Re: Spoofing e-mail revisited



On Mar 8, 2:55 pm, "RobW" <robwal...@xxxxxxxxxxxxx> wrote:
If I turn the Trend antispam filtering off, the e-mail from the mls site
goes through and gets delivered.  There seems to be little room to fine-tune
Trend so I put a call in.  Not many here seemed 'solution oriented'
with the problem and my primary interest is toward my customer.

I configured Trend to send the quarantined items to the desktop junk folder
and not the server-side quarantine folder.  Then I opened up a ticket with
Trend where they are not so arrogant with 'Windows type' users.

"Stephen Ward" <stephen.usenet.w...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:49b3f157$0$16173$db0fefd9@xxxxxxxxxxxxxxxxx

On Sun, 08 Mar 2009 11:07:20 -0400, Rich Matheisen [MVP] wrote:

On 08 Mar 2009 14:07:06 GMT, Stephen Ward
<stephen.usenet.w...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

[ snip ]

Not sure I've read this right but check the Barracuda upstream does not
have SPOOF PROTECTION on for *any* of the domains on it. If it sees
mail from the wild claiming to be from a domain it hosts - it will block
it with a rather odd 'client' message. Usually it should *not* be set to
send any form of bounce for this.

It does not do this by reference to SPF - just claimed sending domain.

So if the MAIL FROM (which isn't necessarily the same address as the
"From:") is from a domain that's routed "internally" then it's
considered to be spoofed? How do they handle someone that's legitimately
using that domain from some other location (from home, from some other
hosted server, etc.)? They'll either have to add those IP addresses as
accepted relay servers or exclude those IP addresses from the rule that
checks for that condition.

BTW - The Trend is using the same 'CLAM-AV' Engine as the upstream
firewall so you are probably wasting your time with it.

If your assumption is that all email-borne junk arrives from the
Internet, perhaps. That wouldn't be a good thing to assume, though.
Portable devices (USB drives (hard and solid state), phones, laptops,
etc.) easily carry this kind of stuff right around any perimeter
defenses you throw up.
---
Rich Matheisen
MCSE+I, Exchange MVP

1) If the message contains <>@domain in the MAIL FROM -or- ENVELOPE FROM
and spoof protection is on, that will kill it. It does *not* do SPF/rDNS
to qualify it.

2) I refer to the hardware gateway device from Trend, not the desktop/
plugin breed on the local machine.

I apologise for any confusion - I must remember to explain things more
clearly when dealing with Windows people ;-)

--
. . .

Not to be rude & jump into the conversation here, but I've got
basically the same situation - using Exchange 2003 & TM's Worry Free
Advanced & am getting hammered by spam.
I wonder can Exchange's spam filtering & TM's co-exist with no
problems?
One thing I don't like is 2 spam folders in client's outlook - is
there a way to condense down to one?
Are there settings that should be set in Exchange & separate ones set
in TM to make them work well together or complement each other?
I've had it tightened down pretty good, but then users outside the LAN
have problems sending mail.
I am planning on eventually setting up RPC over HTTP to fix this, but
currently my DCs are all Win2k & I believe I need a 2003 DC to make
this work.
Spammers deserve a kick in the nuts by Tom Dempsey.
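
The rule discussed in the quoted messages above (mail arriving from outside that claims a hosted domain in MAIL FROM is rejected, with no SPF or rDNS lookup), modelled as an added Python example. It is not code from any poster or from the Barracuda or Trend products; the domain, address ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation domain and address ranges).
HOSTED_DOMAINS = {"example.com"}                          # domains the gateway hosts
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # the site's own mail hosts
# Assumed exemption list: an outside service that legitimately sends as the domain.
EXEMPT_NETS = [ipaddress.ip_network("198.51.100.16/28")]


def domain_of(addr):
    """Lowercased domain of an envelope address; "" for the null sender <>."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def in_any(client_ip, nets):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def spoof_verdict(client_ip, mail_from, exempt=()):
    """Claimed-domain check only: no SPF, no rDNS, header From: is not consulted."""
    if in_any(client_ip, INTERNAL_NETS) or in_any(client_ip, exempt):
        return "accept"
    if domain_of(mail_from) in HOSTED_DOMAINS:
        return "reject"   # external client claiming a hosted domain
    return "accept"


if __name__ == "__main__":
    # Constructed sessions: (connecting IP, MAIL FROM, description)
    sessions = [
        ("192.0.2.10", "<user@example.com>", "internal host"),
        ("203.0.113.9", "<agent@example.com>", "unknown outside host"),
        ("198.51.100.20", "<notify@example.com>", "outside service sending as the domain"),
        ("203.0.113.9", "<>", "bounce with null sender"),
    ]
    for ip, sender, note in sessions:
        plain = spoof_verdict(ip, sender)
        tuned = spoof_verdict(ip, sender, exempt=EXEMPT_NETS)
        print(f"{note:40} no-exemptions={plain:7} with-exemptions={tuned}")
```

The third session is the false positive raised in the thread: a legitimate sender outside the perimeter is rejected until its addresses are excluded from the rule.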
