Subject: Re: [ms-exchange-l] how to stop a user in our domain sending spam?
We’ve had lots of problems with students (and some faculty and staff) responding to phishing emails with their usernames and passwords. The spammers typically login through our webmail hosts in the middle of the night and generate the spam.
We actively block every phishing email reply address on our mail gateways (we use BorderWare appliances), and I look for responses to every phishing email as well. I also have an AOL feedback loop setup so can see if an account is running amok. I also check the postmaster account daily to be sure we aren’t getting complaints – and our network team monitors the abuse address. If you don’t have these addresses for your domain, set them up.
I examine the headers on every phishing email we receive and forward them to the postmaster and abuse addresses for the server domain that actually sent the mail. These are typically coming from a compromised account on someone else’s system, and frequently have forged from or replyto addresses, so you have to look at the hostnames of the SMTP relay points. Most webmail systems include message headers identifying the IP address of the original connection – rather educational!
When I find an account that has been compromised, either by seeing a reply to a phishing email or finding an account is sending email, the first thing I do is change the account password, and then I make sure the user doesn’t change it back to the same thing (a future password policy will prevent that stupidity!) I log directly into the mailbox as the user and make sure there are no rules – several of the spammers have set rules to automatically delete _all_ incoming mail to the mailbox to hide their tracks, since they typically generate thousands of bounces, and more than a few venomous (really unnecessarily nasty) replies.
For those of you who haven’t seen it – here’s what they do:
1) Access the mailbox and send a test message to some outside address.
2) If possible, change the reply and from addresses for the mailbox to something they have setup, typically a mailbox on gmail, yahoo or hotmail.
3) Change the autosignature to their message.
4) Create the messages one at a time by copying in hundreds of addresses to the bcc: field.
Do the math – in just a couple hundred messages they can send tens of thousands of messages!
We’ve tried to limit the number of recipients – they just send test messages with different numbers of recips until they don’t bounce back! This also messes with Active Directory based distribution lists.
We’ve had some success reducing this problem by doing the following:
1) Repeated announcements that we don’t ask for username and passwords. We don’t need to! It’s amazing how gullible people can be, and they don’t look at reply addresses when they see a message. They also don’t notice misspelling, bad grammar, and internal organizations that don’t exist. The phishers are now starting to use webforms to collect the information.
2) Limit ability to change from and reply addresses. Not as much of a problem for Exchange and OWA, but other webmail clients are VERY flexible, as are most all POP3 and IMAP clients.
3) More announcements that we don’t ask for passwords!
4) Encourage reporting of phishing emails – several key contacts get nearly all of them
5) Aggresive blocking of phishing email replies.
6) Reminders to anyone that gives their password away that we didn’t ask!
I actually haven’t seen much virus generated spam coming from our network. If you have that issue, you should strongly consider closing port 25 outbound on your firewall except from your Exchange servers, and make sure that you don’t allow relay on your mail servers either, except from authenticated SMTP sessions. Definitely make sure that any server with port 25 open to the outside does not have have open relay – that will get you blacklisted.
If you do have virus generated spam coming from your network, strongly consider:
1) Get a campus license for anti-virus software, and a clean access monitoring tool to make sure it gets installed. You can negotiate ridiculously cheap prices for licenses (on the order of $2 per student!)
2) Force Windows Updates to be applied (with exceptions for clients that beg) for all domain computers using group policy
3) Force domain authentication using radius for wireless connections
4) Use an imaging system like Deep Freeze for classroom, lab and library computers to counter open access infections
Most of the botnet networks that generate spam reside on unpatched systems or systems without current or active antivirus.
A link monitoring web proxy system would be useful to stop people from clicking on infected links from spam mail. We don’t have one, yet, and have cleaned lots of “Antivirus 2009″ and the like from our clients.
I hope this helps!
John F. Schroeder
College of Charleston, Charleston SC