RE: Incoming spoofed e-mail issue
In the reverse DNS section of this tool, do I need to check the box? I don't host my external DNS records, so I don't know what PTR records, if any, are out there. Joe Heaton Employment Training Panel -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Thursday, February 19, 2009 8:06 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Although it isn't perfect, this link has been out on the list before and is a good way to generate an SPF if you are wondering where to start. http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wiz ard/ -troy -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Thursday, February 19, 2009 6:52 AM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue +1. Although impossible to quantify, it can only help your situation. -- ME2 On Wed, Feb 18, 2009 at 7:22 PM, Don Andrews don.andr...@safeway.com wrote: You might consider advertising an SPF record - cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~ ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~ ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
You appear to have a valid PTR at least for the IP this message came from. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, February 23, 2009 7:47 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue In the reverse DNS section of this tool, do I need to check the box? I don't host my external DNS records, so I don't know what PTR records, if any, are out there. Joe Heaton Employment Training Panel -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Thursday, February 19, 2009 8:06 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Although it isn't perfect, this link has been out on the list before and is a good way to generate an SPF if you are wondering where to start. http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wiz ard/ -troy -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Thursday, February 19, 2009 6:52 AM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue +1. Although impossible to quantify, it can only help your situation. -- ME2 On Wed, Feb 18, 2009 at 7:22 PM, Don Andrews don.andr...@safeway.com wrote: You might consider advertising an SPF record - cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~ ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~ ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~ ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
Thanks Don. So in the creation process, since I only have one IP that should be sending e-mail, I can check the box saying that all the reverse DNS records for my domain resolve to outbound e-mail servers? Or could there be PTR records for my web servers as well? Joe Heaton Employment Training Panel -Original Message- From: Don Andrews [mailto:don.andr...@safeway.com] Sent: Monday, February 23, 2009 8:38 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue You appear to have a valid PTR at least for the IP this message came from. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, February 23, 2009 7:47 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue In the reverse DNS section of this tool, do I need to check the box? I don't host my external DNS records, so I don't know what PTR records, if any, are out there. Joe Heaton Employment Training Panel -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Thursday, February 19, 2009 8:06 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Although it isn't perfect, this link has been out on the list before and is a good way to generate an SPF if you are wondering where to start. http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wiz ard/ -troy -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Thursday, February 19, 2009 6:52 AM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue +1. Although impossible to quantify, it can only help your situation. -- ME2 On Wed, Feb 18, 2009 at 7:22 PM, Don Andrews don.andr...@safeway.com wrote: You might consider advertising an SPF record - cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http
RE: Incoming spoofed e-mail issue
Any IP that SHOULD be allowed to send email directly to external recipients - if your web servers have port 25 open intentionally so they can send directly rather then relaying through your normal email source, they would be blocked by systems checking for SPF records if you don't supply SPF and PTR records for them. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, February 23, 2009 8:40 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thanks Don. So in the creation process, since I only have one IP that should be sending e-mail, I can check the box saying that all the reverse DNS records for my domain resolve to outbound e-mail servers? Or could there be PTR records for my web servers as well? Joe Heaton Employment Training Panel -Original Message- From: Don Andrews [mailto:don.andr...@safeway.com] Sent: Monday, February 23, 2009 8:38 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue You appear to have a valid PTR at least for the IP this message came from. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, February 23, 2009 7:47 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue In the reverse DNS section of this tool, do I need to check the box? I don't host my external DNS records, so I don't know what PTR records, if any, are out there. Joe Heaton Employment Training Panel -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Thursday, February 19, 2009 8:06 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Although it isn't perfect, this link has been out on the list before and is a good way to generate an SPF if you are wondering where to start. http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wiz ard/ -troy -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Thursday, February 19, 2009 6:52 AM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue +1. Although impossible to quantify, it can only help your situation. -- ME2 On Wed, Feb 18, 2009 at 7:22 PM, Don Andrews don.andr...@safeway.com wrote: You might consider advertising an SPF record - cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy
