logo XD
logo Antler

ExchangeDefender

ExchangeDefender

Spam wars tend to evolve over time. Initially, SPAM looked just like the offers you still find in your fax machine – direct, informative, actionable. You’re almost pushed to buy something with countless incentives, promotions and reinforcement of just what a great deal you’re getting. We eliminated a bulk of this years ago through use of Bayesian analysis, or text patterns, found in the SPAM messages. Notice how when you get a spam you can tell within seconds that it is garbage just by glancing at its formatting?

The second evolution of SPAM was when it became convenient to make a purchase. No longer were you sold and promoted to but just asked to click on a link and proceed to buy that latest watch or drug. We eliminated those easily through the use of URIBL, specific blacklists of URL (web site addresses) and additional HTML analysis.

The latest evolution of SPAM has been the most difficult to isolate by far. You’ve seen dozens of these in your inbox nearly every day: Image SPAM. The email is very easy to characterize, it has a big gif or jpeg image followed by paragraphs of garbage text. At first, there was just an image – which contained text that used to be a part of the SPAM you’ve been receiving for years. Except because it was stored in an image it bypassed all SPAM filters. Fine, we easily discarded messages that contained no text. Then spammers started adding text. No problem, we eliminated them by calculating the ratio of the screen being taken up by text vs. image. Think about how often you get an email message that starts with an image that takes up most of your screen? Easy solution. Following the natural evolution of the spam war, image spam became harder and harder to detect.

We have finally come up with a set of solutions that effectively eliminates nearly all known strains of Image SPAM:

  • All inline JPG and GIF images are OCR’ed. By using optical character recognition we can convert the image into plain text and determine whether it is SPAM or not.
  • Parsing JPG and GIF image info. Each picture has series of image attributes, such as the Camera maker, model, F-Stop, Max aperture and so on. Dynamically generated image spam does not.
  • Finally, we have spent the past month developing an image footprint database.

Image footprint database is something exclusive to ExchangeDefender. We strip known SPAM messages from our honeypot (public email addresses that only exist to collect SPAM) and store the known images in spam into a database. We then run analysis on them and compare all new incoming messages against the known samples of SPAM.

OCRing images is very expensive in terms of processor cycles and as expensive as it is for us to analyze each incoming message it is even more expensive for the spammers to create these images for each SPAM they send out. They create a single SPAM message that is then broadcast millions of times – and we’re ready for it!

So thank you for your continuing support of ExchangeDefender and as always, we’ll keep your mailbox clean for you.

ExchangeDefender

One of the most common Exchange questions we get is “How do I export all the SMTP addresses on my Exchange server?”

First of all, SMTP addresses are part of the User object in the Microsoft Active Directory. Active Directory is an LDAP-based database and by using LDIF (LDAP Data Interexchange Format) you can run queries against this database. You can use ldifde to accomplish this.

The following ldifde syntax will export the proxyaddress list for each user object in the directory on the server SERVERNAME.DOMAIN.TLD:

ldifde -f C:\DATA.ldf -s SERVERNAME -d “dc=DOMAIN,dc=TLD” -p subtree -r “(objectClass=user)” -l “cn,proxyaddresses”

The data is then dumped in C:\DATA.ldf. But suppose your server name was SBSBOX.MYDOMAIN.LOCAL. The syntax changes to:

ldifde -f C:\DATA.ldf -s sbsbox -d “dc=mydomain,dc=local” -p subtree -r “(objectClass=user)” -l “cn,proxyaddresses”

If you open it up with notepad you’ll see a number of entries in this file:

dn: CN=Administrator,CN=Users,DC=MYDOMAIN,DC=LOCAL
changetype: add
cn: Administrator
proxyAddresses: smtp:Administrator@MYDOMAIN.LOCAL
proxyAddresses: SMTP:Administrator@mydomain.com
proxyAddresses: smtp:postmaster@mydomain.com
proxyAddresses: X400:c=US;a= ;p=MYDOMAIN;o=Exchange;s=Administrator;
proxyAddresses: smtp:postmaster@MYDOMAIN.LOCAL

Nothing very private in here, just the display name and a few containers along with the proxyAddresses. Now another interesting bit – notice how there are both SMTP and smtp addresses here? What is the difference you may wonder? SMTP is the default SMTP address and smtp are the additional addresses and aliases.

The process is quick and convenient but unfortunately it does not export proxyAddress attributes from other objects such as distribution lists and public folders. For that you can use a third party script, such as this one that our friend emailed over. Simple vbScript that will create a list of users and addresses in C:\EmailAddresses.txt.

Pick your way but as you can tell, exporting SMTP addresses in Exchange is a piece of cake.

ExchangeDefender

We will begin deploying ExchangeDefender 3.0 over the next two months. Because ExchangeDefender is a large cloud-based network all updates are all-or-none so we will be deploying features one by one. We will be announcing them here on our blog so please stay tuned.

The first significant change to come is the end to open relaying:

Starting November 1st, 2006 we will no longer blindly relay domains through ExchangeDefender for our customers. The following email address requirements will be established for the new accounts:

  • All users and valid email addresses must be provided at the time of account activation. By default ExchangeDefender will block traffic to addresses it is not aware of.
  • All users will be programmed into the Valid Recipients database, either by the customer, reseller or ExchangeDefender staff (through the LDF file)
  • All users that activate their accounts will automatically be allowed through the ExchangeDefender cloud, there is no need for double entry on the administrative side.

All current customers will have until December 1st, 2006 to provide a list of valid recipients or establish a protocol for address verification. We will of course be available to assist you with any administrative tasks that may be required to get the data exported correctly.

Reasons for Address Restrictions

ExchangeDefender has always applied address restrictions but until now it was an optional feature. Unfortunately over the past year address book attacks and mail probes have made open addressing impossible to facilitate. Many major ISP’s (Own Web Now Corp included) have stopped allowing “catch-all” addresses. Furthermore, many sites have even stopped issuing NDR’s (Non-Delivery Receipt) alltogether.

In the modern world of email threats, NDR’s can and are often used to flood the third party mailbox with SPAM. All servers are configured by default to send an NDR if there is a problem with delivery. Spammers can identify mail servers that openly issue NDR’s and can forge the From: address that the message is being sent from. When the target SMTP server rejects the message by issuing an NDR the message is sent back to the forged From: email address.

The result? Flooded mailbox. Quota Warnings. Diminished effectiveness of spam filtering. Increased overall load on the mail server. To protect our customers from all of these we’ll begin enforcing address validations through ExchangeDefender.

Any questions? Let us know – support@ownwebnow.com