Forefront Protection 2010 for Exchange Server marking most spam SCL -1 and letting it pass

We have FP 2010 (v 11.0.713.0) for Exchange Server 2010 (both reside on the same box if that matters). Sometime in the last couple of months, the amount of spam getting through skyrocketed. Of course, to me, that would indicate some change somewhere. I haven't been able to track it down. I've read numerous posts here and tried a variety of things, but I simply can't get it to stop. Granted, I'm neither an Exchange superadmin nor an FPE master of trade, so bear with me please.

First thing I noticed was that a TON of spam was coming from domains constructed with a variety and combination of underscores and hyphens. I created a sender-domain filter list to handle that and it seems to be working. I'm filtering for:

*__*@*,*___*@*,*\-\-*@*,*\-\-\-*@*,*_*_*@*,*\-*\-*@*

Now, for the rest of the spam getting through. To me, it would seem like very obvious stuff like: How Oprah Lost <howoprahlost@fractal234.popsexybody.com>. From what I understand and what I'm reading, it appears that the spam getting through is all getting marked with an SCL -1. Here is an example header:

Received: from fractal234.popsexybody.com (38.121.76.5) by
 email.OURDOMAIN.com (192.168.44.3 THIS IS OUR LAN IP FOR THE EXCH SERVER) with Microsoft SMTP Server id
 14.1.438.0; Wed, 11 Feb 2015 10:47:44 -0500
Date: Wed, 11 Feb 2015 08:54:33 -0700
Bien-Nial: 20200355b59f97bc2b1d6e41931dc765426d132b
To: <myemail@OURDOMAIN.com>
Bis-Marck: b59f97bc2b1d6e41931dc765426d132b
From: How Oprah Lost <howoprahlost@fractal234.popsexybody.com>
Content-Type: multipart/alternative; boundary="20200355"
MIME-Version: 1.0
Subject: How Oprah Dropped 4 Sizes. Special 30% Off Today.
Moun-Ting: 7067031b59f97bc2b1d6e41931dc765426d132b
Message-ID: <b59f97bc2b1d6e41931dc765426d132b.7067031.20200355@fractal234.popsexybody.com>
Return-Path: howoprahlost@fractal234.popsexybody.com
X-MS-Exchange-Organization-AuthSource: OUREXCHANGESERVERNAME.SUBDOMAIN.OURDOMAIN.COM
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: fractal234.popsexybody.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (OUREXCHANGESERVERNAME.SUBDOMAIN.OURDOMAIN.COM:
 howoprahlost@fractal234.popsexybody.com does not designate permitted sender
 hosts)
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-Antispam-Report: v=2.1 cv=OO4eg0qB c=1 sm=1 tr=0
 a=qCJGFVaA1fzaSxQ8zXb7tw==:117 a=qCJGFVaA1fzaSxQ8zXb7tw==:17
 a=KdRuVOa1AAAA:8 a=XfBrk5rWAAAA:8 a=0HtSIViG9nkA:10 a=r62mKx9POPts6foioEEA:9
 a=4XpI_ubEG0oA:10 a=aPfxTJr7Be4A:10 a=gd2f-1C48sYA:10 a=NAJQqCe1gegA:10
 a=cCZQZXtQNuk4Tf_iH0EA:9 a=FMzNQcTTHvZ4kECS:21 a=QEXdDO2ut3YA:10
 a=_W_S_7VecoQA:10 a=K-FqxdBlMCgA:10;OrigIP:38.121.76.5;SCL:-1
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0

ANY help would be greatly appreciated!

February 11th, 2015 4:09pm

Hi,

The most common reason we do not filter spam in FPE is that we honor the ms-exch-bypass-anti-spam permission on connectors.

The most common scenario is that the bypass is enabled for anonymous connections.

This is simple to fix with some PowerShell commands to remove the permissions from the connectors.

FPE issue where all spam is missed

Best Regards,

Joyce

February 12th, 2015 9:19am
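As an added example (not from Joyce's reply or from the FPE documentation), this is the kind of Exchange Management Shell check the reply is describing: list every receive connector that grants the ms-Exch-Bypass-Anti-Spam extended right, and remove it only where it is granted to anonymous senders. The right appears in the ExtendedRights field of Get-ADPermission output, so that field is selected explicitly. Connector names and the -WhatIf guard are assumptions for illustration; internal connectors used by Exchange servers themselves are left alone.

```powershell
# Added example: audit receive connectors for the anti-spam bypass right.
# Run in the Exchange Management Shell on the Hub Transport server.

$bypassRight = "ms-Exch-Bypass-Anti-Spam"
$anonymous   = "NT AUTHORITY\ANONYMOUS LOGON"

# 1. Report: which connectors grant the bypass right, and to whom.
#    ExtendedRights is the field that names the right; AccessRights only
#    says {ExtendedRight}, which is why the audit must look one field deeper.
$findings = Get-ReceiveConnector |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -and ($_.ExtendedRights -like $bypassRight) } |
    Select-Object Identity, User, Deny, IsInherited, ExtendedRights

if (-not $findings) {
    Write-Host "No receive connector grants $bypassRight; the SCL -1 stamp comes from elsewhere."
} else {
    $findings | Format-Table -AutoSize
}

# 2. Remediate: strip the right only where it is an Allow for anonymous callers.
#    -WhatIf shows what would change; remove it once the list above is verified.
$findings |
    Where-Object { $_.User -eq $anonymous -and -not $_.Deny } |
    ForEach-Object {
        Remove-ADPermission -Identity $_.Identity -User $_.User `
            -ExtendedRights $bypassRight -Confirm:$false -WhatIf
    }
```

If the report is empty, as in the output posted later in this thread, the bypass permission is not the cause and the next place to look is how FPE itself stamps the SCL and whether the Exchange content filter is still enabled.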

Thanks for the reply, but that is something I've tried. When I run the commands on each connector returned, nowhere do I get the bypass permissions. EXAMPLE:


User                : NT AUTHORITY\ANONYMOUS LOGON
Identity            : CAS-EXCH\Internal
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : NT AUTHORITY\ANONYMOUS LOGON
Identity            : CAS-EXCH\Internal
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : NT AUTHORITY\ANONYMOUS LOGON
Identity            : CAS-EXCH\Internal
Deny                : False
AccessRights        : {GenericRead}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType : ms-Exch-Public-MDB
InheritanceType     : Descendents

User                : NT AUTHORITY\ANONYMOUS LOGON
Identity            : CAS-EXCH\Internal
Deny                : False
AccessRights        : {GenericRead}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType : ms-Exch-Private-MDB
InheritanceType     : Descendents

There are 4 connectors (internal, internet, printers, servers) and each one returns similar results. I see the line "AccessRights        : {ExtendedRight}" but I don't see the ExtendedRight identified anywhere like in the example page.

February 12th, 2015 12:45pm

Any additional help or suggestions would be greatly appreciated. I'm dying with the amount of spam getting through.

thanks!

February 17th, 2015 3:11pm

Same problem on Exchange 2007. Not an access rights problem either. Seems to be coming from the MS Anti-Spam providers with the -1 already.
February 20th, 2015 3:34pm

Not that I'm glad you are having the same issue, but maybe with some added traffic, we'll get a response on how to address it.
February 20th, 2015 3:39pm

I was hoping the same. Apparently not.
March 9th, 2015 5:04pm

Hey contento, have you seen this?

https://support.microsoft.com/en-us/kb/2276432

Going to give this a try tonight. Also I am running FPE 2010 Rollup 3 - installing Rollup 4 as well.

March 18th, 2015 12:37pm

So if I'm reading that correctly, that will have FPE assign a value of SCL 0 to all messages deemed to be NOT SPAM. Then Exchange's spam filter will at least have an opportunity to scan them as well, correct?

If that is the case, you have to re-enable the spam filter in Exchange because if I remember correctly, it's disabled by default when you install FPE.

Let me know if you have any luck.

March 19th, 2015 8:16am
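As an added example, not from either poster, this is how the follow-up step in the previous post can be verified from the Exchange Management Shell once FPE stops stamping -1: confirm the Content Filter Agent is installed and enabled, enable the content filter configuration, and set the SCL thresholds the filter acts on. It assumes the Exchange 2010 anti-spam agents have been installed on the Hub Transport role (Install-AntispamAgents.ps1 from the Exchange Scripts folder); the threshold values are illustrative, not recommendations from the thread.

```powershell
# Added example: re-enable and verify Exchange's own content filter.
# Assumes the Exchange 2010 anti-spam agents are installed on Hub Transport.

# 1. The agent itself must exist and be enabled; agent changes take effect
#    after the Microsoft Exchange Transport service is restarted.
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq "Content Filter Agent" }
if (-not $agent) {
    throw "Content Filter Agent is not installed; run Install-AntispamAgents.ps1 first."
}
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity "Content Filter Agent"
    Restart-Service MSExchangeTransport
}

# 2. The content filter configuration must be enabled for external mail.
$cfg = Get-ContentFilterConfig
if (-not $cfg.Enabled) {
    Set-ContentFilterConfig -Enabled $true
}
Set-ContentFilterConfig -ExternalMailEnabled $true

# 3. Thresholds (illustrative): reject at SCL 7 and above, delete at SCL 9.
#    Exchange requires delete > reject > quarantine when several are enabled.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7 `
                        -SCLDeleteEnabled $true -SCLDeleteThreshold 9

# 4. Messages below the reject threshold but at or above the org-wide junk
#    threshold are routed to the user's Junk E-mail folder instead of the inbox.
$org = Get-OrganizationConfig
Write-Host "Organization SCLJunkThreshold: $($org.SCLJunkThreshold)"

# 5. Show the effective settings so the change can be confirmed.
Get-ContentFilterConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled,
    SCLRejectEnabled, SCLRejectThreshold,
    SCLDeleteEnabled, SCLDeleteThreshold,
    SCLQuarantineEnabled, SCLQuarantineThreshold
```

With the filter enabled, a message that FPE passes at SCL 0 is rescored by the content filter, and its X-MS-Exchange-Organization-SCL header should no longer read 0 or -1 for obvious spam; a header that still shows 0 after this change means the content filter never ran on the message.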

So spam is coming in with SCL 0 now...but is still going to mailboxes. You are probably right that I need to look into enabling Exchange spam filters again.

Didn't do the hotfix last night - scheduled for this weekend.

March 19th, 2015 5:14pm

Updated FPE. Nothing's fixed. Spam is just coming in as SCL 0 now.

I thought it was a little better over the weekend, but apparently the spammers have off too. It's ramped back up to annoying levels since Monday.

I'm stuck - obviously I should be looking for an FPE replacement immediately (it's EOL at end of 2015 anyways). But my company was just purchased by another, and I can't get another anti-spam purchase OK'ed because we are transitioning to their mail servers in the next 6-9 months anyways.

March 24th, 2015 10:58am
