Solved

Spam email, how do they get list of AD email account list?

Posted on 2014-04-01
Last Modified: 2014-06-19
Often, we receive spam emails sent to a group of our AD users. I wonder how they get the list of email addresses. What configuration is necessary in Exchange Server to block them from scanning our server for the contact list they send spam to?
Question by:crcsupport
16 Comments
 
LVL 12

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 251 total points
ID: 39970035
There are a lot of methods these people get these pieces of information, one of the things I would recommend you do is to ensure your NDR doesn't go for emails that are non existent on the domain, just drop the email on your server.

More importantly, you can start strengthening your exchange's Antispam services or use a third party service to minimise the amount of spam.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39970063
We use GFI antispam and the spams are detected fine. But I noticed they actually scan against our email server to get the contact lists. Do they just shoot some kind of brute force scanning to find all email users? NDR is necessary so that outside senders know whether their emails reached the intended users in our company.
I think there should be some sort of configuration or settings to prevent this type of scanning in Exchange Server.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 166 total points
ID: 39970076
How are you detecting that someone is scanning your email server directly? Unless your email server is directly exposed to the Internet in some way, that's pretty unlikely. A much more common method of obtaining emails for spammers is scanning things like websites, listservers, etc.
0
 
LVL 12

Accepted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 251 total points
ID: 39970098
Unless your AD is exposed to the internet, as Hypercat says (usually LDAP port 389), and it's highly unlikely that it will be, they can't get your email addresses.

The problem is that in some parts of the world the Data Protection Act is not so strong and email addresses are sold without a problem.

Ensure with GFI you drop emails for addresses non-existent on the domain.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39970106
Because there were a few user accounts with an Exchange mailbox associated, and I used them only for testing purposes. The spams included those email addresses. I think they scan against our Exchange server to get all mailbox users.
Why is it pretty unlikely? I don't think it's hard to send brute force SMTP handshakes to any Exchange server, and if it gets a response of 250 OK for a recipient, then they list it in their spam database. I had this question years back and still couldn't find how an Exchange server can be protected from such an attack. Maybe there's some technique to prevent it in the firewall, either...
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39970111
All ports are blocked except really basic ports for web
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39970114
And exchange server is 2003, OWA enabled.
0
 
LVL 12

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 251 total points
ID: 39970149
If you use a good firewall, it will not allow the same IP to keep sending the commands with brute force.

Also, from Exch2007 onwards, you can use Tarpitting to confuse the server but I am sure for Exch2003, GFI will allow tarpitting.

Moreover, every domain is randomly attacked and email addresses are hit ceremoniously! The spammers automate the first part of the email address as follows:
Character 1: a-z, 0-9
Character 2: a-z, 0-9
and so on.

and bouncebacks are accepted and deleted automatically.  Even a brand new email address is sometimes picked in this list.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 166 total points
ID: 39970177
Exchange 2003 is definitely not as secure as 2007/2010. Are you certain that you have your Exchange server secured with the proper settings on the Exchange server as well as the firewall? Again, it's not so much that it would be absolutely impossible, given a flaw in your firewall or the settings on your email server, but very unlikely. The kind of brute force attack you're describing would be noticeable on your server, especially assuming this is not a large organization. Also, some spammer would have to target your domain specifically for a brute force attack, which again is unlikely unless there's an easy-to-exploit vulnerability. If in fact these email addresses were obtained directly from your organization, the other and more likely cause would be that someone in your organization has gotten infected with a bot that copies off their email address list.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 83 total points
ID: 39970565
Just want to pick up on this comment:

"There are a lot of methods these people get these pieces of information, one of the things I would recommend you do is to ensure your NDR doesn't go for emails that are non existent on the domain, just drop the email on your server."

That isn't actually best practice.
Best practice is to NDR the email at the point of delivery using recipient filtering, but ensure that you have tarpit enabled. Otherwise someone could mistype an email address and not know. It doesn't assist spammers to have that configuration, because they will be using a compromised system which can only send email; they aren't interested in receiving it.

Exchange 2003 isn't secure against a directory harvest out of the box.
If you have recipient filtering enabled and did not have the tar pit enabled then you were probably directory harvested:
http://exchange.sembee.info/2003/smtp/filter-unknown.asp

It could also have been a guess - all@ all.staff@ etc are always targeted, as are sales@ info@ etc.

Simon.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39970620
I agree, it's likely it might be one from inside to outside: the contact list went out via infected computers. We have AVG antivirus installed and the firewall is set tight on all computers, but...

I said brute force attack, but I'm not sure if it's really a brute force attack sending just a bunch of SMTP handshakes to the Exchange server, thinking it's the way it has to be, handling thousands of in/out emails.

I went through all settings and spoke to SonicWall and GFI people. They only recommend staying current with IPS and antivirus definitions; I didn't really get specific help. IPS, anti-virus and anti-spyware settings are filtering from high to low, all.
Reading about tarpit, it seems it's specifically made for this type of spamming event. But it affects normal mail transactions as well, so I probably won't use it until I test.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39970637
Thank you for the info on directory Harvest
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40142896
This is update for this post.
I accidentally found the answer to my post.
There's a checkbox 'Filter recipients who are not in the Directory' under Exchange server/Message Delivery/Recipient Filtering. If you check this, spammers can run multiple SMTP commands against the server with a dictionary and find legit email addresses. Don't assume spammers send these harvesting commands fast enough for a firewall or security service to detect them. They can change the interval, stop, pause and continue any way they want to make your server believe it's just an incorrectly typed email address.
0
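The comment above makes a detection point worth taking seriously: a harvester that paces its probes slowly defeats any rate-based rule. The following is an added example (not from this thread, and not part of Exchange or GFI) of a detector that keys on the number of distinct unknown recipients a single source tries over a long window, ignoring rate entirely. The log format, the IP addresses and the recipient list are constructed for the example; real Exchange 2003 SMTP protocol logs use a different layout, so `LINE_RE` would need adjusting before running this over them.

```python
"""Directory-harvest detector over SMTP receive-log lines (added example).

Flags a source IP that, within a window, tries many DISTINCT recipients that are
rejected as unknown, regardless of how slowly it paces them. A single mistyped
address from a legitimate sender does not trip it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one RCPT TO per line:
#   "<ISO timestamp> <client-ip> RCPT TO:<address> <SMTP status code>"
# 203.0.113.7 walks a dictionary slowly (one guess every ~8 minutes);
# 198.51.100.20 is a normal sender who mistypes an address once.
SAMPLE_LOG = """\
2014-04-01T08:00:00 203.0.113.7 RCPT TO:<aa@example.com> 550
2014-04-01T08:07:00 203.0.113.7 RCPT TO:<ab@example.com> 550
2014-04-01T08:15:00 203.0.113.7 RCPT TO:<ac@example.com> 550
2014-04-01T08:22:00 203.0.113.7 RCPT TO:<info@example.com> 250
2014-04-01T08:31:00 203.0.113.7 RCPT TO:<ad@example.com> 550
2014-04-01T08:40:00 203.0.113.7 RCPT TO:<ae@example.com> 550
2014-04-01T08:49:00 203.0.113.7 RCPT TO:<af@example.com> 550
2014-04-01T09:10:00 198.51.100.20 RCPT TO:<sales@example.com> 250
2014-04-01T09:12:00 198.51.100.20 RCPT TO:<salse@example.com> 550
2014-04-01T09:13:00 198.51.100.20 RCPT TO:<sales@example.com> 250
"""

# Hypothetical log layout; adjust for the real log format being analysed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, ip, recipient, status_code); skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"],
                   m["rcpt"].lower(), int(m["code"]))


def find_harvesters(text, window=timedelta(hours=24),
                    min_unknown=5, min_unknown_ratio=0.5):
    """Return {ip: stats} for sources whose RCPT TO pattern looks like a harvest.

    A source is flagged when, inside any `window`-long span of its traffic, it
    tried at least `min_unknown` distinct recipients that got a 5xx reject and
    those rejects are at least `min_unknown_ratio` of its distinct recipients.
    The inter-probe delay is deliberately not a factor.
    """
    per_ip = defaultdict(list)
    for ts, ip, rcpt, code in parse_log(text):
        per_ip[ip].append((ts, rcpt, code))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # slide the window: drop events older than `window` relative to the newest
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            seen = {r for _, r, _ in span}
            unknown = {r for _, r, c in span if 500 <= c < 600}
            if (len(unknown) >= min_unknown
                    and len(unknown) / len(seen) >= min_unknown_ratio):
                if best is None or len(unknown) > best["distinct_unknown"]:
                    best = {"distinct_unknown": len(unknown),
                            "distinct_total": len(seen),
                            # addresses this source now knows exist (got a 250)
                            "confirmed": sorted(seen - unknown)}
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_harvesters(SAMPLE_LOG).items():
        print(ip, stats)
```

The `confirmed` list is the useful output for an incident responder: it is exactly the set of addresses the probing source has verified, so it tells you which mailboxes to expect spam at and which sources to block upstream. Thresholds are assumptions to tune against your own traffic; a large organisation with many typo'd addresses per day will want a higher `min_unknown`.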
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40144275
You should leave that option enabled, but also make the change for the tarpit. That will stop the directory harvest. Deselecting that option means that your server accepts email for all recipients, whether they exist or not, then bounces them. This is called backscatter and can get you blacklisted. Furthermore it is a huge waste of bandwidth. On my blog I have an example of a client who wasn't using recipient filtering; when we enabled it their internet bandwidth use dropped by over 60%!

Simon.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40145035
So reading more about the option here http://support.microsoft.com/kb/886208

I think spammers don't spend time sending actual thousands of spam emails with generated email addresses from a dictionary, but send SMTP commands to dig out legit names first and record them in their spam database.

Tarpit also affects all regular email message delivery. Our business is transportation, where a one or two minute delay is critical for dispatching jobs, so we can't use tarpit to manually delay email delivery.

The option is unchecked and it's the default option for Exchange server. So I may keep the server unchecked on the filtering option and experiment.

Simon, thank you for your advice. I'll keep an eye on the queue to see if that many NDRs are filling it up. If that happens, I also know someone is running harvesting, which is a good indicator for which option I'll later switch to.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40145258
The delay isn't anything like minutes - a 10 second delay would be more than enough.

You should probably look at something more robust to protect the server, because running an email server without recipient validation enabled is not very wise in my opinion. During the major email malware outbreaks the problem wasn't the volume of messages they generated but all of the rejects due to poorly configured servers.

Exchange 2003 is well past its sell-by date and the more modern versions of Exchange are more intelligent with tarpitting.
0
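The last several comments weigh three ways of handling RCPT TO for a domain: accept everything and bounce later (backscatter), reject unknown recipients immediately, or reject them after a tarpit delay. The following is an added example that models those three policies side by side; it is not from this thread and is not how Exchange implements recipient filtering or tarpitting. The mailbox list, the probe list and the per-command timing are constructed, and the 10 second delay is the figure Simon mentions above.

```python
"""Side-by-side model of RCPT TO handling policies (added example).

Runs one constructed dictionary-style probe session through three policies and
reports what each one costs: bounces generated to a possibly forged sender
(backscatter), which addresses the sender learned exist, and how long the
sender had to wait. This is a model, not Exchange's implementation.
"""
from dataclasses import dataclass, field

# Constructed directory for the example domain.
VALID_MAILBOXES = {"info@example.com", "sales@example.com", "jsmith@example.com"}
TARPIT_SECONDS = 10          # delay per rejected RCPT TO (figure from the thread)
PER_RCPT_SECONDS = 0.05      # assumed round-trip cost of one RCPT TO without tarpit

# Constructed probe list: ten single-letter guesses plus two common role names.
PROBES = [f"{c}@example.com" for c in "abcdefghij"] + ["info@example.com", "sales@example.com"]


@dataclass
class Outcome:
    accepted: list = field(default_factory=list)   # recipients answered with 250
    rejected: list = field(default_factory=list)   # recipients answered with 550
    ndrs_sent: int = 0                              # bounces generated after acceptance
    sender_seconds: float = 0.0                     # wall time the sender waits in total


def handle_session(rcpts, recipient_filtering, tarpit_seconds=0):
    """Process one session's RCPT TO commands under a given policy.

    recipient_filtering=False: accept every address; unknown ones produce an NDR
        to the MAIL FROM address later (the backscatter configuration).
    recipient_filtering=True: answer 550 for unknown addresses at RCPT time;
        if tarpit_seconds > 0, the 550 is delayed by that long.
    """
    out = Outcome()
    for rcpt in rcpts:
        rcpt = rcpt.lower()
        exists = rcpt in VALID_MAILBOXES
        if not recipient_filtering:
            out.accepted.append(rcpt)
            out.sender_seconds += PER_RCPT_SECONDS
            if not exists:
                out.ndrs_sent += 1      # bounced to a MAIL FROM the sender may have forged
        elif exists:
            out.accepted.append(rcpt)
            out.sender_seconds += PER_RCPT_SECONDS
        else:
            out.rejected.append(rcpt)
            out.sender_seconds += PER_RCPT_SECONDS + tarpit_seconds
    return out


def compare_policies(rcpts=PROBES):
    """Return the Outcome of the same probe session under each of the three policies."""
    return {
        "accept_all": handle_session(rcpts, recipient_filtering=False),
        "filter_no_tarpit": handle_session(rcpts, recipient_filtering=True),
        "filter_tarpit": handle_session(rcpts, recipient_filtering=True,
                                        tarpit_seconds=TARPIT_SECONDS),
    }


if __name__ == "__main__":
    for name, o in compare_policies().items():
        print(f"{name:17s} accepted={len(o.accepted):2d} rejected={len(o.rejected):2d} "
              f"ndrs={o.ndrs_sent:2d} sender_wait={o.sender_seconds:6.1f}s")
```

Reading the output: `accept_all` generates ten NDRs for a twelve-address session, which is the backscatter and bandwidth cost Simon describes, while the sender waits well under a second. `filter_no_tarpit` generates no NDRs but confirms the two real addresses in the same sub-second time, which is the directory-harvest exposure the thread is about. `filter_tarpit` confirms the same two addresses but makes the sender wait over 100 seconds for twelve guesses; scaled to the two-character dictionary of 36 x 36 guesses mentioned earlier in the thread, that is roughly 3.6 hours per pass instead of about a minute, and, since only rejected recipients are delayed, a correctly addressed legitimate message is not held up at all.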