Exchange Server: How to diagnose spam problem

Exchange Server: How to diagnose spam problem

This article is on how to get a clear status of the spam you receive on your Exchange Server

Scenario: A user call-in and told that another user from another company can’t contact him. The email got refused.


Task 1: Investigate to be sure it’s at our door we stop him.

Check the source email

  • Check inside if the answer he got was from us.
    • YES: Skip to Task 2 below
    • NO:
      • Does he use is ISP as a smarthost ?
        • YES:
          • Does it’s is smarthost that refuse to send the email ?
          • That case happen when the smarthost check RBL list to be sure he does not forward from an unsecure source. Most of the time it happen when a site got infected by a malware/virus that mass spam. In that case please check the IP listed in the email. The WAN IP would be blacklisted in RBL. The other company must then ask to be delisted if he eliminated the source of the problem. At this point it’s no longer a problem we can assist with.
        • NO:
          • Do you use an external antispam service?
            • YES:
              • Check the log on your management interface.
            • NO:
              • The DNS from the remote site is properly configured? A bad MX record from the remote DNS server could lead to a mail send error.


Task 2: Get to know the AntiSpam filter rules.

-          Check the source email

  • Check  the error returned.
    • If it’s an error you think it was correct to flag, then advise the user that the remote company must correct something. (He’s on RBL, he relay, he got a bad SCL because of a badly wrote email, etc…)
    • If you are unsure that it was flagged spam for a good reason, check more deeper. Skip to Task 3

-          An example in Exchange 2010;




Task 3: With the rule we check, start to investigate the issue deeper.

-          Check your agent log to see the real cause of the rejection:

  • Issue the powershell command; Get-AgentLog |?{ ($_.p1fromaddress -match "" –or $_.p2fromaddresses -match " ") -and $_.action –eq "RejectMessage"} (I suggest to redirect the output to a text file (with  > log.txt))
    • In the text file you will log like that in example;
      • Timestamp       : XXXX-XX-XX XX:XX:XX
        SessionId       : XXXXXXXXXXXXXXXX
        IPAddress       : X.X.X.X
        MessageId       :
        P1FromAddress   :
        P2FromAddresses : {}
        Recipients      : {}
        Agent           : Sender Id Agent
        Event           : OnEndOfHeaders
        Action          : RejectMessage
        SmtpResponse    : 550 5.7.1 Missing purported responsible address
        Reason          : MissingPRA
        ReasonData      : No valid PRA
        Diagnostics     :
  • From there diagnose and change your antispam feature if you can.


Task 4: Reporting script.

Get-AntispamFilteringReport.ps1 : Get a general report for what agent block the most.

Get-AntispamSCLHistogram.ps1 : Retrieve a chart with SCL value for spam received.

Get-AntispamTopBlockedSenderDomains.ps1 : Retrive the Top Blocked Sender domains. Don’t forget it can be forged domain. The SenderID antispam feature help us there.

Get-AntispamTopBlockedSenderIPs.ps1 : Retrieve the top IP that send us spam. If you got big number there you can list the IP in a block rule in the antispam feature or block it in the router directly. To prevent a RBL check each time on the IP.

Get-AntispamTopBlockedSenders.ps1 : Retrieve the top sender.

Get-AntispamTopRBLProviders.ps1 : Retrieve what RBL block the most. Use that chart before remove a RBL. Some RBL are too strict sometime, but removing it can cause a lot of spam to actually enter. When a user call, it’s the dilemma to accept one email versus what the RBL block.

Get-AntispamTopRecipients.ps1 : Top users that receive spam.

Apply to

Exchange 2007
Exchange 2010
Exchange 2013
Leave a Comment
  • Please add 2 and 2 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
  • Yagmoth555 edited Revision 2. Comment: fixing ident :)

Page 1 of 1 (1 items)
Wikis - Comment List
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
  • Yagmoth555 edited Revision 2. Comment: fixing ident :)

Page 1 of 1 (1 items)