Enterprise Software Thread, Exchange Virus? in Technical
  1. #16

    SYNACK's Avatar
    It sounds like you are being backscattered. This is when someone upstream is sending spam and spoofing one of your email addresses. When these get marked as spam or denied because the address does not exist, all the failure reports come back to the address that apparently sent it.

    The best way to get around this is mave your domain name provider and get them to set up SPF records on your domain which set up rules on where email can originate from. Most antispam products now will run SPF checks on a domain name to make sure that the sender is actually allowed to be the source of an email from that domain. This does not prevent all of these types of incidents but it does totally help.

  2. #17

    RabbieBurns's Avatar
    Quote Originally Posted by SYNACK View Post
    It sounds like you are being backscattered. This is when someone upstream is sending spam and spoofing one of your email addresses. When these get marked as spam or denied because the address does not exist, all the failure reports come back to the address that apparently sent it.

    The best way to get around this is mave your domain name provider and get them to set up SPF records on your domain which set up rules on where email can originate from. Most antispam products now will run SPF checks on a domain name to make sure that the sender is actually allowed to be the source of an email from that domain. This does not prevent all of these types of incidents but it does totally help.
    Can you elaborate on the second paragraph? This is happening to us too, but I don't understand your solution.

  3. #18

    SYNACK's Avatar
    Quote Originally Posted by RabbieBurns View Post
    Can you elaborate on the second paragraph? This is happening to us too, but I don't understand your solution.
    Sender Policy Framework - Wikipedia, the free encyclopedia
    HOWTO - Define an SPF Record
    SPF Query Tool

    Basically it is just a text record that goes into your domain name records and defines which servers can send email for that domain. It does not prevent anyone from sending stuff spoofed from your domain but if the receiving server has a modern filter it will check the source of the email and drop it silently if it does not come from one of the sources specified in your domain record.

    As long as your reverse DNS records are set up right, link shows up as mail.yourdomain.org in reverse lookup (which it should do anyway to avoid pre-emptive filtering) then it works quite well. Like everything to do with spam it is not foolproof as not everyone implements it but it certainly helps.

  4. Thanks to SYNACK from:

    RabbieBurns (19th March 2011)

  5. #19

    RabbieBurns's Avatar
    Thanks, I'll have a look at our DNS records on Monday and see if I can add in an SPF

  6. #20

    Hi

    To add further to SPF Framework, you can use the wizard in the link below to create your records. MSFT will help you for free to a certain point. Gives you a high level overview for those who are not too technical. Valuable resource for SPF. Bear in mind, creating SPF records needs to be looked into. I will not repeat everything as the link below explains well, however be careful if you do use 3rd party companies who use Sender Addresses as I have had to implement this for many domains, from a school perspective this may not apply, but I have come across some schools who use 3rd parties.

    Also, configuring Exchange for SPF may have an undesirable action. If some companies don't register for SPF then this can cause issues such as email not being delivered to your Exch Org.

    Sender ID Home Page

    However, I'm still interested in the original post whereby the spam managed to get through. It would be interesting to see the content of one of the messages.

    Sukh

  7. Thanks to sukh from:

    RabbieBurns (20th March 2011)

  8. #21
    arthur231283's Avatar
    Quote Originally Posted by sukh View Post
    However, I'm still interested in the original post whereby the spam managed to get through. It would be interesting to see the content of one of the messages.
    Here is the contents of one of the e-mails that showed up in the user's Sent Items folder:

    This is to notify you that you are over your mailbox limit which is 250MB as set by your mailbox manager, you are currently at 257MB, you will not be able to create new e-mail to send or receive messages until you validate your mailbox. To re-validate your account, click here:
    Help Desk

  9. #22
    arthur231283's Avatar
    Also all the e-mails had the address li@li.com in the To field and had different e-mail addresses in the BCC field

  10. #23

    Hi

    @Arthur, what AS service/product are you using?

    Sukh

  11. #24
    arthur231283's Avatar
    Quote Originally Posted by sukh View Post
    what AS service/product are you using?
    AS?

    Anti Spyware: Sophos anti virus includes an anti spyware
    Anti Spam: other than the features included with Exchange/Outlook, none

  12. #25

    Correct. AS is anti spam.

    Is the AS feature turned on in Exchange?

    Email may have been stopped if AS was being used before email hits your Exchange server. Does depend on how the message is structured and the engines/intelligence of the product.

    As a test can you forward the original message to info@aiedo.co.uk and also send as an attachment item via Outlook so I can do some tests?

    Sukh

  13. Thanks to sukh from:

    arthur231283 (22nd March 2011)

  14. #26

    Interesting that you're on LGfL as we are too. We've been getting vast amounts (i.e. between 4000-5000) of emails daily attempting to use our SMTP as a relay. I contacted Synetrix about this and they said they could do nothing about it. In the end I stuck McAfee's Web Shield on our firewall (ISA Server) to intercept it - basically another SMTP server but on the firewall itself. This detects attempted relay mail and junks it. A fairly old program but it works. I'm sure there are better options but this works and the junk never reaches the mail server.
    If you want Synetrix to add a DNS record for you to their DNS servers it'll cost you plenty.

  15. Thanks to timzim from:

    arthur231283 (22nd March 2011)

  16. #27
    arthur231283's Avatar
    Quote Originally Posted by sukh View Post
    As a test can you forward the original message to info@aiedo.co.uk and also send as an attachment item via Outlook so I can do some tests?
    E-mail sent

    Thanks

  17. #28

    Hi

    @Arthur - I've done some tests and just to give you high level info, the AS service which we are using instantly blocks the email. So the email doesn't even hit our gateways. I don't happen to have a USB with me today, but I will test within the Exch Org and let you know the results if you're still interested. The link in the content is obvious spam, therefore it was blocked even before entering the Exch Org. I suppose it will come down to the products/service you are using.

    Does your license cover you for MSFT FPE 2010?

    Sukh

  18. Thanks to sukh from:

    arthur231283 (22nd March 2011)

  19. #29
    arthur231283's Avatar
    Quote Originally Posted by sukh View Post
    Does your license cover you for MSFT FPE 2010?
    I will have a look into this today but I would assume so, we have the Microsoft Schools agreement so are covered for most products.

    I really appreciate you looking into this for me

    Arthur

  20. #30

    Hi

    @Arthur - If you deploy FPE then this will be picked up. However, you should really scan your emails for AS before emails enter your Org, maybe at the gateway or better still in the cloud. This may be a little costly but you may get an educational discount, for example, if you use MSFT EHS. I very much doubt Symantec will offer the cloud hygiene at a discounted rate but I'd call them and ask.

    Sukh
