Scan Outgoing Mails for Spam

By ReMad
in Smart Home, Network & Security

 Share

Recommended Posts

Mentor

ReMad

Posted
Posted

Hello

I am Facing some problem with Exchange 2003 being listed sometimes on some Spam checking sites even the Network is secured with Fortinet + Symantec Antiviruses

the Problem is that Fortinet scanns coming mails but not the out mails for spam

the Server is the only one can access the Smtp

is there any free tools or tools with good price to scan the outgoing mails and solve that issue ?

Thank You

Link to comment
https://www.neowin.net/forum/topic/873020-scan-outgoing-mails-for-spam/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Its rare that a client infection actually uses it email client to send email.. Off the top of the head I can not think of one that does this.. Normally a client infection will send attempt to directly send email, it doesn't go through the email client on the box to send the mail. This is too easy to track!!

I find it highly unlikely that your clients being infected and sending email through your exchange server is the problem to be honest. But if thats the case I would hope that your goal would be to clean the infected machines vs scanning for outgoing spam.

To be honest is more likely that your server is an open relay than your clients being infected - and thats how its getting placed on spam lists. Or if you server is sharing an IP with clients - then sure you IP could be listed due to a clients infection.

Could you explain a bit more about this statement

"the Server is the only one can access the Smtp"

How does email work in your setup.. So your client talk to your server to send mail, the server sends it directly to the other domains, or do you forward your mail to a isp smtp server? So which IP is getting blocked and what mail list?

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

put a sniffer on your network between your internet gateway and your switch where it connects. find out everything that is communicating on port 25 and monitor the blacklist sites to see when it happened last. don't have them take you off until you have verified where the spam is coming from. pretty easy to determine if you have an exchange server and someone else is sending on port 25 (no one should be other than the exchange server). I would consider GFI's mail essentials or a barracuda spam firewall at your next renewal date and dump your current spam solution (I would go with the barracuda hardware appliance vs a piece of software that you have to load on another device or on your exchange server).

Enthusiast

MrTwister

Posted
Posted

Hello

I am Facing some problem with Exchange 2003 being listed sometimes on some Spam checking sites even the Network is secured with Fortinet + Symantec Antiviruses

the Problem is that Fortinet scanns coming mails but not the out mails for spam

the Server is the only one can access the Smtp

is there any free tools or tools with good price to scan the outgoing mails and solve that issue ?

Thank You

You should be able to contact the offending websites and get them to validate that the e-mail being sent is actually valid.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

So you want him to email the sites blacklisting him and tell them his not sending spam? So they will remove him from the blacklist.

The problem is -- maybe he is ;)

edit: let me reword that -- if he is blacklisted its not "maybe" he is -- it pretty freaking likely that spam is being sent from his IP. If it was not, then he would not be on a blacklist ;)

Enthusiast

MrTwister

Posted
Posted

So you want him to email the sites blacklisting him and tell them his not sending spam? So they will remove him from the blacklist.

The problem is -- maybe he is ;)

edit: let me reword that -- if he is blacklisted its not "maybe" he is -- it pretty freaking likely that spam is being sent from his IP. If it was not, then he would not be on a blacklist ;)

Yeah Mr. Know It All. It was just a suggestion. Which is why I suggested contacting the other ISP's.

Mentor

random_n

Posted
Posted

Exchange 2003 in the default config gets abused for NDR backscatter. Make sure you've turned on recipient filtering, filter recipients that aren't in the directory, and turn on tarpitting to prevent directory harvest attacks. Disabling attachments for NDRs is nice as well, but not as important once you aren't generating them for external recipients.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

"contacting the other ISP's. "

Again -- What?? :blink: Dude you seem not to have even the faintest idea on what the poster is even talking about.

So you suggest he contact the what hundreds, maybe 1000's of domains using said blacklist(s) And tell them to let his email in anyway even though its blacklisted for sending spam ;)

Mentor

ReMad

Posted
  • Author
Posted

Its rare that a client infection actually uses it email client to send email.. Off the top of the head I can not think of one that does this.. Normally a client infection will send attempt to directly send email, it doesn't go through the email client on the box to send the mail. This is too easy to track!!

