<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; Exchange Server</title>
	<atom:link href="http://www.allspammedup.com/tag/exchange-server/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Mon, 06 Feb 2012 15:00:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>As World IPv6 Day approaches, it’s time to move off of IP Blacklists</title>
		<link>http://www.allspammedup.com/2011/03/as-world-ipv6-day-approaches-it%e2%80%99s-time-to-move-off-of-ip-blacklists/</link>
		<comments>http://www.allspammedup.com/2011/03/as-world-ipv6-day-approaches-it%e2%80%99s-time-to-move-off-of-ip-blacklists/#comments</comments>
		<pubDate>Thu, 17 Mar 2011 10:33:08 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[SPF]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3883</guid>
		<description><![CDATA[As the Internet begins to transition from IPv4 to IPv6, email admins will need to transition from IP blacklists to other antispam mechanisms.<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/03/as-world-ipv6-day-approaches-it%e2%80%99s-time-to-move-off-of-ip-blacklists/">As World IPv6 Day approaches, it’s time to move off of IP Blacklists</a></p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/03/IPv6.jpg"><img class="alignleft size-full wp-image-3884" style="margin-left: 10px; margin-right: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/03/IPv6.jpg" alt="" width="106" height="72" /></a>On Wednesday, 2011-06-18, some of the largest names in Internet technology, as well as many individuals with an IPv6 connection, will be participating in the first global ‘test flight’ of IPv6, <a href="http://isoc.org/wp/worldipv6day/" target="_blank">World IPv6 Day</a>. The goal of this organized test of IPv6 is to motivate companies, Internet Service Providers, and all other Internet users to start preparing for the transition to IPv6.</p>
<p>As email administrators, the transition to IPv6 holds some implications for our systems. Over at our sister blog, TheEmailAdmin, I went over some of the <a target="_blank" href="http://www.theemailadmin.com/2011/02/are-you-ready-for-ipv6/">implications for Exchange 2010 when moving to IPv6</a>. As mentioned there, IP Blacklisting is not supported in Exchange 2010 when using IPv6, and even if it were, it probably would not be very effective.</p>
<p><span id="more-3883"></span>IPv6 increases the total size of an IP address from 32 bits to 128 bits. As each bit doubles the number of possible addresses, the total number of available addresses in the new scheme is 3.4 × 10^38. There are so many more IP addresses in IPv6 that blocking spammers based on their source IP address might prove to be unmanageable. Blacklists that block network ranges have already proven to be ineffective, with far more legitimate users impacted than spammers blocked. It should be obvious that systems which depend on IP blacklists are going to have to find an alternative.</p>
<p>With World IPv6 Day presenting an opportunity to test the new addressing scheme, you should plan to test alternatives to IP blacklists on that day. Here are a few alternatives to investigate, which can be added now to your IPv4-based systems, and should work just as well in IPv6.</p>
<h3>Sender Policy Framework (SPF)</h3>
<p>If you have read more than one of my posts, then you know I am a huge advocate of SPF records. The only thing IPv6 means for SPF records is that you won’t want to specify IP addresses. You will still mention your MX records, domain names, etc. You can read more about SPF records <a href="http://www.allspammedup.com/2010/10/a-call-to-action-embrace-spf/" target="_blank">here</a>.</p>
<h3>DomainKeys Identified Mail (DKIM)</h3>
<p>DKIM uses RSA keys, published in DNS, to digitally sign email. A receiving system can look up the public keys in DNS to determine whether a mail is from its purported domain or not. There’s a great write-up on DKIM <a href="http://www.allspammedup.com/2009/03/the-new-spam-sheriff-in-town/" target="_blank">here</a>.</p>
<h3>Bayesian Filtering</h3>
<p>Bayesian filters work on the content of an email, and have no interaction with the source IP address of the message at all. The change from IPv4 to IPv6 will be invisible to systems using Bayesian filters. Click <a href="http://www.allspammedup.com/2011/02/what-are-bayesian-filters-anyway/" target="_blank">here</a> for an overview of them.</p>
<h3>IP Reputation</h3>
<p>While Exchange 2010 doesn’t currently support this with IPv6, there is no reason to believe that this won’t be addressed in an upcoming service pack or patch, and of course Exchange is not the only game in town. Calculating the reputation of a source address is different from simply blocking email coming from an address on a blacklist, as it takes into account the network, the service provider, and previous messages. There is some great information on IP Reputation in <a href="http://www.allspammedup.com/2010/06/avoiding-ip-reputation-problems-with-redundant-mail-paths/" target="_blank">this post</a>.</p>
<p>With IPv6 coming (it’s no longer an IF, it is definitely down to a WHEN), if you are currently dependent upon IP Blacklists, start looking at your alternatives now.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/03/as-world-ipv6-day-approaches-it%e2%80%99s-time-to-move-off-of-ip-blacklists/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Using SMTP tarpits to slow down directory harvest attacks</title>
		<link>http://www.allspammedup.com/2010/10/using-smtp-tarpits-to-slow-down-directory-harvest-attacks/</link>
		<comments>http://www.allspammedup.com/2010/10/using-smtp-tarpits-to-slow-down-directory-harvest-attacks/#comments</comments>
		<pubDate>Tue, 05 Oct 2010 01:45:39 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Directory Harvesting]]></category>
		<category><![CDATA[Exchange Server]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3135</guid>
		<description><![CDATA[Directory harvest attacks are one of the many threats email administrators must deal with. SMTP tarpitting is an effective defence. This post goes over the mechanics of the attack, and the details of the defence.
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2010/10/TheTarPit.png"><img class="alignleft size-thumbnail wp-image-3134" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/10/TheTarPit-150x150.png" alt="" width="150" height="150" /></a><a href="http://retrohack.com/how-to-prevent-directory-harvest-attacks/" target="_blank">Directory harvest attacks</a> are just one of the many methods that spammers use to create lists of valid email addresses. As an email administrator, you want to understand both what they are and how to effectively defend against them. Here is how these attacks work. The spammer creates a list of possible email addresses by combining common email aliases and names with the authoritative domain(s) hosted by the server. The spammer&#8217;s script then attempts to &#8220;deliver&#8221; mail to the addresses on this list using the RCPT TO: command, and uses the responses from the mail server to determine which are good and which are not. Valid addresses are added to a final list for sending spam that can be shared or even sold to other spammers, while invalid ones are dropped.</p>
<p>This works because SMTP servers respond to messages addressed to recipients differently. When a sender issues the RCPT TO: command to an MTA for a local addressee, valid addresses generate a “250 2.1.5 Recipient OK”, while invalid addresses generate a “550 5.1.1 User unknown.” The spammer does not actually have to send a message, as a valid email could have multiple recipients. They can run through dozens or even hundreds of addresses, as the MTA will respond until its maximum number of recipients is reached. For many systems, a maximum must be configured&#8230; there is no default. </p>
<p><span id="more-3135"></span>What does this look like on your system? The most common symptom of a directory harvest attack is when your MTA generates a large number of 550 5.1.1 messages in response to the same MAIL FROM: command. Of course, if you are looking at your logs, the attack has already happened. An effective defense needs to be in place in advance. One of the best ways to defend against directory harvest attacks is to implement SMTP tarpitting.</p>
<p>Named for the naturally occurring lakes of asphalt (bitumen) where prehistoric animals became trapped in the sticky tar, network tarpits are systems configured to trap misbehaving connections. They do this by slowing down responses to a crawl, effectively extending the duration of a conversation on the network from milliseconds to seconds&#8230; an eternity in computer time. SMTP tarpitting is when the MTA recognises that an attack is underway, and responds to further RCPT TO: commands more slowly than normal. Responses to SMTP commands normally arrive in fractions of a second, but when the tarpit is active, they can take several seconds or even minutes. This behaviour still complies with <a target="_blank" href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a>, but greatly increases the amount of time it takes for a directory harvest attack to complete. At best, this can cause an attack to fail from timeouts, and at worst, cause the attackers some of the same aggravation they cause you.</p>
<p>Exchange 2007 and 2010 both support SMTP tarpitting by default, and Exchange 2003 SP1 can be configured to do this as well. Other systems, or Exchange admins who want an extra layer of protection on the edge, can add other packages or implement a product like <a target="_blank" href="http://www.gfi.com/mes">GFI Mail Essentials</a> to enhance the security of their mail systems with protections including SMTP tarpitting. You can also look at hosted solutions like <a target="_blank" href="http://www.gfi.com/hosted-email-security">GFI’s Max MailProtection</a> to defend against these attacks.</p>
<p>Consult your mail server’s documentation for tarpitting, or look at adding an edge device or a hosted service. When using a tarpit, keep in mind that while you want to slow down a directory harvest attack, you don’t want to slow down the rest of your legitimate inbound email. Make small adjustments in the tarpitting interval until you find your sweet spot, constantly monitoring to ensure your inbound mail does not suffer unnecessary delays.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/10/using-smtp-tarpits-to-slow-down-directory-harvest-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Ways to Prevent Your Emails Being Blocked as Spam</title>
		<link>http://www.allspammedup.com/2009/09/7-ways-to-prevent-your-emails-being-blocked-as-spam/</link>
		<comments>http://www.allspammedup.com/2009/09/7-ways-to-prevent-your-emails-being-blocked-as-spam/#comments</comments>
		<pubDate>Fri, 04 Sep 2009 15:16:32 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Blocklists]]></category>
		<category><![CDATA[Email Marketing]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1439</guid>
		<description><![CDATA[Earlier this week I was talking with a client and discovered that they had not received an important email that I sent them that morning.  After a brief investigation we found the email in their Outlook Junk email folder.  This &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1442" src="http://www.allspammedup.com/wp-content/uploads/2009/09/949308_61702022.jpg" alt="949308_61702022" width="250" height="187" />Earlier this week I was talking with a client and discovered that they had not received an important email that I sent them that morning.  After a brief investigation we found the email in their Outlook Junk email folder.  This was unusual because, of course, we send emails to each other quite frequently.</p>
<p>I checked it out and was able to determine why that particular email got marked as Junk email, made a configuration change, and emails have been delivering fine ever since.  The experience left me thinking about some of the ways that perfectly legitimate email might be marked as spam, and the steps that can be taken to avoid those situations.</p>
<h2>Flagged as Spam by End User Email Client</h2>
<p>An email recipient can flag an email as spam in a number of ways.  If their email client has built-in junk filters then they can simply mark it as junk email in their client and your emails will not reach their inbox.</p>
<p>For businesses with Exchange Server 2007 and Outlook on the desktop this goes a step further due to a feature called <a href="http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/">Safelist Aggregation</a>.  This feature aggregates each individual user&#8217;s personal safelist and blocklist information onto the server itself, so that an email address marked as spam by one user is also blocked for other users.</p>
<p>Unfortunately this can happen when people either forget that they signed up for a particular newsletter or promotion, or they simply decide that they no longer want to receive it, and instead of unsubscribing they mark it as spam.</p>
<p><span id="more-1439"></span>You can avoid this situation by always making it clear how you acquired a recipient&#8217;s email address and how they can go about unsubscribing from your emails.</p>
<h2>Submitted as Spam to Email Security Vendor</h2>
<p>Most vendors of anti-spam software will accept spam submissions from customers to help them continually update their signature databases for the latest spam emails.  As with the previous point it is not uncommon for people to submit legitimate emails as spam simply because they forgot that they signed up to receive them.</p>
<p>The solution to this is the same, as a vendor is unlikely to update their product to begin treating your emails as spam if you are making it clear that the recipient signed themselves up and can unsubscribe at any time.</p>
<h2>Sending from Dynamic IP Address</h2>
<p>Because of the problem of spam botnets on the internet many email servers are configured to use <a href="http://www.allspammedup.com/2009/08/understanding-blocklist-providers/">block lists</a> that will reject email from ISP customer IP addresses, which are usually dynamically allocated ranges of IP addresses.  The problem here can be twofold &#8211; either the IP you have been allocated was previously known to send out some spam, or the IP is within a dynamic IP range that is on a block list, or sometimes both.</p>
<p>The solution to this can be to either acquire static IP addresses from your ISP to run your email server, or to use your ISP as a smart host to relay outbound email from your server to the internet.  Most ISPs offer this service to customers.  Because the smart host IP address is more trusted and less likely to be on a blocklist your emails are more likely to be delivered.</p>
<h2>Sending from an Open Relay</h2>
<p>Similar to the previous point if your server has been misconfigured or compromised by hackers and is known to be an open relay then you will find your emails getting blocked by anyone using one of the major <a href="http://www.allspammedup.com/2009/08/understanding-blocklist-providers/">blocklist providers</a>.</p>
<h2>Failing SMTP RFC Requirements</h2>
<p>Sometimes email will be treated as spam simply because your server does not meet all of the requirements specified in the SMTP RFC.  I know of at least one major US ISP that outright blocks your IP address if it does not have a correct reverse DNS entry, and getting unblocked means jumping through quite a few hoops.</p>
<h2>Failing Anti-spam Framework Requirements</h2>
<p>There are several <a href="http://www.allspammedup.com/2009/06/antispam-frameworks-explained/">anti-spam frameworks</a> available to email administrators, and although none have become an official standard they are often used by email admins as one of many factors in assessing emails for spam.</p>
