
Identify outbound spam

I am opening a thread to the community as official support is very slow to reply.

I need a good strategy to face this issue.

We have a client with a lot of users who send messages through an authenticated SMTP server. This server relays messages to a SEA, and it is listed as a mail delivery server and as an Internal Mail Host.

It happens that the internal SMTP server sends a huge quantity of messages to the SEA because a password has been cracked, a client has a virus, or for any other reason.

I have tried to configure an outbound anti-spam filter policy but without success. This morning the issue happened again, and I was obliged to block the sender, but the IP has already been blacklisted.

Can you suggest how to solve this situation? Any way to detect a malicious outgoing mail trend?

Thank you for sharing your comments. Kind regards,

 

Enrico



  • There are a few things to consider:

    #1

    The first is that your Exchange is set up as an internal relay, so the appliance will not reject mail coming from Exchange. That being said, there is no reason for any user to relay 5-10 or 50 emails per second. The first thing I would do is message-rate throttle AD accounts; no human will try to send more than 1-2 messages per minute. https://technet.microsoft.com/en-us/library/bb232205(v=exchg.160).aspx Set it to 5-10 messages per minute max; that way, if your workstation gets infected and tries to mass mail out, Exchange will drop it.

     

    #2

    Make sure that SMTP authentication is disabled; enabling it would allow anyone with an AD account to relay mail directly to the appliance. They should be sending mail through Exchange and then to the appliance.

    If that's checked off, remove it.

     

    #3

    Create some additional data control rules for your particular environment with various actions, such as rejecting the message or notifying some other email account.

    AV can not be disabled on the appliance, an email sent in any direction will be immediately quarantined.

     

    #4

    Outbound spam checking can only apply content rules to mail, i.e. do the words "Nigerian" and "prince" appear in this paragraph, or does that paragraph look like this, or contain that, or match this. Regardless of the email solution, the most effective way of determining if a message is legitimate or spam is via the IP reputation block list data.

    For example: is IP 1.2.3.4 blacklisted? Yes / no.

    In your case no internal IP would ever be blacklisted, so this feature is not available on outbound mail.

    Labs uses some very advanced pattern matching; the second they update, the rules are updated, so it's still good to have outbound rules.

     

    #5 Make sure your Exchange servers (or other infrastructure) that do NOT expressly accept and deliver mail with an MTA are listed as a trusted relay.

    Examples: an upstream email appliance IS a trusted relay; a firewall that port forwards 25 is NOT. External IPs should also not be listed. Anything that is listed is omitted from spam checking.
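The rate-throttling idea in the reply above (no human sends more than a handful of messages per minute) can also be turned into a detection over the mail server's own logs, which addresses the original question about spotting an outgoing trend before the IP gets blacklisted. The following Python script is an added example, not code from this thread, from Sophos, or from Microsoft; the log line format, the sender addresses and the thresholds are constructed assumptions, and a real message-tracking log would need its own parser.

```python
"""Flag authenticated senders whose outbound rate exceeds a human-plausible limit.

Added example with constructed data.  Each log line is assumed to look like
"<ISO timestamp> <sender address> <recipient count>"; real mail servers use a
different format, so parse_line() is the part to adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: three senders, one of which ("mallory") bursts 12
# messages in about 20 seconds, the pattern a compromised account produces.
SAMPLE_LOG = """\
2016-05-10T09:00:01 alice@example.test 1
2016-05-10T09:00:40 bob@example.test 2
2016-05-10T09:01:05 alice@example.test 1
2016-05-10T09:01:10 bob@example.test 2
2016-05-10T09:02:00 mallory@example.test 1
2016-05-10T09:02:02 mallory@example.test 1
2016-05-10T09:02:04 mallory@example.test 1
2016-05-10T09:02:06 mallory@example.test 1
2016-05-10T09:02:08 mallory@example.test 1
2016-05-10T09:02:10 mallory@example.test 1
2016-05-10T09:02:12 mallory@example.test 1
2016-05-10T09:02:14 mallory@example.test 1
2016-05-10T09:02:16 mallory@example.test 1
2016-05-10T09:02:18 mallory@example.test 1
2016-05-10T09:02:20 mallory@example.test 1
2016-05-10T09:02:22 mallory@example.test 1
2016-05-10T09:03:30 alice@example.test 1
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, sender, recipient_count)."""
    ts, sender, rcpts = line.split()
    return datetime.fromisoformat(ts), sender.lower(), int(rcpts)


def find_bursty_senders(log_text, window_seconds=60, max_messages=10, max_recipients=30):
    """Return {sender: {"messages": peak, "recipients": peak}} for senders that
    exceed either per-window threshold.  Thresholds are assumed values in the
    spirit of the reply's "5-10 messages per minute"; tune them to the site."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())

    recent = defaultdict(deque)   # sender -> (timestamp, recipients) still inside the window
    rcpt_sum = defaultdict(int)   # sender -> recipients addressed inside the window
    peak = defaultdict(lambda: {"messages": 0, "recipients": 0})

    for ts, sender, rcpts in events:
        q = recent[sender]
        q.append((ts, rcpts))
        rcpt_sum[sender] += rcpts
        # Slide the window: drop events older than window_seconds.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            rcpt_sum[sender] -= old
        p = peak[sender]
        p["messages"] = max(p["messages"], len(q))
        p["recipients"] = max(p["recipients"], rcpt_sum[sender])

    return {
        s: p for s, p in peak.items()
        if p["messages"] > max_messages or p["recipients"] > max_recipients
    }


if __name__ == "__main__":
    for sender, stats in find_bursty_senders(SAMPLE_LOG).items():
        print(f"{sender}: {stats['messages']} msgs / {stats['recipients']} rcpts in 60s")
```

Run it periodically against the relay's log and feed the flagged senders into whatever action fits (alert, disable the account, or reject at the appliance); the point is that the anomaly is visible at the Exchange or relay layer, where the sender identity is known, well before an external reputation list reacts.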

     

  • Follow what was suggested. Option 1 is the best option if your mail delivery chain is:

    internal clients > exchange > sea > external

    Make sure to allow only Exchange on the SEA and vice versa. It is really important to use the "least privilege" principle. Also, it is really important to protect all computers with an AV.

    For example, you can restrict that only domain computers with an updated AV and Windows Update ON can send email using a NAC product. If the network is really large, NAC is needed, otherwise you will always play the cat and mouse game.

    Regards
