From the category archives:

Anti-spam

Happy New Year, You Just Won a Gazillion Dollars!

January 3, 2011

With the end of holidays comes the beginning of a new year, and this year a new decade. I’ve had a longer semi-vacation in December, and I’m looking forward to the promise of an exciting 2011. The part that I least look forward to is all the Christmas/New Year spam, some of which inevitably makes [...]


Using Transport Rules to protect your organization from the ‘Here You Have’ Worm

September 10, 2010

The Here You Have worm, also known as Visal.B, has been spreading through network shares and email (more details on Microsoft’s Malware Protection Center web site). When spreading through email, the worm sends itself to your contacts with the following strings in the Subject field and message body: Subject: Here you have Body: Hello: This [...]


Social Engineering Attack Disguised As Mailbox Quota Message

June 21, 2010

Social engineering is all about psychological attacks: convincing a user to willingly divulge information is much more convenient, in most cases, than actually brute-forcing your way in. Attackers with very little technical sophistication (and perhaps some great social skills) can easily prey upon even the more vigilant users. I would’ve held on to my belief [...]


Connection Filtering, RBLs and SMTP logs in Exchange 2007/2010

July 27, 2007

Exchange Server 2003’s Connection Filtering feature allows you to block connections from IP addresses explicitly added to the Global Deny List, or drop messages from IP addresses listed on an RBL (Real-Time Blackhole List / Real-Time Block List). Note: The term “RBL” is commonly used to describe DNS Black Lists (DNSBLs), but it’s a trademark [...]


Why Get-TransportAgent doesn’t agree with the Exchange console

July 6, 2007

You disable a particular anti-spam agent — let’s say the Content Filtering Agent, using the Exchange Management Console (EMC). Figure 1: Disabling a transport “agent” in the Exchange Management Console Next, you use the Get-TransportAgent command to get the status of transport agents — and surprisingly the Content Filter Agent shows up as Enabled! Figure [...]


Protect users from spam from your own domain in Exchange 2010 and Exchange 2007

May 1, 2007

One of the common complaints from users and many messaging folks is spam received from senders that appear to be from your own domain. SMTP mail is exchanged with anonymous Internet hosts without any authentication. Headers can be and are effortlessly spoofed. Rather than using an unregistered or invalid domain in the From: header, many [...]


RFC 2821, HELO again: Validating the HELO/EHLO domain

April 19, 2007

RFCs 2821 and 1869 specify the format of HELO/EHLO commands issued by an SMTP client to initiate an SMTP session. RFC 2821 on the HELO/EHLO command: 4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO) These commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the [...]


Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs

April 17, 2007

Exchange 2007 includes a number of anti-spam agents to filter spam. The anti-spam agents log their actions in (anti-spam) agent logs. The default agent log locations: Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\AgentLog Exchange 2007: \Exchange Server\TransportRoles\Logs\AgentLog Agent Log Configuration You can’t change the agent log location. Here are the available config options: Enable/Disable agent log: On transport [...]


Exchange 2007 Content Filter: How to move messages to Junk Mail folder

February 7, 2007

You’ve set up Exchange Server 2007 and configured the shiny new Content Filter agent (CFA), which is more than just a rewrite of the equally loved and hated Intelligent Message Filter (IMF) from Exchange Server 2003. How do you configure it? Spam Confidence Level (SCL) Thresholds in Exchange 2007/2010 The CFA has the following three thresholds, [...]


Enabled by default: SMTP Tarpit in Exchange Server 2007

January 9, 2007

From a recent discussion, and something I’ve been wanting to post about for a while: SMTP tarpitting is enabled by default on Receive Connectors in Exchange 2007 (and Exchange 2010). What is SMTP tarpitting? It’s the process of introducing a delay in SMTP connections from hosts that are suspected of inappropriate SMTP behavior – for [...]
