Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

mail enabled public folders getting spammed

Status
Not open for further replies.
hkxuser

hkxuser

IS-IT--Management
Jul 11, 2006
27
0
0
US
Hi all. OK here's my issue. I am running Exchange 2003 SP2. I use intelligent message filtering, recipient filtering, and I run Sunbelt Messaging Ninja (anti-spam product). Spam which is directed at user accounts is successfully blocked 99 percent of the time. We do have a few mail enabled public folders though, and for whatever reason spam gets into these folders like crazy.

Now here's the rub...our spam software never even inspects these messages because the messages are directed at email addresses that do not exist in my organization. So if my domain name is abc.com, these emails will be addressed to joeblow@abc.com, and joeblow is not a valid smtp address in my organization. How or why these things get through is beyond me, since I am using recipient filtering and these emails should be rejected immediately. A phone call to Sunbelt tech support proved fruitless, because they say I first have to figure out why these emails are getting through to my public folders in the first place.

Does anybody have a clue how I can investigate this further? I have 4 public folders which are mail enabled, and they have addresses like accounting@abc.com, sales@abc.com, etc. I've double checked these folders and they all have one valid smtp address, with no other bogus addresses associated with them. Any help would be much appreciated. Thanks!
 
Sort by date Sort by votes
Nick your message was apparently cut off. Can you repost when you have a moment? I'm still struggling with this problem and I could use some help. Thanks!
 
Upvote 0 Downvote
hkxuser said:
our spam software never even inspects these messages because the messages are directed at email addresses that do not exist in my organization.
Click to expand...

I find it hard to believe that they are not getting inspected. ALL email bound for your organization should be going through your messaging hygiene infrastructure. You need to resolve that.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Upvote 0 Downvote
I agree that it's extremely odd...nevertheless that's exactly what is happening. For whatever reason these emails apparently avoid any kind of inspection by the Exchange server, or the spam software which is running on the exchange server. It's incredibly frustrating.

I've poked around a bit more and here's what I have discovered. I have four mail enabled public folders. Only one of the four receives emails that are to bogus addresses. The other three folders will occasionally get spam, but it's addressed to the valid smtp address for that folder (it gets inspected by my spam software but still gets through). If I try to send mail from my yahoo account to the bogus email address, nothing happens. I get no bounce back (which tells me recipient filtering is working), and I do not see an email from my yahoo account in the public folder.

I have to admit I'm totally stumped so far.
 
Upvote 0 Downvote
Excellent thought, but wouldn't the internet header give that away? When I look at the header, the emails are coming from IP addresses outside my organization. Is it possible that an infected machine could fudge the header and make it appear to come from outside? I'm thinking that's not possible, but I'm no expert on the matter.
 
Upvote 0 Downvote
Just musing out loud here, but it could be that when Ninja was set up, it was provisioned by pulling a list of users and parsing their smtp addresses, rather than via a larger system dump. Maybe one of the setup options gives the installer the opportunity to exclude certain accounts/types of objects for the sake of limiting license use. I know that with some GFI products like FaxMaker and MailArchiver, people are always setting it up to exclude certain accounts to keep the license count down.

I'm 95% sure that the answer to this issue is going to be in your Ninja config, not somewhere else.

ShackDaddy
Shackelford Consulting
 
Upvote 0 Downvote
Well if you are suggesting that the public folders are excluded from scanning by Ninja, that is not the case. The public folders are indeed scanned by the Ninja product. The only requirement is that they are not hidden from the exchange address book (and in my case they are not hidden). As a matter of fact, there are many messages which have been quarantined by Ninja in the public folders. For whatever reason, there are certain messages which are "avoiding" the scan.
 
Upvote 0 Downvote
Well, are some facts for you.

Normal email boxes have a Junk Mail folder that some spam gets put in. Mail-enabled public folders do not. Therefore mail that would normally be set aside that way doesn't get routed anywhere but into the PF.

Another thing: part of the IMF's work is working with Outlook to build a safe-senders list based on who you are sending mail to, and the mail-enabled-PFs don't have this benefit. So the part of the IMF engine that blocks spam based on relationship (or your contacts list, etc.) doesn't even come into play when filtering for the PFs. It doesn't just filter more aggressively, it filters less aggressively since it doesn't have as much information to go on.

