Gordon Tin asked:
How do I block spam mail which (for a short period of time) contains a valid original client IP (A record)?

Dear Sir

Background:
Email Server: Exchange2016
Spam Mail Engine: Symantec Security for Microsoft Exchange "SMSME"

It is noticed that some spam mail can get through our spam engine. After checking, I realised that some spam mail containing a valid "Original Client IP" can get through the spam engine.
(I believe that these spam mails are without an MX record and they only had A records from dynamic IPs. See attachment.)

See attachment: the spam is changing the email address and original IP all the time in a systematic way.
Question:
Is there any way that I can avoid spam mail (with original client IP) penetrating my spam engine and email server?

Is it possible for me to configure Exchange to block emails without an MX record?

ASKER CERTIFIED SOLUTION
David Favor

This solution is only available to members.
Hello,

Let's say it is sometimes not so easy, as spam is always a game between spam protection mechanisms and the spammers who try to work around these mechanisms. If these mechanisms really worked, spam would not be a problem anymore. But they don't. This means you cannot completely avoid it.

One of the mechanisms is simply blacklists. Some of them just check the basics like David described, mainly the server registration (IP, reverse IP, SPF etc.); others rely on traffic volume from a single IP, so they observe the network, also supported by data fetched from their customers. Using blacklist providers is one of the major methods to fish out 80 to 90% of spam mails.

The Symantec antispam should contain such an option, as Exchange has it too.
Possibly it is already set up by default, besides a few other mechanisms.
But as especially the additional mechanisms decide how good or bad they work, it may also be a question of your selected product: what they are able to detect, which additional mechanisms they use, and what you are possibly able to add or change on your side.

All other mechanisms, i.e. checking the registration yourself (especially the not so widespread DKIM), are a method to check the reliability of corporate mail servers, but this does not really have an effect, as they are usually well configured because they want to send their regular emails out. Every corporate mail server has to fulfill a bunch of conditions to be able to send mail to all targets, as all the others have implemented one or the other protection mechanism. In the end they have to fulfill a combination of all mechanisms used by the target servers they want to send mail to.

And as corporate servers are usually not used by spammers (with the exception of a few hacked or botnetted servers), you can mostly exclude them.

So, what are spammers doing?
They use providers. These also offer their customers mail gateways to be able to send mails. And every provider is configured even more strictly, to make sure customers can send mails to everybody.
But providers first of all allow changing addresses very fast, as the addresses assigned to customers are usually dynamic, and it is also easy to create new accounts very fast.
So the major strategy of spammers is to send bulk mails until they are blocked due to the number of mails they sent, and then change the IP on the same provider, take the next account or even the next provider.
They just use the small timeframe until common spam protection mechanisms start to work.
Others spread their mails over a few hundred mail gateways in the hope that they are not blocked, or that it takes longer until they are blocked.

So it depends a little bit on the mechanisms of the antispam gateway, which techniques are used there and which additional services they provide to reduce the amount of spam. They may be able to raise the recognition level above what blacklist providers can do to filter spam.

The major problem for all anti-spam products is that they should not filter out regular mails. The more restrictive they are, the higher the true/false rate... And checking the 90% of filtered mails to see if there is a true/false detection inside is much more work than deleting the small number of mails out of the leftover 10% which pass the mechanism.

Note that spamming is a bulk action. They send 1 million mails out in the hope that maybe 100,000 pass the filters. Two days later the same action with a different gateway, two days later the next one.
 
By the way, that spammers penetrate your antispam gateway is normal. This is the job of the gateway. But your Exchange should mainly only get what the gateway doesn't fish out.
Using block list providers usually forces the gateway to just kill the connection. This eliminates the need for any further action like antivirus or whatever else. If 80% are just blocked out, the gateway only has to handle the remaining 20%.
You will need some solution that not only blocks by IP, but also on the content with a Bayes scoring system... That way "spammy" looking mails can get caught more easily, and after they get caught and Bayes scored, the same email from a different address will also get caught.
Let's say there are two types of spammers, the professional ones and the "marketing" spammers.

The last group are companies where you ordered something and then you get mails every day, although you never requested any information. As these are companies, they usually respect signing out from such mailing lists in some way. For them, common procedures may also work, but signing out is the most effective way just to let them recognize that you don't want to have them.

Professional spammers you cannot catch by IP blocking, as they change the IP within hours, possibly within minutes. They try to work around any common restriction, and spam is as old as email itself. Not in today's dimension, but I just cleaned up my software repositories a bit and found some antispam gateways from the year 2000.
And on the other side, the bulk mail software solutions get more and more intelligent at working around all the tricks the antispam vendors implement in their software.

This is the game, and there is no way to really filter out 100% of spam.
The question is what amount of spam you can accept.

Short-time attacks you can temporarily stop by IP blocks or similar lists. But this helps only for some hours, maybe days.
The effect will be that this list gets longer and longer until you recognize that also (usually) reliable IP addresses are on that list, and true/false reactions may rise.

You may inspect your antispam gateway to get an impression of how effectively it works. They usually have statistics on how many mails are blocked and how many passed the gateway. I would say everything above 95% is a good value.
Some gateways catch more, others less, and some of them are just not very efficient due to configuration.

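The answer above describes block list providers killing the connection before any further filtering runs. In Exchange 2016 that is the Connection Filtering agent, which is only available on the Edge Transport role (it is not among the agents that Install-AntiSpamAgents.ps1 adds to a Mailbox server). The following is an added example, not from the original thread or from any poster; the provider name, the DNSBL zone and the test IP are placeholders, and you must use a block list zone whose usage terms you are licensed for.

```powershell
# Added example (not from the thread): configure a DNS block list provider on an
# Exchange 2016 Edge Transport server. Run from the Exchange Management Shell.
# "Spamhaus ZEN" / zen.spamhaus.org are used here only as a placeholder; check the
# list operator's terms before pointing production mail flow at any DNSBL.

# 1. Register the provider. -AnyMatch $true treats any A record returned by the
#    list as a hit; -RejectionResponse is the text sent back in the SMTP 5xx reply
#    so a legitimate sender who is wrongly listed knows why they were rejected.
Add-IPBlockListProvider -Name "Spamhaus ZEN" `
    -LookupDomain "zen.spamhaus.org" `
    -AnyMatch $true `
    -RejectionResponse "Your IP address is listed by zen.spamhaus.org"

# 2. Make sure provider lookups are enabled for external (unauthenticated) mail.
Set-IPBlockListProvidersConfig -Enabled $true -ExternalMailEnabled $true

# 3. Verify the provider is active.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, AnyMatch, Enabled

# 4. Ask the provider about a specific connecting IP (placeholder address) to
#    confirm the lookup works and to see what the list says about that address.
Test-IPBlockListProvider -Identity "Spamhaus ZEN" -IPAddress 203.0.113.45

# 5. After some traffic, check what the Connection Filtering agent actually did.
#    Rejected connections never reach content filtering or antivirus, which is
#    the saving the answer above describes.
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq "Connection Filtering Agent" } |
    Select-Object Timestamp, IPAddress, Action, Reason, ReasonData |
    Format-Table -AutoSize
```

Keep the "this list gets longer" warning from the answer in mind: a reputable DNSBL expires entries itself, so the dynamic-IP ranges the spammer cycles through are listed and delisted without you maintaining a hand-written block list that eventually catches legitimate senders.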
Gordon Tin

ASKER

Dear All

It is noticed that the Content Filter agent, Sender ID agent, Sender Filter agent, Recipient Filter agent and Protocol Analysis agent were not previously installed on the Exchange 2016. After I installed these agents, the spam emails are effectively filtered by SPF.
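The steps Gordon describes (installing the anti-spam agents on a Mailbox server, after which the Sender ID agent rejects mail whose sending IP fails the sender domain's SPF record), as an added example that is not Gordon's own commands. The internal IP range and the sender domain used for the DNS check are placeholders. Note that Exchange has no built-in "reject if the sender domain has no MX record" option, which was the second question in the thread; the last lines show how to look that up by hand with Resolve-DnsName, and a domain with only an A record and no SPF record will get a Sender ID result of None, not Fail, and so is not rejected by this configuration.

```powershell
# Added example (not from the thread): enable and tune the Exchange 2016 anti-spam
# agents on a Mailbox server. Run from the Exchange Management Shell as an
# Organization Management member. 10.0.0.0/24 and example.com are placeholders.

# 1. Install the five agents Gordon lists (Content Filter, Sender ID, Sender Filter,
#    Recipient Filter, Protocol Analysis / Sender Reputation), then restart transport.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# 2. Tell the agents which SMTP servers are internal, so the Sender ID agent checks
#    the first *external* hop (the original client IP) and not your own relay.
Set-TransportConfig -InternalSMTPServers @{Add = "10.0.0.1", "10.0.0.2"}

# 3. Sender ID: reject on SPF hard fail instead of only stamping a header.
#    TempErrorAction StampStatus keeps DNS hiccups from bouncing legitimate mail.
Set-SenderIdConfig -Enabled $true `
    -SpoofedDomainAction Reject `
    -TempErrorAction StampStatus

# 4. Sender Filter: reject blank MAIL FROM, which bulk senders often use.
Set-SenderFilterConfig -Enabled $true -BlankSenderBlockingEnabled $true -Action Reject

# 5. Recipient Filter: reject mail to addresses that do not exist in the directory,
#    so dictionary-style spam is refused at RCPT TO.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 6. Sender Reputation: block sources that accumulate a high sender reputation level.
Set-SenderReputationConfig -Enabled $true `
    -SenderBlockingEnabled $true `
    -SrlBlockThreshold 7

# 7. Confirm every agent is installed and enabled.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, TempErrorAction

# 8. Manual check for a suspicious sender domain (placeholder example.com):
#    does it publish an MX record and an SPF record at all? Exchange cannot enforce
#    this, but it tells you whether Sender ID can ever reach a Fail for that domain.
Resolve-DnsName -Name "example.com" -Type MX  -ErrorAction SilentlyContinue
Resolve-DnsName -Name "example.com" -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -match "^v=spf1" }

# 9. See what the Sender ID agent decided for recent mail.
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq "Sender Id Agent" } |
    Select-Object Timestamp, P1FromAddress, Action, Reason, ReasonData |
    Format-Table -AutoSize
```

Step 2 matters for Gordon's symptom: without InternalSMTPServers, the Sender ID agent may evaluate SPF against an internal relay address rather than the original client IP the spam engine saw, and every message then comes back as a pass or TempError.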

   
@Gordon, Glad you got this working!