RE: Incoming spoofed e-mail issue
Any IP that SHOULD be allowed to send email directly to external destinations should have them - if your web servers have port 25 open intentionally so they can send directly rather then relaying through your normal email source, they would be blocked by systems checking for SPF records if you don't supply SPF and PTR records for them. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, February 23, 2009 8:40 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thanks Don. So in the creation process, since I only have one IP that should be sending e-mail, I can check the box saying that all the reverse DNS records for my domain resolve to outbound e-mail servers? Or could there be PTR records for my web servers as well? Joe Heaton Employment Training Panel -Original Message- From: Don Andrews [mailto:don.andr...@safeway.com] Sent: Monday, February 23, 2009 8:38 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue You appear to have a valid PTR at least for the IP this message came from. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, February 23, 2009 7:47 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue In the reverse DNS section of this tool, do I need to check the box? I don't host my external DNS records, so I don't know what PTR records, if any, are out there. Joe Heaton Employment Training Panel -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Thursday, February 19, 2009 8:06 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Although it isn't perfect, this link has been out on the list before and is a good way to generate an SPF if you are wondering where to start. http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wiz ard/ -troy -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Thursday, February 19, 2009 6:52 AM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue +1. Although impossible to quantify, it can only help your situation. -- ME2 On Wed, Feb 18, 2009 at 7:22 PM, Don Andrews don.andr...@safeway.com wrote: You might consider advertising an SPF record - cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read
Re: Incoming spoofed e-mail issue
+1. Although impossible to quantify, it can only help your situation. -- ME2 On Wed, Feb 18, 2009 at 7:22 PM, Don Andrews don.andr...@safeway.com wrote: You might consider advertising an SPF record – cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one… Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe…if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
You might consider advertising an SPF record - cheap and little effort. No guarantees except that it lets honest domains that check for it ignore spoofed sends. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, February 18, 2009 10:24 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Thomas, I think I've found a way to take care of some of this stuff. I have a Watchguard firewall, which has a feature built in called an SMTP Proxy. Within that, I can set a filter to deny any messages coming from specific domains, or, as in this case, from specific country codes (.pl, .ru, etc). I just put it in place, so I'm hoping it's going to help the issue here. As far as backscatter from within the US, I'm still working on that one... Joe Heaton Employment Training Panel From: Thomas Gonzalez [mailto:tgonza...@girlscouts-swtx.org] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
That's exactly what I'm battling right now Joe...if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
I use MIMEsweeper for SMTP from Clearswift and I can create policies to quarantine when mail comes from *...@mydomain - - - *...@mydomain. I then go a step further as there are cases where some of our services at a colo send in a spoofed fashion that it triggers an allow action based on content. I can also block altogether through settings on what's called the receiver service when it finds spoofed emails. With that being said any chance there are options like that in your Symantec appliance? Sean Donnelly IT Operations Manager tel. (781) 935-6020 x395 fax (781) 998-2682 Service Point USA Document, Print, and Information Management www.servicepointusa.com http://www.servicepointusa.com/ From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 1:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov * This communication is confidential and may contain privileged information intended solely for the named addressee. It may not be used or disclosed except for the purpose for which it has been sent. If you are not the intended recipient, you may not copy or distribute this communication. Unless expressly stated, opinions in this message are those of the individual sender and not of Service Point USA. If you have received this communication in error, please notify Service Point USA by emailing postmas...@servicepointusa.com quoting the sender and delete the message and any attached documents. This footnote confirms that this email message has been swept by MIMEsweeper for Content Security threats, including computer viruses. Service Point USA 150 Presidential Way Ste 210 Woburn, MA 01801 www.servicepointusa.com * ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
Re: Incoming spoofed e-mail issue
Incoming SPAM is tackled at the gateway correct? Do your users have individual control over their Blacklists or do you manage that globally? If they manage their own, why not have them blacklist their own address? I know their may be exceptions, but are there any legitimate reasons why incoming mail traversing your gateway should appear to be coming from your domain? - Sean On Tue, Feb 17, 2009 at 9:34 AM, Thomas Gonzalez tgonza...@girlscouts-swtx.org wrote: That's exactly what I'm battling right now Joe…if you look at the header you will see the actual sender / originator. I couldn't give you a correct way how to tackle this issue. But this backscatter has become a pain in the you know what. *From:* Joe Heaton [mailto:jhea...@etp.ca.gov] *Sent:* Tuesday, February 17, 2009 12:30 PM *To:* MS-Exchange Admin Issues *Subject:* Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains... Joe Heaton Employment Training Panel From: Kim Longenbaugh [mailto:k...@colonialsavings.com] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