<p>Most framework requirements are very simple to implement, and complying with them only improves your chances of successful email delivery so it is worth the time to configure your servers for them.</p>
<h2>Sending Spam</h2>
<p>This last one might seem obvious but if you have actually sent some spam in the past then the likelihood of future emails being treated as spam is much greater.  Where many companies fall into this trap is when they engage in <a href="http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/">email marketing</a> and don&#8217;t pay attention to the legal and ethical requirements associated with this type of activity.</p>
<p>First and foremost make sure that you are conducting your email campaigns in compliance with any spam legislation in the regions in which you operate.  Secondly remember that spam is often in the eye of the beholder.  You may have legally acquired a person&#8217;s email address and sent them marketing emails but if your content is &#8220;spammy&#8221; to them in any way then it will be treated as such.</p>
<p>As you can see spam is a complex issue not only from the preventative side but also from the deliverability side.  If you spend the time to consider these elements and implement the correct solutions on your servers and within your business you should find yourself able to communicate with your customers via email without fear of messages being blocked.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/09/7-ways-to-prevent-your-emails-being-blocked-as-spam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>7 Major Sources of Spam on the Internet</title>
		<link>http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/</link>
		<comments>http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/#comments</comments>
		<pubDate>Wed, 22 Jul 2009 12:57:42 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Instant Messaging]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Wireless]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1276</guid>
		<description><![CDATA[Anyone who uses the internet whether for business or for leisure has had first hand experience with spam at some point in time.  Spam is a problem that plagues the internet and affects us all in some way.  Like most &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1279" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/07/seven.jpg" alt="seven" width="200" height="133" />Anyone who uses the internet whether for business or for leisure has had first hand experience with spam at some point in time.  Spam is a problem that plagues the internet and affects us all in some way.  Like most problems the spam problem is a very complex one.  There is no single source or cause of spam, which means there is no single solution to the problem.  In this post I&#8217;ll explain some of the sources and causes of the spam that we see every day.</p>
<h2>Botnets and Zombies</h2>
<p>Bots or zombies are typically home computers that have been infected with some type of virus or malware, which puts the computer under remote control by a malicious person.  A group of these computers is referred to as a botnet, and is used by a spammer to send out millions of emails containing spam, phishing scams, and computer viruses.</p>
<p>Examples of botnets include the <a target="_blank" href="../../../../../2009/05/cutwail-botnet-flooding-net-with-weight-loss-spam/">Cutwail</a> and <a target="_blank" href="../../../../../2009/07/rustock-botnet-behind-rise-in-spam/">Rustock</a> botnets that are responsible for massive spam attacks around the world.</p>
<p>Because botnets are made up of computers located within ISP customer IP subnets they can often be blocked by using <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a> to block any SMTP connections from those IP address ranges.  When this fails you have to rely on <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a> to detect the spam content within the messages.</p>
<h2>Open Relays</h2>
<p>An <a href="http://www.allspammedup.com/2009/02/is-your-email-server-an-open-relay/">open relay</a> is a poorly configured email server that allows anyone to relay messages through it to any other destination email address.  Modern email server software is not configured to permit open relay by default; it usually takes human error to cause a server to be configured this way, and there are few genuine reasons to run an open relay, especially not one that is open to the internet where it can be abused by spammers.<span id="more-1276"></span>  Servers that are found to be open relays are often added to block lists.  This will prevent that server from sending legitimate email as well, so having an open relay in your own network can be detrimental to your own business.</p>
<h2>Backscatter</h2>
<p><a href="http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">Backscatter spam</a> is caused by a combination of email address spoofing and poorly configured spam defenses on email servers.  When an email server detects spam it may generate a &#8220;Non Delivery Report&#8221; (NDR) to what it thinks is the originating email address.  Because most spam is from spoofed (or forged) email addresses this means that the person whose email address was spoofed receives the NDR, often containing the original spam content as well.</p>
<p>Backscatter or NDR spam can be difficult to detect and block and not all antispam systems do it very effectively.</p>
<h2>Unsecured Wireless Networks and Business Premises</h2>
<p>An often forgotten source of spam is poorly secured business networks.  People may assume that business computers would need to be part of a botnet, or that the email server has to be an open relay for spam to originate from business networks.</p>
<p>However some networks are compromised simply because attackers are able to gain physical access to data ports in unsecured sections of the office.  These risks highlight the importance of businesses <a href="http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/">filtering outgoing email</a> from their networks.</p>
<p>Wireless networks are also a vulnerability for both businesses and homes.  In Australia one state&#8217;s police force is considering patrolling neighborhoods for unsecured wireless networks so that they can assist people in securing them and cutting off the opportunity for criminals to use them.</p>
<h2>Email Marketers</h2>
<p>Not all email marketers are spammers, but there are definitely those out there that consider themselves to be genuine marketers even as they engage in spam tactics.  This is a problem not only because of the incoming spam that people have to deal with, but also because businesses must be careful when engaging in <a href="http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/">email marketing</a> not to be labeled as spammers themselves.</p>
<p>There is also the perception that any unwanted commercial email must be spam, but often a person will forget they signed up for a mailing list or simply do not want to receive them anymore and will start treating it as spam instead of simply unsubscribing.</p>
<h2>Instant Messaging</h2>
<p>Instant messaging is a very useful and productive tool but like any internet communication is also subject to spam.  Malicious users will simply add as many contacts as they can and start sending out links to spam and phishing sites before the messaging service notices them and blocks them.</p>
<p><a href="http://www.allspammedup.com/2009/03/spamming-google-talk/">Instant messaging spam attacks</a> are often successful because it is perceived as a more trusted platform by the end user and also commonly used by people to communicate with other people they have never met, causing them to be less suspicious of messages from unknown contacts.</p>
<h2>Social Networks</h2>
<p>Social networking is one of the most popular online activities today and like instant messaging is used to connect with people all around the world, some of whom a person has never met or does not even know very well.  This makes social networks a lucrative hunting ground for spammers who use the personal information people reveal about themselves on social networks to tailor their spam messages.</p>
<p>The personalized content in the spam and phishing messages causes unsuspecting victims to lower their guard and be more trusting, which leads to them falling for the scam that the attacker is using.</p>
<p>Most <a href="http://www.allspammedup.com/2009/06/dealing-with-new-spam-threats-to-business/">social network spam and phishing attacks</a> cannot be effectively prevented in any other way than by <a href="http://www.allspammedup.com/2009/01/the-last-line-of-defense-against-spam/">increasing user awareness</a> of the risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Where to Locate Anti-Spam Servers in Your Network</title>
		<link>http://www.allspammedup.com/2009/05/where-to-locate-anti-spam-servers-in-your-network/</link>
		<comments>http://www.allspammedup.com/2009/05/where-to-locate-anti-spam-servers-in-your-network/#comments</comments>
		<pubDate>Mon, 18 May 2009 14:10:11 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1006</guid>
		<description><![CDATA[After an organisation has made the decision to invest in an anti-spam solution, often the next consideration is where within their network infrastructure should the anti-spam system be located.  When making these decisions it is helpful to understand common anti-spam &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1007" title="Where to Locate Anti-Spam Servers in Your Network" src="http://www.allspammedup.com/wp-content/uploads/2009/05/location.jpg" alt="location" width="250" height="166" />After an organisation has made the decision to invest in an anti-spam solution, often the next consideration is where within their network infrastructure should the anti-spam system be located.  When making these decisions it is helpful to understand common anti-spam techniques and how they will integrate with other elements of your network.</p>
<h2>Small to Medium Businesses</h2>
<p>For small- to medium-sized businesses the decision is simplified to a certain degree, especially for organisations that operate from single premises.  Many of these organisations will operate a single email server such as Microsoft Exchange Server.  When an Exchange-integrated solution is chosen then the anti-spam software is installed on the same server as Microsoft Exchange.</p>
<p>Although this basically eliminates any need to consider the location of the anti-spam system, there is still some consideration that needs to be given to configuration and tuning of the various anti-spam features.  For example, connection filtering should be enabled and assessed first before the more resource-intensive content filtering.  Even though most small businesses do not deal with the volume of email that makes performance difficult to manage, this sort of attention to detail will ensure that an integrated anti-spam system does not adversely impact the performance of the organisation&#8217;s email server.</p>
<h2>Large Businesses and Enterprises</h2>
<p>Large businesses and enterprises typically operate a complex network infrastructure due to two main factors &#8211; they operate out of many separate premises across a city, country, or even the world; and they have very large numbers of staff using the email system.  This presents many additional factors when considering the location of the anti-spam system, such as:</p>
<ul class="unIndentedList">
<li>Multiple email entry points for the network;</li>
<li>Heavily loaded email servers with critical performance/uptime requirements;</li>
<li>Strict security policies for incoming connections from the internet, including for SMTP;</li>
<li>Strong focus on lower total cost of ownership (TCO) for systems such as email security.</li>
</ul>
<p>When these factors are considered in light of the technical features of an anti-spam system the decision can be a complicated one.<span id="more-1006"></span> For example, connection filtering should typically be applied at the first SMTP server within the organisation that accepts incoming internet email.  For large enterprises this can be several servers dispersed around the globe, each with a corresponding MX record in the DNS zone for the organisation&#8217;s email domain.  Furthermore, many large enterprises have security policies requiring all incoming connections from the internet (including SMTP) to be accepted by a host in a DMZ instead of the internal network.</p>
<p>Although this would appear to be an easy decision &#8211; place the anti-spam server in the DMZ or one in each DMZ where there is an internet connection &#8211; the issue then becomes whether or not this location suits other anti-spam features.  For example, prevention of directory harvesting attacks (DHA) usually requires that the anti-spam system perform email address lookups against Active Directory, requiring either that a domain controller be located in the DMZ or the anti-spam server have firewall access to the domain controllers within the internal network.  Each of those options presents its own security challenges, but one or the other must be chosen because moving the DHA detection to a different SMTP hop within the internal LAN undermines the effectiveness of DHA prevention.</p>
<p>Content filtering is another feature that must be considered.  Because content filtering is often used in conjunction with an end user-accessible quarantine store (often a SQL database) it makes sense to perform the content filtering and SQL storage within the internal network where the end users reside, so that end users can access self-service quarantine and relieve some of the administrative burden from the IT department.</p>
<p>However, performing the content filtering on the backend mailbox servers may cause performance problems, because the mailbox servers are then dealing with both a large volume of concurrent user activity as well as the resource-intensive content filtering operations.  An alternative is to perform the content filtering in the DMZ and allow firewall access to the SQL server hosting the quarantine databases, but again this presents further security issues for the organisation to deal with (any open port from the internet or DMZ into the internal network is a potential attack vector, and SQL servers are popular targets for attack).</p>
<h2>Making the Decisions</h2>
<p>This post does not offer prescriptive guidance for any particular scenario; rather I attempt to highlight the importance of the decision making process for implementation of an anti-spam system within networks of varying complexity.  The best result will be obtained by understanding all of the features of the anti-spam system, the requirements of the business itself, and determining an appropriate model that meets functionality and security requirements of the organisation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/05/where-to-locate-anti-spam-servers-in-your-network/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Go Beyond Encryption with a Tunnel</title>
		<link>http://www.allspammedup.com/2009/04/go-beyond-encryption-with-a-tunnel/</link>
		<comments>http://www.allspammedup.com/2009/04/go-beyond-encryption-with-a-tunnel/#comments</comments>
		<pubDate>Thu, 30 Apr 2009 14:51:37 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=917</guid>
		<description><![CDATA[Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-918" title="tmeeh_image11" src="http://www.allspammedup.com/wp-content/uploads/2009/04/tmeeh_image11.jpg" alt="tmeeh_image11" width="196" height="196" />Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.</p>
<p>What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer&#8217;s daily routine includes using this technique regularly.</p>
<p>When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although it isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.<span id="more-917"></span></p>
