Just an FYI. If you allow OWA to the interweb, these scammers have scripts that can spam via compromised accounts also. We’ve never allowed POP or IMAP outside, but we had 2 accounts compromised and they each sent several thousand emails over a weekend. IIS logs ballooned during the time. Oh, and to help with this, we forced said users to re-take our online security awareness training. Funny how word of mouth works better than our training, as we’ve not had an incident in the past 2 years. I didn’t really say that, did I? ;)
From: Sharp, Kevin [mailto:[email protected]]
Sent: Friday, February 24, 2012 6:38 PM
To: MS-Exchange Admin Issues
Subject: RE: internal spam

The accounts have been compromised…usually via a phishing attempt. So the entire process of the internal attack is with a valid authenticated acct. We have our SMTP services set to be authenticated…the problem is looking for a process that we can use to identify potential accounts that are sending volumes of email and hopefully stop it before the pile of email gets too large. Usually the attack sends thousands of emails to valid and nonvalid email addresses…which of course we don’t notice until the pile of invalid email starts to pile up. I know..it is comical ☺. User education has helped, but like any good phishing attack, it only takes one bite to cause this problem.

Thanks
Kevin

From: Mike Tavares [mailto:[email protected]]
Sent: Friday, February 24, 2012 4:26 PM
To: MS-Exchange Admin Issues
Subject: Re: internal spam

1 question just to clear up some confusion on my part. Are the actual accounts in question compromised? (as in someone has direct access to the mailboxes on your server?) Or just compromised in the sense that some spammer/hacker on the outside is spoofing an email address from your company that is a legit address?

From: Sharp, Kevin <mailto:[email protected]>
Sent: Friday, February 24, 2012 12:19 PM
To: MS-Exchange Admin Issues <mailto:[email protected]>
Subject: internal spam

I’m wondering how people are dealing with compromised accounts in Exchange sending large volumes of email…essentially an internal spam attack. Occasionally a phishing attempt will make it past our spam software, and of course the odd unsuspecting user ends up with a compromised account which makes a connection to the mail system via either a compromised PC or an external connection. We notice this when the email starts piling up, and action can be taken then..but I’m wondering if there is some software or method that might have some more smarts. We’ve had numerous incidents but so far….not an easy way to distinguish a potential spam attack until after it happens, and the email starts piling up in the retry queue. I’ve looked at throttling policies and some of the transport filtering, not sure if that will help us much. What are others doing?

Thanks
Kevin Sharp

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe exchangelist
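One way to get the "more smarts" Kevin is asking for, as an added example that is not from any of the posters in this thread: the message tracking log already records every submission with sender, recipient count, source and client IP, so a scheduled Exchange Management Shell query can rank senders by outbound recipient volume and flag the ones that look like a spam run before the retry queue fills. The domain, threshold and the placeholder identity in the containment section are assumptions to adjust for your environment; the cmdlets are the standard Exchange 2010 ones (Get-MessageTrackingLog, Set-Mailbox, Set-CASMailbox, Get-Message/Remove-Message).

```powershell
# Added example (not from the thread): flag mailboxes whose outbound volume in the
# last 24 hours looks like a compromised-account spam run, then show containment.
# Assumes an Exchange 2010 Management Shell session. $Domain, $Threshold and the
# $user identity are placeholders (assumptions), not values from the thread.

$Start     = (Get-Date).AddHours(-24)
$Domain    = 'example.com'   # assumption: one of your accepted domains
$Threshold = 500             # assumption: recipients per sender per day worth a look

# RECEIVE events are message submissions. Source STOREDRIVER means the message was
# submitted from a mailbox (Outlook/OWA/ActiveSync); Source SMTP means it came in
# over an SMTP session, which is where authenticated-SMTP abuse shows up, together
# with the submitting ClientIp. Both are the paths a compromised account can use.
$events = Get-TransportServer |
    Get-MessageTrackingLog -Start $Start -EventId RECEIVE -ResultSize Unlimited |
    Where-Object {
        $_.Sender -like "*@$Domain" -and
        ('STOREDRIVER', 'SMTP') -contains $_.Source
    }

$suspects = $events | Group-Object Sender | ForEach-Object {
    $group = $_.Group
    New-Object PSObject -Property @{
        Sender     = $_.Name
        Messages   = $_.Count
        Recipients = ($group | Measure-Object RecipientCount -Sum).Sum
        # A spam run reuses one or two subjects across thousands of recipients, so
        # few distinct subjects per many recipients is a strong tell. MessageSubject
        # is only populated if subject logging is on (it is by default).
        Subjects   = @($group | ForEach-Object { $_.MessageSubject } | Sort-Object -Unique).Count
        # Submitting IPs: a user whose mail suddenly comes from an unfamiliar address
        # range over authenticated SMTP is the other strong tell.
        ClientIPs  = (@($group | ForEach-Object { $_.ClientIp } | Sort-Object -Unique) -join ',')
    }
} | Where-Object { $_.Recipients -ge $Threshold } | Sort-Object Recipients -Descending

$suspects | Format-Table Sender, Messages, Recipients, Subjects, ClientIPs -AutoSize

# Containment for an account you have confirmed as compromised; run by hand after
# reviewing the table above, before or alongside the password reset.
# $user = 'victim@example.com'   # placeholder identity (assumption)
# 1. Cap what the mailbox can still submit, so the script on the other end stalls.
# Set-Mailbox -Identity $user -RecipientLimits 10
# 2. Close the remote paths the spammer is using (the thread mentions OWA abuse).
# Set-CASMailbox -Identity $user -OWAEnabled $false -ActiveSyncEnabled $false
# 3. Purge what is already queued from that sender so it stops going out and stops
#    generating NDRs for the invalid addresses.
# Get-TransportServer | ForEach-Object {
#     Get-Message -Server $_.Name -Filter "FromAddress -eq '$user'" -ResultSize Unlimited
# } | Remove-Message -WithNDR $false -Confirm:$false
```

Run it from a scheduled task every 15 to 30 minutes and lower $Threshold outside business hours, since the runs in the thread happened over a weekend. The Recipients column catches raw volume; the Subjects and ClientIPs columns separate a real spam run from a legitimate bulk mailer, which sends many subjects from the same internal address. If Kevin's throttling policies are in play, a per-sender MessageRateLimit on a policy assigned to ordinary users caps the damage rate, but it does not identify the account, which is what the query above is for.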
