Some recent attacks are using valid users on our system to send spam through Exchange. Could be hacking the user's workstation or grabbing the username and password and then sending through OWA, Outlook or Authenticated SMTP. (And yes I know that ensuring my clients and users don't get hacked is the first priority but in a University environment you don't quite have that kind of control. And yes we are not an open relay.)

We'll be using Edge servers soon.

Is there something I can monitor in the queue or just run a report of outbound messages per user?

Is there a way to enable content filtering of outbound messages for users? We've been investigating on how to enable this but can't get the content filter to scan the internally generated messages. I've tried to set the ContentFilterConfig with InternalMailEnabled to True on the Edge server but since the connector from the Hub server is using "Exchange server" authentication, it bypasses the content filter. I see the test messages when running Get-AgentLog but the content filter is bypassing it. I don't have the exact message right now unfortunately.

I've also installed the antispam agents on the Hub servers and enabled the content filter but that doesn't seem to scan the messages either.
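The "report of outbound messages per user" asked about above can be built from the Exchange 2007 message tracking logs without waiting for Edge or the content filter. The script below is an added example written for this thread, not code from the original post or from Microsoft; it is meant to be run in the Exchange Management Shell on a Hub Transport server. The accepted-domain list (`example.edu`) and the per-hour threshold are assumed placeholders to replace with local values, and the `Test-External` helper is a name introduced here.

```powershell
# Added example, not from the thread: per-sender outbound volume from the Exchange 2007
# message tracking logs, to spot an account that has started sending bulk mail outside.
# Run in the Exchange Management Shell on a Hub Transport server (the tracking log is
# per server, so run it on each Hub or pass -Server to Get-MessageTrackingLog).

$InternalDomains = @('example.edu')   # ASSUMED placeholder: this org's accepted domains
$Threshold       = 100                # ASSUMED placeholder: external recipients per sender-hour
$Start           = (Get-Date).AddHours(-24)
$End             = Get-Date

# Helper introduced for this example: $true when an address is outside our domains.
function Test-External([string]$Address) {
    $domain = $Address.Split('@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

# SEND events are written when the Hub hands a message to the next hop (Edge or the
# Internet); RECEIVE events record how the message entered transport in the first place.
$sent = Get-MessageTrackingLog -EventId SEND -Start $Start -End $End -ResultSize Unlimited

$report = $sent |
    Select-Object Sender,
        @{ n = 'Hour'; e = { $_.Timestamp.ToString('yyyy-MM-dd HH:00') } },
        @{ n = 'ExternalRecipients'; e = { @($_.Recipients | Where-Object { Test-External $_ }).Count } } |
    Where-Object { $_.ExternalRecipients -gt 0 } |
    Group-Object Sender, Hour |
    Select-Object @{ n = 'Sender';   e = { $_.Group[0].Sender } },
        @{ n = 'Hour';     e = { $_.Group[0].Hour } },
        @{ n = 'Messages'; e = { $_.Count } },
        @{ n = 'ExternalRecipients'; e = { ($_.Group | Measure-Object ExternalRecipients -Sum).Sum } } |
    Where-Object { $_.ExternalRecipients -ge $Threshold } |
    Sort-Object ExternalRecipients -Descending

$report | Format-Table -AutoSize

# For each flagged sender, show where the messages entered transport. Source STOREDRIVER
# means a mailbox submission (Outlook/OWA); Source SMTP with a ConnectorId names the
# receive connector (e.g. the authenticated client connector) and the ClientIp that used
# it. A password grabbed and reused from an unfamiliar network shows up here as one
# account submitting from many or unexpected addresses.
foreach ($s in ($report | Select-Object -Unique Sender)) {
    "`n=== Entry points for $($s.Sender) ==="
    Get-MessageTrackingLog -Sender $s.Sender -EventId RECEIVE -Start $Start -End $End -ResultSize Unlimited |
        Group-Object Source, ConnectorId, ClientIp |
        Select-Object Count, Name |
        Sort-Object Count -Descending |
        Format-Table -AutoSize
}
```

The threshold is the part to tune: a mailing-list owner legitimately exceeds a low one, so start by looking at the top of the sorted list rather than at the cut-off. The second loop is what Mark is asking for further down: it tells you whether a flagged account's mail came from a mailbox client or from authenticated SMTP, and from which client IPs, which is the evidence you need before deciding whether the account or the workstation was hijacked.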
On Wed, 19 Mar 2008 23:03:01 -0700, Joe N wrote:
>Some recent attacks are using valid users on our system to send spam through
>Exchange. Could be hacking the user's workstation or grabbing the username
>and password and then sending through OWA, Outlook or Authenticated SMTP.
>(And yes I know that ensuring my clients and users don't get hacked are the
>first priority but in a University environment you don't quite have that kind
>of control. And yes we are not an open relay.)
>
>We'll be using Edge servers soon.
>
>Is there something I can monitor in the queue or just run a report of
>outbound messages per user?
>
>Is there a way to enable content filtering of outbound messages for users?
>We've been investigating on how to enable this but can't get the content
>filter to scan the internally generated messages. I've tried to set the
>ContentFilterConfig with InternalMailEnabled to True on the Edge server but
>since the connector from the Hub server is using "Exchange server"
>authentication, it bypasses the content filter. I see the test messages when
>running Get-AgentLog but the content filter is bypassing it. I don't have
>the exact message right now unfortunately.
>
>I've also installed the antispam agents on the Hub servers and enabled the
>content filter but that doesn't seem to scan the messages either.

The question I have for you is how do you know? What are you monitoring that shows to you there is mail generated from campus devices going to the outside world?

There is a ton of advice here but you need to give us more information so we can put the blunderbuss down and get a sniper's rifle out for you.
At this point we don't know for sure. Queues show a few different domains blocking us. The mail-abuse QIL list is the primary RBL though there's a few others but don't list which RBL they're using. Being dynamic I'm not sure how reliable the QIL list is. I understand it could be spoofing but I need to make sure we're doing what we can to prevent outbound spam.

"Mark Arnold [MVP]" wrote:
> On Wed, 19 Mar 2008 23:03:01 -0700, Joe N wrote:
>
> >Some recent attacks are using valid users on our system to send spam through
> >Exchange. Could be hacking the user's workstation or grabbing the username
> >and password and then sending through OWA, Outlook or Authenticated SMTP.
> >(And yes I know that ensuring my clients and users don't get hacked are the
> >first priority but in a University environment you don't quite have that kind
> >of control. And yes we are not an open relay.)
> >
> >We'll be using Edge servers soon.
> >
> >Is there something I can monitor in the queue or just run a report of
> >outbound messages per user?
> >
> >Is there a way to enable content filtering of outbound messages for users?
> >We've been investigating on how to enable this but can't get the content
> >filter to scan the internally generated messages. I've tried to set the
> >ContentFilterConfig with InternalMailEnabled to True on the Edge server but
> >since the connector from the Hub server is using "Exchange server"
> >authentication, it bypasses the content filter. I see the test messages when
> >running Get-AgentLog but the content filter is bypassing it. I don't have
> >the exact message right now unfortunately.
> >
> >I've also installed the antispam agents on the Hub servers and enabled the
> >content filter but that doesn't seem to scan the messages either.
>
> The question I have for you is how do you know?
> What are you monitoring that shows to you there is mail generated from
> campus devices going to the outside world?
> There is a ton of advice here but you need to give us more information
> so we can put the blunderbuss down and get a sniper's rifle out for
> you.
>
Two problems then, huh. First find out if anyone has hijacked anything and then square that away. Once traffic is coming from where it's supposed to you will be able to get yourself off the block. No point trying to do that the other way round.
Well I can dig into finding out why we're being listed. Is it possible to apply the content filter to internally generated messages? If not what are some methods to scan outbound messages?

"Mark Arnold [MVP]" wrote:
> Two problems then, huh.
> First find out if anyone has hijacked anything and then square that
> away. Once traffic is coming from where it's supposed to you will be
> able to get yourself off the block. No point trying to do that the
> other way round.
>