<p>For the cyber criminal, spoofing an email message is only half of the equation. A hacker must also know the email address of the mailbox that&#8217;s being used as the journal repository. With these two factors in place, it&#8217;s fairly easy for a hacker to sneak a spoofed message into the journaling mailbox.  By changing certain properties of an email (i.e. From, return path,  reply to fields etc.), the bad guys can make an email appear to be from someone other than the actual sender. The result is the email appears to come from a fake email address indicated in the &#8220;From&#8221; field, when it actually comes from a totally different source.</p>
<p>Other journaling defense methodologies include protecting Exchange email archives from spoofing attacks. The key component to protecting your archives against these types of attack is a clear understanding that there is a difference between the sender and the display name. The display name is the name the email recipient sees. It has no value in authenticating the user. The user&#8217;s true identity is connected to the account&#8217;s <a target="_blank" href="http://en.wikipedia.org/wiki/GUID">globally unique identifier</a> (GUID).</p>
<p>Within the same Exchange Server organization an email recipient can be deceived by a  spoofed display name, when an authenticated email user sends a spoofed message to that  email recipient’s mail box. The Exchange server is not fooled. It knows exactly who actually sent the message, because of how the sender was authenticated.</p>
<p>This authentication process is significant, because journaling always sends messages to the designated recipient mail box in a consistent manner regardless of who sent or received the message being placed in the journal mail box. For example, let’s say email user #1 sends a message to email user #2. The Exchange mail server is also set up to journal a copy of the message to a mail box called “Journal”.  In this scenario, email user #1 or email user #2 won&#8217;t send the message to the Journal mailbox. The email will be sent to the Exchange hub server. Then the Exchange hub server sends the message as a Microsoft Exchange message on behalf of the message&#8217;s original sender.</p>
<p>If we know that all email messages sent to the journaling mailbox are only supposed to be from Microsoft Exchange, some easy steps can be taken to prevent anyone else or any other entity from sending messages to this mail box. Not publishing the mailbox in the directory is one way to do this.</p>
<p>A further step would be to ensure that only the Exchange server can place items into the journaling mail box.  <strong>Below is the process for creating a tunneling mechanism only between the Exchange server and the journal mail box</strong>. This ensures the journal mail box does not accept email from any outside entity.</p>
<ol>
<li>Open the Exchange Server Management console.</li>
<li>Select Recipient Configuration &gt; Mailbox.</li>
<li>Right click on the journal mail box and choose Properties from the menu. This causes the console to display the mailbox&#8217;s properties sheet.</li>
<li>Go to the properties sheet&#8217;s &#8220;<strong>Mail Flow Settings</strong>&#8221; tab.</li>
<li>Select the Message Delivery Restrictions option.</li>
<li>Click the &#8220;Properties&#8221; button to display the Message Delivery Restrictions dialog box.  At this point you can require that all senders to this mailbox be authenticated.  You can also choose to accept only specific senders.  For the journal mail box, accept only messages from Microsoft Exchange.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/go-beyond-encryption-with-a-tunnel/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007</title>
		<link>http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/</link>
		<comments>http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 13:39:21 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[NDRs]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=910</guid>
		<description><![CDATA[Most of the articles you&#8217;ll read on a blog such as this will describe how to protect yourself from certain types of spam.  Most of the articles I&#8217;ve written so far do exactly that.  Today I&#8217;m going to add another &#8230;
]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><img class="alignright size-full wp-image-911" title="Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007" src="http://www.allspammedup.com/wp-content/uploads/2009/04/scatter.jpg" alt="Backscatter" width="250" height="188" />Most of the articles you&#8217;ll read on a blog such as this will describe how to protect yourself from certain types of spam.  Most of the articles I&#8217;ve written so far do exactly that.  Today I&#8217;m going to add another dimension to my post and discuss how to protect both yourself <strong>and</strong> others from &#8220;backscatter&#8221; spam.</p>
<h3 style="text-align: justify;">What is Backscatter Spam?</h3>
<p style="text-align: justify;">The term &#8220;backscatter spam&#8221; refers to a spam attack that targets non-existent email addresses and causes email &#8220;bounce&#8221; messages to be sent to innocent parties.  The &#8220;bounce&#8221; messages are known as Non-Delivery Reports (NDRs) and are sent by an email server to let the sender know that the message was not delivered.</p>
<p style="text-align: justify;">NDRs are a normal and useful part of the SMTP protocol.  However when NDRs were first envisaged the concept of address spoofing was not considered.  Address spoofing is when a spammer forges the &#8220;From&#8221; address on a piece of spam they are sending.  This is how backscatter affects innocent parties &#8211; even though they didn&#8217;t send the spam, they receive the NDR because their email address was forged by the spammer.</p>
<p style="text-align: justify;"><span id="more-910"></span><strong>Why does Backscatter Occur with Exchange Server 2007?</strong></p>
<p style="text-align: justify;">An Exchange Server 2007 email server will contribute to the backscatter problem simply due to this default configuration.</p>
<p style="text-align: justify;"><img class="size-full wp-image-912 alignnone" title="Why does Backscatter Occur with Exchange Server 2007" src="http://www.allspammedup.com/wp-content/uploads/2009/04/allowndr.png" alt="Exchange Server 2007 Allow NDRs" width="500" height="208" /></p>
<p style="text-align: justify;">This check box tells the Exchange server to send NDRs back to any sending domain (note the wildcard * used as the domain name).  Because the message has already been accepted in full and the original SMTP connection from the spam source disconnected, the Exchange server performs a DNS lookup for the MX record (Mail eXchanger) and sends the NDR to that server.</p>
<p style="text-align: justify;">If the spam forged the email address of john.smith[at]contoso.com, then John is the one who receives the NDR.  John also receives a copy of the spam message, which is included with the NDR message.  So although the spammer has not successfully reached the first intended recipient, they have reached John who is now curious as to what email he apparently sent that caused the NDR (this curiosity increases the chance that he will open the spam and maybe click on a link within it).</p>
<h3 style="text-align: justify;">Preventing Backscatter from Being Sent by Your Exchange Server</h3>
<p style="text-align: justify;">The simplest and most obvious way to prevent an Exchange server sending backscatter spam is to uncheck the box for allowing NDRs to be sent to external domains.  Unfortunately this is not the best way to go about doing it.  NDRs are a valid part of the SMTP protocol and serve a genuinely useful purpose.  Imagine if a business partner incorrectly addressed a critical email and received no NDR.  A business could lose money if the mistake is not noticed straight away, which it would be if an NDR was sent back to the sender.  NDRs are necessary and should not be disabled.</p>
<p style="text-align: justify;">The safest way to prevent backscatter from originating from your server is to block the inbound spam to begin with.  Because most spam originates from compromised home computers it therefore usually comes from untrustworthy blocks of IP addresses.  These IP addresses are included in popular RBL databases such as Spamhaus.  With Exchange Server 2007 you can make use of <a title="Exchange Server 2007 Connection Filter" href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">Connection Filtering</a> to look up sending IP addresses in the Spamhaus database and terminate the SMTP connection.</p>
<p style="text-align: justify;">Because the SMTP connection is terminated without accepting the message your Exchange server does not need to send an NDR to the forged sender address.  Furthermore, because the software used by spammers to send out emails from compromised computers does not bother sending NDRs it will not send one to the forged sender either.</p>
<h3 style="text-align: justify;">Preventing Backscatter from Being Received by Your Exchange Server</h3>
<p style="text-align: justify;">Protecting your own Exchange server from receiving backscatter spam is a little more complicated.  Connection Filtering is not useful here, because the NDRs containing the original spam are likely to be coming from trusted IP addresses.</p>
<p style="text-align: justify;">Content filtering is the most effective way of detecting and blocking backscatter spam that is wrapped up in NDR messages.  Exchange Server 2007 has content filtering capabilities, but they are not very effective in dealing with backscatter spam for some reason.</p>
<p style="text-align: justify;">Fortunately the problem has been solved by third party <a target="_blank" href="http://www.gfi.com/mes/">Exchange 2007 spam filters</a> that can block NDR spam. If NDR spam is becoming a problem for your organisation then it is time to evaluate and deploy one of these anti-spam solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>This is why you get spam emails</title>
		<link>http://www.allspammedup.com/2009/04/this-is-why-you-get-spam-emails/</link>
		<comments>http://www.allspammedup.com/2009/04/this-is-why-you-get-spam-emails/#comments</comments>
		<pubDate>Fri, 03 Apr 2009 11:44:51 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Connection Filtering]]></category>
		<category><![CDATA[Directory Harvesting]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=735</guid>
		<description><![CDATA[Have you ever wondered how spammers manage to find your email address and start sending you junk and scam emails?  In this post I&#8217;ll describe three ways in which spammers are able to get their hands on lists of valid &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-737" title="This is why you get spam emails" src="http://www.allspammedup.com/wp-content/uploads/2009/04/139263_1981.jpg" alt="139263_1981" width="200" height="200" />Have you ever wondered how spammers manage to find your email address and start sending you junk and scam emails?  In this post I&#8217;ll describe three ways in which spammers are able to get their hands on lists of valid email addresses to target with their spam.</p>
<h2>Directory Harvesting</h2>
<p>Directory harvesting is a technique spammers use to trick an email server into telling them which email addresses exist in an organisation and which do not.  The spammer bombards the email server with thousands of combinations of common names.  Any test emails that are accepted mean the spammer can be confident that particular email address exists at that domain and can be a target for future spam.  Sometimes the directory harvesting is performed by other parties who then sell the lists of valid email addresses to spammers.<span id="more-735"></span> Although email server products such as Microsoft Exchange Server 2007 include some inbuilt <a href="http://www.allspammedup.com/2008/12/protecting-exchange-server-2007-from-directory-harvesting-attacks/">directory harvesting protection</a> measures, these usually rely on slowing the attack down (known as tar-pitting).  The best way for an organisation to protect itself from this attack is to implement a quality anti-spam system that includes directory harvesting detection and prevents the attack by cutting off further connections from the attacker.</p>
<h2>Address Recycling</h2>
<p>Some people find that they begin receiving spam as soon as they are given a new email address.  Although the person did not take any action that would attract spam they nonetheless begin receiving junk emails addressed directly to them.</p>
<p>Often this will occur in organisations, or any email provider for that matter, that recycle email addresses.  Not only does this practice expose the new user to whatever spam the previous person managed to attract, but it also carries other security risks as <a target="_blank" href="http://www.theemailadmin.com/2009/03/be-careful-of-your-unused-hotmail-addresses/">recently discovered by Livejournal users</a>.</p>
<p>Once an email address is in the hands of spammers there is no way to get it back from them.  The only way to prevent spam from being received once an email address has been exposed is with an anti-spam solution that applies a range of preventative measures such as <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a>, <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a>, <a href="http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/">Bayesian detection</a>, and <a href="http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/">black listing</a>.</p>
<h2>Free Online Giveaways</h2>
<p>Sometimes regardless of the amount of caution a person normally applies when surfing the web, the lure of a freebie causes them to drop all defences and give away their email address to a website online.  After all, who wouldn&#8217;t want a free 15 day supply of the latest miracle weight loss pill?</p>
<p>Sadly these websites are often run by shady affiliate marketers who immediately begin spamming the newly acquired email address with dozens of offers for other scams.  Oftentimes they will sell the email address on to other spammers who will do the same.  Giving away your email address can result in a torrent of spam email thanks to these dodgy operators.</p>
<p>In these cases prevention is the best cure for an organisation trying to reduce their spam volumes.  <a href="http://www.allspammedup.com/2009/01/the-last-line-of-defense-against-spam/">Educating end users</a> on the risks of giving out your email address to unknown parties can help reduce the number of addresses exposed to spammers in this fashion.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/this-is-why-you-get-spam-emails/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is spam prevention too costly for your business?</title>
		<link>http://www.allspammedup.com/2009/02/is-spam-prevention-too-costly-for-your-business/</link>
		<comments>http://www.allspammedup.com/2009/02/is-spam-prevention-too-costly-for-your-business/#comments</comments>
		<pubDate>Fri, 13 Feb 2009 13:27:28 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=410</guid>
		<description><![CDATA[Anti-spam companies around the world generally agree that the average volume of spam travelling through the internet is as much as 90% of total global email traffic. That is an alarming, but not surprising statistic.  Spammers have relatively low business &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Anti-spam companies around the world generally agree that the average volume of spam travelling through the internet is as much as 90% of total global email traffic.</p>
<p style="text-align: center;"><img class="size-full wp-image-411 aligncenter" title="Is spam prevention too costly for your business?" src="http://www.allspammedup.com/wp-content/uploads/2009/02/costofspam.png" alt="costofspam" width="550" height="150" /></p>
