Exchange 2007 / 2010 Queues Filling Up With Postmaster Mail to Invalid Domains

If you have an Exchange 2007 / 2010 Server and you notice that your queues are filling up with mail for domains that do not seem to be going anywhere and no-one internally has emailed those domains, you need to check to see who it is that is sending these emails.

Open up the Exchange Management Console, then click on the Toolbox, Open the Queue Viewer and then double-click onto a queue that is for a domain that you don’t recognise.

If you see as the Sender, then your server is sending out Non-Delivery Reports back to emails that are received at your server for recipients that don’t exist.

To check your server configuration, please open the Exchange Management Shell and type in the following:

get-recipientfilterconfig | ft RecipientValidationEnabled

You will most likely see the result showing as False, meaning that your server is not filtering Recipients on your server.

The problem with this is that if your server accepts all messages, then tries to deliver them, realises that some are destined for email addresses that don’t exist, your server becomes responsible for sending back a Non-Delivery Report. Now suppose that the email is spam and that the spammer has made-up the sender address. Your server will then be sending a Non-Delivery Report back to either an invalid email address, a valid email address for which the recipient had not sent the email in the first place, or worst of all, a honeypot email address (one that has never been advertised but has been hidden for spammers to find) designed to trap spam mail. If an NDR email arrives at a honeypot address, YOUR mail server will end up getting blacklisted on such sites as Backscatterer.org, causing you problems sending mail to some domains.

How to fix this problem?

Well, if you have an Edge Transport server, simply run the following command in the Exchange Management Shell:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

This simple command will tell your Exchange server to check the Recipient email address for any inbound email and if the address does not exist on the Exchange Server, it will immediately reject the message, resulting in the sending server becoming responsible for sending a Non-Delivery Report.

If you don’t have an Edge Transport Server – only a Hub Transport Server, you will need to install the Anti-Spam Agents by running the following comand in the Exchange Management Shell:

Exchange 2007:

Install-AntiSpamAgents.ps1

Then, run the above command also in the Exchange Management Shell:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

Exchange 2010:

Read the following article for how to install the Anti-Spam agents:

http://technet.microsoft.com/en-us/library/bb201691.aspx

then run the Set-RecipientFilterConfig command.

If you find that you have not got Recipient Filtering enabled and have to Enable it by using the command above, please pay a visit to MXToolbox, enter your Mail Server’s IP Address and see if you are Blacklisted on Backscatterer.org (or any other blacklist sites for that matter) and request de-listing if you have fixed the problem.

Advertisements

Prevent Spam Mail From Your Own Domain in Exchange 2007

One of the biggest bug-bears with spam is the spam that comes from (or supposedly comes from) random_username@yourdomain.com or even your_username@yourdomain.com. This is known as spoofed mail and is a common technique that spammers use to try to get mail past Anti-Spam software.

From the Anti-Spam logs on my own server in the last 24-hours, I have received 1,974 emails (out of 17,432 in total) where the sender domain matched the recipient domain. This is about 11.3% of all mail that hit my server, so it is a relatively large problem. Factor that up to a year’s worth of mail and you get 720,510 a year.

To prevent this from happening, you simply need to remove a specific permission that allows anonymous senders to use your internal domain names in the Mail From section of an email. If anyone tries to do this (anonymous users only) they will receive a “550 5.7.1 Client does not have permissions to send as this sender” message.

The syntax to remove the permission should be entered as follows in the Exchange Management Console:

Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

(You need to change the “My Internet Receive Connector” part in the above syntax)

Having run this command successfully, test using Telnet to your mail server from an external computer and see what happens if you try to send mail as one of your internal domain names. You should receive the 550 5.7.1 Message.

N.B. To put the permission back (in case you need to), please run the following:
Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Add-ADPermission

If you have internal photocopiers and other hardware that needs to relay via your Exchange 2007 server and you cannot configure them with a username / password, then removing the above permissions will prevent you from relaying and will cause you problems.

How to prevent Spoofed Emails in Exchange 2003

Spammers use all type of techniques to get their rubbish through to you and one technique that they use is called spoofing, whereby they forge the sender address and use your own email address, or someone@yourdomainname.com as the sender address.

