Robert
Tue May 10 11:03:56 CDT 2005
I'll do all the above, thanks Jim!
On Sun, 08 May 2005 21:52:17 GMT, Jim Behning
<jimbehning@spamblockmindspring.com> wrote:
>Have you forced everyone to change their password?
>
>Have you set the password policy to 8 characters or greater and complex?
>
>The joy of ISA is that you can read the ISA logs to look for bogus ips
>hammering you. Technically not bogus but if you have no business doing
>business with China then why would you see a lot of traffic from
>China? You should have the same sort of logs in any firewall product
>or else it is not worth having.
>
>In answer to your Exchange question, I don't know. Maybe turn on
>message tracking to max. If you right click your servername/properties
>in Exchange System Manager you see all kinds of stuff you can track.
>
>Robert Shamansky <bshamansky@jwmbdottcom> wrote:
>
>>What Exchange services should I be monitoring in the event logs to see
>>if anyone's account has been compromised by spammers? Thanks Jim!
>>
>>On Thu, 05 May 2005 02:57:13 GMT, Jim Behning
>><jimbehning@spamblockmindspring.com> wrote:
>>
>>>dnsstuff.com has an ip lookup option. My account did not do business
>>>with anyone in China so we assumed that they were ips safe to block.
>>>
>>>Robert Shamansky <bshamansky@jwmbdottcom> wrote:
>>>
>>>>We don't have ISA installed on the server. We are using a Watchguard
>>>>Firebox as our firewall. The SMTP logs show IP addresses, how do I
>>>>know which ones are from spammers and which ones are legit email?
>>>>
>>>>We are coming up clean on the relay abuse sites so far. Thanks for the
>>>>input!
>>>>
>>>>On Mon, 02 May 2005 23:10:49 GMT, Jim Behning
>>>><jimbehning@spamblockmindspring.com> wrote:
>>>>
>>>>>I do not recall seeing any anonymous access. I do see a box for allow
>>>>>authenticated users to relay which I always uncheck.
>>>>>
>>>>>I set the password for the disabled guest account.
>>>>>
>>>>>I set the passwords to be at least 8 characters and be complex. After
>>>>>a problem you should force everyone to change their password.
>>>>>
>>>>>I review my ISA logs and start banning ips when I see attacks.
>>>>>
>>>>>Have you gone back to the relay abuse testing sites to see if you are
>>>>>set correctly? If you get blacklisted it is hell to get back off some
>>>>>of the lists. Some blacklists' definition of relay or problems is not
>>>>>the same as a true relay. At one account that I did not manage they had
>>>>>to change their ip because a week after closing down the open relay
>>>>>stuff they were still blacklisted.
>>>>>
>>>>>Robert Shamansky <bshamansky@jwmbdottcom> wrote:
>>>>>
>>>>>>We are getting mercilessly hammered with what looks like people
>>>>>>relaying spam through our Exchange server. I followed the advice last
>>>>>>year to make sure we aren't an open relay but the Current Sessions
>>>>>>queue in SMTP is constantly filled with email from outside domains and
>>>>>>we are getting 10-20K undeliverable emails every day.
>>>>>>
>>>>>>If I adjust the Access checkboxes so Anonymous Access is removed the
>>>>>>spam stops but we don't receive outside email. This is an Exchange
>>>>>>2000 server with SP3 on SBS2K and we are hosting our own email for
>>>>>>three different domains.
>>>>>>
>>>>>>I talked to our consultant today and he suggested putting another box
>>>>>>in front of the Exchange server so it can get hammered and not the SBS
>>>>>>server. I'm going to research this and I was wondering if anyone else
>>>>>>had some alternate ideas on dealing with this.
>>>>>>
>>>>>>Thanks!
>>>>>
>>>>>Jim B. SBS MVP
>>>>>I don't have much to say but it can be found here
>>>>>
>>>>>http://msmvps.com/bgb/
>>>
>>>Jim B. SBS MVP
>>>I don't have much to say but it can be found here
>>>
>>>http://msmvps.com/bgb/
>
>Jim B. SBS MVP
>I don't have much to say but it can be found here
>
>http://msmvps.com/bgb/
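
An added example, not written by anyone in this thread, of the SMTP log review discussed above: it tallies RCPT commands per client IP and separates hosts whose relay attempts are being refused from hosts whose mail to non-local domains is being accepted, which is what a compromised account with authenticated relay would look like. The W3C field list, the three local domains, the thresholds and every log line are constructed assumptions; adjust them to the fields your SMTP service actually logs.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com", "example.org", "example.net"}  # assumed hosted domains
RCPT_RE = re.compile(r"TO:<[^>@]*@([^>]+)>", re.I)

# Constructed sample in W3C extended format; the field list is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-05-02 23:01:10 192.0.2.10 mx.partner.test MAIL +FROM:<bob@partner.test> 250
2005-05-02 23:01:11 192.0.2.10 mx.partner.test RCPT +TO:<alice@example.com> 250
2005-05-02 23:01:12 192.0.2.10 mx.partner.test RCPT +TO:<carol@example.org> 250
2005-05-02 23:02:01 203.0.113.7 host1 RCPT +TO:<a@elsewhere.test> 550
2005-05-02 23:02:02 203.0.113.7 host1 RCPT +TO:<b@elsewhere.test> 550
2005-05-02 23:02:03 203.0.113.7 host1 RCPT +TO:<c@elsewhere.test> 550
2005-05-02 23:02:04 203.0.113.7 host1 RCPT +TO:<d@elsewhere.test> 550
2005-05-02 23:03:01 198.51.100.23 host2 RCPT +TO:<x@elsewhere.test> 250
2005-05-02 23:03:02 198.51.100.23 host2 RCPT +TO:<y@elsewhere.test> 250
"""

def summarize(text, local_domains=LOCAL_DOMAINS):
    """Per client IP: RCPT count, rejected count, accepted-for-non-local count."""
    stats, fields = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "relayed": 0}), []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        rec = dict(zip(fields, line.split()))
        m = RCPT_RE.search(rec.get("cs-uri-query", ""))
        if line.startswith("#") or rec.get("cs-method", "").upper() != "RCPT" or not m:
            continue
        s = stats[rec.get("c-ip", "?")]
        s["rcpt"] += 1
        if not rec.get("sc-status", "").startswith("2"):
            s["rejected"] += 1                 # server refused the recipient
        elif m.group(1).lower() not in local_domains:
            s["relayed"] += 1                  # accepted mail for someone else's domain
    return dict(stats)

def suspects(stats, min_rcpt=3, reject_ratio=0.8):
    """Label IPs worth a closer look; thresholds are illustrative assumptions."""
    out = {}
    for ip, s in stats.items():
        if s["relayed"]:
            out[ip] = "relaying"               # relay is succeeding: check auth and accounts
        elif s["rcpt"] >= min_rcpt and s["rejected"] / s["rcpt"] >= reject_ratio:
            out[ip] = "probing"                # mostly refused: candidate for a firewall block
    return out
```

An IP labelled "relaying" is the more urgent finding, since the server accepted the mail; a "probing" IP is being refused and is mainly a candidate for blocking at the firewall.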