<p>That is an alarming, but not surprising statistic.  Spammers have relatively low business expenses.  They only need to harvest an email address database, buy a swarm of virus infected computers to send the emails through, and they are able to pump out millions of spam emails in minutes.</p>
<p>Effective spam prevention costs money.  Just like insuring your property against theft, it would be nice not to have to pay to protect oneself from the evil-doers of the world, but free solutions are simply not as effective as dedicated commercial email security products.  Some businesses would prefer not to pay though, and will give some consideration to not installing an anti-spam system.</p>
<h3>What does it cost to NOT prevent spam?</h3>
<p>When planning an Exchange server deployment there are formulas used to size the servers and storage that will host the email system.  One of the elements of the formula is the type of mailbox user.  An &#8220;average&#8221; mailbox user is considered one who sends 10 email messages and receives 40 email messages each day.</p>
<p><span id="more-410"></span>Without spam protection that user would receive more like 400 email messages each day, based on the statistic that 90% of global email traffic is spam.  Most end users I speak with already think they receive too much email, so 400 would be an enormous amount to deal with.</p>
<p>Your average end user can recognise most spam email for what it is and delete it accordingly, but that still takes time.  Some spam emails are easier to spot than others, so a generous estimate would be about 5 seconds to assess and delete each spam email.  5 seconds for 360 spam emails is about half an hour of that person&#8217;s work time spent dealing with spam each day.  Imagine if you sat down at your computer each morning to sort out your 40 legitimate emails from the 360 spam emails.</p>
<p>For a customer of mine that is a business of about 50 staff the average hourly wage is about $25/hr.  Each day that the business operates without spam protection is $12.50 per employee (1/2 hour x $25), or $625 that it costs the business in lost productivity every day ($12.50 x 50 staff).  The business is open for approximately 230 days each year, which means that <strong>spam has just cost them nearly $144,000 for the year</strong> just for the time it takes their staff to identify and delete it.</p>
<h3>Spam costs your business in lost productivity</h3>
<p>The simple calculation above demonstrates one way in which spam can cost your business.  You are paying wages to staff for time spent sorting through spam emails, time that could otherwise be spent servicing your customers and generating revenues.</p>
<p>Before you consider running your email server with no anti-spam protection, or consider running a less effective free solution, take a moment to calculate what it costs your business every day to deal with spam.  You may be surprised just how cost effective an anti-spam solution can be.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/02/is-spam-prevention-too-costly-for-your-business/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Is your email server an open relay?</title>
		<link>http://www.allspammedup.com/2009/02/is-your-email-server-an-open-relay/</link>
		<comments>http://www.allspammedup.com/2009/02/is-your-email-server-an-open-relay/#comments</comments>
		<pubDate>Fri, 06 Feb 2009 14:50:01 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Open Relay]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=389</guid>
		<description><![CDATA[When talking about email servers the term &#8220;open relay&#8221; means a mail server that allows anyone to send email through it to any destination.  An email server may become an open relay through accidental misconfiguration by the server administrator, or &#8230;
]]></description>
			<content:encoded><![CDATA[<p>When talking about email servers the term &#8220;open relay&#8221; means a mail server that allows anyone to send email through it to any destination.  An email server may become an open relay through accidental misconfiguration by the server administrator, or from malicious action by an attacker.</p>
<p><a href="http://www.allspammedup.com/wp-content/uploads/2009/02/openrelay.jpg"><img class="alignnone size-full wp-image-390" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2009/02/openrelay.jpg" alt="Open relay email servers" width="500" height="136" /></a></p>
<h3>How do open relays cause spam?</h3>
<p>Open relays are like gold to spammers.  When a spammer knows about an open relay they will use it to send thousands or even millions of spam emails to recipients via the open relay server.  The benefit to the spammer is twofold &#8211; they can mask their own location by relaying through another source; and they can leverage the positive reputation of the email server they are relaying through (at least until that reputation is ruined).</p>
<h3>What damage can an open relay do to your business?</h3>
<p>There are many ways in which an open relay email server can harm your business:</p>
<p><span id="more-389"></span></p>
<p><strong>Loss of reputation</strong> &#8211; if your email server becomes known as a source of spam, particularly if the spammer is sending the email messages to appear to be from your email domain, your business reputation can be tarnished.</p>
<p><strong>Blocked by other email administrators</strong> &#8211; an email server administrator who sees a large volume of spam emails originating from your email server may add your IP address to their <a href="http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/">block list</a>.  Some products such as Exchange Server 2007 will automatically block your IP address for a period such as 24 hours if it fails an open relay test.</p>
<p><strong>Blocked by block list providers</strong> &#8211; an even worse scenario than an individual email server admin blocking your IP address is that your IP address may be added to a block list provider database such as SpamHaus.  Many anti-spam systems are configured to use such block list providers to reduce the administrative burden of managing block lists.  If your IP address is added to one of these databases you may suddenly find all of your customers and business partners unable to receive email from you.  Furthermore, it can take a lot of time and effort to get your IP address removed from these databases.</p>
<h3>How is an open relay email server created?</h3>
<p>Most email server products are not open relays by default.  There are three common scenarios in which an email server might become an open relay.</p>
<p><strong>Accidental</strong> &#8211; an email server administrator might accidentally cause a server to become an open relay when they are reconfiguring the server.  For example, the admin might be trying to configure the email server to allow the office scanner to send scanned documents to email addresses.</p>
<p><strong>Deliberate</strong> &#8211; an attacker that is able to access the email server might deliberately configure it as an open relay and then sell that information to spammers.  The attacker could even be a disgruntled former employee who knows how to access the system, such as <a href="http://www.allspammedup.com/2008/11/former-it-manager-sentenced-to-one-year-in-prison-for-hacking-former-employer/">this former IT manager</a>.</p>
<p><strong>Malicious software</strong> &#8211; many trojans and other malware contain code which installs email software on the computer.  If one of these programs is run on a server it may become an open relay.  This is not limited to just email servers.  Web servers and remote access servers that already have access through the corporate firewall are also at risk.</p>
<h3>How to test for open relays</h3>
<p>The simplest test to perform on your email servers (or any other server that is accessible from the internet) is to run the <a target="_blank" href="http://www.spamhelp.org/shopenrelay/">mail relay test</a> at SpamHelp.org.  This test runs through a series of different relay attempts against your server to cover all of the possible ways in which a spammer might try to relay spam through your servers.</p>
<h3>How to reduce the damage an open relay causes</h3>
<p>An open relay is only useful to a spammer if it can send emails out to the internet through the firewall and without any content filtering being applied.  To prevent non-email servers from causing damage as open relays, always configure your corporate firewall to only allow outbound SMTP traffic from specific email servers.</p>
<p>Email server products such as Exchange Server 2007 include content filtering features but these do not apply to <a href="http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/">outbound email</a>.  To reduce the impact of an Exchange server that has become an open relay, always ensure that the Exchange server sends outbound email via a secured, trusted server running a dedicated email security solution that includes <a href="http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/">outbound filtering</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/02/is-your-email-server-an-open-relay/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The importance of filtering outgoing email in Exchange environments</title>
		<link>http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/</link>
		<comments>http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/#comments</comments>
		<pubDate>Thu, 22 Jan 2009 15:12:09 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[email security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=359</guid>
		<description><![CDATA[When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as blocklists and content filtering to prevent spam from reaching end user mailboxes. Despite &#8230;
]]></description>
			<content:encoded><![CDATA[<p>When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as <a href="http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/">blocklists</a> and <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a> to prevent spam from reaching end user mailboxes.</p>
<p>Despite this effort some businesses fail to also consider filtering outbound emails.  Often the outbound email path bypasses the system that scans incoming emails from the internet, and instead sends the emails directly out to the destination.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-360" src="http://www.allspammedup.com/wp-content/uploads/2009/01/outboundfiltering.png" alt="Outbound filtering" width="500" height="136" /></p>
<h2>Why should we scan and filter outbound email messages?</h2>
<p>Outbound email messages should be checked for spam or malicious content because of the risk such content poses to the organization&#8217;s reputation.</p>
<p>An organization found to be sending spam or viruses risks:</p>
<ul>
<li>Damage to their brand names</li>
<li>Loss of trust and reputation with customers and business partners</li>
<li>Being blocked by other email administrators</li>
<li>Being added to IP block list provider databases such as <a href="http://www.allspammedup.com/2008/12/how-to-protect-your-exchange-server-2007-with-the-connection-filter-agent/">SpamHaus</a></li>
<li>Bandwidth saturation impeding other online communications</li>
</ul>
<h2>How can spam or viruses be sent from our business networks?</h2>
<p>I&#8217;ve worked with a lot of customers over the last 10 years and it is not uncommon to find more than one of the following weaknesses in their network security:<span id="more-359"></span></p>
<ul>
<li>Unsecured wireless networks</li>
<li>No doors or security barriers in offices</li>
<li>Firewalls that allow any device on the network to send outbound SMTP</li>
<li>Email servers that permit any device on the network to relay SMTP</li>
</ul>
<p>Some of these combinations create very serious security problems.  If I can get access to your network via an unsecured wireless access point, and your email server permits any device on the LAN to relay so that the photocopiers can automatically order more toner from the supplier, then what is to stop me sending spam or virus emails from your network?</p>
<p>A worse scenario is what can potentially be done with a legitimate user account without any of the abovementioned security weaknesses existing.  A disgruntled staff member, or someone who gains access to an unlocked computer in an insecure part of the office, could use those network credentials to send email out of the network.</p>
<h2>How do we filter outbound email messages?</h2>
<p>Although Exchange Server 2007 contains anti-spam features that can be used to protect an organization from incoming spam, they provide no protection for outgoing threats.  The inbound protection also suffers from some disadvantages such as a lack of <a href="http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/">Bayesian capabilities</a>, <a href="http://www.allspammedup.com/2009/01/anti-spam-reporting-for-exchange-server-2007/">poor reporting</a>, and <a href="http://www.allspammedup.com/2008/12/managing-spam-quarantine-for-exchange-server-2007/">cumbersome quarantine management</a>.</p>
<p>Combine this with the habit of many email administrators of sending outbound email directly from Exchange to the destination on the internet and the risks become clear.</p>
<p>The solution to this problem is to implement an email security solution in the network.  This carries a dual benefit in that it can be used to filter both inbound and outbound email for the organisation.  The email security solution addresses the weaknesses and deficiencies of the built-in Exchange Server 2007 anti-spam features and also provides outbound protection to preserve the reputation of the business.</p>
<p>Always consider outbound filtering when planning your email protection strategy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing whitelists and blocklists for Exchange Server environments</title>
		<link>http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/</link>
		<comments>http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 15:13:44 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[featured]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=338</guid>
		<description><![CDATA[Most organisations that have deployed an email anti-spam solution will at some stage encounter a situation in which a false positive (legitimate email blocked as spam) or a false negative (spam email allowed to pass through) causes a problem for &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Most organisations that have deployed an email anti-spam solution will at some stage encounter a situation in which a false positive (legitimate email blocked as spam) or a false negative (spam email allowed to pass through) causes a problem for their business.</p>
<p><img class="alignnone size-full wp-image-343" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/whitelistsandblocklists.png" alt="Whitelists and blocklists" width="500" height="150" /></p>
<p>False positives can affect important business emails and can have a very high cost to the organisation if the email was time sensitive.  False negatives can have a similar impact on the business by annoying or offending end users who receive unwanted spam.  Both situations can also erode the confidence the end users have in the organisation&#8217;s email system.</p>
<p>To combat these issues many organisations configure whitelists or blocklists on their anti-spam systems.</p>
<h2>What is a Whitelist?</h2>
<p>A whitelist is a list of known safe email senders.  Whitelists can be made up of IP addresses, domain names, or email addresses.  In most cases businesses will choose to whitelist domain names of highly trusted customers or suppliers, or email addresses that are the source of critical emails.</p>