Basically, the IMF doesn't filter spam going to mail-enabled PFs.


Ninja is supposed to be able to filter spam for mail-enabled PF's but since IMF's not in the picture, you may have some get through.

ShackDaddy
Shackelford Consulting
 
Upvote 0 Downvote
Also, it could be that the PF folder address is in the BCC of the mails that are being delivered, not in the TO field, so I don't think joeblow@abc.com is really being misrouted to your PFs.

ShackDaddy
Shackelford Consulting
 
Upvote 0 Downvote
Here's a copy of a header from a spam message that slipped through.

Microsoft Mail Internet Headers Version 2.0
Received: from SEATTLE.mydomain.com ([10.10.1.3]) by Server3.mydomain.com with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 23 May 2007 11:38:41 -0700
Return-Path: <bedgrandexcif@grandex.com>
Received: from 66.45.19.31 (HELO mx02.grandex.com)
by mydomain.com with esmtp (.I*Q+(Y3RG73 (-CZ.P)
id ZUGMR7-8*+5<7-5?
for jelley@mydomain.com; Wed, 23 May 2007 18:42:25 -0100
Date: Wed, 23 May 2007 18:42:25 -0100
From: "Xavier Page" <bedgrandexcif@grandex.com>
X-Mailer: The Bat! (v3.51) UNREG / CD5BF9353B3B7091
X-Priority: 3 (Normal)
Message-ID: <628507719.98846933507418@thhebat.net>
To: jelley@mydomain.com
Subject: Melt away pounds with Anatrim
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------B8297444B821A0C5"
X-Spam: Not detected
X-OriginalArrivalTime: 23 May 2007 18:38:41.0898 (UTC) FILETIME=[961D54A0:01C79D69]

------------B8297444B821A0C5
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit

------------B8297444B821A0C5
Content-Type: text/html; charset=windows-1250
Content-Transfer-Encoding: 7bit


------------B8297444B821A0C5--



Notice that the message is never scanned by Ninja. jelley@mydomain.com is not a valid SMTP address on my server. Now compare this to a header from a legitimate email sent to me:

Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
X-Ninja-Antispam: Policy 1 - Allowed - Allowed Senders (Global) - 0,0,0 (0)
X-Ninja-AttachmentFiltering: (no action)
Received: from SEATTLE.mydomain.com ([10.10.1.3]) by Server3.mydomain.com with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 24 May 2007 12:30:41 -0700
Received: from exchange2.sunbelt-software.com ([10.2.2.25]) by exchange.sunbelt-software.com with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 24 May 2007 15:34:22 -0400
X-Ninja-PIM: Scanned by Ninja
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C79E39.BF5F381C"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: Ticket ID: 001-00-177852
Date: Thu, 24 May 2007 15:28:46 -0400
Message-ID: <5ECA7F114577634186484375514DBB5113CFD15D@hurricane.ssdcorp.net>
Thread-Topic: Ticket ID: 001-00-177852
Thread-Index: AceeOb/FeuJjqN43QdGERZ4lQ3Ulkw==
From: "Support" <support@sunbelt-software.com>
To: <myname@mydomain.com>
Return-Path: Support@sunbelt-software.com
X-OriginalArrivalTime: 24 May 2007 19:34:22.0559 (UTC) FILETIME=[87B77EF0:01C79E3A]

------_=_NextPart_001_01C79E39.BF5F381C
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------_=_NextPart_001_01C79E39.BF5F381C
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


------_=_NextPart_001_01C79E39.BF5F381C--


This next header is from a spam mail that did get detected by Ninja, and was directed at a public folder. This message was sent to a legitimate public folder SMTP address:

