
Exchange 2010 Server - Phishing attack

Last Modified: 2018-02-02
We recently had a phishing attack that only harvested one account. This one account then began to SPAM thousands of emails via our OWA. We caught the account and shut it down, but not before we were placed on a Microsoft Blacklist. After about a week and a half, we are now off the list and mail will start flowing in 24-48 hours.

I am looking for best practices to avoid this issue in the future.

1.) Is there a way to limit the amount of email a user can send over a period of time?
2.) Is there a way to find and delete a particular email or attachment from multiple boxes without opening each account?

Jerome Pappy Jay, System Engineer

Commented:
From https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

The Best Solution: Submit spam, non-spam, and phishing scam messages to Microsoft for analysis

Applies to: Exchange Online, Exchange Online Protection

It can be frustrating when users in your organization receive junk (spam) or phishing scam messages in their inbox, or if they don’t receive a legitimate email message because it’s marked as junk. We’re constantly fine-tuning our spam filters to be more accurate, and you or your end users can help this process by submitting false negative and false positive spam messages to Microsoft for analysis. A false negative is a spam message that should have been but was not identified as spam. A false positive is a legitimate email message that was incorrectly identified as spam.
Submit junk or phishing messages that passed through the spam filters
If you receive a message that passed through the spam filters and that should be classified as junk or a phishing scam, you can submit this false negative message to the Microsoft Spam and Phishing Analysis Teams, who will review the message and add it to the service-wide filters if it meets the classification criteria.
For more spam settings that apply to the whole organization, see Block email spam with the Office 365 spam filter to prevent false negative issues. It contains tips to help prevent false negatives.

You can submit junk email messages in the following ways:
For Outlook users, the primary way to submit junk messages is by using a plug-in known as the Microsoft Junk Email Reporting Add-in for Microsoft Outlook. For information about installing and using this tool, see Junk email reporting add-in for Microsoft Outlook.
For Outlook on the web users, the primary way to submit junk email messages is by using its built-in junk email reporting option. For more information, see Report junk email and phishing scams in Outlook on the web.
You can also use email to submit messages to Microsoft that should be classified as junk or phishing scams as described in the following procedure.

Use email to submit junk (spam) or phishing scam messages to Microsoft
To submit a junk or phishing scam message to Microsoft:
1.) Create a new, blank email.
2.) Address the email to the Microsoft team that reviews messages as follows:
    For junk messages, address your email to junk@office365.microsoft.com.
    For phishing scam messages, address your email to phish@office365.microsoft.com.
3.) Copy and paste the junk or phishing scam message into that email (as an attachment).
    Note: You can attach multiple messages to the email if you want to. Make sure all the messages are the same type - either phishing scam messages or junk email messages.
4.) Leave the body of the new message empty.
5.) Click Send.

Submit messages that were tagged as junk but should have been allowed through

If a message was incorrectly identified as junk, you can submit this false positive message to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.
Admins can review more spam setting information that applies to a whole organization. Take a look at How to help ensure that a message isn't marked as spam. This information is helpful if you have administrator-level control and you want to prevent false positives.
You can submit non-spam messages in the following ways:
If you use the Move message to Junk Email folder action when configuring your content filters (this is the default action), end users can release false positive messages in their Outlook or OWA Junk Email folder.
Outlook users can release false positive messages using the Not Junk right-click menu option. However, they must submit the message to Microsoft via email, as shown in the procedure below.
OWA users can release false positive messages and submit them to Microsoft for analysis using the Mark as not junk action. For more information on how to do this, see Report junk email and phishing scams in Outlook on the web.
If you use the Quarantine message action instead of the Move message to Junk Email folder action when configuring your content filters:
Administrators can release spam-quarantined messages and report them as false positives from the Exchange admin center. For more information, see Find and release quarantined messages as an administrator.
End users can release their own spam-quarantined messages and report them as false positives via:
The Exchange admin center (EAC) user interface. For more information, see Find and release quarantined messages as an end user.
End-user spam notification messages (if they’re enabled by your administrator). For more information about using this feature, see Use end-user spam notifications to release and report spam-quarantined messages.
You can also use email to submit messages to Microsoft that should not be classified as spam. When doing so, be sure to use the steps in the following procedure.
Use email to submit false positive messages
Use the same procedure as described above in Use email to submit junk (spam) or phishing scam messages to Microsoft, but send the email to not_junk@office365.microsoft.com.

The Process for Spam Evaluation and Rules Deployment

The spam analysis team examines messages you submit and adjusts the spam filters to prevent future junk mail. As a result, Office 365 spam filters are constantly refined. Any submitted items are evaluated at the network-wide level. False-positive submissions are examined and assessed for possible rule adjustment to allow future messages through the spam filters. Therefore, notifying the service of false positives and also false negatives (unfiltered spam) is advantageous for you and all customers using the global network. The spam team examines indicators within each submitted message, such as:
From address
Sending IP address
Keywords
Phrases
Frequency of transmission
Other trends and patterns
After reviewing this information, the spam team might make changes to the service’s spam filtering layers. For more information about the spam team, you can watch the English-language only Microsoft Exchange Spam team video.
Spam evaluation is an ongoing process that applies regardless of the originating language or character set. Because a spam message can be vague or even lack text in the subject or message body, the spam team relies on other message characteristics to perform filtering. This means that after the spam team flags a given message as spam and makes the necessary changes to its rule base, that message will be blocked in the future until its characteristics have been modified enough to avoid our filters. New spam rules are deployed continuously. Time frames for rules on individual submissions vary depending on the quantity and quality of submissions. Because new spam rules are set globally for all customers, not all individual spam submissions will result in a new spam rule.

Author

Commented:
Thanks Scott for pointing me to the right path!!!

Additional help found:
1.) Message limits:
Ordered book from Amazon: Exchange Server 2010: Best Practices

2.) Deleting bulk messages on Exchange 2010:
YouTube search: Using the Exchange Management Shell (EMS) to delete messages with cmdlet Search-Mailbox

Thanks!
Matt
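
Added example, not part of any post in this thread: one way to address both questions from the Exchange Management Shell, assuming Exchange 2010 SP1 or later. The policy name, review mailbox, folder name, limits and search query are constructed placeholders, and the account running it is assumed to hold the Mailbox Search and Mailbox Import Export roles.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010 SP1+ assumed).
# Every name and value below is a constructed placeholder; adjust to your environment.
$PolicyName = 'OutboundRateCap'   # hypothetical throttling policy name
$ReviewMbx  = 'PurgeReview'       # hypothetical mailbox that receives the search log
$LogFolder  = 'PhishPurge'        # hypothetical folder inside $ReviewMbx
$Query      = 'from:"sender@example.com" AND subject:"Mailbox quota notice"'

# --- Question 1: cap how much one account can send ---------------------------
# MessageRateLimit   = messages per minute a user can submit to transport
# RecipientRateLimit = recipients a user can address in a 24-hour period
# Accounts that legitimately send in bulk need their own, looser policy.
New-ThrottlingPolicy -Name $PolicyName -MessageRateLimit 30 -RecipientRateLimit 500
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -ThrottlingPolicy $PolicyName

# --- Question 2: find and remove one message from many mailboxes -------------
# Exclude the review mailbox so it is never both source and target.
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.Alias -ne $ReviewMbx }

# Pass 1: estimate only. Nothing is copied or deleted.
$hits = $mailboxes |
    Search-Mailbox -SearchQuery $Query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }
$hits | Select-Object Identity, ResultItemsCount, ResultItemsSize

# Pass 2: write a per-item log to the review mailbox so the query can be
# checked against real results before anything is removed.
$mailboxes |
    Search-Mailbox -SearchQuery $Query -TargetMailbox $ReviewMbx `
        -TargetFolder $LogFolder -LogOnly -LogLevel Full

# Pass 3: delete the matching items. The cmdlet prompts for confirmation per
# mailbox; a query that is too broad here destroys legitimate mail.
$mailboxes |
    Search-Mailbox -SearchQuery $Query -DeleteContent
```

Running the estimate and log passes first is what keeps a mistyped query from deleting unrelated mail across every mailbox.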