Josh. I feel your pain.
We had the same problem last summer. Two faculty members replied to the phishing email and gave out their userid and password. I reset their passwords, which stopped the spam. I went into their accounts and printed the sent email where they had replied to the spammer and gave it to their supervisor. It took a while to find, as there were thousands of spam emails in their Sent Items folder. I would not give them the new password until they repeated their required security awareness training.

One other thing to check. In one case, the spammer set up a rule to append the spam junk to any future emails this person sent. In the other case, the spammer created an out-of-office reply which included their spam crap. So far it hasn't happened again. I think word got out that replying with userid and password was bad.

________________________________
From: Boggis, Josh [mailto:[email protected]]
Sent: Friday, January 22, 2010 11:23 AM
To: MS-Exchange Admin Issues
Subject: RE: stopping spam from inside server?

To be clear, this is the same as normal traffic. This is not being done on an open relay; a user has given out their ID/password to a phishing scheme, and they are logging in remotely over OWA to send out large amounts of spam. It's the same as a professor sending out 5000 mails to an academic group they run. This is where things get tough for me. I am looking for something to distinguish a user who has been compromised and is sending out spam vs. a user sending out valid large amounts of email.

Oh, and I forgot to put in: we are running Exchange 2007. We do have Forefront installed to handle antivirus, and have a few Barracuda boxes for spam filtering incoming.

________________________________
From: Carl Houseman [mailto:[email protected]]
Sent: Friday, January 22, 2010 10:26 AM
To: MS-Exchange Admin Issues
Subject: RE: stopping spam from inside server?

+1. No port 25 traffic should be allowed out except from the known mail servers. Then all you have to secure is those servers.

Carl

________________________________
From: Roger Wright [mailto:[email protected]]
Sent: Friday, January 22, 2010 9:35 AM
To: MS-Exchange Admin Issues
Subject: Re: stopping spam from inside server?

Have you verified you're not configured as an open relay? Is your firewall only allowing SMTP traffic to/from your Exchange box?

Die dulci fruere!

Roger Wright
___
Marie von Ebner-Eschenbach <http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html> - "Even a stopped clock is right twice a day."

On Fri, Jan 22, 2010 at 8:15 AM, Boggis, Josh <[email protected]> wrote:

Anyone have any suggestions on anything for stopping what I call internal spam: users who reply to phishing emails, whose account is then used to send out massive amounts of spam to the world. Because of this massive blast of spam, our mail server gets placed on many block lists, and then I have to spend the day getting us off block lists because of one user who thinks it's a good idea to give out login id, password, home address, favorite ice cream flavor and blood type just because an email asked them to. Any ideas on solutions? User education has proven fruitless; we still get people who reply.
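One way to approach Josh's question of telling a compromised account apart from a legitimate bulk sender, as an added example that is not from anyone on this thread: the script below reads a constructed, simplified log whose column names mirror a few Exchange message tracking log fields, buckets SUBMIT events per sender and hour, and flags bursts that are both large and sprayed across many recipient domains, skipping an assumed allow list of vetted bulk senders. The thresholds, addresses and sample rows are all assumptions to be tuned against a site's own logs.

```python
"""Score outbound bursts per sender so a phished mailbox spraying spam stands
out from a legitimate bulk sender (added example, not from the thread)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Assumed thresholds; tune against a site's own message tracking logs.
MIN_MSGS_PER_HOUR = 50       # burst size before a sender is considered at all
MIN_DISTINCT_DOMAINS = 20    # spam sprays many domains; a list post hits few
KNOWN_BULK_SENDERS = {"newsletter@example.edu"}   # vetted, wide-spread senders

def _burst(hour, sender, rcpt):
    """Constructed data: 60 SUBMIT rows within 5 minutes from one sender."""
    return [f"2010-01-22T{hour:02d}:{i // 12:02d}:{(i * 5) % 60:02d},SUBMIT,"
            f"{sender},{rcpt.format(i=i)}" for i in range(60)]

# Constructed sample (not a real capture); column names mirror a few Exchange
# message-tracking-log fields. Three 60-message bursts: a professor posting to
# one list, a vetted newsletter sender, and a phished account at 03:00.
SAMPLE_LOG = "\n".join(
    ["date-time,event-id,sender-address,recipient-address"]
    + _burst(9, "prof@example.edu", "seminar-list@example.edu")
    + _burst(10, "newsletter@example.edu", "u{i}@dom{i}.test")
    + _burst(3, "victim@example.edu", "u{i}@dom{i}.test")
    + ["2010-01-22T03:05:00,DELIVER,victim@example.edu,u0@dom0.test"]) + "\n"

def hourly_stats(log_text):
    """Per (sender, hour): SUBMIT count and distinct recipient domains."""
    stats = defaultdict(lambda: {"msgs": 0, "domains": set()})
    for row in csv.DictReader(StringIO(log_text)):
        if row["event-id"] != "SUBMIT":       # only mail the user submitted
            continue
        when = datetime.fromisoformat(row["date-time"]).replace(minute=0, second=0)
        entry = stats[(row["sender-address"].lower(), when)]
        entry["msgs"] += 1
        entry["domains"].add(row["recipient-address"].rsplit("@", 1)[-1].lower())
    return stats

def suspicious_senders(log_text):
    """Large hourly bursts sprayed across many domains, minus vetted senders."""
    flagged = {}
    for (sender, hour), s in hourly_stats(log_text).items():
        if sender in KNOWN_BULK_SENDERS:
            continue
        if s["msgs"] >= MIN_MSGS_PER_HOUR and len(s["domains"]) >= MIN_DISTINCT_DOMAINS:
            flagged[sender] = {"hour": hour.isoformat(), "msgs": s["msgs"],
                               "domains": len(s["domains"]),
                               "off_hours": hour.hour < 6 or hour.hour >= 22}
    return flagged
```

The professor's burst trips the volume threshold but not the domain-spread one, so only the phished account is returned; the off_hours flag is there to prioritise a review, not to decide it.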
