Solved

Need help get rid of SPAM

Posted on 2013-01-21
16
329 Views
Last Modified: 2013-01-23
Dear Everyone,

I am operating an Exchange 2003 environment. Recently I experiencing a bigger spam attack.

I have heard that if I apply a Spoof record in the DNS setting or perform reverse dns using Exchange server it would reduce the SPAM attack.

Do I need to register a Spoof record or do I need to perform reverse DNS on incoming mail with server?
What do you think?
Any other suggestions would be appreciatted.
P.S.: The server is using the newest NOD32 for Exchange for Antispam and etc...
 
Thanks
0
Comment
Question by:agriboy1980
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 8
16 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 38801320
The solution will depend on the type of attack you had.  What did you see happening?

Did you see lots of messages from Administrator going out to random addresses or did you see lots of messages from random external domain names to random external people?

Either way - have a read of my article and see if anything helps you:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also my other article about getting rid of spam in Exchange 2003 without 3rd party tools:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html

Alan
0
 

Author Comment

by:agriboy1980
ID: 38801459
Dear Alan,

I have configured the Filtering at Message Delivery propreties.

Do I need to restart any services for the modification to take effect?

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38801527
Restart the SMTP Service (Simple Mail Transfer Protocol Service) to make sure the changes are put into place immediately.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:agriboy1980
ID: 38802460
Ok.
By the way:
Do you know anything about this so called spoof record?

Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38802534
If you mean an SPF record, then yes.  Visit http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ and run through the screens.

Alan
0
 

Author Comment

by:agriboy1980
ID: 38805104
Hi,


domain.com.      TXT      "v=spf1 a mx ip4:111.111.111.111 ~all"

If I have a TXT record in my DNS already (mentioned above) how can I check that is functioning properly?
In the provided link  http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
there are some questions I cannot answer for sure, I am just guessing. Is there a detailed explanation for that?
Thanks in advance.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38805160
If you visit http://www.kitterman.com/spf/validate.html

Use the test an SPF record and feed it your SPF record exactly as above without the Quote Marks, then tweak the Mail From / Helo / IP Address and test to see what happens in terms of the Result.
0
 

Author Comment

by:agriboy1980
ID: 38805343
Hi Alan,

I have configured the TarpitTime key as it was mentioned here: http://support.microsoft.com/kb/842851/en-us

Can't find any information yet regarding what would could be the avarage range of this key VALUE?

Now I have set it to 5, but I don't think it is the good value for it.
Can you help?

thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38805502
I would set it to something like 30 seconds.  The idea is to slow spammers down, so 30 seconds should make life much harder for them.

60 would be worse for them - depends on how nasty you are feeling :)

Alan
0
 

Author Comment

by:agriboy1980
ID: 38809279
Ok. I have set it to 60.
If I am right it means if someone is trying to send SPAMs it will wait 60 seconds on my server before it starts the delivery process.

Why should this "nasty" step make SPAMMers life harder?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38809306
No - the tarpit is a delay inserted into the communication between the remote side and your server to slow down the transmission and to give the spammer a hard time.  Without a delay, they can test out addresses on your server and your server will respond immediately with a response e.g., invalid recipient.  With the tarpit set to 60 seconds, it will wait for 60 seconds before sending the Invalid Recipient response, so that means the spammer has to wait a minute between trying out new recipients, thus slowing down their communications and meaning it takes much longer to get anywhere when trying to abuse your server.

A slightly more extensive definition can be found here:

http://en.wikipedia.org/wiki/Tarpit_(networking)

Alan
0
 

Author Comment

by:agriboy1980
ID: 38809457
I've requested that this question be closed as follows:

Accepted answer: 0 points for agriboy1980's comment #a38805343

for the following reason:

Thanks for the detailed help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38809458
You seem to be accepting your own comment as the solution here, rather than one of my comments, which would reward me for my efforts.

Could you please have another go at closing by accepting one or more of my comments and the solution, unless you didn't intend to award me any points for helping you.

Objecting to the currently intended closure.

Many thanks

Alan
0
 

Author Comment

by:agriboy1980
ID: 38811991
Hi Alan,

Sorry about that, something was wrong with my smartphone, of course you are the one who earned all the points.
By the way before I close this question properly, do you think there is a way to test the appropriate working of this Tarpit solution?

Thanks in advance.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 38812009
Not a problem - closing can be confusing.

You can test the tarpitting via remote telnet tests direct to your server from a command prompt.

http://support.microsoft.com/kb/153119

Alan
0
 

Author Closing Comment

by:agriboy1980
ID: 38813126
Outstanding solution. Thanks.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Find out what you should include to make the best professional email signature for your organization.
how to add IIS SMTP to handle application/Scanner relays into office 365.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question