Fighting Spam in an Exchange Environment Tzahi Kolber IT Supervisor - Polycom Israel.

Presentation transcript:

Fighting Spam in an Exchange Environment Tzahi Kolber IT Supervisor - Polycom Israel

What will we cover:
- Problems and Concerns
- How to Fight Spam
- Exchange Server 2003 Anti-Spam Features
- Exchange Server 2007 Anti-Spam Features
- How not to be blocked as spammers

Problems and Concerns
- Unwanted messages are the #1 concern
- Risk to security, privacy and availability
- Phisher scams, ID and information theft
- Spoofing detected in 95% of phishing attacks
- Unauthorized relay
- Spam represents more than 60% of e-mail traffic
- Hotmail blocks more than 1 billion messages every day
- Viruses, Spyware, and Trojans (that can affect mobile devices too)
- Low cost of entry, high profit, and anonymity: all the economics favor the spammer and phisher

How to Fight Spam

Enterprise Requirements for Anti-Spam
- False positives are the primary concern
- Block at the gateway whenever possible: the user never sees it; reduces impact on bandwidth; reduces the load on Exchange server resources (CPU, I/O, DB size ...)
- Administration: end-to-end solutions (including mobiles); easy to manage; balance corporate and end-user control

Exchange Server 2003: Anti-Spam Features
- Connection filtering: where it came from
- Sender filtering: who sent it
- Recipient filtering: who it is for
- Microsoft Exchange Intelligent Message Filter: what it is about
- Sender ID: is the sender really the sender?
- * Restricted Distribution Lists

Message Filtering in Exchange (diagram): Sender ID; Accept/Deny Lists; Block Lists; Recipient Filter; Sender Filtering; Intelligent Message Filter; Information Store

Message Filtering in Exchange
- Connection filtering
- Sender and recipient filtering
- Intelligent Message Filter
- AV Scanning
- Outlook 2003 and Outlook Web Access junk e-mail
- Blocks of all incoming SMTP connections
- Blocks of remaining messages

Mail flow (diagram)
- Gateway Server Transport, Anti-Spam: Internet message -> Connection Filtering (RBLs) -> Sender/Recipient Filtering -> Exchange IMF -> SCL vs. Gateway Threshold? Yes: Filter Action; No: continue
- Gateway Server Transport, Antivirus and Attachments: Attachment Stripping, Virus Scanning
- Mailbox Server Store: SCL vs. Store Threshold, User Safe/Blocked Senders -> Spam? Yes: Junkmail; No: Inbox
- Clients (Outlook 2003 & Outlook Web Access): Desktop Anti-Virus, Attachment blocking, User Safe/Blocked Senders -> Spam? Yes: Junkmail; No: Inbox

Layer 1 - Connection Filtering
- Check where the mail is coming from
- Support for multiple Real Time Block List (also known as DNS Block List) providers
- Global Accept and Deny Lists
- Configurable exception list that overrides the RBL
- Blocking by IP/subnet

Connection Filtering and SP2
- Admins need to configure the trusted internal IP gateways; as a result connection filtering can now perform filtering inside the perimeter
- Connection Filtering relies on getting the original sender's IP to run the DNS query on
- In SP2: new header parsing algorithm (P2 header) that looks for the first untrusted IP address among the SMTP sender servers
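The two slides above describe connection filtering as "find the IP the mail really came from, then ask the block list about it". The following is an added example (not code from the presentation or from Exchange) of that logic: it walks the Received: headers from the top, skips the hops that belong to configured trusted gateways, returns the first untrusted address, and builds the DNS block list query name for it. The gateway networks, the headers and the RBL zone `rbl.example` are all constructed for the example.

```python
"""Locate the originating SMTP client IP behind trusted gateways and build
the DNSBL (RBL) query name for it. Sample data is constructed."""
import ipaddress
import re

# Constructed: the perimeter / internal gateway ranges an admin would
# configure as trusted so they are skipped during the header walk.
TRUSTED_GATEWAYS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),   # hypothetical perimeter relay
)

# IPv4 literal inside square brackets, as MTAs write it in Received: headers.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """IPs from Received: headers, most recent hop first (header order)."""
    ips = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        match = _IP_RE.search(value)
        if match:
            ips.append(match.group(1))
    return ips


def is_trusted(ip):
    """True when the address lies in one of the trusted gateway networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_GATEWAYS)


def originating_ip(headers):
    """First hop (from the top) that is not a trusted gateway.

    Returns None when every hop is trusted, i.e. the message never came
    through an untrusted server and there is nothing to look up."""
    for ip in received_ips(headers):
        if not is_trusted(ip):
            return ip
    return None


def rbl_query_name(ip, zone):
    """DNSBL lookup name: the IP's octets reversed, under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed message headers: two internal hops, then the real sender.
SAMPLE_HEADERS = [
    ("Received", "from mail.corp.example (mail.corp.example [10.1.2.3]) by mbx01.corp.example"),
    ("Received", "from edge.corp.example (edge.corp.example [192.0.2.10]) by mail.corp.example"),
    ("Received", "from badhost (unknown [203.0.113.77]) by edge.corp.example"),
    ("Received", "from relay (relay [198.51.100.5]) by badhost"),
    ("From", "someone@example.net"),
]

if __name__ == "__main__":
    ip = originating_ip(SAMPLE_HEADERS)
    print("originating IP:", ip)                              # 203.0.113.77
    print("RBL query:", rbl_query_name(ip, "rbl.example"))    # 77.113.0.203.rbl.example
```

Without the trusted list the filter would query the topmost hop (10.1.2.3, an internal server) and never see the real client, which is exactly the pre-SP2 problem the slide points at. The query name is only built, not resolved, so the example runs offline.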

Sender Filtering
- Filters messages sent from particular e-mail addresses or domains
- Message submission method is persisted
- Optionally filter messages with blank senders
- Optionally drop the connection
- Note: adding your own domain to the Sender Filter list may break list services

Recipient Filtering (Who It Is For)
- Filter messages sent to particular recipients (valid or invalid)
- No NDR because the message is rejected at protocol level
- Designed to combat directory harvesting attacks (tar pitting combats that too)
- Related feature - Restricted distribution lists: allow only authenticated users to send to a distribution list; reduces the impact of unsolicited e-mail sent to internal-only distribution lists

Layer 2 – SMTP Filtering
- If the incoming connection passed through the Connection Filtering layer, the next in line is SMTP Filtering
- Sender and Recipient Filtering
  - Sender: list of prohibited sender addresses, domain addresses, blank sender
  - Recipient: directory lookup and tar pitting
- Sender ID Filtering
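To make the sender filtering, recipient filtering and tar pitting slides concrete, here is an added example (not the presentation's or Exchange's code) of an SMTP envelope filter: MAIL FROM is checked against prohibited addresses, domains and the blank sender, RCPT TO is checked against a directory and refused with a 550 at protocol level (so the receiving side never generates an NDR), and a session that keeps probing invalid recipients accumulates a growing tar-pit delay instead of getting fast answers. The block lists, directory and delay values are constructed.

```python
"""SMTP envelope filtering with directory lookup and tar pitting.
Lists, directory and timings are constructed for the example."""

BLOCKED_SENDERS = {"spammer@example.net"}          # constructed
BLOCKED_DOMAINS = {"badhost.example"}              # constructed
BLOCK_BLANK_SENDER = True   # optional in Exchange; note this also refuses bounces
DIRECTORY = {"alice@corp.example", "bob@corp.example"}   # constructed valid recipients
TARPIT_BASE_SECONDS = 5     # constructed delay unit


class Session:
    """Per-connection state used to slow down directory harvesting."""

    def __init__(self):
        self.invalid_rcpts = 0
        self.delay_seconds = 0   # accumulated tar-pit delay (recorded, not slept)


def check_mail_from(sender):
    """Return (SMTP code, text) for a MAIL FROM address."""
    if sender == "":
        if BLOCK_BLANK_SENDER:
            return 554, "5.1.0 Sender denied"
        return 250, "2.1.0 Sender OK"
    if "@" not in sender:
        return 501, "5.1.7 Bad sender address syntax"
    domain = sender.rsplit("@", 1)[1].lower()
    if sender.lower() in BLOCKED_SENDERS or domain in BLOCKED_DOMAINS:
        return 554, "5.1.0 Sender denied"
    return 250, "2.1.0 Sender OK"


def check_rcpt_to(session, recipient):
    """Return (SMTP code, text) for a RCPT TO address.

    Unknown recipients are refused during the SMTP dialogue, so the message
    is never accepted and no NDR has to be sent back to a (possibly forged)
    sender. Each invalid recipient makes the next answer slower."""
    if recipient.lower() in DIRECTORY:
        return 250, "2.1.5 Recipient OK"
    session.invalid_rcpts += 1
    # Tar pit: the delay grows with every invalid address in this session,
    # making a harvesting run expensive while a normal typo costs little.
    session.delay_seconds += TARPIT_BASE_SECONDS * session.invalid_rcpts
    return 550, "5.1.1 User unknown"


if __name__ == "__main__":
    session = Session()
    print(check_mail_from("anyone@badhost.example"))   # (554, '5.1.0 Sender denied')
    for rcpt in ("alice@corp.example", "a@corp.example", "b@corp.example"):
        print(rcpt, check_rcpt_to(session, rcpt))
    print("tar-pit delay so far:", session.delay_seconds, "s")   # 15 s
```

A real server would sleep for the accumulated delay before writing each 550; the example only records it so that the behaviour can be checked without waiting.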

Sender ID
- Comes with SP2
- Industry standard framework
- Fight against domain spoofing
- Verify that each message originates from the Internet domain from which it claims to come, based on the sending server's IP address
- See chnologies/senderid/default.mspx

Benefits of Sender ID
- Protect sender's brand and domain names from spoofing and phishing
- Receivers validate the origin of mail
- More input into the spam filtering decision
- By itself does NOT stop spam

How Does Sender ID Work?
- Senders publish IP addresses of outbound servers in DNS via an SPF record
- Receivers determine which domain(s) to check:
  - "Purported responsible domain" derived from message body (RFC 2822 headers)
  - "Envelope From" domain (RFC 2821 Mail From)
- Receivers query DNS for the outbound servers of the chosen domain and perform the domain spoofing test

Sender ID Framework
- Sender, one time: publish SPF record in DNS; no other changes required; e-mail sent as normal
- Message transits one to many servers en route to receiver
- Receiver: look up sender's SPF record in DNS; determine PRA or Mail From check; compare PRA to legitimate IPs in SPF record or Mail From check
- Match → positive filter input; no match → negative filter input
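The receiver side of the three Sender ID slides, as an added example (not the presentation's or Microsoft's code): choose the purported responsible address (PRA) from the headers in the Sender ID order Resent-Sender, Resent-From, Sender, From, or take the envelope Mail From, fetch the domain's SPF record and evaluate it against the connecting IP. Only the `ip4`, `ip6` and `all` mechanisms are implemented, because the others need DNS; the records live in a constructed table instead of real TXT lookups, and every domain and address below is made up.

```python
"""Sender ID check: PRA / Mail From selection plus SPF evaluation for the
ip4, ip6 and all mechanisms. DNS data is a constructed table."""
import ipaddress

SPF_RECORDS = {  # constructed stand-in for TXT lookups
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
}

PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}   # not implemented here


def purported_responsible_address(headers):
    """PRA: first present header in Sender ID precedence order."""
    first = {}
    for name, value in headers:
        first.setdefault(name.lower(), value.strip())   # first occurrence wins
    for name in PRA_HEADERS:
        if name.lower() in first:
            return first[name.lower()]
    return None


def domain_of(address):
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    return address.strip("<> ").rsplit("@", 1)[-1].strip("<> ").lower()


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record for the connecting IP.

    Returns pass / fail / softfail / neutral / none / permerror."""
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:               # modifiers (redirect=, exp=) are ignored
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        if mech in DNS_MECHANISMS:
            raise NotImplementedError(f"{mech} needs a DNS lookup")
        return "permerror"             # unknown mechanism name
    return "neutral"                   # record ended without a match


def sender_id_check(headers, mail_from, client_ip, scope="pra", records=SPF_RECORDS):
    """Sender ID result: scope 'pra' uses the PRA, 'mfrom' the envelope sender."""
    address = purported_responsible_address(headers) if scope == "pra" else mail_from
    if not address:
        return "none"
    return evaluate_spf(records.get(domain_of(address)), client_ip)


if __name__ == "__main__":
    hdrs = [("From", "Alice <alice@example.com>"), ("Subject", "hello")]
    print(sender_id_check(hdrs, "bounce@example.com", "192.0.2.55"))    # pass
    print(sender_id_check(hdrs, "bounce@example.com", "203.0.113.9"))   # fail
```

A "fail" from a `-all` record is the negative filter input on the slide; `~all` only yields "softfail", which is why the slide says Sender ID feeds the filtering decision rather than stopping spam by itself.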

Limitations
- Authenticates domains, not users
- Validates the "last hop", not end-to-end (cannot block from a relay)
- Spammers can register their own domains... but this aids investigative efforts and allows for domain reputation; sooner or later the spammer is going to be caught

Exchange Configuration Set perimeter IP list

Define action Set it on the SMTP Virtual server

Layer 3 - Content Filtering
- If a mail item gets through Recipient Filtering it faces Content Filtering
- Content Filtering in Exchange relies on Microsoft Research SmartScreen machine learning technology incorporated into the Intelligent Message Filter (IMF)
- IMF is now integrated into SP2 (the pre-SP2 version should be uninstalled before the SP2 upgrade)
- Should be updated from Microsoft Update (not Windows Update!!!)
- _sp2.htm

How it works
- Examines messages and gives each an SCL value [0-9]
- Two thresholds: Gateway and Store
- Messages with a high SCL value are filtered at the gateway (MS IT: more than 30% filtered); reduces impact to users and the rest of the infrastructure
- Possibility of SCL store level spam filtering; the SCL is transferred as a part of the EXCH50 blob
- Exposing SCL in Outlook: aspx
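The two-threshold routing described above and in the mail-flow diagram, as an added example (not code from the presentation or from Exchange): the gateway threshold decides whether a message is stopped at the gateway with the configured action, the store threshold decides between Inbox and Junk E-mail on the mailbox server, and the user's Safe/Blocked Senders lists override the store decision. The threshold values, the action, the precedence of blocked over safe senders, and the sample messages are this example's own choices.

```python
"""SCL-based gateway and store routing with per-user sender lists.
Thresholds, action and sample data are constructed."""
from dataclasses import dataclass, field

GATEWAY_THRESHOLD = 7        # constructed: SCL >= 7 is stopped at the gateway
GATEWAY_ACTION = "reject"    # constructed: one of reject, delete, archive
STORE_THRESHOLD = 4          # constructed: SCL >= 4 goes to Junk E-mail

# A store threshold above the gateway threshold could never fire, since the
# gateway already removed everything at or above its own value.
assert STORE_THRESHOLD <= GATEWAY_THRESHOLD


@dataclass
class Message:
    sender: str
    subject: str
    scl: int          # 0-9 as stamped by the IMF


@dataclass
class Mailbox:
    safe_senders: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)


def gateway_decision(msg):
    """Gateway step: apply the configured action above the gateway threshold."""
    if not 0 <= msg.scl <= 9:
        raise ValueError(f"SCL out of range: {msg.scl}")
    if msg.scl >= GATEWAY_THRESHOLD:
        return GATEWAY_ACTION
    return "deliver"


def store_decision(msg, mailbox):
    """Store step: user lists first, then the store threshold.

    Precedence of blocked over safe senders is this example's assumption."""
    sender = msg.sender.lower()
    if sender in mailbox.blocked_senders:
        return "junk"
    if sender in mailbox.safe_senders:
        return "inbox"
    return "junk" if msg.scl >= STORE_THRESHOLD else "inbox"


def route(msg, mailbox):
    """Full path: (where the decision was made, what happened)."""
    action = gateway_decision(msg)
    if action != "deliver":
        return ("gateway", action)
    return ("store", store_decision(msg, mailbox))


if __name__ == "__main__":
    mb = Mailbox(safe_senders={"friend@example.org"}, blocked_senders={"foe@example.net"})
    for m in (Message("x@example.com", "buy now", 9),
              Message("friend@example.org", "offer", 5),
              Message("foe@example.net", "hi", 1)):
        print(m.sender, m.scl, route(m, mb))
```

The same message with SCL 5 lands in Junk E-mail for an ordinary sender but in the Inbox when the sender is on the user's safe list, which is the "balance corporate and end-user control" requirement from the earlier slide.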

Messaging Hygiene Architectural Principles
- Anti-spam MUST be done before anti-virus
- Anti-spam SHOULD be done for inbound mail only
- Anti-spam filtering SHOULD remove vs. quarantine
- Anti-virus MUST be mail direction aware
- Anti-virus SHOULD remove vs. quarantine
- Generate security notifications for infected ingoing e-mail
- Anti-virus and Anti-spam systems MUST integrate with Exchange

Restricted Distribution Lists
- Can accept e-mails only from authenticated users
- Benefit: the list cannot be used from outside to reach a large number of recipients, and is not accessible from Linux or other SMTP applications (non-authenticated users)

Exchange 2007 Anti-Spam systems
- Dedicated role / server – Edge server role
- * Attachment Filtering
- * Edge Protocol Rules - filter known text patterns in malware carriers and drop the connection (Porn, Love, Linux....)
- * Connection Filtering (White List was added)
- Sender and Recipient Filtering (including Tar Pitting)
- Safe Sender List – which was configured at Outlook 2003 / Sender ID
- IMF
- * Are additions that were added to the Anti-Spam system in Exchange
- ult.mspx

How NOT to be blocked as spammers
- Block SMTP (TCP/25) to the outside using the FW
- Verify that you have a PTR record in DNS with the same address as the MX record (will also avoid "Access Denied" NDR errors)
- Don't send e-mails with a blank subject / sender
- Avoid sending e-mails to more than 200 recipients in one e-mail
- Close your SMTP for relaying
- n.com
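An added example (not from the presentation) that turns the checklist above into a pre-flight check for an outbound mail server: it confirms the server's IP has a PTR record, that the PTR name resolves back to the same IP (forward-confirmed reverse DNS), that the name is one of the domain's MX hosts, and that a message has a sender, a subject and at most 200 recipients. DNS lookups go through a `resolve(kind, name)` callable so the check runs here against a constructed table; in production you would pass a function built on `socket.gethostbyaddr` and a DNS library for MX lookups. All hosts and addresses are made up.

```python
"""Outbound hygiene checks: forward-confirmed reverse DNS against the MX
record, plus the blank-subject / blank-sender / recipient-count rules.
DNS data is a constructed table passed in as a resolver callable."""

MAX_RECIPIENTS = 200   # limit named on the slide

FAKE_DNS = {  # constructed
    "ptr": {"192.0.2.25": "mail.corp.example", "192.0.2.26": "www.corp.example"},
    "a": {"mail.corp.example": ["192.0.2.25"],
          "mx2.corp.example": ["192.0.2.27"],
          "www.corp.example": ["192.0.2.26"]},
    "mx": {"corp.example": ["mail.corp.example", "mx2.corp.example"]},
}


def fake_resolver(kind, name):
    """Constructed resolver: kind is 'ptr', 'a' or 'mx'; None when absent."""
    return FAKE_DNS[kind].get(name)


def check_outbound_dns(ip, domain, resolve):
    """Return a list of problems with the sending server's DNS (empty = OK)."""
    problems = []
    ptr = resolve("ptr", ip)
    if not ptr:
        problems.append(f"no PTR record for {ip}")
        return problems                   # nothing further can be checked
    forward = resolve("a", ptr) or []
    if ip not in forward:
        problems.append(f"PTR {ptr} does not resolve back to {ip}")
    mx_hosts = resolve("mx", domain) or []
    if ptr not in mx_hosts:
        problems.append(f"PTR {ptr} is not an MX host of {domain}")
    return problems


def check_message(sender, subject, recipients):
    """Return a list of problems with a message about to be sent (empty = OK)."""
    problems = []
    if not sender.strip():
        problems.append("blank sender")
    if not subject.strip():
        problems.append("blank subject")
    if len(recipients) > MAX_RECIPIENTS:
        problems.append(f"{len(recipients)} recipients exceeds {MAX_RECIPIENTS}")
    return problems


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.99"):
        print(ip, check_outbound_dns(ip, "corp.example", fake_resolver) or "OK")
    print(check_message("", "", ["r%d@example.org" % i for i in range(201)]))
```

Run against the constructed table, 192.0.2.25 passes, 192.0.2.26 has a valid PTR that is not an MX host, and 192.0.2.99 has no PTR at all; those are the three states a receiving server's reverse-DNS check distinguishes.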

Some Useful links......
- Filtering.html
- ies/senderid/wizard/default.aspx
- fault.mspx
- 2.htm
- SMTP-Tar-Pitting-Explained.html

Questions? Thank you !