| Author | Messages |
| CrawfordS (Posts: 128) | 10/24/2008 9:19 PM |
Sorry about the OT, but usual caveats about the superior intellect of this list apply…
We’ve been hit repeatedly by phishers scamming our users into giving them their credentials to our network. The phishers then use those credentials to send spam as our users from our servers. The end result is we’re (rightfully) added to blacklists and end up with a lot of bouncing emails.
I realize this is a layer 8 problem, but I’m hoping there’s a fairly simple way to create a rule such as “Restrict users to sending only X number of emails per minute” and hopefully an alert if that limit is hit. This would at least let us know if we’ve got someone who’s fallen victim so we can disable their account before too much spam is sent.
Thanks
Scotte
| | | |
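The per-user rule the post asks for (X messages per minute, with an alert when it trips) can be approximated outside the mail server by scanning an outbound message log. This is an added example, not code from the thread or from Exchange; it assumes a constructed, simplified log format (timestamp, authenticated sender, recipient count) rather than the real Exchange 2003 message-tracking layout, and it counts recipients as well as messages so a single message to hundreds of addresses also trips the limit.

```python
"""Per-sender outbound burst detector over a message log export.

Added example, not code from the thread or from Exchange. The log format is
a constructed, simplified one (timestamp, authenticated sender, recipient
count); it is NOT the real Exchange 2003 message-tracking layout, so map the
real columns before running this over a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: two normal senders and one compromised account that
# suddenly sends a burst of many-recipient messages (the usual spam pattern).
SAMPLE_LOG = """\
2008-10-24 21:00:01\tjdoe@example.edu\t1
2008-10-24 21:00:15\tasmith@example.edu\t2
2008-10-24 21:00:30\tjdoe@example.edu\t1
2008-10-24 21:01:02\tvictim@example.edu\t50
2008-10-24 21:01:05\tvictim@example.edu\t50
2008-10-24 21:01:09\tvictim@example.edu\t50
2008-10-24 21:01:12\tvictim@example.edu\t50
2008-10-24 21:01:20\tvictim@example.edu\t50
2008-10-24 21:01:31\tvictim@example.edu\t50
2008-10-24 21:03:00\tasmith@example.edu\t1
"""

def parse_log(text):
    """Yield (timestamp, sender, recipient_count) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpts = line.split("\t")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender.lower(), int(rcpts)

def find_bursts(events, max_msgs, max_rcpts, window=timedelta(minutes=1)):
    """Sliding-window check per sender over time-ordered events.

    Returns {sender: (first_trip_time, msgs_in_window, rcpts_in_window)} for
    each sender that exceeds either limit inside any `window`. Recipients are
    counted as well as messages because one message to hundreds of recipients
    would sail past a messages-only limit.
    """
    windows = defaultdict(deque)  # sender -> deque of (timestamp, recipients)
    alerts = {}
    for ts, sender, rcpts in events:
        q = windows[sender]
        q.append((ts, rcpts))
        while q and ts - q[0][0] >= window:  # expire events older than the window
            q.popleft()
        msgs, total_rcpts = len(q), sum(r for _, r in q)
        if sender not in alerts and (msgs > max_msgs or total_rcpts > max_rcpts):
            alerts[sender] = (ts, msgs, total_rcpts)  # report the first trip only
    return alerts

def alert_lines(alerts):
    """One human-readable line per tripped sender, ready for an e-mail/syslog alert."""
    return [
        f"{ts:%Y-%m-%d %H:%M:%S} {sender} sent {m} msgs / {r} recipients within "
        f"one minute; review and disable the account if compromised"
        for sender, (ts, m, r) in sorted(alerts.items())
    ]

if __name__ == "__main__":
    for line in alert_lines(find_bursts(parse_log(SAMPLE_LOG), max_msgs=5, max_rcpts=100)):
        print(line)
```

With the sample data and limits of 5 messages / 100 recipients per minute, only the compromised account trips, on its third message, while the two normal senders stay under both thresholds.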
| hboogz (Posts: 71) | 10/24/2008 10:02 PM |
Spammers don't necessarily need credentials from your users to send mail posing as users that belong within your organization. And, realistically, if they are actually getting access to their credentials it's safe to say you have a bigger security problem than just persistent SPAM or phishing e-mails.
I personally don't know if there is a limit or a way within SMTP to control how many messages are sent through based on IP, user, or mailbox.
But, may I ask what you are using for SPAM protection?
On Fri, Oct 24, 2008 at 9:14 PM, Crawford, Scott <CrawfordS@evangel.edu> wrote:
| | | |
| CrawfordS (Posts: 128) | 10/25/2008 12:04 AM |
Yeah, I agree it’s a big problem, but the biggest pain point right now is spamming and blacklisting.
We’re using Sunbelt’s Ninja.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harry Singh Sent: Friday, October 24, 2008 9:00 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [OT] Exchange outgoing throttling/monitoring
| | | |
| nicolasblank (Posts: 20) | 10/25/2008 4:36 AM |
1) Suggest you don’t allow authenticated SMTP from the gateway; this is easily achieved with Ex2007 or a raft of other edge services, including ISA on the mail edge.
2) The standard MS SMTP stack doesn’t allow you to achieve a number-of-messages-per-hour limit, but a number of open source ones do, and nearly all of these can be deployed on a wintel box.
HOWEVER, if you’re having authenticated SMTP spam using internal credentials sent from outside your org, as Harry said, you have bigger problems to worry about.
Have you thought of having several vendors/platforms representing your mail flow? i.e. a non-MS SMTP stack outward facing, with the MS stack inward facing, as an example?
What version of Exchange are you using and how is your mail set up?
| | | |
| bdesmond (Posts: 977) | 10/25/2008 5:15 AM |
If the creds are blown then having 100 vendors draining his bank account won’t help any more than just 1.
Exchange isn’t going to do something like this but some SMTP appliance might. The OP is a higher ed customer; that tells me that it’s highly likely that he is exposing his SMTP to the Internet for authenticated connections because he has to support every mail client under the sun, all but one or two of which require SMTP to send mail.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Nicolas Blank Sent: Saturday, October 25, 2008 3:33 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] Exchange outgoing throttling/monitoring
| | | |
| nicolasblank (Posts: 20) | 10/25/2008 7:05 AM |
Ah! Fair enough. Having seen the domain name, a quick telnet confirms that as well…
Authenticated SMTP on the outside, educational institution, paint – bucket…
Something I’d like to suggest is quantifying what authenticated SMTP is being used for, since it represents such a large hole. So if we’re talking mobile users, what kind, what device, etc.? Don’t know about your side of the world, but most wireless vendors and ISPs provide a client-only SMTP stack to relay against for client usage, which means users can send mail from their ISP as the correct domain, without needing to expose yourself for mail relay purposes… don’t know if that will fit in with this scenario?
An anti-spam solution isn’t going to help here, since being a spam relay is going to cause worse problems than extra incoming spam!
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: 25 October 2008 13:12 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] Exchange outgoing throttling/monitoring
| | | |
| bdesmond (Posts: 977) | 10/25/2008 7:44 AM |
Yeah, typically in higher ed you see a huge chunk of the mail clients using plain old IMAP/POP and SMTP. If you’re doing student email on the same system you can expect anyone not using the webmail interface there to be on IMAP/POP & SMTP. The OP would have to comment on the distribution he has.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
| CrawfordS (Posts: 128) | 10/26/2008 4:53 AM |
Can you elaborate on number 1? I do have ISA on the edge, but I see in another post you’re stating that auth SMTP is available. Is there some option of ISA I’m missing that would mitigate some of this?
For number 2, are you suggesting an extra SMTP box that all mail would flow through to do this counting of messages? Any specific products you have in mind?
I haven’t considered using multiple versions, but I’m open to suggestions.
Exchange 2003 SP2 inside of ISA. 2 servers: 1 for faculty/staff and one for students. I’m assuming you’re asking more than that, but I’m not sure what else you want to know.
Thanks for your help.
| | | |