pronto 6 Posted September 23, 2021 Share Posted September 23, 2021 Servus Community, For a week now we have been flooded by a spam tsunami and we don't know why. The spam filter on our Exchange servers filters out spam, as we can see from the logs, but there is still a lot of spam arriving in the users' mailboxes. We have already sent over a hundred samples to ESET, but the storm continues. There are mails that should be clearly identified as spam, but the filter lets them through. At first we thought that this would fix by itself in a few days, when ESET reacts with new patterns, but now it takes so long that we have to assume that the problem is in our setup. What actions can we take to get the problem under control? The matter is getting more and more serious, we have users who get over a hundred spam mails per day and there might be serious threats among them. Thank you in advance for your attention Bye Tom Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted September 23, 2021 Administrators Share Posted September 23, 2021 Please raise a support ticket with your local ESET distributor. For antispam to work the server must be able to communicate with ESET's servers on UDP port 53535. Couldn't this be the reason that the communication is blocked? Please carry on as follows: - enable diagnostic logging - receive a spam email that is not recognized - disable diagnostic logging - collect logs with ESET Log Collector and supply the generated archive to technical support along with the unrecogized spam in the eml or msg format. Link to comment Share on other sites More sharing options...
pronto 6 Posted September 23, 2021 Author Share Posted September 23, 2021 1 hour ago, Marcos said: Please raise a support ticket with your local ESET distributor. For antispam to work the server must be able to communicate with ESET's servers on UDP port 53535. Couldn't this be the reason that the communication is blocked? If you haven't changed anything on the network layout, I don't think that's the reason. We haven't changed anything and it was working fine until a week ago. I'm on vacation right now but I'll pass this on to my colleague to check. Thx & Bye Tom Link to comment Share on other sites More sharing options...
pronto 6 Posted September 23, 2021 Author Share Posted September 23, 2021 I've taken a closer look at the this issue with my colleague now and we have some answers but also a few questions. We have two Exchange servers (MTA-1 and MTA-2) and only one (MTA-1) accepts mails from external. While analyzing the ESET logfiles we noticed that the second server (MTA-2) has had an empty logfile for over a week. Obviously, nothing was filtered here, which didn't worry us at first, because everything has to pass through the filter of the first server (MTA-1). Furthermore, we took a closer look at the spam mails that were passed through and noticed that there are no ESET X-tags in the headers of these e-mails. This worried us, because it is obvious that some mails did not pass the filter at all. Days ago we restarted the ESET services on both servers and today we restarted both servers. Now the filters on both servers are working again and since then no spam mail has arrived at least in my mailbox. However, since this time, five to ten unrecognized spam mails would be expected. This is a good sign. This would also answer the question why some spam mails were filtered and others not because the filter on only one server was working. But the question that arises now is, why is the filter on the second server necessary at all, if everything should go through the filter of the other server first? Is there any documentation on how the ESET filters work in an Exchange DAG, or a short explanation that does not go beyond the scope of this post? After all, this final question is on the edge of beeing off topic but the answer would help us at least to understand the issue... Thx & Bye Tom Link to comment Share on other sites More sharing options...
Recommended Posts