EXPERT RESPONSE
The big loophole you have remaining is your password policy. I know that you are asking yourself "what does that have to do with spam?" Well, as it turns out, a great deal.
If a spammer can compromise a legitimate account in your company, it is possible for them to relay off of your SMTP servers using an SMTP AUTH attack. In simple terms, this means relaying mail (spamming) with a valid, albeit compromised, account.
The best protection against this is a strong password policy with strict enforcement of that policy. You might also consider implementing "passphrases" (like 'You can't always get what you want'), as they are easy to remember, yet extremely complex for a brute force attack to crack. Of course, if this has already occurred, then you need to enforce a company-wide password change, along with the stronger password policy.
I would also recommend that you periodically test your external SMTP host, with a tool such as telnet, to see if you can relay off it. This is important because you don't want to just take your Internet Service Provider's word for it. It is entirely possible that a spammer has hijacked your SMTP domain name and used it for sending out spam. Of course, if they do this, it looks like it came from your SMTP domain.
Doing an NSLookup on the IP address in the header of the spam will reveal, however, that it did not come from your servers. This is very common practice amongst spammers, and it sometimes leads to the erroneous reporting of e-mail abuse to your Internet Service Provider. Most Internet Service Providers will confirm that the mail is indeed from your servers before putting you on notice, but there is always the chance they won't do their due diligence.
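The header check described above, as an added example that is not part of the original column: it pulls the connecting IP recorded in each Received: header of a constructed spam sample, compares those hops against the addresses of the SMTP hosts you actually operate, and offers the PTR lookup (the NSLookup step) for any hop you want to name. The message, the IP addresses and OUR_MTA_IPS are all constructed placeholders.

```python
import re
import socket
from email import message_from_string
from typing import List, Optional

# Constructed sample: From: claims our domain, but the Received: chain recorded
# by the recipient's ISP shows the message entered from an unrelated host.
SAMPLE_SPAM = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.isp.example (Postfix) with ESMTP id 12345
\tfor <victim@isp.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.ourcompany.example (unknown [198.51.100.77])
\tby mx.example.net with SMTP; Mon, 1 Jan 2024 09:59:50 +0000
From: sales@ourcompany.example
To: victim@isp.example
Subject: Special offer

Buy now.
"""

# Assumed placeholder: the public IPs of the SMTP hosts we actually operate.
OUR_MTA_IPS = {"192.0.2.25", "192.0.2.26"}

# Receiving servers record the peer's address in square brackets.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain_ips(raw_message: str) -> List[str]:
    """Connecting IP from each Received: header, most recent hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        match = IPV4_IN_BRACKETS.search(hdr)
        if match:
            ips.append(match.group(1))
    return ips


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup for one hop: the programmatic form of the NSLookup step."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record, or no network while testing offline
        return None


def originated_from_us(raw_message: str, our_ips=OUR_MTA_IPS) -> bool:
    """True if any recorded hop was one of our MTAs; False for a forged sender."""
    return any(ip in our_ips for ip in received_chain_ips(raw_message))
```

Only the Received: headers added by servers you trust (the recipient's own MTAs at the top of the chain) are reliable evidence; a sender can forge the ones below them, so treat a match deep in the chain with the same suspicion as the From: line.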
MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:
I ran into the same issue. I struggled to find how the spam was getting through for a long time. Finally, I had to call PSS at Microsoft. It turns out that there is an exploit/bug in Exchange 2000 server that spammers can use to send e-mail to nonexistent addresses. When they get the non-delivery report, they modify headers to send spam. The only way to turn it off is to turn off NDRs for the Exchange server.
Dave K.