Re: SMTP Filter, blocking inbound spoof addresses



Umm, looks like you're getting the wrong end of the stick here.

First off the hope was that the ISA's addin SMTP filter could actually
filter SMTP traffic for a listed domain(s), OK it seems it can't do it, maybe
on the wish list for a future version. After all the idea of a configurable
software firewall is the addins can be used to do these sorts of jobs,
otherwise I'd go back to a PIX!

So, I suggested sticking a mail server in the DMZ which only accepts the
valid inbound addressed e-mail, i.e. whatever@xxxxxxxxxxxxxx and rejecting
e-mail not addressed to the domainname.net. This will cut down the LAN
traffic and traffic thru the ISA server since only mail addressed to people in
my domain will be passed on, with the server in the DMZ rejecting mail not
for users here.

Adding reverse DNS checks to inbound e-mail for e-mail addressed to valid
users will be nominal after rejecting e-mail which isn't addressed to users
in the domain. 85%+ of mail coming thru the ISA server at present isn't for
a valid address here and is attempted relay by spammers. By using a Domino
server (or other mailserver) I can use a lookup on the NAB (native Domino) or
LDAP check for valid addresses, before passing mail to the ISA server for the
final pass on to the inside and the mailserver, thus dropping e-mail and not
rejecting which is valid domain but not for a valid user (saves on phishing).

Reverse DNS checks on inbound e-mail won't add too much load to the internet
connection, since in most cases the same domains contact us, so the DNS will be
cached, most people average a TTL on their MX records of between 60 min and 1
week, so even with 300 domains sending us e-mail a day (we get only around
100 - 300 valid e-mails a day) that's less than 13 reverse DNS checks an hour
on max on an empty cache and no e-mails from the same domains, hardly a
massive amount, and less traffic than we currently get from spammers, which
is 4-5 e-mails a minute. Mind you if everyone set a TTL of 600 sec on domain
MX records, yes this would push the bandwidth.

Neil [MCSE and Dual CLP]

"Phillip Windell" wrote:

> "ncudmore" <ncudmore@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:FB84C7D2-098F-4C9C-AEB5-92F8071C169D@xxxxxxxxxxxxxxxx
> > Well guess I wanted a simple check for inbound mail, on a valid inbound
> > domain address in the to, cc, bcc fields for mail addressed to users, and if
> > there wasn't a valid address in these fields to reject it at ISA level.
> >
> > Figure now the answer is to build a mailserver into the DMZ, outside the
> > existing ISA server, and behind the external hardware firewall, and get it to
> > check this, then, relay valid mail thru the ISA server, and drop mail from
> > people attempting to use it as an open relay.
>
> No. You only need a Spam Filtering System to do that not a real mail
> server. But *be warned*, checking for proper lookup of the sending Domain
> will create a *ton* of false positives depending on the "logic" used by the
> filtering software and will likely cause an overload of the Line due to the
> massive amount of DNS Queries made,....it isn't going to matter where you
> "stick" the machine (LAN, DMZ, External, Whatever).
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>
>
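
Added example, not part of the original thread or either poster's configuration: a sketch of the check order discussed above for a DMZ relay (recipient domain, then valid user, then a cached reverse DNS lookup), counting how many DNS queries are actually issued. The domain `example.net`, the user list, the PTR data, the traffic pattern and the single fixed cache lifetime are all constructed assumptions.

```python
ACCEPTED_DOMAINS = {"example.net"}        # assumption: the one inbound domain
VALID_USERS = {"neil", "postmaster"}      # stand-in for the NAB/LDAP lookup
PTR_RECORDS = {"192.0.2.10": "mail.partner.example"}  # constructed PTR data


class EdgeRelay:
    def __init__(self, resolver, ttl_seconds):
        self.resolver = resolver          # callable: ip -> hostname or None
        self.ttl = ttl_seconds            # assumed cache lifetime for every answer
        self.cache = {}                   # ip -> (expires_at, has_ptr)
        self.dns_queries = 0

    def _has_ptr(self, ip, now):
        hit = self.cache.get(ip)
        if hit and hit[0] > now:          # still fresh: no query leaves the box
            return hit[1]
        self.dns_queries += 1
        result = self.resolver(ip) is not None
        self.cache[ip] = (now + self.ttl, result)
        return result

    def decide(self, rcpt, client_ip, now):
        local, _, domain = rcpt.rpartition("@")
        if domain.lower() not in ACCEPTED_DOMAINS:
            return "reject"               # relay attempt: not our domain
        if local.lower() not in VALID_USERS:
            return "drop"                 # our domain, unknown user
        if not self._has_ptr(client_ip, now):
            return "reject"               # sender has no reverse DNS
        return "relay"                    # pass on towards the inner server


def simulate(ttl_seconds):
    """Constructed traffic: every 10 minutes for 2 hours, one valid message
    from a regular sender plus two junk messages from another host."""
    relay = EdgeRelay(PTR_RECORDS.get, ttl_seconds)
    verdicts = []
    for minute in range(0, 120, 10):
        now = minute * 60
        verdicts.append(relay.decide("neil@example.net", "192.0.2.10", now))
        relay.decide("victim@elsewhere.example", "198.51.100.7", now)
        relay.decide("nobody@example.net", "198.51.100.7", now)
    return relay.dns_queries, verdicts


if __name__ == "__main__":
    for ttl in (600, 3600, 604800):
        print(ttl, simulate(ttl)[0])
```

Because the recipient checks run first, the junk messages never trigger a lookup; only the cache lifetime changes how many queries the valid sender costs.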