Stop Exchange Server sending spam
Nobody likes to see the Exchange Server sending spam. If you have never seen this situation, you are lucky. Hopefully, you will never have to see it, as it can bring a lot of stress and damage to the organization. The ISP will block you from sending emails, and your emails will start being delivered to the recipient’s spam folder. In this article, you will learn the steps that you can take to stop the Exchange Server from sending spam.
Introduction
A company was receiving and sending spam messages for weeks. They tried a lot, but it kept sending spam whatever they did. So finally, I was asked if I could have a look into the Exchange Server organization and solve the spam once and for all.
Below are the steps that will help you stop the Exchange Server organization from sending and receiving spam.
Get the best spam filter
This is the most crucial part and the first thing you should look into. Check whether the spam filter is correctly configured. If not, get a good spam filter and configure it as soon as possible.
Note: The spam filter will help you filter and monitor incoming and outgoing messages. You can identify where the spam messages come from.
I only recommend the SpamBull spam filter:
- Easy to use
- Cloud-based (no downtime)
- All updates are taken care of
- Incoming and outgoing filtering
- Create automatic reports
- Monitor all incoming and outgoing messages
- No need to spin up a dedicated machine for hygiene solution
Go through the below SpamBull documentation to set incoming and outgoing filtering:
- Add domain
- Set up MX records (incoming filtering)
- Create outgoing user
- Set up smart host (outgoing filtering)
Configure firewall ports
There are incoming and outgoing ports for mail flow. Let’s look at the best way to configure the ports for mail flow protection.
Inbound firewall port
Only allow port 25 from the spam filter to the Exchange Server. If you check port 25 from the internet, it should show as closed. When you check port 25 from the spam filter, it should connect to the Exchange Server.
- Go to Open port Check Tool
- Enter the Exchange Server public IP address and port 25
- Click on Check
It will show that port 25 is closed from the outside world.
- Sign in to the SpamBull admin center
- Click on the domain
- Select Continuity > Network tools > SMTP
- Fill in the Exchange Server Hostname
- Click Run
It will show that Exchange Server on port 25 is reachable from the spam filter.
Outbound firewall port
Only allow port 587 from the Exchange Server to the spam filter. This means that you have to configure the send connector on port 587. Port 25 is blocked for everyone else from LAN (internal) to WAN (outside world).
Every mail needs to go through the Exchange Server to the spam filter. From there, it is delivered to the recipient’s mail server and, finally, to the recipient’s mailbox.
Note: I recommend blocking port 25 from LAN > WAN in the firewall. This restricts outgoing mail and stops scammers and malware from sending mail from your IP address. Configure the send connector to use port 587.
Run the Test-NetConnection cmdlet to ensure that outgoing port 25 is blocked and outgoing port 587 is allowed to the spam filter:
- Run PowerShell as administrator
- Enter the SpamBull SMTP host (redacted), including port 25
The TcpTestSucceeded in the output shows False.
PS C:\> Test-NetConnection smtp.*********.com -Port 25
ComputerName : smtp.*********.com
RemoteAddress : 145.177.12.128
RemotePort : 25
InterfaceAlias : Network 192x
SourceAddress : 192.168.1.52
TcpTestSucceeded : False
Change the port to 587 and run the command.
The TcpTestSucceeded in the output shows True.
PS C:\> Test-NetConnection smtp.*********.com -Port 587
ComputerName : smtp.*********.com
RemoteAddress : 128.127.14.117
RemotePort : 587
InterfaceAlias : Network 192x
SourceAddress : 192.168.1.52
TcpTestSucceeded : True
The RemoteAddress in the output can change because the SpamBull spam filter has hundreds of servers deployed in the cloud to protect your domain from spam.
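The two checks above can be turned into a repeatable policy test. This is an added example, not part of the original article; the host names are placeholders for your spam filter's SMTP host and for an external mail server you are allowed to probe.

```powershell
# Added example: assert the outbound SMTP firewall policy from the Exchange Server.
# Both host names are placeholders (assumptions); replace them before running.
$expectations = @(
    [pscustomobject]@{ Target = 'smtp.spamfilter.example'; Port = 587; ShouldConnect = $true  }
    [pscustomobject]@{ Target = 'smtp.spamfilter.example'; Port = 25;  ShouldConnect = $false }
    [pscustomobject]@{ Target = 'mx.external.example';     Port = 25;  ShouldConnect = $false }
)

$results = foreach ($e in $expectations) {
    # -InformationLevel Quiet returns only $true/$false.
    # A DNS resolution failure also yields $false, so verify the names resolve.
    $connected = Test-NetConnection -ComputerName $e.Target -Port $e.Port -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Target    = $e.Target
        Port      = $e.Port
        Expected  = if ($e.ShouldConnect) { 'Open' } else { 'Blocked' }
        Actual    = if ($connected) { 'Open' } else { 'Blocked' }
        Compliant = ($connected -eq $e.ShouldConnect)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or monitoring agent can alert on drift
if ($results.Compliant -contains $false) {
    Write-Warning 'Outbound SMTP firewall policy deviates from the expected configuration.'
    exit 1
}
```

Run it on the Exchange Server. On a LAN workstation, the two port 25 rows should still report Blocked, while the port 587 row depends on whether the firewall allows 587 only from the Exchange Server.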
Protect domain with SPF, DKIM, and DMARC
You must have the following three records set up on each domain for maximum protection:
- SPF
- DKIM
- DMARC
An excellent way to check that SPF, DKIM, and DMARC records are set up for the domain is to use DMARC Domain Checker. Fill in the domain and check the results.
This is the result if your domain is not protected against abuse by phishers and spammers.
This is the result when your domain is protected against abuse by phishers and spammers.
After you check the records, we recommend sending an email to CheckTLS and checking the report that is sent back to you. The report explains whether the SPF, DKIM, and DMARC authentication methods are set up the way they should be.
Read more in the article How to check SPF/DKIM/DMARC are correctly set.
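The same record check can be run from PowerShell with Resolve-DnsName. This is an added example, not part of the original article; the domain and the DKIM selector are placeholders, and the selector in particular is an assumption that depends on your signing service.

```powershell
# Added example: report missing or weak SPF, DKIM and DMARC TXT records.
# The defaults are placeholders (assumptions), not values from the article.
param(
    [string]$Domain = 'example.com',
    [string]$DkimSelector = 'selector1'
)

function Get-TxtValue {
    param([string]$Name, [string]$Pattern)
    # TXT data arrives in .Strings as chunks of up to 255 bytes; join them first.
    # Filtering on .Strings also skips CNAME records returned for DKIM selectors.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -match $Pattern }
}

$spf   = @(Get-TxtValue -Name $Domain -Pattern '^v=spf1(\s|$)')
$dmarc = @(Get-TxtValue -Name "_dmarc.$Domain" -Pattern '^v=DMARC1')
$dkim  = @(Get-TxtValue -Name "${DkimSelector}._domainkey.$Domain" -Pattern '(^|;)\s*p=')

$findings = @()

# More than one SPF record makes receivers return a permanent error
if ($spf.Count -ne 1) {
    $findings += "SPF: expected exactly 1 record, found $($spf.Count)"
} elseif ($spf[0] -notmatch '[-~]all\s*$') {
    $findings += 'SPF: record does not end in -all or ~all (check for redirect=)'
}

if ($dmarc.Count -ne 1) {
    $findings += "DMARC: expected exactly 1 record, found $($dmarc.Count)"
} elseif ($dmarc[0] -match '\bp\s*=\s*none\b') {
    $findings += 'DMARC: policy is p=none, so failing mail is only reported'
}

# An empty p= tag means the key has been revoked
if ($dkim.Count -eq 0) {
    $findings += "DKIM: no key published for selector '$DkimSelector'"
} elseif ($dkim[0] -match '(^|;)\s*p=\s*(;|$)') {
    $findings += 'DKIM: key is revoked (empty p= tag)'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "SPF, DKIM and DMARC records for $Domain look complete."
}
```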
Run Exchange health checker script
Run the Exchange Server health check PowerShell script and see if there are any errors or warnings. If so, fix them.
Update Exchange Server
Always keep your Exchange Server up to date. This means that you need to:
- Install Exchange Cumulative Update
- Install Exchange Security Update (if there are any)
Run security scan on Exchange Server
Start Windows Defender and run a scan. If you have a third-party antivirus/security product, run that as well. If threats are found, inspect and clean them.
Conclusion
You learned how to stop Exchange Server from sending spam. It’s important that you carefully go through all the steps. Ensure that the Exchange Server is up to date with the latest Cumulative Update and run a security scan.
Check that you have an excellent spam filter to protect the organization from sending and receiving spam messages. Configure the firewall ports to only communicate with the spam filter and only use incoming on port 25 and outgoing on port 587. Set up SPF, DKIM, and DMARC records to protect the domain.
In my scenario, a mailbox account was compromised and was sending spam to external recipients. Unfortunately, the spam filter that was running was not that great, and it didn’t provide precise monitoring of what was happening. Changing the spam filter to the SpamBull cloud-based spam filter showed me instantly which mailbox was sending spam.
Hi,
Facing an issue with Exchange Server 2016: spam emails are being sent from users’ accounts automatically.
What do I have to do to protect my Exchange Server? Please help.
The article has step-by-step instructions on how to stop the Exchange Server from sending spam and protect your organization.
Hello
I hope you are fine.
I have a problem with something.
We have an exchange server within our organization that also sends our mail to the outside world.
The problem is that the number of our users is not large enough to send emails to Bebirun, but I noticed that 1000 emails were sent from our server that the sender’s name is either unknown or was sent to a strange name.
I blocked all emails. Now the problem is how these emails are sent and by whom.
Please help me.
Thanks Navid Talesh
It means that spammers are attacking the Exchange Server. This happens when you don’t have a spam filter configured.
I recommend you buy the SpamBull spam filter.
Great article, however I am not using third-party spam filter, but instead EOP, may I know if there is any recommendation for this kind of scenario? Like the port control in your article above?
Thx