I find it highly unlikely that your clients being infected and sending email through your exchange server is the problem to be honest. But if thats the case I would hope that your goal would be to clean the infected machines vs scanning for outgoing spam.

To be honest is more likely that your server is an open relay than your clients being infected - and thats how its getting placed on spam lists. Or if you server is sharing an IP with clients - then sure you IP could be listed due to a clients infection.

Could you explain a bit more about this statement

"the Server is the only one can access the Smtp"

How does email work in your setup.. So your client talk to your server to send mail, the server sends it directly to the other domains, or do you forward your mail to a isp smtp server? So which IP is getting blocked and what mail list?

Well , I contacted the Fortinet company and we checked the device

it needed some update and it does scan both incoming and outgoing mails and the filter is on and shouldnt send or receive any

I meant that the Port SMTP isnt allowed for the Clients

only the Mail server

and no , it is not an open relay

Today I found thousands of undelivered messages sent to ebay.org and some others ( Spam Chinese mostly :s ) from inbox of Administrator ( seems Backscatter ! )

some for long time and some for no known reason !

The Server is secured using GFI mail essentials + Symantec AV + Malwarebytes

All are updated and scanning gives no warnings !

What to do !?

Now listed on http://dnsbl.invaluement.com/ivmsip/ !

they dont reply to my emails !

what to do ?

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

my vote is still the sniffer on the network to verify where the issue is coming from. The undeliverables could just be from another computer on your network trying to email out as administrator and you recieving the undeliverables in your administrator account.

Find out what computer is sending the spam and take care of it.

Internet router---------hub---------switch

....................................|

....................................|------computer with sniffer program scanning the traffic between your main switch and the internet

....................................=just placement since the neowin forum doesn't like spaces

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

Backscatter -- you sure? Can you post up some example emails that are sitting in your admin box.

Your best bet to prevent backscatter is not send NDRs, and your exchange server should also be set to not accept any mail in the first place that is not to one of listed users.. So instead of accepting the mail and than not being able to deliver it - so you send a NDR. Give them a reject right at start.

So you disable NDRs and also turn on recipient filtering so that you only accept mail for valid email address in your domain any vs anything@yourdomain

This MS article goes over these filtering. But you can also disable sending NDRs all together. You might also want to look into using a blacklist of your own so you do not accept mail from spammers ;) And then you could prob turn NDRs back on.

http://support.microsoft.com/kb/909005

In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack

NDRs does not always mean backscatter -- If I am using your exchange server as an open relay and feeding it mail to send, then sure lots of mail is not going to be deliverable. You need to verify the source of your issue before you can fix it. Just because you have mail in the admin box since does not mean its actually back scatter spam that is being used against you.

Apprentice

AstroCreep

Posted
Posted

We have a FortiGate as our firewall/NIS/VPN/main-connector solution, and we have it configured to only allow SMTP-out from one IP address on our network. That IP address would be our Exchange server.

We ended up needing to implement that after a situation similar to what you're experiencing.

Do you have any internal MX records? I know we had to set one up for our SharePoint server. Plus there could be other systems on your network that have an SMTP engine installed (it is a simple IIS compnent, after all); someone on your network could have an engine loaded which is relaying messages, which are hitting the gateway. Allowing SMTP from one address on the FortiGate would be a great start. Then run a domain-wide virus-sweep to find & neutralize the zombie.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft will finally let you sign in to Edge with a Google account

      By monterxz · Posted

      "it opens up new doors for people who prefer using Edge, but cannot be bothered to configure a Microsoft account" You already have a Microsoft account if you are using Windows 11, because you can't set it up without one.
    • This is how much iPhone 18 Pro could cost after Apple's price hike confirmed