Microsoft Mail Internet Headers Version 2.0
X-Ninja-Antispam: Policy 1 - Quarantined - Final Score - 0,0,5180 (5180)
X-Ninja-AttachmentFiltering: (no action)
Received: from SEATTLE.mydomain.com ([10.10.1.3]) by Server3.mydomain.com with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 24 May 2007 12:00:21 -0700
Received: from antacid.kinki-kids.com (promptitude.kinki-kids.com [70.206.254.9])
by fiiqmx.net with SMTP id 3QKU8VMMOM
for <user@mydomain.com>; Thu, 24 May 2007 12:03:58 -0800
XAuthentication-Warning: P49-refractory2.YW6w.audrey.omni-host.com (ehlo revelry.geoup.com [84.1.196.176]): pb9jilt set sender to cservice.refl7253915509pp.cm@regions.com using -t
From: "Regions Bank" <cservice.ref33027589526.cm@regions.com>
To: "USER" <user@mydomain.com>
Subject: =?utf-8?Q?[PHISHING]:=20Banking=20Mail=20From=20Regions=20Bank!=20(mess=5Fid:=209017877777986)?=
XAuthentication-Warning: P49-refractory2.YW6w.audrey.omni-host.com (ehlo revelry.geoup.com [84.1.196.176]): pb9jilt set sender to cservice.refl7253915509pp.cm@regions.com using -t
User-Agent: Calypso Version 3.20.01.01 (4)
X-Mailer: Calypso Version 3.20.01.01 (4)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--7HBTOC6M.7.5MS8J7P14"
Return-Path: cservice.ref33027589526.cm@regions.com
Message-ID: <SERVER3OAkK5LqN33HF00000068@Server3.hkx.com>
X-OriginalArrivalTime: 24 May 2007 19:00:21.0431 (UTC) FILETIME=[C71C1470:01C79E35]
Date: 24 May 2007 12:00:21 -0700
X-Priority: 3

----7HBTOC6M.7.5MS8J7P14
Content-Type: text/html
Content-Transfer-Encoding: 7Bit


----7HBTOC6M.7.5MS8J7P14--


Let me know if these headers give you guys a clue as to what's going on. Thanks for all the help!
 
Upvote 0 Downvote
We have two MX records. One of them goes through our old firewall (a Sonicwall device), which then forwards via NAT to our exchange server. The other MX record points to our new firewall (checkpoint) and then forwards via NAT to our exchange server. The sonicwall device is disable at the moment, so our checkpoint box is the working firewall. The checkpoint box was put into operation about 1-2 months ago. Now it's interesting you brought this up, because the checkpoint box does have some sort of SMTP queuing running on it. When we first set up the device we had a problem with inbound mail. Mail would make it to the checkpoint box and then die there. A call to tech support resolved the issue. Could the checkpoint firewall be doing something to certain emails that enables them to slip by spam detection?
 
Upvote 0 Downvote
Is Ninja running right on your main mailserver, or is it running on a separate screening server that is the first stop for mail inbound from the internet?

ShackDaddy
Shackelford Consulting
 
Upvote 0 Downvote
It is running directly on my mail server. With that being the case I don't see how there is any way email can avoid being scanned by Ninja.
 
Upvote 0 Downvote
Yikes. I'd separate those two. Honestly, I'd setup all of the features of SP2 and pull Ninja out of the way. That should greatly reduce all unwanted email.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Upvote 0 Downvote
I agree with you completely on separating the two. I inherited this configuration. I'm a big believer in having an exchange server do just that..be an exchange server and nothing else. Honestly though, this config has worked quite well for the most part. I'm baffled by this latest problem, but apparently so is everybody else so I'm not alone.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Moved to 365 in cloud, cannot get iPhones default mail app to connect
Replies
2
Views
524
Priyanka_Chauhan
Priyanka_Chauhan
BroBias
  • Locked
  • Question
mailbox databases dismounting frequently without followable reason
Replies
1
Views
539
BroBias
BroBias
fredmartinmaine
  • Locked
  • Question
Exchange Public Folder Db removal / woes
Replies
3
Views
83
ShackDaddy
ShackDaddy
david jackson
  • Locked
  • Question
Extract only the subject and recipients from a mailbox
Replies
0
Views
496
david jackson
david jackson
mdseaman
  • Locked
  • Question
Unable to find freebusy public folder
Replies
0
Views
32
mdseaman
mdseaman

Part and Inventory Search

Sponsor

Back
Top