RE: stopping spam from inside server?
What Exchange version are you running?

From: Boggis, Josh [mailto:josh.bog...@uconn.edu]
Sent: Friday, January 22, 2010 7:16 AM
To: MS-Exchange Admin Issues
Subject: stopping spam from inside server?

Anyone have any suggestions on anything for stopping what I call internal spam. Users who reply to phishing emails, whose account is then used to send out massive amounts of spam to the world. Because of this massive blast of spam, our mail server gets placed on many block lists, and then I have to spend the day getting us off block lists because of one user who thinks it's a good idea to give out login id, password, home address, favorite ice cream flavor and blood type just because an email asked them to.

Any ideas on solutions? User education has proven fruitless, we still get people who reply.
RE: stopping spam from inside server?
Deploy some kind of Email hygiene solution to cut out the Spam?

John
Re: stopping spam from inside server?
Get a good spam filtering program for your Exchange server; Sunbelt's product comes to mind. Get a good anti-virus/anti-malware program that scans your servers and workstations and prevents them from becoming infected. Again, Sunbelt's product comes to mind. Do something a little more proactive than just relying on user education. (Yes, sarcasm tags are heavily on for this response.)

--
Sherry Abercrombie

Any sufficiently advanced technology is indistinguishable from magic.
Arthur C. Clarke
Re: stopping spam from inside server?
Have you verified you're not configured as an open relay? Is your firewall only allowing SMTP traffic to/from your Exchange box?

Die dulci fruere!

Roger Wright
___
Marie von Ebner-Eschenbach http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html - Even a stopped clock is right twice a day.
RE: stopping spam from inside server?
Our web gateway filtering appliances have helped a lot with this, using Trusted Source - our network admin does all the work on these. Doesn't stop everything, but if they are known bad sites, they get blocked when the user clicks on the link(s).

-Bonnie
RE: stopping spam from inside server?
+1. No port 25 traffic should be allowed out except from the known mail servers. Then all you have to secure is those servers.

Carl

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Friday, January 22, 2010 9:35 AM
To: MS-Exchange Admin Issues
Subject: Re: stopping spam from inside server?

Have you verified you're not configured as an open relay? Is your firewall only allowing SMTP traffic to/from your Exchange box?
RE: stopping spam from inside server?
To be clear, this is the same as normal traffic. This is not being done on an open relay, a user has given out their ID/Password to a phishing scheme, and they are logging in remotely over OWA to send out large amounts of spam. It's the same as a professor sending out 5000 mails to an academic group they run. This is where things get tough for me. I am looking for something to distinguish a user who has been compromised and is sending out spam vs a user sending out valid large amounts of email.

Oh and I forgot to put in, we are running Exchange 2007. Do have Forefront installed to handle antivirus, and have a few Barracuda boxes for spam filtering incoming.

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Friday, January 22, 2010 10:26 AM
To: MS-Exchange Admin Issues
Subject: RE: stopping spam from inside server?

+1. No port 25 traffic should be allowed out except from the known mail servers. Then all you have to secure is those servers.

Carl
RE: stopping spam from inside server?
After hours unusual activity??

John W. Cook
Systems Administrator
Partnership For Strong Families
MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4

From: Boggis, Josh [mailto:josh.bog...@uconn.edu]
Sent: Friday, January 22, 2010 11:23 AM
To: MS-Exchange Admin Issues
Subject: RE: stopping spam from inside server?

To be clear, this is the same as normal traffic. This is not being done on an open relay, a user has given out their ID/Password to a phishing scheme, and they are logging in remotely over OWA to send out large amounts of spam. It's the same as a professor sending out 5000 mails to an academic group they run. This is where things get tough for me. I am looking for something to distinguish a user who has been compromised and is sending out spam vs a user sending out valid large amounts of email.

Oh and I forgot to put in, we are running Exchange 2007. Do have Forefront installed to handle antivirus, and have a few Barracuda boxes for spam filtering incoming.
RE: stopping spam from inside server?
Change the professor's password.
RE: stopping spam from inside server?
You need to spam filter in both directions, then...

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
RE: stopping spam from inside server?
Do you know what your message tracking logs on the mailbox server look like when this is happening? I'd bet the profs are sending out relatively few messages with lots of recipients, and the spammers are sending out lots of messages to one or a few recipients. One will generate a lot of submits, and the other relatively few.

If that's the case, you may be able to script a periodic check of the mailbox server message tracking logs, and disable any account that's had too many submits in a given time.
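The periodic check suggested in the message above, as an added example that is not part of the thread: it counts SUBMIT events per sender in a sliding window over a tracking-log extract, so a list owner with two 2500-recipient messages is not confused with an account submitting a message every few seconds. The five column names, the 15-minute / 30-submit threshold and the example.edu addresses are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed columns of the exported tracking-log extract (hypothetical layout).
FIELDS = "date-time,event-id,sender-address,recipient-count,message-id"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log():
    """Constructed extract (not real data): one list owner, one ordinary
    user and one account submitting a message every 3 seconds."""
    t0 = datetime(2010, 1, 22, 8, 0, 0)
    lines = [FIELDS]

    def add(offset_s, event, sender, rcpts, tag):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        lines.append(f"{ts},{event},{sender},{rcpts},<{tag}@example.edu>")

    add(60, "SUBMIT", "prof@example.edu", 2500, "p1")
    add(120, "SUBMIT", "prof@example.edu", 2500, "p2")
    for i in range(5):
        add(600 * i, "SUBMIT", "staff@example.edu", 2, f"s{i}")
    for i in range(200):
        add(300 + 3 * i, "SUBMIT", "phished@example.edu", 1, f"x{i}")
    add(90, "RECEIVE", "outside@example.org", 1, "r1")  # inbound, ignored
    return "\n".join(lines)


def parse_submits(text):
    """Return sorted (timestamp, sender, recipient_count) for SUBMIT events."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["event-id"].strip().upper() != "SUBMIT":
            continue
        events.append((
            datetime.strptime(rec["date-time"], TS_FORMAT),
            rec["sender-address"].strip().lower(),
            int(rec["recipient-count"] or 0),  # tolerate an empty count
        ))
    return sorted(events)


def sender_stats(events, window):
    """Per sender: peak SUBMIT count inside any `window`, and total recipients."""
    recent = defaultdict(deque)
    stats = defaultdict(lambda: {"peak_submits": 0, "recipients": 0})
    for ts, sender, rcpts in events:
        q = recent[sender]
        q.append(ts)
        while ts - q[0] >= window:  # drop submits that fell out of the window
            q.popleft()
        s = stats[sender]
        s["peak_submits"] = max(s["peak_submits"], len(q))
        s["recipients"] += rcpts
    return dict(stats)


def flag_senders(text, window=timedelta(minutes=15), max_submits=30):
    """Senders whose submit rate exceeded the threshold, for manual review."""
    stats = sender_stats(parse_submits(text), window)
    return sorted(s for s, v in stats.items() if v["peak_submits"] > max_submits)


if __name__ == "__main__":
    log = build_sample_log()
    stats = sender_stats(parse_submits(log), timedelta(minutes=15))
    for sender, v in sorted(stats.items()):
        print(f"{sender:22} peak_submits={v['peak_submits']:4} "
              f"recipients={v['recipients']}")
    print("review:", flag_senders(log))
```

The script only reports senders for review; resetting or disabling a flagged account is left to the operator.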
RE: stopping spam from inside server?
Josh. I feel your pain. We had the same problem last summer. Two faculty members replied to the phishing email, gave out their userid and password. I reset their password which stopped the spam. I went into their account and printed the sent email where they had replied to the spammer and gave it to their supervisor. It took a while to find as there were thousands of spam email in their sent items folder. I would not give them the new password until they repeated their required security awareness training.

One other thing to check. In one case, the spammer set up a rule to append the spam junk to any future emails this person sent. In the other case, the spammer created an out of office reply which included their spam crap.

So far it hasn't happened again. I think word got out that replying with userid and password was bad.