      By Hamid Ganji · Posted

      This is how much iPhone 18 Pro could cost after Apple's price hike confirmed by Hamid Ganji Image via Apple Apple CEO Tim Cook confirmed in a recent interview that the company may have to raise prices on some of its products due to the ongoing memory shortage. While he did not elaborate on the scale of the price hikes, new estimates suggest that Pro iPhone models could become significantly more expensive this fall. The Wall Street Journal and research firm TechInsights have come up with an educated estimate of how much the upcoming iPhone 18 Pro could cost after its launch in September. The estimate is based on current increases in memory and storage chip prices. For starters, the iPhone 18 Pro base model is expected to feature 12GB of RAM and 256GB of internal storage. According to TechInsights estimates, 12GB of DRAM for the iPhone 17 Pro cost Apple $39 last year. However, for the iPhone 18 Pro, the cost of the same amount of DRAM could soar to $145. Likewise, 256GB of flash storage that previously cost $13 could now cost around $51. Producing a base iPhone 17 Pro reportedly cost Apple around $582, but TechInsights estimates that the production cost of the iPhone 18 Pro could rise to $726. If Apple wants to maintain the roughly 47% profit margin it enjoys on the iPhone 17 Pro, the base price of the iPhone 18 Pro would need to reach $1,371. After standard pricing adjustments, customers could end up paying around $1,299 for the base model. However, that may not be the end of the story. As we previously reported, the iPhone 18 Pro is said to feature a variable-aperture lens, which could cost Apple at least 50% more than the current camera system. The estimated $1,299 price tag does not include the additional cost of this upgraded camera hardware. Once that expense is factored in, the base model could cost at least $1,399. A $1,399 price tag for the base iPhone 18 Pro would represent a significant increase over the current $1,099 starting price of the iPhone 17 Pro. If Apple wants to keep its upcoming iPhones competitive, it may need to accept lower profit margins.
    • Rockstar gives last-gen GTA V players free upgrades tomorrow

      By testman · Posted

      Oh man, but what if I have the PS3 version?
    • Floorp 12.15.0

      By Copernic · Posted

      Floorp 12.15.0 by Razvan Serea Floorp is a cutting-edge web browser that combines the trusted foundation of Mozilla's Firefox with a unique Japanese perspective, offering users an exceptional online experience. This open-source browser prioritizes privacy, customization, and security. Floorp is transparent, with no user tracking or data sharing, and it's completely open source. With a strict no-tracking policy and full transparency, your personal information remains private. As an open-source project, Floorp not only shares its source code but also its build environment, inviting users to contribute and build their unique versions. The regular updates, based on Firefox ESR, ensure that you always have the latest features and security enhancements. Floorp key features: Strong Tracking Protection: Floorp offers robust tracking protection, safeguarding users from malicious tracking and fingerprinting on the web. Flexible Layout: Customize Floorp's layout to your heart's content, including moving the tab bar, hiding the title bar, and more for a personalized browsing experience. Switchable Design: Choose from five distinct designs for the Floorp interface, and even switch between OS-specific designs for a unique look Regular Updates: Based on Firefox ESR, Floorp receives updates every four weeks, ensuring up-to-date security even before Firefox's releases. No User Tracking: Floorp prioritizes user privacy by abstaining from collecting personal information, tracking users, or selling user data, with no affiliations with advertising companies. Completely Open Source: The full source code for Floorp is open to the public, allowing transparency and enabling anyone to explore and build their own version. Dual Sidebar: Floorp features a versatile built-in sidebar for webpanels and browsing tools, making it perfect for multitasking and quick access to bookmarks, history, and websites. Flexible Toolbar & Tab Bar: Customize your browser with Tree Style Tabs, vertical tabs, and bookmark bar modifications, catering to both beginners and experts in customization. User-Centric Web Experience: Floorp prioritizes user privacy and collaboratively blocks harmful trackers. Floorp 12.15.0 changelog: Refine appearance of Start top sites and Hub sidebar by @CutterKnife in #2435 Improvement command pallete by @Walkmana-25 in #2429 Fix gesture command by @Walkmana-25 in #2425 Add Mac OS formatting for modifier keys in shortcut editor by @Walkmana-25 in #2424 refactor: bridge as little by @nyanrus in #2416 fix(pwa): follow Firefox 150 ShellService API changes (Bug 1985098) by @Ryosuke-Asano in #2409 feat(notes): Desktop向けThree-Way Merge Sync実装 by @Ryosuke-Asano in #2402 fix(pages-settings): resolve Invalid Hook Call error in SortableContext by @Ryosuke-Asano in #2350 README: fix signpath avatar url by @CutterKnife in #2453 Enhance command palette with new actions by @Walkmana-25 in #2449 feat(split-view): implement tab drop functionality with overlay and new window zone by @Ryosuke-Asano in #2445 fix: restore 'Hide Interface', 'Toggle Navigation Panel', and 'Rest Mode' keyboard shortcuts by @Ryosuke-Asano in #2458 fix: prevent unified extensions panel from closing on bottom navbar (#2079) by @Ryosuke-Asano in #2462 fix: prevent workspace system from overriding SessionStore tab selection on startup by @Ryosuke-Asano in #2461 fix: prevent multi-row tabs from disappearing when sidebar opens website by @Ryosuke-Asano in #2460 fix: prevent private container tab from saving first page to history by @Ryosuke-Asano in #2459 fix: prevent browser close when container tab is the only tab open by @Ryosuke-Asano in #2465 Resolve conflicts for #2467: Add split-view mouse gesture commands by @Ryosuke-Asano in #2472 fix(os-server): auto-generate auth token on enable by @Ryosuke-Asano in #2471 fix(settings): change broken link to Floorp Docs by @regularentropy in #2477 Enhanced search functionality in the command palette — now supports English keywords, Japanese morphological analysis, and hiragana search by @Walkmana-25 in #2470 fix(patches): align Gecko patches with Linux CI runtime by @Ryosuke-Asano in #2482 feat(pwa): add Firefox Container support for PWA apps by @Ryosuke-Asano in #2443 fix(statusbar): add event listener for buttons in status bar by @greeeen-dev in #2484 Download: Floorp 64-bit | 95.0 MB (Open Source) Links: Floorp Website | Github Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Google Gemini co-lead Noam Shazeer is leaving for OpenAI

