Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Add realtime spam protection to your Exchange 2003 4

Status
Not open for further replies.
talon121a

talon121a

MIS
Aug 21, 2003
92
0
0
US
By far the biggest problem with email is you guessed it, SPAM. By configuring your server to deny 'blacklisted' SMTP servers, you will limit spam as much as 99%.

This will stop listed SMTP Servers from connecting to your exchange server, and this is without using a third-party solution, however I do strongly recommend you use a third-party application to add protection. Including Anti-Virus, and Spam filtering, etc. You may also want to protect yourself from files, etc.

Step by Step
1. Review the list of blacklists available to choose from, there are many out there. The trick is to find a good consistent few. I presently use about 11 of these. Good list at:
2. Once youve determined what spam blacklists you wish to use, (not whitelists, just blacklists). Then, load up Exchange 2003 Management Console, Goto the Global Settings > Message Delivery, Then properties.

3. Click the Connection Filtering tab, this is where you add those black lists. for example. Just one of my entries.

Display Name: ORDB - DNS Suffix of provider: relays.ordb.org
Custom Error message: (I just left blank)

What this will do now whenever an SMTP tries sending you an email, it first checks the SMTP server connecting if its in that black list, and if it is, returns a message back to the user trying to send from that SMTP with that message usually of 'your message was blocked by ORDB -
And if you specifically need email from a specific provider, you can still get it, by going to the Exception or Global accept settings.

I hope this starts all you Exchange 2003 administrators off good. Ive been so confident with my spam solution, I openly invite it. (if they want to). And legitimate emails always get through. (Ive not yet had a legitimate not come through).

Let me know if anyone has issues or anything with this, I'll see what I can do ;-)






--------
Jason Burton
Starloop International
jasonburton@us.starloop.com
(im confident with my spam fighting solution)
 
Jason,

We're all in this war together. I have found something which may be even better. It's called "graylisting" and serves as a middle way between white- and blacklisting.

It looks like it works mainly with Linux though:

 
With third party support, Ive found Sybari AntiGen has 'Whitelist' abilities with Exchange 2003.

-- But with Exchange 2003, the article above, gives you a quick solution to a problem. (I've been 99% effective with over 100+ domains on the same serv.)



--------
Jason Burton
Starloop International
jasonburton@us.starloop.com
(im confident with my spam fighting solution)
 
So, what are the best ten or twelve blacklist sites? Anyone know?
 
Well from my own experience in order:

1. SPAMCOP - bl.spamcop.net
2. ORDB - relays.ordb.org
3. THE SPAMHAUS BLOCK LIST ("SBL") - sbl.spamhaus.org
4. DEVNULL - dev.null.dk
5. DEADBEEF - bl.deadbeef.com
6. SORBS-SPAM - dnsbl.sorbs.net
7. BLITZED - opm.blitzed.org
8. FIVETEN - blackholes.five-ten-sg.com
9. NJABL - dnsbl.njabl.org
10. EASYNET-PROXIES - proxies.blackholes.easynet.nl

Thats what im using for my top 10 DNS Blacklists with a 99% success rate. (about 15 emails per 30,000)

I've also added some domains that were listed, ie. yahoo.com, and netscape.com, (that are listed with some of those blacklists) to the acceptance list. Even though they had spam reports. But thats to the administrators discretion.

* Note: Some of the blacklists above , may or may not be still operational. I usually go through and make sure the blacklists are still alive regularly, because of constant changes in their operation or lack of resources on their part to keep the blacklist updated.




--------
Jason Burton
Starloop International
jasonburton@us.starloop.com
(im confident with my spam fighting solution)
 

I'm glad to see that Jason enjoys M$ implementation of RBL within Exchange 2003. One thing to note is that you can't be 100% certain that legitimate emails are getting through with this method. This is because Exchange drops the connection to a listed spammer before the mail is in the system. While this sounds great there is no way for you to know if the mail was indeed spam! Anyways, it's still a nice feature in Exchange 2003

-Forbsy
 
Blocking by domain name won't accomplish much, since they are all spoofed.

In our case, we could block everything from outside the USA though.
 
Yes, as with any RBL implementation.. You cant be 100% sure with any attempts. Although with my listed RBL's Ive been about 99% confident with stopping and allowing legitimate emails.

I will be posting soon just a listing of common 'allowed' but listed SMTP servers, that anyone can add to their exceptions list, so mail can get through legitimately.
---
ie. AOL, Yahoo, etc.

Sometimes the major providers are listed in the RBL falsely or because of a previous incident. Of course its up to the administrator to allow their SMTP servers; But I'll be posting something soon with ones Ive been using with the 99% confidence with my users.

-- Thanks

Jason Burton
SI
 
I'd just like to make a clarification to what has been posted here. The Exception button allows you exempt only internal addresses from the block lists. This allows any email to be delivered to certain internal addresses without filtering. I use a specific SMTP address to allow customers who are experiencing blocked mail to us to be able to send me an email so I can determine their SMTP servers IP address. To exempt outside SMTP servers, it is necessary to add the SMTP IP address of the sender using the Accept button.

Best Wishes,

Steve Foote
BYTE-RYTE Computers, Inc.
 
As of today if this still the best 10 Black listing ??

1. SPAMCOP - bl....
2. ORDB - relays...
3. THE SPAMHAUS BLOCK LIST ("SBL") - &nbs...
4. DEVNULL - ...
5. DEADBEEF - &nb...
6. SORBS-SPAM - &nbs...
7. BLITZED - opm...
8. FIVETEN - &nb...
9. NJABL - dnsbl...
10. EASYNET-PROXIES - ...

