  1. Senior Member rsutton's Avatar
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #1

    Exchange 2k3 SPAM

    How do you guys deal with the type of spam where the spammer forges the from field to be the same as the to field? I have this problem at two different companies and they are going to have my balls if I don't fix it soon. =(

    SBS 2k3 & plain ol' Exchange 2k3

  2. SS
  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    I assume they're also not willing to spend any money

  4. Nidhoggr, the Net Serpent Claymoore's Avatar
    Join Date
    Nov 2007
    Location
    FL
    Posts
    1,622

    Certifications
    AWS Architect, MCSEx3, MCITPx6, MCTSx17
    #3
    Does their mail server have the ability to use Sender Policy Framework (SPF) records for message filtering? You could create and publish SPF records for your domain and they could use those records to filter the spoofed emails.

    http://www.microsoft.com/mscorp/safe...d/default.mspx
    Sender Policy Framework - Wikipedia, the free encyclopedia
    SPF: Project Overview

  5. Senior Member paintb4707's Avatar
    Join Date
    Sep 2007
    Location
    Long Island, New York
    Posts
    421

    Certifications
    A+, Network+
    #4
    Email Security Software - Antispam Software - Malware Protection - Ninja Email Security

    The best Exchange anti-spam software I ever used. We had a huge spam problem here when I first started. I tried GFI Anti-Spam beforehand for a few months. Tweak after tweak after tweak, still about 60% of the spam was getting through. I tried Sunbelt Ninja out of the box and immediately about 95% of it was gone. Sunbelt gives the end-user total control of emails that are tagged as spam by dropping it in a Quarantine folder. They also have the ability to block and allow whatever senders they choose. They claim that the anti-spam has learning capabilities too but not too sure how it works. They suggest that you run the program for a month or two before enabling it.

    Very robust program. Also has individual policies, anti-virus, attachment blocking/scanning, disclaimers, etc. The reporting is great too and the support team is fantastic.

    Note: I do not work for Sunbelt Software
    Last edited by paintb4707; 07-15-2009 at 02:54 PM.

  6. Senior Member rsutton's Avatar
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #5
    Thanks for the responses, really helps me think this through.

    One company is using Postini to filter SPAM and it is pretty good but it never seems to catch these emails. Actually have been reading up on SPF (for a totally different reason, also spam related however) and that might be what I have to do.

    Thanks for the input and product recommendation!

  7. Senior Member
    Join Date
    Apr 2006
    Posts
    251

    Certifications
    Security+, CCNA, MCSE 2003: Security
    #6
    I too have used both GFI and Sunbelt and agree with Paint's post.

  8. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #7
    Quote Originally Posted by rsutton View Post
    One company is using Postini to filter SPAM and it is pretty good but it never seems to catch these emails. Actually have been reading up on SPF (for a totally different reason, also spam related however) and that might be what I have to do.
    That's one of the best anti-spam services available, have you adjusted the Postini settings to make it more aggressive?

  9. Senior Member rsutton's Avatar
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #8
    The user has her Postini junk mail settings configured as "aggressive" for everything. Somehow it still gets through and happens to be rather obscene content.

  10. Nidhoggr, the Net Serpent Claymoore's Avatar
    Join Date
    Nov 2007
    Location
    FL
    Posts
    1,622

    Certifications
    AWS Architect, MCSEx3, MCITPx6, MCTSx17
    #9
    Quote Originally Posted by rsutton View Post
    The user has her Postini junk mail settings configured as "aggressive" for everything. Somehow it still gets through and happens to be rather obscene content.
    They have probably whitelisted your domain name to make sure that all your email goes through. They could try removing the domain whitelist and use your mail server IP address in the whitelist, or they could remove both and rely on SPF records. Since you have a close working relationship with them, the IP whitelist would probably be faster.

    SPF was created as a reputation model to thwart these kind of spam tactics. The mail may say that it came from you, but if it didn't come from the mail servers listed in your SPF records then it is spam. Works much better than reverse DNS lookups for the mail servers, something that doesn't work at all in 2003. You can configure DNS lookups on 2003, but all it does is add overhead without ever blocking a message.

  11. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,087

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #10
    We use MailMarshal. It will cost you some money, 3-4 grand!
    You can use IMF that comes with Exchange 2003, or as a download I should say, but it is not that great of a spam catcher.
    As far as the spoofing of your TO address, SPF records will help, but
    unfortunately not all mail/DNS servers use this technology. I get some of that at home, but I would keep looking... They are spoofing your address, that is the issue. Try blacklist providers, they help as well.

  12. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,087

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #11
    rsutton

    Emails are checked against DNS servers. DNS servers house SPF records, which are the authority to send email from a server... These records list IP addresses or DNS names, authoritative email servers that can spoof/send email from...

    Emails are checked against the SPF record to make sure so-and-so server can send email from it, and of course you have to set up email servers to accept email from as well.

    But not everyone uses this SPF technology. Not sure why, but they should.
    ----------------------------------------------------------------
    It is good you are getting some advice. MailMarshal is excellent and way easy to use
    but very powerful... I would go with software you can do as a trial and that the techs help set it up on your network as well, with you watching of course through like a WebEx session. But do the trials for like 60 days, that way you can see what it can do. We did that with MailMarshal and they gave us a 60 day trial and helped set it up on our network. After 30 days we loved it... great tech support and all. These are key.
    --------------------------------------------------------------------------
    Also you can try and have your email go to a proxy email server, much like a front-end server, where the email is screened before it hits your email server (backend).
    Our front-end email servers at an ISP spam-tag emails with a scale rating, and
    MailMarshal has the ability to screen the header files of the emails and read the spam tags, and we have it store for 30 days any spam tag 5 or greater to a folder where we check if people complain about not getting their emails. I just check the spam catcher folder and bam, there it is... MailMarshal rocks... that Ninja program looks good too!
    ----------------------------------------
    Last edited by itdaddy; 07-16-2009 at 03:48 PM.

  13. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,145

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); MCSA 2016/2012/2K3/2K; MCSE:S 2K3/2K; MCSE:M 2K3/2K; MCTS:Exch2K7; EMCSA:CLARiiON; Linux+; Security+; A+
    #12
    SPF will help you a lot.

    For a managed solution, we are using MS Forefront Online Security. They charge a subscription rate per mailbox per month (varies depending on how many users), and you really don't have to manage it at all.

    We get virtually zero spoofed emails and spam of any kind (other than the kind people sign up for and forget/didn't realize they signed up for it) is almost non-existent. 99% of all email destined for our domains are spam messages, and Forefront Online does as good or better than any solution I've ever used in the past.
    IT guy since 12/00

    Recent: 1/29/2018 - Passed 70-743 - MCSA 2016 Complete; 1/13/2018 - Passed 70-411 - MCSA 2012 complete
    Working on: Being a better coder, build/test/deploy automation fundamentals
    Future: Renew VCP (due 2/2019), possibly with an adjacent VCP or VCAP
