Exchange Virus?

Printable View

Show 25 post(s) from this thread on one page

19th March 2011, 08:37 AM
SYNACK

It sounds like you are being backskattered. This is when someone upstream is sending spam and spoofing one of your email addresses. When these get marked as spam or denied because the address does not exist all the failure reports come back to the address that apparently sent it.

The best way to get around this is mave your domain name provider and get them to setup SPF records on your domain which set up rules on where email can originate from. Most antispam products now will run SPF checks on a domain name to make sure that the sender is actually alowed to be the source of an email from that domain. This does not prevent all of these types of incidents but it does totally help.
19th March 2011, 08:48 AM
RabbieBurns

Quote:

Originally Posted by SYNACK

It sounds like you are being backskattered. This is when someone upstream is sending spam and spoofing one of your email addresses. When these get marked as spam or denied because the address does not exist all the failure reports come back to the address that apparently sent it.

The best way to get around this is mave your domain name provider and get them to setup SPF records on your domain which set up rules on where email can originate from. Most antispam products now will run SPF checks on a domain name to make sure that the sender is actually alowed to be the source of an email from that domain. This does not prevent all of these types of incidents but it does totally help.

Can you elaborate on the second paragraph? This is happening to us too, but I dont understand your solution.
19th March 2011, 09:08 AM
SYNACK

Quote:

Originally Posted by RabbieBurns

Can you elaborate on the second paragraph? This is happening to us too, but I dont understand your solution.

Sender Policy Framework - Wikipedia, the free encyclopedia
HOWTO - Define an SPF Record
SPF Query Tool

Basicly it is just a text record that goes into your domain name records and defines which servers can send email for that domain. It does not prevent anyone from sending stuff spoofed from your domain but if the reciving server has a modern filter it will check the source of the email and drop it silently if it does not come from one of the sources specified in your domain record.

As long as your reverse DNS records are setup right, link shows up as mail.yourdomain.org in reverse lookup (which it should do anyway to avoid pre-emptive filtering) then it works quite well. Like everything to do with spam it is not full proof as not everyone implements it but it certainly helps.
19th March 2011, 09:12 AM
RabbieBurns

thanks, ill have a look at our DNS records on Monday and see if I can add in a SPF
20th March 2011, 04:40 PM
sukh

Hi

To add futher to SPF Framework, you can use the wizrad in the link below to create your records. MFST will help you for free to a cetain point. Gives you a high level overview for those who are not too technical. Valuable resource for SPF. Bear in mind, creating SPF records need to be looked into. I will not repeat everything as the link below explains well, however be carfeul if you do use 3rd party companies who use Sender Addresses as I have had to implement this for many domains, from a school perspective this may not apply, but I have come across some schools who use 3rd partys.

Also, configuring Exchange for SPF may have an undesirable action. If some companies don't register for SPF then this can cause issues such as email not being delivered to your Exch Org.

Sender ID Home Page

However, i;m still interested in the original post whereby the spam managed to get through. It would be interesting to see the content of one of the messages.

Sukh
20th March 2011, 07:31 PM
arthur231283

Quote:

Originally Posted by sukh

However, i;m still interested in the original post whereby the spam managed to get through. It would be interesting to see the content of one of the messages.

Here is the contents of one of the e-mails that showed up in the users sent items folder:

This is to notify you that you are over your mailbox limit which is 250MB as set by your mailbox manager, you are currently at 257MB, you will not be able to create new e-mail to send or receive messages until you validate your mailbox. To re-validate your account, click here:
Help Desk
20th March 2011, 07:33 PM
arthur231283

Also all the e-mails had the address li@li.com in the To field and had different e-mail addresses in the BCC field
20th March 2011, 09:05 PM
sukh

Hi

@Arthur, what AS service/product are you using?

Sukh
21st March 2011, 07:24 AM
arthur231283

Quote:

Originally Posted by sukh

what AS service/product are you using?

AS?

Anti Spyware: Sophos anti virus includes an anti spyware
Anti Spam: other than the features included with exchange/outlook none
21st March 2011, 08:32 AM
sukh

Correct. AS is anit spam.

Is the AS feature turned on in Exchange?

Email may have been stopped if AS was being used before email hits your Exchange server. Does depend on how the message is structured and the engines/intelligence of the product.

As a test can you forward the original message to info@aiedo.co.uk and also send as an attachment item via Outlook so I can do some tests?

Sukh
21st March 2011, 10:03 AM
timzim

Interesting that you're on LGfL as we are too. We've been getting vast amounts (i.e. between 4000-5000) of emails daily attempting to use our SMTP as a relay. I contacted Synetrix about this and they said they could do nothing about it. In the end I stuck McAfee's Web Shield on our firewall (ISA Server) to intercept it - basically another SMTP server but on the firewall itself. This detects attempted relay mail and junks it. A fairly old program but it works. I'm sure there are better options but this works and the junk never reaches the mail server.
If you want Synetrix to add a DNS record for you to their DNS servers it'll cost you plenty.
21st March 2011, 01:12 PM
arthur231283

Quote:

Originally Posted by sukh

As a test can you forward the original message to info@aiedo.co.uk and also send as an attachment item via Outlook so I can do some tests?

E-mail sent

Thanks
21st March 2011, 05:05 PM
sukh

Hi

@Arthur - I've done some tests and just to give you high level info, the AS service which we are are using instantly blocks the email. So the email doesn't even hit our gateways. I don't happen to have a USB with me today, but I will test within the Exch Org and let you know the results if you're still interested. The link in the content is obvious spam therefore it was blocked even before entering the Exch Org. I suppose it will come down to the products/service you are using.

Does your license cover you for MSFT FPE 2010?

Sukh
22nd March 2011, 07:39 AM
arthur231283

Quote:

Originally Posted by sukh

Does your license cover you for MSFT FPE 2010?

I will have a look into this today but I would assume so, we have the Microsoft Schools agreement so are covered for most products.

I really appreciate you looking into this for me

Arthur
24th March 2011, 09:41 AM
sukh

Hi

@Arthur - If you deploy FPE then this will be picked up. However, you should really scan your emails for AS before emails enter your Org, maybe at the gateway or better still in the cloud. This may be a little costly but you may get an educational discount, for example, if you use MSFT EHS. I very much doubt Symantec will offer the cloud hygene at discounted rate but I'd call them and ask.

Sukh

Show 25 post(s) from this thread on one page