6

Our Exchange server is getting slammed with anywhere between 450,000 and 700,000 spam messages per day. We receive about 1700 legitimate messages in the same time frame.

Roughly 75% of the spam is directory harvesting. We currently have GFI MailEssentials installed. To it's credit, it's doing a very good job, but the sheer volume of spam that we're receiving, and the number of connections that our exchange server is making is preventing legitimate email from being delivered in a timely manner.

GFI is set up to check for directory harvesting at the SMTP level, which I presume intercepts the mail before it hits the Exchange services , or goes through SMSE. This "module" is ordered at the top of the list, so (hopefully) dealing with the harvesting is consuming a minimum amount of server resources and bandwidth.

My question is, is there anything I can do to prevent our Exchange server's connection pool from being eaten up by these spam hosts? We had to limit the number of concurrent connections being made by Exchange, because it was consuming all of our bandwidth.

Thanks, in advance.

Sam Cogan
  • 38,158
  • 6
  • 77
  • 113
Aaron Alton
  • 1,118
  • 11
  • 10
  • I haven't forgotten about this - I'm just working on implementing some of the easier solutions. I'll return to accept a solution once I get to the bottom of it! – Aaron Alton May 22 '09 at 20:17

12 Answers12

4

if you have ability to set up additional host [ can be virtual machine ] - i suggest you get postfix [ or exim or any other linux smtp relay ] that can filter mails based on recipient address.

i had case similar to yours, load of exchange was dramatically reduced by:

  • setting postfix server as only advertised MX for company's domain
  • periodically [ once every hour ] re-creating white list of allowed mail addresses based on simple php script retrieving all mail addresses from active directory via LDAP

also - if you look for fully blown [ yet open source ] antispam - take a look at esva. it's ready to use appliance for vmware based on postfix and couple of content filters. in their forums you'll find description how to pull white list of users from AD. their forum might look semi dead and author is not the most active one - but whole solution is really sophisticated and works great for me in couple of deployments.

pQd
  • 29,561
  • 5
  • 64
  • 106
  • That sounds really effective...and scares the cr@p out of me. Lots of technologies I'd rather not learn ;-) +1 for the thorough suggestion though! – Aaron Alton May 21 '09 at 18:59
  • don't be scared. i think starting from some scale/volume - it's worth the trouble. for esva - you can find info how to pull valid mail addresses from AD at http://www.global-domination.org/forum/viewtopic.php?t=1063 – pQd May 21 '09 at 19:18
  • A lot of large volume ISPs (think ones like FrontBridge) use a Postfix/Linux mail gateway to do filtering, greylisting, tarpitting, scanning, etc before they hit the Exchange servers. – Astra May 21 '09 at 19:42
  • You may convince me yet! I'm going to try the tarpitting and identifying the common offenders (IP blocks and/or whining to my ISP). If that doesn't work, I guess I have a little Linux to learn! – Aaron Alton May 21 '09 at 19:55
  • Here's a couple articles on tarpitting in Win2003. http://www.exchangeinbox.com/article.aspx?i=49 http://support.microsoft.com/?kbid=842851 – squillman May 21 '09 at 20:00
  • i'm affraid trying to filter only based on ip is hopeless case [ unless you are willing to blacklist everything and then start with whitelisting ]. spam i see comes literally from around the world, it's very helpful to use RBL's to guess 'spaminess' of mail comming from given ip but that alone is not good enough either to drop or to allow message to exchange. – pQd May 21 '09 at 20:20
3

I would use a combination of Recipient Filtering, and SMTP Tar-pitting. This is explained in more detail here:

http://www.exchangeinbox.com/article.aspx?i=49

As a summary, Exchange rejects connections to addresses that don't exist. However this allows spam harvesters to check a large number of addresses quickly against your server.

By enabling tar-pitting, you add a delay to the response your server gives, which reduces the amount of connections a harvester makes to your server.