Re: Incoming spoofed e-mail issue
Though specific for ISA, visit http://isaserver.bm/ and read the article entitled 'Country by Country ISA Computer Sets - Courtesy of THOR'. Since we invested the time to implement this, the resultant amount of time we have to invest in combatting SPAM is minimal. FWIW, Michael. On Tue, Feb 17, 2009 at 11:11 AM, Joe Heaton jhea...@etp.ca.gov wrote: I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains… Joe Heaton Employment Training Panel *From:* Kim Longenbaugh [mailto:k...@colonialsavings.com] *Sent:* Tuesday, February 17, 2009 10:35 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
Another way is to scan the list below and whack complete A ranges that you don't need. My user base has no need for email from the far east, Latin America for example so I kill APNIC and LAPNIC. RIPE if you want to drop Europe but be careful with that one, that range is chopped up so you will find parts of Message Labs in the middle for example. http://www.iana.org/assignments/ipv4-address-space/ From: Michael White [mailto:mswhite...@gmail.com] Sent: Tuesday, February 17, 2009 2:35 PM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue Though specific for ISA, visit http://isaserver.bm/ and read the article entitled 'Country by Country ISA Computer Sets - Courtesy of THOR'. Since we invested the time to implement this, the resultant amount of time we have to invest in combatting SPAM is minimal. FWIW, Michael. On Tue, Feb 17, 2009 at 11:11 AM, Joe Heaton jhea...@etp.ca.govmailto:jhea...@etp.ca.gov wrote: I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains... Joe Heaton Employment Training Panel From: Kim Longenbaugh [mailto:k...@colonialsavings.commailto:k...@colonialsavings.com] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
Yeah, and as one of the other network engineers here pointed out, you could supernet some of the ranges to minimize the number of entries you have to make. From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Tuesday, February 17, 2009 1:44 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Another way is to scan the list below and whack complete A ranges that you don't need. My user base has no need for email from the far east, Latin America for example so I kill APNIC and LAPNIC. RIPE if you want to drop Europe but be careful with that one, that range is chopped up so you will find parts of Message Labs in the middle for example. http://www.iana.org/assignments/ipv4-address-space/ From: Michael White [mailto:mswhite...@gmail.com] Sent: Tuesday, February 17, 2009 2:35 PM To: MS-Exchange Admin Issues Subject: Re: Incoming spoofed e-mail issue Though specific for ISA, visit http://isaserver.bm/ and read the article entitled 'Country by Country ISA Computer Sets - Courtesy of THOR'. Since we invested the time to implement this, the resultant amount of time we have to invest in combatting SPAM is minimal. FWIW, Michael. On Tue, Feb 17, 2009 at 11:11 AM, Joe Heaton jhea...@etp.ca.gov wrote: I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains... Joe Heaton Employment Training Panel From: Kim Longenbaugh [mailto:k...@colonialsavings.com] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.plmailto:*...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
We use Sunbelt's Ninja, product sold by the list host. Besides having great success with Spam, it filters for viruses, encrypted docs, attachment filtering, disclaimers, handles spoofing emails, gives policy controls for filtering levels and give the end users to manage their own lists (Or not, your choice). You could manually block the IP ranges for these countries, but that would be quite tedious to maintain I would imagine over the long term. Greg From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 1:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
Ninja is an excellent email security product requiring minimal administrative effort ( 1 hour/month) and users can easily manage their own quarantines. I've also used it for many years with great success. Another option is to out-source your spam management solution. Google's Postini Message Filtering service is cheap, effective, and easy to manage. Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388 _ From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Tuesday, February 17, 2009 2:37 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue We use Sunbelt's Ninja, product sold by the list host. Besides having great success with Spam, it filters for viruses, encrypted docs, attachment filtering, disclaimers, handles spoofing emails, gives policy controls for filtering levels and give the end users to manage their own lists (Or not, your choice). You could manually block the IP ranges for these countries, but that would be quite tedious to maintain I would imagine over the long term. Greg From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 1:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
+1 - gateway From: Steve Moffat [mailto:st...@optimum.bm] On Behalf Of Exchange (Sunbelt) Sent: Tuesday, February 17, 2009 12:22 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
The spoofing alone should fix this particular issue. We definitely do not allow it either. From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Tuesday, February 17, 2009 11:37 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue We use Sunbelt's Ninja, product sold by the list host. Besides having great success with Spam, it filters for viruses, encrypted docs, attachment filtering, disclaimers, handles spoofing emails, gives policy controls for filtering levels and give the end users to manage their own lists (Or not, your choice). You could manually block the IP ranges for these countries, but that would be quite tedious to maintain I would imagine over the long term. Greg From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 1:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
