Fighting spam in an exchange environment

Transcripts
Slide 1

Fighting Spam in an Exchange Environment. Tzahi Kolber, IT Supervisor - Polycom Israel

Slide 2

What will we cover:
- Problems and Concerns
- How to Fight Spam
- Exchange Server 2003 Anti-Spam Features
- Exchange Server 2007 Anti-Spam Features
- How not to be blocked as spammers

Slide 3

Problems and Concerns
- Unwanted messages are the #1 concern
- Risk to security, privacy and availability
- Phishing scams, identity and data theft
- Spoofing identified in 95% of phishing attacks
- Unauthorized relay
- Spam represents more than 60% of email traffic
- Hotmail blocks more than 1 billion messages every day
- Viruses, spyware and trojans (which can affect mobile phones as well). http://www.messagelabs.com/emailthreats/
- Low cost of entry, high profit and anonymity: all the economics favor the spammer and the phisher

Slide 4

How to Fight Spam

Slide 5

Enterprise Requirements for Anti-Spam
- False positives are the primary concern
- Block at the gateway whenever possible: the user never sees it; reduces the impact on bandwidth; reduces the impact on the system resources of the Exchange servers (CPU, I/O, DB size ...)
- Administration: end-to-end solutions (including mobiles); easy to manage; balance corporate and end-user control

Slide 6

Exchange Server 2003: Anti-Spam Features
- Connection filtering: where it came from
- Sender filtering: who sent it
- Recipient filtering: who it is for
- Microsoft Exchange Intelligent Message Filter: what it is about
- Sender ID: is the sender really the sender?
- * Restricted Distribution Lists

Slide 7

Message Filtering in Exchange (diagram of the components): Accept/Deny Lists, Information Store, Block Lists, Recipient Filter, Sender Filtering, Sender ID, Intelligent Message Filter

Slide 8

Message Filtering in Exchange, layer by layer
- Connection filtering blocks a share of all incoming SMTP connections
- Sender and recipient filtering block a share of the remaining messages
- Intelligent Message Filter blocks a share of the remaining messages
- AV scanning
- Outlook 2003 and Outlook Web Access junk email filtering blocks a share of the remaining messages

Slide 9

Slide 9 is a mail-flow diagram. Internet mail enters through the Gateway Server Transport (Connection Filtering with RBLs, Sender/Recipient Filtering, Sender ID, Exchange IMF assigning an SCL and comparing it with the gateway threshold, virus scanning, attachment stripping and attachment blocking), continues to the Mailbox Server Store (SCL store threshold, user Safe/Blocked Senders, spam to the Junk Mail folder, the rest to the Inbox) and is delivered to Outlook 2003 and Outlook Web Access clients (junk mail filter action, desktop anti-virus). Diagram lanes: Anti-Spam, Antivirus and Attachments, Mail stream.

Slide 10

Layer 1 - Connection Filtering
- Check where the mail is coming from
- Support for multiple Real-Time Block List (also known as DNS Block List) providers
- Global Accept and Deny Lists
- Configurable exception list that overrides the RBL
- Blocking by IP/subnet

Slide 11

Connection Filtering and SP2
- Connection filtering depends on getting the original sender's IP to run the DNS query on
- In SP2: a new header parsing algorithm (P2 header) looks for the first untrusted IP address among the sending SMTP servers
- Admins need to configure the trusted internal IP gateways (the perimeter list), so connection filtering can now also filter inside the perimeter
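The two mechanics of slides 10 and 11, walking the Received headers to the first untrusted IP and then running the reversed-octet DNSBL query with the global accept/deny lists applied, as an added Python example. This is not code from the slides or from Exchange; the Received headers, the 10.0.0.0/8 perimeter list, the dnsbl.example zone and the dictionary standing in for DNS are all constructed for the example.

```python
import ipaddress
import re

# Constructed Received headers for one message, newest hop first (the order
# they appear in the message).  Not taken from the original slides.
RECEIVED_HEADERS = [
    "from mbx01.corp.example (10.0.0.5) by mbx02.corp.example; Mon, 1 Jan 2007 10:00:03",
    "from gw01.corp.example (10.0.0.2) by mbx01.corp.example; Mon, 1 Jan 2007 10:00:02",
    "from mail.partner.example (203.0.113.7) by gw01.corp.example; Mon, 1 Jan 2007 10:00:01",
    "from [192.0.2.9] by mail.partner.example; Mon, 1 Jan 2007 09:59:58",
]

# Trusted perimeter/internal addresses the admin configures (slide 11, slide 20).
TRUSTED_NETWORKS = ["10.0.0.0/8"]

# Stand-in for DNS: DNSBL query name -> A records.  A missing key is NXDOMAIN.
# 127.0.0.2 is the conventional "listed" answer; the zone name is made up.
STUB_DNS = {
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],
}

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def first_untrusted_ip(received_headers, trusted_networks):
    """Walk Received headers from newest to oldest and return the first 'from'
    address outside the trusted networks.  Hops we did not add ourselves may
    be forged, so we stop at the first external one instead of trusting the
    bottom-most header.  Returns None if every hop is internal."""
    for header in received_headers:
        match = IPV4_RE.search(header)
        if not match:
            continue
        try:
            if not _in_any(match.group(1), trusted_networks):
                return match.group(1)
        except ValueError:
            continue  # not a valid address, skip this hop
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone: 203.0.113.7 checked
    against dnsbl.example becomes 7.113.0.203.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def connection_filter_verdict(ip, zones, accept_list, deny_list, dns=STUB_DNS):
    """Connection-filtering decision as (verdict, reason).  The global accept
    list is the exception list that overrides RBL hits; the global deny list
    blocks without consulting any RBL.  Only answers inside 127.0.0.0/8 count
    as a listing: anything else means a broken or retired zone and is ignored
    rather than treated as a hit."""
    if _in_any(ip, accept_list):
        return ("accept", "global accept list overrides RBL")
    if _in_any(ip, deny_list):
        return ("reject", "global deny list")
    for zone in zones:
        for answer in dns.get(dnsbl_query_name(ip, zone), []):
            if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
                return ("reject", f"listed on {zone} ({answer})")
    return ("accept", "not listed")


if __name__ == "__main__":
    sender_ip = first_untrusted_ip(RECEIVED_HEADERS, TRUSTED_NETWORKS)
    print("originating IP:", sender_ip)
    print(connection_filter_verdict(sender_ip, ["dnsbl.example"], [], []))
```

Note that the walk stops at 203.0.113.7, the partner's server, even though the message claims to have come from 192.0.2.9 before that: the earlier hop is not ours to trust, which is exactly the "last hop" limitation slide 19 raises for Sender ID.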

Slide 12

Sender Filtering
- Filters messages sent from specific email addresses or domains
- Message submission method is supported
- Optionally filter messages with a blank sender
- Optionally drop the connection
- Note: adding your own domain to the Sender Filter list may break list services (mailing lists)

Slide 13

Recipient Filtering (Who It Is For)
- Filter messages sent to specific email recipients (valid or invalid)
- No NDR, because the message is rejected at the protocol level
- Designed to fight directory harvesting attacks (tarpitting fights those as well)
- Related feature - Restricted distribution lists: allow only authenticated users to send to a distribution list; reduces the impact of unsolicited email sent to internal-only distribution lists

Slide 14

Layer 2 - SMTP Filtering
- If the incoming connection got through the Connection Filtering layer, next in line is SMTP Filtering
- Sender and Recipient Filtering. Sender: list of disallowed sender email addresses, domain addresses, blank sender. Recipient: directory lookup and tarpitting
- Sender ID Filtering
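An added Python illustration of the recipient-filtering and tarpitting behaviour described on slides 13 and 14; this is not code from the slides, and Exchange's own implementation lives in the Windows SMTP service. The directory of valid mailboxes, the grace count of three bad recipients and the five-second delay are this example's own assumptions (Windows SMTP tarpitting simply delays every error response by the configured TarpitTime). The point it shows is that an unknown recipient is refused while the sender is still connected, so no NDR is generated, and that a harvester probing the address space pays for every miss.

```python
import time

# Constructed directory of valid mailboxes (not from the slides).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

# Tarpit policy used by this example: tolerate a few bad recipients (typos
# happen), then delay every further error response.  The grace count is this
# example's own choice; Windows SMTP tarpitting delays every 5xx response.
TARPIT_AFTER = 3
TARPIT_DELAY_SECONDS = 5.0


class SmtpSession:
    """Just enough of an inbound SMTP session to show recipient filtering."""

    def __init__(self, sleep=time.sleep):
        self.invalid_rcpts = 0
        self.accepted = []
        self._sleep = sleep  # injectable so a test does not really wait

    def rcpt_to(self, address):
        """Handle one RCPT TO.  An unknown recipient is refused with 550 at the
        protocol level, so the message is never accepted and no NDR is ever
        generated for it (no backscatter).  Once the session has used up its
        grace count, each further refusal is delayed.  Returns (reply, delay)."""
        addr = address.strip().strip("<>").lower()
        if addr in VALID_RECIPIENTS:
            self.accepted.append(addr)
            return "250 2.1.5 Recipient OK", 0.0
        self.invalid_rcpts += 1
        delay = TARPIT_DELAY_SECONDS if self.invalid_rcpts > TARPIT_AFTER else 0.0
        if delay:
            self._sleep(delay)
        return "550 5.1.1 User unknown", delay


def simulate_harvest(candidates, sleep=time.sleep):
    """Run a directory-harvest attempt (one RCPT TO per guessed address)
    through a single session and return (valid addresses found, total seconds
    the attacker was made to wait)."""
    session = SmtpSession(sleep)
    waited = 0.0
    for candidate in candidates:
        _, delay = session.rcpt_to(candidate)
        waited += delay
    return session.accepted, waited


if __name__ == "__main__":
    guesses = [f"{name}@example.com" for name in
               ("alice", "carol", "dave", "erin", "frank", "bob", "grace", "heidi")]
    # no-op sleep so the demo returns immediately; the second value shows
    # how long a real session would have stalled the attacker
    found, waited = simulate_harvest(guesses, sleep=lambda seconds: None)
    print("found:", found, "- attacker would have waited", waited, "seconds")
```

Eight guesses, six of them wrong, cost the harvester 15 seconds here; across the thousands of RCPT TOs a real harvest needs, the delay is what makes the attack uneconomic, while a legitimate sender who mistypes one address never notices.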

Slide 15

Sender ID
- Comes with SP2
- Industry standard framework
- Fights email domain spoofing
- Verifies that each email message originates from the Internet domain from which it claims to come, based on the sending server's IP address
- See http://www.microsoft.com/mscorp/security/technologies/senderid/default.mspx

Slide 16

Benefits of Sender ID
- Protects the sender's brand and domain names from spoofing and phishing
- Receivers validate the origin of mail
- More input into the spam filtering decision
- By itself does NOT stop spam

Slide 17

How Does Sender ID Work?
- Senders publish the IP addresses of their outbound email servers in DNS through an SPF record
- Receivers determine which domain(s) to check: the "Purported Responsible Address" (PRA) derived from the message body (RFC 2822 headers), or the "Envelope From" domain (RFC 2821 MAIL FROM)
- Receivers query DNS for the outbound email servers of the chosen domain and perform the domain spoofing test

Slide 18

Sender ID Framework
- The message travels through one or many email servers on its way to the recipient
- Receiver: look up the sender's SPF record in DNS; determine whether to do the PRA or the Mail From check; compare the sending IP with the legitimate IPs in the SPF record of the PRA (or Mail From) domain. Match → positive filter input; no match → negative filter input
- Sender: one time, publish the SPF record in DNS; no other changes required; email is sent as normal
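The Sender ID check of slides 17 and 18 worked through in Python, as an added example that is neither the slides' own material nor Microsoft's implementation: PRA selection in the RFC 4407 order, evaluation of an SPF record for the ip4, a, include and all mechanisms (mx, ptr, exists and redirect= are deliberately left out and reported as permerror), and the fail result a spoofed From gets. The SPF and A records are constructed dictionary entries for documentation domains, not real DNS data.

```python
import ipaddress
import re

# Constructed zone data standing in for DNS (documentation domains, not
# anyone's real records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 a:mail.example.com "
                   "include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:203.0.113.10 ~all",
}
A_RECORDS = {"mail.example.com": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def purported_responsible_address(headers):
    """Sender ID's PRA: the first of Resent-Sender, Resent-From, Sender, From
    that is present (RFC 4407 order).  headers is a list of (name, value)."""
    for wanted in ("Resent-Sender", "Resent-From", "Sender", "From"):
        for name, value in headers:
            if name.lower() == wanted.lower():
                return value
    return None


def domain_of(address):
    """Domain part of 'Display Name <user@domain>' or of a bare address."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address.strip()
    return addr.rsplit("@", 1)[-1].lower()


def check_spf(domain, client_ip, depth=0):
    """Evaluate the domain's v=spf1 record against the connecting IP.
    Handles ip4, a, include and all with +/-/~/? qualifiers and returns one
    of pass, fail, softfail, neutral, none, permerror.  Mechanisms are tested
    left to right and the first match decides, as in RFC 4408."""
    if depth > 10:
        return "permerror"  # include loop or far too deep
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF record published: nothing to say either way
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = str(ip) in A_RECORDS.get(argument or domain, [])
        elif mechanism == "include":
            # include only counts as a match when the included record passes
            matched = check_spf(argument, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # mx, ptr, exists, redirect= not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a match


def sender_id_check(headers, mail_from, client_ip, scope="pra"):
    """Sender ID with either the PRA (from the RFC 2822 headers) or the
    RFC 2821 MAIL FROM as the domain whose SPF record is checked."""
    address = purported_responsible_address(headers) if scope == "pra" else mail_from
    if not address:
        return "none"
    return check_spf(domain_of(address), client_ip)


if __name__ == "__main__":
    phish = [("From", "CEO <ceo@example.com>")]
    print("spoofed From from 203.0.113.99:", sender_id_check(phish, "ceo@example.com", "203.0.113.99"))
    print("real server 192.0.2.25:", sender_id_check(phish, "ceo@example.com", "192.0.2.25"))
```

The last two asserts in the test below show why the scope matters: a message relayed through a mailing list carries a Resent-Sender header, so the PRA check is run against the list's domain (which publishes nothing here, hence "none") while the Mail From check still fails for the spoofed envelope sender.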

Slide 19

Limitations
- Authenticates domains, not users
- Validates the "last hop", not end-to-end (cannot block email coming through a relay)
- Spammers can register their own domains... but this aids investigative efforts
- Allows for reputation of domains - sooner or later they will be caught....

Slide 20

Exchange Configuration: set the perimeter IP list

Slide 21

Define the action. Set it on the SMTP Virtual Server

Slide 22

Layer 3 - Content Filtering
- If a mail item gets past Recipient Filtering it faces Content Filtering
- Content Filtering in Exchange is based on Microsoft Research SmartScreen machine-learning technology, incorporated into the Intelligent Message Filter (IMF)
- IMF is now integrated into SP2 (the pre-SP2 version should be uninstalled before the SP2 upgrade)
- Should be updated from Microsoft Update (not Windows Update!!!)
- http://www.petri.co.il/installing_imf_with_exchange_2003_sp2.htm

Slide 23

How it works
- Examines messages and gives each an SCL (Spam Confidence Level) value [0-9]
- Two thresholds: Gateway and Store
- Messages with a high SCL value are filtered at the gateway. MS IT: more than 30% filtered. Reduces the impact on users and on the rest of the infrastructure
- Possibility of SCL store-level spam filtering
- The SCL is transferred as part of the EXCH50 blob
- Exposing the SCL in Outlook: http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx
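The two-threshold SCL handling of slides 9 and 23 as an added Python function (not IMF's code). The "greater than or equal to" reading of the thresholds, the safe/blocked-sender handling at the store and the refusal of a store threshold above the gateway threshold are this example's own choices; the gateway actions are the four IMF offers.

```python
GATEWAY_ACTIONS = ("No Action", "Archive", "Delete", "Reject")


def imf_disposition(scl, gateway_threshold, gateway_action, store_threshold,
                    sender, safe_senders=frozenset(), blocked_senders=frozenset()):
    """Where a message ends up once IMF has stamped it with an SCL (0-9).

    Gateway: an SCL at or above the gateway threshold triggers the configured
    gateway action (this example follows the 'greater than or equal to'
    reading of the threshold).  With 'No Action' the message is only stamped
    and travels on to the store with the SCL in the EXCH50 blob.
    Store: an SCL at or above the store threshold lands in Junk E-mail unless
    the mailbox owner has safe-listed the sender; a blocked sender goes to
    Junk E-mail regardless of SCL.
    """
    if not 0 <= scl <= 9:
        raise ValueError("SCL must be 0..9")
    if gateway_action not in GATEWAY_ACTIONS:
        raise ValueError(f"unknown gateway action {gateway_action!r}")
    if store_threshold > gateway_threshold:
        # Anything at or above the store threshold would already be stopped
        # at the gateway, so the store setting could never apply: flag it.
        raise ValueError("store threshold must not exceed gateway threshold")

    if scl >= gateway_threshold and gateway_action != "No Action":
        return {
            "Archive": "archived at gateway",
            "Delete": "deleted at gateway, no NDR",
            "Reject": "rejected at gateway, 550 returned to sender",
        }[gateway_action]

    sender = sender.lower()
    if sender in blocked_senders:
        return "junk e-mail folder (user blocked sender)"
    if sender in safe_senders:
        return "inbox (user safe sender overrides SCL)"
    if scl >= store_threshold:
        return "junk e-mail folder (store threshold)"
    return "inbox"


if __name__ == "__main__":
    for scl in (3, 6, 8):
        print(scl, imf_disposition(scl, 7, "Delete", 5, "news@example.com"))
```

With a gateway threshold of 7 and a store threshold of 5, an SCL of 8 never reaches a mailbox, 6 is delivered but filed in Junk E-mail (unless the user has safe-listed the sender), and 3 goes to the Inbox; that band between the two thresholds is where the user's own Safe/Blocked Senders lists do their work.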

Slide 24

Messaging Hygiene Architectural Principles
- Anti-spam MUST be done before anti-virus
- Anti-spam SHOULD be done on inbound mail only
- Anti-spam filtering SHOULD delete rather than quarantine
- Anti-virus MUST be mail-direction aware
- Anti-virus SHOULD delete rather than quarantine
- Generate security notifications for infected inbound email
- Anti-virus and anti-spam systems MUST integrate with Exchange

Slide 25

Restricted Distribution Lists
- Can accept messages only from authenticated users
- Advantage: cannot be reached from outside to hit a large number of recipients
- Will not be accessible from Linux or other SMTP applications (non-authenticated clients)

Slide 26

Exchange 2007 Anti-Spam framework
- Dedicated role/server - the Edge server role
- * Attachment Filtering
- * Edge Protocol Rules - filter known content patterns in malware carriers and drop the connection (Porn, Love, Linux....)
- * Connection Filtering (a White List was added)
- Sender and Recipient Filtering (including Tar Pitting)
- Safe Sender List - as configured in Outlook 2003/2007
- Sender ID
- IMF
- * marks features that were added on top of the Exchange 2003 anti-spam framework
- http://www.microsoft.com/exchange/evaluation/features/default.mspx

Slide 27

How NOT to be blocked as spammers
- Block outbound SMTP (TCP/25) at the firewall for everything except the mail gateway
- Check that you have a PTR record in DNS for the same address as the MX record (this also avoids NDR errors of the form "5.7.1 Access Denied")
- Don't send messages with a blank subject or a blank sender
- Avoid sending messages to more than 200 recipients in one email
- Close your SMTP server to relaying
- http://www.dnsstuff.com/tools/dnsreport.ch?domain=domain.com
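The PTR/MX check from the slide above as an added Python example (not from the slides) that a sending admin can run before going live; the dictionary stands in for DNS and would be replaced by real PTR, A and MX lookups. It also performs the forward-confirmed reverse DNS step that receiving servers commonly apply on top of "is there a PTR at all". All addresses and host names are constructed documentation values.

```python
# Constructed stand-in for DNS: (record type, name) -> answers.  Documentation
# addresses and made-up host names, not any real zone.
STUB_DNS = {
    ("MX", "example.com"): ["mail.example.com"],
    # the proper outbound server: PTR and A agree, and it is the MX host
    ("PTR", "203.0.113.25"): ["mail.example.com"],
    ("A", "mail.example.com"): ["203.0.113.25"],
    # a second server whose PTR is a generic ISP name, not an MX host
    ("PTR", "203.0.113.26"): ["203-0-113-26.dynamic.isp.example"],
    ("A", "203-0-113-26.dynamic.isp.example"): ["203.0.113.26"],
    # a host whose PTR names the MX but the name does not resolve back to it
    ("PTR", "203.0.113.27"): ["mail.example.com"],
}


def lookup(rtype, name, dns=STUB_DNS):
    """Answers for one record, normalised (no trailing dot, lower case)."""
    return [a.rstrip(".").lower() for a in dns.get((rtype, name), [])]


def outbound_dns_problems(sending_ip, domain, dns=STUB_DNS):
    """Checks a receiving server is likely to make on our outbound IP,
    returned as a list of problems (empty means clean): a PTR exists, it
    resolves back to the same IP (forward-confirmed reverse DNS), and the
    name is one of the domain's published MX hosts."""
    problems = []
    ptr_names = lookup("PTR", sending_ip, dns)
    if not ptr_names:
        problems.append(f"no PTR record for {sending_ip}")
        return problems  # nothing further can be checked
    host = ptr_names[0]
    if sending_ip not in lookup("A", host, dns):
        problems.append(f"PTR {host} does not resolve back to {sending_ip}")
    if host not in lookup("MX", domain, dns):
        problems.append(f"PTR {host} is not an MX host of {domain}")
    return problems


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.26", "203.0.113.27", "203.0.113.28"):
        print(ip, outbound_dns_problems(ip, "example.com") or "clean")
```

Only 203.0.113.25 comes out clean; the dynamic-looking ISP name on .26 is the pattern many receivers reject outright, and .27 shows that a PTR alone is not enough when the forward record disagrees.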

Slide 28

Some useful links......
- http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
- http://www.msexchange.org/tutorials/MF005.html
- http://www.petri.co.il/block_spam_with_exchange_2003.htm
- http://www.spamcop.net/fom-serve/cache/345.html
- http://www.microsoft.com/mscorp/security/content/technologies/senderid/wizard/default.aspx
- http://www.dnsstuff.com/
- http://www.microsoft.com/exchange/evaluation/features/default.mspx
- http://www.petri.co.il/configure_imf_in_exchange_2003_sp2.htm
- http://www.msexchange.org/tutorials/Windows-based-SMTP-Tar-Pitting-Explai