[THIN] Re: OT: Exchange Server Spamming

  • From: "Philip Walley" <philip.walley@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 1 Mar 2004 09:01:20 -0600

I've seen this same thing on 5.5. What I found when I looked into it is
that a 5.5 server can have relaying disabled, but you are still able to
submit the mail (they just will not go anywhere). You may want to run
something like Ad-Aware on the server to see if you can find what is
generating the emails.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Henry Sieff
Sent: Monday, March 01, 2004 8:50 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Exchange Server Spamming


Well, the "reverse Spam" technique doesn't use just ex-employees' email
addresses, it uses randomaddress@xxxxxxxxxx where domain.com is your
domain.
You could (I suppose) continually add addresses to this list as you see
them, but this is impractical (to say the least).

Turning off NDR is a possibility, as someone else said, but it's a little
draconian, imo (not that I haven't considered it). Bounces are a useful
part of SMTP, and turning them off does break RFC.

The emergence of this technique will probably require some form of
content-based filtering to combat (I hate spam filtering based on content,
but there may be no choice).

Another possibility is to only accept mail from servers on a "white-list".
There are several companies I have dealt with that forward the first email
from either a domain or a mail server to the mail admin. The mail admin can
approve either the address, the domain, or the server, and only after that
will email be accepted for delivery.

Without something like this, there is no technological defense against this
technique w/o breaking RFC.

False, tricksy spammers. . .

Henry
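The trade-offs Henry lays out above (turning NDRs off, whitelisting sending servers) and the "black hole" empty-distribution-list trick quoted further down the thread can be compared side by side in a small model. The following is an added example, not code from any list post or from Exchange; the policy names, the `route()` decision logic, the hostnames, addresses and messages are all constructed. It counts, for each policy, how many NDRs the receiving server would send back to the (forged) MAIL FROM address, since each such NDR is the spam being delivered.

```python
"""Toy model of NDR-based "reverse spam" (backscatter) versus the
counter-measures discussed in the thread.  Added example; every name,
address and message here is constructed sample data."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Message:
    sending_server: str   # host/IP the SMTP session came from
    envelope_from: str    # MAIL FROM; forged by the spammer in the reverse-spam case
    rcpt_to: str          # RCPT TO at our server
    body: str


@dataclass
class Policy:
    mailboxes: FrozenSet[str]                            # live recipients
    black_hole: FrozenSet[str] = frozenset()             # addresses on the member-less distribution list
    server_whitelist: Optional[FrozenSet[str]] = None    # None: accept sessions from any server
    send_ndr: bool = True                                # generate non-delivery reports?


@dataclass
class Outcome:
    delivered: List[Message] = field(default_factory=list)
    discarded: List[Message] = field(default_factory=list)
    rejected_at_smtp: List[Message] = field(default_factory=list)
    ndr_recipients: List[str] = field(default_factory=list)   # who receives the NDR (and the spam body)


def route(msg: Message, policy: Policy, out: Outcome) -> str:
    """Decide what our server does with one message under a policy."""
    # The whitelist check happens during the SMTP session: an unapproved
    # server is refused outright, so nothing is accepted and nothing can bounce.
    if policy.server_whitelist is not None and msg.sending_server not in policy.server_whitelist:
        out.rejected_at_smtp.append(msg)
        return "rejected"
    rcpt = msg.rcpt_to.lower()
    if rcpt in policy.mailboxes:
        out.delivered.append(msg)
        return "delivered"
    if rcpt in policy.black_hole:
        # Member-less distribution list: accepted, then silently dropped, no NDR.
        out.discarded.append(msg)
        return "discarded"
    # Unknown recipient.  The message was already accepted, so the only way to
    # inform the sender is an NDR, which carries the original body back to MAIL FROM.
    if policy.send_ndr:
        out.ndr_recipients.append(msg.envelope_from)
        return "ndr"
    out.discarded.append(msg)
    return "discarded"


def run(messages: List[Message], policy: Policy) -> Outcome:
    out = Outcome()
    for m in messages:
        route(m, policy, out)
    return out


def summarize(messages: List[Message], policy: Policy) -> dict:
    out = run(messages, policy)
    return {"delivered": len(out.delivered), "discarded": len(out.discarded),
            "rejected": len(out.rejected_at_smtp), "ndrs": len(out.ndr_recipients)}


# Constructed sample traffic.  203.0.113.0/24 is a documentation-only range.
PARTNER = "mail.partner.example.net"
SPAMMER = "203.0.113.7"
MESSAGES = [
    Message(PARTNER, "alice@partner.example.net", "bob@example.com", "Q1 figures attached"),
    Message(PARTNER, "alice@partner.example.net", "bobb@example.com", "mistyped address"),  # a bounce is wanted here
    Message(SPAMMER, "victim1@mail.example.org", "jsmith@example.com", "BUY NOW"),        # ex-employee address
    Message(SPAMMER, "victim2@mail.example.org", "x7q2z@example.com", "BUY NOW"),         # random local part
    Message(SPAMMER, "victim3@mail.example.org", "qq91@example.com", "BUY NOW"),          # random local part
]
LIVE = frozenset({"bob@example.com"})
EX_EMPLOYEES = frozenset({"jsmith@example.com"})

POLICIES = {
    "baseline":   Policy(LIVE),
    "black_hole": Policy(LIVE, black_hole=EX_EMPLOYEES),
    "ndr_off":    Policy(LIVE, send_ndr=False),
    "whitelist":  Policy(LIVE, server_whitelist=frozenset({PARTNER})),
}


def compare(messages=MESSAGES, policies=POLICIES) -> dict:
    """Per-policy counts; every NDR sent to a forged MAIL FROM is spam delivered by us."""
    return {name: summarize(messages, p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:11s} {counts}")
```

The mistyped legitimate message is there to show the cost each option carries: black-holing only removes the NDRs for addresses you already know about, so the randomly generated local parts still bounce; turning NDRs off removes every bounce, including the one the partner's sender should have received; the server whitelist refuses the spam sessions before anything is accepted, so the one remaining NDR is the legitimate bounce to the partner.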

> -----Original Message-----
> From: Dennis van Turnhout [mailto:turnhout@xxxxxxxxxx]
> Sent: Monday, March 01, 2004 2:29 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> 
> If it's spam to addresses that used to exist, try this option.
> Works like a charm over here.
> 
> -----
> 
> Black Holes - not just a space thing!
> 
> As users leave your company, you will more than likely delete their
> mailbox after a certain amount of time. It is then common for the SMTP
> address of the departed employee to be added to another mailbox, or a
> public folder, perhaps being monitored by the departed employee's
> manager. The aim is to make sure that any important business email is
> acknowledged for some amount of time after the user has left.
> 
> Clearly there is a long term issue with this method, since eventually,
> the monitoring of the messages sent to that address will stop. Removing
> the SMTP address from the organisation will obviously not stop messages
> being sent to that address; there are always going to be those pesky
> spam messages, and additionally, your Exchange server has to generate a
> non-delivery report for each message.
> 
> One solution to put the issue out of your mind is to implement what is
> sometimes referred to as the 'black hole' method. This allows your
> Exchange server to simply delete the messages sent to specific SMTP
> addresses, whilst at the same time never generating a non-delivery
> report for these messages.
> 
> Here are the 3 simple steps to implement the black hole method:
> 
> 1. Create a distribution list (Exchange 5.5) or a mail-enabled
> distribution group (Exchange 2000).
> 
> 2. Make sure that there are NO members in this distribution list/group.
> This is the key part to this tip.
> 
> 3. Add the SMTP addresses of the ex-employees to the distribution
> list/group. Add them as secondary SMTP addresses in exactly the same way
> you would for a mailbox.
> 
> Now, when messages are sent to these problematic SMTP addresses,
> Exchange silently deletes them. No non-delivery reports are generated,
> and the administrator no longer has to be concerned about these
> messages.
> 
> Try it. It works well!
> 
> Neil Hobson
> 
> -----Original Message-----
> From: Nick Smith [mailto:nick@xxxxxxxxxxxxxxx]
> Sent: Monday, 1 March 2004 08:22
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> 
> Jeff - It's being used for Reverse Spam. The idea is that you send out a
> bunch of spam to a server from valid email addresses; your server then
> sends an NDR to the addresses, thus delivering the spam. Switch off
> NDRs to stop this. Nick
> 
> -----Original Message-----
> From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> Sent: 01 March 2004 05:26
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: Exchange Server Spamming
> 
> I have a customer with an NT4 Small Business Server with Exchange 5.5
> SP4. The outbound SMTP queue is filling with undelivered mail,
> indicating that the server is being used to spam. The server is
> definitely not an open relay (tested myself and through ORDB.ORG), and
> doesn't allow *any* SMTP relay. I've found that the outbound queue on
> this server fills up even if it's disconnected from the network, which
> tells me that the server itself is generating the mail. It's got Norton
> Antivirus with the latest definitions, and I've scanned it with Trend's
> online virus scanner. I don't find any viruses at all. I've looked at
> the processes for processes that are using a bunch of CPU time, but
> don't see anything obvious. Any ideas? TIA. JD
> 
> ********************************************************
> This weeks sponsor triCerat Inc.
> triCerat makes your job easier by offering essential applications to
> eliminate your printing, policy and profile, and your application
> management problems. http://www.triCerat.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
> use the below link: http://thin.net/citrixlist.cfm