I love my 'cuda Thanks, Jake Gardner TTC Network Administrator Ext. 246 From: Steve Moffat [mailto:st...@optimum.bm] On Behalf Of Exchange (Sunbelt) Sent: Tuesday, February 17, 2009 3:22 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ***Teletronics Technology Corporation*** This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you. *** ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
There are DNSBLs that map source IP to country code (ie http://countries.nerd.dk/). I used to use tqmcube.com a couple of years ago, but they have changed their offerings (and domain name). They weren't really a block list, but a cross-reference list. tqmcube, like nerd.dk I mentioned above, used to use return codes specific to ISO country code. So, you get an email from source IP which is checked against an IP-to-country code list. The country code is assigned a return code 127.0.0.xx (10-254) and your server can act based on the return code. I may start working on hosting something like that in April. From: Joe Heaton jhea...@etp.ca.gov Sent: Tuesday, February 17, 2009 12:29 PM To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Subject: RE: Incoming spoofed e-mail issue I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains. Joe Heaton Employment Training Panel From: Kim Longenbaugh [mailto:k...@colonialsavings.com] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
AMEN Brother!!! Unfortunately, I work for the state of California, and still don't know if I'm going to have a job in a couple months... Joe Heaton Employment Training Panel From: Steve Moffat [mailto:st...@optimum.bm] On Behalf Of Exchange (Sunbelt) Sent: Tuesday, February 17, 2009 12:22 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
I would propose installing something like Ninja in 30-day trial mode. Perhaps when you the benefits are seen the funds may appear to keep it going. Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388 _ From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 5:29 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue AMEN Brother!!! Unfortunately, I work for the state of California, and still don't know if I'm going to have a job in a couple months... Joe Heaton Employment Training Panel From: Steve Moffat [mailto:st...@optimum.bm] On Behalf Of Exchange (Sunbelt) Sent: Tuesday, February 17, 2009 12:22 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
I may do that. The price wasn't really that bad for the number of seats we have. Right now, I'm working through the manual for my Watchguard, trying to set up the SMTP proxy... Joe Heaton Employment Training Panel From: Roger Wright [mailto:rwri...@evatone.com] Sent: Tuesday, February 17, 2009 2:36 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue I would propose installing something like Ninja in 30-day trial mode. Perhaps when you the benefits are seen the funds may appear to keep it going. Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388 _ From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 5:29 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue AMEN Brother!!! Unfortunately, I work for the state of California, and still don't know if I'm going to have a job in a couple months... Joe Heaton Employment Training Panel From: Steve Moffat [mailto:st...@optimum.bm] On Behalf Of Exchange (Sunbelt) Sent: Tuesday, February 17, 2009 12:22 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
You will have a job --- but will you get paid for it J David A fellow Californian From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:29 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue AMEN Brother!!! Unfortunately, I work for the state of California, and still don't know if I'm going to have a job in a couple months... Joe Heaton Employment Training Panel From: Steve Moffat [mailto:st...@optimum.bm] On Behalf Of Exchange (Sunbelt) Sent: Tuesday, February 17, 2009 12:22 PM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue Probably time to invest in a proper anti-spam solution. S From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 2:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Names in the News company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
RE: Incoming spoofed e-mail issue
I will work on an Out of Office DNSBL list as well. From: will...@lefkovics.net will...@lefkovics.net Sent: Tuesday, February 17, 2009 2:37 PM To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Subject: RE: Incoming spoofed e-mail issue There are DNSBLs that map source IP to country code (ie http://countries.nerd.dk/). I used to use tqmcube.com a couple of years ago, but they have changed their offerings (and domain name). They weren't really a block list, but a cross-reference list. tqmcube, like nerd.dk I mentioned above, used to use return codes specific to ISO country code. So, you get an email from source IP which is checked against an IP-to-country code list. The country code is assigned a return code 127.0.0.xx (10-254) and your server can act based on the return code. I may start working on hosting something like that in April. From: Joe Heaton jhea...@etp.ca.gov Sent: Tuesday, February 17, 2009 12:29 PM To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Subject: RE: Incoming spoofed e-mail issue I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains. Joe Heaton Employment Training Panel From: Kim Longenbaugh [mailto:k...@colonialsavings.com] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages claiming to be from the following:, but these messages are actually claiming to be from the user, not what is actually in the header. Is there a different way of filtering these ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja~