<p>As a real-world example, at one customer I worked with, the email address that was the sender of voicemail attachments from the external voicemail system was whitelisted to ensure that the anti-spam system never blocked a voicemail message as a false positive.</p>
<p>Whitelists carry some risks.  For example some domains such as hotmail.com, ebay.com, and paypal.com are frequently forged by spammers sending commercial spam or phishing emails.  If ebay.com was whitelisted it would cause eBay phishing scams to pass through the anti-spam system to end users.</p>
<h2>What is a Blocklist?</h2>
<p>A blocklist (also sometimes called a blacklist) is the opposite of a whitelist.  Blocklists can also be made up of IP addresses, domain names, and email addresses.  Businesses will choose to blocklist domains or email addresses that are found to always be the source of spam yet sometimes slip through the anti-spam system as a false negative.</p>
<p>In some customer environments I have worked in, the email administrators have chosen to block entire top level domains such as .ru (Russia) and .tw (Taiwan) because the company did no business with anyone in those countries yet constantly received spam, viruses, and phishing emails from those domains.</p>
<p>Blocklists carry some risks as well.  For example, even though hotmail.com is often used by spammers, blocking the entire hotmail.com domain would prevent any customers or legitimate senders who utilise Hotmail from emailing your business.</p>
<h2>How does Exchange Server 2007 manage Whitelists and Blocklists?</h2>
<p>Exchange Server 2007 can apply whitelists and blocklists on Edge Transport servers and Hub Transport servers that have the Exchange Server 2007 Anti-Spam components installed.<span id="more-338"></span></p>
<p>Whitelists are configured in two places.  Whitelisted IP addresses (or the IP Allow List) are handled by the <a title="How to protect Exchange Server 2007 with Content Filtering" href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">Connection Filter agent</a> but are not configured at the organisation level.  Instead they are configured on the Edge Transport or Hub Transport servers.  Typically the IP address whitelist is configured on any Transport server that accepts email from the internet.</p>
<p><img class="alignleft alignnone size-full wp-image-340" style="float: left;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/exchange2007ipallowlist.png" alt="Connection Filter Agent" width="500" height="288" /></p>
<p>Whitelisted domains and email addresses are configured on the Content Filtering agent at the organisation level.</p>
<p><img class="alignleft alignnone size-full wp-image-342" style="float: left;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/exchange2007whitelist.png" alt="Content Filtering Properties" width="500" height="182" /></p>
<p>Blocklists are also configured in two places.  Blocklisted IP addresses (or IP Block Lists) are similar to whitelists in that they are configured on the individual Transport servers where appropriate.</p>
<p><img class="alignleft alignnone size-full wp-image-339" style="float: left;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/exchange2007blocklist.png" alt="Sender Filtering Agent" width="500" height="230" /></p>
<p>Blocklisted domains and email addresses are configured on the Sender Filtering agent at the organisation level.</p>
<h2>Exchange Server 2007 Safelist Aggregation</h2>
<p>Although whitelists and blocklists can be managed at the Exchange organisation and server level there is an additional level of configuration that can be applied.</p>
<p>Outlook clients from version 2003 onwards contain Junk Email controls including the ability to specify safe senders and safe recipients.  This safelist information is stored in the user mailbox and can be optionally pushed to the Active Directory user object.</p>
<p>The Exchange administrator can enable Safelist Aggregation on the Exchange servers, which aggregates all of the safelist information stored in user objects into one list that Transport servers can apply to the entire organisation.  In short this means that if user John added the email address <a target="_blank" href="mailto:peter@fabrikam.com">peter@fabrikam.com</a> to his safelist, the Transport server&#8217;s Content Filtering agent would consider emails sent by <a target="_blank" href="mailto:peter@fabrikam.com">peter@fabrikam.com</a> to be trusted and pass them through to the recipients within the organisation.</p>
<h2>Disadvantages of Exchange 2007 Safelist Aggregation</h2>
<p>Although Safelist Aggregation may help reduce the number of false positives it carries some disadvantages.</p>
<p>Firstly the default configuration of the Update-Safelist cmdlet on the Exchange servers includes both safe senders and safe recipients data, even though safe recipients data is ignored by the Content Filtering agent.  This can lead to unnecessary replication traffic and storage bloat on the Transport servers.</p>
<p>Also the update process is cumbersome and requires a scheduled task be created on the Exchange server to run the Update-Safelist cmdlet.  There is no functionality within the Exchange management tools to create or manage this schedule.</p>
<p>Finally the default configuration of the Update-Safelist cmdlet includes domain names that end users have marked as safe.  For example, John may have intended to add <a target="_blank" href="mailto:jane@hotmail.com">jane@hotmail.com</a> to his safelist but instead added @hotmail.com as a safe domain.  When this information is aggregated to the Transport servers any spam emails from forged @hotmail.com email addresses will not be blocked by the Content Filtering agent.</p>
<h2>Alternatives to Exchange Server 2007 whitelists and blocklists</h2>
<p>Despite the value of whitelists and blocklists they can become an administrative burden over time as they are manually managed by the Exchange administrators.  Even though the Exchange Server 2007 Safelist Aggregation feature seeks to alleviate some of this burden it also carries disadvantages and risks.</p>
<p>Dedicated third party email anti-spam solutions feature similar whitelist and blocklist capabilities but present them in a more effective and manageable way.  When considering an anti-spam solution that will provide these capabilities you should look for products that allow end users to participate in the whitelist and blocklist process but also permit administrators full control of the organisation-wide whitelist and blocklist behaviour.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Anti-spam reporting for Exchange Server 2007</title>
		<link>http://www.allspammedup.com/2009/01/anti-spam-reporting-for-exchange-server-2007/</link>
		<comments>http://www.allspammedup.com/2009/01/anti-spam-reporting-for-exchange-server-2007/#comments</comments>
		<pubDate>Fri, 09 Jan 2009 15:18:49 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=312</guid>
		<description><![CDATA[In recent posts I&#8217;ve written about how to configure and manage Exchange Server 2007 anti-spam features such as connection filtering, content filtering, quarantine, and directory harvest protection. Each of these features carries a variety of advantages and disadvantages.  A consistent &#8230;
]]></description>
			<content:encoded><![CDATA[<p>In recent posts I&#8217;ve written about how to configure and manage Exchange Server 2007 anti-spam features such as <a title="How to Protect your Exchange Server 2007 with the Connection Filter agent" href="http://www.allspammedup.com/2008/12/how-to-protect-your-exchange-server-2007-with-the-connection-filter-agent/">connection filtering</a>, <a title="How to protect Exchange Server 2007 with Content Filtering" href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a>, <a title="Managing spam quarantine for Exchange Server 2007" href="http://www.allspammedup.com/2008/12/managing-spam-quarantine-for-exchange-server-2007/">quarantine</a>, and <a title="Protecting Exchange Server 2007 from Directory Harvesting Attacks" href="http://www.allspammedup.com/2008/12/protecting-exchange-server-2007-from-directory-harvesting-attacks/">directory harvest protection</a>.</p>
<p>Each of these features carries a variety of advantages and disadvantages.  A consistent disadvantage across all of them is limited reporting capabilities.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-323" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/spamreporting.png" alt="Spam Reporting" width="500" height="150" /></p>
<h2>Why do we need reporting for anti-spam systems?</h2>
<p>An organization&#8217;s anti-spam solution is a critical component of the entire messaging infrastructure.  The objective of an anti-spam solution is to protect the business from malicious and unwanted emails such as spam, viruses, phishing attacks, and inappropriate material, yet still allow genuine business emails to pass through to the intended recipients.</p>
<p>If you read my real world example of <a href="http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/">content filtering gone wrong</a> you will understand why the email administrators and business stakeholders need to measure the performance of the email and anti-spam systems.<span id="more-312"></span></p>
<h2>What should we be reporting on to measure anti-spam performance?</h2>
<p>Some of the key metrics to report on are:</p>
<ul>
<li>How many inbound and outbound emails are sent?</li>
<li>What is the proportion of valid email to spam email determined by the anti-spam system?</li>
<li>On what basis are emails being blocked?</li>
<li>Where is the most spam coming from?</li>
<li>Who are the most targeted recipients of spam email within our organization?</li>
</ul>
<h2>Using Exchange Server 2007 anti-spam reporting</h2>
<p>Exchange Server 2007 ships with several PowerShell scripts that can be used for reporting on anti-spam performance.  These scripts must be executed via the Exchange Management Shell and the output read as text.</p>
<p>The reporting scripts are located in the <strong>\Scripts</strong> folder in the location you installed the Exchange Server application files on any Hub Transport server.  By default the path is <strong>C:\Program Files\Microsoft\Exchange Server\Scripts</strong>.</p>
<p>The script files are named:</p>
<ul>
<li>get-AntispamFilteringReport.ps1</li>
<li>get-AntispamSCLHistogram.ps1</li>
<li>get-AntispamTopBlockedSenderDomains.ps1</li>
<li>get-AntispamTopBlockedSenderIPs.ps1</li>
<li>get-AntispamTopBlockedSenders.ps1</li>
<li>get-AntispamTopRBLProviders.ps1</li>
<li>get-AntispamTopRecipients.ps1</li>
</ul>
<p>Each of the scripts queries the appropriate agent log file and calculates the result depending on the parameters passed to the script by the administrator.  For example you can pass a start date and end date to only show results within that time period.</p>
<p><strong>Example: </strong>using the <strong>get-AntispamFilteringReport.ps1</strong> script we can output the total number of blocked or quarantined messages depending on the parameters we choose.</p>
<p><img class="alignnone size-full wp-image-313" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/messagesquarantined.png" alt="Anti-Spam Filter Report" width="500" height="63" /></p>
<p><img class="alignnone size-full wp-image-314" src="http://www.allspammedup.com/wp-content/uploads/2009/01/messagesrejected.png" alt="" width="500" height="60" /></p>
<p><strong>Example: </strong>using the <strong>get-AntispamSCLHistogram.ps1</strong> script we can output the total number of emails that were calculated for each SCL rating (0-9, where 0 is least likely to be spam and 9 is most likely to be spam).</p>
<p><img class="alignnone size-full wp-image-322" src="http://www.allspammedup.com/wp-content/uploads/2009/01/sclhistogram.png" alt="" width="500" height="176" /></p>
<p><strong>Example:</strong> using the <strong>get-AntispamTopBlockedSenderIPs.ps1</strong> script we can see the top 10 IP addresses that sent spam to our Exchange servers.  As responsible email administrators we might follow up on this information by reporting the IP addresses to the ISP or net block owner, or submit them to an RBL provider.</p>
<p><img class="alignnone size-full wp-image-324" src="http://www.allspammedup.com/wp-content/uploads/2009/01/topblockedips.png" alt="" width="500" height="148" /></p>
<p><strong>Example:</strong> using the <strong>get-AntispamTopBlockedSenderDomains.ps1</strong> script we can see which domains were most responsible for spam being sent to our organization.  Although this information is useful it is also often misleading due to address spoofing.  In some cases though it can be an advantage to block certain domains that are frequent sources of spam but clearly not business related (e.g. cheapviagra.com) so that spam emails are blocked based on sending domain rather than the more resource intensive content filtering.</p>
<p><img class="alignnone size-full wp-image-325" src="http://www.allspammedup.com/wp-content/uploads/2009/01/topblockedsenderdomains.png" alt="" width="500" height="145" /></p>
<p><strong>Example:</strong> using the <strong>get-AntispamTopRBLProviders.ps1</strong> script we can see which of the RBL providers configured for our Connection Filter agent are performing the best.  If the provider that is first used by the agent is underperforming it can be set to a lower priority in favour of a higher performing RBL provider.</p>
<p><img class="alignnone size-full wp-image-326" src="http://www.allspammedup.com/wp-content/uploads/2009/01/toprblproviders.png" alt="" width="500" height="60" /></p>
<h2>Disadvantages of Exchange Server 2007 anti-spam reporting</h2>
<p>While each of the anti-spam reporting scripts provided with Exchange Server 2007 is basically useful, they are inadequate for most organizations&#8217; reporting needs.  Although some of the key reporting metrics can be retrieved with the scripts, the output is just basic numbers suitable for email administrators but unsuitable for presentation to business stakeholders.</p>
<p>In the real world if I walked into a meeting and handed out a piece of paper with those figures on it I would not get a positive response at all.  If I was to go back and perform some data entry and manipulation to generate colourful charts and a trend analysis it could take a lot of time and is a completely manual process performed each time the report was requested.</p>
<p>Furthermore, the reporting scripts retrieve information from the local server only.  In order to get a complete organization-wide reporting view the scripts must be run on all Hub Transport servers that may have processed spam emails.</p>
<h2>How to deliver quality anti-spam performance reports to your organization</h2>
<p>To keep administrative costs low and business stakeholders happy an anti-spam solution that includes comprehensive reporting features should be implemented in the environment.</p>
<p><a href="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_adminreports.gif"><img class="alignnone size-medium wp-image-315" src="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_adminreports-400x258.gif" alt="" width="290" height="186" /></a><a href="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_executivereports.gif"><img class="alignnone size-medium wp-image-318" src="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_executivereports-400x258.gif" alt="" width="291" height="187" /></a></p>
<p>Some of the key features are:</p>
<ul>
<li>automatic report generation (e.g. PDF files and emailed reports) including charts, tables and graphs</li>
<li>both manual and scheduled report execution</li>
<li>access for both administrators and business stakeholders without granting privileged access to production Exchange servers</li>
<li>high quality pre-canned reports along with custom report building</li>
</ul>
