Discussion on: 194 Comments
Well, I learned first hand what it means to get rooted. I'm definitely humbled, Rustock is quite impressive and only by shear luck was I able to remove it.

Have any of you been compromised by a rootkit, especially one focused on SPAM relay? That adds all sorts of pressure as it's just a matter of time before the compromised domain gets "Black-listed."
I be adding,
santeewelding 21st Oct 2008
"Superhuman" to your credentials, which puts you at the top of my list for "go-to".
Hey Santee,

You will always perplex me. I hope that you found the article worthy.
Specially the fix.

Worthy, except you need to clean up the "shear" in your post above.
I'd be hiring you, sir.

(And thanks for the heads-up.)
Ditto
w2ktechman 21st Oct 2008
Ditto again
Thanks
Michael Kassner 22nd Oct 2008
I still think that I was very lucky.

I'm monitoring the server almost constantly, just because I'm concerned that it's still there but maybe dormant.
Similar instance
jeff@... 24th Oct 2008
I had a very similar thing happen to my network. I had a user click on a link in a Spam message about top news videos. This compromised his password and within minutes my exchange server was sending thousands of messages to my queue. I had to use a port sniffer to determine which user's account was compromised, I changed his password, then re-installed my antivirus, cleaned the system, and stopped the infection. What a mess!
Awesome
Michael Kassner 24th Oct 2008
I am truly encouraged by reports of successful evictions of malware. It doesn't seem like that happens very often.
That's pretty frightening. Was that user set up as a "power user" or "administrator" by any chance?

I've had pretty good luck setting everyone up with standard "Domain User" or "User" accounts, and I haven't had a single malware or virus problem, well other than someone's wallpaper getting changed.
so you could wipe and reinstall. We used to do that regularly; had an optical storage disk with the image on it so we wouldn't have to reconfigure everything.

Files weren't an issue as all files were stored at the node locations, and backed up to one of our main offices.
Michael
santeewelding 21st Oct 2008
The confused -- they are now to your left and to your right.
with confusion? They will shortly, if not already, be to his front and to his rear, as well.
I think every server admin needs to feel that sinking feeling at least once. Sometimes it's the catalyst that convinces them that security practices are a requirement. Sometimes it's instead an unwelcome but valuable reminder about becoming too comfortable and letting your guard down.

Shortly after establishing a webserver, the client started talking about email. The original plan was to go slow and add in each function only after the previous functions were well understood. That process held for a while until Email became the outstanding desired function and business needs/decisions meant opening those ports to the outside world sooner rather than later. It all seemed to go well for a while as we worked through any issues that hindered internal and external client connections and mail transport. Then the sinking feeling visited; an angry email from our registrar about not condoning spam servers. The mailer queue was full of failed outbound messages and the sinking feeling got worse at the thought of, statistically, how many must have not failed. We halted the mail daemons, closed the ports on the firewall and started investigating.

Our lessons learned; don't open ports to the outside before you are truly ready and lock down all related configurations. It also added much more weight to our discussions on security. When I recommended not allowing any unencrypted client connections, we didn't need to discuss why. In this case, it was a mis-configuration easily fixed. The small bit of luck was that the issue was not more severe like a rooted account or malware.
I agree completely. I can't imagine what large scale enterprises must be dealing with. They must be constantly hammered by malware. On the flip side though, they may have more resources available to do battle.
With that kind of budget, I'd be looking at specialized appliances to watch the network traffic rather than relying on AV at the exchange server. It would also get AV and malware scanning but not as the first line of defense.
You beat me to it...
JCitizen Updated - 23rd Oct 2008
My gateway makes an excellent firewall but I've never subscribed to the scanning service. I would think it would take a big load off the server or any other server doing the same service.

Now that I'm x64 again I'm back to using Symantec again. I don't know about Enterprise class but NIS 2009 still hasn't impressed me much. Especially when you spend all afternoon on the wire with support trying to get Live Update to work.

(edited) Maybe it's time for me to try CheckPoint's email scanning client.
Similar symptom of sluggish Email server can also be the result of a different external cause e.g. external SPAM attack on a domain name. For instance, I had a domain attack where customer inboxes were getting filled up with NDR messages but the emails were to non-existent addresses in the same domain. As soon as I moved the mx record to a spam-filtering service the issue went away.
How can you be 100% sure
dirtylaundry Updated - 22nd Oct 2008
that it isn't a laptop or smartphone allowing this rootkit thru? I've encountered the too often stubborn individual that is more concerned over speed than security and disabling features to use the unit and then re-enabling them for IT when the time comes for a check. Did you scan each unit for this rootkit or a similar malware that might be allowing someone to get thru and install the rootkit later?
That's another attack I've been up close and personal with. It almost mimics a DDoS attack.

That company had Symantec as well. What helped them was that I upgraded to the newest version of Mail Security for Exchange. It has a pretty good spam filter on it. My next move would have been as you suggested and use a spam-filtering service.

The only problem is that I mainly deal with small companies, so they are very concerned about costs. Especially now.
Barracuda
rkuhn@... 23rd Oct 2008
Prices are low and in the long run, between setup, maintenance, management, etc they'll save money.

It will catch all the spam, viruses, malware, etc as well as takes that load off of the Exchange server allowing it to run better.
The logic diagram on the website looks impressive; quite the filtering there!
Our Numbers
rkuhn@... 24th Oct 2008
We average about 40,000 emails a day and the Barracuda causes about a 1-2 second delay. Not sure about the actual throughput.

And for anyone out there that is a big proponent of open source, the Barracuda is essentially a Linux box with about a dozen or so software packages that, of course, are also tweaked by Barracuda.

Anyways, they start at under $1,499 I think and it is a hell of a product. 15 minute setup and basically forget it's there after that.

I went to a seminar on Barracuda just yesterday and am considering purchasing their web filter and/or messaging archiver as well.
I agree
Michael Kassner 24th Oct 2008
I go to the data centers of several large world-wide corporations and I see Barracudas in almost all of them. That in and of itself says a great deal.
When you do enough digging at Linux Devices.com, you can find some references to DD-WRT firmware distributions that seem to do the same thing for Home Offices.

The reviewers had good things to say about the setup and the services on those devices (LinkSys), but I haven't had the time to investigate it myself.
DD-WRT
Michael Kassner 24th Oct 2008
Just be careful of what devices you use with DD-WRT. There is only one Linksys device that works well with DD-WRT and that's WRT54GL. I would personally suggest looking at the Buffalo devices as they are cheaper and IMO better suited for DD-WRT.
Thanks Michael...
JCitizen Updated - 24th Oct 2008
That was exactly the model Linux Devices recommended for that particular job.

I'll have to look at Buffalo, I think TigerDirect sells those.

I was interested in the Linux wireless router Netgear was selling until I realized it didn't have a USB port for printer networking.

I would like to have seen what kind of filtering services those devices had. It would be proprietary fee based, I'm sure.
Hey Jay
Michael Kassner 24th Oct 2008
I'm a Cisco guy through and through, so I must accept LinkSys. Personally, I'm a huge fan of the Buffalo consumer wireless gear. My bits are coming to you via one right now.
I will be checking on that for sure. I think my clients will be interested.
I forgot
Michael Kassner 25th Oct 2008
The main reason I mentioned Buffalo devices is that they convert to DD-WRT very nicely. I have just read that the patent case against them was lifted. Which means that they hopefully will start importing them again.
I could be mistaken, but I believe Netgear just made a router with an open source OS. In addition, it supports both Tomato and DD-WRT.

I think it is the 614L.
I will look up that model number, but the only reason I didn't buy their first one is the lack of a USB printer port.

I'm too cheap to buy a networkable printer yet.
How has that worked out? I had heard that Netgear was kind of light on memory, which changed my mind.

LinkSys makes the wrt54GL that is specifically for DD-WRT and Buffalo has several models that work with it. Both LinkSys and Buffalo have 4 Mb of internal memory, if my memory serves me correctly.
in features I just couldn't bring myself to purchase it.

I think my CheckPoint gateway uses something written under GPL, if MY memory serves me correctly (NOT, heh, heh)

I really like the Safe@Office appliance I'm using. It's really for small businesses & SOHOs, but it has a respectable throughput for what it is. I'm using the Safe@Office 500W, just for information's sake.

CheckPoint now has a cheaper model with the same capabilities, under the ZoneAlarm brand name on their site. SofaWare specializes in my service, where CheckPoint is a separate entity, actually.

I'm not really sure how that corporation is organized. But I'm very impressed with the service, despite the fact they have chat support only, which sucks if your only router is down. Just got to keep a backup around!
I've had no issues with ddWRT on 54GS, 54GL or 350N Linksys routers. There was a brief hiccup when the 54GS devices changed to a newer hardware version but I believe that is now supported all the way up to the latest.

Provided your device is listed on the "supported hardware" list linked from the website, you should be able to download the applicable mini firmware for initial flash then the applicable VPN, VOIP or Standard firmware to reflash up to full features.

With linksys anyhow, there is a specific mini firmware for 54GL, 54GS (old hardware), 54GS (new hardware) and 350N hardware. I favor the VPN firmware as I don't need VOIP or Standard's XBox support.

If you have specific hardware that has given you grief though, let me know so I can add it to my own watch list.
If I remember my reading correctly, Linksys purposefully increased memory and selected Linux friendly hardware chips for the GL to allow for alternative firmware. At the time, the 54GS routers had less memory and moved to a newer hardware version using Linux unfriendly broadcom chips. The firmware has since gained support for the later 54GS hardware versions but the GL is the one to get in the "54" range if you're going to be reflashing it; pretty much, all alternative firmware supported it from Tomato on through to OpenWRT.

The 350N is a very nice upgrade to consider even if you're not going to use the "N" wireless; better reception, more memory, faster cpu.
In fact, I'm a proponent of the Buffalo routers over LinkSys. Just my opinion though.
with great success for years until our spam volume got to the point of overloading the box. We ended up choosing the Ironport box instead ($500 cheaper for comparable Barracuda).
I can recommend both vendors with no reservations. Barracuda wins in terms of speed of customer support and simplicity of message tracking. Ironport wins on speed and resource use.
There is certainly enough positive input for the Barracuda device. I now just have to get up enough courage to talk to the client.
but the question one has to ask is are there enough spam and suspect attachments being sent to users to warrant purchasing it.
It was either Buffalo or Netgear anyhow; .11N with 27 or so antenna stuffed in the router box. Linksys has treated me well and the 350N was a noticeable upgrade but that other router is worth a look.
I have been working my due diligence in that regard. The exchange server isn't working that hard and Mail Security for Exchange by Symantec is reportedly a fairly good spam filtering application.

I always like to offer more than one option to a client, as doing so is in their best interest.
I find that technology totally amazing and even wrote an article about it if you're interested:

http://blogs.techrepublic.com.com/wireless/?p=189

It was the Netgear router that had the MetaMaterial antennas in it, allowing beam-forming.
We have a Barracuda for 22 months now and it has reduced our spam to nearly non-existent. It is fast and does a great job. We are a small office (less than 12 people), but have emails that are listed on numerous real estate web sites and as such are quite public and well targeted.

In those 22 months we have seen over 21 million attempted emails, with just over 1% of that being legit. Within a few days of installation of the Barracuda, the 'cuda does learn over time, we went from users with over 100 spams a day down to maybe 10. Within a month, spam was maybe 1 a day.

I highly recommend the Barracuda for a small office. Every user commented how nice it was once we got one. It is easily the best money I have spent on my network.
That was one question I did have, as to whether it made sense for small entities. The facility where the Exchange server is located has 25 users, so your comments answered my question about that.
I still question whether this approach will help with malware being spread internally. I'm seeing that as the attack vector now. A user goes to a malicious Web site, gets hooked and spreads it throughout the internal network.
Malware spreading internally (PC to PC) versus one internal user emailing malware to another internal user (via SMTP).

With an in-line setup (default), no the Barracuda won't stop one internal user from emailing another internal user malware.

The default or in-line installation simply points your MX record to the Barracuda and it then forwards all email once scanned to your Exchange server.

However, you can hang it off of a switch and thus force both internal and external email to hit the Barracuda before forwarding onto the Exchange server.

That is a quite different scenario, BTW, than simply outbound filtering.

Anyways, yes the Barracuda can prevent one internal user from emailing another internal user malware.

However, no the Barracuda isn't a web filter and won't prevent malware from infecting one PC from another via the network.
Check point Safe@Office...
JCitizen Updated - 25th Oct 2008
filters all incoming and outgoing traffic for malware; if you buy into all the services it will do AV, SPAM, and other filtering services.

I'm sure their enterprise devices have even more capability but I doubt they filter the internal bridge either.

I have never set up an exchange server in the DMZ so I can't attest to the filtering capability there either.
Thanks to both of you. I didn't realize that the Barracuda could filter internal as well as external e-mail. That's significant and I'm going to check into that for sure now.

I also have a huge soft spot in my heart for CheckPoint. I love their GUI, even I can get it. I have only used them for Internet-facing firewalls or VPN implements.

Does the Barracuda have client licenses like CheckPoint devices?
Just the initial purchase plus yearly updates. Optional is an instant replacement warranty.
If I remember correctly, that makes it a better deal than CheckPoint as they charge for client licenses.
We get the SPAM attacks fairly often (one or two users about once every 2 months). We're using Postini to filter incoming and the only mail that's supposed to be outgoing also supposed to go through postini, but that doesn't always work, helps a lot though.
The Co. president was the target about 3 weeks ago, started about 5:30 on a Friday evening. Ran the battery down on his blackberry by 10:30 that evening, fortunately he waited til Monday morning for me to deal with it. By then about 2000 to 2500 messages had slipped through the filters. When I went into the filter and started deleting the attack resumed (I think from backed up queues). When it was finally over he had received over 17,000 NDR messages.
One of the things I found kinda odd was most of the messages that slipped through the filter failed reverse dns lookup, these are supposed to be blocked too.
they seemed to have made an improvement on the virus side of things, but when you let messages thru that have no subject line in them, that is pretty bad.

I have one account with them but I'm not familiar with the whole product line, or if there is one, so I digress.
Joe Jobs
ctrogers Updated - 23rd Oct 2008
A good way to prevent or at least reduce NDRs resulting from "joe jobs" is to implement SPF records into your DNS server.

It's basically free, and lets other servers that bother to check them realize that you did not authorize that spam.

I made our SPF record myself with a little help from a SPF generator on the internet, and a little manual configuration, and from what I understand, will eventually be a requirement for AOL servers to receive your email.

Joe Job - see http://en.wikipedia.org/wiki/Joe_job
SPF - see http://en.wikipedia.org/wiki/Sender_Policy_Framework
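The SPF mechanism ctrogers points to, worked through as an added example (not code from the post, and not any SPF library's implementation): a small offline evaluator that applies a `v=spf1` record to a connecting sender's IP and returns the verdict a receiving mail server would act on. The domain names, the records and the lookup table that stands in for DNS TXT queries are all constructed for illustration; only the ip4, ip6, include and all mechanisms are implemented, so a/mx/ptr/exists and redirect= yield permerror rather than a guess.

```python
"""Offline evaluator for a subset of SPF (RFC 7208): ip4, ip6, include, all.

Added example. SPF_RECORDS is a constructed stand-in for DNS TXT lookups;
the domains in it are hypothetical. The a/mx/ptr/exists mechanisms and
modifiers such as redirect= are deliberately not implemented.
"""
import ipaddress

# Constructed records (hypothetical domains), keyed by the domain whose
# TXT record a receiver would normally query.
SPF_RECORDS = {
    # The organisation's own record: its mail server network, the outsourced
    # filter's record pulled in via include, and a hard fail for everything else.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailfilter.example -all",
    # The filtering service's record: one IPv4 host, an IPv6 range, softfail.
    "_spf.mailfilter.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # A domain that publishes no SPF record at all.
    "unprotected.example": "",
}

# Qualifier prefix -> result when the mechanism matches ('+' is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms to 10


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples.

    Returns None when the text is not an SPF version-1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(ip, domain, depth=0):
    """Evaluate sender address `ip` against the SPF record of `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = parse_record(SPF_RECORDS.get(domain, ""))
    if terms is None:
        return "none"            # no record published: nothing to enforce
    sender = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in terms:
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = sender.version == network.version and sender in network
        elif mechanism == "include":
            # include:<domain> matches only when that domain's record yields pass
            matched = check_host(ip, argument, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"   # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no 'all' term present


def forged_mail_rejected(ip, domain):
    """True when a receiver that checks SPF would refuse mail from `ip`
    claiming `domain`; that refusal is what spares the domain joe-job NDRs."""
    return check_host(ip, domain) == "fail"


if __name__ == "__main__":
    cases = [
        ("192.0.2.55", "example.com"),          # the real mail server
        ("198.51.100.10", "example.com"),       # the filtering service
        ("2001:db8::1", "example.com"),         # filtering service over IPv6
        ("203.0.113.9", "example.com"),         # a bot forging the domain
        ("203.0.113.9", "unprotected.example"), # no record, nothing to check
    ]
    for ip, domain in cases:
        print(f"{ip:>16} as {domain:<24} -> {check_host(ip, domain)}")
```

The forged-sender case is the one that matters for the NDR flood described in the thread: with `-all` at the end of the record, a receiver that checks SPF returns `fail` for any address the domain has not listed and can refuse the message, so the bounce never comes back to the forged domain. Without a record the result is `none` and the receiver has nothing to enforce.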
Exchange??
Cyclops116 22nd Oct 2008
I'm in no way a MS basher, or a penguin head but Exchange does have its issues!

I ran a Netware server with GroupWise for almost 10 years and didn't have to worry about Virus' on the server, or the clients for that matter! They just couldn't get infected, the client wasn't as pretty as Outlook but the features were there and easier.

I'm running an Exchange server now and it's a serious pain in the A$$!! The weekly updates and reboots. Constantly worrying about infection, it's not fun!!
Once the Groupwise was running and configured it ran for months without issue. There were only 2 critical updates for the system in that time!

AHH the good old days!
I remember being pretty nervous when I installed that last service pack.
Zimbra
rball@... 23rd Oct 2008
I run a Zimbra server and it hasn't been rebooted in at least 6 months (Linux). *nix is by far more stable.
Zimbra??
Cyclops116 24th Oct 2008
I was looking at that as a replacement for GroupWise at one time but couldn't find anyone running it.
How is it working for you and what's the client side look like? Are you using Outlook, if so do all the features work like delegating and shared calendaring etc.
I am sorry to hear that. I work for KyndL Corp. We take care of IT for small businesses.

First, You are right in your statement that it is more important to find out how the email are getting into your queue. You fix the problem. Usually, for me, we were spammed from PC in-house. People infected their workstations themselves.

Second thing I noticed is you have the wrong tools.

1) Windows Defender - total piece of junk. Uninstall it.
2) Malicious Software Removal Tool - never found anything worth removing. another piece of junk from Microsoft.
3) Symantec End Point - The only thing worse than using this is trying to un-install it without breaking your exchange server.

Suggestions for better running network and exchange server...

1) NOD32 for exchange and enterprise - great software. Finds viruses that Symantec does not see. Low overhead, roll out and update from server.

2) Barracuda Email Filter - point your mx record to the Barracuda then forward the mail to your real exchange server. The spam, viruses, and hackers never see your real server. It filters out tons of stuff. We have some customers who have their own box while most run through our box here. BTW, you can set the MX record to have 2 pointers first - Barracuda box. second - real exchange server. So if our barracuda box goes down email still gets to customer's server directly.

3) Spyware removal tools -
A) Adaware
B) Spybot Search & Destroy
C) Webroot Spy Sweeper
D) Counterspy
E) AVG Anti-spyware
F) SuperAntispyware

I don't mean one of these. I mean ALL of these are run on a system to make sure it is totally clean.

In your case you found a specific removal tool for the spyware/rootkit. This does not mean that there is nothing else on the server. I would run the programs above to make sure nothing else was infected on the machine.

I explain to customers some spyware are like teenage kids while you are away. They invite two friends over who invite two friends over... so on and so on. Till you have 30 kids wrecking your house while you are away.

I hope this is a helpful post. Anyone else have any better tools they would suggest?
Appliances
tundraroamer Updated - 22nd Oct 2008
While I no longer admin an exchange server, I support the idea that Symantec is a big part of the problem and it should be replaced at the next rebuild. Symantec is just plain junk and I've got the rebuilds to show for it after its use.

I found Barracuda to be a high end but lower cost solution to the overall problem. It is not 100% (nothing is) but I used Trend as a second layer defense to back up the Barracuda. In over 5 years of this plan, only one problem ever made it all the way through and was blocked because the user did not have the correct rights to install software. It was determined that this was a new virus, only hours old and neither system had been updated for it. I recall that Barracuda had a solution out before Trend did.

I think Michael did a good job of troubleshooting the problem but he should now be able to sell an "upgrade" to improve the security of his client network and e-mail. Get an appliance like Barracuda and dump Symantec. The new network I am using now is Symantec protected. I get more spam in a day than I did in 6 months or more on the Barracuda / Trend. That only raises the chances of getting something bad through.
Appliances are just Internet facing though. Wouldn't you still have the problem of getting infected from the private network? So hopefully AV software will react to it.

I'm looking real hard at Trend Micro. I like their latest version that is pretty much AV/Internet security in the cloud. I think Eva Chen is really forward-looking and creating some good software.
Root Cause
ctrogers 22nd Oct 2008
Is the Exchange server in question also set up for web-based email access such as "www.example.com/exchange" or even as an IIS server? If so, IIS is a likely intrusion vector. Have you looked at the IIS logs around the estimated time of the infection?
It does
Michael Kassner 22nd Oct 2008
The Exchange server has Outlook Web Access enabled using HTTPS. It is configured to work with the ISA server. I will take a look at the IIS logs and see if I can find anything.

Could you go into some more detail, I'd really appreciate it.
Note that I am most certainly not an expert in this field, and that these suggestions really only apply to defending your machines from the internet. Defending your machine from the local network and physical access are another matter.

First, I would figure out exactly how visible the Exchange server is to the internet.

From your description, it sounds as if the ISA server is acting as both a firewall and a proxy server. Is the ISA server the only device plugged directly into the Internet router and there are no other firewalls? If so, what ports does the ISA server forward to allow external (Internet) access to the Exchange server?

For example, where I work, we have a little cisco pix firewall with ports 80 (http) and 443 (https) forwarded to the exchange server, and port 25 (smtp) forwarded to a spamfiltering appliance that then forwards to the exchange server. Then in IIS, I've majorly restricted anonymous access, disabled script execution where prudent, and required SSL for most of the site. So far, nothing has broken into the server.

After making sure the server has as little visibility from the internet as possible for your purposes, I would check the IIS logs. By default, they are found in C:\WINDOWS\system32\LogFiles\W3SVC1. What I would be looking for are some entries like these:

2007-08-10 19:18:22 172.16.2.3 1441 172.16.1.10 444 HTTP/1.1 GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 403 - Forbidden -

2007-08-10 19:20:42 172.16.2.3 2195 172.16.1.10 444 HTTP/1.1 GET /scripts/..%c0%9v..%c0%9v..%c0%9v..%c0%9v..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\+/OG 400 - URL -

2007-08-10 19:23:33 172.16.2.3 4484 172.16.1.10 444 HTTP/1.1 GET ..\..\..\..\..\..\windows\win.ini 400 - URL -

Requests like these can be used on an unpatched server to get passwords, upload executable files, and even execute those uploaded files. That's why I was suggesting checking the IIS logs around the time of the original infection.

I hope some of this helps, and good luck on tracking down what happened!
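ctrogers' suggestion of reading the IIS logs for requests like the ones quoted, turned into an added detection example (this is not code from the post): a Python scanner that runs over constructed log lines modelled on the quoted entries and flags the request patterns they show, namely percent-encoded dots, malformed escapes such as `%c0%9v`, `..` traversal with either slash, and requests for files like `etc/passwd`, `cmd.exe` and `win.ini`. The field order is assumed from those lines; real IIS W3C logs declare theirs in a `#Fields:` header, so `FIELD_NAMES` is the one thing to adjust before pointing it at a file from the `LogFiles` directory the post names.

```python
"""Flag traversal and encoded-command probes in IIS W3C-style log lines.

Added example; the log lines below are constructed (modelled on the ones
quoted in the thread) and the field order is assumed:
date time c-ip c-port s-ip s-port protocol method uri status ...
Real IIS logs declare their own field order in a '#Fields:' header line,
so adjust FIELD_NAMES if yours differs.
"""
import re
from urllib.parse import unquote

FIELD_NAMES = ["date", "time", "c-ip", "c-port", "s-ip", "s-port",
               "protocol", "method", "uri", "status"]

# Constructed sample log: two ordinary OWA requests around three probes.
SAMPLE_LOG = r"""
2007-08-10 19:17:01 172.16.2.3 1380 172.16.1.10 444 HTTP/1.1 GET /exchange/default.htm 200 - -
2007-08-10 19:18:22 172.16.2.3 1441 172.16.1.10 444 HTTP/1.1 GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 403 - Forbidden -
2007-08-10 19:20:42 172.16.2.3 2195 172.16.1.10 444 HTTP/1.1 GET /scripts/..%c0%9v..%c0%9v..%c0%9v..%c0%9v..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\+/OG 400 - URL -
2007-08-10 19:23:33 172.16.2.3 4484 172.16.1.10 444 HTTP/1.1 GET ..\..\..\..\..\..\windows\win.ini 400 - URL -
2007-08-10 19:25:10 10.0.0.7 3320 172.16.1.10 444 HTTP/1.1 GET /exchange/images/logo.gif 200 - -
"""

# Files and programs that traversal probes typically aim at: the ones in the
# quoted log lines plus a few generic Windows/Unix targets.
SENSITIVE_TARGETS = ("etc/passwd", "cmd.exe", "win.ini", "boot.ini", "system32")

# A '%' not followed by two hex digits: malformed escapes such as %c0%9v are a
# classic way to slip past naive URL normalisation.
MALFORMED_ESCAPE = re.compile(r"%(?![0-9a-fA-F]{2})")


def normalise_uri(uri):
    """Percent-decode up to three times (defeats double encoding) and fold
    backslashes to forward slashes; lower-cased for case-insensitive matching."""
    decoded = uri
    for _ in range(3):
        again = unquote(decoded, errors="replace")
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/").lower()


def classify(uri):
    """Return the reasons a request URI looks like a probe (empty if clean)."""
    reasons = []
    if MALFORMED_ESCAPE.search(uri):
        reasons.append("malformed percent-escape")
    if "%2e" in uri.lower() or "%5c" in uri.lower():
        reasons.append("encoded '.' or '\\' in path")
    path = normalise_uri(uri)
    if "../" in path or path.startswith(".."):
        reasons.append("directory traversal")
    reasons.extend(f"sensitive target '{t}'" for t in SENSITIVE_TARGETS if t in path)
    return reasons


def parse_line(line):
    """Map one whitespace-separated log line onto FIELD_NAMES; None if it is
    a '#' header line or too short to carry a URI and status."""
    fields = line.split()
    if line.startswith("#") or len(fields) < len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, fields))


def scan(log_text):
    """Return (time, client ip, status, uri, reasons) for suspicious requests."""
    hits = []
    for line in log_text.strip().splitlines():
        record = parse_line(line)
        if record is None:
            continue
        reasons = classify(record["uri"])
        if reasons:
            hits.append((record["time"], record["c-ip"], record["status"],
                         record["uri"], reasons))
    return hits


def probes_per_client(log_text):
    """Count suspicious requests per client IP so a scanning host stands out."""
    counts = {}
    for _, client, _, _, _ in scan(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for when, client, status, uri, reasons in scan(SAMPLE_LOG):
        print(f"{when} {client} [{status}] {uri}\n    -> {'; '.join(reasons)}")
    print("probes per client:", probes_per_client(SAMPLE_LOG))
```

Run against a real file with `scan(open(path).read())`. The status column matters as much as the URI: the quoted probes were all refused with 400 or 403, while a 200 on a traversal request is the line to correlate with the infection time.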
I appreciate your help. I'll be checking into that when I have chance. Yet another area where my knowledge level is lacking.
First off, for a little extra money you can purchase a Barracuda with outbound protection.

Second, it can be configured so that it would provide internal protection. The standard install would be in-line (thus not offering internal protection) but there are alternatives that do provide internal protection.
Hello, Rick

Could you explain what you meant by internal protection? Are you using it as a default gateway?
The low end
Dumphrey 27th Oct 2008
Barracudas filter mail in one direction only. But at ~$1000, 2 of them can be affordable compared to loss of email service. And for ~$2500, a single Barracuda device can do incoming and outgoing filtering, so it becomes the internal mail proxy, so all mail goes through the Barracuda, in both directions, before touching the server. Also, the mid/high end Barracudas include AD integration, so it can just drop any incoming recipient that's non-valid instead of scanning and passing it to the mail server. Ironport offers similar features. I prefer the Barracuda, but the Ironport is very effective, and can be monitored with a terminal window (command reference is about 800 pages).
Thanks Dumphrey,

The Barracuda sure sounds like a great device, is there any reason why it's not more popular?
Price I would say.
Dumphrey Updated - 27th Oct 2008
It's not the cheapest option. But it's also not the most expensive option. Their low end equipment is easy to replace with better, less expensive options (hence we now run Ironport (also very nice)), but their upper tier is amazing.
Even if your client does not buy barracuda, any appliance is better than none. I can't even imagine trying to run a mail server without one. ATM the spam volume may be low, but it will grow. And no server should have to be tied up on spam when the ham needs to go out.
I have almost 3 years worth of traffic reports, and have watched the amounts double and triple every year. And I doubt that will reverse anytime in the near future.
It would be a huge disservice to not mention it to your client. The cost is prohibitive at first, but much less than the problems it can prevent down the road.
I understand very much about it being a disservice to my client.

It's the other way around, I've been able to do quite a bit with minimal costs and that facility is running quite well. Even with the Rustock infection the outgoing email was down less than a day and that was a Sunday.

So, it becomes hard to justify additional costs, especially now. That's why I have to have my ducks in order.
It could well be
Dumphrey 28th Oct 2008
that you do not need one yet, but it's good to be prepared for when you do. Educating users to not use a work mail account to do on-line shopping goes a long way to preventing spam. Depending on size of the agency and number of visible email addresses, it could be a few years before one is required. But, knowing options and costs ahead of time simplifies the process. For that matter, you could always build a spam filter on a linux box with SpamAssassin and clamav. I'll dig around, I would be surprised if there is not a walk through or distro designed as such. (Not counting the commercial free for home use distros like Astaro).
Astaro
Michael Kassner 29th Oct 2008
I've heard some good things about Astaro, have you any experience with it?
Remember too, even the entry level Barracudas can handle multiple domains. If you have multiple domains which you support, perhaps you can spread the cost across them and ease each domain's burden.

I have about a dozen domains which I filter. Each domain can then forward to the "real" email server at each domain.

This may be an added 'feature' you could sell.
I'm not sure what you mean by different domains. Are you referring to different domains at one location or different physical locations?
I've been using CheckPoint...
JCitizen Updated - 23rd Oct 2008
Although I'm not using their filtering service for email, I do like the firewall.

When I get an infection they are nearly always blocked from communicating to the outside world.

I get a monthly report showing who is attacking and from where. If I see outgoing blocks I know I have an undefined malware in the system.

NOD32 has really nailed this down for me but I also use almost everything in the list that was previously mentioned, as far as freeware and payware to mitigate the problem.

I've never priced AVG antispyware for enterprise or Spybot Search & Destroy. Webroot and Spyware Doctor were either unstable as hell or just didn't do enough good to be added to the mix in my in-depth-defense. Just my opinion. I retest them regularly on my honeypot, so I'm not totally condemning them forever.

I agree with the negatives on Symantec, I would never recommend it to a client, and I am only using it because it is free and I don't have a good Vista x64 substitute yet. I know Avast works on XP x64 but I don't know yet about Vista 64 bit.

(edited) I use Kiwi Syslog to look for outbound blocks between monthly reports, and this has done very well for me; but I like rickk's idea better. I have no idea how much they charge for those filtering services though. Checkpoint's charges are reasonable for an Enterprise I should think.

One could go with a FOSS solution to this but I have no idea on cost or effectiveness for Windows networks there either.
0 Votes
+ -
Barracuda
rkuhn@... 24th Oct 2008
Their spam/virus/firewall appliance I think starts at $1,499 or so...maybe less.

Their web filter is about $3,000.

I'm quoting numbers for an organization our size, prices go up and down depending on the model you select.

Their pricing is based on the hardware and its initial purchase. Then, after that you have NO (yes I said no) per user fees. You just pay for updates and warranty (if you choose).

I think the warranty (instant replacement) and the updates costs us about $700 a year.
0 Votes
+ -
and a lot cheaper than CheckPoint's security services for a year. If you go with the latest appliance it is even more expensive for Enterprise packages.

It is good to know the device runs on a Linux kernel, although it would be difficult to gain access to do a flash firmware attack anyway. I disable remote administration from the cloud.
0 Votes
+ -
Barracuda uses SpamAssassin and ClamAV along with about 10 other open source packages in addition to their claim of other "commercial" improvements.

It is a pretty damn good product. I would encourage anyone to look into it.

97% of our email is spam, on average. We have a false positive hit rate of pretty much zero. And we only let through maybe 10 emails a day that are spam (out of about 40,000 total on average).

Granted, that's after some "training" of the device.

In addition, like other anti-spam products, with the Barracuda the user can have an Outlook plugin so they can mark their own messages as whitelist, blacklist, spam, etc in addition to getting an email everyday to manage their own account.
0 Votes
+ -
Spam Assassin...
JCitizen 25th Oct 2008
yes! I believe that is what my old client went to. We never had a spam problem with that utility.

We did have the occasional individual sending unwanted personal emails but we could simply block them of course.
0 Votes
+ -
Contributr
OK Rick
Michael Kassner 25th Oct 2008
Now that you have me interested, what does "training" entail? The device would be located with no on-site IT, and only myself remoting in if needed.
0 Votes
+ -
I meant training meaning teaching it what is spam and what isn't on top of the default settings.

Sure, there are default settings (and they work OK) but fine tuning it is where the big payoff is, like with most products.

For example, you literally have a slider bar for various scenarios (score 1-10).

You can tag an email as potentially being spam but still deliver it to the recipient with a tag in the subject line. You can automatically block emails, in which case they don't reach the intended recipient, or you can quarantine emails, in which case your users can be set up to get an email periodically where they can manage their own questionable emails (marking them as spam, not spam, blacklist or whitelist).

Now, all that being said, I picked a couple of users to test with. I asked them to send me 200 borderline emails each. I then "trained" the Barracuda using these questionable emails thus taking Barracuda's settings and augmenting them with our company's type of emails.

Lastly, on top of all of that, there is an Outlook plugin (free) where users can mark their own emails as spam or not spam.

Over a period of a few weeks, the accuracy of this device becomes deadly accurate if you are willing to spend the time to train it.

And the interface is web based, so just VPN or whatever onto their network and you can manage it remotely.
0 Votes
+ -
Contributr
Thank you, Rick

That sounds very good. Especially being able to remote into it. I suspected as much.

I appreciate your patience in explaining the details as well.
0 Votes
+ -
We use Postini as our incoming spam/virus filter and allow mail in through the firewall ONLY from Postini to the Exchange 03 box. So far so good. Good article and follow-ups, thanks all.
0 Votes
+ -
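The two controls discussed in this thread, JCitizen's habit of treating outbound firewall blocks as a malware indicator and the rule above that admits inbound SMTP only from the filtering service, can both be checked from the firewall log. The following is an added example, not code from the original thread or from any vendor: it parses iptables-style LOG lines (a constructed sample, with an admin-chosen prefix) and flags inbound port 25 traffic to the mail server that did not arrive from the filtering service, plus any internal host other than the mail server that tries to speak SMTP outbound, which is exactly what a spam-relaying rootkit looks like from the edge. The filter-service range (203.0.113.0/24), the internal network and the mail server address are placeholders; the real ranges for Postini or any other service must come from the vendor.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical values for the example. Replace with the filtering service's
# published delivery ranges and your own mail server / LAN addresses.
FILTER_SERVICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MAIL_SERVERS = {ipaddress.ip_address("192.0.2.10")}
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample: iptables LOG output with "FW-IN:" / "FW-OUT:" prefixes.
# Whether these were ACCEPTs or DROPs does not matter for the analysis;
# a blocked outbound attempt is the signal, not a problem with the log.
SAMPLE_LOG = """\
Oct 24 09:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.25 DST=192.0.2.10 PROTO=TCP SPT=45120 DPT=25
Oct 24 09:00:07 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=25
Oct 24 09:01:12 fw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=25
Oct 24 09:01:15 fw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.57 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=25
Oct 24 09:01:16 fw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.57 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=25
Oct 24 09:02:00 fw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.57 DST=198.51.100.11 PROTO=TCP SPT=40004 DPT=443
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def classify(line):
    """Return (direction, src, dst, dport) for a LOG line, or None if it is not one.

    Direction follows the iptables convention: a non-empty IN= interface means
    the packet entered the firewall, a non-empty OUT= means it left.
    """
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields or not fields.get("DPT"):
        return None
    direction = "inbound" if fields.get("IN") else "outbound"
    return (direction,
            ipaddress.ip_address(fields["SRC"]),
            ipaddress.ip_address(fields["DST"]),
            int(fields["DPT"]))


def analyze(log_text):
    """Find SMTP flows that violate the 'filter in, mail server out' policy.

    bypass: external sources delivering to the mail server without passing
            through the filtering service (rule gap, or a spammer probing).
    relay:  internal hosts other than the mail server attempting outbound
            SMTP, counted per host; any count here deserves a look.
    """
    bypass = []
    relay = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        direction, src, dst, dport = rec
        if dport != 25:
            continue
        if direction == "inbound" and dst in MAIL_SERVERS:
            if not any(src in net for net in FILTER_SERVICE_RANGES):
                bypass.append(str(src))
        elif direction == "outbound" and src in INTERNAL_NET and src not in MAIL_SERVERS:
            relay[str(src)] += 1
    return {"bypass": bypass, "relay": dict(relay)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in report["bypass"]:
        print(f"inbound SMTP bypassing the filter: {ip}")
    for host, n in sorted(report["relay"].items(), key=lambda kv: -kv[1]):
        print(f"outbound SMTP from non-mail host {host}: {n} attempt(s)")
```

Run it against the real log (`analyze(open("/var/log/firewall.log").read())`) and the relay counter does the job JCitizen does by eye in the monthly report: a workstation with a non-zero count is either misconfigured or sending on someone else's behalf.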
Contributr
I suspect it's the same process. I really didn't think about the fact that the email will only be coming from one source.

The Exchange server in question doesn't have a service like Postini at this time. I may suggest that approach to them and see what they say.
0 Votes
+ -
SpamCop...
JCitizen Updated - 27th Oct 2008
In 2005 we used that as a solution with Exchange 5.5, I believe.

I don't know what they are using now, as I no longer contract with them, but I suspect it is way obsolete.

It was very effective at the time, despite occasional internal infections.(Trend Microscan). But they had some very tight Group Policy controls on the IIS server, that made it pretty difficult to get out on the cloud in many unauthorized sites.

I wasn't privy to the setup over there so I can't relate that now. I do know if you could not get out to the internet it was because you either didn't need to, or it was for your own good, and the company's security.

(edited) for typos.
0 Votes
+ -
Web Filtering
Cyclops116 24th Oct 2008
I hate to say this but Web filtering is probably the best way to protect the network.
At my old place I had 1 virus infection in 7 years and it was downloaded from someone's Hotmail account, so I blocked all webmail, shopping, social networking sites, games, pretty much anything that wasn't needed for the job description was blocked. 50% of people got no access at all!

While the Internet is a great tool it is also the world's biggest waste of time.
Look at me reading all these posts and replying when I should be working on redesigning my backup system!
0 Votes
+ -
Contributr
Hmmmm
Michael Kassner 24th Oct 2008
I'm researching backup systems for a future article. I would love to hear what you have found.
0 Votes
+ -
A simple black list was used I suspect. But our clients had to have some leeway to do their jobs, in fact I needed to do networking research and there weren't many blocked sites that I ran into.

We had our own web-mail set up using OWA with SSL, so it caused very little trouble. As long as we kept up our security policy education for new clients, we generally didn't have many problems from even our remote clients.

Sorry about wasting your time Cyclops116, I really appreciate your input nonetheless. TechRepublic was required reading at our organization. We discussed TR articles all the time at our staff meetings and participated in webinars also.

Had an important workstation that contained our clinic's financial info infected with nasty Rustock B from an email attachment. It took many hours to remove, but if you are persistent and lucky it can be done. I used BartPE, Sysinternals Regdelnull that finds and deletes hidden reg keys, and ADSSpy by Merijn that removes hidden streams to fix. Despite patching and virus scanners and other security measures you can never be 100% protected. All these were in place and current and the infection still occurred.
0 Votes
+ -
Contributr
I think using an alternative OS is the key to removing polymorphic types of malware. Symantec had me go into Recovery Console mode to remove it.

for most techs I suspect. I think either seanferd or neon turned me on to that.

I just use the Windows installation disc to go to the recovery console, most clients don't have it installed on the hard drive already. Doing so would be wise.

I would hope any kernel mode root kit could be discovered this way.
0 Votes
+ -
Thanks very much for sharing this. Seems like high end Firewalls, IDSs, Forescout, good Antivirus, Postini and extreme measures are never enough!!!....

Thanks for sharing your real expertise!
0 Votes
+ -
Contributr
I keep saying I think it was more persistence than expertise. I really can't explain why I reloaded the AV software, but that's what caught it for me.

Now your client has a different problem -- their mail server is probably blacklisted all over the place.

There is NOT an easy solution -- if you have ever tried to get a server OUT of the RBLs, you will know what I mean.

For one client, I needed to have the ISP grant them a new block of clean IP Addresses. This was also NOT EASY, but was the only way to solve the problem.

Until the new block of IPs was used, the client couldn't communicate with half their customers. This in itself can be just as serious as having a compromised server.
0 Votes
+ -
Contributr
I checked
Michael Kassner 23rd Oct 2008
I think this is another area where I lucked out. I checked the server's IP address at the following link:

http://www.mxtoolbox.com/blacklists.aspx

The other reason I believe is that the problem was caught so quickly. As soon as I noticed what was going on I disabled outgoing mail and to be sure I even took the Exchange server off-line.

I understand the pain involved when trying to get off of a black list, as a friend of mine had to go through that process.
0 Votes
+ -
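The mxtoolbox page linked above does a DNSBL lookup for each list it knows; the mechanism behind it is worth having on hand, since it can be scripted and run from cron once outbound mail is re-enabled. This is an added example, not code from the thread or from any blacklist operator: it builds the reversed-octet query name (1.2.3.4 against zen.spamhaus.org becomes 4.3.2.1.zen.spamhaus.org), resolves it, and treats an NXDOMAIN as "not listed". The zone names and the zen.spamhaus.org response codes are the publicly documented ones; the resolver is injectable so the logic can be exercised offline with a stubbed lookup. Check the address the world sees, that is the firewall's public NAT address for the Exchange box, not the server's internal one.

```python
import socket

# Public zones queried by this example; any DNSBL using the reversed-octet
# convention can be added to the tuple.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Meanings Spamhaus documents for answers from zen.spamhaus.org. Other zones
# have their own codes, so they are only decoded for this zone.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host (spambot, open proxy)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: dynamic/end-user range, should not send mail directly",
    "127.0.0.11": "PBL: dynamic/end-user range",
}


def dnsbl_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the zone."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(parts)) + "." + zone


def default_resolve(name):
    """A-record lookup; NXDOMAIN (gaierror) means the address is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=DNSBL_ZONES, resolve=default_resolve):
    """Return {zone: answer} for every zone that lists ip.

    Spamhaus answers in 127.255.255.0/24 signal a rejected query (for example
    one sent through a public resolver that exceeds their usage policy); those
    are recorded as 'error' so a refused lookup is never mistaken for a clean one.
    """
    result = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue
        if answer.startswith("127.255.255."):
            result[zone] = "error"
        elif answer.startswith("127."):
            result[zone] = answer
    return result


def describe(zone, answer):
    """Human-readable meaning of an answer where the zone's codes are known."""
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(answer, answer)
    return answer


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional always-listed test address for DNSBLs,
    # so running with no argument should report a hit in every zone.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    hits = check_ip(target)
    if not hits:
        print(f"{target}: not listed in {', '.join(DNSBL_ZONES)}")
    for zone, answer in hits.items():
        print(f"{target}: listed in {zone} -> {describe(zone, answer)}")
```

Running it with no argument is a self-check of the resolver path (the test address is listed everywhere); running it with the mail server's public address on a schedule gives early warning of the blacklisting the post above describes, before customers start bouncing mail.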
Nice Job
BigAmcInroy 23rd Oct 2008
Michael, I always read your articles. You do an excellent job with something most admins can't comprehend. Namely you don't act as if you know it all. I really appreciate that. I always learn something from your informative articles.

Keep up the good work.

Alan
0 Votes
+ -
Contributr
Thanks Alan
Michael Kassner Updated - 23rd Oct 2008
Very kind words. I say that because writing in that manner is very important to me. Some of the most amazing mentors and professors in my life were that way. Just to think that I might remotely approach that style is very special.
0 Votes
+ -
I did have a personal Linux machine compromised by a weak ssh password (not my account happy allowing about 50 or 60 phishing emails before the IDS caught the traffic and blocked outbound port 25.