internal (private) IP's of Exchange servers being blocked by rep

shattuck007 · ‎06-18-2012

Hello:

I have my Exchange 2010 Hub Transport servers configured to use a Send Connector to route all externally bound email through an IronPort c350 in a smarthost configuration. In troubleshooting an Exchange availability issue, I had a look at this applicance's Incoming Mail stats. In those stats, I see where every hour, 16,000 "inbound" emails are supposedly being stopped by Reputation Filtering:

Domain	Rejected	Accepted	Total Attempted	Stopped by Recipient Throttling	Stopped by Reputation Filtering	Stopped as Invalid Recipients	Spam Detected	Virus Detected	Stopped by Content Filter	Total Threat	Marketing	Clean
test.com	0	4	16.2k	0	16.2k	0	0	0	0	16.2k	0	0

If I change the view to IP Address, test.com is broken into my 3 Hub Transport server's IP's:

IP Address	Hostname	DNS Verified	SBRS	Total Attempted	Stopped by Reputation Filtering	Total Threat
10.10.10.51	...ht02p.test.com	No	--	6,426	6,426	6,426
10.10.10.52	...ht03p.test.com	No	--	6,426	6,426	6,426
10.10.10.50	...ht01p.test.com	No	--	4,158	4,158	4,158

If I look into message tracking on my M series and filter by rejected connections, IP address, or any delimiter I can think of, I can't find record of the actual messages that are being stopped.

The Exchange message tracking logs don't reflect any such activity.

I've opened mail_logs on the affected appliance and I don't see anything in there related to these IP's being rejected by reputation filtering.

I've gotten no reports of emails delayed or failing to be delivered.

Insofar as I can tell, this behavior has taken place since I put in the Exchange 2010 Send Connector to the internet.

Do I have a worm run amok on my network, is this a false positive, or can anyone think of anywhere else I could look to find out what this traffic is referring to?

thank you in advance for any assistance.

Tom Foucha · ‎06-20-2012

What most likely is happening is your connection is being throttled because of large volumes of mail. The statistics shows for Reputation Blocking include those connections that are Throttled. You probably want to examine your Mail Flow Policies to make sure that it is 1. a relay policy and 2. that you have allotted enough connections and recipients per message and flow control settings.

KPSN-Services · ‎06-21-2012

I have recently been looking in to something which sounds very similar

Looking at the Incoming Mail report (by IP) I was seeing (IP address and domain info obfuscated):

Sender IP Address	Hostname	DNS Verified	SBRS	Last Sender Group	Total Attempted	Stopped by Reputation Filtering	Stopped as Invalid Recipients	Spam Detected	Virus Detected	Stopped by Content Filter	Total Threat	Marketing	Clean

10.x.x.x	No Domain Information	No	--	0	22.3k	22.3k	0	0	0	0	22.3k	0	0

But this an outgoing exchange server on a relay policy so

1 - shouldn't be seeing mail blocked

2 - should be generating a lot of clean outbound traffic.

3 - should probably be on the "outgoing senders" report rather than the "incoming mail" report anyway. Which it is...

Sender IP Address	Hostname	Spam Detected	Virus Detected	Stopped by Content Filter	Total Threat	Clean	Total Messages

10.x.x.x	unknown domain	0	0	158	158	28.7k	28.8k

We'd also had no reports of mail delay or non-delivery, and this was happening on a Saturday, when we wouldn't have been expecting large quantities of mail from this source.

Eventually tracked this down to a period when the DNS servers hosting the records for the domain which sends mail on this IP were not responding - log entries typically like:

Sat Jun 16 12:12:45 2012 Info: ICID 141750117 RELAY SG VOLUME_RELAYSERVERS match 10.x.x.x SBRS rfc1918

Sat Jun 16 12:12:45 2012 Warning: Received an invalid DNS Response: '' to IP looking up

Sat Jun 16 12:12:45 2012 Info: ICID 141750117 Address: <sender@senderdomain> sender rejected, envelope sender domain could not be resolved

Sat Jun 16 12:12:45 2012 Info: ICID 141750117 close

The repeated retrying of the same messages over a period of around 10 hours added up to the 22.3k rejections.

It looks like in this instance the failure is being recorded under "Incoming Mail" instead of "Outgoing Senders" despite the IP being in a relay sender group.

Hope this helps - maybe a few clues for what to look for in your logs if nothing else.

internal (private) IP's of Exchange servers being blocked by reputation filtering