Forwarding emails with no spf record to spam mailbox exch 2010
-
Friday, January 13, 2012 4:14
Hi,
My manager told me that the employees "are too dumb to learn to use the junk mail folder" so I have been forced to manually clear all mail that does not have an SPF record.
Is there a way to forward all mail with None in the Received-SPF header to go to a mailbox? I made a transport rule but that didn't seem to make any difference (we don't have an edge server or anything). Just a single Exch 2010 server & a non-internet-facing 2003 mailbox server.
Thanks
Quote by andhey "hmm ill try it later, i accidentally deleted all my tv shows when trying to delete a word document lmao"
All replies
-
Friday, January 13, 2012 8:10
My manager told me that the employees "are too dumb to learn to use the junk mail folder" so I have been forced to manually clear all mail that does not have an SPF record.
Is there a way to forward all mail with None in the Received-SPF header to go to a mailbox? I made a transport rule but that didn't seem to make any difference (we don't have an edge server or anything). Just a single Exch 2010 server & a non-internet-facing 2003 mailbox server.
Just a question, why would you do this? Using SPF is optional and a given sending domain may decide to adopt/publish an SPF record or not and the latter (no SPF record) doesn't automatically mean that a given message is junk; this in turn means that moving messages from domains not publishing an SPF record to the junkmail folder will result in a whole lot of "false positives" (perfectly legit email considered "spam") and I don't think this is a desired behaviour, especially from the point of view of your users.
If you have issues related to junk email hitting your users inbox folders and if you are using the native exchange spam filtering, I think you'd better revise the spamfilter settings and ensure they're correct (DNS black and white lists, senderid/SPF checks) and then proceed fine-tuning your SCL values so that emails will automatically be directed to the junk email folder in case they fall inside the "possible spam" range ... or rejected in case they are at or above the "sure spam" value
my 2 cents
-
Sunday, January 15, 2012 21:59
We have zen and spamcop IP blocklists, we are using native spam filtering, the issue is that the spam we are getting scores a SCL of 3, and we often get emails that are just blank with a PDF attached from customers so anything less than 6 isn't an option unfortunately. We have also updated the filter when the updates have come up.
And while I would like to do that with the junk mail folder (sensible option) again my manager believes our users are too stupid, even if I was to send out a how-to.. lol
Basically we have few customers so eventually I will have whitelisted all of the domains, and it would stop people from getting spammed. I've tried doing keywords but they still get through.
Also is there a MS email address to forward spam to? i.e. to help improve the built in spam filter.
Quote by andhey "hmm ill try it later, i accidentally deleted all my tv shows when trying to delete a word document lmao"
- Edited by Julius Roschach Sunday, January 15, 2012 22:37
-
Sunday, January 15, 2012 22:51
Agree with ObiWan. The problem with your plan is that you want to filter emails based on the wrong criteria. I am sure that if you manage to set up such a filter you will remove it very quickly.
Q> Also is there a MS email address to forward spam to? i.e. to help improve the built in spam filter.
A> No the built-in Content Filter is not able to do that. The filter follows the latest spam exclusively through MS Updates.
IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
-
Sunday, January 15, 2012 23:05
Sorry, I am not sure if you understand my question.
I wanted to know if Microsoft had an address where people could forward spam to, so that they can catalogue it and improve their built in content filter, then send out updates via Windows Update.
And with that specific scenario how would you guys fix it? The SCL of the spam is 3, we aren't allowed to use junk mail folders (I know this is stupid but it is not my decision), and so far keywords haven't helped much without being too generic.
The only thing that is consistent with all the spam going through is that it has no SPF record. We have few customers (we are a wholesaler) so within a month I would have all of the domains whitelisted.
Quote by andhey "hmm ill try it later, i accidentally deleted all my tv shows when trying to delete a word document lmao"
- Edited by Julius Roschach Sunday, January 15, 2012 23:06
-
Monday, January 16, 2012 8:15
I am not aware of such a spam feedback service.
If your problem is that you cannot use the Junk Folder, and you are willing to use a central mailbox, then have you considered using the Quarantine Mailbox functionality?
In Exchange 2010, the Content Filter allows you to specify a quarantine threshold. Emails having a rating greater or equal to the specified rating would be routed to the specified address.
More details on the content Filter:
http://www.exchangeinbox.com/article.aspx?i=104
IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
- Proposed as answer by Gavin-Zhang Tuesday, January 17, 2012 9:28
- Marked as answer by Gavin-Zhang Tuesday, February 7, 2012 6:08
-
Tuesday, January 17, 2012 0:59
I have that in place.
If I quarantine all emails with a SCL rating of 3 or higher (to stop the spam that is bypassing the filter) I would have to check every email that reaches us almost.
I have a SCL rating of 7 set for quarantine.
I would like to quarantine all emails from domains without SPF records, and I will whitelist them one by one. We have few customers as we are a wholesaler so this process while tedious can work out.
Quote by andhey "hmm ill try it later, i accidentally deleted all my tv shows when trying to delete a word document lmao"
- Proposed as answer by Gavin-Zhang Tuesday, January 17, 2012 9:27
-
Tuesday, January 17, 2012 13:22
Ok.
The only way you can do this SPF rule from within Exchange in your case, is through Hub Transport Rules.
So your only hope is to fix the Rule.
I believe the problem might be that the SPF header is being added by Exchange itself. So maybe the header is not available to the transport rule at the time of processing. However here I am just speculating since I never tried this.
IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
- Proposed as answer by ObiWan Thursday, January 19, 2012 7:53
- Marked as answer by Gavin-Zhang Tuesday, February 7, 2012 6:08
-
Tuesday, January 17, 2012 13:51
We have zen and spamcop IP blocklists, we are using native spam filtering, the issue is that the spam we are getting scores a SCL of 3, and we often get emails that are just blank with a PDF attached from customers so anything less than 6 isn't an option unfortunately. We have also updated the filter when the updates have come up.
ZEN (spamhaus) and spamcop won't cover you 100% you'll need to add some more DNSBLs and, since you're running exchange 2010 you may use some black and white lists combo to reduce false positives; as for the blank emails with attached PDF files, those shouldn't be a big issue, especially if they come from known senders; in such a case it would be easy to whitelist the sender so allowing the message to get in; getting back to spam filtering, I think that you may find interesting to read this and this and follow the suggestions found there (also see the various links)
And while I would like to do that with the junk mail folder (sensible option) again my manager believes our users are too stupid, even if I was to send out a how-to.. lol
Users can be "educated" to use the tools, as long as whatever tool they use won't be too complex and as long as they'll realize that using it will improve their "computing"; also, keep in mind that properly setting SCL values will mean that "bad emails" will go straight to the users "junkmail" folder, so there isn't so much the users will have to do, set aside having a look at the junk folder from time to time... but they'll learn that quickly if you set things up the right way
Basically we have few customers so eventually i will have whitelisted all of the domains, and it would stop people from getting spammed.
Hey, cool idea (NOT) basically you're allowing anyone SPOOFING one of those domains to pump in spam; not exactly a good idea, nor something I'd expect to see on a "live" filtering system; it's just stupid and also means that you didn't take time to fathom the various filtering options and fine tune them; again, you NEED to revise your filtering configuration, to setup the filters to REJECT invalid messages and, in general to better tune your SCL values since the current ones are ... "unreal"
Also is there a MS email address to forward spam to? i.e. to help improve the built in spam filter.
No, at least not a public one ... but you may try looking here and here to find some contact information and pointers, but I strongly doubt Microsoft will follow you with this, again, the approach you're trying to take is totally wrong
[edit]
Forgot an important detail; email servers make extensive use of DNS; to find out the MX which they need to route outbound email, to run SPF checks and to perform DNS whitelist and blacklist checks, this means that you'll need to ensure that the DNS servers your Exchange is using are correctly configured and that they are NOT using forwarders (like OpenDNS or GoogleDNS or even your ISP DNS servers), otherwise your DNSBL queries will FAIL and you'll find yourself with a whole lot of incoming junk email.
-
Tuesday, January 17, 2012 13:53
If i quarantine all emails with a SCL rating of 3 or higher (to stop the spam that is bypassing the filter) i would have to check every email that reaches us almost.
Man, this is CRAZY ! If you're getting JUNK emails with an SCL score of 3, then your filtering isn't correctly configured so the "backend" SCL checker is letting them through; again, you'll need to carefully revise your filtering and your settings
-
Tuesday, January 17, 2012 13:56
The only way you can do this SPF rule from within Exchange in your case, is through Hub Transport Rules.
Alexander... are you really suggesting to skip the regular SPF mechanism and try to use SPF for such a kind of totally upset configuration? Seriously, not only that would pose a load on the server, but it will also create a whole category of issues by itself; I sincerely believe that it would be a far better idea understanding (and I mean REALLY understanding) how spam filtering works and then implementing it the right way instead of trying at all costs to set up some naive solutions which won't solve anything and will only serve to run against a wall
-
Tuesday, January 17, 2012 17:13
I already explained to him that what he wants to do is wrong (see previous posts).
But if the guy insists on shooting himself in the leg, so be it. This is my philosophy.
IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
-
Tuesday, January 17, 2012 22:19
l add some more black lists, if we whitelist senders doesn't that mean they will be able to spoof us? I think it's fine but you had a go at me about it in your 3rd point.
RE Junk
Again I strongly believed that was the way to do things but my manager does not. While I would like everything here to be best practise it is not my organisation, I am just an employee and some decisions are made for me. I am sure that anyone who has worked a job in a lower role can vouch for this. Ideally I would have liked to set a low SCL rating, have the junk go to their mailboxes then they could whitelist the senders themselves.
Right now we are using the default DNS servers that come with the 2008 R2 install. I will check if any of those are forwarders.
And yes that is why I am trying to do a dodgy solution such as that. We are getting spam getting through with a SCL rating of 3-4-5. A fair %age of genuine emails score a rating of 6. The only common factor is a lack of SPF record.
If I could WEIGHT the non SPF emails by say 4 points, that would help greatly.
And again. It is not my system. I am not responsible. I am just told what to do. If this all backfires (which it probably will as mistakes will be made) my manager will be in trouble for it, not me. I am sure a future employer will see this and hopefully they will understand. I have voiced my own concerns and he has told me what to do. To be honest, getting 2 spam emails a day, I wouldn't really be worried about it, but the people that get it are higher-ups and they get them at fun times like 2-3am (and tell me off because their phone wakes them) so I have to deal with this seriously.
**Edit**
Example of low SCL rating spam3
---------Fw: Current Open Position - ID : S65QQ1458505C..
Hello,
THL, an American luxury goods firm, is currently seeking administrative assistants/sales support representatives within Australia to work from home, to contribute to the sales force and add convenience to our service dedicated to individuals, businesses, and organizations all over the world.
This vacancy focuses on the management of daily, weekly and monthly tasks and special projects pertaining to the sales support for sales in Australia.
Primary responsibilities include:
- Assisting Company's Sales Department in a support role performing special projects, data entry and other duties as assigned
- Maintaining tracking spreadsheet for all purchases and payments completed
- Providing general administrative support including drafting of correspondence, processing purchase orders and expense reports etc.
- Emailing correspondence on a daily basis
Hours: You can work on a full time or part time position. Your timetable can be flexible.
For a part time position - you will need to spend on average 3 hours per day, from Monday to Friday.
Salary: Base pay for a part time position is 1,800AUD per month plus 5% commission from each successfully completed deal with a client.
Location: This is a work at home vacancy. All communication will be held online. During training/trial period assistance can be provided by phone.
Requirements: You need to have a PC, Internet access, pre-installed Excel and motivation.
Costs and Fees: There are NO costs involved for our employees.
All fees related to this vacancy are covered by the company.
Further Hiring Process: Please email your resume to: helen@thl-recruit.com
In your email please state if you are interested in a part-time or a full-time employment. After reviewing the submitted applications we respond to successful applicants only. Then we offer to the successful applicants a position within our company on a trial period basis for one month.
During this trial period you will be receiving training and online support while working and being paid. By the end of the trial period, the supervisor can recommend continued employment, extension of trial period, or termination. After the trial period your base pay will increase.
Send any questions you may have and your resume to helen@thl-recruit.com
Thank You,
THL Team.
------------
5-----------
---------------
5
A technology developed in the Phoenix can used as an alternative for treating common forms of skin cancer. There's now a non-surgical option to consider.
When a woman from Queensland was diagnosed with Basal cell carcinoma, the first option was surgery.
She had a number of surgeries to remove previous lesions including a basal cell carcinoma.
After a new lesion appeared on her right cheek, her doctor adviced an alternative for treating common types of cancer, including the topical application of cannabis extracts.
Cannabis extracts were applied daily until the surgeon stated that there was no need for surgery since the lesion on her right cheek was gone."
Medical and Health Care Investors
We are looking for leading medical and health care investors to help provide excellent and efficient medical and health care for our future researches. If you believe you can make a difference in people’s lives, we welcome you to contact us for more information.
For more information, please visit
http://www.cannabissciencekillscancer.com
Disclaimer: When a patient is deciding what type of treatment they want to pursue, they should talk with their doctor first, about the specific cancer type that they have and discuss the treament course.
- Edited by Julius Roschach Tuesday, January 17, 2012 22:28
- Edited by Julius Roschach Tuesday, January 17, 2012 22:30
- Edited by Julius Roschach Wednesday, January 18, 2012 22:25
-
Wednesday, January 18, 2012 10:40
The point is that, if a given domain has no SPF record and you whitelist it, ANYONE may then send emails pretending to be from such a domain (but being spoofed) and such email will get through your filters so, you'll be basically open holes to incoming junk; as for the spam filtering configuration, I already posted links to discussions (also containing links to documents) which should give you enough information to get started and properly configure your spam filtering, so I won't go over those again, it's just a matter of reading the infos
l add some more black lists, if we whitelist senders doesn't that mean they will be able to spoof us? I think it's fine but you had a go at me about it in your 3rd point.
That's not how it should work; may I humbly suggest you to read this? The overall idea is that, using SCL you'll be able to configure three "zones" for the incoming emails; the "ham" one, that is email being under the lower level, the "uncertain" one, that is email being above the lower level and below the higher one and the "junk" one, that is mail which is for sure spam and should be rejected; messages falling inside the "uncertain" zone will land inside the end users' "junk mail" folder and the user will then be able to deal with them as they want, that is move them to inbox and "whitelist" them or either delete them... then ok, I simplified it, so, again... read that document, please.
RE Junk
Again I strongly believed that was the way to do things but my manager does not. While I would like everything here to be best practise it is not my organisation, I am just an employee and some decisions are made for me. I am sure that anyone who has worked a shit job can vouch for this. Ideally I would have liked to set a low SCL rating, have the junk go to their mailboxes then they could whitelist the senders themselves.
Right now we are using the default DNS servers that come with the 2008 R2 install. I will check if any of those are forwarders.
And yes that is why I am trying to do a dodgy solution such as that.
The "default DNS servers" as you call them are there only if you decide to install them; as for forwarding, to ensure they aren't using any forwarders you'll need to check they're correctly configured for internet resolution; for such a purpose, I suggest you to read this and, while checking or redoing the configuration, to ensure that the forwarders are empty
As for the spam you posted; posting the body of spam messages is as useful as a bicycle to a fish :) what we need to check those messages are the headers; the body may only be useful to check if it contains URLs which may help understanding the type of "junk" (spam, malware, phishing...) but in general, the body isn't useful to track a given spam message and understand why it got through
-
Wednesday, January 18, 2012 22:27
That's not how it should work; may I humbly suggest you to read this? The overall idea is that, using SCL you'll be able to configure three "zones" for the incoming emails; the "ham" one, that is email being under the lower level, the "uncertain" one, that is email being above the lower level and below the higher one and the "junk" one, that is mail which is for sure spam and should be rejected; messages falling inside the "uncertain" zone will land inside the end users' "junk mail" folder and the user will then be able to deal with them as they want, that is move them to inbox and "whitelist" them or either delete them... then ok, I simplified it, so, again... read that document, please.
I read that for giggles, and I understand your point. At a previous job I had their 2k3 server set up like that, with 7 for archive, 8 for instant delete, 5 for junk mail folder. But I have been told that I am not to put mail in people's junk mail folders as "they are too stupid". If I were to do this and argue with my manager again he would revert it and probably fire me IDK... Works great for them but he doesn't care.
I will review our DNS according to that article.
It is obvious that you guys cannot understand the stupid situation I am in, and that my manager can't understand the proper way to go about things so I think I will just have to leave this. The whole point of this request was to implement a hack solution (not hack a solution but a hack of a solution) because of their stupid management decisions. I tried doing it with hub transport rules before coming here but I had no such luck. With our 2k3 server it was set to block all non SPF email which is probably why we didn't have issues till now.
If you want the headers I can post them, otherwise I would consider this closed. I do appreciate the fact that you replied about 7 times even though I have been throwing your advice to the wind but you must understand I make 0 decisions here, I just implement things that are decided for me. It is not my role to tell management that it cannot be done or that if we do it it will blow up down the track as I have a manager. If you can help with other ways I would be glad but I cannot use the junk mail folder capacity of the inbuilt spam filter full stop.
Quote by andhey "hmm ill try it later, i accidentally deleted all my tv shows when trying to delete a word document lmao"
-
Thursday, January 19, 2012 7:53
I see your point now; given that you've no alternative (that is, no way to PROPERLY set things up), I think your only option is the one proposed by Alexander; I don't like it (and Alexander doesn't either, given what he wrote :D) but if the "boss" wants to screw things that way... let him go, but PLEASE, ensure to have something WRITTEN which will state that you're doing that because the "boss" ordered you to do so, that way, when the "stuff" will hit the fan you won't be the one to blame :)
- Marked as answer by Gavin-Zhang Tuesday, February 7, 2012 6:08
-
Thursday, January 19, 2012 7:56
If I quarantine all emails with a SCL rating of 3 or higher (to stop the spam that is bypassing the filter) I would have to check every email that reaches us almost.
Well... you may use a script; I mean, you may set up exchange to quarantine emails with an SCL rating of 3 (or higher) and then use a script to check the emails, find out the ones to "unblock" and forward them to their recipients (inbox); not really efficient but may work.
[edit]
Have a look here, it may be possible to configure the exchange 2010 to stamp the status in each received message, at that point, you may use some code to revise the status and take action based upon the status; in your case you'll probably want to deal with the messages flagged as "neutral" and "none"
HTH
- Edited by ObiWan Thursday, January 19, 2012 8:00
- Marked as answer by Gavin-Zhang Tuesday, February 7, 2012 6:09
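
The kind of status-based script suggested in the last reply, as an added Python example that is not code from the thread: it reads the stamped Received-SPF verdict and the SCL from each message, adds a penalty when the verdict is None or Neutral, and holds allowlisted senders that could not be authenticated for manual review instead of releasing them. The sample messages, the `.example` domains, the +4 penalty, the use of the From domain, and the presence of `X-MS-Exchange-Organization-SCL` on the exported message are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

SPF_PENALTY = 4      # assumption: the "+4 points" weighting asked for in the thread
QUARANTINE_AT = 7    # the quarantine SCL threshold mentioned in the thread
UNVERIFIED = {"none", "neutral", "missing"}   # no usable SPF verdict


def spf_result(msg):
    """Verdict word of the topmost Received-SPF header, or 'missing'."""
    values = msg.get_all("Received-SPF") or []
    # Only the topmost header was stamped by the receiving server; any
    # lower one arrived with the message and can be forged by the sender.
    tokens = values[0].split() if values else []
    return tokens[0].strip("();:").lower() if tokens else "missing"


def scl_value(msg):
    """SCL stamped by the Content Filter; 0 when absent or unparsable."""
    try:
        return int(msg.get("X-MS-Exchange-Organization-SCL", "0").strip())
    except ValueError:
        return 0


def triage(raw, allowlist=frozenset()):
    """Return the verdicts and a deliver / review / quarantine decision."""
    msg = message_from_string(raw)
    spf, scl = spf_result(msg), scl_value(msg)
    # Assumption: the From domain stands in for the domain that was checked.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    unverified = spf in UNVERIFIED
    score = scl + (SPF_PENALTY if unverified else 0)
    if spf in ("fail", "softfail"):
        action = "quarantine"
    elif unverified and domain in allowlist:
        # An allowlisted name without an SPF verdict may be spoofed, so a
        # person decides instead of the allowlist releasing it blindly.
        action = "review"
    elif score >= QUARANTINE_AT:
        action = "quarantine"
    else:
        action = "deliver"
    return {"domain": domain, "spf": spf, "scl": scl,
            "score": score, "action": action}


def sample(sender, spf, scl):
    """Build a constructed test message (not real mail)."""
    lines = [f"From: {sender}", "To: staff@corp.example",
             "Subject: constructed sample",
             f"X-MS-Exchange-Organization-SCL: {scl}"]
    if spf:
        lines.insert(0, f"Received-SPF: {spf} (mail.corp.example: constructed)")
    return "\n".join(lines) + "\n\nbody\n"


ALLOWLIST = frozenset({"partner.example"})
SAMPLES = {
    "customer_pdf": sample("orders@customer.example", "Pass", 6),
    "job_spam": sample("helen@bulk.example", "None", 3),
    "allowlisted_no_spf": sample("accounts@partner.example", "None", 1),
    "no_stamp": sample("info@other.example", None, 1),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw, ALLOWLIST))
```
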

