Thanks Jim,

I just went to a user's desk and looked at the source of the email. The answer was option 2. The spam had imbedded user name and password.

Thanks again.

Dan L.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, June 23, 2003 10:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Spam and getting authentication challenged in outlook

http://www.ISAserver.org

This will happen when:
1. the mail is HTML-formatted
2. it contains an imbedded link such as http://user:password@http://URL
3. the user opens the mail or views it in the preview pane
4. the ISA is enforcing authenticated policies

Here's the deal. Many spammers have taken to using this as a means of determining success in their efforts. A successful connection to their "bean-counting" web sites means that a human got the mail, since the link was activated.

THE GOOD NEWS: is that if ISA is enforcing authentication for outbound requests, this gets stopped at the gate, because ISA (rightly) interprets the request as "give me a connection to 'URL' using the specified credentials". Since the credentials are unlikely to match any of your user accounts or their passwords, the request is refused.

THE BAD NEWS: The users have to shut down and restart their mail reader, since those credentials are cached for any future connection requests.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Larke, Daniel" <LarkeD@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, June 23, 2003 08:20
Subject: [isalist] Spam and getting authentication challenged in outlook

Hello,

Has anyone seen people with full access to the internet getting challenged in Outlook when looking at SPAM? The same user has no problem going to any website via IE.
Another odd thing is when they get challenged, the user name that pops up is not their own. In fact it can not be found in our domain.

Thanks.

Dan

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
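
The check that Dan did by hand (reading the message source for a link with an embedded user name and password) can be automated at a mail gateway or during triage. The following is an added example, not code from the thread or from ISA Server: it parses an HTML mail body and reports every http(s) URL whose authority carries userinfo. It goes slightly beyond the anchor links the thread mentions by also checking `src`, `background` and `action` attributes; that attribute set, the function names and the sample hosts are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a mail client may fetch or follow (assumed set for this example).
URL_ATTRS = {"href", "src", "background", "action"}


class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs from URL-bearing attributes in an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value.strip()))


def find_credential_urls(html_body):
    """Return (tag, userinfo_name, real_host) for http(s) URLs with userinfo."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    hits = []
    for tag, url in collector.urls:
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            continue
        # Text before "@" in the authority is userinfo; the host comes after it.
        if parts.scheme in ("http", "https") and parts.username is not None:
            hits.append((tag, parts.username, parts.hostname))
    return hits


# Constructed sample body; hosts and credentials are placeholders.
SAMPLE = """<html><body>
<a href="http://user:password@tracker.example.test/c?id=1">Click here</a>
<img src="http://www.example.com@counter.example.test/p.gif">
<a href="http://www.example.org/contact?to=a@b.example">Contact</a>
<a href="mailto:someone@example.org">Mail us</a>
</body></html>"""

if __name__ == "__main__":
    for tag, name, host in find_credential_urls(SAMPLE):
        print(f"<{tag}> sends userinfo '{name}' to host {host}")
```

The password component is deliberately left out of the report so that the output can be logged. An "@" that appears only in a query string or in a `mailto:` address is not flagged.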