Spam email: how do they get the list of AD email accounts?

Asked by crcsupport:

Often, we receive spam emails sent to a group of our AD users. I wonder how they get the list of email addresses. What configuration is necessary in Exchange Server to block them from scanning our server for the contact list they send spam to?
SOLUTION (Imtiaz Hasham)
ASKER (crcsupport):

We use GFI antispam and the spam is detected fine. But I noticed they actually scan against our email server to get the contact lists. Do they just shoot some kind of brute-force scanning to find all email users? NDR is necessary so that outside senders know whether their emails reached the intended users in our company.
I think there should be some sort of configuration or setting to prevent this type of scanning in Exchange Server.
SOLUTION
ASKER CERTIFIED SOLUTION
Because there were a few user accounts with Exchange mailboxes associated, and I used them only for testing purposes. The spam included those email addresses. I think they scan against our Exchange server to get all mailbox users.
Why is it pretty unlikely? I don't think it's hard to send brute-force SMTP handshakes to any Exchange server, and if it gets a response of 250 OK for the recipient, then they add it to their spam database. I had this question years back and still couldn't find how an Exchange server can be protected from such an attack. Maybe there's some technique to prevent it in the firewall, either...
All ports are blocked except the really basic ports for web.
And the Exchange server is 2003, OWA enabled.
SOLUTION

SOLUTION

SOLUTION
I agree, it's likely it might be one from inside to outside: the contact list went out by infected computers. We have AVG antivirus installed and the firewall is set tight on all computers, but...

I said brute-force attack, but I'm not sure if it's really a brute-force attack sending just a bunch of SMTP handshakes to the Exchange server, thinking it's the way it has to be, handling thousands of in/out emails.

I went through all settings and spoke to SonicWall and GFI people. They only recommend staying up to date with IPS and antivirus definitions; I didn't really get specific help. IPS, anti-virus, anti-spyware settings are filtering from high to low, all
Reading about tarpit, it seems it's specifically made for this type of spamming event. But it affects normal mail transactions as well, so I probably won't use it until I test.
Thank you for the info on directory harvest.
This is an update for this post.
I accidentally found the answer to my post.
There's a checkbox 'Filter recipients who are not in the Directory' under Exchange server / Message Delivery / Recipient Filtering. If you click this, spammers can run multiple SMTP commands to the server against a dictionary and find legit email addresses. Don't assume spammers send these harvesting commands fast and the firewall or security service will detect it. They can change the interval, stop, pause, continue any way they want to make your server believe it's just an incorrectly typed email address.
You should leave that option enabled, but also make the change for the tarpit. That will stop the directory harvest. Deselecting that option means that your server accepts email for all recipients, whether they exist or not, then bounces them. This is called backscatter and can get you blacklisted. Furthermore, it is a huge waste of bandwidth. On my blog I have an example of a client who wasn't using recipient filtering; when we enabled it, their internet bandwidth use dropped by over 60%!

Simon.
So, reading more about the option here: http://support.microsoft.com/kb/886208

I think spammers don't spend time sending actual thousands of spam emails to addresses generated from a dictionary, but send SMTP commands to dig out legit names first and record them in their spam database.

Tarpit also affects all regular email message delivery. Our business is transportation, where a one or two minute delay is critical for dispatching jobs, so we can't use tarpit to manually delay email delivery.

The option is unchecked, and that is the default option for Exchange Server. So I may keep the server unchecked for the filtering option and experiment.

Simon, thank you for your advice. I'll keep an eye on the queue to see if that many NDRs are filling it up. If that happens, I also know someone is running harvesting, which is a good indicator for which option I later switch to.
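An added example, not from this thread and not a feature of Exchange, GFI or SonicWall: detection logic run over constructed SMTP receive log lines in an assumed, simplified format. It flags directory-harvest behaviour by the count and ratio of unknown-recipient rejections per sending IP rather than by rate, which is the point made above about harvesters slowing down and pausing so each probe looks like a mistyped address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log shape (constructed, not Exchange's own log format):
#   <date> <time> <client-ip> RCPT <recipient> <smtp-status>
# 250 = recipient accepted, 550 = rejected because it is not in the directory.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"RCPT (?P<rcpt>\S+) (?P<code>\d{3})$"
)

# Constructed sample: a slow harvester probing ~30 min apart (a rate rule would miss it)
# and a legitimate sender with one typo.
SAMPLE_LOG = """\
2009-03-10 08:00:12 203.0.113.5 RCPT alice@example.com 250
2009-03-10 08:31:40 203.0.113.5 RCPT bob@example.com 550
2009-03-10 09:02:05 203.0.113.5 RCPT carol@example.com 550
2009-03-10 09:33:19 203.0.113.5 RCPT dave@example.com 550
2009-03-10 10:04:50 203.0.113.5 RCPT erin@example.com 550
2009-03-10 10:35:02 203.0.113.5 RCPT frank@example.com 550
2009-03-10 09:15:00 198.51.100.9 RCPT alice@example.com 250
2009-03-10 09:15:01 198.51.100.9 RCPT sales@example.com 250
2009-03-10 14:20:33 198.51.100.9 RCPT alcie@example.com 550
this line is not an RCPT record and is skipped
"""

def summarize(lines):
    """Per client IP: RCPT attempts, unknown-recipient rejections, time span."""
    stats = defaultdict(lambda: {"rcpt": 0, "unknown": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = stats[m["ip"]]
        s["rcpt"] += 1
        s["unknown"] += int(m["code"] == "550")
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def flag_harvesters(lines, min_unknown=5, min_ratio=0.5):
    """Flag by count and ratio of unknown recipients, deliberately not by rate:
    a harvester that pauses between probes still piles up rejections."""
    flagged = {}
    for ip, s in summarize(lines).items():
        ratio = s["unknown"] / s["rcpt"]
        if s["unknown"] >= min_unknown and ratio >= min_ratio:
            span = int((s["last"] - s["first"]).total_seconds() // 60)
            flagged[ip] = {"unknown": s["unknown"], "ratio": round(ratio, 2), "span_min": span}
    return flagged
```

The thresholds are assumptions to tune per site; a legitimate sender with occasional typos stays well under the ratio while a dictionary run does not.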
The delay isn't anything like minutes; a 10 second delay would be more than enough.

You should probably look at something more robust to protect the server, because running an email server without recipient validation enabled is not very wise in my opinion. During the major email malware outbreaks the problem wasn't the volume of messages they generated but all of the rejects due to poorly configured servers.

Exchange 2003 is well past its sell-by date, and the more modern versions of Exchange are more intelligent with tarpitting.