Scan Outgoing Mails for Spam

[ReMad]

Hello

I am Facing some problem with Exchange 2003 being listed sometimes on some Spam checking sites even the Network is secured with Fortinet + Symantec Antiviruses

the Problem is that Fortinet scanns coming mails but not the out mails for spam

the Server is the only one can access the Smtp

is there any free tools or tools with good price to scan the outgoing mails and solve that issue ?

Thank You

[ReMad]

I need to have a strong Software to scan outgoing mails so that no spam is sent from the exchange server

I mean even if some clients have viruses or trojans on their pcs

What to use ?

[+BudMan MVC]

Its rare that a client infection actually uses it email client to send email.. Off the top of the head I can not think of one that does this.. Normally a client infection will send attempt to directly send email, it doesn't go through the email client on the box to send the mail. This is too easy to track!!

I find it highly unlikely that your clients being infected and sending email through your exchange server is the problem to be honest. But if thats the case I would hope that your goal would be to clean the infected machines vs scanning for outgoing spam.

To be honest is more likely that your server is an open relay than your clients being infected - and thats how its getting placed on spam lists. Or if you server is sharing an IP with clients - then sure you IP could be listed due to a clients infection.

Could you explain a bit more about this statement

"the Server is the only one can access the Smtp"

How does email work in your setup.. So your client talk to your server to send mail, the server sends it directly to the other domains, or do you forward your mail to a isp smtp server? So which IP is getting blocked and what mail list?

[Sn00pY]

CopperFasten / SpamTitan - cheap.

[sc302 Veteran]

put a sniffer on your network between your internet gateway and your switch where it connects. find out everything that is communicating on port 25 and monitor the blacklist sites to see when it happened last. don't have them take you off until you have verified where the spam is coming from. pretty easy to determine if you have an exchange server and someone else is sending on port 25 (no one should be other than the exchange server). I would consider GFI's mail essentials or a barracuda spam firewall at your next renewal date and dump your current spam solution (I would go with the barracuda hardware appliance vs a piece of software that you have to load on another device or on your exchange server).

[MrTwister]

Hello

I am Facing some problem with Exchange 2003 being listed sometimes on some Spam checking sites even the Network is secured with Fortinet + Symantec Antiviruses

the Problem is that Fortinet scanns coming mails but not the out mails for spam

the Server is the only one can access the Smtp

is there any free tools or tools with good price to scan the outgoing mails and solve that issue ?

Thank You

You should be able to contact the offending websites and get them to validate that the e-mail being sent is actually valid.

[+BudMan MVC]

You should be able to contact the offending websites and get them to validate that the e-mail being sent is actually valid.

What :blink: :blink:

[MrTwister]

What :blink: :blink:

Spam checking websites. If the e-mails aren't getting through, I thought he may be able to contact the offending sites and let them know it's not spam. Sheesh.

[+BudMan MVC]

So you want him to email the sites blacklisting him and tell them his not sending spam? So they will remove him from the blacklist.

The problem is -- maybe he is ;)

edit: let me reword that -- if he is blacklisted its not "maybe" he is -- it pretty freaking likely that spam is being sent from his IP. If it was not, then he would not be on a blacklist ;)

[MrTwister]

So you want him to email the sites blacklisting him and tell them his not sending spam? So they will remove him from the blacklist.

The problem is -- maybe he is ;)

edit: let me reword that -- if he is blacklisted its not "maybe" he is -- it pretty freaking likely that spam is being sent from his IP. If it was not, then he would not be on a blacklist ;)

Yeah Mr. Know It All. It was just a suggestion. Which is why I suggested contacting the other ISP's.

[random_n]

Exchange 2003 in the default config gets abused for NDR backscatter. Make sure you've turned on recipient filtering, filter recipients that aren't in the directory, and turn on tarpitting to prevent directory harvest attacks. Disabling attachments for NDRs is nice as well, but not as important once you aren't generating them for external recipients.