There are various ways to combat this and in Exchange 2003, you can do the following:

  • Setup Sender Filtering to stop inbound emails that are supposedly from your own domain name.
  • Setup Tarpitting to slow down spammers who try to determine the email addresses that are sitting on your Exchange server.
  • Setup a Sender Policy Framework (SPF) record for your domain.
  • Setup Sender ID filtering to check SPF records for inbound email and reject ones that fail.
  • Setup Recipient Filtering (won’t solve the spoofing problem, but it is highly recommended to set this up too)

To set these various Anti-Spam techniques up, you should first check that you are using Exchange 2003 Service Pack 2 by opening up Exchange System Manager, expanding Servers, then click onto your server and then right-click on your server and choose properties.

The screen that follows should advise you what Service Pack your Exchange Server is on.  If it does not say Service Pack 2, please visit the following link to download and install it:

http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

If you are already on Exchange 2003 Service Pack 2, then please review the following articles to setup the various Anti-Spam techniques:

Once you have setup the above, you should be free from spoofed emails claiming to come from anyone@yourdomain.com or from your own email address to yourself!

As an alternative to the above, you could simply install some Anti-Spam software and one product that I have been using recently after being recommended it by a Microsoft Exchange MVP is Vamsoft ORF which is currently priced at $239 per server and has drastically reduced the amount of spam that I have been receiving and now my customers who also have Vamsoft, have also seen a dramatic reduction in their spam levels too.  Their website is www.vamsoft.com.

Vamsoft ORF 4.4 Released

The latest incarnation of Vamsoft ORF has been released:

http://bit.ly/biaXTC

Vamsoft 5.0 will be released in Q2 2010 and 4.4 is only an interim release providing support for Exchange 2010, IIS6 SMTP Service for Windows Server 2008/2008 R2 and a blacklist update for Spamhaus CSS.

Why are my Outbound Queues Filling up with Mail that we didn’t send?

If your emails are building up on your Exchange 2003 server and you don’t recognise any of the destination address then you have got a problem and need to resolve it.   To work out what your problem is, please double-click into one of the unknown domain name queues, then click on the Find Now button and then double-click into one of the messages that are returned.

Look at the sender of the message.  If the sender is postmaster@yourdomain.com, you are suffering from a Non Delivery Attack.  If the sender is a random user not in your organisation, then you are suffering from an Authenticated Relay attack.

Non Delivery Attack:

To prevent a Non-Delivery Attack, please turn on Recipient Filtering to reject recipients not in your organisation:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

The reason for this is that you are currently accepting messages for anyone at yourcompany, even made up names.  If the recipient does not exist, your server is sending a Non-Delivery Report back to the sending email address and as spammers usually make up the sender address, the email message will not be able to go anywhere as the domain is invalid.  Some of the email addresses that spammers use will be valid email addresses and thus some Non-Delivery report mail will get sent out to people who did not send an email to you in the first place and they will potentially report you as a spammer.  Mail of this type is known as Backscatter and this can get you Blacklisted.  Please see  http://en.wikipedia.org/wiki/Backscatter_(e-mail) for more details.

If you also turn on Recipient Filtering, your server will reject recipients that are not setup on your server and the sending mail server will be responsible for sending a Non Delivery Report, not your server, thus shifting the problem back onto the spammer – http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

Another tool that you can use to slow down spammers is to implement something called Tarpitting which forces a delay into the mail-flow process for anyone sending mail to an invalid address on your server.  This means that anyone targetting your server will spend lots of time waiting for a response from your server, slowing them down – http://support.microsoft.com/kb/842851

Authenticated Relay Attack:

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).

Cleanup:

A really useful tool to help clear up the queues very quickly is Aquadmcli.exe which can be downloaded from ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

Once downloaded – run from a command prompt and then use the following commands to empty the queue based on the sender address:

delmsg flags=sender,sender=sender@domain.com

To delete ALL messages in your queues, type the following:

delmsg flags=all

A good document to help you cleanup if you don’t like the above idea is – http://www.amset.info/exchange/spam-cleanup.asp

Once you have cleaned up – please return the logging level back to None.