Jeff Miles
  • 2,020
  • 2
  • 19
  • 26
  • Tar-pitting sounds like it should help the situation. Will the tar-pitting work if GFI is filtering the directory harvesting? I think GFI sits on IIS, but I'm not 100% sure. – Aaron Alton May 21 '09 at 18:54
3

You could also potentially offload spam filtering to a 3rd party, which would filter out most of that traffic and spam before it ever hits your network. Three good options for this service are:

http://www.microsoft.com/online/exchange-hosted-services/filtering.mspx

http://www.messagelabs.com/products/email/anti_spam.aspx

http://www.google.com/postini/email.html

Sean Earp
  • 7,207
  • 3
  • 34
  • 38
  • 1
    Your best bet will be to offload as smearp suggests. Not only does this reduce the storage and CPU overhead on your Exchange server; it also saves you bandwidth by eliminating the transport of mail you're going to throw away anyway. We currently use Microsoft's hosted filtering, but all of the tier-1 filtering services (including Postini and MXLogic) will give you better results than what you're getting now. If you're thinking about upgrading to Exchange 2007/2010, the enterprise CAL includes Exchange Hosted Filtering, too. – paulr May 27 '09 at 17:48
3

Absolutely you should look at a 3rd party to filter the mail before it gets to your server in addition to the ones mentioned on smearp's answer I've had good experiences with MX Logic, as well as Google's Postini. I preferred MX Logic personally. The addtional benefit is you can then set your Exchange Edge server to only accept SMTP connects from the 3rd party, drastically reducing the load on the server and your bandwidth.

I barely think about spam anymore.

Leroy Clark
  • 366
  • 2
  • 5
1

It seems to me that you've already done everything you can to limit the mail reaching the Exchange server - the next step would be to try and find a common factor in the spam that would allow you to block it before it even reaches the GFI box. (i.e. Treating it like a DDoS attack)

If the traffic is coming from only a handful of hosts, would it be feasible to shun those IP's on your border routers? Sometimes ISP's are also willing to help out with these sort of attacks - might be worth contacting them to see if they can ID and drop the bad traffic.

One duct tape solution might be to make your primary MX record an invalid one, and make the secondary MX record the valid one. Most spambots won't waste time trying alternate MX records, while legit mail will still come through... the down side is, you run a small risk of losing mail from incorrectly configured MTA's.

gharper
  • 5,365
  • 4
  • 28
  • 34
  • I'll have to see if I can pull an aggregation of the hosts from GFI. I know that the logging is done through MS Access, so I can always extract and analyze the data if need be. I won't be able to blog common hosts (ex. BellNexxia), but I should be able to kill obvious spammers. Upper mgmt is pretty sensitive to false positives, but I'll keep the MX record suggestion in my back pocket too. Thanks for the suggestion! I'll let you know how it works out. – Aaron Alton May 21 '09 at 18:52
1

I can think of a few things you might want to consider. The first is to watch your logs, put together a list of spam source hosts (assuming that there is a reasonable number that are brute forcing with the directory harvesting), and block them at your firewall.

A more comprehensive, but more complicated, solution would be to offload your initial spam handling with an e-mail gateway server. This is what we did at my previous job. We built a Linux box running Postfix and a collection of additional tools (spamassassin, clamav, a greylisting daemon, amavisd, etc) and some custom stuff. We then put that out in front of the Exchange cluster and routed all of our e-mail (in and out of the network) through it.

This can provide you with a lot of additional flexibility to rate-limit connections, block spam sources, and setup whitelists and blacklists. We were able to significantly reduce the amount of spam our users were receiving, as well as reducing the load on the Exchange boxes.

Update: Forgot to mention, but there are also a number of anti-spam gateway appliances that are available out there, too. You buy the box, configure it from a web interface (usually) and just plug it into your network. A few tweaks in Exchange and DNS (so e-mail is flowing through it) and it will handle all of the anit-spam heavy lifting for you.

Christopher Cashell
  • 8,999
  • 2
  • 31
  • 43
  • Which logs in particular? GFI or Exchange? I'm a bit of a deliberate Exchange neophyte, and finding logs doesn't seem to be as easy as it should be ;-) – Aaron Alton May 21 '09 at 18:58
  • I would say GFI, but I'm not very familiar with it, so I don't know where to find it's logs. Depending on how it logs, anything it blocks might not show up in the standard exchange logs. – Christopher Cashell May 21 '09 at 19:49
1

MailEssentials works at the Event Sink level in SMTP, so it indeed gracefully drops the connection for nonexistent email addresses, without letting the message actually touch your server (as long as you've pushed this up top of the list, which you have. There isn't too much else you can do at your box -- this is a pretty phenomenal amount of directory harvesting activity you're seeing, and I agree your next step should be to work with your isp to see if you can narrow down to a few IPs or sets of IPs that are sending a majority of this and have them blocked.

nedm
  • 5,610
  • 5
  • 30
  • 52
1

I know this is now a ways out from when the original post went up, but I have to agree with John Gardeniers regarding Mailcleaner.

