
Stop Exchange Server sending spam

Nobody likes to see the Exchange Server sending spam. If you have never seen this situation, you are lucky. Hopefully, you will never have to see it, as it can bring a lot of stress and damage to the organization. The ISP will block you from sending emails, and your emails will start landing in the recipients’ spam folders. In this article, you will learn the steps that you can take to stop the Exchange Server from sending spam.

Introduction

A company was receiving and sending spam messages for weeks. They tried a lot, but it kept sending spam whatever they did. So finally, I was asked if I could have a look into the Exchange Server organization and solve the spam once and for all.

Below are the steps that will help you stop the Exchange Server organization from sending and receiving spam.

Get the best spam filter

This is the most crucial part and the first thing you should look into. Check whether the spam filter is correctly configured. If not, get a good spam filter and configure it as soon as possible.

Note: The spam filter will help you filter and monitor incoming and outgoing messages. You can identify where the spam messages come from.

I only recommend the SpamBull spam filter:

  • Easy to use
  • Cloud-based (no downtime)
  • All updates are taken care of
  • Incoming and outgoing filtering
  • Create automatic reports
  • Monitor all incoming and outgoing messages
  • No need to spin up a dedicated machine for hygiene solution

Go through the below SpamBull documentation to set incoming and outgoing filtering:

Configure firewall ports

There are incoming and outgoing ports for mail flow. Let’s look at the best way to configure the ports for mail flow protection.

Inbound firewall port

Only allow port 25 from the spam filter to the Exchange Server. If you check port 25 from the internet, it should show that it’s closed. When you check port 25 from the spam filter, it should make a connection to the Exchange Server.

A check from the internet will show that port 25 is closed from the outside world.

To check port 25 from the spam filter:
  • Sign in to the SpamBull admin center
  • Click on the domain
  • Select Continuity > Network tools > SMTP
  • Fill in the Exchange Server Hostname
  • Click Run

It will show that Exchange Server on port 25 is reachable from the spam filter.


Outbound firewall port

Only allow port 587 from Exchange Server to the spam filter. This means that you have to configure the send connector on port 587. Port 25 is blocked for everyone else on LAN (internal) to WAN (outside world).

Every mail needs to go through the Exchange Server to the spam filter. From there, it arrives at the recipient’s mail server and, finally, in the recipient’s mailbox.

Note: I recommend blocking port 25 from LAN > WAN in the firewall. This restricts outgoing mail and stops scammers and malware from sending mail from your IP address. Configure the send connector to use port 587.

Run the Test-NetConnection cmdlet to ensure that outgoing port 25 is blocked and outgoing port 587 is allowed to the spam filter:

  • Run PowerShell as administrator
  • Enter the SpamBull SMTP host (redacted), including port 25

The TcpTestSucceeded in the output shows False.

PS C:\> Test-NetConnection smtp.*********.com -Port 25

ComputerName     : smtp.*********.com
RemoteAddress    : 145.177.12.128
RemotePort       : 25
InterfaceAlias   : Network 192x
SourceAddress    : 192.168.1.52
TcpTestSucceeded : False

Change the port to 587 and run the command.

The TcpTestSucceeded in the output shows True.

PS C:\> Test-NetConnection smtp.*********.com -Port 587


ComputerName     : smtp.*********.com
RemoteAddress    : 128.127.14.117
RemotePort       : 587
InterfaceAlias   : Network 192x
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

The RemoteAddress in the output can change because the SpamBull spam filter has hundreds of servers deployed in the cloud to protect your domain from spam.
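The two port checks above can be combined with a look at the send connector configuration. This is an added example, not part of the original article: it assumes it runs in the Exchange Management Shell on the Exchange Server, and `smtp.example.com` is a placeholder for your spam filter's SMTP host.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# 'smtp.example.com' is a placeholder for your spam filter's SMTP host.
function Test-OutboundMailPath {
    param([Parameter(Mandatory)][string]$SmartHost)

    $findings = @()

    # Firewall: outbound port 25 must be blocked, outbound port 587 must be allowed.
    $p25  = Test-NetConnection $SmartHost -Port 25  -WarningAction SilentlyContinue
    $p587 = Test-NetConnection $SmartHost -Port 587 -WarningAction SilentlyContinue
    if ($p25.TcpTestSucceeded) {
        $findings += "Firewall: outbound port 25 to $SmartHost is open"
    }
    if (-not $p587.TcpTestSucceeded) {
        $findings += "Firewall: outbound port 587 to $SmartHost is blocked"
    }

    # Send connectors: each enabled connector must relay to the spam filter on port 587.
    foreach ($c in (Get-SendConnector | Where-Object { $_.Enabled })) {
        $hosts = @($c.SmartHosts | ForEach-Object { $_.ToString() })
        if ($c.DNSRoutingEnabled) {
            $findings += "Connector '$($c.Name)': uses MX delivery and bypasses the spam filter"
        } elseif ($hosts -notcontains $SmartHost) {
            $findings += "Connector '$($c.Name)': smart host is '$($hosts -join ', ')'"
        }
        if ($c.Port -ne 587) {
            $findings += "Connector '$($c.Name)': uses port $($c.Port), expected 587"
        }
    }

    if ($findings.Count -eq 0) {
        "OK: port 25 blocked, port 587 open, enabled send connectors relay to $SmartHost on 587"
    } else {
        $findings
    }
}

Test-OutboundMailPath -SmartHost 'smtp.example.com'
```

The firewall part only tests the path from the server it runs on; run the port 25 test from another LAN host as well to confirm the LAN > WAN block applies to everyone.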

Protect domain with SPF, DKIM, and DMARC

You must have SPF, DKIM, and DMARC records set up on each domain for maximum protection.

An excellent way to check that SPF, DKIM, and DMARC records are set up for the domain is to use DMARC Domain Checker. Fill in the domain and check the results.

The result shows whether or not your domain is protected against abuse by phishers and spammers.

After you check the records, we recommend sending an email to CheckTLS and checking the report that is sent back to you. The report explains whether the SPF, DKIM, and DMARC authentication methods are set up the way they should be.

Read more in the article How to check SPF/DKIM/DMARC are correctly set.
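The same three records can also be checked from PowerShell with Resolve-DnsName. This is an added example, not part of the original article; the domain and the DKIM selector in the usage line are placeholders, and the status wording is this example's own.

```powershell
# Added example, not from the original article. Uses the built-in DnsClient module.
function Get-TxtValue {
    param([string]$Name, [string]$Pattern)
    # Follow CNAMEs, join the chunks of each TXT record, return the first match.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like $Pattern } |
        Select-Object -First 1
}

function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$DkimSelector   # depends on your signing service
    )
    $spf   = Get-TxtValue -Name $Domain -Pattern 'v=spf1*'
    $dmarc = Get-TxtValue -Name "_dmarc.$Domain" -Pattern 'v=DMARC1*'
    $dkim  = Get-TxtValue -Name "${DkimSelector}._domainkey.$Domain" -Pattern '*p=*'

    # SPF: -all / ~all fail unlisted senders; +all, ?all or bare "all" do not.
    $spfStatus = if (-not $spf) { 'Missing' }
        elseif ($spf -match '\s[-~]all\b')  { 'OK' }
        elseif ($spf -match '\s[+?]?all\b') { 'Weak: unlisted senders are not rejected' }
        else { 'Check: no "all" mechanism found' }

    # DMARC: p=none only reports; quarantine or reject enforce the policy.
    $dmarcStatus = if (-not $dmarc) { 'Missing' }
        elseif ($dmarc -match ';\s*p=none\b') { 'Monitoring only (p=none)' }
        elseif ($dmarc -match ';\s*p=(quarantine|reject)\b') { 'OK' }
        else { 'Check: no valid p= tag found' }

    # DKIM: an empty p= tag means the key has been revoked.
    $dkimStatus = if (-not $dkim) { 'Missing for this selector' }
        elseif ($dkim -match 'p=\s*(;|$)') { 'Revoked key (empty p=)' }
        else { 'OK' }

    [pscustomobject]@{ Record = 'SPF';   Status = $spfStatus;   Value = $spf }
    [pscustomobject]@{ Record = 'DKIM';  Status = $dkimStatus;  Value = $dkim }
    [pscustomobject]@{ Record = 'DMARC'; Status = $dmarcStatus; Value = $dmarc }
}

# Placeholder domain and selector; replace with your own.
Test-MailAuthRecords -Domain 'example.com' -DkimSelector 'selector1' | Format-List
```

Run it once for every domain that sends mail through the Exchange Server.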

Run Exchange health checker script

Run the Exchange Server health check PowerShell script and see if there are any errors or warnings. If so, fix them.

Update Exchange Server

Always keep your Exchange Server up to date. This means that you need to:

Run security scan on Exchange Server

Start Windows Defender and run a scan. If you have a third-party antivirus/security product, run a scan with that. If threats are found, inspect and clean them.

Conclusion

You learned how to stop Exchange Server from sending spam. It’s important that you carefully go through all the steps. Ensure that the Exchange Server is up to date with the latest Cumulative Update and run a security scan.

Check that you have an excellent spam filter to protect the organization from sending and receiving spam messages. Configure the firewall ports to only communicate with the spam filter and only use incoming on port 25 and outgoing on port 587. Set up SPF, DKIM, and DMARC records to protect the domain.

In my scenario, a mailbox account was compromised and was sending spam to external recipients. Unfortunately, the spam filter that was running was not that great, and it didn’t provide precise monitoring of what was happening. Replacing the spam filter with the SpamBull cloud-based spam filter showed me instantly which mailbox was sending spam.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 5 Comments

  1. Hi,
    facing issue with exchange server 2016, spam emails being sent from users’ accounts automatically.
    What I have to do to protect my exchange server? please help.

  2. Hello
    I hope you are fine.
    I have a problem with something.
    We have an exchange server within our organization that also sends our mail to the outside world.
    The problem is that the number of our users is not large enough to send emails to Bebirun, but I noticed that 1000 emails were sent from our server that the sender’s name is either unknown or was sent to a strange name.
    I blocked all emails. Now the problem is how these emails are sent and by whom.
    Please help me.
    Thanks Navid Talesh

  3. Great article, however I am not using third-party spam filter, but instead EOP, may I know if there is any recommendation for this kind of scenario? Like the port control in your article above?

    Thx
