After sending an email, we frequently receive an automated reply, such as an Out Of Office message informing us that the intended recipient is on vacation or travelling. Other messages inform us that the message has been queued for delivery, or that it cannot be delivered at all because the recipient is not available.
Some organizations respond aggressively to these types of messages, without mercy, by reporting them to real-time blacklisting services and marking such emails as spam. A well-intentioned corporate policy can thus cause the responding organization to be blacklisted, with a resulting loss of reputation and business. Most businesses rate email services as more important than phone services – any outage in mail can be crippling for business.
Finding a balance between using auto responder messages, with the risk of being blacklisted, and not using auto responders at all is tricky. A number of companies, including a large number of Fortune 500 companies responsible for originating huge amounts of mail traffic, allow Out Of Office messages to leave their network, on the basis that the original sender would like to be informed of the status of the received mail, especially if the recipient is travelling and cannot reply.
Another approach, used especially in the legal sector, is to allow Out Of Office functionality internally only, so that internal senders are informed of a recipient's mail status, while these messages may not leave the corporate firewall.
Mailing list users, who may have subscribed to a commercial list service such as Yahoo Groups or a similar service, may be familiar with receiving an Out Of Office message from someone at a company they have never heard of. This kind of mail is classified as spam rather quickly, since it is unwanted and unsolicited.
In my opinion, well managed auto responders, used by educated users, can add enormous value by informing a sender of an alternative person or manager to redirect their mail to. Both mail server and client software today allow intelligent filtering of mail, the setting up of rules for managing incoming and outgoing mail, and control over who an auto responder may send mail to.
Proper auto responder management may be the right balance to strike, keeping the knee-jerk blacklist response at bay while allowing well-intentioned corporate and private mail users to benefit.
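As an added illustration of the rules described above (example code, not from the original post), this Python function decides whether an Out Of Office reply may be sent at all: it suppresses replies to bounces, to other auto responders and to mailing list traffic, optionally restricts replies to internal senders, and replies to each sender only once. The corporate domain and the sample messages are assumptions; the headers checked (Return-Path, Auto-Submitted, Precedence, List-*) are the standard ones.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"  # assumed corporate domain (placeholder)
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")

def sender_domain(msg: Message) -> str:
    """Domain of the envelope sender, falling back to the From header."""
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def should_auto_reply(msg: Message, internal_only: bool, replied: set) -> tuple:
    """Return (allowed, reason) for an Out Of Office reply. Suppressed: bounces
    (null return path), mail from other auto responders, bulk or list traffic,
    external senders under an internal-only policy, senders already replied to."""
    rp = msg.get("Return-Path")
    if rp is not None and rp.strip() in ("", "<>"):
        return False, "null return path (bounce or NDR)"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "auto-submitted mail"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return False, "bulk or list precedence"
    if any(msg.get(h) for h in LIST_HEADERS):
        return False, "mailing list headers present"
    if internal_only and sender_domain(msg) != INTERNAL_DOMAIN:
        return False, "external sender, policy is internal-only"
    sender = parseaddr(msg.get("From") or "")[1].lower()
    if sender in replied:
        return False, "already replied to this sender"
    replied.add(sender)
    return True, "reply allowed"

# Constructed sample messages (not real traffic).
LIST_MAIL = """Return-Path: <sentto-1-x@returns.groups.example.net>
From: Someone <someone@other.example>
Precedence: bulk
List-Id: <somelist.groups.example.net>

list body
"""
INTERNAL_MAIL = "Return-Path: <alice@corp.example>\nFrom: Alice <alice@corp.example>\n\nbody\n"
EXTERNAL_MAIL = "Return-Path: <bob@partner.example>\nFrom: Bob <bob@partner.example>\n\nbody\n"
BOUNCE = "Return-Path: <>\nFrom: mailer-daemon@other.example\n\nbody\n"

if __name__ == "__main__":
    replied = set()
    for name, raw in (("list", LIST_MAIL), ("internal", INTERNAL_MAIL), ("external", EXTERNAL_MAIL), ("bounce", BOUNCE)):
        print(name, should_auto_reply(message_from_string(raw), True, replied))
```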
SMTP auth attacks are on the rise again. What does this mean?
Exchange and many other messaging servers support authenticated SMTP, meaning that a username/password combination is required in order to send mail. Spammers can then take a closed relay, i.e. a mail server that should not send mail on anyone's behalf except the owning organization's, and use the authentication mechanism to relay spam. This is a really popular kind of attack, since servers that have been locked down against every other kind of relay attack are wide open to this one.
How does it work?
Spammers use a technique known as a brute force dictionary attack, meaning that thousands of combinations of usernames and passwords are generated in order to guess which combination may work for your server, pretty similar to picking a lock. Once a valid combination is found, spammers can use a previously locked down server to send out spam.
How can this attack be made visible?
Regular monitoring of mail queues. Mail queues containing items which obviously do not originate from known users inside the organization, especially in high volumes, are a giveaway, particularly when combined with a recent listing on several real-time block lists.
How can it be prevented?
Separate incoming and outgoing virtual SMTP servers, and switch off SMTP authentication on the internet-facing SMTP stack. Switch on diagnostics logging and watch out for –auth and –transport events which do not originate from inside the organization. Change the passwords of users whose accounts have been compromised and watch for similar events. Ensure that guest accounts are disabled and that strong passwords are enforced for all users and service accounts.
Even better, put something else in front of Exchange to absorb incoming SMTP mail, which does not support SMTP authentication and combines this with a number of other anti spam filters. Exchange is by nature fantastically feature rich, but unless it is secured properly it may be best not to have Exchange internet facing at all. Multi-level and multi-vendor protection is often the best approach to securing against spam attacks; together with regular monitoring and a well thought out configuration, most known spam attacks, including SMTP auth attacks, can be prevented.
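To make the monitoring advice concrete, here is an added example (not code from the original post) that runs the checks over a constructed, simplified authentication log: it flags a source address that exceeds a failure threshold within a sliding window, a subsequent successful login from that same source (the account has most likely been guessed), and any successful authentication from outside the internal address ranges. The log format, the thresholds and the internal ranges are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed internal ranges (placeholders for the organization's own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=10)  # failures per IP per window

# Constructed sample log, simplified format (not Exchange's own): date time ip account outcome
SAMPLE_LOG = """\
2007-03-01 10:00:01 10.0.0.5 jsmith OK
2007-03-01 10:00:04 203.0.113.9 administrator FAIL
2007-03-01 10:00:05 203.0.113.9 guest FAIL
2007-03-01 10:00:06 203.0.113.9 test FAIL
2007-03-01 10:00:07 203.0.113.9 sales FAIL
2007-03-01 10:00:08 203.0.113.9 info FAIL
2007-03-01 10:00:31 203.0.113.9 sales OK
2007-03-01 10:02:00 198.51.100.7 bob OK
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(line: str):
    date, time, ip, user, outcome = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, user, outcome

def analyze(log_text: str) -> list:
    """Return (alert, ip, account) tuples: threshold exceeded, a success from a
    flagged source (account likely compromised), or a success from outside."""
    alerts, flagged = [], set()
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    for line in filter(str.strip, log_text.splitlines()):
        ts, ip, user, outcome = parse(line)
        if outcome == "FAIL":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user))
        elif outcome == "OK":
            if ip in flagged:
                alerts.append(("likely_compromised", ip, user))
            elif not is_internal(ip):
                alerts.append(("external_auth_success", ip, user))
    return alerts
```

With the sample log, the external source is flagged on its fifth failure, its later success is reported as a likely compromised account, and the unrelated external success is listed for review.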
Messenger spam started off with Windows alerts being pushed to surprised users' desktops. Pop-ups would appear on users' desktops carrying the advertisement. Users had no control and no ability to block or opt out, since they had never given permission in the first place.
How did it work? NetBIOS and RPC ports were left open, allowing spammers free access to systems, home-based or otherwise, and with the advent of broadband, thousands of advertising opportunities opened up. Poorly secured network connections allowed the Windows Messenger service, originally designed for administrators to send messages to users about network related issues, to be abused. Messages sent this way were nearly untraceable, anonymous and annoying.
Spam messages often included telephone numbers and web site addresses; however, the original advertiser would not be blamed for the intrusion into users' machines, since they would have outsourced the advertising to a spammer specializing in this space.
Spam traffic, including SMTP traffic, accounts for a huge proportion of today's internet traffic. Worms and robots which gather information for spammers include traditional spam bots trawling websites for usable email addresses; even more sinister are robots which probe thousands of internet connected networks every day, seeking open ports through which to inject advertising messages.
Instant Messaging clients, including MSN, Yahoo, Google, Jabber, etc., have all at one point been targets of attack, forcing their owners to tighten up security in order to protect users. Since malware and spyware take advantage of the same Windows Messenger Service and IM ports which allow unwanted advertising to be propagated, much has been achieved with personal firewalls.
Corporate networks will benefit from ensuring that NetBIOS and RPC based ports are locked down, as well as from logging IM based traffic. Investing in intelligent firewalls such as Microsoft's ISA Server and federating the Instant Messaging traffic sent and received, using enterprise IM products, not only greatly reduces IM spam, but offers the network administrator a level of control not previously possible.
Due to the huge range of Windows versions in use in the world today, messenger spam is still being reported across the globe. Network administrators can protect their users from the Windows Messenger Service attack by ensuring that the service is stopped and disabled in the Control Panel if not required by the business, as well as by installing a firewall capable of blocking this and other kinds of messenger spam attacks.
Even though Exchange 2007 has been released for a while, I thought it would be worthwhile spending a moment on the Exchange 2003 spam features, especially given the large number of Small Business Server users still on SBS 2003 with Exchange 2003.
With the advent of Service Pack 2 for Exchange 2003, a number of anti spam features became available. These include:
- Connection filtering including Allow/Deny IP lists with Real-time block lists
- Sender Filtering
- Recipient Filtering
- Sender ID filtering
- Intelligent Message Filter including Anti-phishing
These features can be enabled globally and controlled per virtual SMTP server. Furthermore, since Exchange supports multiple virtual SMTP servers on a single Exchange server, a huge amount of granularity and control became available. Messages could be split between incoming and outgoing SMTP stacks, even if only one physical Exchange server was present.
As with most spam strategies, a combined approach is needed in order to combat spam. A number of these features are incredibly useful, such as:
Connection Filtering coupled with Real-time block lists covers the well known spam networks and hosts.
Recipient Filtering rejects email for invalid recipients, greatly reducing the load on an Exchange server. However, this does increase the risk of a directory harvesting attack: spammers may use dictionaries to generate inbound emails, using NDRs as a validation mechanism to learn which email addresses are valid and which are not. Recipient Filtering coupled with Tar Pitting (Microsoft KB article 842851) prevents a number of attacks, including NDR flood attacks, and lessens the effectiveness of a directory harvesting attack, since Tar Pitting delays the reply to a 5.x.x conversation and NDRs are therefore greatly delayed.
The Intelligent Message Filter is updated regularly and offers intelligent protection by examining email headers, words and other data in the mail to make a classification decision. Based on the classification, email is stamped and then deleted, rejected, archived or forwarded to the user, who may find the mail in their inbox or spam folder depending on the classification it carries.
The good news is that this technology is available in every version of Exchange 2003, Standard, Enterprise and SBS. Most businesses on a budget will benefit directly from these features.
The bad news is that as good as it is, it may not be enough.
Due to the very nature of spam and spam protection, spamming techniques are constantly changing and evolving. A number of years ago Real-Time Block Lists were sufficient protection. In my opinion, Exchange should not be exposed directly to the internet and should be protected by another vendor's solution, in order to add another tier, and therefore another level of complexity, protecting against spam attacks. A multi-tiered anti spam approach is required in order to gain a level of protection acceptable to an organization of any size.