<p><a href="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_scheduledreportsactivity.gif"><img class="alignnone size-medium wp-image-320" src="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_scheduledreportsactivity-400x244.gif" alt="" width="293" height="173" /></a><a href="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_userinterface.gif"><img class="alignnone size-medium wp-image-321" src="http://www.allspammedup.com/wp-content/uploads/2009/01/msecrp_userinterface-400x363.gif" alt="" width="233" height="211" /></a></p>
<p>When considering an anti-spam solution for your organization you must consider the administrative cost and the limitations of the built-in Exchange Server 2007 anti-spam reporting.</p>
<p>For additional information you may also want to read the following blog post: <a target="_blank" href="http://techiefixation.blogspot.com/2008/12/fight-e-mail-spam-with-exchange-2007.html">http://techiefixation.blogspot.com/2008/12/fight-e-mail-spam-with-exchange-2007.html</a>, which focuses on some of the most important anti-spam features present in Exchange 2007.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/01/anti-spam-reporting-for-exchange-server-2007/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bayesian spam filtering with Exchange Server 2007</title>
		<link>http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/</link>
		<comments>http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/#comments</comments>
		<pubDate>Thu, 01 Jan 2009 09:27:00 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=300</guid>
		<description><![CDATA[Bayesian spam filtering is a technique used to classify email as spam based on the contents of the email message.  This is similar to other forms of Exchange content filtering with one important distinction &#8211; standard content filtering uses a &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Bayesian spam filtering is a technique used to classify email as spam based on the contents of the email message.  This is similar to other forms of <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">Exchange content filtering</a> with one important distinction &#8211; standard content filtering uses a database of spam &#8220;signatures&#8221;, whereas <a title="How Bayesian spam filtering works" href="http://www.allspammedup.com/anti-spam/bayesian-spam-filtering/">Bayesian spam filtering</a> uses a mathematical probability calculation that is based on what the filter has learned about an organisation&#8217;s email.</p>
<p><img class="alignnone size-full wp-image-301" src="http://www.allspammedup.com/wp-content/uploads/2008/12/bayesianfiltering.png" alt="" width="500" height="125" /></p>
<h2>Why isn&#8217;t signature-based content filtering enough?</h2>
<p>As a real world example I once deployed an anti-spam solution to a client in the tourism industry.  The chosen product was of good quality and performed well at other client installations, but encountered many problems with the tourism client.</p>
<p>The biggest problem was that the database of spam signatures was treating email with certain characteristics as spam despite these emails being quite legitimate.  These characteristics included:</p>
<ul class="unIndentedList">
<li>Email sources being in an Asian or European country</li>
<li>Emails containing &#8220;offers&#8221; and &#8220;deals&#8221; with heavy marketing language</li>
<li>Emails regarding hotels and travel insurance</li>
</ul>
<p><span id="more-300"></span></p>
<p>For many organisations outside of the tourism industry these types of emails would very likely be spam, however for this client these were legitimate business emails getting blocked as spam!  In order to let these emails pass through the spam filter an extensive whitelist of keywords and sender addresses was built, as well as lowering the overall sensitivity of the spam filter.</p>
<p>The end result was a massive administrative overhead in developing and maintaining the whitelist, investigating rejected emails, and releasing quarantined items.  In addition to these costs the end users developed a perception that the email system was unreliable, and also complained loudly about the amount of real spam that was slipping through the less sensitive spam filter.</p>
<h2>How does Bayesian spam filtering solve this problem?</h2>
<p>For a Bayesian filter to be effective it must first learn about your organisation&#8217;s email content.  This is achieved by &#8220;training&#8221; the Bayesian filter with a sample of your regular business emails (usually those sent by the organisation).</p>
<p>The Bayesian filter uses this training process to learn about words, phrases, or names that indicate that a message is less likely to be spam.</p>
<p>As an example, many signature-based spam filters will treat words such as &#8220;Viagra&#8221; or &#8220;Rolex&#8221; as indicating a high probability that the email is spam.  But if the words appear in an email message alongside other words, phrases or names that the Bayesian filter has learned are legitimate then it will consider the email to have a lower probability of being spam.  So while a &#8220;Viagra&#8221; email might be spam, it probably isn&#8217;t spam if your company manufactures or distributes the product legitimately.</p>
<p>In other words, Bayesian filtering solves the problem of the &#8220;one size fits all&#8221; approach of signature-based content filtering.</p>
<h2>How can Bayesian spam filtering protect Exchange Server 2007?</h2>
<p>Exchange Server 2007 ships with anti-spam features included in the product.  Among these is a <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">Content Filter agent</a> that filters spam based on email contents.  The Content Filter agent uses signature-based spam filtering, which is based on a database of spam submissions from Microsoft customers and partners.</p>
<p>Although the Content Filter agent can be effective it often requires constant attention and fine tuning, and unlike Bayesian filtering it has no ability to learn the characteristics of your organisation&#8217;s typical email content.</p>
<p>Deploying a Bayesian filter in an Exchange Server 2007 environment can be done in a few different ways:</p>
<h3>Client based solution</h3>
<p>By installing a client-based Bayesian filter solution on each end user computer <a href="http://www.allspammedup.com/anti-spam/bayesian-spam-filtering/">Bayesian filtering</a> can be utilised.  This approach carries several disadvantages:</p>
<ul class="unIndentedList">
<li>Large administrative effort deploying the client software to all computers</li>
<li>End user education required on how to &#8220;train&#8221; the Bayesian filter, as well as the productivity lost in performing the training</li>
<li>Spam emails are delivered to the end user mailbox before the filtering is applied, wasting server and bandwidth resources</li>
</ul>
<h3>Server based solution</h3>
<p>By installing a dedicated server-based Bayesian filter solution in front of the Exchange servers the Bayesian filtering can be performed on email messages before they arrive on the Exchange servers.  However despite that advantage over client-based solutions there are still several disadvantages:</p>
<ul class="unIndentedList">
<li>Spam emails are fully downloaded to the filtering server before they can be checked for spam content, wasting bandwidth resources.</li>
<li>Earlier spam checks such as Connection Filtering which can block likely spam based on the sending IP address are not applied first as they should be</li>
<li>Many of the dedicated Bayesian filter solutions have no features such as reporting or end user quarantine management</li>
</ul>
<h2>Approaching Bayesian filtering for Exchange Server environments</h2>
<p>Many organisations that attempt to solve their spam problems with a built-in <a target="_blank" href="http://www.gfi.com/mes/">Exchange 2007 spam filter</a> will be dissatisfied with the performance and look for more effective solutions such as Bayesian filtering.</p>
<p>When considering a server-based Bayesian filtering solution the disadvantages listed above should be taken into account.  To get the best improvement over the Exchange Server 2007 anti-spam features organisations should look for a dedicated email security solution that includes a range of protective measures (including Bayesian filtering), as well as advanced features such as end user self service for quarantined items and advanced reporting.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/01/bayesian-spam-filtering-with-exchange-server-2007/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to protect Exchange Server 2007 with Content Filtering</title>
		<link>http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/</link>
		<comments>http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 14:47:15 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Content Filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=264</guid>
		<description><![CDATA[Exchange Server 2007 anti-spam functionality includes the Content Filter agent which is designed to provide spam detection based on the contents of an email message. The Content Filter agent is based on the Intelligent Message Filter first introduced in Exchange &#8230;
]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">Exchange Server 2007 anti-spam functionality includes the Content Filter agent which is designed to provide spam detection based on the contents of an email message.</p>
<p style="text-align: left;">The Content Filter agent is based on the Intelligent Message Filter first introduced in <a href="http://www.allspammedup.com/2008/05/exchange-2003-spam-filters-%e2%80%93-a-really-good-start-is-it-enough/">Exchange Server 2003</a>.  The Intelligent Message Filter bases its spam detection on a database of email submissions from Microsoft partners that is used as a basis for heuristic scanning of email content.  A &#8220;spam confidence level&#8221; (SCL) rating is then assigned to the email message and used to determine whether to classify the message as spam or not.</p>
<p style="text-align: left;">The SCL rating is a number from 0 to 9 where the higher the number the more likely the email message is spam.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-271" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/contentfiltering.jpg" alt="How to protect Exchange Server 2007 with Content Filtering" width="500" height="125" /></p>
<p style="text-align: left;">The Content Filter agent assesses the content of email messages after the <a href="http://www.allspammedup.com/2008/12/how-to-protect-your-exchange-server-2007-with-the-connection-filter-agent/">Connection Filter agent</a> has initially determined whether the sending host should be blocked entirely or not.  The order of priority improves Exchange server performance by removing the most obvious spam based on the sending IP address before the more resource intensive content filtering takes place.<span id="more-264"></span></p>
<h2 style="text-align: left;">How to configure the Content Filter agent for Exchange Server 2007</h2>
<p style="text-align: left;">The Content Filter agent is enabled by default on Edge Transport servers but must be enabled by an administrator on Hub Transport servers using the &#8220;install-antiSpamAgents.ps1&#8221; script that is included with Exchange Server 2007.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-272" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/htinstallantispamagents2.png" alt="How to configure the Content Filter agent for Exchange Server 2007" width="500" height="109" /></p>
<p style="text-align: center;">The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-265" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-01.png" alt="The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console" width="500" height="277" /></p>
<h3 style="text-align: center;">Configuring custom word lists</h3>
<p style="text-align: center;">The Content Filter agent can be configured to never block messages containing certain keywords or phrases.  This option is effectively a whitelist of words that when contained within an email message must ensure that the message is not blocked as spam.</p>
<p style="text-align: center;">Although some organisations will require this functionality most will not.  Using a whitelist in this manner carries the risk that a spam message that happens to contain a whitelisted word will not be blocked.  A message that contains a whitelisted keyword or phrase is assigned an SCL of 0 regardless of whether it contains spam content that would score it higher.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-266" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-02.png" alt="Content Filtering properties" width="445" height="257" /></p>
<p style="text-align: center;">Keywords and phrases can also be configured as a blacklist, which will cause any message containing those words to be blocked as spam.  To block the message as spam the Content Filter agent assigns an SCL of 9 to the message.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-267" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-03.png" alt="Blocking messages as spam" width="446" height="214" /></p>
<h3 style="text-align: center;">Configuring exceptions</h3>
<p style="text-align: center;">The Content Filter agent can be configured to ignore messages sent to certain email addresses within the organisation.  An example would be an important customer service email address.  If the organisation wishes to ensure that no customer service emails are inadvertently blocked as spam then the customer service email address can be added as an exception.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-268" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-04.png" alt="Content Filtering properties exceptions" width="448" height="176" /></p>
<h3 style="text-align: center;">Configuring actions for spam messages</h3>
<p style="text-align: center;">The default Content Filter agent configuration rejects messages with an SCL of 7 or higher.  This configuration will reject the most obvious spam but will more than likely result in many spam messages getting through to user mailboxes.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-269" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-05.png" alt="Configuring actions for spam messages" width="447" height="300" /></p>
<p style="text-align: left;">To configure the Content Filter agent to deal with spam messages we must first understand the three available actions:</p>
<ul class="unIndentedList" style="text-align: left;">
<li><strong>Delete</strong> &#8211; the message is silently deleted with no notification to the sending host.</li>
<li><strong>Reject</strong> &#8211; the message is rejected with a Non Delivery Report to the sending host. The NDR can be customised to a limited degree.</li>
<li><strong>Quarantine</strong> &#8211; the message is redirected to a specified email address, usually a special mailbox on the Exchange server.</li>
</ul>
<p style="text-align: left;">Delete takes precedence over Reject and Quarantine, and when used must always be set to a higher SCL than Reject or Quarantine.  Reject takes precedence over Quarantine and must also always be set to a higher SCL than Quarantine.</p>
<p style="text-align: left;">Using the Delete action is risky when combined with blacklisted keywords or phrases.  A legitimate email message that happens to contain a blacklisted word will be deleted with no notification to either the sender or the intended recipient, and with no way of retrieving the message from a quarantine area.  For this reason the blacklisted custom word list should only contain keywords or phrases that the organisation wants to block regardless of the importance of the content of the email message.</p>
<p style="text-align: left;">The Reject action is most commonly used to handle likely spam but requires constant monitoring and tuning to ensure that it is neither producing too many false positives nor allowing too much spam through to user mailboxes.</p>
