Solved

Spam questions in Exchange

Posted on 2010-08-24
958 Views
Last Modified: 2013-11-22
Over the weekend a few users got a bunch of fake emails from Amazon, and some other ourdomain.com "team" that has our domain name on it (as if it's coming from the website "team" of our domain). The Amazon email looked very real, and a few employees started freaking out and calling me saying their Amazon account had been compromised.

I am just trying to understand how these spammers get some of our valid email addresses. I went into the Exchange server management console, to message tracking, and looked at one of the Amazon emails... The recipients listed in the message had about 10 emails listed. Four of them were valid emails of employees in our company, and the other 6 emails were way off track and not valid emails (although the @domain.com part was right). How did the real email addresses even get on the list? How do I protect our email accounts better so that these spammers don't know our real email accounts?

Also, in Exchange, the sender just says auto-confirmation@amazon.com.  I know that is not the real address, but how do I see what the real sending address is?

Question by:jbobst
15 Comments
 
LVL 4

Assisted Solution

by:mrbrain646
mrbrain646 earned 62 total points
"How did the real email addresses even get on the list?"
This is most likely caused by infected computers in and outside your network.
Home users with POP or IMAP email, iPhones, Android phones configured with your email settings.
Once they get infected they gather all those email addresses and use them to spoof and send spam.
"How do I protect our email accounts better so that these spammers don't know our real email accounts?"
This would be difficult, but have outside users use RPC/HTTP or OWA; disable POP3 and IMAP.
Also, the Barracuda Spam Firewall is a good anti-spam appliance.

"In Exchange, the sender just says auto-confirmation@amazon.com. I know that is not the real address, but how do I see what the real sending address is?"

Open the original email in Outlook and go to the View menu, then Options, to view the header information.


 
LVL 2

Accepted Solution

by:roarkinc
roarkinc earned 63 total points
Lots going on there. The real address might not even be available, but the real sending server you can get by looking at the headers of the message.
Spammers are looking for valid email addresses. It is called directory harvesting when a spammer sends messages to multiple email addresses and figures out which ones are real by checking your server's response (accepted mail means the account is valid; rejected means the account doesn't exist).
Your best way around spam is of course a spam filter, either on the Exchange box or on your firewall, or a service like Postini.
Regardless of what spam filter you use, spam will get through. Just like viruses, the spammers figure out a new way to get through and it takes time for the spam filters to learn that and start blocking it.

What version of Exchange are you running? 2008 has some spam features built in.
Also, you can prevent spam getting in from your own domain by changing some settings, but to tell you which, I would need to know if any other server can send mail as your domain, like does your web server send a thank-you email for customer sign-ups.
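The "look at the headers" advice from both answers above, as an added example that is not part of the thread. The message, host names and IP addresses are constructed; the point it demonstrates is that only the Received header written by your own server is trustworthy, and that the envelope sender (Return-Path) rather than the display From: tells you who really handed the message to you.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not a real message: a spoofed "Amazon" confirmation as it
# would look after our own server (mail.ourdomain.example) accepted it.
RAW_MESSAGE = """\
Return-Path: <bounce-8831@mailer.example.net>
Received: from mailer.example.net (unknown [198.51.100.23])
\tby mail.ourdomain.example with ESMTP id 8F3A2; Mon, 23 Aug 2010 03:14:07 -0500
Received: from localhost (localhost [127.0.0.1])
\tby mailer.example.net with SMTP id 44; Mon, 23 Aug 2010 03:14:01 -0500
From: "Amazon.com" <auto-confirmation@amazon.com>
To: user1@ourdomain.example
Subject: Your Amazon.com order
Content-Type: text/plain

Your order has shipped.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse_origin(raw, our_host):
    """Return what the headers reveal about where a message really came from."""
    msg = email.message_from_string(raw)
    display_from = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # Each relay prepends its own Received header, so the first one is the
    # newest. Only the header written by OUR server can be trusted; the ones
    # below it arrived inside the message and may have been forged.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    origin_ip = None
    for hop in hops:
        if f"by {our_host}" in hop:
            m = IP_RE.search(hop)
            origin_ip = m.group(1) if m else None
            break
    from_domain = display_from.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    return {
        "display_from": display_from,
        "return_path": return_path,
        "origin_ip": origin_ip,
        "received_hops": len(hops),
        # Display From: and envelope sender disagree: a common spoof indicator.
        "sender_mismatch": from_domain != rp_domain,
    }
```

The same analysis applies to headers copied out of Outlook's View > Options dialog; paste them into `RAW_MESSAGE` and set `our_host` to your server's name as it appears in the `by` clause.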
 
LVL 3

Assisted Solution

by:Dave_LaSalle
Dave_LaSalle earned 63 total points
There are myriad ways, too many to say here. But as an example: 60% of connections to an email server may be for "Invalid Users"; they just keep guessing. Other ways are address books of people you send mail to, hacked by malware, and tracking info in HTML emails, then sold on lists.

Fight spam with a good frontend antispam solution.
Recommend: http://www.spamtitan.com/
You can also check for outgoing spam and viruses to protect your company's reputation.
 
LVL 1

Author Comment

by:jbobst
I forgot to mention that we do have the Trend Micro Worry Free Business product for spam on our Exchange server. It does a fairly good job, but then stuff like this gets in once in a while...mostly to a select group of users who get the most spam in our company.

We are running Exchange 2003.  Also, we don't have any home users with POP or anything like that.  Just some laptops with cached mode, and some OWA use.  There are a few smart phone users, but I think that is over a secure connection...I think.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 62 total points
Spammers will target your server and try to harvest the email addresses on your server (Directory Harvest Attack). This is fairly simple to achieve, but you can slow such an attack down from taking a matter of hours to taking a number of years by enabling tar pitting, which inserts a delay into the responses sent from your server back to the spammer.
Also, installing some good anti-spam software that can detect and reject Directory Harvest Attacks is a good idea, and if your current software cannot, then it is worthwhile investing in one that can.
To enable Tar Pitting, please have a read of the following:
http://support.microsoft.com/kb/842851
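As an added example, not from the thread: detection logic for the Directory Harvest Attack described above, run over a few constructed SMTP protocol log lines, plus the arithmetic behind tar pitting (with recipient filtering on, every rejected guess costs the attacker the tarpit delay). The log format, IP addresses and thresholds are assumptions; a real Exchange 2003 W3C SMTP log has more fields but records the same RCPT TO verb and reply code.

```python
import re
from collections import defaultdict

# Constructed, simplified SMTP protocol log: time, client IP, verb, argument,
# server reply code. Not a real Exchange log (the W3C SMTP log has more
# fields), but it carries the same information a harvest attack leaves behind.
SAMPLE_LOG = """\
03:14:01 198.51.100.23 RCPT TO:<user1@ourdomain.example> 250
03:14:01 198.51.100.23 RCPT TO:<aaron@ourdomain.example> 550
03:14:02 198.51.100.23 RCPT TO:<abbey@ourdomain.example> 550
03:14:02 198.51.100.23 RCPT TO:<abe@ourdomain.example> 550
03:14:02 198.51.100.23 RCPT TO:<user2@ourdomain.example> 250
03:14:03 198.51.100.23 RCPT TO:<adam@ourdomain.example> 550
03:14:03 198.51.100.23 RCPT TO:<adele@ourdomain.example> 550
03:15:10 203.0.113.8 RCPT TO:<user1@ourdomain.example> 250
03:15:11 203.0.113.8 RCPT TO:<user3@ourdomain.example> 250
03:16:40 192.0.2.77 RCPT TO:<jane@ourdomain.example> 550
"""
LINE_RE = re.compile(r"^\S+ (\S+) RCPT TO:<[^>]+> (\d{3})$")


def rcpt_stats(log_text):
    """Count accepted (2xx) and rejected (5xx) RCPT TO commands per client IP."""
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, code = m.groups()
        stats[ip]["accepted" if code.startswith("2") else "rejected"] += 1
    return dict(stats)


def harvesters(stats, min_rejects=3, min_ratio=0.5):
    """Flag client IPs whose rejected-recipient volume looks like a harvest.
    A single typo from a legitimate sender stays below min_rejects."""
    flagged = []
    for ip, s in stats.items():
        total = s["accepted"] + s["rejected"]
        if s["rejected"] >= min_rejects and s["rejected"] / total >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)


def harvest_time_hours(guesses, tarpit_seconds):
    """Hours a serial harvester needs when every rejected recipient is delayed
    by tarpit_seconds (recipient filtering must be on for rejects to occur)."""
    return guesses * tarpit_seconds / 3600
```

Without recipient filtering the server accepts every recipient and the rejected column stays empty, which is why the filter must be enabled before tar pitting has anything to delay.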
 
LVL 2

Expert Comment

by:roarkinc
Tar pitting is a great idea!

Your Trend Micro Worry Free has an update (about 3-6 months ago, I think) that should fix the fake emails from internal addresses.
 
LVL 3

Expert Comment

by:Dave_LaSalle
"...mostly to a select group of users who get the most spam in our company."

We have a few users who thought you should click every link in an email that said "To Opt Out - Click Here".  They now receive over 2,000 spam messages a week.  So a little education to your users in this matter could go a long way.
 
LVL 76

Expert Comment

by:Alan Hardisty
FYI - Vamsoft ORF - www.vamsoft.com - has built-in Directory Harvest Attack mechanisms and is my preferred anti-spam software of choice. It reduced my spam from 5-6 a week to 5 or 6 a month and protects 95% of my customers' servers (one didn't want to miss the odd email from genuine customers with a blacklisted IP address!!!).
And it only costs $239 per server.
 
LVL 1

Author Comment

by:jbobst
Thanks for all the advice everyone. As an update, I was looking in my queues this morning on the Exchange server, and there were a bunch of emails from "postmaster@mydomain.com" trying to go to bogus email addresses. I found a Microsoft article that said that because I didn't have recipient filtering enabled, any invalid email address sent to our server will be accepted, then an NDR will try to be sent. So, I enabled recipient filtering this morning, and cleared out the few messages stuck in the queues. At this point now, I should go ahead and enable tarpitting, as mentioned by some of you in your posts, right? How many seconds should I set in the registry for the tarpitting setting? In the Microsoft article, it mentions 5 seconds I think. Should I do it for a longer value?
 
LVL 76

Expert Comment

by:Alan Hardisty
Recipient Filtering should definitely be done if not already.
Tar-Pitting will help you fend off spammers trying to run a Directory Harvest Attack and is highly recommended to be set up.
I set Tar-Pitting to 60 seconds on my servers : )
 
LVL 76

Expert Comment

by:Alan Hardisty
Check to see if you are listed on Backscatterer.org - www.mxtoolbox.com/blacklists.aspx
If you were sending out NDRs to spammers, you will most likely be listed.
 
LVL 1

Author Comment

by:jbobst
Backscatterer.org reported we were on one list.  I fixed that one.  I will go ahead and set the tar pitting for 60 seconds.  Thanks for the advice!
 
LVL 76

Expert Comment

by:Alan Hardisty
You are welcome. No surprises that you were listed; if you have enabled Recipient Filtering, you should be good to get off Backscatterer.org.
Does Trend Micro work well for you in terms of dealing with spam?
 
LVL 1

Author Comment

by:jbobst
It seems to do alright...it's pretty simple and straightforward with regards to setup/maintenance, so that is a plus. But stuff still gets through often.
 
LVL 76

Expert Comment

by:Alan Hardisty
I think any anti-spam software will allow spam through; I guess it just depends on the quantity of the ones that make it past the defenses.
If it is happening often, do take a serious look at Vamsoft ORF; it is absolutely brilliant IMHO and in other EE Exchange Experts' opinions.
Check out this blog article:
http://blog.sembee.co.uk/post/Truly-Spectacular-Results-from-Vamsoft-ORF.aspx