Exchange server receiving tons of spam even with port blocked
  • Exchange server receiving tons of spam even with port blocked

    I have my server running through Spam Soap.
    The firewall is set to only allow connections from the Spam Soap IPs on port 25.
    I turned on the connection filter to allow from Spam Soap IPs only.

    I am still receiving spam; these are some header examples from the spam messages. Can you give me some ideas how to stop this and where it's coming from? Seems like a lot come from a .ru address.


    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Received: from mail pickup service by plattsrv.PlattSecurity.local with
    Microsoft SMTPSVC; Fri, 1 Jul 2011 04:52:59 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----_=_NextPart_009_01CC37E5.6C3EDF80"
    Received: from 64.49.152.136.netsatx.net ([64.49.152.136]) by
    plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 16
    Jun 2011 04:52:43 -0700
    Content-Class: urn:content-classes:message
    Subject: =?utf-8?B?0KPRgdGC0LDQvdC+0LLQutCwINC60L7QvdC00LjRhtC40L7QvdC10YDQvtCyIA==?=
    =?utf-8?B?0LIg0JzQvtGB0LrQstC1INCT0LDRgNCw0L3RgtC40Lg=?=
    Date: Thu, 16 Jun 2011 04:55:53 -0700
    Message-ID: <[email protected]>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: =?utf-8?B?0KPRgdGC0LDQvdC+0LLQutCwINC60L7QvdC00LjRhtC40L7QvdC10YDQvtCyIA==?=
    =?utf-8?B?0LIg0JzQvtGB0LrQstC1INCT0LDRgNCw0L3RgtC40Lg=?=
    Thread-Index: Lzu9BR4dta545Y432QICmq045Jkw7A==
    From: =?utf-8?B?0JXQstCwINCa0L7QvdC+0LLQsNC70L7QstCw?= <[email protected]>
    To: Chris Souza <[email protected]>


    ==================================================================


    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Received: from mail pickup service by plattsrv.PlattSecurity.local with
    Microsoft SMTPSVC; Fri, 1 Jul 2011 05:47:08 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----_=_NextPart_008_01CC37EC.FCCCEE00"
    Received: from 77.79.166.82.static.ufanet.ru ([77.79.166.82]) by
    plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 16
    Jun 2011 05:46:41 -0700
    Content-Class: urn:content-classes:message
    Subject: =?utf-8?B?0KHQldCgVNCY0KTQmNCa0JDQotCrINCe0KIgMSDQlNCd0K8=?=
    Date: Thu, 16 Jun 2011 05:49:47 -0700
    Message-ID: <52184-1650-T[email protected]service-pk.ru}>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: =?utf-8?B?0KHQldCgVNCY0KTQmNCa0JDQotCrINCe0KIgMSDQlNCd0K8=?=
    Thread-Index: AcwsI3EuCPwZPCOBQjC/6n57dlzCCA==
    From:
    "=?utf-8?B?0KbQldCd0KLQoCDQodCV0KDQotCY0KTQmNCa0JDQptCY0Jgg0Jgg0K3QmtCh?=
    =?utf-8?B?0J/QldCg0KLQmNCX0Ks=?=" <[email protected]>
    To: Chris Souza <[email protected]>
    Reply-To:
    "=?utf-8?B?0J7QoNCT0JDQnSDQn9CeINCh0JXQoNCi0JjQpNCY0JrQkNCm0JjQmCAo0JxP0KE=?=
    =?utf-8?B?0JrQktCQKQ==?=" <[email protected]>
    ==================================================================

  • #2
    Re: Exchange server receiving tons of spam even with port blocked

    The emails that you have posted are two weeks old. That would tend to point to something still processing the email.
    The top line about going through the mail pickup service means the message has been reprocessed by Exchange.

    Do you see your Spam Soap server in the headers?

    The fact that they have .ru in the headers can be ignored. Spam To, From and CC are always spoofed.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Exchange server receiving tons of spam even with port blocked

      Yeah, I noticed that they were dated earlier as well.
      No, the Spam Soap headers are not showing.



      • #4
        Re: Exchange server receiving tons of spam even with port blocked

        I found they previously had Policy Patrol on the system.
        I disabled the services and uninstalled the program; I am going to monitor now.



        • #5
          Re: Exchange server receiving tons of spam even with port blocked

          macky4546, in your two examples the first hop of the message is your mail host accepting a message from 64.49.152.136:

          Received: from 64.49.152.136.netsatx.net ([64.49.152.136]) by
          plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 16
          Jun 2011 04:52:43 -0700

          The RDNS of the IP is:

          Reverse DNS for 64.49.152.136
          Location: United States [City: Hauppauge, New York]

          Preparation:

          The reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.

          So, the reverse DNS entry for 64.49.152.136 is found by looking up the PTR record for

          136.152.49.64.in-addr.arpa.

          All DNS requests start by asking the root servers, and they let us know what to do next.

          See How Reverse DNS Lookups Work for more information.

          How I am searching:

          Asking h.root-servers.net for 136.152.49.64.in-addr.arpa PTR record:

          h.root-servers.net says to go to v.arin.net. (zone: 64.in-addr.arpa.)

          Asking v.arin.net. for 136.152.49.64.in-addr.arpa PTR record:

          v.arin.net [63.243.194.2] says to go to ns2.netsatx.net. (zone: 152.49.64.in-addr.arpa.)

          Asking ns2.netsatx.net. for 136.152.49.64.in-addr.arpa PTR record: Reports 64.49.152.136.netsatx.net. [from 207.241.160.34]

          Answer:

          64.49.152.136 PTR record: 64.49.152.136.netsatx.net. [TTL 3600s] [A=None] *ERROR* There is no A record for 64.49.152.136.netsatx.net. (may be negatively cached).

          In this example, the message was delivered directly to your mail server.



          • #6
            Re: Exchange server receiving tons of spam even with port blocked

            The second example shows the same: the message was delivered directly to your domain.

            Example two, first hop of the message:


            Received: from 77.79.166.82.static.ufanet.ru ([77.79.166.82]) by
            plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 16
            Jun 2011 05:46:41 -0700

            Reverse DNS for 77.79.166.82
            Location: Russian Federation (high) [City: Ufa, Bashkortostan]

            Preparation:

            The reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.

            So, the reverse DNS entry for 77.79.166.82 is found by looking up the PTR record for

            82.166.79.77.in-addr.arpa.

            All DNS requests start by asking the root servers, and they let us know what to do next.

            See How Reverse DNS Lookups Work for more information.

            How I am searching:

            Asking d.root-servers.net for 82.166.79.77.in-addr.arpa PTR record:

            d.root-servers.net says to go to sec1.apnic.net. (zone: 77.in-addr.arpa.)

            Asking sec1.apnic.net. for 82.166.79.77.in-addr.arpa PTR record:

            sec1.apnic.net [202.12.29.59] says to go to ns2.ufanet.ru. (zone: 166.79.77.in-addr.arpa.)

            Asking ns2.ufanet.ru. for 82.166.79.77.in-addr.arpa PTR record: Reports 77.79.166.82.static.ufanet.ru. [from 81.30.199.67]

            Answer:

            77.79.166.82 PTR record: 77.79.166.82.static.ufanet.ru. [TTL 43200s] [A=77.79.166.82]

            So, on the 16th of June 2011, at the time of delivery for these two examples, either there was a set of MX records that directed these messages to your mail server and/or your firewall was not locked down as you stated.

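The check that posts #2, #5 and #6 perform by hand, as an added example that is not code from the thread or from any of the posters: read a message's Received: chain, find the hop that actually handed the message to the Exchange server, build the in-addr.arpa name you would query for its PTR record, flag the "mail pickup service" re-injection Simon describes, and report whether the first hop is one of the filtering service's relays. The two sample header sets are the ones posted in the thread, trimmed to the Received: lines; the third sample, the host name relay1.filter.invalid and the ALLOWED_RELAYS range (203.0.113.0/24, a documentation range) are constructed placeholders, not Spam Soap's real addresses.

```python
"""Added example (not code from the thread): walk a message's Received: chain,
find the hop that handed it to Exchange, build the in-addr.arpa name for its
PTR lookup (posts #5 and #6), and flag mail whose first hop is not one of the
filtering service's relays.  Runs offline on the headers posted above."""
import ipaddress
import re

# Constructed samples: the thread's two Received: chains, trimmed to the lines
# this example needs; folded continuation lines keep their leading space.
SAMPLE_HEADERS_1 = """\
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from mail pickup service by plattsrv.PlattSecurity.local with
 Microsoft SMTPSVC; Fri, 1 Jul 2011 04:52:59 -0700
MIME-Version: 1.0
Received: from 64.49.152.136.netsatx.net ([64.49.152.136]) by
 plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 16
 Jun 2011 04:52:43 -0700
"""
SAMPLE_HEADERS_2 = """\
Received: from mail pickup service by plattsrv.PlattSecurity.local with
 Microsoft SMTPSVC; Fri, 1 Jul 2011 05:47:08 -0700
Received: from 77.79.166.82.static.ufanet.ru ([77.79.166.82]) by
 plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 16
 Jun 2011 05:46:41 -0700
"""
# Constructed "good" case with a hypothetical relay inside the allowed range.
SAMPLE_HEADERS_OK = """\
Received: from relay1.filter.invalid ([203.0.113.10]) by
 plattsrv.PlattSecurity.local with Microsoft SMTPSVC(6.0.3790.4675); Fri, 1
 Jul 2011 06:00:00 -0700
"""
# ASSUMED placeholder for the filtering service's published relay ranges
# (TEST-NET-3, RFC 5737); replace with the ranges your vendor publishes.
ALLOWED_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]

_RECEIVED_RE = re.compile(r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.I)
_BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(value):
    """Split one Received: value into its 'from' clause, the bracketed IP the
    MTA saw on the socket (None if absent) and the 'by' host."""
    m = _RECEIVED_RE.match(value)
    if not m:
        return {"from": None, "ip": None, "by": None}
    ip = _BRACKET_IP_RE.search(m.group("from"))
    return {"from": m.group("from"), "ip": ip.group(1) if ip else None,
            "by": m.group("by")}

def received_hops(raw):
    """Received: headers in header order, newest hop first."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            hops.append(parse_received(value.strip()))
    return hops

def first_hop(raw):
    """The hop that delivered the message to our server.  MTAs prepend
    Received: headers, so the bottom-most one carrying a connecting IP is the
    earliest hop we can trust; anything the sender wrote below it is hearsay."""
    for hop in reversed(received_hops(raw)):
        if hop["ip"]:
            return hop
    return None

def was_reprocessed(raw):
    """True when a 'mail pickup service' hop is present: something on the
    Exchange box re-injected the message, as post #2 points out."""
    return any((h["from"] or "").lower().startswith("mail pickup service")
               for h in received_hops(raw))

def reverse_name(ip):
    """Owner name for the PTR query in post #5: octets reversed under
    in-addr.arpa.  Cross-checked against the stdlib's own computation."""
    addr = ipaddress.IPv4Address(ip)
    name = ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    assert name == addr.reverse_pointer + "."
    return name

def came_via_filter(raw, allowed=ALLOWED_RELAYS):
    """False when the first hop is not one of the filter's relays, which is
    what both samples in the thread show."""
    hop = first_hop(raw)
    return hop is not None and any(
        ipaddress.ip_address(hop["ip"]) in net for net in allowed)
```

For the two thread samples `first_hop` returns 64.49.152.136 and 77.79.166.82, `came_via_filter` is False for both, and `was_reprocessed` is True for both; `reverse_name("64.49.152.136")` gives the `136.152.49.64.in-addr.arpa.` name post #5 walks through. The script only builds that name so it runs offline; `dig -x 64.49.152.136` (or `nslookup 64.49.152.136`) performs the actual PTR query. A first hop outside the filter's ranges means the message never passed through the filter, which narrows the cause to the MX records or firewall (post #6) or to something on the box re-injecting old mail (post #4).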


            • #7
              Re: Exchange server receiving tons of spam even with port blocked

              Have you tried to contact Spam Soap for assistance?
              Last edited by DuceDuce; 1st July 2011, 19:00.