<p style="text-align: left;">Quarantine can be used to store likely spam in a mailbox where it can be retrieved if requested by the end user.</p>
<h2 style="text-align: left;">Pros and cons of the Exchange Server 2007 Content Filter agent</h2>
<p style="text-align: left;">The most obvious advantage of the built-in Content Filter agent is that it provides content filtering at no additional cost to the business.  However this cost saving may be negated by one or more of the following disadvantages.</p>
<ul class="unIndentedList" style="text-align: left;">
<li>The effectiveness of the content filtering relies on anti-spam signatures released by Microsoft. There is no capability for the Content Filter agent to &#8220;learn&#8221; about your organisation&#8217;s email content and make better judgements as to what is and isn&#8217;t spam.</li>
<li>When the Reject action is used and a message is rejected it cannot be retrieved from the server by the Exchange administrator.</li>
<li>When the Quarantine action is used and a message is quarantined neither the sender nor the intended recipient is notified. Crucial time may pass before an important business email is suspected of being quarantined and the Exchange administrator is asked to retrieve it.</li>
<li>There is no &#8220;self service&#8221; capability for end users to check and retrieve their own quarantined items. Only a single quarantine mailbox can be used, which raises privacy concerns if end users were given access to it and able to look at quarantined emails that are intended for other recipients.</li>
<li>Very limited reporting capabilities.</li>
</ul>
<h2 style="text-align: left;">Alternatives to Exchange Server 2007 Content Filter agent</h2>
<p style="text-align: left;">The shortcomings of the Exchange Server 2007 Content Filter agent can be addressed by implementing a more comprehensive email security solution.</p>
<p style="text-align: left;">A dedicated, quality email security product contains more effective spam content analysis, the ability to &#8220;learn&#8221; about an organisation&#8217;s business emails, greater configurability in how to handle suspected spam emails, end user &#8220;self service&#8221; to make quarantine management easier for users and less costly for administrators, and detailed reporting features so that system administrators and business stakeholders can see and judge the performance of the email security product.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Using IP Block List Providers and the Connection Filter agent in Exchange 2007</title>
		<link>http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/</link>
		<comments>http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/#comments</comments>
		<pubDate>Fri, 12 Dec 2008 12:45:27 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[featured]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=240</guid>
		<description><![CDATA[Exchange Server 2007 includes integrated anti-spam features that run on Edge Transport servers and can optionally be enabled on Hub Transport servers.  In this blog post I will discuss the Connection Filter agent and how IP block list providers can be used to &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Exchange Server 2007 includes integrated anti-spam features that run on Edge Transport servers and can optionally be enabled on Hub Transport servers.  In this blog post I will discuss the Connection Filter agent and how IP block list providers can be used to protect Exchange servers from spam.</p>
<p><img class="alignnone size-full wp-image-242" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/connectionfiltering.jpg" alt="Connection Filtering" width="500" height="125" /></p>
<p><span id="more-240"></span></p>
<h2>What is the Connection Filter agent?</h2>
<p>The Connection Filter agent is a Transport server feature that performs filtering actions based on the IP address of the remote server that is making a connection to the Exchange server.  The Connection Filter agent checks whether the remote IP address is on an IP Allow list, an IP Block list, or on neither and takes action based on the result.</p>
<p>When the Connection Filter agent is enabled it is the first anti-spam agent that assesses any incoming SMTP communication.</p>
<p><img class="alignnone size-full wp-image-241" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/connectionfilteragent.png" alt="Connection Filtering Agent" width="500" height="140" /></p>
<p>This preserves system resources on the Transport server by avoiding the need to accept the entirety of the email message data and perform more thorough content scanning of the message for spam.  The Transport server simply assumes that an email coming from an IP address on an IP Block list is almost certainly going to be spam and terminates the SMTP session before the DATA command is issued.</p>
<h2>What is an IP Allow/Block list?</h2>
<p>An IP Allow/Block list can be made up of an administrator-defined list of IP addresses or it can come from a third party provider.</p>
<p>Administrator-defined lists typically are used when an Exchange administrator needs to explicitly allow or block a specific IP address, and are assessed first before any third party IP Allow/Block lists.  For example, if a customer&#8217;s network has been blacklisted for some reason you can override that by adding their IP address to your IP Allow list.  Similarly if you are receiving spam from an IP address that has not yet been blacklisted you can add the IP address to your IP Block list.</p>
<p>Third party list providers such as <a target="_blank" href="http://www.au.sorbs.net/">SORBS</a> and <a target="_blank" href="http://www.spamhaus.org/zen/">SpamHAUS</a> provide a service that you can use to look up an IP address and determine whether it is on one of the IP Allow or IP Block lists.  These providers maintain lists of IP addresses of known and suspect spam sources based on actual spam reports, proactive open relay scans, and other likely sources such as ISP customer IP ranges.</p>
<h2>Using IP Allow/Block list providers with Exchange Server 2007</h2>
<p>Exchange Server 2007 can be configured to query one or more of these lists when the Connection Filter agent is assessing an SMTP connection.  In fact it is recommended to configure more than one provider to improve coverage and ensure that if a list provider is not responding to queries that another provider is checked.</p>
<p>Using IP Block list providers has some disadvantages.  The IP address of a legitimate email server may be inadvertently added to an IP Block list even though it is not sending spam.  From time to time the Exchange administrator may need to explicitly allow one of these IP addresses so that email communication is not disrupted, or contact a list provider to get their own IP address removed from an IP Block list.</p>
<p>Another disadvantage is that each new SMTP connection requires a query sent to the list provider.  If the response is delayed for any reason it can slow down email traffic at the Transport server.  To reduce the impact of this the Exchange server will cache the results of a query for a short period of time so that an IP can continue to be blocked on subsequent attempts without another query being sent to the list provider.</p>
<p>IP Block lists are far more commonly used than IP Allow lists, but IP Allow lists are useful to prevent highly trusted IP addresses from being blocked.</p>
<h2>How to configure an IP Block list with Exchange Server 2007</h2>
<p>The Exchange anti-spam components are installed by default on Edge Transport servers but must be manually installed on Hub Transport servers by the administrator using the &#8220;install-antiSpamAgents.ps1&#8221; script that is included with Exchange Server 2007.</p>
<p><img class="alignnone size-full wp-image-245" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/htinstallantispamagents1.png" alt="Install anti-spam agents script" width="500" height="109" /></p>
<p>The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console.  Open the properties of IP Block List Providers and select the Providers tab.</p>
<p><img class="alignnone size-full wp-image-246" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/ipblocklist1.png" alt="IP Block List Providers" width="500" height="224" /></p>
<p>Click Add to configure a new provider.  Here we are configuring SpamHAUS as the IP Block list provider.  Note that you should review the <a target="_blank" href="http://www.spamhaus.org/organization/dnsblusage.html">SpamHAUS usage guidelines</a> to verify that your organisation qualifies for free use of this service.</p>
<p><img class="alignnone size-full wp-image-247" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/ipblocklist2.png" alt="IP Block List Provider Properties" width="435" height="146" /></p>
<p><img class="alignnone size-full wp-image-248" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/ipblocklist3.png" alt="Add IP Block List Provider" width="449" height="132" /></p>
<p>You can configure as many IP Block list providers as you wish and they will be queried in the order that they are listed.  You can also configure exceptions for email addresses within your organisation that you do not want to be filtered.  For example you may choose not to filter email to your postmaster@ email address so that an organisation that is being blocked by your email servers can still report the problem to your Exchange administrator.</p>
<p><img class="alignnone size-full wp-image-249" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/ipblocklist4.png" alt="" width="443" height="160" /></p>
<h2>Using IP Block list providers with internal Exchange servers</h2>
<p>IP address filtering is most commonly applied at the internet-facing Exchange servers, but in some cases your Exchange servers may have another email server that receives internet email first.  The Exchange server must parse the email message headers to determine which IP address is the original source of the email message when performing IP Block list provider queries.</p>
<p>To ensure that the Exchange server can do this you must specify the IP addresses of any email servers within your organisation that would receive internet email before it reaches the Exchange servers.  This is configured in the Global Settings for your Exchange organisation.</p>
<p><img class="alignnone size-full wp-image-243" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/global1.png" alt="" width="500" height="178" /></p>
<p>Open the properties of the Transport Settings and select the Message Delivery tab.  Select Add and enter the IP address or IP range of the email servers.</p>
<p><img class="alignnone size-full wp-image-244" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/global2.png" alt="Transport Settings Properties" width="445" height="324" /></p>
<h2>Is the Exchange Connection Filter agent enough protection?</h2>
<p>The Exchange Connection Filter agent does an acceptable job of blocking spam based on the sender&#8217;s IP address but it is by no means a complete anti-spam solution.  Connection filtering is best used in combination with other forms of spam protection such as content filtering.  An effective way to improve Exchange anti-spam protection is to combine inbuilt features of Exchange such as the Connection Filter agent with comprehensive third party email security products that include a greater degree of configurability and more advanced features such as detailed reporting.</p>
<h2>Connection Filtering saves time and resources</h2>
<p>A correctly configured Connection Filter agent saves the Exchange administrator a lot of time by avoiding the need to manually maintain a large list of blocked and allowed IP addresses.  The Connection Filter agent also reduces server load by rejecting likely spam before it has been transmitted to the Exchange server and without requiring resource-intensive content scanning of the email message.  It is recommended that you always configure the Connection Filter agent on your internet-facing Exchange Transport servers, and consider enhancing your anti-spam protection with third party email security products.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Protecting Exchange Server 2007 from Directory Harvesting Attacks</title>
		<link>http://www.allspammedup.com/2008/12/protecting-exchange-server-2007-from-directory-harvesting-attacks/</link>
		<comments>http://www.allspammedup.com/2008/12/protecting-exchange-server-2007-from-directory-harvesting-attacks/#comments</comments>
		<pubDate>Fri, 05 Dec 2008 14:48:45 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Directory Harvesting]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=220</guid>
		<description><![CDATA[Directory Harvesting is a term used to describe a technique used by spammers to discover valid email addresses, usually targeting corporate networks. Spammers try to use this technique to trick an email system into telling them which email addresses are &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Directory Harvesting is a term used to describe a technique used by spammers to discover valid email addresses, usually targeting corporate networks. Spammers try to use this technique to trick an email system into telling them which email addresses are valid and which are not, which allows them to increase their database of valid email addresses to send spam emails to.</p>
<p style="center;"> <img class="size-medium wp-image-231" style="vertical-align: middle;" title="Protecting Exchange Server from Directory Harvesting Attacks" src="http://www.allspammedup.com/wp-content/uploads/2008/12/harvest-400x100.jpg" alt="Protecting Exchange Server from Directory Harvesting Attacks" width="400" height="100" /></p>
<p><span id="more-220"></span></p>
<p>A Directory Harvesting Attack normally consists of a basic dictionary attack combining common names and initials together into standard corporate email addresses and then sending a test message to each email address that is generated. For example, the spammer may send a message to john.smith@contoso.com, johns@contoso.com, and jsmith@contoso.com.</p>
<p style="center;"><img class="size-full wp-image-230" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/dha.png" alt="Directory Harvesting results in spammers finding valid email addresses" width="574" height="248" /></p>
<p>The attack relies on invalid email addresses being rejected by the email system either during the SMTP conversation or afterwards via a Delivery Status Notification (DSN). When the spammer receives a rejection the email address is considered invalid and is discarded. When no rejection or DSN is received the email address is considered &#8220;live&#8221; and is added to a database to later be targeted with spam emails either by the same person or another spammer that they sell the database to.</p>
<p>Email address databases are valuable information for spammers so directory harvesters can make a living by performing these attacks and selling the resulting information.</p>
<p>Aside from the exposure of your corporate email addresses to spammers, a Directory Harvest Attack can also cause a performance problem for your internet-facing email servers as they process hundreds of thousands (or even millions) of SMTP connection attempts while the attacker works through every combination in their name dictionary.</p>
<h2>How is Exchange Server 2007 vulnerable to Directory Harvesting Attacks?</h2>
<p>In many Exchange Server 2007 environments incoming email is received directly by an internet-facing Hub Transport server. By default the transport server will use recipient lookups to notify the connecting host whether an email address is valid or not. When an inbound email is addressed to a recipient that does not exist a &#8220;550 5.1.1 User unknown&#8221; SMTP response is sent to the connecting host. When an email is addressed to a valid recipient a &#8220;250 2.1.5 Recipient OK&#8221; SMTP response is sent.</p>
