Hello
For the past couple of days my external IP has been blocked by 'Spamhaus'/CBL, saying my Exchange server is sending spam.
Since we have only a few users in the system, I checked their sent boxes and did not find anything suspicious.
Then I checked the MSGTRK log on the Exchange server.
There I found a couple of entries which are surely spam, but I do not know how they are coming to the Exchange server.
A couple of things in the logs:
- recipient-address has my email domain, but no such mailbox exists (e.g. MeierUlf61797@sanketindia.in)
- source says: SMTP and event-id says HAREDIRECTFAIL
- sender-address values are also not known to me.
- How do I know who is sending this spam out of my Exchange?
Are these incoming mails or outgoing? If incoming then Spamhaus
Following are a few records from the log:
#Fields: date-time | source-context | source | event-id | recipient-address | recipient-status | reference | message-subject | sender-address | return-path | directionality | original-client-ip | original-server-ip | custom-data | ||||
2016-01-20T12:44:08.748Z | No suitable shadow servers | SMTP | HAREDIRECTFAIL | WinterOskar9047@sanketindia.in | AW: Rechnung Nr.20605838 | Juergen.Lauer@huk-coburg.de | Juergen.Lauer@huk-coburg.de | Incoming | S:DeliveryPriority=Normal;S:AccountForest=sanket.local | ||||||||
2016-01-20T12:44:08.858Z | 08D318DF94203457;2016-01-20T12:44:08.716Z;0 | SMTP | RECEIVE | WinterOskar9047@sanketindia.in | AW: Rechnung Nr.20605838 | Juergen.Lauer@huk-coburg.de | Juergen.Lauer@huk-coburg.de | Incoming | 193.201.183.161 | 192.168.2.56 | S:FirstForestHop=mail1.sanket.local;S:ProxiedClientIPAddress=193.201.183.161;S:ProxiedClientHostname=smtp1.huk-coburg.de;S:ProxyHop1=mail1.sanket.local(192.168.2.56);S:DeliveryPriority=Normal;S:AccountForest=sanket.local | ||||||
2016-01-20T12:44:08.921Z | Failure | DSN | DSN | Juergen.Lauer@huk-coburg.de | <9da94b51ffb645339e1c7fdbe3454516@SMXRF105.msg.hukrf.de> | Unzustellbar: AW: Rechnung Nr.20605838 | postmaster@sanket.local | <> | Originating | S:DeliveryPriority=Normal;S:OriginalFromAddress=Juergen.Lauer@huk-coburg.de;S:AccountForest=sanket.local | |||||||
2016-01-20T12:44:08.921Z | AGENT | AGENTINFO | WinterOskar9047@sanketindia.in | AW: Rechnung Nr.20605838 | Juergen.Lauer@huk-coburg.de | Juergen.Lauer@huk-coburg.de | Incoming | 193.201.183.161 | 192.168.2.56 | S:AMA=SUM|v=0|action=|error=|atch=0;S:AMA=EV|engine=M|v=0|sig=1.213.3458.0|name=|file=;S:CompCost=|AMA=0;S:DeliveryPriority=Normal;S:AccountForest=sanket.local | |||||||
2016-01-20T12:44:08.921Z | ROUTING | FAIL | WinterOskar9047@sanketindia.in | '[{LRT=};{LED=550 5.1.1 RESOLVER.ADR.RecipNotFound; not found};{FQDN=};{IP=}]' | <b739d4a0-c35f-4eb0-bee1-336340042baf@mail1.sanket.local> | AW: Rechnung Nr.20605838 | Juergen.Lauer@huk-coburg.de | Juergen.Lauer@huk-coburg.de | Incoming | S:DeliveryPriority=Normal;S:AccountForest=sanket.local | |||||||
2016-01-20T12:44:09.090Z | AGENT | AGENTINFO | WinterOskar9047@sanketindia.in | Unzustellbar: AW: Rechnung Nr.20605838 | postmaster@sanket.local | <> | Originating | S:AMA=SUM|v=0|action=|error=|atch=2;S:AMA=EV|engine=M|v=0|sig=1.213.3458.0|name=|file=;S:CompCost=|AMA=0|ETR=0;S:DeliveryPriority=Normal;S:OriginalFromAddress=Juergen.Lauer@huk-coburg.de;S:AccountForest=sanket.local |