Solved

Spam email, how do they get list of AD email account list?

Posted on 2014-04-01
622 Views
Last Modified: 2014-06-19
Often we receive spam emails which are sent to a group of our AD users. I wonder how they get the list of email addresses. What configuration is necessary in Exchange server to block them from scanning our server for the contact list to send spam to?
Question by:crcsupport
16 Comments
 
LVL 12

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 251 total points
ID: 39970035
There are a lot of methods by which these people get these pieces of information. One of the things I would recommend you do is to ensure your NDR doesn't go out for emails that are non-existent on the domain; just drop the email on your server.

More importantly, you can start strengthening your Exchange's anti-spam services or use a third-party service to minimise the amount of spam.
 
LVL 1

Author Comment

by:crcsupport
ID: 39970063
We use GFI anti-spam and the spam is detected fine. But I noticed they actually scan against our email server to get the contact lists. Do they just shoot some kind of brute-force scanning to find all email users? NDR is necessary so that outside senders know if their emails reached the intended users in our company.
I think there should be some sort of configuration or settings to prevent such a type of scanning in Exchange server.
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 166 total points
ID: 39970076
How are you detecting that someone is scanning your email server directly? Unless your email server is directly exposed to the Internet in some way, that's pretty unlikely. A much more common method of obtaining emails for spammers is scanning things like websites, list servers, etc.
 
LVL 12

Accepted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 251 total points
ID: 39970098
Unless your AD is exposed to the internet, as hypercat says (usually LDAP port 389), which is highly unlikely, they can't get your email addresses.

The problem is that in some parts of the world the Data Protection Act is not so strong and email addresses are sold without a problem.

Ensure that with GFI you drop emails for addresses non-existent on the domain.
 
LVL 1

Author Comment

by:crcsupport
ID: 39970106
Because there were a few user accounts with an Exchange mailbox associated, and I used them only for testing purposes. The spam included those email addresses. I think they scan against our Exchange server to get all mailbox users.
Why is it pretty unlikely? I don't think it's hard to send brute-force SMTP handshakes to any Exchange server, and if it gets a response with 250 OK for the recipient, then they list it in their spam database. I had this question years back and still couldn't find how an Exchange server can be protected from such an attack. Maybe there's some technique to prevent it in the firewall, either...
 
LVL 1

Author Comment

by:crcsupport
ID: 39970111
All ports are blocked except really basic ports for web.
 
LVL 1

Author Comment

by:crcsupport
ID: 39970114
And the Exchange server is 2003, with OWA enabled.
 
LVL 12

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 251 total points
ID: 39970149
If you use a good firewall, it will not allow the same IP to keep sending the commands with brute force.

Also, from Exch2007 onwards, you can use tarpitting to confuse the server, but I am sure for Exch2003 GFI will allow tarpitting.

Moreover, every domain is randomly attacked and email addresses are hit ceremoniously! The spammers automate the first part of the email address as follows:
Character 1: a-z, 0-9
Character 2: a-z, 0-9
and so on.

Bouncebacks are accepted and deleted automatically. Even a brand new email address is sometimes picked in this list.
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 166 total points
ID: 39970177
Exchange 2003 is definitely not as secure as 2007/2010. Are you certain that you have your Exchange server secured with the proper settings on the Exchange server as well as the firewall? Again, it's not so much that it would be absolutely impossible, given a flaw in your firewall or the settings on your email server, but very unlikely. The kind of brute-force attack you're describing would be noticeable on your server, especially assuming this is not a large organization. Also, some spammer would have to target your domain specifically for a brute-force attack, which again is unlikely unless there's an easy-to-exploit vulnerability. If in fact these email addresses were obtained directly from your organization, the other and more likely cause would be that someone in your organization has gotten infected with a bot that copies off their email address list.
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 83 total points
ID: 39970565
Just want to pick up on this comment:

"There are a lot of methods these people get these pieces of information, one of the things I would recommend you do is to ensure your NDR doesn't go for emails that are non existent on the domain, just drop the email on your server."

That isn't actually best practice.
Best practice is to NDR the email at the point of delivery using recipient filtering, but ensure that you have the tarpit enabled. Otherwise someone could mistype an email address and not know. It doesn't assist spammers to have that configuration, because they will be using a compromised system which can only send email; they aren't interested in receiving it.

Exchange 2003 isn't secure against a directory harvest out of the box.
If you have recipient filtering enabled and did not have the tarpit enabled, then you were probably directory harvested:
http://exchange.sembee.info/2003/smtp/filter-unknown.asp

It could also have been a guess: all@, all.staff@ etc. are always targeted, as are sales@, info@ etc.

Simon.
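The harvest crcsupport describes (RCPT TO probes, keeping whatever the server answers 250 to), the guess generation Imtiaz Hasham sketches (dictionary names plus every short a-z/0-9 local part), and the recipient-filtering and tarpit settings Simon discusses, run together against a toy receiver. This is an added example, not code from the thread or from Microsoft or GFI: the directory, the domain example.com, the guess list and the 5-second tarpit are assumptions, and the receiver is a simplified model of the behaviour, not Exchange's implementation.

```python
"""Simulated SMTP directory harvest against a toy Exchange-style receiver.

Added example, not code from the original thread or from Microsoft/GFI.
The directory, the candidate list and the per-guess delay are constructed;
the receiver is a simplified model of recipient filtering plus the SMTP
tarpit, not the real Exchange 2003 implementation.
"""
import itertools
import string
from typing import Callable, Iterable, List, Set, Tuple

DOMAIN = "example.com"
# Constructed directory: the local parts that actually have a mailbox.
DIRECTORY = {"info", "sales", "dispatch", "jsmith", "hr"}

RcptHandler = Callable[[str], Tuple[int, str, float]]


def smtp_receiver(recipient_filtering: bool, tarpit_seconds: float) -> RcptHandler:
    """Build a RCPT TO handler.  It returns (reply code, reply text, seconds the
    server waited before answering) instead of sleeping, so the cost of a whole
    harvest can be totalled without actually waiting."""
    def rcpt_to(local_part: str) -> Tuple[int, str, float]:
        if not recipient_filtering:
            # Filtering off: every recipient is accepted at SMTP time and the
            # unknown ones are bounced later (NDR backscatter).  The 250 tells
            # the harvester nothing, but the server pays for every bounce.
            return 250, f"2.1.5 {local_part}@{DOMAIN}", 0.0
        if local_part in DIRECTORY:
            return 250, f"2.1.5 {local_part}@{DOMAIN}", 0.0
        # Filtering on: the unknown recipient is rejected in-session, which is
        # exactly the oracle a harvester wants.  The tarpit makes each wrong
        # guess cost tarpit_seconds, whatever pace the client chooses.
        return 550, "5.1.1 User unknown", tarpit_seconds
    return rcpt_to


def candidate_local_parts(
    dictionary: Iterable[str] = ("info", "sales", "admin", "all", "support", "jsmith"),
) -> List[str]:
    """The guess list a spammer automates: a few dictionary names plus every
    one- and two-character local part over a-z and 0-9 (constructed)."""
    alphabet = string.ascii_lowercase + string.digits
    guesses = list(dictionary)
    for length in (1, 2):
        guesses.extend("".join(t) for t in itertools.product(alphabet, repeat=length))
    return guesses


def harvest(rcpt_to: RcptHandler, candidates: Iterable[str]) -> Tuple[Set[str], int, float]:
    """Probe each candidate with RCPT TO and keep the ones answered 250.
    Returns (local parts the server confirmed, probes sent, seconds spent)."""
    confirmed: Set[str] = set()
    probes, seconds = 0, 0.0
    for local_part in candidates:
        code, _text, waited = rcpt_to(local_part)
        probes += 1
        seconds += waited
        if code == 250:
            confirmed.add(local_part)
    return confirmed, probes, seconds


def transcript(rcpt_to: RcptHandler, local_part: str) -> List[str]:
    """The SMTP lines exchanged for one guess.  The session never reaches
    DATA, so no message is sent; the MAIL FROM reply is modelled."""
    code, text, _ = rcpt_to(local_part)
    return [
        "C: MAIL FROM:<probe@attacker.invalid>",
        "S: 250 2.1.0 Sender OK",
        f"C: RCPT TO:<{local_part}@{DOMAIN}>",
        f"S: {code} {text}",
    ]


if __name__ == "__main__":
    guesses = candidate_local_parts()
    for filtering, tarpit in ((False, 0.0), (True, 0.0), (True, 5.0)):
        found, probes, seconds = harvest(smtp_receiver(filtering, tarpit), guesses)
        print(f"filtering={filtering!s:5} tarpit={tarpit:>3}s  probes={probes}  "
              f"confirmed={len(found)}  cost={seconds / 3600:.2f} h")
    print("\n".join(transcript(smtp_receiver(True, 5.0), "zz")))
```

With filtering off the harvester gets 250 for all 1338 guesses and learns nothing, but every non-existent recipient becomes a bounce the server has to generate. With filtering on and no tarpit it confirms info, sales, jsmith and hr at no cost; with a 5-second tarpit the same 1334 wrong guesses cost it about 1.85 hours, and a real list is hundreds of thousands of names. In the model, as in the Windows Server 2003 SP1 tarpit (KB 842851, TarpitTime), the delay is applied only to the 5.x.x rejection, so mail to valid recipients is not slowed.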
 
LVL 1

Author Comment

by:crcsupport
ID: 39970620
I agree, it's likely it might be one from inside to outside, the contact list went out via infected computers. We have AVG antivirus installed and the firewall is set tight on all computers, but...

I said brute-force attack, but I'm not sure if it's really a brute-force attack sending just a bunch of SMTP handshakes to the Exchange server, thinking it's the way it has to be, handling thousands of in/out emails.

I went through all settings and spoke to SonicWall and GFI people. They only recommend staying current on IPS and antivirus definitions; I didn't really get specific help. IPS, anti-virus, anti-spyware settings are filtering from high to low, all
Reading about tarpit, it seems it's specifically made for this type of spamming event. But it affects normal mail transactions as well, so I probably won't use it until I test.
 
LVL 1

Author Comment

by:crcsupport
ID: 39970637
Thank you for the info on directory harvest.
 
LVL 1

Author Comment

by:crcsupport
ID: 40142896
This is an update for this post.
I accidentally found the answer to my post.
There's a checkbox 'Filter recipients who are not in the Directory' under Exchange server / Message Delivery / Recipient Filtering. If you check this, spammers can run multiple SMTP commands against the server with a dictionary and find legit email addresses. Don't assume spammers send these harvesting commands fast and that the firewall or security service will detect it. They can change the interval, stop, pause and continue any way they want to make your server believe it's just an incorrectly typed email address.
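The pacing trick crcsupport describes, spreading the probes out so that no per-minute rule fires, defeats a rate threshold but not a per-client ratio of unknown to known recipients, because every rejected RCPT TO is still logged with its 550. This added example, not from the thread, parses constructed SMTP log lines in an assumed simplified layout (date, time, client IP, verb, argument, reply code; real Exchange 2003 SMTP logs are W3C extended format with more columns, so the field indices in the parser would need adjusting) and compares the two detections on the same data:

```python
"""Spot a slow directory harvest in SMTP protocol logs.

Added example, not from the original thread.  SAMPLE_LOG is constructed and
uses an assumed, simplified layout (date time client-ip verb argument status);
real Exchange 2003 SMTP logs are W3C extended format with more fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed: one harvester (198.51.100.7) probing roughly every 28 minutes,
# one partner (203.0.113.20) who mistyped an address once, one normal sender.
SAMPLE_LOG = """\
2014-04-01 02:10:03 198.51.100.7 RCPT TO:<aa@example.com> 550
2014-04-01 02:38:41 198.51.100.7 RCPT TO:<ab@example.com> 550
2014-04-01 03:07:19 198.51.100.7 RCPT TO:<ac@example.com> 550
2014-04-01 03:36:02 198.51.100.7 RCPT TO:<ad@example.com> 550
2014-04-01 04:05:11 198.51.100.7 RCPT TO:<admin@example.com> 550
2014-04-01 04:33:58 198.51.100.7 RCPT TO:<info@example.com> 250
2014-04-01 05:02:40 198.51.100.7 RCPT TO:<sales@example.com> 250
2014-04-01 05:31:07 198.51.100.7 RCPT TO:<support@example.com> 550
2014-04-01 05:59:55 198.51.100.7 RCPT TO:<jsmith@example.com> 250
2014-04-01 06:28:30 198.51.100.7 RCPT TO:<jsmit@example.com> 550
2014-04-01 06:57:12 198.51.100.7 RCPT TO:<hr@example.com> 550
2014-04-01 07:25:49 198.51.100.7 RCPT TO:<payroll@example.com> 550
2014-04-01 09:12:00 203.0.113.20 RCPT TO:<sales@example.com> 250
2014-04-01 09:30:45 203.0.113.20 RCPT TO:<sale@example.com> 550
2014-04-01 09:31:02 203.0.113.20 RCPT TO:<sales@example.com> 250
2014-04-01 11:00:00 192.0.2.9 RCPT TO:<info@example.com> 250
"""


class RcptEvent(NamedTuple):
    when: datetime
    client_ip: str
    local_part: str
    status: int


def parse_log(text: str) -> List[RcptEvent]:
    """Keep only RCPT lines; pull out timestamp, client, local part and reply code."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "RCPT":
            continue
        date, clock, ip, _verb, arg, status = parts
        address = arg[len("TO:<"):-1]  # "TO:<user@example.com>" -> "user@example.com"
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append(RcptEvent(when, ip, address.split("@", 1)[0], int(status)))
    return events


def max_events_per_window(events: List[RcptEvent], window: timedelta) -> Dict[str, int]:
    """Peak RCPT count per client in any sliding window of the given length.
    This is what a rate-based firewall or IPS rule measures."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        by_ip[ev.client_ip].append(ev.when)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def detect_harvest(events: List[RcptEvent], min_unknown: int = 6,
                   min_ratio: float = 0.7) -> Dict[str, dict]:
    """Flag clients whose RCPT history is dominated by unknown recipients,
    no matter how slowly the probes arrived.  Thresholds are assumptions."""
    stats = defaultdict(lambda: {"known": 0, "unknown": 0, "valid_found": set()})
    for ev in events:
        s = stats[ev.client_ip]
        if ev.status == 250:
            s["known"] += 1
            s["valid_found"].add(ev.local_part)  # what the harvester learned
        elif ev.status == 550:
            s["unknown"] += 1
    flagged = {}
    for ip, s in stats.items():
        total = s["known"] + s["unknown"]
        if s["unknown"] >= min_unknown and s["unknown"] / total >= min_ratio:
            flagged[ip] = {"known": s["known"], "unknown": s["unknown"],
                           "valid_found": sorted(s["valid_found"])}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("peak RCPT per 60 s:", max_events_per_window(evs, timedelta(seconds=60)))
    print("harvest suspects:", detect_harvest(evs))
```

The harvester never exceeds one RCPT per minute, the same peak as the normal sender, so a rate rule cannot separate them; nine of its twelve probes were for unknown recipients, which the ratio rule flags together with the three addresses it confirmed. The partner who mistyped sales@ once is not flagged. Both this detection and the tarpit only work because recipient filtering rejects in-session and the 550 is recorded; with filtering off, every probe is a 250 and the evidence only appears later as NDRs in the queue.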
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40144275
You should leave that option enabled, but also make the change for the tarpit. That will stop the directory harvest. Deselecting that option means that your server accepts email for all recipients, whether they exist or not, then bounces them. This is called backscatter and can get you blacklisted. Furthermore, it is a huge waste of bandwidth. On my blog I have an example of a client who wasn't using recipient filtering; when we enabled it, their internet bandwidth use dropped by over 60%!

Simon.
 
LVL 1

Author Comment

by:crcsupport
ID: 40145035
So, reading more about the option here: http://support.microsoft.com/kb/886208

I think spammers don't spend time sending actual thousands of spam emails with email addresses generated from a dictionary, but send SMTP commands to dig out legit names first and record them in their spam database.

Tarpit also affects all regular email message delivery; our business is transportation, where a one- or two-minute delay is critical for dispatching jobs, so I can't use tarpit to manually delay email delivery.

The option is unchecked and it's the default option for the Exchange server. So I may keep the server unchecked for the filtering option and experiment.

Simon, thank you for your advice. I'll keep an eye on the queue to see if that many NDRs are filling it up. If that happens, I'll also know someone is running harvesting, which is a good indicator of which option I should later switch to.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40145258
The delay isn't anything like minutes; a 10-second delay would be more than enough.

You should probably look at something more robust to protect the server, because running an email server without recipient validation enabled is not very wise in my opinion. During the major email malware outbreaks the problem wasn't the volume of messages they generated but all of the rejects due to poorly configured servers.

Exchange 2003 is well past its sell-by date and the more modern versions of Exchange are more intelligent with tarpitting.