[+BudMan MVC]

"contacting the other ISP's. "

Again -- What?? :blink: Dude you seem not to have even the faintest idea on what the poster is even talking about.

So you suggest he contact the what hundreds, maybe 1000's of domains using said blacklist(s) And tell them to let his email in anyway even though its blacklisted for sending spam ;)

[ReMad]

Its rare that a client infection actually uses it email client to send email.. Off the top of the head I can not think of one that does this.. Normally a client infection will send attempt to directly send email, it doesn't go through the email client on the box to send the mail. This is too easy to track!!

I find it highly unlikely that your clients being infected and sending email through your exchange server is the problem to be honest. But if thats the case I would hope that your goal would be to clean the infected machines vs scanning for outgoing spam.

To be honest is more likely that your server is an open relay than your clients being infected - and thats how its getting placed on spam lists. Or if you server is sharing an IP with clients - then sure you IP could be listed due to a clients infection.

Could you explain a bit more about this statement

"the Server is the only one can access the Smtp"

How does email work in your setup.. So your client talk to your server to send mail, the server sends it directly to the other domains, or do you forward your mail to a isp smtp server? So which IP is getting blocked and what mail list?

Well , I contacted the Fortinet company and we checked the device

it needed some update and it does scan both incoming and outgoing mails and the filter is on and shouldnt send or receive any

I meant that the Port SMTP isnt allowed for the Clients

only the Mail server

and no , it is not an open relay

Today I found thousands of undelivered messages sent to ebay.org and some others ( Spam Chinese mostly :s ) from inbox of Administrator ( seems Backscatter ! )

some for long time and some for no known reason !

The Server is secured using GFI mail essentials + Symantec AV + Malwarebytes

All are updated and scanning gives no warnings !

What to do !?

Now listed on http://dnsbl.invaluement.com/ivmsip/ !

they dont reply to my emails !

what to do ?

[sc302 Veteran]

my vote is still the sniffer on the network to verify where the issue is coming from. The undeliverables could just be from another computer on your network trying to email out as administrator and you recieving the undeliverables in your administrator account.

Find out what computer is sending the spam and take care of it.

Internet router---------hub---------switch

....................................|

....................................|------computer with sniffer program scanning the traffic between your main switch and the internet

....................................=just placement since the neowin forum doesn't like spaces

[+BudMan MVC]

Backscatter -- you sure? Can you post up some example emails that are sitting in your admin box.

Your best bet to prevent backscatter is not send NDRs, and your exchange server should also be set to not accept any mail in the first place that is not to one of listed users.. So instead of accepting the mail and than not being able to deliver it - so you send a NDR. Give them a reject right at start.

So you disable NDRs and also turn on recipient filtering so that you only accept mail for valid email address in your domain any vs anything@yourdomain

This MS article goes over these filtering. But you can also disable sending NDRs all together. You might also want to look into using a blacklist of your own so you do not accept mail from spammers ;) And then you could prob turn NDRs back on.

http://support.microsoft.com/kb/909005

In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack

NDRs does not always mean backscatter -- If I am using your exchange server as an open relay and feeding it mail to send, then sure lots of mail is not going to be deliverable. You need to verify the source of your issue before you can fix it. Just because you have mail in the admin box since does not mean its actually back scatter spam that is being used against you.

[AstroCreep]

We have a FortiGate as our firewall/NIS/VPN/main-connector solution, and we have it configured to only allow SMTP-out from one IP address on our network. That IP address would be our Exchange server.

We ended up needing to implement that after a situation similar to what you're experiencing.

Do you have any internal MX records? I know we had to set one up for our SharePoint server. Plus there could be other systems on your network that have an SMTP engine installed (it is a simple IIS compnent, after all); someone on your network could have an engine loaded which is relaying messages, which are hitting the gateway. Allowing SMTP from one address on the FortiGate would be a great start. Then run a domain-wide virus-sweep to find & neutralize the zombie.