How to prevent spam from authenticated users?

  • Question

  • Hi guys, I'm having some issues lately with users getting their smartphones infected and sending a lot of spam to external addresses via our Exchange system. This leads to blacklisting and mass hysteria... Our antispam system (FortiMail) doesn't have a submission rate control, and MS applies the native one only to SMTP submission, it seems.

    What do you do to prevent that kind of trouble? I cannot control user's devices, we let them use their own.

    PS

    Lowering the recipient rate could help but could backfire (prevent legitimate emails), while spam software could easily send more mails with fewer recipients to avoid being blocked.

    Bye, Dario


    Dario Palermo


    • Edited by Dario Palermo Monday, March 18, 2019 9:42 PM missed the ? in the question
    Monday, March 18, 2019 9:41 PM

All replies

  • Hi Dario,

    As per my experience, it is difficult to avoid spoofing completely. However, you can try the following methods to alleviate the issue.

    1. Add an SPF record listing the IP addresses that are authorized to send emails from your domain. Or use a dedicated receive connector that limits the IP range to your LAN network. For a step-by-step walkthrough, you can refer to How to prevent internal email spoofing in an Exchange organization

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information, and the changes made in the above blog are not officially supported by Microsoft.

    2. Add DKIM and DMARC records. There is a chance that the authorized servers on the SPF list can be compromised and spoofed messages sent from them. DKIM is a process through which the recipient domain can validate that the messages originated from the actual sender domain and were not spoofed.


    Regards,

    Dawn Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Tuesday, March 19, 2019 7:54 AM
    Moderator
  • That's not my case... the spam emails are not spoofed because they are sent from legitimate clients via the valid user account. Even worse, the sending devices are users' smartphones and not company workstations (which have an endpoint control suite and such on them).

    Bye


    Dario Palermo

    Tuesday, March 19, 2019 8:30 AM
  • Hi Dario,

    Well. If the spam is coming from an infected device, I'd remove the mailbox account from the device, disconnect the device from the network, change the account password in AD, wipe all contents and settings on the device and reinstall it from scratch. Moreover, I might also change the firewall passes.

    Regards,

    Dawn Zhou



    Sunday, March 24, 2019 2:52 PM
    Moderator
  • Hi Dawn, thank you for your reply. Your suggestions are all about remediation and not prevention. And some of them I cannot even apply (personal smartphones are not in my management domain so I can only do some of the actions you suggested).

    PS

    Why should I change the firewall passes (passwords?)? They send spam from outside my company network, via public connections to our public-exposed exchange server, using activesync or Outlook on the web.

    bye


    Dario Palermo

    Sunday, March 24, 2019 4:35 PM
  • 
    If this is about prevention then you need to be able to control their mobile devices, otherwise everything you are asking for is remediation. How do the mobile devices become infected? 

    Sunday, March 24, 2019 4:46 PM
  • From my perspective, it's prevention. I need to prevent the spam from being accepted by my server and subsequently sent out (mainly) to external recipients.

    I could have infected users or also deliberately spamming users; that doesn't matter in the end. I would like to control the mail flow even when its source is authenticated.

    Ps

    I cannot tell how their smartphones became infected; it's their personal devices we're talking about.

    Bye


    Dario Palermo

    Monday, March 25, 2019 8:19 AM
  • Hi Dario,

    As you said, the issue is caused by infected mobile devices, and these messages are sent from legitimate clients and valid accounts. Hence, the effective prevention is to prevent the mobile devices from being infected.

    Regards,

    Dawn Zhou



    Thursday, March 28, 2019 4:34 PM
    Moderator
  • Hi Dawn,

    that's your opinion and a very limiting (and very often inapplicable) solution. Every free or paid mail provider has its own outgoing mail detection systems (for their legitimate and authenticated users) to prevent being a spam source. Outlook 365 has them, Exchange hasn't. Another subtle push from Microsoft towards its cloud services, probably...

    I'll look into third party antispam solutions (other than the one I've already got today), anyway.

    Bye


    Dario Palermo

    Thursday, March 28, 2019 5:29 PM
  • Hi Dario,

    For Exchange on-premises, SPF and DMARC records can detect the spam source to a certain degree. They are part of the Exchange antispam. You can create SPF and DMARC records, or use a third-party solution for antispam.

    Sender ID

    Regards,

    Dawn Zhou



    Wednesday, April 3, 2019 2:00 AM
    Moderator
  • Hi Dawn

    both SPF and DMARC are irrelevant in this case, as the spam travels through our legitimate Exchange servers: the DMARC signature is applied and the SPF record matches.

    Probably the only solution is the third-party antispam, but the lack of basic flow control in Exchange is astonishing.

    Bye


    Dario Palermo

    Wednesday, April 3, 2019 8:33 AM
  • Hi Dario,

    Thanks for your update.

    Yes, I know that SPF is not relevant to your situation. I just want to clarify that on-premises Exchange uses those records to detect outbound messages, but they can't totally prevent spam. To address your issue, you might need a more elegant antispam solution.

    Regards,

    Dawn Zhou



    • Marked as answer by Dario Palermo Monday, April 8, 2019 3:16 PM
    Monday, April 8, 2019 9:46 AM
    Moderator
  • SPF is a DNS-based solution, totally independent from the mail server software, just to be precise.

    Anyway, thanks for the time; it's always nice to receive support or advice even when the problem does not get solved.

    I'll mark your latest as answer to this.

    Bye


    Dario Palermo

    Monday, April 8, 2019 3:16 PM
  • Hi Dario

    I have exactly the same problem on my Exchange 2019 server. A BYOD Mac had been hacked; the spammers got all the passwords, which were then used to send "authenticated spam" using our Exchange Server :-/
    For the Sophos UTM, which accepts the mails from outside, the spam seemed to be too new to be recognized as spam.
    The only thing I can do is to enforce a long and complex password. But it doesn't help if the spammers get access to that password somehow. Turning off IMAP/POP/SMTP from outside is not possible at the moment.

    On Exchange I've seen two puzzle pieces which could prevent a lot of spam: a maximum number of e-mails per hour, and limiting sending to my own country.

    Throttling Policies
    So far I've seen throttling policies, which we will apply to all accounts. Each account can have one policy, but different ones can be configured for several account usages. This example creates a throttling policy named LimitMessagesSent. The user can send messages to a maximum of 300 recipients every day and 10 messages per minute.

    New-ThrottlingPolicy -Name LimitMessagesSent -RecipientRateLimit 300 -MessageRateLimit 10
    https://community.spiceworks.com/topic/2111252-throttling-msgs-per-minute-by-mailbox-address-in-exchange-2016

    I'm sure there are other parameters for the throttling policy to prevent spam, but there are like 1000 parameters...
    https://docs.microsoft.com/en-us/powershell/module/exchange/server-health-and-performance/Set-ThrottlingPolicy?redirectedfrom=MSDN&view=exchange-ps

    Limiting sending to own country or geo-blocking
    I haven't found an elegant way to limit accepting POP/IMAP/SMTP only from my own country and not from worldwide.
    There is a description of how to block mails, but it seems to be a lot of work and the example uses Exchange 2003
    https://www.slipstick.com/exchange/filtering-email-by-region-in-exchange-server/

    Client Access Rules
    Maybe Client Access Rules could also be used to prevent this kind of spam.
    I can block the EAC in a specific region using them
    https://www.codetwo.com/admins-blog/how-to-block-external-access-to-exchange-admin-center-in-exchange-2019-via-client-access-rules/
    but unfortunately not SMTP...
    https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules
    https://docs.microsoft.com/en-us/exchange/clients/client-access-rules/client-access-rules?view=exchserver-2019

    Any other suggestions on how to prevent this kind of spam when spammers get hold of the password?

    Thanks
    Susanne

    P.S.
    There is also my text in German about this problem
    https://social.technet.microsoft.com/Forums/office/de-DE/85791f2d-7566-4711-a951-ccf537722164/gehacktes-mailkonto-versendet-spam-gt-wie-prventiv-verhindern-in-zukunft?forum=exchange_serverde

    Friday, December 20, 2019 11:05 AM
  • In our case, we don't have SMTP/POP3/IMAP enabled and we have over 1700 active users at the moment (and about 1000 who could ask for their company email to be activated), so both solutions (geo-blocking and global throttling) are not viable (global throttling would need limits so large that spam could easily pass).

    However, in our antispam solution we were able to enable per-sender email throttling. This at least gives us some time to react (sadly, most of the incidents appear overnight, as the spammer software tries to work unnoticed), while we can still hit some spamtraps. And if we do not react promptly and block the user account, the throttling policy will not help at all, because the email will eventually be sent.

    bye, Dario


    Dario Palermo

    Friday, December 20, 2019 1:15 PM
  • Hi Dario

    That means your solution is still manual work in order not to end up on (too many) blacklists?

    Btw, you can define different throttling policies for different users even on Exchange 2013 - it seems to be the same in Exchange 2013 as in 2019, if I interpret the doc correctly
    https://docs.microsoft.com/en-us/exchange/change-user-throttling-settings-for-specific-users-exchange-2013-help

    I see throttling also offers TarpitInterval on Receive connectors - ok, that's a different problem area..
    https://docs.microsoft.com/en-us/exchange/mail-flow/message-rate-limits?view=exchserver-2019

    It would be neat to have a possibility that sending E-Mails from too many different ip-addresses for the same user account could be limited or even blocked, if the distances are way beyond real travel time of "devices", e.g. within a minute or an hour - no one travels thousands of km forth and back...

    Bye
    Susanne

    Friday, December 20, 2019 2:10 PM
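    The following is an added example, not a command from Susanne, Dario or Microsoft's documentation. It extends the New-ThrottlingPolicy one-liner above into the per-user scoping Susanne mentions: a restrictive policy is created with Regular scope and assigned only to mailboxes in one OU, so the organization default stays in place for everyone else. The policy name, limits and OU path are assumptions. As Dario observes further down, the MessageRateLimit applies to SMTP client submission, so this limits POP/IMAP clients sending through SMTP and does not by itself throttle ActiveSync or OWA submissions.

```powershell
# Added example, not from the original thread. Run in the on-premises Exchange
# Management Shell. Policy name, limits and the OU path are assumptions.

# RecipientRateLimit is recipients per 24 hours, MessageRateLimit is messages
# per minute. MessageRateLimit is enforced on SMTP client submission (POP/IMAP
# clients sending via SMTP), not on ActiveSync or OWA submissions.
$Policy = New-ThrottlingPolicy -Name 'LimitMessagesSent' `
    -ThrottlingPolicyScope Regular `
    -RecipientRateLimit 300 `
    -MessageRateLimit 10

# Apply it only to mailboxes in a dedicated OU (assumed path), not org-wide.
$Scope = 'contoso.local/Users/BYOD'
Get-Mailbox -OrganizationalUnit $Scope -ResultSize Unlimited |
    Set-Mailbox -ThrottlingPolicy $Policy.Identity

# Verify: every mailbox in the OU should now report the policy; mailboxes with
# an empty ThrottlingPolicy keep inheriting the organization default.
Get-Mailbox -OrganizationalUnit $Scope -ResultSize Unlimited |
    Select-Object Name, ThrottlingPolicy

# Roll back for a single user if the limit blocks legitimate mail:
# Set-Mailbox -Identity 'alice@contoso.com' -ThrottlingPolicy $null
```

    Keeping the restrictive policy at Regular scope matters: changing the Organization-scope policy would hit every mailbox, which is exactly the global-limit problem Dario describes for 1700 users.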
  • If I am correct, per-sender throttling policies are applied only on SMTP connections (I tried that solution and it didn't work, if I remember correctly).

    Still, even with that kind of solution, you have to step in at some point, as the outgoing email will be accepted, just at a slower rate (and that is what we do on our antispam solution, which also sends a notice to us mail admins to investigate the situation).

    The point is the lack of an account quarantine feature when the throttling limits are surpassed. I could set up something that gets the alarm from the antispam device and interacts via remote PowerShell with Active Directory (giving the right permissions to the service user involved), and probably I'll come up with something in the next few weeks...

    Bye, Dario


    Dario Palermo

    Friday, December 20, 2019 2:40 PM
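    Below is an added example, not Dario's script or anything posted in the thread. It implements the "account quarantine when the limit is surpassed" idea from the last post, with one substitution: instead of an alarm from the FortiMail appliance, it uses the Exchange message tracking log as the trigger, counting external recipients per authenticated sender over a sliding window. It assumes an Exchange Management Shell session on a Mailbox server with the ActiveDirectory module available; the server name, internal domain, thresholds and window are assumptions. Without the -Quarantine switch it only reports, so it can be scheduled and reviewed before being allowed to disable anything.

```powershell
# Added example, not from the original thread. Server name, domain, threshold
# and window are assumptions; the tracking log replaces the antispam alarm.
param(
    [string]$TransportServer = 'EX01',        # assumed Mailbox server name
    [string]$InternalDomain  = 'contoso.com', # assumed accepted domain
    [int]   $MaxExternalRcpt = 150,           # assumed: external recipients per window
    [int]   $WindowMinutes   = 60,
    [switch]$Quarantine                        # omit to report only
)

$Start = (Get-Date).AddMinutes(-$WindowMinutes)

# STOREDRIVER/RECEIVE events are messages submitted from a mailbox, the path
# Outlook, OWA and ActiveSync use. SMTP client submissions are not counted here.
$Submitted = Get-MessageTrackingLog -Server $TransportServer -Start $Start `
    -EventId RECEIVE -Source STOREDRIVER -ResultSize Unlimited

# Sum external recipients per sender; internal-only mail does not count.
$Offenders = $Submitted |
    Group-Object -Property Sender |
    ForEach-Object {
        $external = @($_.Group | ForEach-Object { $_.Recipients } |
            Where-Object { $_ -notlike "*@$InternalDomain" }).Count
        [pscustomobject]@{
            Sender             = $_.Name
            Messages           = $_.Count
            ExternalRecipients = $external
        }
    } |
    Where-Object { $_.ExternalRecipients -gt $MaxExternalRcpt }

foreach ($o in $Offenders) {
    Write-Warning ("{0}: {1} messages, {2} external recipients in the last {3} min" -f
        $o.Sender, $o.Messages, $o.ExternalRecipients, $WindowMinutes)
    if (-not $Quarantine) { continue }

    $mbx = Get-Mailbox -Identity $o.Sender -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }   # not a mailbox we manage (e.g. a system sender)

    # Quarantine: close the client protocols the spam arrives over, disable the
    # AD account so the stolen credentials stop working, and purge what is still
    # queued. Re-enabling is a deliberate manual step after the device is cleaned.
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncEnabled $false `
        -OWAEnabled $false -PopEnabled $false -ImapEnabled $false
    Disable-ADAccount -Identity $mbx.DistinguishedName
    Get-Message -Server $TransportServer -ResultSize Unlimited `
        -Filter "FromAddress -eq '$($o.Sender)'" |
        Remove-Message -WithNDR $false -Confirm:$false
}
```

    Run it unattended every few minutes (a scheduled task under a service account holding the Mail Recipients and Transport Queues roles plus AD rights to disable users); the window and threshold should be set from a week of normal traffic so a legitimate bulk sender is not quarantined. Disabling the AD account alone is not enough to stop an ActiveSync device mid-sync, which is why the CAS protocol switches are flipped as well, and purging the queue is what keeps the already-accepted spam from reaching a spamtrap while the admins investigate.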