It sounds like you are being backscattered. This is when someone upstream is sending spam and spoofing one of your email addresses. When these get marked as spam or denied because the address does not exist, all the failure reports come back to the address that apparently sent it.
The best way to get around this is mave your domain name provider and get them to set up SPF records on your domain, which set up rules on where email can originate from. Most antispam products now will run SPF checks on a domain name to make sure that the sender is actually allowed to be the source of an email from that domain. This does not prevent all of these types of incidents but it does totally help.
Sender Policy Framework - Wikipedia, the free encyclopedia
HOWTO - Define an SPF Record
SPF Query Tool
Basically it is just a text record that goes into your domain name records and defines which servers can send email for that domain. It does not prevent anyone from sending stuff spoofed from your domain but if the receiving server has a modern filter it will check the source of the email and drop it silently if it does not come from one of the sources specified in your domain record.
As long as your reverse DNS records are set up right, link shows up as mail.yourdomain.org in reverse lookup (which it should do anyway to avoid pre-emptive filtering) then it works quite well. Like everything to do with spam it is not foolproof as not everyone implements it but it certainly helps.
RabbieBurns (19th March 2011)
Thanks, I'll have a look at our DNS records on Monday and see if I can add in an SPF
To add further to SPF Framework, you can use the wizard in the link below to create your records. MSFT will help you for free to a certain point. Gives you a high level overview for those who are not too technical. Valuable resource for SPF. Bear in mind, creating SPF records needs to be looked into. I will not repeat everything as the link below explains well, however be careful if you do use 3rd party companies who use Sender Addresses as I have had to implement this for many domains, from a school perspective this may not apply, but I have come across some schools who use 3rd parties.
Also, configuring Exchange for SPF may have an undesirable action. If some companies don't register for SPF then this can cause issues such as email not being delivered to your Exch Org.
Sender ID Home Page
However, I'm still interested in the original post whereby the spam managed to get through. It would be interesting to see the content of one of the messages.
RabbieBurns (20th March 2011)
This is to notify you that you are over your mailbox limit which is 250MB as set by your mailbox manager, you are currently at 257MB, you will not be able to create new e-mail to send or receive messages until you validate your mailbox. To re-validate your account, click here:
@Arthur, what AS service/product are you using?
Correct. AS is anti-spam.
Is the AS feature turned on in Exchange?
Email may have been stopped if AS was being used before email hits your Exchange server. Does depend on how the message is structured and the engines/intelligence of the product.
As a test can you forward the original message to email@example.com and also send as an attachment item via Outlook so I can do some tests?
Interesting that you're on LGfL as we are too. We've been getting vast amounts (i.e. between 4000-5000) of emails daily attempting to use our SMTP as a relay. I contacted Synetrix about this and they said they could do nothing about it. In the end I stuck McAfee's Web Shield on our firewall (ISA Server) to intercept it - basically another SMTP server but on the firewall itself. This detects attempted relay mail and junks it. A fairly old program but it works. I'm sure there are better options but this works and the junk never reaches the mail server.
If you want Synetrix to add a DNS record for you to their DNS servers it'll cost you plenty.
@Arthur - I've done some tests and just to give you high level info, the AS service which we are using instantly blocks the email. So the email doesn't even hit our gateways. I don't happen to have a USB with me today, but I will test within the Exch Org and let you know the results if you're still interested. The link in the content is obvious spam therefore it was blocked even before entering the Exch Org. I suppose it will come down to the products/service you are using.
Does your license cover you for MSFT FPE 2010?
@Arthur - If you deploy FPE then this will be picked up. However, you should really scan your emails for AS before emails enter your Org, maybe at the gateway or better still in the cloud. This may be a little costly but you may get an educational discount, for example, if you use MSFT EHS. I very much doubt Symantec will offer the cloud hygiene at discounted rate but I'd call them and ask.