pharmon96 asked:

Exchange 2003 SPAM and Virus Problem

We are running Exchange 2003 SP2 (on a Win2k3 Server) with Trend Micro Scanmail 7.0 for spam/virus filtering. Trend Micro OfficeScan 7.3 is also running on this server now. The mail clients are a mix of Outlook 2k and 2k3.

I've only been in my position for about 7 months and I've inherited this network configuration. This server is hit by a lot of spam and viruses now. Here is a little back history on the problem.

About 2 months after I started here I came in one morning to find our Internet gateway being flooded with traffic. No one could access the Internet. I unplugged the Exchange server and everything went back to normal. At that time only ScanMail was installed on the Exchange server for filtering and virus protection (no OfficeScan). I installed OfficeScan and its real-time scan identified a worm (I don't remember which one now) in \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\. OfficeScan reported, "OfficeScan detected a security risk but is unable to clean or quarantine the file". Even though OfficeScan reported it could not fix the problem, the problem stopped! The spamming stopped. So with the help of a Microsoft MCSE we wiped and reloaded the server (loaded Exchange with SP2, an Exchange hotfix, ScanMail 7, and OfficeScan 7.3). Everything was running great. Some users were getting about 100 spam messages a day and that went to 0 after the reinstall.

Well, about a month or 2 later OfficeScan started reporting worm after worm in the \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ folder (for example, Worm Bagle.JG in infected file NTFS_4bae9c0201c7754900026438.EML (rqrzppmouic.exe)). OfficeScan detects on average 4 to 5 worms a day (Worm Bagle.JG, Possible_Strat-2, Worm Mydoom, Worm Netsky, and Mytob.AE) and now some spam is getting through ScanMail. In a 24 hour period (4/4-4/5) the ScanMail Realtime Monitor reported 219,962 messages scanned and only 2,788 were spam messages. We only have about 70 users and they do not receive that much email! Now I'm afraid Exchange has been compromised and possibly relaying spam!

I need some help PLEASE!
mcrossland:

The very first thing that I would do is move your spam protection to an external provider. This lets them handle the load of virus and spam scanning, which reduces the load on your Exchange server.
I currently use www.postini.com and am very pleased with delivery time, usually within seconds.
As far as your Exchange system already being compromised, I also layer a virus scanning solution on my Exchange servers that uses multiple scan engines. You can get a free trial which will clean your Exchange store at http://www.microsoft.com/antigen/downloads/privacy-exchange-sm.mspx
I have been using Antigen for Exchange for YEARS and it works wonderfully to keep the information store clean of viruses both inbound and outbound. Such a nice product that Microsoft purchased it.
Forgot to mention that when you set up an external spam filter service, best practice is to ONLY accept port 25 email from their IP range. This takes care of a lot of CRAP.
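Checking inbound SMTP sources against the filtering provider's address ranges, as an added example that is not code from this thread or from any provider: the ranges below are RFC 5737 documentation prefixes standing in for whatever list your provider publishes (not Postini's real addresses), and the connection sample is constructed. The decision itself is what a firewall rule or the SMTP virtual server's connection control would enforce; written out this way it can be run over a connection log to see what the rule would have let through.

```python
import ipaddress

# Assumed stand-in for the filtering provider's published outbound relay ranges.
# These are documentation prefixes (RFC 5737), NOT a real provider's addresses;
# substitute the list your provider publishes and keep it current.
PROVIDER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample of connections seen on TCP/25, as (source IP, HELO name).
SAMPLE_CONNECTIONS = [
    ("203.0.113.17", "outbound1.filter.example"),    # provider relay
    ("198.51.100.9", "outbound2.filter.example"),    # provider relay
    ("192.0.2.44", "dsl-192-0-2-44.isp.example"),    # direct-to-MX, skipped the filter
    ("198.51.100.200", "relay.filter.example"),      # plausible name, but outside the /25
    ("10.0.0.5", "copier-2ndfloor"),                 # internal device submitting mail
]


def allowed_smtp_source(ip, ranges=PROVIDER_RANGES):
    """True only if `ip` lies inside one of the provider's published ranges.

    Matching is done on the address, never on the HELO name, because the
    HELO string is chosen by the sender and costs nothing to forge.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify_connections(connections, ranges=PROVIDER_RANGES):
    """Split a list of (ip, helo) pairs into (allowed, rejected)."""
    allowed, rejected = [], []
    for ip, helo in connections:
        bucket = allowed if allowed_smtp_source(ip, ranges) else rejected
        bucket.append((ip, helo))
    return allowed, rejected


def report(connections=SAMPLE_CONNECTIONS, ranges=PROVIDER_RANGES):
    """Return a short text summary of what the rule would have done."""
    allowed, rejected = classify_connections(connections, ranges)
    lines = [f"allowed {len(allowed)}, rejected {len(rejected)}"]
    for ip, helo in rejected:
        lines.append(f"  reject {ip:<16} helo={helo}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Two things the sample is built to show: the host at 198.51.100.200 has a provider-looking HELO name but sits just outside the /25, so only the address test rejects it; and the internal copier at 10.0.0.5 is rejected too, so any internal device that submits mail over SMTP needs its own explicit exception rather than a looser rule.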
ASKER CERTIFIED SOLUTION
Sembee:

[Accepted solution is members-only and its text is not included on this page.]
pharmon96 (asker):
Thank you for all the info..

mcrossland: I will look into your suggestions. We are thinking about purchasing a Barracuda filter to go in front of Exchange. What do you think of that idea?

Sembee, I understand Trend shouldn't be scanning \exchsrvr\mailroot but I've been afraid to exclude it because of what happened originally when OfficeScan was not installed on the server. ScanMail did not stop the problem and the server started spamming.

One of the main reasons that I personally prefer an external spam filter is for bandwidth reasons. The spam never comes through our internet connection. I think Barracuda is an internal server, correct?

Yes, Barracuda is an internal server.

Never tried it so I'm not the right person to answer that part of the question. :)

I wouldn't necessarily say that an external provider is the solution here. They are not the solution to everything. I have a client who cannot use an external provider because they block too much legitimate email.
If you have already made the investment in the software then you should use that.

Excluding the folders is not a do-nothing option. You must do it for Exchange to operate correctly. Otherwise what happens is that the AV software tries to scan the files as Exchange is processing them.

If scanmail didn't catch something then it is not fit for purpose and should be replaced. I always recommend having something different for Exchange AV than what is on the desktops to provide multiple layers of protection.

A barracuda or external service will not help if Trend continues to be incorrectly configured. It is something that they should do automatically - but for some reason do not.

Simon.
SOLUTION

[Members-only solution; its text is not included on this page.]
Does Exchange with SP2 have a greylist or blacklist filter built in? If so, can someone provide a link on how to set it up.

Sembee, do you have a recommendation for Exchange AV?
Thanks again everyone!
There is no greylisting support in Exchange 2003 from Microsoft.
I don't recommend blacklists either.

For Exchange level AV, the market leader was Sybari Antigen, now Microsoft Forefront. The other one I have put in to a few sites with success is GFI Mail Security.
You could also look at Grisoft AVG which I believe can be bought standalone. So many of the AV vendors want you to buy a suite.

Simon.
r-k:
Another option is an anti-spam add-on for Exchange. We have been using Ninja (formerly iHateSpam) for about three years. It has some rough edges, but I like the new version quite a bit now. It does have an AV plug-in, but I don't even use it. By simply using Ninja to block executable attachments (i.e. those that end in .exe, .bat, .pif etc.) I have not had an infected file get through in months. The new version also does a great job with spam and phishing type messages, catching maybe about 95%. The main downside is the extra load it puts on the server. If you want more specifics please post back.
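Blocking executable attachments by name, as r-k describes, written out as an added example that is not r-k's Ninja configuration or the product's code. The extension list beyond the three the post names (.exe, .bat, .pif) and the attachment names are assumptions constructed for illustration; the point is the normalization a naive `endswith(".exe")` check misses: case, double extensions, padding, trailing dots and spaces, and path components.

```python
# Extensions to block. The post names .exe, .bat and .pif; the rest are other
# Windows-executable types added here as an assumed starting list.
BLOCKED_EXTENSIONS = {
    "exe", "bat", "pif", "com", "scr", "cmd", "cpl", "vbs", "vbe", "js", "jse",
    "hta", "lnk", "msi", "reg",
}

# Constructed attachment names covering the cases a name check must handle.
SAMPLE_ATTACHMENTS = [
    "rqrzppmouic.exe",            # the Bagle sample named in the question
    "Invoice.PDF.EXE",            # double extension, upper case
    "report.doc          .exe",   # padding so the real extension scrolls out of view
    "setup.exe ",                 # trailing space Windows ignores when opening
    "C:\\temp\\readme.pif",       # path component in the name
    "photo.jpg",
    "notes",                      # no extension at all
    "archive.zip",                # not catchable by name: needs archive inspection
]


def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased, or '' if none.

    Strips any path, and the trailing dots/spaces that Windows ignores when
    opening a file, then takes the text after the LAST dot so that
    'Invoice.PDF.EXE' -> 'exe'.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip()


def is_blocked_attachment(filename, blocked=BLOCKED_EXTENSIONS):
    return effective_extension(filename) in blocked


def filter_attachments(names, blocked=BLOCKED_EXTENSIONS):
    """Split attachment names into (blocked, passed) lists."""
    blocked_names = [n for n in names if is_blocked_attachment(n, blocked)]
    passed_names = [n for n in names if not is_blocked_attachment(n, blocked)]
    return blocked_names, passed_names


if __name__ == "__main__":
    blocked, passed = filter_attachments(SAMPLE_ATTACHMENTS)
    print("blocked:", blocked)
    print("passed: ", passed)
```

A name check only helps if it is applied to every MIME part, including parts of nested messages: the Bagle sample in the question was an .EML whose payload was the .exe. It also cannot see into archive.zip, which is why it sits alongside, not instead of, the AV layer.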

Have any of you used ScanMail for spam/virus filtering? How does it rank against other products?
I noticed in the real-time ScanMail filter log it shows messages found at SMTP. Does this mean Exchange is accepting email from SMTP? I pasted two examples below. Please let me know.

4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
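Parsing the ScanMail Realtime Monitor lines quoted above, as an added example that is not ScanMail's own tooling: the regular expression matches the two lines exactly as posted, the extra sample lines are constructed, and the "STORE" source label in them is an assumption used only to show a second bucket, not a value taken from ScanMail documentation. Counting by the "found at" field separates mail the scanner saw arriving over SMTP from everything else it scanned, and counting by sender domain shows which domains make up a day's volume.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the log line format quoted in the question, e.g.
#   4/6/2007 12:08:33 PM - Message from "x@y.com" found at "SMTP" [total 1 recipient(s)]
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - '
    r'Message from "(?P<sender>[^"]*)" found at "(?P<source>[^"]+)" '
    r'\[total (?P<rcpts>\d+) recipient\(s\)\]\s*$'
)

# The two lines from the question plus constructed extras. "STORE" is an
# assumed label for a non-SMTP source; check your own log for the real values.
SAMPLE_LOG = """\
4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:40 PM - Message from "sales@gearedon.com" found at "SMTP" [total 3 recipient(s)]
4/6/2007 12:07:02 PM - Message from "jsmith@corp.example" found at "STORE" [total 1 recipient(s)]
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sender = m.group("sender")
    domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "sender": sender,
        "domain": domain,
        "source": m.group("source"),
        "recipients": int(m.group("rcpts")),
    }


def parse_log(text):
    """Parse all lines, silently dropping ones that are not message records."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Aggregate counts so the mix of sources and sender domains is visible."""
    return {
        "messages": len(records),
        "recipients": sum(r["recipients"] for r in records),
        "by_source": Counter(r["source"] for r in records),
        "by_domain": Counter(r["domain"] for r in records),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(f"{summary['messages']} messages to {summary['recipients']} recipients")
    for source, n in summary["by_source"].most_common():
        print(f"  found at {source:<6} {n}")
    for domain, n in summary["by_domain"].most_common():
        print(f"  from {domain:<28} {n}")
```

Run over the full day's log, the two counters answer the question the 219,962 figure raises: a long tail of outside domains sending one-recipient messages is spam arriving, while a flood attributed to your own addresses or to senders you do not recognise, each with many recipients, is what relaying would look like and is the case worth chasing.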