Trace spam email
Hi all,
Currently have an issue with a customer who has a number of spam emails sat in their Outbound Queue. Can't see anything obvious so far and at a guess think it's possibly a user's account that's the cause. The following is what I believe to be one of the emails. It shows the sender is blank...
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,0,10.61.168.26:25,10.61.168.13:50871,+,,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,1,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,2,10.61.168.26:25,10.61.168.13:50871,>,220 mail.DOMAIN.com,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,3,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,4,10.61.168.26:25,10.61.168.13:50871,>,250-HUBTRANSPORTSERVER.DOMAIN.Local Hello [10.61.168.13],
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,5,10.61.168.26:25,10.61.168.13:50871,>,250-SIZE,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,6,10.61.168.26:25,10.61.168.13:50871,>,250-PIPELINING,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,7,10.61.168.26:25,10.61.168.13:50871,>,250-DSN,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,8,10.61.168.26:25,10.61.168.13:50871,>,250-ENHANCEDSTATUSCODES,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,9,10.61.168.26:25,10.61.168.13:50871,>,250-STARTTLS,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,10,10.61.168.26:25,10.61.168.13:50871,>,250-X-ANONYMOUSTLS,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,11,10.61.168.26:25,10.61.168.13:50871,>,250-AUTH NTLM,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,12,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXPS GSSAPI NTLM,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,13,10.61.168.26:25,10.61.168.13:50871,>,250-8BITMIME,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,14,10.61.168.26:25,10.61.168.13:50871,>,250-BINARYMIME,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,15,10.61.168.26:25,10.61.168.13:50871,>,250-CHUNKING,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,16,10.61.168.26:25,10.61.168.13:50871,>,250-XEXCH50,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,17,10.61.168.26:25,10.61.168.13:50871,>,250 XRDST,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,18,10.61.168.26:25,10.61.168.13:50871,<,X-ANONYMOUSTLS,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,19,10.61.168.26:25,10.61.168.13:50871,>,220 2.0.0 SMTP server ready,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,20,10.61.168.26:25,10.61.168.13:50871,*,,Sending certificate
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,21,10.61.168.26:25,10.61.168.13:50871,*,CN=HUBTRANSPORTSERVER,Certificate subject
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,22,10.61.168.26:25,10.61.168.13:50871,*,CN=HUBTRANSPORTSERVER,Certificate issuer name
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,23,10.61.168.26:25,10.61.168.13:50871,*,54BEC86E600CBE864957FEE2DB44C020,Certificate serial number
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,24,10.61.168.26:25,10.61.168.13:50871,*,E8C6690B277DC4A3E16BF7CED42183E0DAE5A3B3,Certificate thumbprint
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,25,10.61.168.26:25,10.61.168.13:50871,*,HUBTRANSPORTSERVER;HUBTRANSPORTSERVER.DOMAIN.Local,Certificate alternate names
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,26,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,27,10.61.168.26:25,10.61.168.13:50871,>,250-HUBTRANSPORTSERVER.DOMAIN.Local Hello [10.61.168.13],
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,28,10.61.168.26:25,10.61.168.13:50871,>,250-SIZE,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,29,10.61.168.26:25,10.61.168.13:50871,>,250-PIPELINING,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,30,10.61.168.26:25,10.61.168.13:50871,>,250-DSN,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,31,10.61.168.26:25,10.61.168.13:50871,>,250-ENHANCEDSTATUSCODES,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,32,10.61.168.26:25,10.61.168.13:50871,>,250-AUTH NTLM,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,33,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXPS EXCHANGEAUTH GSSAPI NTLM,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,34,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXCHANGEAUTH SHA256,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,35,10.61.168.26:25,10.61.168.13:50871,>,250-8BITMIME,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,36,10.61.168.26:25,10.61.168.13:50871,>,250-BINARYMIME,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,37,10.61.168.26:25,10.61.168.13:50871,>,250-CHUNKING,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,38,10.61.168.26:25,10.61.168.13:50871,>,250-XEXCH50,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,39,10.61.168.26:25,10.61.168.13:50871,>,250 XRDST,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,40,10.61.168.26:25,10.61.168.13:50871,<,X-EXPS EXCHANGEAUTH,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,41,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs,Set Session Permissions
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,42,10.61.168.26:25,10.61.168.13:50871,*,DOMAIN\MAILBOXSERVER$,authenticated
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,43,10.61.168.26:25,10.61.168.13:50871,>,235 <authentication response>,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,44,10.61.168.26:25,10.61.168.13:50871,<,MAIL FROM:<> SIZE=8031,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,45,10.61.168.26:25,10.61.168.13:50871,*,08CDD9CB292563F4;2011-05-14T23:52:54.505Z;1,receiving message
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,46,10.61.168.26:25,10.61.168.13:50871,>,250 2.1.0 Sender OK,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,47,10.61.168.26:25,10.61.168.13:50871,<,RCPT TO:<hgecay@clinicaltrials.gov>,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,48,10.61.168.26:25,10.61.168.13:50871,>,250 2.1.5 Recipient OK,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,49,10.61.168.26:25,10.61.168.13:50871,<,BDAT 8031 LAST,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,50,10.61.168.26:25,10.61.168.13:50871,>,250 2.6.0 <b9f64658-210a-4c47-a0ae-c03407241052> Queued mail for delivery,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,51,10.61.168.26:25,10.61.168.13:50871,<,QUIT,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,52,10.61.168.26:25,10.61.168.13:50871,>,221 2.0.0 Service closing transmission channel,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,53,10.61.168.26:25,10.61.168.13:50871,-,,Local
The Default Receive Connector permission groups are set to allow everyone to connect which seems typical when comparing it to other clients (Apart from "Partners").
Is there any other way of figuring out where these emails are coming from? I'm not even sure if these could be NDR spam?
May 16th, 2011 10:39am
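As an added example (not code from the thread), here is a small Python parser for the receive connector protocol log format shown above. It groups rows by session-id, pulls out the authenticated identity, MAIL FROM and RCPT TO, and lists sessions that were submitted with a null sender, which is how NDR/backscatter appears in the log. The sample lines are constructed from the log above with the connector name shortened.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample modelled on the Exchange receive connector protocol log
# in the question (fields: date-time, connector-id, session-id, sequence-number,
# local-endpoint, remote-endpoint, event, data, context). Second session is made up.
SAMPLE_LOG = """\
2011-05-14T23:52:54.505Z,HUB\\Default HUB,08CDD9CB292563F4,0,10.61.168.26:25,10.61.168.13:50871,+,,
2011-05-14T23:52:54.584Z,HUB\\Default HUB,08CDD9CB292563F4,42,10.61.168.26:25,10.61.168.13:50871,*,DOMAIN\\MAILBOXSERVER$,authenticated
2011-05-14T23:52:54.584Z,HUB\\Default HUB,08CDD9CB292563F4,44,10.61.168.26:25,10.61.168.13:50871,<,MAIL FROM:<> SIZE=8031,
2011-05-14T23:52:54.584Z,HUB\\Default HUB,08CDD9CB292563F4,47,10.61.168.26:25,10.61.168.13:50871,<,RCPT TO:<hgecay@clinicaltrials.gov>,
2011-05-14T23:52:54.787Z,HUB\\Default HUB,08CDD9CB292563F4,53,10.61.168.26:25,10.61.168.13:50871,-,,Local
2011-05-14T23:53:10.100Z,HUB\\Default HUB,08CDD9CB292563F5,0,10.61.168.26:25,10.61.168.13:50872,+,,
2011-05-14T23:53:10.100Z,HUB\\Default HUB,08CDD9CB292563F5,5,10.61.168.26:25,10.61.168.13:50872,<,MAIL FROM:<alice@DOMAIN.com>,
2011-05-14T23:53:10.100Z,HUB\\Default HUB,08CDD9CB292563F5,7,10.61.168.26:25,10.61.168.13:50872,<,RCPT TO:<bob@example.net>,
2011-05-14T23:53:10.200Z,HUB\\Default HUB,08CDD9CB292563F5,9,10.61.168.26:25,10.61.168.13:50872,-,,Local
"""

FIELDS = ["time", "connector", "session", "seq", "local", "remote", "event", "data", "context"]

def _angle_addr(data):
    """Return the address between < and > in a MAIL FROM / RCPT TO command ('' for <>)."""
    return data[data.index("<") + 1:data.index(">")]

def parse_sessions(text):
    """Group protocol-log rows by session-id, keeping remote IP, auth identity, envelope."""
    sessions = defaultdict(lambda: {"remote": None, "auth": None, "mail_from": None, "rcpts": []})
    for row in csv.reader(StringIO(text)):
        if len(row) < 9 or row[0].startswith("#"):
            continue  # skip #Fields/#Date header lines and malformed rows
        rec = dict(zip(FIELDS, row))
        s = sessions[rec["session"]]
        s["remote"] = rec["remote"].rsplit(":", 1)[0]  # drop the source port
        data = rec["data"]
        if rec["event"] == "*" and rec["context"] == "authenticated":
            s["auth"] = data  # e.g. DOMAIN\MAILBOXSERVER$ for an Exchange server account
        elif rec["event"] == "<" and data.upper().startswith("MAIL FROM:"):
            s["mail_from"] = _angle_addr(data)
        elif rec["event"] == "<" and data.upper().startswith("RCPT TO:"):
            s["rcpts"].append(_angle_addr(data))
    return dict(sessions)

def null_sender_sessions(text):
    """Sessions submitted with MAIL FROM:<>, i.e. bounce/NDR traffic worth reviewing."""
    return [(sid, s["remote"], s["auth"], s["rcpts"])
            for sid, s in parse_sessions(text).items() if s["mail_from"] == ""]
```

Run it over the full protocol log directory and the remote IP plus authenticated identity tells you which server actually submitted each null-sender message, which is the next step the replies below ask about.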
If the sender is blank it is probably NDR spam. Do you have recipient validation enabled? If not, then you should do, as it will stop NDR spam in its tracks.
http://exchange.sembee.info/2007/hub/filter-unknown.asp
Simon.
Simon Butler, Exchange MVP
May 16th, 2011 5:26pm
On Mon, 16 May 2011 14:34:02 +0000, Andrew J Palmer wrote:
>
>
>Hi all,
>
>Currently have an issue with a customer who has a number of spam emails sat in their Outbound Queue. Can't see anything obvious so far and at a guess think it's possibly a user's account that's the cause. The following is what I believe to be one of the emails. It shows the sender is blank...
It's a NDR. Do you have recipient filtering enabled? Do you refuse to
accept e-mail with SMTP addresses that don't exist in your AD forest?
The fact that the local and remote IP addresses are both in the same
private network is suspicious. Is it your intention to accept SMTP
e-mail from 10.61.168.13? Are both of those machines Exchange HT
servers?
[ snip ]
>The Default Receive Connector permission groups are set to allow everyone to connect which seems typical when comparing it to other clients (Apart from "Partners").
>
>Is there any other way of figuring out where these emails are coming from? Im not even sure if these could be NDR spam?
It would help to know which IP address belongs to what machine. If
they're both HT servers then you need the log files from the one
that's sending the messages. Don't forget the message tracking logs
and the "SUBMIT" event. If the message originates from a MAPI/RPC
client there won't be anything in the SMTP log file for the
submission.
---
Rich Matheisen
MCSE+I, Exchange MVP
May 16th, 2011 10:05pm
Thanks Sembee. I'll take a look at this.
Rich, 10.61.168.13 is an Exchange with the Mailbox, CAS and HT roles. 10.61.168.26 is an Exchange with just the HT role. Email transactions to the outside world will be done by 10.61.168.26. I'll take a look at the first suggestion and
continue investigation should this issue persist.
May 17th, 2011 4:06am
Sembee's response resolved this issue for me.
Thanks.
May 23rd, 2011 5:48am