Spoofed email problems

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

How much spam are we talking about here Sparky?

At the end of the day you're always going to get some stuff that gets through.

 

Have a look at the traffic logs on the firewall. They should show you anything that comes in on port 25 and enable you to trace it back. If you get raw logs, make sure you look at the 'real' originating IP - pound to a penny its botnet spam. You won't be able to block this - unfortunately its one of the problems inherent with e-mail. You could try massaging the anti-spam to use something like LDAP authentication for all mail from within the domain (there's no reason for anything that has the internal domain name originating at the gateway - i.e. outside the Exchange environment (presuming thats what they're using) so they should be able to set up some rules to block based on pattern matching in header files or something.

You could try blocking CIDR blocks from countries where the vast majority opf botnet spam originates (Korea, Singapore, Ukraine, Brazil etc). I've just finished converting the Geo-coded IP database from Decimal representations of IPs to dotted-quad in Excel - if you think that might help gimme a shout and I'll email it to you.

What anti-spam solution are they using? Most of the decent ones nowadays work on reputation-based technology instead of the old stalwarts of bayesian analysis and pattern/word matching - if they've put in something which DOESN'T use a reputation-based engine at its heart then they are already fighting a losing battle.

What sort of spam are they getting? Is it pump & dump stock spam? Image based? obfuscated V|@gr@ or C1talis spam? There are some pretty efficient things you can do with Spam Assassin to supplement your paid-for AS solution - you might want to try convincing them to set up an internal relay running Linux & Spam Assassin between the AS box and the Exchange environment - its all about defence in depth nowadays!

 

Sparks

Can you not configure the external mail relay (presumably on the firewall or via the upstream ISP) with a blacklist that drops everything destined TO the internal domain FROM the internal domain? Since internal mail will be handled by Exchange routing there should be no need to enable mail that (allegedly) originates from within the organisation on the gateway.

Alternatively, you could look at implementing digital signatures for the internal mail environment - that won't be easy, but should resolve the problem of spoofed internal mails completely

 

Okay I had a similar problem some time back and fixed it by configuring the outbound spam filter in the smart host.

Note that outward filtering can slow the the performance of the Exchange server considerably due to queue lengths etc.

Also the dns requests for spam checking can significantly affect email performance so a fully functional smart host is really valuable.

Then check for malware on your internal machines, and make sure that web browsing for all clients is locked down to kosher and productive sites only. This is as a PC with elevated permissions and webmail access could bring in something wicked that drops your network badly.

Also check and see if someone has installed their own smtp relay internally, if neccessary get HR to perform the dreaded HR punt on their sorry butts.

This could be the situation, diplomatically check those managers PC's for web settings and make sure they dont have elevated permissions.

Consider also your DNS setup - as a DNS server on the web [such as your ISP's] should not appear in the "ipconfig /all' for the clients. The client access to web should be via the smart host also.