Exchange 2016 anonymous relay? External spam relay?

Pero 71 Reputation points
2020-10-09T10:15:19.337+00:00

Hello all,

On our Exchange server we had a spam problem. Today I opened the message queue and I saw 25,000 mails in the queue. They were all intended for @Karima ben @harsh.com domains.

And we sent a lot of them, so now we are rate limited by Microsoft domains. I am aware we have to have "Anonymous users" on the "Default Frontend" receive connector to accept mail from the internet. We never had a problem with content filtering and spam intended for our internal domain.
But how do I stop the relaying, and why is it even relaying? How do I stop the example from the picture, AgentLog?

31592-agentlog.png

Exchange Online

Accepted answer
  1. Yuki Sun-MSFT 41,376 Reputation points Moderator
    2020-10-12T07:02:28.827+00:00

    @Pero ,

    Have you modified the default receive connectors or created any custom receive connectors for anonymous relay in your environment before the issue occurred?

    As per your concern regarding the "Default Frontend receive connector", would you please run the command below and have a look at the current settings:

    Get-ReceiveConnector <ConnectorName> | Format-List name,Enabled,Bindings,RemoteIPRanges,PermissionGroups  
    

    Note: Please remove any personal information involved when sharing the output.

    Besides, for the current situation, I agree with Edward that it's highly recommended to set up SPF to help validate outbound email sent from your custom domain. You can also set it up along with DKIM and DMARC to help prevent spoofing and phishing.




2 additional answers

  1. Edward van Biljon 6 Reputation points Volunteer Moderator
    2020-10-09T12:20:28.197+00:00

    Hi

    Is your server locked down to send to a smarthost only? On your firewall, do you allow port 25 from anywhere, or just from the Exchange server to your ISP?

    Also make sure you have SPF and DMARC setup for your domain.


  2. Pero 71 Reputation points
    2020-10-16T10:21:52.337+00:00

    So I removed "AnonymousUsers" from:
    Client Frontend SrvName
    Default SrvName
    Outbound Proxy Frontend SrvName

    And so far everything looks normal.

    Maybe this could save us from next spam attack. I hope.

    Thank You

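As an added example (not code posted in the thread), the PowerShell below combines the check Yuki Sun suggests in the accepted answer with the clean-up Pero describes in the last post: it audits every receive connector on the server, then, as a dry run, removes the anonymous relay right and strips AnonymousUsers from connectors that do not ship with it. Two facts drive the logic. First, AnonymousUsers on the "Default Frontend" connector is the normal, required setting for receiving internet mail and does not by itself permit relay; relay to external domains needs the anonymous account to hold the Ms-Exch-SMTP-Accept-Any-Recipient extended right (or a dedicated relay connector whose RemoteIPRanges is too wide). Second, Exchange 2016 does not put AnonymousUsers on "Client Frontend", "Default", "Outbound Proxy Frontend" or "Client Proxy" by default, so finding it there, as Pero did, means someone added it. The example assumes it runs in the Exchange Management Shell on the Exchange 2016 server with the default connector names; the variable names and the wildcard match on 'Default Frontend' are this example's own choices.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2016 server. Assumes default connector names; adjust if they were renamed.

# 1. Audit: for each receive connector, record whether anonymous SMTP is allowed
#    (PermissionGroups contains AnonymousUsers) and, separately, whether the
#    anonymous account holds Ms-Exch-SMTP-Accept-Any-Recipient, the extended right
#    that turns "accept mail from anyone" into "relay mail to anyone".
$audit = foreach ($rc in Get-ReceiveConnector) {
    $anonRelayAce = Get-ADPermission -Identity $rc.Identity |
        Where-Object {
            $_.User -like '*ANONYMOUS LOGON' -and
            -not $_.Deny -and
            ($_.ExtendedRights -like '*Ms-Exch-SMTP-Accept-Any-Recipient*')
        }

    [pscustomobject]@{
        Connector      = $rc.Identity.ToString()
        Enabled        = $rc.Enabled
        Bindings       = ($rc.Bindings -join ', ')
        RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
        AnonymousUsers = ($rc.PermissionGroups -match 'AnonymousUsers')
        AnonymousRelay = [bool]$anonRelayAce
    }
}

# Same fields Yuki Sun asked for, plus the relay right, for every connector at once.
$audit | Format-Table -AutoSize

# 2. Remediate (dry run because of -WhatIf; remove it, and add -Confirm:$false, to apply).
#    "Default Frontend" keeps AnonymousUsers so internet mail still arrives, but it
#    should not hold the Accept-Any-Recipient right. On every other connector the
#    AnonymousUsers group is non-default and is removed while keeping the other groups.
foreach ($row in $audit) {
    $rc = Get-ReceiveConnector -Identity $row.Connector

    if ($row.AnonymousRelay) {
        # Strip only the relay right; ordinary anonymous receive stays intact.
        $rc | Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
            -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient' -WhatIf
    }

    if ($row.AnonymousUsers -and $row.Connector -notlike '*Default Frontend*') {
        # PermissionGroups is a flags enum; rebuild it without AnonymousUsers.
        $keep = ($rc.PermissionGroups.ToString() -split ',\s*') |
            Where-Object { $_ -ne 'AnonymousUsers' }
        if (-not $keep) { $keep = 'None' }   # edge case: nothing else was granted
        Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups ($keep -join ',') -WhatIf
    }
}
```

Read the audit table before applying anything: a connector that shows AnonymousRelay = True with RemoteIPRanges of 0.0.0.0-255.255.255.255 is an open relay to the internet and is the most likely source of the 25,000 queued messages; one restricted to a few internal addresses (a printer or application relay) may be intentional. Removing AnonymousUsers from "Default Frontend" would stop inbound internet mail, which is why the script never touches that connector's permission groups.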
