The devil's in the detail? How are the infected boxes sending the emails? Via SMTP? If so, firewall it and configure Exchange SMTP connectors so that only authorised hosts can connect to your email hubs, SMTP relays, and SMTP servers in the outside world.
Cheers,
Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk

From: Sharp, Kevin [mailto:kevin.sh...@usask.ca]
Sent: 24 February 2012 17:20
To: MS-Exchange Admin Issues
Subject: internal spam

I'm wondering how people are dealing with compromised accounts in Exchange sending large volumes of email...essentially an internal spam attack.

Occasionally a phishing attempt will make it past our spam software, and of course the odd unsuspecting user ends up with a compromised account which makes a connection to the mail system via either a compromised PC or external connection. We notice this when the email starts piling up, and action can be taken then...but I'm wondering if there is some software or method that might have some more smarts.

We've had numerous incidents but so far...not an easy way to distinguish a potential spam attack until after it happens, and the email starts piling up in the retry queue. I've looked at throttling policies and some of the transport filtering, not sure if that will help us much.

What are others doing?

Thanks
Kevin Sharp
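
The connector restriction suggested in the reply above, as an added example that is not part of the original thread. It assumes the Exchange Management Shell on Exchange 2007 or later; the connector name `HUB01\Internal Relay` and the 192.0.2.x addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Connector name and IP addresses below are constructed placeholders.

# 1. Audit: find Receive connectors that accept SMTP from any IPv4 address.
#    These are the connectors an infected workstation can reach directly.
Get-ReceiveConnector |
    Where-Object {
        @($_.RemoteIPRanges | ForEach-Object { "$_" }) -contains '0.0.0.0-255.255.255.255'
    } |
    Format-Table Identity, Bindings, PermissionGroups, AuthMechanism -AutoSize

# 2. Restrict a dedicated relay connector to the authorised hosts only
#    (for example application servers and scanners that must submit mail).
#    Do not narrow a connector that other Exchange servers use for
#    server-to-server transport without including their addresses,
#    or internal mail flow will stop.
Set-ReceiveConnector -Identity 'HUB01\Internal Relay' `
    -RemoteIPRanges 192.0.2.10, 192.0.2.11

# 3. Verify the resulting scope and which permission groups may submit.
Get-ReceiveConnector -Identity 'HUB01\Internal Relay' |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups
```

This only covers hosts that submit over SMTP; the firewall half of the advice (blocking outbound TCP 25 from everything except the mail hubs) is enforced at the network edge, not in Exchange.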