Solved

Increased SPAM mails -  How to reduce

Posted on 2013-11-27
Last Modified: 2013-12-12
We seem to have started to get an increased number of spam emails in the last few days.
Current infrastructure is  
A PIX firewall,  Exchange 2003 SP2 and Kaspersky Security 5.5 for Exchange Server 2003.
We have anti-spam and anti-virus enabled on the Kaspersky.
All clients have Kaspersky Anti-virus with anti-spam feature enabled in outlook.

We have IMS set to SCL rating of 7 - although we know we can change this to improve black list etc. we use emails for alerting and this can stop vital messaging emails.

We are looking at what we can implement in the current environment to help, be it on Exchange or additional tools, to reduce/minimise these SPAM mails.
Would appreciate any ideas and thoughts on what we could implement or what we need to change.
Thanks look forward to any suggestions.
0
Question by:ccfcfc
22 Comments
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39680404
Have you implemented SPF?

http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SPF-support-Exchange-freeware.html

Or set up your incoming SMTP server to delay 20 seconds; it's a common feature.

And please check that you don't have a small collision from using Kaspersky on both the server and the client, because the same setup with ESET sometimes causes scanning collisions.
0
 

Author Comment

by:ccfcfc
ID: 39680427
SPF is not the issue as we have SPF in place. We are looking for a product(s) and/or setting on our infrastructure that we can introduce into the existing setup, as the current environment is not working as effectively as it should.
I gave the current infrastructure hoping someone might suggest an appliance solution or a setting to capture this spam email before it is sent to the clients within the organisation.
Our SMTP server (Exchange) is not able to deal with this, hence my reference to the IMS setting set to an SCL value of 7.
Not sure how setting a delay of 20 seconds on the SMTP will resolve this issue but I will look at this as well.
0
 
LVL 34

Accepted Solution

by:
Dan Craciun earned 500 total points
ID: 39680530
I don't know if they support Exchange, but with SpamExperts on my VPS with CentOS and Exim I receive way less spam (90-99% less) compared to the former solution (SpamAssassin).

http://www.spamexperts.com/en/enterprises

HTH,
Dan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39680576
Trial Vamsoft ORF Fusion - a brilliant, low-priced product that does away with the vast majority of spam that we used to get.   All our customers use this now and they get little to no spam at all.

www.vamsoft.com

Alan
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39680749
I have to echo the use of Vamsoft ORF. I have that with a number of different users and find it very effective.
However don't take our word for it - you must evaluate before purchase. I have also seen Vamsoft ORF fail at two sites because of the type of messages they receive and we had to go to an alternative product.

The other solution would be to outsource.

If you do buy something, make sure you can upgrade to a version compatible with a newer version of Exchange.

Simon.
0
 

Author Comment

by:ccfcfc
ID: 39680787
I assume by what I have read, this VAMSOFT resides on the Exchange server (in our case Exchange 2003 SP2), which is on the requirements/supported platforms. We have another issue in that the current DB is 67Gb, getting close to the limitations of Exchange 2003, so we need to migrate anyway. But surely the option of having this SPAM tool on the edge is the preferred option so that mails are dealt with before they hit the Exchange server.
Our mail server is pretty busy due to the nature of the business already.

The test before you buy is quite neat, assuming it does not trash your current config in the process. A little niggle is the backup/restore and rebuild of a 65Gb information store if this happens, which kind of makes me question a solution "ON" the actual Exchange server itself.
Tapping into the SMTP traffic before it hits the Exchange server seems less dangerous/lower impact?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39680961
I've never seen Vamsoft mess up an Exchange Server and I'm sure Simon will say the same.

We have installed Vamsoft on dozens of Exchange servers including SBS without a single problem or a single server rebuild being necessary.  I can understand your cautious approach, but rest assured you will be fine.

Alan
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39680977
Exchange sits on the Exchange server, it doesn't actually touch the Exchange configuration. It hooks in to the SMTP service instead.
However if you want to run it on another server then you can. It will run quite happily on a Windows 2003 IIS SMTP server. Configure Recipient Validation to use LDAP and then use it as a smart host for outbound email on the Exchange 2003 server so that it can do its auto whitelisting. I have a client doing that at the moment - they actually use two servers, with a shared SQL server between them.

Simon.
0
 

Author Comment

by:ccfcfc
ID: 39692075
I seem to have reduced the number of mails via the hardening of SPV and adding "-" to the record, but I am still getting spam, so it looks like I need to investigate and test "Vamsoft" on a server, mainly to test the install. If I install on our LIVE Exchange server and it goes wrong !!!!
Thanks for recommendation
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39692100
It won't go wrong - I've installed it dozens of times and never had a problem.
0
 

Author Comment

by:ccfcfc
ID: 39698373
Alan, I have been trialling Vamsoft. I can see that the tool works quite well, but cannot see any settings or configurations which suggest the software connects to a server and downloads a database of known spammers. This is not ideal and I would like a tool where the software is able to update its own databases of all the latest spammers out there. I shall keep looking.

Any other recommendations?

thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39698667
You have the DNS Blacklists which you can use such as Barracuda / CBL / UCEPROTECT etc.

If you use a few of those - then that should block known bad IP Addresses (although you will have a few casualties I expect).

Make sure you use the Auto-Sender Whitelist as that adds anyone that internal people email externally to the list so that when they email back, they are trusted and don't go through quite so many checks.

Alan
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39699696
Vamsoft can build its own database, it uses honeypot for that.
What I usually do is let it run for a few days with recipient filtering/validation enabled. Then look through the logs at the list of users being returned as unknown. There will always be a few that have never existed but are always getting email attempts. Add them to the Honeypot. Then if a spammer tries to send spam to those users as part of a wider run, the host gets blocked even for legitimate recipients.

Simon.
0
 

Author Comment

by:ccfcfc
ID: 39700485
Simon,
Thanks for your reply, much appreciated.
It seems very labour intensive. Plus, if you look at the mail header, the source IPs/headers are not actually valid and/or change. Our current AV/spam tool identifies them as SPAM but does not do the next step. Kaspersky Security for Exchange seems to do the same except the ability to add or learn. It has the ability to download a database both for anti-spam and anti-virus. But it seems recently there is a new deluge of SPAM mails which come through marked as SPAM (with an attachment), but it relies on the recipient having to action the mail.
Not entirely sure what this "honeypot" does, but from what I read it is a manual process which, based on our current issue, you would be constantly modifying. Unless you can say different. Would appreciate your feedback as you seem happy with the product; perhaps we are not understanding the features fully.
Look forward to hearing back from you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39700557
What are you trying to block specifically?  Files with attachments such as the .zip files that are known to be virus related?

Have you enabled the Greylisting option, which essentially tells emails from unknown users to go away and come back later?

The Honeypot is a list of email addresses that have never existed, but that people email in the hope that the address does exist, so it is guaranteed that the sender is a spammer.  As a result of hitting a honeypot address, the sending IP Address will get blocked for 24 hours (or whatever you configure it to).

Alan
0
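The honeypot workflow described in the replies above (mine the recipient-validation log for never-valid addresses, then block any host that mails one of them for 24 hours), as an added Python example that is not part of the thread and is not Vamsoft ORF's code. The log format, the `min_hits`/`min_sources` thresholds and all addresses are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: timestamp, connecting IP, recipient, validation result.
SAMPLE_LOG = """\
2013-12-02T08:00:00 203.0.113.7 sales99@example.com unknown
2013-12-02T09:10:00 198.51.100.4 sales99@example.com unknown
2013-12-03T07:30:00 203.0.113.9 sales99@example.com unknown
2013-12-03T10:00:00 192.0.2.15 jsmiht@example.com unknown
2013-12-03T11:00:00 192.0.2.15 jsmith@example.com valid
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, rcpt, result = line.split()
        yield datetime.fromisoformat(ts), ip, rcpt.lower(), result

def honeypot_candidates(log, min_hits=3, min_sources=2):
    """Unknown recipients probed repeatedly from several hosts.

    A single miss from one host (a likely typo) is deliberately left out.
    """
    hits, sources = Counter(), {}
    for _, ip, rcpt, result in parse(log):
        if result == "unknown":
            hits[rcpt] += 1
            sources.setdefault(rcpt, set()).add(ip)
    return sorted(r for r, n in hits.items()
                  if n >= min_hits and len(sources[r]) >= min_sources)

class HoneypotFilter:
    def __init__(self, honeypot, block_for=timedelta(hours=24)):
        self.honeypot = set(honeypot)
        self.block_for = block_for
        self.blocked_until = {}  # sending IP -> time the block expires

    def check(self, now, ip, rcpt):
        """Decide one RCPT TO: 'reject' or 'accept'."""
        if self.blocked_until.get(ip, now) > now:
            return "reject"  # host is blocked, even for real recipients
        if rcpt.lower() in self.honeypot:
            self.blocked_until[ip] = now + self.block_for
            return "reject"
        return "accept"
```

Candidates should still be reviewed by hand before they go on the list, since an address that existed in the past would penalise legitimate senders.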
 

Author Comment

by:ccfcfc
ID: 39700569
Alan,
The problem is, although we are getting attachments with ZIP's we use external companies that send ZIP's that are valid.
If you look at the mail header, they seem valid source mails, but if you look deeper you see the actual IP record does not match the MX record. It would be a constant battle against these.  We have many unknown/new mails due to the business model.
I have reduced by setting the SPV to hardened and this has reduced obvious spams.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39701172
To get the best from Vamsoft can be quite labour intensive initially. I usually spend an hour a day for a week on a new implementation getting it setup correctly based on the logs.
Once it is running I don't have to do very much with it at all.

Chasing IP addresses is a waste of time.
The key thing is to look at the logs. Ensure that you have the options to record the remote server all setup correctly. For example I have blocked a lot of stuff by rejecting fraud@aexp.com as a sender blacklist.

Simon.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39701199
SPF is also a useful tool (although not everyone publishes an SPF record), but if they do, spoofed emails claiming to come from a domain that has published an SPF record would also get rejected because the sending IP Address isn't published as a permitted sender.

Vamsoft has lots of tools - I use a lot of them and get very good results.  I believe that Simon uses fewer tools, but also had good results.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39713523
Did you not go with Vamsoft in the end?
0
 

Author Comment

by:ccfcfc
ID: 39713545
Not at the moment. We didn't like the configuration of this application. We would have to maintain this system on a regular basis, which is not what we're looking for. We might come back to it however, should SPAM experts not work.

Kind regards

Anton
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39713698
I don't ever touch my installation of ORF and hardly any spam gets through.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39713703
Well, I hardly did any maintenance on SpamExperts. Just some whitelisting for clients that had issues.
Just be sure to set an email address where you get a daily report on blocked emails. This way you can quickly unblock any false positive.

Regards,
Dan
0
