Do you know what your message tracking logs on the mailbox server look like when this is happening?
I'd bet the profs are sending out relatively few messages with lots of recipients, and the spammers are sending out lots of messages to one or a few recipients. One will generate a lot of submits, and the other relatively few. If that's the case, you may be able to script a periodic check of the mailbox server message tracking logs, and disable any account that's had too many submits in a given time.

From: Boggis, Josh [mailto:josh.bog...@uconn.edu]
Sent: Friday, January 22, 2010 10:23 AM
To: MS-Exchange Admin Issues
Subject: RE: stopping spam from inside server?

To be clear, this is the same as normal traffic. This is not being done on an open relay, a user has given out their ID/Password to a phishing scheme, and they are logging in remotely over OWA to send out large amounts of spam. It's the same as a professor sending out 5000 mails to an academic group they run. This is where things get tough for me. I am looking for something to distinguish a user who has been compromised and is sending out spam vs a user sending out valid large amounts of email.

Oh and I forgot to put in, we are running Exchange 2007. Do have Forefront installed to handle antivirus, and have a few Barracuda boxes for spam filtering incoming.

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Friday, January 22, 2010 10:26 AM
To: MS-Exchange Admin Issues
Subject: RE: stopping spam from inside server?

+1. No port 25 traffic should be allowed out except from the known mail servers. Then all you have to secure is those servers.

Carl

________________________________

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Friday, January 22, 2010 9:35 AM
To: MS-Exchange Admin Issues
Subject: Re: stopping spam from inside server?

Have you verified you're not configured as an open relay? Is your firewall only allowing SMTP traffic to/from your Exchange box?

Die dulci fruere!
Roger Wright
___
Marie von Ebner-Eschenbach <http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html> - "Even a stopped clock is right twice a day."

On Fri, Jan 22, 2010 at 8:15 AM, Boggis, Josh <josh.bog...@uconn.edu> wrote:

Anyone have any suggestions on anything for stopping what I call internal spam. Users who reply to phishing emails, whose account is then used to send out massive amounts of spam to the world. Because of this massive blast of spam, our mail server gets placed on many block lists, and then I have to spend the day getting us off block lists because of one user who thinks it's a good idea to give out login id, password, home address, favorite ice cream flavor and blood type just because an email asked them to.

Any ideas on solutions? User education has proven fruitless, we still get people who reply.
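
The periodic check suggested in the top reply could look like the following for the Exchange 2007 Management Shell. This is an added example, not a script posted by anyone in the thread. The server name, time window, threshold and allow list are assumed values, and turning off OWA (the access path described above) stands in for "disable the account".

```powershell
# Added example, not from the thread. Run from the Exchange Management Shell
# as a scheduled task. All values below are assumptions to be replaced.
$MailboxServer = 'MBX01'                       # hypothetical mailbox server name
$WindowMinutes = 15                            # look-back window per run
$MaxSubmits    = 200                           # assumed threshold; tune to your baseline
$AllowList     = @('listowner@example.edu')    # hypothetical known bulk senders
$Enforce       = $false                        # report only until thresholds are trusted

$end   = Get-Date
$start = $end.AddMinutes(-$WindowMinutes)

# One SUBMIT event is logged per message the mailbox server hands to transport,
# so a single mail to 5000 recipients counts once, while 5000 single-recipient
# mails count 5000 times.
$submits = Get-MessageTrackingLog -Server $MailboxServer -EventId SUBMIT `
    -Start $start -End $end -ResultSize Unlimited

# Count submissions per sender and keep only senders above the threshold.
# Assumes the Sender field is populated on SUBMIT events in your logs.
$offenders = $submits |
    Where-Object { $_.Sender -and ($AllowList -notcontains $_.Sender) } |
    Group-Object -Property Sender |
    Where-Object { $_.Count -gt $MaxSubmits } |
    Sort-Object -Property Count -Descending

foreach ($o in $offenders) {
    Write-Warning ("{0} submitted {1} messages in the last {2} minutes" -f `
        $o.Name, $o.Count, $WindowMinutes)
    if ($Enforce) {
        # Containment only: cuts off OWA access for the flagged mailbox
        Set-CASMailbox -Identity $o.Name -OWAEnabled $false
    }
}
```

Run it in report-only mode first to see what normal submit counts look like for your bulk senders. Blocking OWA only contains the sending; the phished password still has to be reset.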