      By pradeepviswav · Posted

      Google Gemini co-lead Noam Shazeer is leaving for OpenAI by Pradeep Viswanathan Noam Shazeer is best known as one of the co-authors of the 2017 “Attention Is All You Need” paper, which introduced the Transformer architecture that now powers most large language models. He also worked on several major Google AI projects, including LaMDA, before leaving the company in 2021 to co-found Character.AI. He also authored the Sparsely-gated Mixture of Experts (2016) paper, which is popular among the AI community. After falling behind OpenAI and Anthropic a couple of years ago, Google brought Shazeer back in 2024 as part of a major deal with Character.AI. Through this deal, along with Noam, several other researchers returned to Google DeepMind. More recently, he was a vice president of engineering at Google and a technical co-lead for Gemini. Today, Noam Shazeer announced on X that he is leaving Google and joining OpenAI. In his post, Shazeer said it was a difficult decision to move on, adding that he was proud of the Google team and what it had built together. OpenAI CEO Sam Altman welcomed the move with a post of his own, saying Shazeer was one of the people he had most wanted to work with since OpenAI’s early days. Google has made strong progress with Gemini over the past year, closing the gap with OpenAI in several areas. But losing Noam Shazeer is a major talent setback for them, especially after bringing him back less than two years ago by spending a fortune. For OpenAI, the hire adds one of the industry’s most experienced language model researchers to a team that is already pushing ahead with ChatGPT, Codex, and its next generation of frontier models.

  • Recent Achievements

    • Week One Done
      Classifyskilleducation earned a badge
      Week One Done
    • One Month Later
      eurospharma62 earned a badge
      One Month Later
    • Week One Done
      With What earned a badge
      Week One Done
    • Week One Done
      Harris Gilbert earned a badge
      Week One Done
    • One Month Later
      Vincian earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      543
    2. 2
      +Edouard
      171
    3. 3
      PsYcHoKiLLa
      84
    4. 4
      ATLien_0
      64
    5. 5
      neufuse
      64
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!