How to tighten down Exchange Server security - blacklisted


  • How to tighten down Exchange Server security - blacklisted

    I have an unusual circumstance. I have Exchange on the network for a real
    estate agency. All the agents have laptops that they own, which we have
    joined to the domain. We, the company, do not own the laptops, and we
    occasionally get an infected laptop that starts sending SPAM e-mail
    out through the Exchange server and gets us blacklisted.

    We have Symantec Corporate 10.2 installed on the network, but many of the
    agents potentially pick up malicious code browsing web sites when connected
    to the Internet at home.

    There is no 'relay' enabled on the server, not even authenticated users. We
    do not use POP or IMAP either. All the remote laptops connect using RPC
    over HTTPS. We use IMF on the front end of Exchange followed by GFI
    MailEssentials 12.

    I am looking for something to detect an abnormal queue of e-mails being sent
    out. We have been blacklisted twice this year and senderbase.org has given
    us a 'poor' rating, which is now affecting our e-mail delivery.

    I consider this scenario out of the ordinary and would welcome any
    suggestions. I thought about installing Symantec Corporate 10.2 and using a
    Group Policy to force the installation, but this does not allow for a
    computer that became infected at an agent's home and then gets plugged into
    the network.

    TIA
    Network Engineers do IT under the desk

  • #2
    Re: How to tighten down Exchange Server security - blacklisted

    It isn't your server that is being blacklisted - it is your IP address.

    If the machines have been compromised then they will not be sending email out via your server, it will be direct to other hosts.
    I wrote a blog posting earlier this year that explains what is happening:
    http://www.sembee.co.uk/archive/2008/03/13/73.aspx

    Your other mistake is using Symantec AV.
    While I regularly kick their product, it is not without good reason. It is an overpriced, resource-hungry piece of junk that lets through more than it should. As it has so much of the market share, it is the main thing that virus writers test their "product" with to ensure it gets through.

    What to do?

    Politics will be a major problem. I would suggest looking at the systems that Microsoft provide for quarantining machines that are not up to date on AV and patches.

    Another thing would be to get a second IP address, so that Exchange can have its own IP address. Another option would be to send your email out via another server or service.

    Blocking port 25 on your firewall for everything but the Exchange server is something else I would suggest.

    The major problem you have is that you don't own the laptops. I find that a few rebuilds will stop users from browsing in an unhealthy manner. If they have to reset everything two or three times a month, then they will soon stop. An infected machine can never be cleaned 100%; the only effective way to clean a system is to wipe it. However, a machine that you don't own will mean the user will tell you to go away because it is their machine, not the company machine.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
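    The two firewall-side points in the reply above (infected laptops deliver straight to other hosts on TCP/25, and only the Exchange server should be allowed to do that) can be checked against the firewall's own logs. The following is an added example for this thread, not code from the original post or from any product named in it. It assumes a perimeter firewall that logs each outbound connection in the simple one-line format shown (an assumed format; the sample lines are constructed, not a real capture) and that the Exchange server's address is 192.168.1.10 (also an assumption). It flags any other internal host that opens a burst of port-25 connections, and shows the egress decision the "only Exchange may use port 25" rule would give for each source.

```python
"""Flag internal hosts that open their own outbound SMTP (TCP/25) connections.

Added example for this thread, not code from the original post or from any
product named in it. It assumes a perimeter firewall that logs outbound
connections in the line format below (an assumed format, constructed for the
example) and that only the Exchange server should ever talk to port 25.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address of the Exchange server: the one host allowed to use port 25.
EXCHANGE_IP = "192.168.1.10"

# Constructed sample log, not a real capture:
# "date time action proto src:port -> dst:port"
SAMPLE_LOG = """\
2008-09-14 09:00:01 ACCEPT TCP 192.168.1.10:40321 -> 64.12.138.161:25
2008-09-14 09:00:04 ACCEPT TCP 192.168.1.57:1031 -> 209.85.133.27:25
2008-09-14 09:00:05 ACCEPT TCP 192.168.1.57:1032 -> 64.12.138.161:25
2008-09-14 09:00:05 ACCEPT TCP 192.168.1.23:1101 -> 72.14.205.99:443
2008-09-14 09:00:07 ACCEPT TCP 192.168.1.57:1033 -> 65.55.37.72:25
2008-09-14 09:00:09 ACCEPT TCP 192.168.1.57:1034 -> 205.188.159.57:25
2008-09-14 09:00:12 ACCEPT TCP 192.168.1.10:40322 -> 209.85.133.27:25
2008-09-14 09:00:15 ACCEPT TCP 192.168.1.23:1102 -> 64.12.138.161:25
2008-09-14 09:00:20 ACCEPT TCP 192.168.1.57:1035 -> 72.14.205.99:80
2008-09-14 09:01:30 ACCEPT TCP 192.168.1.57:1036 -> 65.55.37.72:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def egress_decision(src, proto, dport, exchange_ip=EXCHANGE_IP):
    """The egress rule suggested in the thread: only Exchange may reach TCP/25."""
    if proto.upper() == "TCP" and dport == 25 and src != exchange_ip:
        return "DENY"
    return "ALLOW"


def rogue_smtp_sources(log_text, exchange_ip=EXCHANGE_IP,
                       window=timedelta(minutes=1), threshold=3):
    """Map each non-Exchange source to its peak number of TCP/25 connections
    inside any sliding window of length `window`; keep only sources whose peak
    reaches `threshold` (a burst of direct-to-MX deliveries, i.e. a spam bot)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "TCP" or rec["dport"] != 25:
            continue
        if rec["src"] == exchange_ip:
            continue          # the mail server is expected to talk to port 25
        times[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in sorted(rogue_smtp_sources(SAMPLE_LOG).items()):
        print(f"{src}: {peak} direct SMTP connections within one minute; "
              f"egress rule would say {egress_decision(src, 'TCP', 25)}")
```

    On the constructed sample, 192.168.1.57 is the only host flagged (four port-25 connections inside a minute), while the single port-25 connection from 192.168.1.23 stays below the threshold and the Exchange server is skipped entirely. Once the egress rule is in place the same script, run against the DENY entries, becomes a list of which laptops to pull off the network.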



    • #3
      Re: How to tighten down Exchange Server security - blacklisted

      Thanks Sembee. I read your article and I am also cognizant of the fact that the IP is being blocked and not the server. I had better sharpen up my penmanship.

      The mail getting backed up in the queue is legitimate e-mail that is being rejected and queued for retry. Presently, the IP has not been blacklisted for several days but more and more companies are using the SenderBase.org rating and my client has a rating of 'poor'. Consequently, much of their e-mail is getting rejected.

      I never thought about blocking outgoing port 25 traffic for everything but the Exchange server.

      Because we are dealing with a real estate office, everyone uses OWA, RPC over HTTPS and Windows Mobile devices. We have not installed a BES yet, although that is coming.

      What do you recommend for central antivirus/spam/malware control? I did an install of Symantec Endpoint Security 11 and it was an absolutely horrific program for a first installation. The server client installed as a standalone and blocked all the traffic, shutting down shares and DHCP.

      I have tried a 10-station install of ESET NOD32 with the Remote Admin (server and console) installed, and I found the instructions to get that running one of the most complicated and confusing documents in all my years. I ended up doing stand-alone installs until I have time to "figure it out".



      • #4
        Re: How to tighten down Exchange Server security - blacklisted

        I don't rate anything Symantec for anything other than a coffee cup stand. That is about all their software is of any use for.

        Spam software is also impossible to make recommendations on, because what works for one company doesn't work for another. You have to evaluate the products and see what works for you. Don't purchase anything without trying it first.

        Anti-malware isn't anything I have ever had to purchase as I operate my sites locked down.

        NOD32 is a little quirky with getting it setup. I have used it before and it seems to work fine. I mainly use AVG which I have found works very well. Not the free version, but the commercial version.

        Simon.
        --
        Simon Butler
        Exchange MVP



        • #5
          Re: How to tighten down Exchange Server security - blacklisted

          Originally posted by Sembee:
          I don't rate anything Symantec for anything other than a coffee cup stand. That is about all their software is of any use for.
          The documentation makes good kindling.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



          • #6
            Re: How to tighten down Exchange Server security - blacklisted

            I have recommended Trend Micro Worry-Free™ Business Security Advanced to my customer. They have SBS 2003. Thanks for all the help and information. I have also bookmarked your blog.

            Rob
