Exchange 2016 anonymous relay ? External spam relay ?

Question

Exchange 2016 anonymous relay ? External spam relay ?

Pero 71

Hello all,

On our exchange server we had spam problem. Today I opened message queue and I see 25000 mails in queue. They were all intended for @Karima ben @harsh.com domains.

And we sent them a lot now we are rate limited by Microsoft domains. I am aware we have to have "anonymous users" on "Default Frontend receive connector to accept mail from internet. We never had problem with content filtering and spam intended for our internal domain.
But how to stop relaying, and why is it even relaying ? How to stop example from picture, AgentLog.

Yuki Sun-MSFT 41,376 Reputation points Moderator

2020-10-12T05:57:39.92+00:00

Hi @Pero ,
As this is a public forum, I'll remove the personal info like IP address and domain name included in your screenshot in order to protect the private information. Please also remember to cover this kind of info if you need to share more details in a reply. Thanks!
Pero 71 Reputation points

2020-10-13T08:02:39.993+00:00

Hi,

Sorry for that.

Accepted answer

2 additional answers

Your answer

Yuki Sun-MSFT 41,376 Reputation points Moderator

2020-10-12T05:57:39.92+00:00

Hi @Pero ,
As this is a public forum, I'll remove the personal info like IP address and domain name included in your screenshot in order to protect the private information. Please also remember to cover this kind of info if you need to share more details in a reply. Thanks!
Pero 71 Reputation points

2020-10-13T08:02:39.993+00:00

Hi,

Sorry for that.

Answer 1

Yuki Sun-MSFT 41,376 Moderator

@Pero ,

Have you modified the default receive connectors or created any custom receive connectors for anonymous relay in your environment before the issue occurred?

As per your concern regarding the "Default Frontend receive connector", would you please run the command below and have a look at the current settings:

Get-ReceiveConnector <ConnectorName> | Format-List name,Enabled,Bindings,RemoteIPRanges,PermissionGroups

Note: Please remove any personal information involved when sharing the output.

Besides, for current situation, agree with Edward that it's highly recommended to set up SPF to help validate outbound email sent from your custom domain. You can also have it setup along with DKIM, DMARC to help prevent spoofing phishing.

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Pero 71 Reputation points

2020-10-13T08:53:54.373+00:00

Hello,

"default receive connector" is not modified in any way. And no. This is setup that was not changed at least one year and all changes we had was for some internal connectors. But problem like i described in first post is something that was happening approx ever 3 month, then we block IP, domain of attacker and wait 3 months for next attack. So most likely we have problem from day 0.

There is one more receive connector "Default ServerName" with role HubTransport. This one like "Default Frontend ServerName" has Anonymous users.
Pero 71 Reputation points

2020-10-13T09:10:04.657+00:00

Here are all receive connectors (we have few internal but they are binded with local addresses).
Yuki Sun-MSFT 41,376 Reputation points Moderator

2020-10-14T07:29:37.437+00:00

Hi @Pero ,

The screenshot you shared indicated that 4 out of the 5 default receive connectors have the "Anonymous users" group. Are these configured for purpose?
As according to the table in this official article, by default only "Default Frontend <ServerName>" has the "Anonymous users" permission group. See output from my lab:
Pero 71 Reputation points

2020-10-16T07:44:20.377+00:00

Are they configured on purpose ? Not by me. I didn't install this server from 0 it my inheritance from previous admins.

But this looks problematic, I will remove "AnnonymousUsers" from all default receive connectorsbut Default Frontend.

Will report back, wish me luck !

Answer 2

Edward van Biljon 6 Volunteer Moderator

Hi

Is your server locked down to send to a smarthost only? On your firewall, do you allow port 25 from anywhere or just the exchange server to your ISP?

Also make sure you have SPF and DMARC setup for your domain.

Pero 71 Reputation points

2020-10-13T08:09:53.527+00:00

Hello,

No it's not locked down to a smarthost. I need to check but I would say port 25 is allowed in/out from anywhere. Why do you ask this ? Is there better practice ?

DMARC and SPF is implemented long time ago.

Answer 3

Pero 71

So I removed "AnnonymousUsers" from:
Client Frontend SrvName
Default SrvName
Outbound Proxy Frontend SrvName

And so far everything looks normal.

Maybe this could save us from next spam attack. I hope.

Thank You

Yuki Sun-MSFT 41,376 Reputation points Moderator

2020-10-19T01:22:46.59+00:00

Glad to hear that :) Hopefully everything can go well!

Share via

Exchange 2016 anonymous relay ? External spam relay ?

2 additional answers

Your answer