I am just about to configure on a SBS2003 server.

Cheers in advance
 
With the majority of spam coming from hacked home computers, is there a more or less reliable blacklist for Dial-up/broadband IP address spaces?
 
Personaly I use spamcop.net to filter all my privat email. With my email address I wouldn't have been able to use it for many years now without spamcop.net
On my little privat domain (3 domainnames and my wife and me as users) I can get as much as 20.000+ spam emails a day on a havy day, and more the 5.000 on a low trafic day.

But in a company network blacklists also have some drawbacks. In the company I work for we have big problems trying to stop spam, especialy because we have an alarm center where it is very very importend that our customers can get in contact with us, even if they are in the middle of nowhere in China or Brazil with no access to a phone and the only way to reach us is by email via a blacklisted ISP's mailserver.

We also have a problem with filtering emails on keywords since medical information that we get can contain words like sex, viagra, penis and God knows what else and still be an very inportend email from a doctor to one of our doctors.

My privat fight against spam is that I also work as a "spamtrap" for spamcop.net so more then 99% of the emails I get I never see (except in my logfiles)
 
Jason,

Have you thought about using Intelligent Messaging Filtering from Microsoft? How did you decide on the 11 blacklists? I'm running Microsoft Server 2003 Small Business Server with Exchange 2003 SP1. I've installed IMF and followed the deployment guide to the tee. The only thing I can't configure are the IMF counters in System Monitor. Any thoughts?

Mike
 
Hi Mike,

I've done the same thing, configured IMF per the guide, then waited for the filter to kick in to be able to see the counters in the Perf Mon. Three days and I still don't get the counters they say will be available in order to allow me to see SCL ratings on the e-mails. I do have some e-mails showing up in my Outlook Junk folder on my desktops now though, so it must be working. If you come up with anything please post it here, and I will do likewise.

Eric
 
Just wanted to reply with some more info, seeing that I havent been on here in a while.. (keeping the users happy).

I havent done the IMF yet with Exchange 2003 (I havent guaged the effectiveness versus the RBL technology.)

But so far, this is my best options.. And I've seen about 94% legit email come thru our email system. Ive setup my SMTP to log to SQL, and using a stored procedure, I do nightly statistics on offending domains. ie. Take 550's and check em.

Id definitely still take a look at the current list of RBL's to fit your particular organization's policies..


I would also check the IMF as mentioned previously by mlmClean (thanks).

I will be posting more here as I improve my organization's email system. (as well as helping others).

Jason Burton
LM
 
wow, nice timing, Jason, as I'm just now looking into either configuring my new Exchange 2k3 server or buying an Anti spaming software to install. Should the configuration that you have mentioned work, that will save our company lots of money..... and make me look GOOOooooOOOOD! :+D

Once again, Thank you for your post.

Danny
 
Jason, when I add the new Connection Filtering Rule I get the following message:

"Connection, Recepiant & Sender Filtering must manually be enabled on a specific SMTP Virtual serer IP Address assignments as they are not enabled by Default. For more inforamtion on how to enable any of the above filtering types, read their associated help."

As a n00b to this filtering stufff, am I missing a step here?
What does this message mean?

Danny
 
Nope your doing the right thing, but what you need to do is goto your SMTP server (in exchange > Servers > SMTP) right click it, goto properties. Then goto Advanced (IP setup) then make sure those options are selected so that the rules are applied. It just wanted to ensure you had things enabled.



--------
Jason Burton
Leximedia,LLC.
jab@leximedia.net
(im confident with my spam fighting solution)
 
Oh Danny, good luck with your implementation. I'd suggest installing an Anti Virus package for exchange however... Which usually includes Spam protection. --- ie. Symantec Mail Security for exchange. ---

Since even if your spam protected, virus's can slip through. If your environment has client side virus scanners you should be ok, but for things like those big nasty worms, you may come up with a problem there.. But the RBL method(s) should protect most undesirables.

Please let me know if I can help. (send a private msg)

Jason Burton
LM


--------
Jason Burton
Leximedia,LLC.
jab@leximedia.net
(im confident with my spam fighting solution)
 
yes, Purchasing an GREAT antivirus protection service/software is what I'm doing now. I currently have the network on Norton's Corporate Edition with all the workstations having the client installed. However, with our new server I plan on remaining with Symantec and purchasing a Network/Email Virus protection solution from them. Should this also include Spam filtering, so much the better. I will call CDW and purchase this Symantec Mail Security For Exchange solution that you mentioned.

Once again, thank you, Jason.

Danny
 
Status
Not open for further replies.

Similar threads

PatrickRoggers
  • Locked
  • Helpful tip
Safest Way to Import PST file into Exchange Online
Replies
0
Views
582
PatrickRoggers
PatrickRoggers
ComputersUnlimited
  • Locked
  • Question
Migrating to Exchange 2019
Replies
0
Views
543
ComputersUnlimited
ComputersUnlimited
Brent Fletcher
  • Locked
  • Question
Exchange rule to remove "✉" icon when it appears in a subject title from a supplier
Replies
0
Views
587
Brent Fletcher
Brent Fletcher
stanlyn
  • Locked
  • Question
How to do Certificates on MultiDomain Exchange with Least Cost
Replies
1
Views
552
Wesaf
Wesaf
Satishkumar007
  • Locked
  • Question
Help needed to recover after complete site failure
Replies
0
Views
557
Satishkumar007
Satishkumar007

Part and Inventory Search

Sponsor

Back
Top