlbnqx.telestar.ru pd5jwc.myweb.nl seed.net.tw ocplhcqrrdeihidj.lsinter.net kingwhale.com.tw informatica.com.co yahoo.com Submission
December 12th, 2010 3:02pm

Concerned? Maybe. Do you have recipient filtering turned on? If not then it could just be rejects being sent back to spoofed senders. However a list hanging around like that isn't standard behaviour, so would tend to indicate email has been sent to those domains recently. Have you got message tracking enabled? You could see if that shows things.

A common posting would be that you have a compromised machine. However I would disagree with that. Most spam trojans will have their own SMTP engine. They will not look to find/use another server to send email out. A corporate system is not the target of most trojan writers because they will be protected. What they are looking for is the clueless home user.

The usual cause could be either NDR/NDR spam, or an authenticated relay using a compromised account. NDR/NDR spam is blocked by recipient filtering which is part of the antispam agents in Exchange 2007/2010. Authenticated relaying is usually done through the Client Receive Connector, and would require the second port to be opened, unless you have changed the configuration of course.

Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources
December 12th, 2010 7:31pm

"Do you have recipient filtering turned on?"

I'm going to say no, because I never recall doing such a thing. How could I tell? In general, having to manage many things besides Exchange, I try (I try) to keep things simple and change very little from the default settings.
December 13th, 2010 9:26am

While the default settings allow Exchange to run, they shouldn't be considered anywhere near to optimum. As a bare minimum you should run the Best Practices tool from the Toolbox and correct anything it flags.

Recipient Filtering instructions: http://www.amset.info/exchange/filter-unknown2.asp

It isn't enabled by default and therefore would cause the list of unknown domains to appear when a spammer does an NDR run using spoofed addresses.

Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources
December 13th, 2010 1:13pm

Oh, I've definitely run the EXBPA. It's never signaled anything serious. Certain HDW drivers are more than two years old. 1 NIC is not connected (only one adapter is cabled). No "red" alerts, a couple yellow (those above) and lots of blue informational entries. I run the test-* cmdlets too from time to time.

BTW, would I gain something from connecting both NICs or not?

Lastly, thank you for the link about Recipient Filtering. I can confirm that this was not configured.
December 13th, 2010 1:32pm

"Have you got message tracking enabled? You could see if that shows things."

Yes... Well, do you mean in Exchange Tools (EMC) with the other Tools there? If so, then yes. It's enabled and I've already used it in other contexts. So I'm going to try to see if any messages were actually sent to these domains? I'm looking at the GUI right now and I'm not sure how I'd filter that. I need a complete email address for the recipient, right? I can't just enter the domain as in: strangeDomainName.tld ???
December 13th, 2010 1:54pm
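Two of the questions in this thread ("How could I tell?" whether recipient filtering is on, and how to search message tracking by domain rather than by full address) can be answered from the Exchange Management Shell. The script below is an added example, not something posted in the thread; it assumes Exchange 2007/2010 with the anti-spam agents installed on the Hub Transport server, uses the thread's own placeholder "mydomain.org", and picks telestar.ru (one of the queued domains above) as the sample domain to search for.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the Hub Transport server.

# 1. Is recipient filtering actually enabled? Without the anti-spam agents
#    installed this cmdlet is not available, which is itself the answer.
Get-RecipientFilterConfig |
    Format-List Enabled, RecipientValidationEnabled, BlockListEnabled

# 2. For every outbound DNS queue to a domain we do not own, count how many
#    queued messages come from the null sender "<>". NDRs are sent from "<>",
#    so a queue that is mostly "<>" is backscatter to spoofed senders rather
#    than mail a user or a compromised account actually sent.
$ourDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
Get-Queue | Where-Object {
    $_.DeliveryType -eq 'DnsConnectorDelivery' -and
    $ourDomains -notcontains $_.NextHopDomain
} | ForEach-Object {
    $msgs = @(Get-Message -Queue $_.Identity -ResultSize Unlimited)
    $ndrs = @($msgs | Where-Object { $_.FromAddress -eq '<>' }).Count
    New-Object PSObject -Property @{
        Queue    = $_.NextHopDomain
        Messages = $msgs.Count
        NDRs     = $ndrs
    }
} | Sort-Object Messages -Descending | Format-Table Queue, Messages, NDRs -AutoSize

# 3. Message tracking by recipient *domain*. The EMC tracking GUI wants a
#    full address, but in the shell Recipients is an array, so a wildcard
#    match on it finds anything addressed to the domain in the last 7 days.
$domain = 'telestar.ru'   # sample domain, taken from the queue list above
Get-MessageTrackingLog -Start (Get-Date).AddDays(-7) -ResultSize Unlimited |
    Where-Object { $_.Recipients -like "*@$domain" } |
    Select-Object Timestamp, EventId, Source, Sender, MessageSubject |
    Sort-Object Timestamp | Format-Table -AutoSize
```

If step 3 shows a real mailbox user as Sender with EventId SEND, that points at an authenticated relay or a compromised account rather than NDR backscatter; a Sender of "<>" or a postmaster address with EventId FAIL/DSN is the bounce traffic recipient filtering would stop.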


Hi Le Pivert,

Per the above information, those seem to be some spam sender domains. They usually send spam emails to your domain, but the recipients do not exist in your Exchange system, so many NDRs would be sent to the spam domains. Did you deploy the Edge server in your scenario? There is a feature, "Recipient Filter", that could resolve it. Some information for you: http://technet.microsoft.com/en-us/library/bb123891.aspx

If I want to check the email exactly, I would check the tracking log to confirm it.

Regards!
Gavin
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 15th, 2010 3:43am

Just a follow up to let you guys and other readers know what happened. As suggested elsewhere, I configured Postini to reject all mail UNLESS it is for someone on the list we established with Postini (installing the antispam agents on the Hub Transport server with recipient filtering enabled was another suggestion, or on the Edge server if you have one; we do not). It's like night and day. We went from something like 90 queues to less than 10 and now (just looking) 2!

- myserver.mydomain.org
- submission

Every now and then, another domain appears, but they look legitimate (.edu). Configuring "Accepted Domains" at the Organizational Level under Hub Transport is NOT enough, because spam could be directed to former employees using an accepted domain name after @.
December 20th, 2010 10:39am

This topic is archived. No further replies will be accepted.