Spams to all internal users & use of MIME

    Question

  • Hi

    Usually we receive spam mails to internal user IDs (99.9 % of them are blocked by anti-spam filters). We are looking for a way to avoid internal user IDs getting to spammers. Will a TLS or S/MIME implementation help to achieve this? If so, is it required to install a 3rd-party integrated CA internally?

    Thanks in advance


    LMS


    Friday, September 06, 2013 1:39 PM

Answers

  • Good advice, but no matter how complex you make your e-mail address the first infected client that sends the contents of the GAL/OAB to a 'bot-net collection site foils your scheme! Even if they only sent the addresses found on e-mail back to the collection point your addresses will eventually be discovered. Obscuring addresses only works for a while.

    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, September 07, 2013 3:03 AM

All replies

  • TLS and S/MIME aren't going to help unless you limit who can send email to your users. The problem isn't the server making the user's email address available, it's the user making it available; sooner or later you're going to be blocking legitimate email while attempting to block spam. Most of your spam attacks originate from scraping emails from address books or the web, and finally from algorithms like knowing a lot are first initial plus last name and the domain. Your best defense is a good spam filter, which it sounds like you have. The only other thing you could do is only allow email from addresses your users have sent to or addresses in their address book, but in a business world you would not get mail from anyone else, which may not be desirable. You could also make the addresses complex so they can't be guessed, but this also makes them hard to remember or communicate.
    Saturday, September 07, 2013 12:03 AM
  • Thanks Darren and Rich. We are planning to create a new address policy to make the address firstname.lastname; this is getting delayed due to the Exchange migration (2003 -> 2010).

    I'm confused about Rich's point on "infected client sends contents of GAL/OAB". How does this happen? Do you mean the infected client responds with a read receipt, or the infected client responds with all addresses in the GAL? Can you please explain this and how this can be overcome?

    Regards


    LMS

    Saturday, September 07, 2013 6:09 AM
  • I mean that the machine on which the e-mail client resides enumerates the contents of the AD (or the OAB) and sends the resulting SMTP addresses back to the collection point.

    Provided there's a working anti-virus registered on the client, the Outlook object model allows the enumeration. Earlier versions of Outlook annoyed the Hell out of people unless you deployed the public folder that allowed the enumeration to happen.

    How can that be overcome? Well, you'd have to have some way of preventing access to infected web sites. Once someone clicks on a link (and sometimes they don't even have to click on anything in a "drive-by" download) the client will install the software. Keeping client AV signatures up-to-date helps, but blocking access to infected sites is much more effective.

    A lot of 'bot-net software uses dictionary or rainbow attacks. If your Internet-facing server accepts the RCPT TO address, the attacker knows the address is "live".


    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, September 07, 2013 9:35 PM
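The last reply's point about RCPT TO is the basis of a directory harvest attack: a sender walks a dictionary of candidate addresses and uses the server's per-recipient accept/reject responses to learn which ones exist. From the defender's side the same responses are a detection signal, because a legitimate sender rarely gets more than one or two "unknown recipient" rejections while a harvester gets dozens in a short window. The script below is an added example, not code from the thread or from Exchange; it assumes a simplified receive-log format of `<ISO time> <client-ip> RCPT TO:<addr> -> <status>` (constructed here, not a real Exchange log format) and flags any client IP that collects more than `max_unknown` 550 rejections inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not an Exchange protocol log).
# 203.0.113.5 walks an alphabetical dictionary and is rejected six times in
# three seconds; the other two clients look like ordinary senders.
SAMPLE_LOG = """\
2013-09-07T21:00:01 203.0.113.5 RCPT TO:<alice@example.com> -> 250
2013-09-07T21:00:02 203.0.113.5 RCPT TO:<aaron@example.com> -> 550
2013-09-07T21:00:02 203.0.113.5 RCPT TO:<abby@example.com> -> 550
2013-09-07T21:00:03 203.0.113.5 RCPT TO:<adam@example.com> -> 550
2013-09-07T21:00:03 203.0.113.5 RCPT TO:<adrian@example.com> -> 550
2013-09-07T21:00:04 203.0.113.5 RCPT TO:<ahmed@example.com> -> 550
2013-09-07T21:00:04 203.0.113.5 RCPT TO:<alan@example.com> -> 550
2013-09-07T21:05:10 198.51.100.7 RCPT TO:<bob@example.com> -> 250
2013-09-07T21:05:11 198.51.100.7 RCPT TO:<bbo@example.com> -> 550
2013-09-07T21:30:00 192.0.2.9 RCPT TO:<carol@example.com> -> 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]+)> -> (\d{3})$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, recipient, code) tuples.

    Malformed lines are skipped instead of aborting the whole run, since a
    detection job should survive a truncated or partially written log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, rcpt, code = m.groups()
        events.append((datetime.fromisoformat(ts), ip, rcpt, int(code)))
    return events


def recipient_stats(events):
    """Per client IP: (total RCPT TO commands, 550 'unknown recipient' rejections)."""
    stats = defaultdict(lambda: [0, 0])
    for _ts, ip, _rcpt, code in events:
        stats[ip][0] += 1
        if code == 550:
            stats[ip][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def find_harvesters(events, max_unknown=5, window=timedelta(minutes=10)):
    """Return {ip: peak count} for clients that exceed max_unknown 550 rejections
    within any sliding window of the given length.

    A sliding window rather than a plain total matters: a harvester produces a
    burst, while a mailing list with a few stale addresses produces a trickle
    spread over hours that should not trip the threshold."""
    rejections = defaultdict(list)
    for ts, ip, _rcpt, code in events:
        if code == 550:
            rejections[ip].append(ts)

    flagged = {}
    for ip, times in rejections.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until every timestamp fits in the window.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_unknown:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, (total, unknown) in recipient_stats(evts).items():
        print(f"{ip:15} rcpt={total:3} unknown={unknown:3}")
    for ip, peak in find_harvesters(evts).items():
        print(f"ALERT possible directory harvest from {ip}: {peak} unknown recipients in window")
```

The output of such a check is an alert or a block-list entry for the source IP, which is the operational response to harvesting: the server still has to answer RCPT TO one way or another, and rejecting unknown recipients is generally preferable to accepting everything (accept-all hides liveness but turns the server into a source of backscatter bounces). Exchange's recipient filtering combined with the receive connector's tarpit delay slows each probe down; a detection like this one tells you which clients are probing so the delay is not the only defence.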