RE: internal spam

2012-02-27 Thread Alan Davies
All very valid points.  I'd add to the mix that the OP's endpoint
protection strategy probably wants some looking at.  If you regularly
fall victim to phishing attacks that successfully infect hosts, then
spam is one very small part of your worries - DLP and other such issues
may be even higher on the agenda.

Many avenues to explore depending on budget and impact considerations,
but examining in and outbound web traffic would be a good start (cloud
services do *real* well here for once!).  In fact, I'd recommend it for
your SMTP too, but you obviously already have an anti-spam solution, so
may not be possible to replace it.  Host protection wise, no local admin
is top of the pile (and it *can* be done in any size organisation).
Whitelisting is a huge win, but can be a challenge depending on how
hands on your IT is.  HIDS would have prevented the high-rate spam from
the host.  AV should have worked better!

a

From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: 25 February 2012 14:11
To: MS-Exchange Admin Issues
Subject: RE: internal spam

Just an FYI.

If you allow OWA to the interweb, these scammers have scripts that can
spam via compromised accounts also.

We've never allowed POP or IMAP outside but we had 2 accounts
compromised and they each sent several thousand emails over a weekend.

IIS logs ballooned during the time.

Oh and to help with this, we forced said users to re-take our online
security awareness training.

Funny how word of mouth works better than our training as we've not had
an incident in the past 2 years.

I didn't really say that did I?  ;)

From: Sharp, Kevin [mailto:kevin.sh...@usask.ca]
Sent: Friday, February 24, 2012 6:38 PM
To: MS-Exchange Admin Issues
Subject: RE: internal spam

The accounts have been compromised...usually via a phishing attempt.  So
the entire process of the internal attack is with a valid authenticated
acct.   We have our SMTP services set to be authenticated...the problem
is looking for a process that we can use to identify potential accounts
that are sending volumes of email and hopefully stop it before the pile
of email gets too large. Usually the attack sends thousands of email to
valid and nonvalid email addresses...which of course we don't notice
until the pile of invalid email starts to pile up.

I know..it is comical ☺.  User education has helped, but like any good
phishing attack, it only takes one bite to cause this problem.

Thanks

Kevin

From: Mike Tavares [mailto:miketava...@comcast.net]
Sent: Friday, February 24, 2012 4:26 PM
To: MS-Exchange Admin Issues
Subject: Re: internal spam

1 question just to clear up some confusion on my part.

Are the actual accounts in question compromised?  (as in someone has
direct access to the mailboxes on your server?)  or just compromised in
the sense that some spammer/hacker on the outside is spoofing an email
address from your company that is a legit address?

From: Sharp, Kevin [mailto:kevin.sh...@usask.ca]
Sent: Friday, February 24, 2012 12:19 PM
To: MS-Exchange Admin Issues [mailto:exchangelist@lyris.sunbelt-software.com]
Subject: internal spam

I'm wondering how people are dealing with compromised accounts in
Exchange sending large volumes of email...essentially an internal spam
attack.

Occasionally a phishing attempt will make it past our spam software, and
of course the odd unsuspecting user ends up with a compromised account
which makes a connection to the mail system via either a compromised PC
or external connection.

We notice this when the email starts piling up, and action can be taken
then..but I'm wondering if there is some software or method that might
have some more smarts.

We've had numerous incidents but so far...not an easy way to
distinguish a potential spam attack until after it happens, and the
email starts piling up in the retry queue.

I've looked at throttling policies and some of the transport filtering,
not sure if that will help us much.   What are others doing?

Thanks

Kevin Sharp


---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist


RE: internal spam

2012-02-27 Thread Randal, Phil
You need to restrict which boxes are allowed to talk SMTP to your SMTP relays.  
Should only be your exchange servers and a few other boxes, as needed.

It’s worth packet-sniffing the SNMP traffic to these boxes (which will identify 
the spambots if they’re talking SMTP).

You need to find at least one infected box and see exactly what it is doing.

Cheers,

Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk


“Any opinion expressed in this e-mail or any attached files are those of the 
individual and not necessarily those of Hoople Ltd. You should be aware that 
Hoople Ltd. monitors its email service. This e-mail and any attached files are 
confidential and intended solely for the use of the addressee. This 
communication may contain material protected by law from being passed on. If 
you are not the intended recipient and have received this e-mail in error, you 
are advised that any use, dissemination, forwarding, printing or copying of 
this e-mail is strictly prohibited. If you have received this e-mail in error 
please contact the sender immediately and destroy all copies of it.



RE: internal spam

2012-02-27 Thread Randal, Phil
SMTP, not SNMP..  It’s one of those days…

Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk


RE: internal spam

2012-02-25 Thread Glen Johnson
Just an FYI.

If you allow OWA to the interweb, these scammers have scripts that can spam 
via compromised accounts also.

We’ve never allowed POP or IMAP outside but we had 2 accounts compromised and 
they each sent several thousand emails over a weekend.

IIS logs ballooned during the time.

Oh and to help with this, we forced said users to re-take our online security 
awareness training.

Funny how word of mouth works better than our training as we’ve not had an 
incident in the past 2 years.

I didn’t really say that did I?  ;)

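What Glen describes, IIS logs ballooning while two OWA accounts were driven by a script, can be pulled straight out of those logs. The script below is an added example written for this page, not something posted in the thread: it parses the W3C-format IIS logs on an Exchange Client Access server and reports OWA accounts that were used from more client addresses, or produced more requests, than a person at a keyboard would. The log directory and thresholds are assumptions, the embedded log lines are constructed test data (the query strings are only illustrative), and it assumes the cs-username column is populated for authenticated OWA requests; check one real line from your own CAS before trusting that.

```powershell
# Added example, not from Glen's post: scan Exchange CAS IIS logs (W3C format)
# for OWA accounts used from many client addresses or generating far more
# requests than a human session. LogDir and thresholds are assumptions; the
# sample lines are constructed test data, not a real capture.
param(
    [string]$LogDir      = 'C:\inetpub\logs\LogFiles\W3SVC1',   # assumed default web site
    [int]$MaxDistinctIps = 3,
    [int]$MaxRequests    = 2000,
    [switch]$UseSample
)

$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-02-25 02:10:01 10.0.0.5 POST /owa/ev.owa oeh=1&ns=NewMessage&ev=Send 443 EXAMPLE\jdoe 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
2012-02-25 02:10:02 10.0.0.5 POST /owa/ev.owa oeh=1&ns=NewMessage&ev=Send 443 EXAMPLE\jdoe 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 28
2012-02-25 02:10:03 10.0.0.5 POST /owa/ev.owa oeh=1&ns=NewMessage&ev=Send 443 EXAMPLE\jdoe 198.51.100.22 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 30
2012-02-25 02:10:04 10.0.0.5 POST /owa/ev.owa oeh=1&ns=NewMessage&ev=Send 443 EXAMPLE\jdoe 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 29
2012-02-25 02:10:05 10.0.0.5 POST /owa/ev.owa oeh=1&ns=NewMessage&ev=Send 443 EXAMPLE\jdoe 192.0.2.44 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 33
2012-02-25 09:15:10 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.12.9 Mozilla/5.0+(Windows+NT+6.1) 302 0 0 5
2012-02-25 09:15:11 10.0.0.5 GET /owa/ - 443 EXAMPLE\asmith 10.0.12.9 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2012-02-25 09:15:12 10.0.0.5 GET /owa/ev.owa oeh=1&ns=Inbox&ev=Refresh 443 EXAMPLE\asmith 10.0.12.9 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 12
'@

# Turn W3C log lines into objects, taking the column names from the #Fields: directive.
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if (-not $fields -or $line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }     # torn or truncated line, skip it
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

if ($UseSample) {
    $lines = $sample -split "`r?`n"
} else {
    $lines = Get-ChildItem -Path $LogDir -Filter 'u_ex*.log' | Get-Content
}

# Authenticated OWA requests only: the logon POST to auth.owa carries '-' as the user.
$owa = ConvertFrom-IisW3cLog -Lines $lines |
    Where-Object { $_.'cs-uri-stem' -like '/owa*' -and $_.'cs-username' -ne '-' }

$owa | Group-Object 'cs-username' | ForEach-Object {
    $ips = $_.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique
    New-Object PSObject -Property @{
        User       = $_.Name
        Requests   = $_.Count
        Posts      = @($_.Group | Where-Object { $_.'cs-method' -eq 'POST' }).Count
        DistinctIp = @($ips).Count
        Ips        = ($ips -join ',')
    }
} |
    Where-Object { $_.DistinctIp -gt $MaxDistinctIps -or $_.Requests -gt $MaxRequests } |
    Select-Object User, Requests, Posts, DistinctIp, Ips |
    Sort-Object Requests -Descending |
    Format-Table -AutoSize
```

Run with -UseSample to see it flag EXAMPLE\jdoe (four client addresses in five seconds, all POSTs); against real logs, point -LogDir at the OWA site's log folder and run it over the day's u_ex files. The distinct-address rule is the more robust of the two, because the request count of a spamming script depends on how chatty the OWA version is, while a password used from several networks at once rarely has an innocent explanation.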


RE: internal spam

2012-02-24 Thread Randal, Phil
The devil's in the detail?

How are the infected boxes sending the emails?  Via SMTP?  If so, firewall it 
and configure Exchange SMTP connectors so that only authorised hosts can 
connect to your email hubs, SMTP relays, and SMTP servers in the outside world..

Cheers,

Phil
--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk

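Phil's advice in Exchange 2010 terms, as an added example written for this page rather than his own configuration: an audit of which receive connectors accept mail from unauthenticated hosts and whether any of them relay, the lock-down of an application relay connector to named hosts, and the per-user rate limits that are the only thing left to lean on when, as in Kevin's case, the submissions are authenticated and a source-IP rule cannot tell a spambot from a user. Connector names, addresses and limit values are assumptions; the cmdlets and parameters are Exchange 2010's.

```powershell
# Added example, not Phil's configuration. Connector names (HUB01\Relay,
# HUB01\Client HUB01), addresses and limit values are assumptions.

# 1. Connectors that accept anonymous SMTP, with the source ranges they allow.
#    A 0.0.0.0-255.255.255.255 range here is reachable by every infected desktop.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# 2. Of those, which also relay to external recipients? That is the extended
#    right ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON.
Get-ReceiveConnector | ForEach-Object {
    $c = $_
    $c | Get-ADPermission |
        Where-Object { $_.User -like '*ANONYMOUS LOGON' -and
                       $_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient' } |
        ForEach-Object { '{0} lets anonymous hosts relay from {1}' -f $c.Identity, ($c.RemoteIPRanges -join ',') }
}

# 3. Restrict the application relay connector to the hosts that need it
#    (assumed: two application servers) instead of a whole subnet. The port 25
#    rules on the firewall should say the same thing.
Set-ReceiveConnector -Identity 'HUB01\Relay' -RemoteIPRanges '10.0.5.20', '10.0.5.21'

# 4. Authenticated submissions are not stopped by source-IP rules, so cap the
#    rate per authenticated user on the client connector. MessageRateSource
#    User keys the limit on the account rather than the client address;
#    100 messages per minute is an assumed ceiling.
Set-ReceiveConnector -Identity 'HUB01\Client HUB01' -MessageRateLimit 100 -MessageRateSource User

# 5. Outlook and OWA submissions never touch a receive connector; the
#    per-mailbox equivalent is a throttling policy (messages per minute and
#    recipients per 24 hours; values assumed).
New-ThrottlingPolicy -Name 'UserSendLimits' -MessageRateLimit 30 -RecipientRateLimit 500
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -ThrottlingPolicy 'UserSendLimits'
```

Steps 1 and 2 are read-only and are worth running before anything else; the interesting finding is usually a "Relay" connector created years ago for a printer or an application with a RemoteIPRanges of the whole LAN. Steps 4 and 5 turn a compromised account into a slow drip rather than a flood, but they also cap legitimate bulk senders, so measure a normal week first and give those mailboxes their own policy.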

RE: internal spam

2012-02-24 Thread Campbell, Rob
Maybe easier said than done if the clients are using POP.

**
Note: 
The information contained in this message may be privileged and confidential 
and 
protected from disclosure.  If the reader of this message is not the intended  
recipient, or an employee or agent responsible for delivering this message to  
the intended recipient, you are hereby notified that any dissemination,   
distribution or copying of this communication is strictly prohibited. If you  
have received this communication in error, please notify us immediately by  
replying to the message and deleting it from your computer. 
**


RE: internal spam

2012-02-24 Thread Young, Darren
We're implementing outbound scanning. All the Exchange servers will be sending 
through our Barracuda units.

We rate limit as well and use Return Path to monitor our external MTA addresses.

I don't think there's any way to guarantee stopping it, just mitigate as much 
as possible.


RE: internal spam

2012-02-24 Thread Beckers, Shawn (IT Services)
We use a PowerShell script to monitor the tracking logs and are alerted if a 
user sends a specified number of messages within a specified period of time.  
Not a perfect solution.  I know others do something similar, but in addition to 
being alerted, disable the user's ability to send messages.

Nuno Mota just published a series of articles on preventing auto-reply storms 
over at MSExchange.org (link is below).  They include a script and the use of a 
transport rule to do this.  With some tweaking, these could probably also be 
applied to cut off email coming from a compromised account.

http://www.msexchange.org/articles_tutorials/exchange-server-2010/monitoring-operations/preventing-autoreply-storms-part1.html


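Shawn's approach, as an added example written for this page (it is not his script and not Nuno Mota's): count what each sender has pushed into transport in the last few minutes from the Exchange 2010 message tracking logs on every Hub Transport server, alert on anyone over a threshold, and optionally contain the account. The window, the threshold, the exempt list, the alert addresses and the containment method are assumptions; the cmdlets and log properties are real.

```powershell
# Added example, not Shawn's script. Window, threshold, exempt list, alert
# addresses and containment method are assumptions for the example.
param(
    [int]$WindowMinutes  = 30,
    [int]$Threshold      = 300,                             # recipients addressed in the window
    [string[]]$Exempt    = @('listserv@example.edu'),       # known bulk senders (assumed)
    [string]$AlertTo     = 'exchange-admins@example.edu',   # assumed
    [string]$AlertFrom   = 'exchange-monitor@example.edu',  # assumed
    [string]$SmtpServer  = 'hub01.example.edu',             # assumed
    [switch]$Contain                                        # disable the account and purge its queued mail
)

$end   = Get-Date
$start = $end.AddMinutes(-$WindowMinutes)

# Transport logs one RECEIVE event per message as it enters the pipeline,
# whatever the client: Source STOREDRIVER for Outlook/OWA, SMTP for an
# authenticated client submission (Kevin's case). ClientIp on the SMTP ones
# is the compromised PC or the external address, which is what the incident
# responder needs next.
$events = foreach ($hub in Get-TransportServer) {
    Get-MessageTrackingLog -Server $hub.Name -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited |
        Select-Object Timestamp, Sender, RecipientCount, Source, ClientIp, MessageSubject
}

$suspects = $events |
    Where-Object { $_.Sender -and ($Exempt -notcontains $_.Sender) } |
    Group-Object Sender |
    ForEach-Object {
        New-Object PSObject -Property @{
            Sender     = $_.Name
            Messages   = $_.Count
            # one message to N recipients is one event with RecipientCount N, so sum it
            Recipients = ($_.Group | Measure-Object RecipientCount -Sum).Sum
            Sources    = (($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ',')
            ClientIps  = (($_.Group | ForEach-Object { "$($_.ClientIp)" } | Where-Object { $_ } | Sort-Object -Unique) -join ',')
        }
    } |
    Where-Object { $_.Recipients -ge $Threshold } |
    Sort-Object Recipients -Descending

if (-not $suspects) { return }
$suspects = @($suspects)

$report = $suspects | Select-Object Sender, Messages, Recipients, Sources, ClientIps |
    Format-Table -AutoSize | Out-String
Send-MailMessage -To $AlertTo -From $AlertFrom -SmtpServer $SmtpServer `
    -Subject ('Possible compromised accounts: {0} sender(s) over {1} recipients in {2} min' -f $suspects.Count, $Threshold, $WindowMinutes) `
    -Body $report

if ($Contain) {
    Import-Module ActiveDirectory   # assumed available where this runs
    foreach ($s in $suspects) {
        $mbx = Get-Mailbox -Identity $s.Sender -ErrorAction SilentlyContinue
        if (-not $mbx) { continue }   # not one of our mailboxes (e.g. an application relay address)
        # Authenticated SMTP submission checks the AD account, not the mailbox's
        # CAS protocol flags, so disable the account itself. Reset the password
        # before re-enabling it.
        Disable-ADAccount -Identity $mbx.SamAccountName
        # Drop what is already queued so the retry queue stops growing.
        foreach ($hub in Get-TransportServer) {
            Get-Message -Server $hub.Name -Filter "FromAddress -eq '$($s.Sender)'" -ResultSize Unlimited |
                Remove-Message -WithNDR $false -Confirm:$false
        }
    }
}
```

Run it from the Exchange Management Shell as a scheduled task every few minutes. Without -Contain it only alerts; start there, tune $Threshold against a week of normal traffic and fill the exempt list with the legitimate bulk senders, then add -Contain. The ClientIps column answers Phil's question about which box is infected: on an authenticated SMTP submission it is the address the credentials were used from.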

Re: internal spam

2012-02-24 Thread Mike Tavares
1 question just to clear up some confusion on my part.

Are the actual accounts in question compromised?  (as in someone has direct 
access to the mailboxes on your server?)  or just compromised in the sense that 
some spammer/hacker on the outside is spoofing an email address from your 
company that is a legit address?




RE: internal spam

2012-02-24 Thread Sharp, Kevin
The accounts have been compromised…usually via a phishing attempt.  So the 
entire process of the internal attack is with a valid authenticated acct.   We 
have our SMTP services set to be authenticated…the problem is looking for a 
process that we can use to identify potential accounts that are sending volumes 
of email and hopefully stop it before the pile of email gets too large. Usually 
the attack sends thousands of email to valid and nonvalid email addresses…which 
of course we don’t notice until the pile of invalid email starts to pile up.

I know..it is comical ☺.  User education has helped, but like any good phishing 
attack, it only takes one bite to cause this problem.

Thanks


Kevin