<p>This behaviour complies with the RFCs for SMTP communication, and is important for many email users (if someone sent you an important email but misspelled your email address, you want your email server to notify them of the mistake so they can resend the message).</p>
<p>Though it is useful and important to provide this recipient lookup feedback to sending email servers this is also exactly the behaviour that enables a Directory Harvest Attack to occur.</p>
<p>There are two strategies that can be employed to protect an Exchange server from Directory Harvesting Attacks. The first makes use of an Exchange security feature known as &#8220;tarpitting&#8221;.</p>
<h2>Protecting Exchange Server 2007 with Tarpitting</h2>
<p>Tarpitting is a feature of Edge Transport and Hub Transport servers that inserts an artificial delay in the SMTP session before any &#8220;550 5.1.1 User unknown&#8221; response is sent. This increases the cost and difficulty to the spammer of a Directory Harvesting Attack, by slowing down the rate at which they are able to discover valid and invalid email addresses. This strategy reduces the effectiveness of Directory Harvesting Attacks while still retaining RFC compliance by sending the appropriate responses to incorrectly addressed email messages.</p>
<p>In order for tarpitting to be applied to suspected attacks the Recipient Filter Agent must be active. The Recipient Filter Agent is enabled by default on Edge Transport servers but must be installed by an administrator on Hub Transport servers. Here we see a Hub Transport server with the default transport agents enabled.</p>
<p style="center;"><img class="alignnone size-full wp-image-228" src="http://www.allspammedup.com/wp-content/uploads/2008/12/htdefaulttransagents.png" alt="Hub Transport Server" width="500" height="82" /></p>
<p>To make the Recipient Filter Agent available the administrator installs the Exchange anti-spam components using the &#8220;install-AntiSpamAgents.ps1&#8221; script that is included with Exchange Server 2007.</p>
<p style="center;"><img class="alignnone size-full wp-image-229" src="http://www.allspammedup.com/wp-content/uploads/2008/12/htinstallantispamagents.png" alt="Install-AntiSpamAgents.ps1 script " width="500" height="109" /></p>
<p>Once the Microsoft Exchange Transport service is restarted, the Recipient Filter Agent is installed and enabled on the Hub Transport server.</p>
<p style="center;"><img class="alignnone size-full wp-image-226" src="http://www.allspammedup.com/wp-content/uploads/2008/12/htantispamtransagents.png" alt="The Recipient Filter Agent is installed" width="500" height="136" /></p>
<p>When the Recipient Filter Agent is enabled it uses the TarpitInterval configured on the Receive Connector to determine how long to insert a delay for any &#8220;550 5.1.1 User unknown&#8221; responses to suspected attackers. The default delay is 5 seconds but this can be increased by the administrator.</p>
<p>Although tarpitting increases the cost and difficulty of a Directory Harvesting Attack, it is not always going to be effective. If the spammer is patient enough they can put up with the tarpitting delays and still achieve the desired outcome. However, tarpitting is a low cost option because it can be implemented on existing Exchange Server 2007 servers with no additional outlay on server hardware or software.</p>
<h2>Protecting Exchange Server 2007 with third party products</h2>
<p>Often a more effective strategy is to implement a third party email security solution that includes more advanced DHA protection. When a harvest attempt is detected by the security product the sending host is disconnected and then blocked by the server so that it cannot reconnect and continue the attack.</p>
<p>This is more effective than simply slowing down the attack; however, this strategy will usually involve additional costs for servers and software. This cost is usually justifiable, though, when you also consider the additional protection that the third party product can provide you from email viruses, spam, and phishing attempts. In the best commercial email security products the configurability and protection are both much greater than what can be provided with the built-in features of Exchange Server 2007.</p>
<h2>Always consider Directory Harvesting Attacks when protecting your Exchange servers</h2>
<p>Directory Harvesting Attacks should not be ignored when assessing the threat landscape for your Exchange server environment. By implementing either the built-in Exchange protection for DHAs or a third party commercial email security product you can reduce both the load on your email servers and the risk of exposure of your corporate email addresses to spammers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/12/protecting-exchange-server-2007-from-directory-harvesting-attacks/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Vanity Be Thy Email Name</title>
		<link>http://www.allspammedup.com/2008/08/vanity-be-thy-email-name/</link>
		<comments>http://www.allspammedup.com/2008/08/vanity-be-thy-email-name/#comments</comments>
		<pubDate>Tue, 19 Aug 2008 15:25:40 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email administration]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=85</guid>
		<description><![CDATA[As every experienced network administrator knows, standardization lowers the total cost of ownership. Creating standards lowers helpdesk support calls and facilitates easier maintenance. Companies establish standards for everyone using the same software and hardware. Server hardware configurations are standard for &#8230;
]]></description>
			<content:encoded><![CDATA[<p>As every experienced network administrator knows, standardization lowers the total cost of ownership. Creating standards lowers helpdesk support calls and facilitates easier maintenance. Companies establish standards for everyone using the same software and hardware. Server hardware configurations are standard for every new application implementation. Each server uses the same hard drive configuration and the same memory chips, and all software service packs are the same version, so issues encountered with any server around the world can be easily resolved.<span id="more-85"></span></p>
<p>Change management committees ensure there are standards in system modification procedures. Other administrative committees keep company operating procedures standard. There is much long term value in standardization. This results in efficient company operations that directly impact the company bottom line.</p>
<p><strong>Something as simple as creating an email address should not be exempt from company standardization.</strong> Oftentimes this is not the case. I&#8217;ve seen companies that allow employees to pick their own email address, use only their first name in the address or change their email address whenever it suits them. The end result makes life very easy for spammers and creates support nightmares for email administrators. Helpdesk calls increase with people complaining about the spam filter not working, because they are receiving tons of spam.</p>
<p><strong>As an email administrator, your role dictates fearlessly stepping up to the plate. Ignoring objections, champion email address naming standards that:</strong></p>
<ul>
<li>Maintain a professional company image</li>
<li>Provide a naming convention everyone follows</li>
<li>Prevent vanity email addresses from being created by employees</li>
<li>Are unique, yet extremely difficult for spam machines to guess</li>
<li>Make it easy for current and future administrators to maintain uniformity in creating email addresses</li>
</ul>
<p>Certainly you have more control if you have the opportunity to implement an email system from the beginning. If you inherit administration of an email system, it&#8217;s more difficult to change email addresses. There are ways you can build a case for getting management authorization. Your spam filter logs are excellent tools for presenting reasons why email addresses need to be changed.</p>
<p><strong>Your job is many times harder if email address naming standards are not implemented and enforced by senior management.</strong> It is definitely worth the extra effort.</p>]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/08/vanity-be-thy-email-name/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Being Blacklisted Can Choke a Company</title>
		<link>http://www.allspammedup.com/2008/08/being-blacklisted-can-choke-a-company/</link>
		<comments>http://www.allspammedup.com/2008/08/being-blacklisted-can-choke-a-company/#comments</comments>
		<pubDate>Fri, 08 Aug 2008 09:19:15 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[email administration]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=77</guid>
		<description><![CDATA[GFI MailEssentials does an excellent job of leveraging third party blacklists such as ORDB, Spamhaus and SpamCop. This tool protects your email users from receiving spam. What do you do if your company email server gets blacklisted? &#8220;No way&#8221; you say. &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://4.bp.blogspot.com/_wA8aLidZk3Y/SJp4awycXwI/AAAAAAAAAQc/eZL6brxw2wo/S240/Spam+Wanted+Poster.bmp" alt="" width="199" height="240" />GFI MailEssentials does an excellent job of leveraging third party blacklists such as ORDB, Spamhaus and SpamCop. This tool protects your email users from receiving spam. What do you do if your company email server gets blacklisted? &#8220;No way&#8221; you say. This scenario can and does happen to companies that run a legitimate and ethical business.</p>
<p>Being blacklisted can temporarily put a chokehold on company communications. <strong>It&#8217;s like being an innocent person on a spammer wanted flyer in the post office.</strong> This situation can have a direct impact on company profits.</p>
<p>Failing to lock down your server against relaying is not the only reason an email server can be blacklisted. Although there are many reasons, at this moment it&#8217;s not important why this happened. What&#8217;s important is to quickly coordinate getting your SMTP server off the blacklists.<span id="more-77"></span></p>
<p>Right now all company eyes are on you as the email administrator to resolve this &#8220;high impact&#8221; issue. Despite the yelling and screaming, which can occur from executive powers upstairs, stay calm and focused on getting your email server off the blacklist. This is a serious situation that needs to be resolved expeditiously. Take a deep breath and start contacting the RBL sites.</p>
<p><strong>How to Get Your Email Server Removed from a Blacklist</strong></p>
<ol>
<li>Make this a priority task. Every minute counts. Your email senders may start receiving bounce backs, because other servers are rejecting your server&#8217;s connection due to DNS/RBL lookups.</li>
<li>Identify which RBL sites have your domain/IP address blacklisted.</li>
<li>Follow the blacklist site process exactly to request getting your server off the blacklist.</li>
<li>Make sure the tone of your request is polite and humble. Clearly explain that no one in your company would deliberately send spam. The goal is to convince the blacklisting site that your company is not in the business of sending spam.</li>
<li>Repeat this process with each RBL site that lists your server.</li>
<li>Once the server is off all the blacklists, you can review with your team what caused this situation. Then implement proactive measures to prevent this from happening again.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/08/being-blacklisted-can-choke-a-company/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exchange 2003 SPAM filters – A Really good Start, is it enough?</title>
		<link>http://www.allspammedup.com/2008/05/exchange-2003-spam-filters-%e2%80%93-a-really-good-start-is-it-enough/</link>
		<comments>http://www.allspammedup.com/2008/05/exchange-2003-spam-filters-%e2%80%93-a-really-good-start-is-it-enough/#comments</comments>
		<pubDate>Wed, 07 May 2008 10:10:52 +0000</pubDate>
		<dc:creator>Nicolas Blank</dc:creator>
				<category><![CDATA[Exchange Server]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=10</guid>
		<description><![CDATA[Even though Exchange 2007 has been released for a while, I thought it would be worthwhile spending a moment on Exchange 2003 spam features, especially due to the large number of Small Business Server users still on SBS 2003 with &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Even though Exchange 2007 has been released for a while, I thought it would be worthwhile spending a moment on Exchange 2003 spam features, especially due to the large number of Small Business Server users still on SBS 2003 with Exchange 2003.</p>
<p>With the advent of Service Pack 2 for Exchange 2003, a number of anti-spam features became available. These include:</p>
<ul>
<li>Connection filtering including Allow/Deny IP lists with Real-time block lists</li>
<li>Sender Filtering</li>
<li>Recipient Filtering</li>
<li>Sender ID filtering</li>
<li>Intelligent Message Filter including Anti-phishing</li>
</ul>
<p>These features can be enabled globally and controlled per virtual SMTP server. Furthermore, since Exchange supports multiple virtual SMTP servers on an Exchange server, huge amounts of granularity and control became available. Messages could be split amongst incoming and outgoing SMTP stacks, even if only one physical Exchange server was present.</p>
<p>As with most spam strategies, a combined approach is needed in order to combat spam. A number of these features are incredibly useful, such as:</p>
<p>Connection Filtering coupled with Real-time block lists covers the well known spam networks and hosts.</p>
<p>Recipient Filtering does not accept email for invalid recipients, greatly reducing the load on an Exchange Server. However this does increase the risk of a directory harvesting attack. Spammers may use dictionaries to generate inbound emails, using NDRs as a validation mechanism to know which email addresses are valid and which ones are not. Recipient Filtering coupled with Tar Pitting (Microsoft KB article 842851) prevents a number of attacks including NDR flood attacks and lessens the effectiveness of a directory harvesting attack. NDRs are greatly delayed, since Tar Pitting delays the reply for a 5.x.x conversation.</p>
<p>Intelligent Message Filters are updated regularly and offer intelligent protection by examining email headers, words and other data in the mail to make a classification decision. Based on the classification, email is stamped and deleted, rejected, archived or forwarded to the user. The user may find the mail in their inbox or spam folder based on the classification it carries.</p>
<p>The good news is that this technology is available in every version of Exchange 2003, Standard, Enterprise and SBS. Most businesses on a budget will benefit directly from these features.</p>
<p>The bad news is that as good as it is, it may not be enough.</p>
<p>Due to the very nature of spam and spam protection, spamming techniques are changing and constantly evolving. A number of years ago Real-Time Block Lists were sufficient protection. In my opinion, Exchange should not be exposed directly to the internet and should be protected by another vendor’s solution in order to add another tier and therefore another level of complexity protecting against SPAM attacks. A <a target="_blank" href="http://www.gfi.com/mes">multi-tiered anti-spam approach</a> is required in order to gain a level of protection acceptable to any size organization.</p>]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/05/exchange-2003-spam-filters-%e2%80%93-a-really-good-start-is-it-enough/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