I've used Mailcleaner now for roughly 4 years. The initial edition wasn't as flexible to modification, but it was pretty solid anyway. Around a year ago, I got ahold of Mailcleaner 2010, which is a complete re-write of Mailcleaner from the ground up. While the 2006 edition of Mailcleaner was built on a Debian v4 based engine, the newer 2010 release is based on Ubuntu Server, if I'm not mistaken. The older build was prone to breaking, but the newer build is so solid and feature filled that I haven't felt the need to do any under-the-hood modifications.

As is, Mailcleaner 2010 is by far the most solid and clean anti-spam solution I've used this side of a Barracuda Anti-spam / anti-virus Firewall. At my work, we use a Barracuda M600 appliance, designed to handle roughly 30 million email per day. We receive around 300,000 email on an average day, with roughly 7% to 10% of that being actual legitimate email. On the Barracuda, we use quarantining (which I abhor, but our management insists). On my personal domain, where I use Mailcleaner 2010 configured as a virtual server hosted on VMWare ESXi, I have Mailcleaner configured for LDAP address verification combined with tagging on suspected spam. All tagged spam is automatically delivered to my users' 'Junk Email' folder on our Exchange Server (2003), which automatically expires out the tagged messages after 30 days. This makes for a very, very low footprint for my Mailcleaner Anti-spam gateway, and with the auto-expiry of tagged email, it keeps my Exchange Server from overflowing with spam. The false positive rate is very, very low, and since I use tagging, even if a message receives a false positive, we don't have to worry about loosing that mail so long as we check in on our email responsibly... which all of my regular users do.

Anyways, having used a Barracuda anti-spam system, I had very picky expectations regarding an alternative for my own domain, since we don't have a corporate/government level budget to fund the purchase of appliances. All things considered, it would have been difficult at best to find a better solution than Mailcleaner 2010, because it seems to take a lot of influence from Barracuda, but it's not a straight rip-off of Barracuda's firmware. At the same time, it's much easier to setup than the Barracuda.

When I first started working my current job, my employers were using GFI's anti-spam engine (v10?). We had severe problems out of GFI because of how it handled blacklisting. I did the research and scored us the Barracuda M600. The Barracuda has been a great solution, because it allows for blacklisting by CIDR addresses, as well as a ton of other scanning techniques that work very well. So far, the only problems I've run into with the Barracuda are regarding false positives due to bad rules entered by those less experienced in combatting spam. The Mailcleaner 2010 Virtual appliance that I run requires much, much less interaction to achieve a near perfect solution.

Check it out if you get a chance. I think you'll be glad you did. :)

Share & enjoy!

1

I third the opinion of thrid party Spam filtering. We Really like: http://www.mxlogic.com/ It remove Spam way better than GFI, doesn't use andy server resources, makes your email servers more secure(follow Leroyclark's suggestion), and you won't have issue with licensing issues crashing your exchange server.

Nathan
  • 11
  • 2
1

If you have a spare machine, even a fairly low spec PC, you might consider installing MailCleaner, which will provide ant-spam and antivirus scanning of your inbound emails. It's Linux based but doesn't require any great degree of familiarity with Linux in order to get it set up and running. The filtering results are excellent, even without "training" the anti-spam databases, and the web interface makes day-to-day tasks a breeze. There's also a support forum should you need it.

John Gardeniers
  • 27,262
  • 12
  • 53
  • 108
0

You can also use the new solution www.altea.ca for Altea MailProtection wich is a third party Anti spam and zero hour antivirus

0

If looking at third party filtering services, look at http://www.safentrix.com also. You can try out its performance.

One of the features that might be useful is lack of quarantine (and thus near zero maintenance).