Any solutions?

Unanswered Question
Nov 13th, 2007

Hello,
I have a customer who has an Exchange server behind a firewall (Cisco PIX) in a private network, and IronPort installed in front of the Cisco PIX. He configured his MX record for domain X to go to the IronPort appliance, and IronPort routes to his server. Everything is OK, BUT he continues to receive spam, because spammers use the old MX record which goes direct to the Cisco PIX out interface. The solution is:
Create a rule on the Cisco PIX which allows it to accept SMTP traffic only from IronPort, BUT he has outside users who connect to the Exchange server remotely via SMTP and send/receive mail.

He doesn't want to install IronPort in the private network.

Any solutions about this situation?

Thanks a lot :)

tminchin_ironport Wed, 11/14/2007 - 04:31

It's a tough one - a lot of spam software seems to cache MX records (for a long time).

Perhaps on the Exchange server enable SMTP AUTH - so only users who can authenticate can use the Exchange SMTP service (you'll still get the spammers trying to get in though - no way around that).

Or enable SMTP AUTH on the Ironport (which then LDAPs to your Exchange or Active Directory) - and cut off access to Exchange.

Alternatively, just make everyone VPN into your private network if they want to access Exchange (cutting off direct access via SMTP from the internet).

bpoyner_ironport Wed, 11/14/2007 - 14:27

It's a tough one - a lot of spam software seems to cache MX records (for a long time).

I'm still seeing attempted traffic to the IP where our old MX server resided. Nothing has been configured to respond at that IP address for the last 4 1/2 months and I'm still seeing a significant number of SMTP attempts when I tcpdump for it. I can confirm it'll be a long, long time before the spammers remove that IP from their caches.
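As an added illustration of the check described in the post above (my own example, not code from the poster, Cisco or IronPort), the script below parses a few constructed tcpdump lines and counts inbound SMTP connection attempts to a retired MX address per source, separating hits from the one address that should still be talking SMTP to you (the IronPort, assumed here to be 192.0.2.10) from everything else. All addresses are RFC 5737 documentation ranges, and the old MX address 198.51.100.25 is made up for the example.

```python
import re
from collections import Counter

# Constructed sample of what `tcpdump -n 'tcp dst port 25'` prints for inbound SYNs.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_TCPDUMP = """\
10:01:02.100001 IP 203.0.113.5.51234 > 198.51.100.25.25: Flags [S], seq 100, win 65535, length 0
10:01:02.200002 IP 192.0.2.10.40001 > 198.51.100.25.25: Flags [S], seq 200, win 29200, length 0
10:01:03.300003 IP 203.0.113.5.51235 > 198.51.100.25.25: Flags [S], seq 300, win 65535, length 0
10:01:03.400004 IP 203.0.113.77.60000 > 198.51.100.25.25: Flags [S], seq 400, win 8192, length 0
10:01:04.500005 IP 198.51.100.25.25 > 203.0.113.5.51234: Flags [S.], seq 500, ack 101, win 0, length 0
10:01:05.600006 IP 203.0.113.5.51236 > 198.51.100.25.443: Flags [S], seq 600, win 65535, length 0
"""

OLD_MX_IP = "198.51.100.25"        # constructed: address the retired MX record pointed at
IRONPORT_RELAYS = {"192.0.2.10"}   # constructed: the IronPort, the only legitimate SMTP source

# One tcpdump -n TCP line: timestamp, "IP", src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syn_attempts(text, target_ip, port=25):
    """Yield the source IP of every pure SYN (no ACK) aimed at target_ip:port."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        # "S." is a SYN-ACK (our own reply), "S" alone is a new connection attempt
        if "S" not in flags or "." in flags:
            continue
        if m["dst"] != target_ip or int(m["dport"]) != port:
            continue
        yield m["src"]


def summarize_attempts(text, target_ip=OLD_MX_IP, trusted=IRONPORT_RELAYS):
    """Count attempts per source and split them into trusted relays vs. everyone else."""
    counts = Counter(parse_syn_attempts(text, target_ip))
    return {
        "untrusted": {ip: n for ip, n in counts.items() if ip not in trusted},
        "trusted": {ip: n for ip, n in counts.items() if ip in trusted},
        "total": sum(counts.values()),
    }


if __name__ == "__main__":
    report = summarize_attempts(SAMPLE_TCPDUMP)
    print(f"{report['total']} SMTP attempts to {OLD_MX_IP}")
    for ip, n in sorted(report["untrusted"].items(), key=lambda kv: -kv[1]):
        print(f"  untrusted source {ip}: {n} attempt(s)")
    for ip, n in report["trusted"].items():
        print(f"  trusted relay {ip}: {n} attempt(s)")
```

Running it against a real capture (`tcpdump -n -l 'tcp dst port 25 and dst host <old MX IP>' | python3 script.py` with `SAMPLE_TCPDUMP` swapped for stdin) gives you the list of sources still delivering to the old address; anything in the untrusted bucket is exactly the traffic that a PIX rule permitting SMTP only from the IronPort would stop.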
sspeerin Wed, 11/14/2007 - 21:59

I'm still seeing attempted traffic to the IP where our old MX server resided. Nothing has been configured to respond at that IP address for the last 4 1/2 months and I'm still seeing a significant number of SMTP attempts when I tcpdump for it. I can confirm it'll be a long, long time before the spammers remove that IP from their caches.

That's because some spamming tools come with a list of "supposed valid email server addresses" and the user just spams to that list. The tool doesn't actually validate the MX, it just blasts spam to the IP address regardless.
Donald Nash Thu, 11/15/2007 - 02:25

This is a common problem. We solved it by requiring SMTP authentication for all mail inbound to our mail server, not just for mail to be relayed. We exempt our IronPorts from this requirement. The end result is that the spammers can't authenticate, so they can't bypass the spam defenses.
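The policy described in the post above (and in tminchin's first suggestion earlier in the thread) comes down to one decision at MAIL FROM time: accept if the peer is an IronPort, accept if the session has authenticated, otherwise refuse. The model below is an added example of that decision as a minimal SMTP command handler; it is my own code, not anything from the posters, Exchange or IronPort. The relay address 192.0.2.10, the host name mail.example.net and the account `remote.user` are constructed for the example.

```python
import base64
import ipaddress

# Constructed values: RFC 5737 address for the IronPort, a made-up submission account.
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}
ACCOUNTS = {"remote.user": "s3cret-example"}


class SmtpAuthPolicy:
    """Minimal SMTP command handler enforcing 'be the IronPort or authenticate'.

    Only the access decision is modelled; this is not a complete SMTP server.
    """

    def __init__(self, peer_ip):
        self.peer_ip = ipaddress.ip_address(peer_ip)
        self.trusted = self.peer_ip in TRUSTED_RELAYS
        self.authenticated = False
        self.greeted = False

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            # Only untrusted peers are offered AUTH; the relay never needs it.
            if self.trusted:
                return "250 mail.example.net"
            return "250-mail.example.net\r\n250 AUTH PLAIN"
        if not self.greeted:
            return "503 5.5.1 Send EHLO first"
        if verb == "AUTH":
            return self._auth(arg)
        if verb in ("MAIL", "RCPT", "DATA"):
            # The actual policy: relay or authenticated session, nothing else.
            if self.trusted or self.authenticated:
                return "250 2.1.0 OK"
            return "530 5.7.0 Authentication required"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            # AUTH PLAIN payload is base64(authzid NUL authcid NUL password)
            parts = base64.b64decode(blob, validate=True).split(b"\0")
            _authzid, user, password = (p.decode() for p in parts)
        except Exception:
            return "501 5.5.2 Cannot decode credentials"
        if ACCOUNTS.get(user) == password:
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def plain_credential(user, password):
    """Encode a PLAIN credential the way a mail client would send it."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def run_session(peer_ip, commands):
    """Feed client commands through the policy and return the reply codes."""
    policy = SmtpAuthPolicy(peer_ip)
    return [int(policy.handle(c)[:3]) for c in commands]


if __name__ == "__main__":
    # Spammer delivering straight to the old MX address: refused at MAIL FROM.
    print(run_session("203.0.113.5", ["EHLO spam.invalid", "MAIL FROM:<x@y>"]))
    # The IronPort: accepted without AUTH.
    print(run_session("192.0.2.10", ["EHLO ironport.example.net", "MAIL FROM:<a@b>"]))
    # Remote user with a valid credential: accepted after AUTH.
    cred = plain_credential("remote.user", "s3cret-example")
    print(run_session("203.0.113.9", ["EHLO laptop", "AUTH PLAIN " + cred, "MAIL FROM:<u@v>"]))
```

Note that the check applies to every MAIL FROM, not just to relaying, which is what makes it block spam addressed to local mailboxes; and because the IronPort is exempted by source address, that exemption is only as strong as the firewall rule that prevents anyone else from arriving with that address.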
