Here is a copy of an email I sent to my IT staff when I arrived at my job. We had the same issues and our ESM queues were just like yours... Too bad I couldn't get the screenshots in here too... hope it helps...
During my relentless battle with Mail Security, I keep stumbling upon more things to check on the Exchange server side. Today I came across a few things, which I will describe here:
RBLs:
Known as real-time blacklists. These are databases maintained to keep a list of known spammers, by IP address, DNS, etc. These lists are then distributed either through a subscription service, or some are even offered open-source. Symantec suggested a few to check out.
In Email Security, under Policies, then under Anti-Spam, there is an option for Whitelist/Blacklist. Here, for whitelist, you can enter email addresses that will bypass our SCL (spam confidence level) heuristic detection. Blacklist, which I originally thought was where you enter the email addresses of people you want to block, is actually not for that. This is where you enter a DNS record to connect to an open-source RBL. This adds a huge layer of security because it checks all incoming mail against huge databases maintained by SpamCop.
However, today on the phone with Symantec, they said that RBLs are not working in our version 5.0.3. A new 5.0.4 is due next month, and they hope to fix that. However, I found an MS technote describing how to add these RBL/DNSBL DNS entries directly in Exchange.
In Exchange System Manager, go to Global Settings, then Message Delivery, right-click, Properties, and click on the Message Filtering tab.
When you add a new one, you just name the rule and enter the DNS entry (sbl-xbl.spamhaus.org, dnsbl.sorbs.net, etc.). Feel free to check these websites out to learn more: Spamhaus.net -- sorbs.net.
Since adding these, I’ve seen quite a change in our Symantec event logs.
NDR and Open Relay
Open relay is a setting and configuration on Exchange servers. It allows your mail server to send mail for anyone, anywhere, at any time. If this is enabled, obviously spammers can use us to send spam. From what I can tell we are not configured as an open relay, which is good. There is one final test tonight I need to try from home to make sure.
We are, however, victims of an NDR attack. NDR stands for non-delivery report. Spammers send email to bogus accounts on our end. Exchange, by default, accepts all SMTP connections in good faith, and when it realizes that the account does not exist, it sends a non-delivery report, along with the original message and attachments, back to the sender. However, spammers are smart enough to spoof their email addresses so that when mail gets bounced back, it doesn't go to them but instead goes to another spam victim, but FROM OUR SYSTEM AND POSTMASTER account. The screenshot below is the mail queue from CHMAIL, and it's listing all of the bounce emails that it's trying to send out. Not good...
I found another article describing how to filter out non-existent users, where Exchange will filter messages if the email address doesn't exist in Active Directory. This stops spammers from sending messages to non-valid addresses and, in turn, ceases the bogus mail queues. In System Manager, right-click on Message Delivery, Properties, then the Recipient Filtering tab. Enable the checkbox "Filter recipients who are not in the Directory".
You then need to enable the Recipient Filter on the SMTP Server.
Still in ESM, expand Administrative Groups, <your admin group>, Servers, <your server>, Protocols, SMTP.
Right click on SMTP Virtual Server and choose Properties.
Click on "Advanced" next to the IP address on the first tab.
With the IP address selected, choose "Edit".
Enable "Apply Recipient Filter".
Click Apply/OK until clear.
The only downside to any of what I did today is that this last feature makes your server vulnerable to directory harvest attacks, which is where the attacker sends commands to your server to find valid addresses. This can be avoided by using a feature known as tar pitting, which slows down the response of your server to these commands, making it unviable for the attacker to scan your server.
Tar pitting was previously only available as a hotfix, but is now part of Windows 2003 Service Pack 1.
Here is a KB article on MS
and here is the MS security advisory
I just can't seem to find anything on best practices for how long to make the server tarpit timeout setting... maybe you guys can find something.
I have cleaned out the CHMAIL queue to get rid of all the bogus stuff, which is done by clicking on each connector's properties, hitting the Find Now button, then deleting (no NDR) any mails coming from postmaster. There will be legit stuff in here too, so you need to be careful.
Spam should be severely cut down now with these changes, and with Mail Security running properly.
I'm sure a few things will still be coming through, such as picture and image spam. If we want almost 99.9999% protection, we need to purchase the premium anti-spam add-on through Symantec. But what we have going now is definitely a hands-down quantum leap improvement.
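An added example, not part of the email above and not Symantec or Microsoft code: a PowerShell script that does from the command line the three things the email describes by hand, so they can be re-checked after a change: an RBL/DNSBL lookup for an IP, an open-relay test against the mail server, and setting the SMTP tarpit value. The DNSBL zone, the test addresses and the server name are assumptions; the registry path and value name are the ones Microsoft's KB 842851 tarpit article documents for Windows Server 2003 SP1. The DNS lookup uses .NET rather than Resolve-DnsName so it runs on older Windows too.

```powershell
# Added example for the checks in the email above; not the author's or a vendor's code.
# Run the first two from any admin workstation; run Set-SmtpTarpitTime on the
# Exchange server as a local administrator.

function Test-DnsblListing {
    # Ask a DNS blocklist whether an IP is listed. DNSBLs are queried by
    # reversing the octets: 1.2.3.4 against zone Z becomes 4.3.2.1.Z
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Zone = 'zen.spamhaus.org'   # assumed zone; check the list's usage policy first
    )
    $octets = $IPAddress.Split('.')
    [array]::Reverse($octets)
    $query = ($octets -join '.') + '.' + $Zone
    try {
        $answers = [System.Net.Dns]::GetHostAddresses($query) |
            ForEach-Object { $_.IPAddressToString }
        # "Listed" is an answer in 127.0.0.x. Spamhaus documents 127.0.0.2-11 as
        # listing codes and 127.255.255.x as "query refused/error", so only the
        # former counts here; other zones publish their own code tables.
        $codes = @($answers | Where-Object { $_ -like '127.0.0.*' })
        [pscustomobject]@{ Query = $query; Listed = ($codes.Count -gt 0); Codes = $codes; Raw = @($answers) }
    } catch [System.Net.Sockets.SocketException] {
        # NXDOMAIN from the zone means "not listed"
        [pscustomobject]@{ Query = $query; Listed = $false; Codes = @(); Raw = @() }
    }
}

function Test-OpenRelay {
    # Try to relay between two foreign domains through the server. A correctly
    # configured server rejects the RCPT TO with a 5xx ("relaying denied").
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'relaytest@example.net',   # assumed: neither address is one of ours,
        [string]$To   = 'relaytest@example.org'    # so a 250 to RCPT TO means relaying is open
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    $transcript = @($reader.ReadLine())            # 220 banner
    # HELO rather than EHLO keeps every reply on a single line
    foreach ($cmd in "HELO relaytest.example.com", "MAIL FROM:<$From>", "RCPT TO:<$To>") {
        $writer.WriteLine($cmd)
        $transcript += $reader.ReadLine()
    }
    $rcptReply = $transcript[-1]
    $writer.WriteLine('RSET'); $reader.ReadLine() | Out-Null   # never send DATA
    $writer.WriteLine('QUIT')
    $client.Close()
    [pscustomobject]@{
        Server     = $Server
        OpenRelay  = $rcptReply.StartsWith('250')   # foreign recipient accepted = open relay
        RcptReply  = $rcptReply
        Transcript = $transcript
    }
}

function Set-SmtpTarpitTime {
    # KB 842851 (Windows Server 2003 SP1): TarpitTime is a REG_DWORD in seconds
    # under the SMTP service parameters. It delays only the 5xx replies to
    # RCPT TO for unknown recipients, so recipient filtering must already be on.
    # The 5-second default here is an assumption, not a documented best practice.
    param([int]$Seconds = 5)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
    New-ItemProperty -Path $key -Name TarpitTime -PropertyType DWord -Value $Seconds -Force | Out-Null
    Restart-Service -Name SMTPSVC        # the value is read when the service starts
    (Get-ItemProperty -Path $key -Name TarpitTime).TarpitTime
}

# Example usage (server name is a placeholder):
Test-DnsblListing -IPAddress '127.0.0.2'       # 127.0.0.2 is the DNSBL test entry; should report Listed = True
Test-OpenRelay -Server 'chmail.example.com'    # OpenRelay should be False
# Set-SmtpTarpitTime -Seconds 5                # on the Exchange server only
```

Two caveats worth keeping in mind when using this: a relay test from inside the LAN may hit a relay restriction that permits internal IPs, so the meaningful run is from an outside address, which is why the email's "final test from home" matters; and a DNSBL lookup that errors (no answer at all, or a 127.255.255.x code) is not the same as "not listed", so the function reports the raw answers alongside the verdict.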