RE: Alert and possibly throttle outbound email per user
Exchange 2010's alerting is over a 24 hour period it appears (http://technet.microsoft.com/en-us/library/dd351045.aspx new-throttlepolicy -RecipientRateLimit). It's a good start, so hopefully as administrators we'll be able to configure a set time limit window in a future service pack :)

There is a module that will plug into postfix: http://www.policyd.org/tiki-index.php?page=Quotasstructure=Documentation, but unfortunately my Anti-Spam appliance is a turnkey solution (the appliance is built on Postfix) and completely locked down. I've already asked the vendor to add it as a feature request.

-Scott

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 13, 2010 5:56 PM
To: MS-Exchange Admin Issues
Subject: Re: Alert and possibly throttle outbound email per user

Didn't think you meant difficult, but your suggestion that a 3rd party (or homegrown) app is why I suggested a centralised log collection/analysis tool - IMHO it's something that should be available in an IT environment of any size anyway, and it's just one more task for it to work on.

Kurt

On Tue, Jul 13, 2010 at 14:34, Michael B. Smith mich...@smithcons.com wrote:

Exchange 2010 can give you the instantaneous data, but doesn't provide any BI that comes out of the raw data. Didn't intend to imply that it was hard or difficult - just that it wasn't built-in.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 13, 2010 5:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Alert and possibly throttle outbound email per user

On Tue, Jul 13, 2010 at 12:24, Bolser, Scott scott.bol...@childrens.harvard.edu wrote:

I’ve been searching around for a logical solution to monitor and throttle Exchange accounts if a user has unknowingly given up their username/password in a phishing attack. The typical attack utilizes OWA to start sending SPAM shortly afterwards. Environment is Exchange 2007 SP2. I’m attempting to find a solution that would trigger an alert if a user is sending ‘x’ number of messages in a 30 minute to 1 hour window. Has anyone found a simple solution?

Thanks,
Scott

MBS says a third party app. I wonder if, for instance, nagios/syslog/MOM/OSSEC/OSSIM/whatever can monitor the logs and keep a count of SMTP transactions by IP address and if a threshold is exceeded raise an alarm.

Kurt
RE: Alert and possibly throttle outbound email per user
It's going to take an application of some type.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Bolser, Scott [mailto:scott.bol...@childrens.harvard.edu]
Sent: Tuesday, July 13, 2010 3:24 PM
To: MS-Exchange Admin Issues
Subject: Alert and possibly throttle outbound email per user

I've been searching around for a logical solution to monitor and throttle Exchange accounts if a user has unknowingly given up their username/password in a phishing attack. The typical attack utilizes OWA to start sending SPAM shortly afterwards. Environment is Exchange 2007 SP2. I'm attempting to find a solution that would trigger an alert if a user is sending 'x' number of messages in a 30 minute to 1 hour window. Has anyone found a simple solution?

Thanks,
Scott
Re: Alert and possibly throttle outbound email per user
On Tue, Jul 13, 2010 at 12:24, Bolser, Scott scott.bol...@childrens.harvard.edu wrote:

I’ve been searching around for a logical solution to monitor and throttle Exchange accounts if a user has unknowingly given up their username/password in a phishing attack. The typical attack utilizes OWA to start sending SPAM shortly afterwards. Environment is Exchange 2007 SP2. I’m attempting to find a solution that would trigger an alert if a user is sending ‘x’ number of messages in a 30 minute to 1 hour window. Has anyone found a simple solution?

Thanks,
Scott

MBS says a third party app. I wonder if, for instance, nagios/syslog/MOM/OSSEC/OSSIM/whatever can monitor the logs and keep a count of SMTP transactions by IP address and if a threshold is exceeded raise an alarm.

Kurt
RE: Alert and possibly throttle outbound email per user
Exchange 2010 can give you the instantaneous data, but doesn't provide any BI that comes out of the raw data. Didn't intend to imply that it was hard or difficult - just that it wasn't built-in.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 13, 2010 5:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Alert and possibly throttle outbound email per user

On Tue, Jul 13, 2010 at 12:24, Bolser, Scott scott.bol...@childrens.harvard.edu wrote:

I’ve been searching around for a logical solution to monitor and throttle Exchange accounts if a user has unknowingly given up their username/password in a phishing attack. The typical attack utilizes OWA to start sending SPAM shortly afterwards. Environment is Exchange 2007 SP2. I’m attempting to find a solution that would trigger an alert if a user is sending ‘x’ number of messages in a 30 minute to 1 hour window. Has anyone found a simple solution?

Thanks,
Scott

MBS says a third party app. I wonder if, for instance, nagios/syslog/MOM/OSSEC/OSSIM/whatever can monitor the logs and keep a count of SMTP transactions by IP address and if a threshold is exceeded raise an alarm.

Kurt
RE: Alert and possibly throttle outbound email per user
A scheduled task and a PS script could grab all the Send events with a Source of SMTP from the message tracking logs for the last hour or half hour, tally up the counts per user (hash table), and then send you an email if anybody goes over whatever you set for a warning threshold.

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, July 13, 2010 4:34 PM
To: MS-Exchange Admin Issues
Subject: RE: Alert and possibly throttle outbound email per user

Exchange 2010 can give you the instantaneous data, but doesn't provide any BI that comes out of the raw data. Didn't intend to imply that it was hard or difficult - just that it wasn't built-in.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 13, 2010 5:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Alert and possibly throttle outbound email per user

On Tue, Jul 13, 2010 at 12:24, Bolser, Scott scott.bol...@childrens.harvard.edu wrote:

I’ve been searching around for a logical solution to monitor and throttle Exchange accounts if a user has unknowingly given up their username/password in a phishing attack. The typical attack utilizes OWA to start sending SPAM shortly afterwards. Environment is Exchange 2007 SP2. I’m attempting to find a solution that would trigger an alert if a user is sending ‘x’ number of messages in a 30 minute to 1 hour window. Has anyone found a simple solution?

Thanks,
Scott

MBS says a third party app. I wonder if, for instance, nagios/syslog/MOM/OSSEC/OSSIM/whatever can monitor the logs and keep a count of SMTP transactions by IP address and if a threshold is exceeded raise an alarm.

Kurt
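The scheduled tally described in the message above, sketched as an added example that is not part of the original thread or any poster's own script. It assumes PowerShell 2.0 or later; the threshold, window, mail settings and the function name Get-NoisySender are placeholders, and the sample events are constructed so the logic can be checked off-server.

```powershell
# Added example (not from the thread). Tune these placeholder values.
$WindowMinutes = 30
$Threshold     = 100     # recipients per sender per window that triggers a warning
$SmtpServer    = $null   # set to your relay to enable the alert mail
$MailFrom      = 'exchange-alerts@example.com'   # placeholder address
$MailTo        = 'mailadmin@example.com'         # placeholder address

function Get-NoisySender {
    param($Events, [int]$Threshold)
    $msgs = @{}; $rcpts = @{}                    # sender -> message / recipient counts
    foreach ($e in $Events) {
        if ($e.EventId -ne 'SEND' -or $e.Source -ne 'SMTP') { continue }
        if (-not $e.Sender) { continue }         # empty sender = DSN/NDR, not a user
        $key = $e.Sender.ToLower()               # case varies between log entries
        $msgs[$key]  += 1
        $rcpts[$key] += @($e.Recipients).Count   # one message can carry many recipients
    }
    foreach ($key in $rcpts.Keys) {
        if ($rcpts[$key] -ge $Threshold) {
            New-Object PSObject -Property @{
                Sender = $key; Messages = $msgs[$key]; Recipients = $rcpts[$key] }
        }
    }
}

# Constructed sample events: one account fanning out, one normal sender,
# and one non-SMTP event that must be ignored.
$sample = @()
1..120 | ForEach-Object {
    $sample += New-Object PSObject -Property @{ EventId = 'SEND'; Source = 'SMTP'
        Sender = 'Phished.User@example.com'; Recipients = @("target$_@example.net") }
}
$sample += New-Object PSObject -Property @{ EventId = 'SEND'; Source = 'SMTP'
    Sender = 'normal.user@example.com'; Recipients = @('a@example.net', 'b@example.net') }
$sample += New-Object PSObject -Property @{ EventId = 'DELIVER'; Source = 'STOREDRIVER'
    Sender = 'normal.user@example.com'; Recipients = @('c@example.com') }

if (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue) {
    # In the Exchange Management Shell: read the real tracking log for the window.
    $events = Get-MessageTrackingLog -EventId Send -ResultSize Unlimited `
        -Start (Get-Date).AddMinutes(-$WindowMinutes)
} else {
    $events = $sample                            # off-server: constructed data only
}

$hits = @(Get-NoisySender -Events $events -Threshold $Threshold)
$hits | Sort-Object Recipients -Descending | Format-Table Sender, Messages, Recipients -AutoSize
if ($hits.Count -gt 0 -and $SmtpServer) {
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject 'Outbound mail threshold exceeded' -Body ($hits | Out-String)
}
```

Run against the constructed sample, only phished.user@example.com is reported (120 messages, 120 recipients). Counting recipients rather than messages also catches a compromised account that sends a few messages with very long recipient lists.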
Re: Alert and possibly throttle outbound email per user
Didn't think you meant difficult, but your suggestion that a 3rd party (or homegrown) app is why I suggested a centralised log collection/analysis tool - IMHO it's something that should be available in an IT environment of any size anyway, and it's just one more task for it to work on.

Kurt

On Tue, Jul 13, 2010 at 14:34, Michael B. Smith mich...@smithcons.com wrote:

Exchange 2010 can give you the instantaneous data, but doesn't provide any BI that comes out of the raw data. Didn't intend to imply that it was hard or difficult - just that it wasn't built-in.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 13, 2010 5:26 PM
To: MS-Exchange Admin Issues
Subject: Re: Alert and possibly throttle outbound email per user

On Tue, Jul 13, 2010 at 12:24, Bolser, Scott scott.bol...@childrens.harvard.edu wrote:

I’ve been searching around for a logical solution to monitor and throttle Exchange accounts if a user has unknowingly given up their username/password in a phishing attack. The typical attack utilizes OWA to start sending SPAM shortly afterwards. Environment is Exchange 2007 SP2. I’m attempting to find a solution that would trigger an alert if a user is sending ‘x’ number of messages in a 30 minute to 1 hour window. Has anyone found a simple solution?

Thanks,
Scott

MBS says a third party app. I wonder if, for instance, nagios/syslog/MOM/OSSEC/OSSIM/whatever can monitor the logs and keep a count of SMTP transactions by IP address and if a threshold is exceeded raise an alarm.

Kurt