[THIN] Re: OT: Exchange Server Spamming

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 2 Mar 2004 08:28:26 +1300

I'll try that. I did run Spybot S&D, but didn't see anything that looked
suspicious. 

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Philip Walley
> Sent: Tuesday, 2 March 2004 4:01 a.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> I've seen this same thing on 5.5. What I found when I looked 
> into it is that a 5.5 server can have relaying disabled, 
> but you are still able to submit the mail (they just will 
> not go anywhere). You may want to run something like 
> adaware on the server to see if you can find what is 
> generating the emails.
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
> Behalf Of Henry Sieff
> Sent: Monday, March 01, 2004 8:50 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> 
> Well, the "reverse Spam" technique doesn't use just 
> ex-employees' email addresses, it uses 
> randomaddress@xxxxxxxxxx where domain.com is your domain.
> You could (I suppose) continually add addresses to this list 
> as you see them, but this is impractical (to say the least).
> 
> Turning off NDR is a possibility, as someone else said, but 
> it's a little draconian, imo (not that I haven't considered 
> it). Bounces are a useful part of the SMTP, and turning them 
> off does break RFC.
> 
> The emergence of this technique will probably require some 
> form of content-based filtering to combat (I hate spam 
> filtering based on content, but there may be no choice).
> 
> Another possibility is to only accept mail from servers on a 
> "white-list".
> There are several companies I have dealt with that forward 
> the first email from either a domain or a mail server to 
> the mail admin. The mail admin can approve either the 
> address, the domain, or the server, and only after that 
> will email be accepted for delivery.
> 
> Without something like this, there is no technological 
> defense against this technique w/o breaking RFC.
> 
> False, tricksy spammers. . .
> 
> Henry
> 
> > -----Original Message-----
> > From: Dennis van Turnhout [mailto:turnhout@xxxxxxxxxx]
> > Sent: Monday, March 01, 2004 2:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: Exchange Server Spamming
> >
> > If it's spam to addresses that used to exist, try this option.
> > Works like a charm over here.
> >
> > -----
> >
> > Black Holes - not just a space thing!
> >
> > As users leave your company, you will more than likely delete their
> > mailbox after a certain amount of time. It is then common for the SMTP
> > address of the departed employee to be added to another mailbox, or a
> > public folder, perhaps being monitored by the departed employee's
> > manager. The aim is to make sure that any important business email is
> > acknowledged for some amount of time after the user has left.
> >
> > Clearly there is a long term issue with this method, since eventually,
> > the monitoring of the messages sent to that address will stop.
> > Removing the SMTP address from the organisation will obviously not
> > stop messages being sent to that address; there are always going to be
> > those pesky spam messages, and additionally, your Exchange server has
> > to generate a non-delivery report for each message.
> >
> > One solution to put the issue out of your mind is to implement what is
> > sometimes referred to as the 'black hole' method. This allows your
> > Exchange server to simply delete the messages sent to specific SMTP
> > addresses, whilst at the same time never generating a non-delivery
> > report for these messages.
> >
> > Here are the 3 simple steps to implement the black hole method:
> >
> > 1. Create a distribution list (Exchange 5.5) or a mail-enabled
> > distribution group (Exchange 2000).
> >
> > 2. Make sure that there are NO members in this distribution
> > list/group.
> > This is the key part to this tip.
> >
> > 3. Add the SMTP addresses of the ex-employees to the distribution
> > list/group. Add them as secondary SMTP addresses in exactly the
> > same way you would for a mailbox.
> >
> > Now, when messages are sent to these problematic SMTP addresses,
> > Exchange silently deletes them. No non-delivery reports are generated,
> > and the administrator no longer has to be concerned about these
> > messages.
> >
> > Try it. It works well!
> >
> > Neil Hobson
> >
> > -----Original Message-----
> > From: Nick Smith [mailto:nick@xxxxxxxxxxxxxxx]
> > Sent: Monday 1 March 2004 08:22
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: Exchange Server Spamming
> >
> > Jeff - It's being used for Reverse Spam. The idea is that you send
> > out a bunch of spam to a server from valid email addresses; your
> > server then sends an NDR to the addresses, thus delivering the spam.
> > Switch off NDRs to stop this.
> >
> > Nick
> >
> > -----Original Message-----
> > From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> > Sent: 01 March 2004 05:26
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] OT: Exchange Server Spamming
> >
> > I have a customer with an NT4 Small Business Server with Exchange 5.5
> > SP4. The outbound SMTP queue is filling with undelivered mail,
> > indicating that the server is being used to spam. The server is
> > definitely not an open relay (tested myself and through ORDB.ORG), and
> > doesn't allow *any* SMTP relay. I've found that the outbound queue on
> > this server fills up even if it's disconnected from the network, which
> > tells me that the server itself is generating the mail. It's got
> > Norton Antivirus with the latest definitions, and I've scanned it with
> > Trend's online virus scanner. I don't find any viruses at all. I've
> > looked at the processes for processes that are using a bunch of CPU
> > time, but don't see anything obvious. Any ideas? TIA.
> >
> > JD
> >
> > ********************************************************
> > This weeks sponsor triCerat Inc.
> > triCerat makes your job easier by offering essential applications to
> > eliminate your printing, policy and profile, and your application
> > management problems. http://www.triCerat.com
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
> > use the below link: http://thin.net/citrixlist.cfm
> 

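An added example, not part of the original thread: a queue triage script that measures how much of an outbound queue is NDR traffic and which nonexistent local addresses are bounced often enough to be candidates for the black hole list described in the quoted tip. It assumes queued messages can be exported as raw text and that NDRs follow the RFC 3464 `multipart/report` layout (Exchange 5.5's own NDR format may differ); the sample messages, addresses and function names are constructed for illustration.

```python
import email
from collections import Counter
# Constructed sample NDR in RFC 3464 layout; all addresses are placeholders.
NDR = """\
Return-Path: <>
To: {victim}
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; {bad_rcpt}
Action: failed

--b1--
"""
NORMAL = "Return-Path: <alice@example.com>\nTo: bob@example.net\nSubject: hi\n\nhello\n"
QUEUE = [NDR.format(victim=f"v{i}@example.net", bad_rcpt="jsmith@example.com") for i in range(3)]
QUEUE += [NDR.format(victim="v9@example.net", bad_rcpt="qx7@example.com"), NORMAL]

def failed_recipients(raw):
    """Return (is_bounce, failed addresses) for one queued message."""
    msg = email.message_from_string(raw)
    is_bounce = msg.get("Return-Path", "").strip() == "<>"  # null reverse-path marks an NDR
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        for block in part.get_payload():  # parser yields one Message per header block
            addr = block.get("Final-Recipient", "").split(";", 1)[-1].strip().lower()
            if addr and block.get("Action", "").strip().lower() == "failed":
                failed.append(addr)
    return is_bounce, failed

def summarize_queue(queue, local_domain, min_hits=2):
    """Return (share of queue that is NDRs, local addresses bounced >= min_hits times)."""
    hits, bounces = Counter(), 0
    for raw in queue:
        is_bounce, failed = failed_recipients(raw)
        bounces += is_bounce
        hits.update(a for a in failed if a.endswith("@" + local_domain))
    share = bounces / len(queue) if queue else 0.0
    return share, sorted(a for a, n in hits.items() if n >= min_hits)
```

On the constructed queue, the repeatedly bounced ex-employee address is reported while the one-off random address stays below the threshold, which is the limit of the list approach raised in the thread.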
