Even better, instead of reading the raw log, we could use the Get-AgentLog cmdlet, which is helpful when searching for specific information. We won't discuss this cmdlet today. To get an idea of the information included in this log, here is the list of field names:

Timestamp, SessionId, LocalEndpoint, RemoteEndpoint, EnteredOrgFromIP, MessageId, P1FromAddress, P2FromAddresses, Recipient, NumRecipients, Agent, Event, Action, SmtpResponse, Reason, ReasonData, Diagnostics

Which of these fields are populated depends on the anti-spam agent generating the log entry. As you will know, Exchange includes a number of anti-spam agents, each plugging into the mail flow at a different stage. The Content Filter Agent processes an incoming email only after it has been completely received, so this agent is in a position to be very informative. The Connection Filter Agent, by contrast, processes emails at a much earlier stage, since its filtering logic is based mostly on the IP address of the remote host sending the email, so its entries are less informative. To highlight this point, let's look at two log entries, one generated by the Content Filter and one by the Connection Filter:

Field Name          Content Filter Agent Log      Connection Filter Agent Log
Timestamp           2012-02-26T09:51:42.968Z      2012-02-26T09:47:57.269Z
SessionId           08CEC282DA2C4CFE              08CEC282DA2C4CFD
LocalEndpoint       192.168.30.60:25              192.168.30.60:25
RemoteEndpoint      192.168.                      192.168.8
EnteredOrgFromIP    192.168.30.23                 192.168.30.67
MessageId

The agent log settings live in EdgeTransport.exe.config, in the Exchange installation's Bin directory (Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe.config for Exchange 2010). From here we can configure:

• AgentLogEnabled - (default on) turns logging on or off.
• AgentLogMaxDirectorySize - (default 250Mb) the maximum total size, in bytes, of all log files in the directory. When this limit is reached, the oldest file is deleted.
• AgentLogMaxFileSize - (default 10Mb) the maximum size, in bytes, of an individual log file. When this limit is reached, a new file is created.
• AgentLogMaxAge - (default 30 days) the age limit for log files, in the format d.hh:mm:ss.ff. Files older than this limit are deleted.

The initial configuration file won't have entries for AgentLogMaxDirectorySize, AgentLogMaxFileSize and AgentLogMaxAge. For any missing value, Exchange applies the default. To set a new value we need to add an element in the format:

Here is what the configuration file may look like once you configure all of the properties relevant to agent logging.

Important: the Microsoft Exchange Transport service must be restarted for changes to take effect.

Final Tips

This concludes our introduction to Exchange 2007/2010 anti-spam agent logging. Today we had a quick look at the type of information these logs provide and at how the functionality is configured. We could certainly dig a lot deeper into this topic. The Reason and ReasonData log fields are a gold mine; I would love to compile a detailed article on how to map these fields directly to the exact filtering reason. The Get-AgentLog cmdlet is also very useful and worthy of a closer look.

There are various spam filtering tools at an Exchange admin's disposal. How can these be used to leverage Exchange's own capabilities? What other solutions are there to defend against spam and malware?

Configuring Edge Transport Server

The Edge Transport server role was created to serve as an additional layer that assesses and filters incoming messages before allowing them into Exchange proper. To this end, various policies and rules are used to identify and eliminate spam and other undesirable messages.
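Returning briefly to the agent logging settings covered in the first section: this added example (not code from the article or from Exchange) reads the appSettings of an EdgeTransport.exe.config and reports the settings actually in effect, filling in the article's defaults for any key that is absent and validating the d.hh:mm:ss.ff age format. The sample config is constructed, and the megabyte defaults are converted to bytes on the assumption that 1 MB = 1024 * 1024 bytes.

```python
import re
import xml.etree.ElementTree as ET

# Defaults given in the article, applied when a key is absent from appSettings.
# Sizes are the article's MB figures converted to bytes (assumes 1 MB = 1024 * 1024).
DEFAULTS = {
    "AgentLogEnabled": "true",
    "AgentLogMaxDirectorySize": str(250 * 1024 * 1024),
    "AgentLogMaxFileSize": str(10 * 1024 * 1024),
    "AgentLogMaxAge": "30.00:00:00",
}

# d.hh:mm:ss.ff timespan; the fractional-seconds part is optional
AGE_RE = re.compile(r"^(\d+)\.(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d+))?$")

def parse_age(value):
    """Convert an AgentLogMaxAge timespan string into total seconds."""
    m = AGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad AgentLogMaxAge timespan: {value!r}")
    days, hours, minutes, seconds, frac = m.groups()
    total = int(days) * 86400 + int(hours) * 3600 + int(minutes) * 60 + int(seconds)
    return total + (float("0." + frac) if frac else 0)

def effective_settings(config_xml):
    """Read EdgeTransport.exe.config text and return the effective agent-log settings."""
    root = ET.fromstring(config_xml)
    app = root.find("appSettings")
    found = {}
    for add in (app.findall("add") if app is not None else []):
        key = add.get("key")
        if key in DEFAULTS:
            found[key] = add.get("value", "")
    merged = {**DEFAULTS, **found}   # explicit values win over defaults
    return {
        "enabled": merged["AgentLogEnabled"].strip().lower() == "true",
        "max_dir_bytes": int(merged["AgentLogMaxDirectorySize"]),
        "max_file_bytes": int(merged["AgentLogMaxFileSize"]),
        "max_age_seconds": parse_age(merged["AgentLogMaxAge"]),
        "defaulted": sorted(k for k in DEFAULTS if k not in found),
    }

# Constructed sample config: only two of the four keys are present.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="AgentLogEnabled" value="true" />
    <add key="AgentLogMaxAge" value="7.00:00:00" />
  </appSettings>
</configuration>"""
```

The "defaulted" list tells you which limits are still running on Exchange's built-in values, which is the first thing to check when a log directory fills up or rolls over sooner than expected.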
Do note that it is not installed by default; a deployment without one is still considered a fully operational Exchange Server messaging environment. An Edge Transport server processes new incoming messages in the following order:

• IP Block and Allow Lists are checked first for a match (blacklisting and whitelisting respectively).
• Next, IP Block List Providers and IP Allow List Providers are checked.
• The Sender Filtering Agent checks the Blocked Senders list for a match.
• A Sender Policy Framework (SPF) lookup is conducted.
• The Blocked Recipients list is checked for a match; this also filters out nonexistent recipients.
• The Content Filtering Agent inspects the content of messages and filters them according to the company's policy.
• Mail attachments are then analyzed by the Attachment Filter Agent.
• Finally, if everything checks out, the message is delivered to Exchange inboxes.

Depending on the exact configuration, rejected messages could trigger an error message, be deleted without further notice, be sent to the spam quarantine mailbox, or be placed in a user's Junk E-mail folder. One downside is that the only accurate way to determine the impact or effectiveness of the various rules is to deploy an Edge Transport server in a "live" environment. As such, it makes sense to start with a laxer filter configuration, so as not to unwittingly delete legitimate emails, and tighten it slowly over time.

Third Party Solutions

Administrators who prefer a more autonomous set of spam and malware filtering capabilities than those offered by an Edge Transport server have a number of anti-spam solutions to choose from:

Cloud-based provider: A popular option. Anti-spam cloud providers work by redirecting incoming email at the DNS MX level, with only legitimate mail being channeled back. This has the advantage that the processing and bandwidth overhead of spam never reaches your network.
The downside is that regulatory rules or the sensitivity of certain data may preclude this approach.

Spam appliance: The spam appliance is attractive because it prevents mail server CPU cycles from being wasted on processing spam. Deployment is also generally straightforward, with little or no need for maintenance. However, spam appliances can be expensive and are prone to hardware obsolescence.

Server deployed: This is usually the preferred option for businesses with on-premise Exchange deployments, and tends to straddle the middle ground between a cloud-based provider and a spam appliance in terms of cost. Be prepared for higher maintenance and administrative overheads here, however.

Endpoint protection: Many antimalware suites feature endpoint spam protection. Personally, this is my least preferred option, due to the general lack of central manageability in such software.

There are many options that can be brought to bear against spam and malware. Indeed, a mix-and-match approach would work too, though it will obviously result in a higher cost. Ultimately, the ideal solution depends on the company's infrastructure, its overall budget, and the amount of spam the organization is receiving.

Donald Manson, April 30, 2012 at 4:57 am

And what is the advantage of using third-party solutions instead of using Edge Transport? Why would "autonomy" be important? Judging from what was written here, it is better to use Edge Transport instead. This is not exactly a "deeper" look at various filtering options. It simply describes the features of each and points out the most obvious disadvantage of each type. A tabular comparison based on various factors would be more helpful. Don't get me wrong, this article has been a bit helpful.
But the title is just "deceptive", for lack of a better term, or the article fails to deliver on what the title says it should be about.

Experts Exchange question (Aug 15, 2014): blocking phishing spam from a fake domain with just one letter different from our domain

We use GFI MailEssentials; a few interesting spams from the same spammer passed all spam filters and were delivered to our financial controller. I posted the email at the bottom of this. Basically the spammer created a fake domain and actually registered it (even paying and doing homework for this spam), and sent an email to our financial controller to wire money. The sender name is the same as our president's, and the email address is just one letter different from our domain name. I guess the spammer actually did some LinkedIn searching to find our company management list, then created a domain adding an 'i', created an email server account and did all the hard work to send this spam. So technically this domain and email server are legit and will pass our GFI MailEssentials spam filtering such as the SPF check, DNS & phishing databases (since it's a new domain), etc. How can I block this type of email from a domain which is technically all legit, has never been in any spam database, but is just one letter 'i' different from our domain name?

--------------------------

COMPANY_CONTROLLER_NAME

Process a wire for $207,398.49 to the attached instructions now, code to admin expenses. Confirm when you have it sent.

COMPANY_PRESIDENT_NAME

-------- Original Message --------
Subject: (no subject)
Date: 2014-08-14 16:11
From: COMPANY_CEO_NAME
To: COMPANY_PRESIDENT_NAME

COMPANY_PRESIDENT_NAME,
Per our conversation, attached is the wiring instructions for the payment. Let me know when done.
COMPANY_CEO_NAME

X-Antivirus: AVG for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from smtprelay.b.hostedemail.com ([64.98.42.211]) by mail.COMPANY_DOMAIN with Microsoft SMTPSVC(6.0.3790.4675); Thu, 14 Aug 2014 10:21:14 -0400
Received: from filter.hostedemail.com (b-bigip1 [10.5.19.254]) by smtprelay02.b.hostedemail.

Even if this domain is legitimate from a spam filter's point of view, you can still block it at your mail server because its domain name is different from yours; whether by one character or ten is irrelevant. I don't know your organisation's policies, but you can block this dodgy domain at the server, or presumably you can tell GFI MailEssentials to treat all mail from that domain as spam based purely on its domain name rather than its content. You could also do a Whois lookup to find out where the domain is being hosted, although you'll probably find that it's somewhere where the forces of law and order are a bit thin on the ground.

Short answer: you can't. Even if you block one, this won't stop the attacker from creating and using a new one. Your user is the subject of a targeted social engineering attack. This kind of attack cannot be stopped by technical means. The only way is to educate the users to distinguish legit mail from fake. If the environment is very sensitive, you could opt in for mail encryption and digital signatures. As a workaround, while looking for a long-term solution, you could create mail rules for the targeted user to flag the good e-mails.

I blocked the domain, so the spam will not come to our company. But there are two concerns. 1. What if they create a domain with a different letter, e.g. our domain is companyname.com and the fake domain is companyyname.com? 2. I am also concerned that the spammer may use the fake domain with our clients or any entity in public, representing our company. For this reason, I submitted the case to the fake domain's registrar to see how they handle it.
Also, we have to look into the process of how we communicate sensitive information with our clients. I wonder if any of you have encountered this type of phishing email solely targeting a specific business entity, and how you handled it.

Human beings are still better than technology at detecting fraudulent emails, but only if those human beings are educated and alert. You caught this attempt at fraud before it did any damage; your customers should be just as alert. However, you might want to advise your clients of this nearly-your-domain threat, and any subsequent ones, as the possibilities for damage to the company/client relationship are substantial if you don't. If the cybercriminals can't fool you into parting with money, they might settle for trying to ruin the company's reputation instead.

I agree manual inspection is still better at filtering spam, but sometimes you make a mistake and only later find out it was wrong, and by then it's too late to get back the sent email with my credit card information. This can happen to our clients even though we alert them. So I wonder if there's any email technology available to verify that the email our clients receive is actually from us. Is there any email technology other than just creating a signature in Outlook or using a company template Word document with a company letterhead?
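The thread above turns on a sender domain that is one letter away from the organisation's own. As an added example (not from the thread, GFI or Exchange), here is a defender-side check that a mail gateway or review rule could apply: the sender domain is extracted from the From: header and its leading label is compared by edit distance with the organisation's domain, so the real domain and its subdomains pass while a domain one or two characters off is flagged for review. The message and the domain names are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw_message):
    """Lower-cased domain of the From: header (Return-Path as a fallback)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From") or msg.get("Return-Path") or "")
    return addr.rpartition("@")[2].lower()

def lookalike_verdict(raw_message, own_domain, max_distance=2):
    """Return (verdict, sender_domain, distance).

    Our own domain and its subdomains pass. Any other domain whose leading
    label is within max_distance edits of ours is reported as a lookalike,
    which also catches our exact name under a different top-level domain.
    """
    dom = sender_domain(raw_message)
    own = own_domain.lower()
    if not dom or dom == own or dom.endswith("." + own):
        return ("ok", dom, 0)
    d = levenshtein(dom.split(".")[0], own.split(".")[0])
    verdict = "lookalike" if d <= max_distance else "ok"
    return (verdict, dom, d)

# Constructed sample modelled on the thread: the president's display name,
# a sender domain with one extra letter. Domains are placeholders.
SAMPLE = """From: "COMPANY_PRESIDENT_NAME" <president@companyiname.example>
To: controller@companyname.example
Subject: wire

Process a wire to the attached instructions now. Confirm when sent.
"""
```

A flagged message is a candidate for a quarantine or "external sender" banner rule rather than an automatic block, since the check is deliberately broad enough to catch the next variant the asker worries about.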