How do spam mails come to new users' mailboxes

msworld

MIS
Jun 28, 2005
534
US
One of my technicians asked me this question.

We just created a new email address for a new user. Before the user sent any emails out, she received 7 spam emails on her first day. Why?

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
More likely than not, some spammer has sent out a blanket email to your domain.

Make sure that you have enabled IMF. Check out the tutorial here:

You can also use my free solution to manage the mail trapped by IMF.


I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Is your mail system open for directory lookups? I'm not finding the correct name for what I'm thinking, but if you have anything turned on and open to the internet that allows hackers to "query" your system... they can get internal mail addresses of your users.

Be sure that you prevent relay and review your firewall to ensure that only port 25 is open. Exchange 2003 has better capabilities to do things like honey-pots, etc...that try and control hacker activities and prevent them from doing unauthorized things.
 
That's called Directory Harvesting. It can be made worse by recipient filtering under the right circumstances. Enabling tarpitting can help reduce the likelihood of directory harvesting.

SMTP tar pit feature for Microsoft Windows Server 2003

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
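
A log check for the directory harvesting described in the post above, as an added example that is not part of the original thread: it counts accepted and rejected `RCPT TO` commands per client IP and flags senders whose recipients are mostly unknown. The log lines are constructed, and the W3C field names and the 550 status for unknown recipients are assumptions about how your SMTP log and recipient filtering are configured.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-11-01 09:00:01 203.0.113.7 RCPT +TO:<aaron@example.com> 550
2006-11-01 09:00:01 203.0.113.7 RCPT +TO:<abby@example.com> 550
2006-11-01 09:00:02 203.0.113.7 RCPT +TO:<adam@example.com> 550
2006-11-01 09:00:02 203.0.113.7 RCPT +TO:<alice@example.com> 250
2006-11-01 09:00:03 203.0.113.7 RCPT +TO:<allen@example.com> 550
2006-11-01 09:00:03 203.0.113.7 RCPT +TO:<amy@example.com> 550
2006-11-01 09:00:04 203.0.113.7 RCPT +TO:<andy@example.com> 550
2006-11-01 09:05:10 198.51.100.20 MAIL +FROM:<pat@example.net> 250
2006-11-01 09:05:10 198.51.100.20 RCPT +TO:<alice@example.com> 250
2006-11-01 09:05:11 198.51.100.20 RCPT +TO:<alcie@example.com> 550
"""

def rcpt_stats(log_text):
    """Return {client_ip: [accepted, rejected]} for RCPT commands."""
    fields, stats = [], defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column order comes from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        ip, status = row.get("c-ip"), row.get("sc-status", "")
        if ip is None or row.get("cs-method", "").upper() != "RCPT":
            continue
        if status.startswith("2"):
            stats[ip][0] += 1                # recipient accepted
        elif status.startswith("5"):
            stats[ip][1] += 1                # recipient rejected (assumed: unknown user)
    return dict(stats)

def harvest_suspects(log_text, min_rejects=5, min_ratio=0.8):
    """Clients with many rejected recipients and a high reject ratio."""
    suspects = []
    for ip, (ok, bad) in rcpt_stats(log_text).items():
        if bad >= min_rejects and bad / (ok + bad) >= min_ratio:
            suspects.append((ip, ok, bad))
    return sorted(suspects, key=lambda s: -s[2])

if __name__ == "__main__":
    for ip, ok, bad in harvest_suspects(SAMPLE_LOG):
        print(f"{ip}: {bad} rejected / {ok} accepted RCPT commands")
```

The second client in the sample has a single mistyped address and stays below both thresholds, which is why the check uses a minimum count as well as a ratio.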
 
Ya...that's what I was thinking. Thanks 58sniper.
 
Handy enough for me to script it. This one is going in my Admin Script Pack, but I'll share it this time.

Code:
'==========================================================================
'
' NAME: SMTPTarpit.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 11/1/2006
'
' COMMENT: For details on the SMTP Tarpit feature refer to
'          MSKB 842851.
'          Configures a 5 second delay in SMTP delivery.  Use this
'          feature when recipient filtering is enabled in Exchange
'          to prevent directory harvesting.
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'==========================================================================
On Error Resume Next
Dim path, WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
path = "HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters\"
' Write the tarpit delay in seconds as a numeric REG_DWORD
WSHShell.RegWrite path & "TarpitTime", 5, "REG_DWORD"
' To undo what this script has done, comment out the above line and uncomment the following
'WSHShell.RegWrite path & "TarpitTime", 0, "REG_DWORD"

' Test Err.Number explicitly: Not is bitwise in VBScript, so "If Not Err"
' is true for almost any error code and the Else branch would never run.
If Err.Number = 0 Then
    If MsgBox("In order to complete setup, the SMTP service must be restarted.  OK to restart SMTP?", vbYesNo, "Restart SMTP?") = vbYes Then
        WSHShell.Run "CMD.EXE /C NET STOP SMTPSVC & NET START SMTPSVC"
    End If
Else
    MsgBox "Sorry A Problem Was Encountered" & vbCrLf & "Make sure you have permission to write to the registry.",,"Error in SMTP Tarpit Configuration"
End If

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Thank you for all the input. I think it could be that one of our computers has a virus that sends the global list out.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Thanks for the imfspam manager markdmac, it is so much easier to manage things from it.

I had one question on the tutorial you referenced over at msexchange.org. The writer references an MS document that is no longer available for additional registry strings. I am wondering if anyone has this document saved, or knows of another location of these options?

-Dave
 
You are welcome. Which link are you referring to that is dead? The SP2 beta doc?

Note, I did also create a script for the IMF updates and since I am feeling generous...

Code:
'==========================================================================
'
' NAME: IMFUpdateEnabler.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' (c) 2006 All Rights Reserved
' DATE  : 5/22/2006
'
' COMMENT: Configures IMF to receive updates via Windows Update
'
' MODIFICATIONS:   
'   7/9/2006- Added event log code
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'    This script and many more can be found in the Admin Script Pack
'    by The Spider's Parlor http://www.thespidersparlor.com/vbscript
'==========================================================================
' Event types accepted by WshShell.LogEvent
Const SUCCESS = 0
Const LogERROR = 1
Const WARNING = 2
Const INFORMATION = 4
Const AUDIT_SUCCESS = 8
Const AUDIT_FAILURE = 16

' Without this, a failed registry write aborts the script before the error branch runs
On Error Resume Next
Dim keypath, WSHShell
' No trailing backslash: ContentFilterState is written as a value, not a key
keypath = "HKLM\SOFTWARE\Microsoft\Exchange\ContentFilterState"
Set WSHShell = CreateObject("WScript.Shell")
WSHShell.RegWrite keypath, 1, "REG_DWORD"
' Test Err.Number explicitly: Not is bitwise in VBScript, so "If Not Err"
' is true for almost any error code.
If Err.Number = 0 Then
    If MsgBox("In order to complete setup, the SMTP service must be restarted.  OK to restart SMTP?", vbYesNo, "Restart SMTP?") = vbYes Then
        WSHShell.Run "CMD.EXE /C NET STOP SMTPSVC & NET START SMTPSVC"
        WSHShell.LogEvent INFORMATION, "IMF configured for updates.  http://www.thespidersparlor.com/vbscript"
    End If
Else
    MsgBox "Sorry A Problem Was Encountered" & vbCrLf & "Make sure you have permission to write to the registry.",,"Something went wrong"
    WSHShell.LogEvent LogERROR, "IMF update configuration failed.  http://www.thespidersparlor.com/vbscript"
End If
WScript.Quit

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
The missing document is "Chapter 6 of the Intelligent Message Filter Deployment Guide". I've looked through the operations guide, but it only has a few registry additions.

I didn't need your script as I added the changes manually to set up auto updates. It took a few minutes for my WSUS server to push the latest update to my mail server.

If I get false positives, I'm assuming that I add the IP address of the legit mail server to the Global Accept list. Correct?

-Dave
 
Yes it was. I read through that document and got the setting I have now. IMF is working on my server, I just want to make sure it is running with the best possible setup.

-Dave
 