Exchange Server: How to diagnose spam problem

This article explains how to get a clear picture of the spam you receive on your Exchange Server.

Scenario: A user calls in and says that a user from another company can't contact him: the email is refused.


Task 1: Investigate to be sure that it is at our door that the email is stopped.

Check the source email

  • Check inside whether the bounce he got came from us.
    • YES: Skip to Task 2 below.
    • NO:
      • Does he use his ISP as a smarthost?
        • YES:
          • Is it his smarthost that refuses to send the email?
          • This happens when the smarthost checks RBL lists to be sure it does not forward mail from an unsecured source. Most of the time it happens when a site is infected by malware/a virus that mass-spams. In that case, check the IP listed in the email: the WAN IP will be blacklisted in the RBL. The other company must then ask to be delisted once it has eliminated the source of the problem. At this point it is no longer a problem we can assist with.
        • NO:
          • Do you use an external antispam service?
            • YES:
              • Check the log in your management interface.
            • NO:
              • Is the DNS at the remote site properly configured? A bad MX record from the remote DNS server could lead to a mail send error.
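The two remote-side checks from Task 1 (is the WAN IP on an RBL, and does the remote domain's MX resolve) can be run from PowerShell. This is an added example, not code from the original article; it assumes the DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName, and the RBL zone, domain and IP are placeholders.

```powershell
# Added example (not from the article): remote-side checks for Task 1.
$RblZone = 'rbl.example.net'   # placeholder: the RBL zone your smarthost or antispam service actually queries

function Test-RblListed {
    param([string]$Ip, [string]$Zone = $RblZone)
    # RBLs are queried by reversing the octets: 1.2.3.4 -> 4.3.2.1.<zone>
    $reversed = ($Ip.Split('.')[3..0]) -join '.'
    try {
        $answer = [System.Net.Dns]::GetHostAddresses("$reversed.$Zone")
        # An A record (usually 127.0.0.x) means the IP is listed; the last octet is the provider's reason code
        [pscustomobject]@{ IP = $Ip; Listed = $true; Code = $answer[0].IPAddressToString }
    } catch {
        # NXDOMAIN raises a SocketException: the IP is not listed in this zone
        [pscustomobject]@{ IP = $Ip; Listed = $false; Code = $null }
    }
}

function Get-RemoteMx {
    param([string]$Domain)
    # No MX, or an MX host that does not resolve, is the "bad MX record" case in Task 1
    Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        Sort-Object Preference |
        ForEach-Object {
            $mxHost = $_.NameExchange
            $addr = (Resolve-DnsName -Name $mxHost -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' }).IPAddress
            [pscustomobject]@{ Domain = $Domain; Preference = $_.Preference; MX = $mxHost; ResolvesTo = ($addr -join ',') }
        }
}

Get-RemoteMx -Domain 'partner.example' | Format-Table -AutoSize
Test-RblListed -Ip '203.0.113.10'   # constructed sample WAN IP (TEST-NET-3), taken from the refused message's headers
```

If the remote party's WAN IP comes back Listed, hand them the Code and the zone so they can request delisting after cleaning up.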


Task 2: Get to know the antispam filter rules.

– Check the source email

  • Check the error returned.
    • If it is an error you think was correct to flag, advise the user that the remote company must correct something. (He's on an RBL, he's relaying, he got a bad SCL because of a badly written email, etc.)
    • If you are unsure that it was flagged as spam for a good reason, dig deeper: skip to Task 3.

– An example in Exchange 2010:




Task 3: With the rule we identified, investigate the issue more deeply.

– Check your agent log to see the real cause of the rejection:

  • Run this PowerShell command (put the sender's address between the quotes; I suggest redirecting the output to a text file with > log.txt): Get-AgentLog | ?{ ($_.P1FromAddress -match "" -or $_.P2FromAddresses -match "") -and $_.Action -eq "RejectMessage" }
    • In the text file you will get entries like this example:
      • Timestamp       : XXXX-XX-XX XX:XX:XX
        SessionId       : XXXXXXXXXXXXXXXX
        IPAddress       : X.X.X.X
        MessageId       :
        P1FromAddress   :
        P2FromAddresses : {}
        Recipients      : {}
        Agent           : Sender Id Agent
        Event           : OnEndOfHeaders
        Action          : RejectMessage
        SmtpResponse    : 550 5.7.1 Missing purported responsible address
        Reason          : MissingPRA
        ReasonData      : No valid PRA
        Diagnostics     :
  • From there, diagnose and adjust your antispam feature if you can.
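The Get-AgentLog query from Task 3, wrapped so that it filters on one sender and counts which agent and reason produced the rejections. This is an added example and not the article's own command; it assumes the Exchange Management Shell on the Hub/Edge server, and the sender address and date range are placeholders.

```powershell
# Added example (not from the article): summarise why one sender's mail was rejected by the antispam agents.
function Get-SenderRejections {
    param(
        [Parameter(Mandatory = $true)][string]$Sender,       # placeholder, e.g. 'someone@partner.example'
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date)
    )
    # -match takes a regex, so escape the address to match it literally ("." would otherwise match anything)
    $pattern = [regex]::Escape($Sender)
    Get-AgentLog -StartDate $StartDate -EndDate $EndDate |
        Where-Object {
            $_.Action -eq 'RejectMessage' -and
            ($_.P1FromAddress -match $pattern -or (($_.P2FromAddresses -join ';') -match $pattern))
        }
}

$hits = Get-SenderRejections -Sender 'someone@partner.example'

# One row per rejection with the fields Task 3 tells you to read
$hits | Select-Object Timestamp, IPAddress, Agent, Reason, ReasonData, SmtpResponse | Format-Table -AutoSize

# Which agent/reason pair is responsible, most frequent first (e.g. "Sender Id Agent, MissingPRA")
$hits | Group-Object Agent, Reason | Sort-Object Count -Descending | Select-Object Count, Name

# Keep the raw entries for the ticket
$hits | Out-File log.txt
```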


Task 4: Reporting script.


Get-AntispamFilteringReport.ps1 : Get a general report of which agent blocks the most.

Get-AntispamSCLHistogram.ps1 : Retrieve a chart of the SCL values of the spam received.

Get-AntispamTopBlockedSenderDomains.ps1 : Retrieve the top blocked sender domains. Don't forget they can be forged domains; the Sender ID antispam feature helps us there.

Get-AntispamTopBlockedSenderIPs.ps1 : Retrieve the top IPs that send us spam. If you get big numbers there you can list the IP in a block rule in the antispam feature or block it directly on the router, to avoid an RBL check every time for that IP.

Get-AntispamTopBlockedSenders.ps1 : Retrieve the top senders.

Get-AntispamTopRBLProviders.ps1 : Retrieve which RBL blocks the most. Use that chart before removing an RBL. Some RBLs are too strict at times, but removing one can let a lot of spam actually enter. When a user calls, the dilemma is accepting one email versus everything the RBL blocks.

Get-AntispamTopRecipients.ps1 : Top users that receive spam.

Applies to

Exchange 2007
Exchange 2010
Exchange 2013


Directory Service: NETLOGON missing after a restore


SYSVOL is empty but the share exists. The NETLOGON share does not exist. The GPO console lists all the old GPOs but can't display any detail for any of them.


First DC (DC#1) on Windows 2003
Second DC (DC#2) on Windows 2008 R2
Both are Global Catalogs.
DC#1 is old and no longer in the backup schedule. DC#2 holds all the FSMO roles and is the primary DC.
The datastore died. We restored the system state from DC#2, and we found ourselves facing the FAQ that the SYSVOL is empty.
From the tape we found that the SYSVOL was not replicating, so it seems to be an issue where SYSVOL does not replicate when you have a 2003 DC and you DCPROMO a 2008 DC.

How to

The first step done was this:

To complete an authoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D4 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
When the FRS service is restarted, the following actions occur:
• The value of the BurFlags registry key is set back to 0.
• An event 13566 is logged to signal that an authoritative restore has started.
• Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
• The FRS database is rebuilt based on the current file inventory.
• When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.
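The BurFlags procedure above as a PowerShell script, including the check for events 13566 and 13516 that the steps say to expect. This is an added example, not code from the article or from the KB text it quotes; it assumes an elevated PowerShell 2.0 or later session on the DC whose SYSVOL copy should win (DC#2 here), and the timeout is an assumption.

```powershell
# Added example (not from the article): authoritative FRS restore of SYSVOL via BurFlags, with event check.
$KeyPath = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Invoke-FrsAuthoritativeRestore {
    param([int]$TimeoutMinutes = 15)   # assumed wait for FRS to come back up
    $started = Get-Date
    Stop-Service -Name NtFrs -Force     # step 3: net stop ntfrs

    # The key name contains "/", which the PowerShell registry provider treats as a path separator,
    # so write the value through the .NET registry API instead of Set-ItemProperty.
    # D4 = authoritative (this DC wins); the other DCs in the replica set get D2 (non-authoritative).
    [Microsoft.Win32.Registry]::SetValue($KeyPath, 'BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)

    Start-Service -Name NtFrs           # step 10: net start ntfrs

    # Poll the FRS log until 13516 (FRS operational) appears or the timeout expires
    do {
        Start-Sleep -Seconds 15
        $operational = Get-EventLog -LogName 'File Replication Service' -After $started -ErrorAction SilentlyContinue |
                       Where-Object { $_.EventID -eq 13516 }
    } while (-not $operational -and ((Get-Date) - $started).TotalMinutes -lt $TimeoutMinutes)

    # Report the two events the procedure expects plus the BurFlags value, which FRS resets to 0
    $events = Get-EventLog -LogName 'File Replication Service' -After $started -ErrorAction SilentlyContinue |
              Where-Object { @(13566, 13516) -contains $_.EventID } |
              Sort-Object TimeGenerated |
              Select-Object TimeGenerated, EventID, Message
    [pscustomobject]@{
        BurFlags  = [Microsoft.Win32.Registry]::GetValue($KeyPath, 'BurFlags', -1)
        Events    = $events
    }
}

$result = Invoke-FrsAuthoritativeRestore
$result.Events | Format-Table -AutoSize -Wrap
if (-not ($result.Events | Where-Object { $_.EventID -eq 13516 })) {
    Write-Warning 'Event 13516 was not logged: check the FRS configuration before going further.'
}
```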


After that test, the folder was still empty.
So the final test was simple.
I created the scripts folder in c:\windows\SYSVOL\SYSVOL\domain.name\SCRIPTS, shared it as NETLOGON and ran: DCGPOFIX
That resets/recreates the default domain policy, and after that you just need to delete all the old GPOs that are still empty in your console.


Thanks everyone !


NB: this article is also published on the TNWiki: