Messaging Gateway

  • 1.  Brightmail outbound spam filtering

    Posted Jan 13, 2012 06:53 PM

    Good afternoon,

    We have recently had two occurrences of internal users' PCs getting infected/hacked and sending out mass spam messages in the middle of the night, getting our domain added to some blocklists.  Since we are a college, I don't have good control of the PCs or users in my email domain, so just tightening up my PC control isn't going to do it.

    I have a few questions related to this to find ways to close up some exposure (by the way, we are a single Exchange 2003 mail server and a single Brightmail 9.5 configured for inbound and outbound filtering).  At the first occurrence of this, I called in to Symantec and the tech helped me find that I did not have outbound spam filtering turned on completely.  I turned it on and thought I was good, but then we had another occurrence. Looking at the outbound messages, they come from valid users' PCs who are logged in and don't look strongly like spam, hence making me wonder how Brightmail would know they are spam and how we can block them.

    Question #1> Looking at my configuration, I see that I have my Exchange Server's IP address in the Local Good Sender IPs list.  Is this a good thing or a bad thing?  Is it allowing all email to be sent out without being scanned?

    Question #2>  I see that the outbound spam was 500 recipients per message and about 1,500 messages sent.  This took our normal average outbound email recipients per day from 2,000 on most days to 800,000 on that day.  The number of messages per day was a little higher than normal, but not so extreme as to make me think anything was significantly wrong even if I had seen it right away.  Given these things, is there a good way to help filter this problem out?

      2a> My first preference would be if I could put a limit on how many recipients a single person could send to in a day. Of course, if this is even possible, I'd have to figure out how I identify the "single person who is sending" in this scenario, as the IP addresses are all the email server's and the from address can easily be spoofed (in this case it was not).  Even better would be if I could have different policies for different users, as I do have a few users who send occasional mass mailings.

      2b> If that isn't possible, my second preference would be to get alerted ASAP if the number of recipients for the whole server exceeds 3,000 in a single day.

      2c> My third preference might be to just cap the server to a max of 10,000 recipients per day.

    Question #3> I am very open to any other suggestions...

    Anyone have thoughts that could help me prevent getting blacklisted again?

    Thanks,

    Jim



  • 2.  RE: Brightmail outbound spam filtering

    Posted Mar 28, 2012 06:58 PM

    Hi Jim,

     

    You've got lots of options here. Off the top of my head, you could tackle this problem in the following ways:

    1. Remove the whitelist and allow outbound spam scanning to occur. As you mentioned, if the emails don't look particularly spammy, it might not help.

    2. Leave the whitelist in place but configure a content filtering rule to check for messages that have more than, say, 100 outbound recipients and treat these as spam. You could enhance this by creating a separate group for users that do send to this many people on a regular basis and exclude them from this rule.

    There are probably a few other options available to you. If one of these options resolves the problem for you, mark me as the solution. If they don't fit, reply back and I'll see if I can come up with something else.

     

    Cheers

    Ben
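
The checks discussed in this thread (Jim's 2a/2b/2c limits and Ben's per-message recipient rule with an exempt group), as an added example that is not part of the original posts and is not Brightmail/Messaging Gateway code. It runs over a constructed, hypothetical log format (one line per outbound message with the day, sender and recipient count); a real deployment would feed it the gateway's own message logs, and the per-sender accounting only works if the logged sender is the authenticated submitter rather than a spoofable From header. The sender addresses, the 100/3,000/10,000 thresholds and the exempt list are assumptions taken from the numbers in the thread.

```python
"""Outbound recipient accounting: per-message, per-sender-per-day and per-server-per-day checks.

Added example, not Messaging Gateway code. Log format and policy values are hypothetical.
"""
from collections import defaultdict
import re

# Constructed sample log. Hypothetical format: <ISO timestamp> OUT sender=<addr> rcpts=<n>
SAMPLE_LOG = """\
2012-01-10T02:13:04 OUT sender=student1@college.example rcpts=500
2012-01-10T02:13:09 OUT sender=student1@college.example rcpts=500
2012-01-10T02:13:15 OUT sender=student1@college.example rcpts=500
2012-01-10T02:13:21 OUT sender=student1@college.example rcpts=500
2012-01-10T09:01:00 OUT sender=alumni@college.example rcpts=1200
2012-01-10T10:15:22 OUT sender=prof@college.example rcpts=3
2012-01-11T08:00:00 OUT sender=prof@college.example rcpts=40
this line is not a delivery record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ OUT sender=(?P<sender>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Hypothetical policy values, taken from the figures in the thread.
PER_MESSAGE_LIMIT = 100        # reply's rule: more than 100 recipients in one message is suspect
PER_SENDER_DAILY_LIMIT = 100   # 2a: default recipient budget per sender per day
EXEMPT_SENDERS = {"alumni@college.example": 5000}  # 2a: known mass-mailers get their own cap
SERVER_ALERT_THRESHOLD = 3000  # 2b: alert when the whole server passes this in a day
SERVER_HARD_CAP = 10000        # 2c: stop sending when the whole server passes this in a day


def parse_log(text):
    """Return (day, sender, rcpts) tuples for lines in the constructed format; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["day"], m["sender"].lower(), int(m["rcpts"])))
    return records


def sender_limit(sender):
    """Daily recipient cap for a sender: the per-user override if present, else the default."""
    return EXEMPT_SENDERS.get(sender, PER_SENDER_DAILY_LIMIT)


def evaluate(text):
    """Run all checks and return findings as (kind, day, sender, count, limit) tuples."""
    findings = []
    per_sender = defaultdict(int)  # (day, sender) -> recipients that day
    per_day = defaultdict(int)     # day -> recipients across the whole server

    for day, sender, n in parse_log(text):
        # Per-message rule; exempt senders are judged only against their own daily cap.
        if n > PER_MESSAGE_LIMIT and sender not in EXEMPT_SENDERS:
            findings.append(("message_rcpts", day, sender, n, PER_MESSAGE_LIMIT))
        per_sender[(day, sender)] += n
        per_day[day] += n

    for (day, sender), total in sorted(per_sender.items()):
        limit = sender_limit(sender)
        if total > limit:
            findings.append(("sender_daily", day, sender, total, limit))

    for day, total in sorted(per_day.items()):
        if total > SERVER_HARD_CAP:
            findings.append(("server_cap", day, None, total, SERVER_HARD_CAP))
        elif total > SERVER_ALERT_THRESHOLD:
            findings.append(("server_alert", day, None, total, SERVER_ALERT_THRESHOLD))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(finding)
```

On the sample data the four 500-recipient messages from the compromised account each trip the per-message rule, that account's 2,000 recipients for the day trip its 100-recipient budget, and the server total of 3,203 for 2012-01-10 raises the alert without reaching the hard cap; the 1,200-recipient mailing from the exempt alumni account produces no finding because it stays under that account's own cap.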