Solved

Would like to know how to block spam emails on MS Exchange

Posted on 2006-11-26
20
379 Views
Last Modified: 2010-05-18
Hello,
I have MS Exchange 2003 running on Windows 2003 Enterprise.  It has been working great until this morning, when I saw my spam emails arrive unexpectedly.  I have already set up Intelligent Message Filtering + IP deny or accept under \Global Settings\Message Delivery.  It had been working great before until this morning.  Now it seems that the subject of each email is "Sandra wrote...Mike wrote...James wrote"; most of them have the "Wrote" suffix on the subject.  I would like to know if there is a way I can filter by subject or by keyword on MS Exchange?  FYI--I set up the following:

1.  Block messages on an SCL rating greater than or equal to = 6
2.  When blocking messages = Archive
3.  Move messages on an SCL rating greater or equal to = 5

Please help, this is urgent.  Any tips would keep MS Exchange in good shape for avoiding spam.

Thank you!
DK
0
Comment
Question by:dykirin
20 Comments
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18016328
Yes you can.  There are a couple of files that you can edit to add certain keywords and an action like add 5 to scl etc.

Here is the article; down toward the bottom it explains what files to edit, how to edit them, etc.

http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

This is a part of IMF.  Also IMF tune is a great application that adds some more functionality and configuration to IMF.
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18016345
Sorry, I should have added that it is called Custom Weighting; you will see it toward the bottom of the article.  It should do exactly what you are looking for.  Also make sure you update your Exchange IMF Definitions; like any other software it needs to be updated, and there are two updates per month for it.  Check out Microsoft Update.  Also, if you still cannot combat spam with this, try a 3rd party application such as Trend Micro ScanMail Suite or GFI MailSecurity and MailEssentials.  IMF is nice, but not an all-around solution.
0
 

Author Comment

by:dykirin
ID: 18016365
Matthew,
Thank you for your quick response.  FYI- I have IMFCompanion and IMFFiltering installed on this server and they have been working great. I'm not an expert in how to use these utilities.  Could you please give me three examples of how to use them to block these tedious spams?  Please give me three easy steps.

Thanks a zillion!
DK
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18016484
GFI is an application installed on top of Exchange; it can filter spam and viruses, and hopefully you are using some form of virus filter now.  It also allows you to set up custom attachment policies, outbreak settings, custom responses to blocked emails, etc. http://www.gfi.com/mes/

Trend Micro is much the same; their ScanMail suite allows you to have spam and phishing filtering, virus scanning, and attachment policies.  http://www.trendmicro.com/en/products/email/overview.htm

IMF Tune allows you to customize many of the settings of IMF such as reject and archive, where to archive messages, custom responses to blocked messages, and a very simple keyword to SCL mapping feature, which is what you wanted to do to start with.  I have used this a few times in different Exchange environments; it really makes IMF configuration easy and adds some features.  http://www.windeveloper.com/imftune/

All of those are paid pieces of software; some are licensed per user, others per server, etc.  You would have to contact a distributor to get pricing.

Your original question as to adding custom keywords to filter in IMF can be easily done with existing technology for free.  Here is the example from the article I posted earlier.

First register the message filter DLL:
regsvr32 Drive_letter:\Program Files\Exchsrvr\bin\MSCFV2\MSExchange.UceContentFilter.dll

Open MSExchange.UceContentFilter.xml, located in the directory above, and you can add phrases and keywords to that file.

For example, the third line says: look in the body of the email, match "Tortured with health problems", and if that happens add 1 to the SCL value.  The same thing goes for items that are being marked incorrectly as spam: you could add a line to match a phrase and lower the SCL with a negative value.  The Type is either the body of the message, the Subject, or both, in regards to where to look for the phrase or keyword.  A simple text editor like Notepad can be used to edit the file.

<?xml version="1.0" encoding="UTF-16"?>
<CustomWeightEntries xmlns="http://schemas.microsoft.com/2005/CustomWeight">
     <CustomWeightEntry Type="BODY" Change="1" Text="Tortured with health problems?"/>
     <CustomWeightEntry Type="BODY" Change="-2" Text=" Cigar Sampler and Bonus Gifts for Xmas"/>
     <CustomWeightEntry Type="BODY" Change="4" Text="Special offer"/>
     <CustomWeightEntry Type="BODY" Change="-7" Text="Gratis piller"/>
     <CustomWeightEntry Type="SUBJECT" Change="MIN" Text="Free Pills"/>
     <CustomWeightEntry Type="BOTH" Change="MAX" Text="Cheap Viagra"/>
</CustomWeightEntries>

Hope this makes a little sense and gives you what you need to add your own keywords to IMF to block spam that is getting through.

This can also help a little:
http://msexchangeteam.com/archive/2004/05/26/142607.aspx
This can help you see what SCL values are being assigned to emails through Outlook.  This way you know how much to raise or lower the SCL value in the custom weights.
And again here is the link to the article about the custom weights.
http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

Good luck,

Matt
0
 

Author Comment

by:dykirin
ID: 18017056
Matthew,
I'm getting this error -> LoadLibrary ("D:\Program") failed - the specified module cannot be found. after I ran regsvr32 d:\Program Files\Exchsrvr\bin\MSCFV2\MSExchange.UceContentFilter.dll

If I refer to this path -> d:\Program Files\Exchsrvr\bin\MSCFV2\  I'm seeing two files: *.Dll and *.Dat

1.  MSExchange.UceContentFilter.dat
2.  MSExchange.UceContentFilter.Dll

The two files are showing exactly as above.  Why is the letter "D" capitalized? Is that normal or is something wrong?  Please advise..

When I tried to open the MSExchange.UceContentFilter.Dll file with IE or Notepad I'm seeing garbled characters that cannot be read.  By modifying this file, would I be able to block attachment files with a certain extension?  Please advise...

Regards,
DK

0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 18017129
You have a syntax error there; it should be:

regsvr32 "d:\Program Files\Exchsrvr\bin\MSCFV2\MSExchange.UceContentFilter.dll"

note the ""s

-red
0
 

Author Comment

by:dykirin
ID: 18017169
Now,
I am able to register MSExchange.UceContentFilter.dll, but there is still no file named *.XML or MSExchange.UceContentFilter.xml inside the folder to be able to edit it.
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 18017173
Create a new file called MSExchange.UceContentFilter.xml in that directory and build it as displayed by Matt above.

-red
0
 

Author Comment

by:dykirin
ID: 18017183
Red,
Thank you so much for all your help.  Can you please give me a good example of how to create the commands inside the *.XML file if I want to block any emails with "James Wrote:" on the Subject of each email, as well as incoming emails with the attachment called game.zip?

Thank you!
DK
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 18017191
Matt has already given you the best instructions for that, anything I add would merely be a repetition :)

I only came along because I was watching this question (as I do all questions in Exchange) and saw a quick syntax problem I could resolve for you.  The majority of the work here was from Matt.

-red
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18018714

<?xml version="1.0" encoding="UTF-16"?>
<CustomWeightEntries xmlns="http://schemas.microsoft.com/2005/CustomWeight">
     <CustomWeightEntry Type="SUBJECT" Change="3" Text="James Wrote:"/>
</CustomWeightEntries>

This would be an example of what you want to do.  The change value you will have to determine for what works for you.  Check out the article I posted on how to view the SCL value currently assigned through Outlook.  This way you will know how much you need to raise it to get it moved to junk or be blocked at the gateway.  You could always just use a high number to be sure it gets blocked, such as 6 or 7.

Hope this helps.

Matt
0
 

Author Comment

by:dykirin
ID: 18024935
Matthew,
Thank you for all your help.  Before I credit these points to you I need one last bit of help from you.  I am not sure how to block a series of spam emails that have a subject with "Wrote:"

For example,
I'm getting a massive amount of spam emails that come in with "James wrote:", "Mike Wrote:", "Linda Wrote:", "Steve Wrote:", where the names always change but the suffix "Wrote:" stays the same.  Have any ideas how to block them using your above tool???  Please advise...

Thanks!
DK
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18025523
Sure, you could just use the word "wrote" in the match statement.  This would possibly cause other messages with the word "wrote" in the subject to be marked as spam, however.  Another thing you could try is to see if those messages are coming from a common recipient, such as the same mail server each time.  If so, you could simply block that mail server IP address with connection filtering, global accept / deny configuration.  You could then block a single mail server sending nothing but spam.
0
 

Author Comment

by:dykirin
ID: 18026111
Matthew,
Thanks again for answering my last question.  That is the only thing I'm afraid of: it will block all email if I use "Wrote" in the subject filtering.  Also, each email sent to me seems to come from a DHCP WAN IP, not a fixed IP.  I cannot trace back to the domain of the email server after receiving each email.  What do you mean by "Sure, you could just use the word wrote in the match statement."?

Do you mean this?

<?xml version="1.0" encoding="UTF-16"?>
<CustomWeightEntries xmlns="http://schemas.microsoft.com/2005/CustomWeight">
     <CustomWeightEntry Type="SUBJECT" Change="7" Text="Wrote:"/>
</CustomWeightEntries>


Regards,
DK
0
 
LVL 10

Accepted Solution

by:
MATTHEW_L earned 125 total points
ID: 18027573
Yes, that is what I mean.  You do have the possibility of blocking other emails with "wrote" in the subject.  What I would suggest is to follow the steps in the previous article to determine what SCL values the emails with "wrote" in the subject are coming in at.  For example, if they are all coming in at 3, you could set the change to 2 or 3.  This would ensure that those emails get blocked or sent to junk.  Legitimate emails, which would typically come in at 0, would still have 2 or 3 added to them, but it would not be enough to make them go to junk or be blocked based on your current config of gateway archive set to 6 and move to junk set to 5.
0
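The threshold arithmetic in the accepted solution (a "Wrote:" entry adds a few points, spam already at 3 crosses the gateway threshold of 6, legitimate mail at 0 stays under the junk threshold of 5) and the Type/Change semantics Matt explained earlier can be checked before touching the live filter. The following is an added worked example, not code from this thread and not Microsoft's IMF implementation: a small Python model that parses a custom weight file in the same format, applies its entries to constructed sample messages, and reports where the asker's settings (block at 6, move to junk at 5) would send each one. Assumptions are labelled in the code: matching is treated as case-insensitive substring matching, "MIN"/"MAX" are modelled as forcing the SCL to 0/9 and ending evaluation, and the SCL is clamped to the 0..9 range.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# XML namespace from the custom weight file shown in the thread.
NS = "{http://schemas.microsoft.com/2005/CustomWeight}"
SCL_MIN, SCL_MAX = 0, 9  # SCL range (assumption: 0..9)

# Constructed sample file in the thread's format (not the asker's real file).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-16"?>
<CustomWeightEntries xmlns="http://schemas.microsoft.com/2005/CustomWeight">
     <CustomWeightEntry Type="SUBJECT" Change="3" Text="Wrote:"/>
     <CustomWeightEntry Type="BODY" Change="-2" Text="Quarterly report"/>
     <CustomWeightEntry Type="BOTH" Change="MAX" Text="Cheap Viagra"/>
     <CustomWeightEntry Type="SUBJECT" Change="MIN" Text="[internal-ticket]"/>
</CustomWeightEntries>
"""


@dataclass
class Entry:
    scope: str   # SUBJECT, BODY or BOTH
    change: str  # signed integer as a string, or MIN / MAX
    text: str    # phrase to look for


def load_entries(raw: bytes) -> List[Entry]:
    """Parse a custom weight file; reject values the format does not allow."""
    root = ET.fromstring(raw)  # the file is UTF-16 with a BOM, expat handles that
    entries = []
    for el in root.findall(f"{NS}CustomWeightEntry"):
        scope = el.get("Type", "").upper()
        if scope not in ("SUBJECT", "BODY", "BOTH"):
            raise ValueError(f"unknown Type {el.get('Type')!r}")
        change = el.get("Change", "").upper()
        if change not in ("MIN", "MAX"):
            int(change)  # raises ValueError if Change is not an integer
        entries.append(Entry(scope, change, el.get("Text", "")))
    return entries


def apply_weights(base_scl: int, subject: str, body: str, entries: List[Entry]) -> int:
    """Modelled evaluation of the entries against one message (assumption:
    case-insensitive substring match; MIN/MAX set the SCL and stop)."""
    scl = base_scl
    for e in entries:
        haystack = {"SUBJECT": subject, "BODY": body,
                    "BOTH": subject + "\n" + body}[e.scope]
        if e.text.lower() not in haystack.lower():
            continue
        if e.change == "MIN":
            return SCL_MIN
        if e.change == "MAX":
            return SCL_MAX
        scl += int(e.change)
    return max(SCL_MIN, min(SCL_MAX, scl))


def disposition(scl: int, gateway_threshold: int = 6, store_threshold: int = 5) -> str:
    """Map a final SCL to the outcome under the asker's two thresholds."""
    if scl >= gateway_threshold:
        return "blocked at gateway (archived)"
    if scl >= store_threshold:
        return "moved to Junk E-mail"
    return "delivered to Inbox"


if __name__ == "__main__":
    entries = load_entries(SAMPLE_XML.encode("utf-16"))
    # Constructed messages: (base SCL as IMF might assign it, subject, body)
    samples = [
        (3, "James Wrote:", "buy now"),                 # spam already at 3
        (0, "Re: Steve wrote: meeting", "see attached"),  # legitimate reply at 0
        (1, "Newsletter", "Cheap Viagra today"),         # MAX entry fires
        (7, "[internal-ticket] Bob Wrote: fix", ""),     # MIN entry wins
    ]
    for base, subj, body in samples:
        final = apply_weights(base, subj, body, entries)
        print(f"{subj!r:40} SCL {base} -> {final}: {disposition(final)}")
```

Running it shows the point of the accepted answer in numbers: the "Wrote:" spam goes from 3 to 6 and is archived at the gateway, while a genuine reply containing "wrote:" only goes from 0 to 3 and is still delivered.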
 

Author Comment

by:dykirin
ID: 18034034
Matthew,
Thank you for all your help. I will try to figure it out from here. :) Your feedback helps so much.

Thanks again,
DK
0
 

Author Comment

by:dykirin
ID: 18034182
Matthew,
Could you please tell me why IMFCompanion has not been filtering any spam since I started using your method? Before, I was able to see spam emails coming into the MS Exchange Server.  Please advise..
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18034677
When you say you see spam emails coming into Microsoft Exchange, what do you mean?  Are you saying that since creating the custom weighting you are getting more spam?  Please clarify.
0
 

Author Comment

by:dykirin
ID: 18034741
Matthew,
Please refer to this URL >> http://stoekenbroek.com/imfcompanion/default.htm  I downloaded and installed it on my MS Exchange.  I was able to see the SCL and UCE activities prior to configuring your suggestion.  Now it seems this utility is not working anymore and I cannot see any real-time activity or spam email activity reports.  Before, I was able to see what type of spam emails were coming in.
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18036821
Make sure that your gateway config is still set for Archive.  Also go into Drive Letter:\program files\exchsrvr\mailroot\vsi 1\ucearchive and make sure there are archived emails in there.  Also make sure that IMF Companion is pointing to that location for the archives.  Are new files being added to that directory (i.e. being archived)? Check the time stamps.  Also, you may try using message tracking to see that messages are being rejected and archived at the gateway.
0