Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1437
Views
0
Helpful
4
Replies

Any solutions?

thedarkangel_ironport
Level 1
Level 1

‎11-13-2007 02:48 PM

Hello,
I have a customer who has Exchange server, behind firewall ( cisco PIX ) in private network and ironport instaled before cisco Pix .He configure his mx record for domain X to go to ironport applience and ironport routes to his server.Everything is ok, BUT he continue to recieve spam, because spammers use the old MX record which go direct on Cisco Pix out interface.The solution is :
Create a rule on cisco pix which allow to accept smtp traffic only from ironport, BUT he has Outside users who connect to Exchange server remotely via SMTP and send/recieve mails.

He don't want to install Ironport in the private network.

Any solutions about this situation?

Thanks a lot :)

Labels:
0 Helpful
4 Replies 4

tminchin_ironport
Level 1
Level 1

‎11-14-2007 04:31 AM

It's a tough one - a lot of spam software seems to cache MX records (for a long time).

Perhaps on the Exchange server enable SMTP AUTH - so only users who can authenticate can use the Exchange SMTP service (you'll still get the spammers trying to get in though - no way around that).

Or enable SMTP AUTH on the Ironport (which then LDAPs to your Exchange or Active Directory) - and cut off access to Exchange.

Alternatively, just make everyone VPN into your private network if they want to access Exchange (cutting off direct access via SMTP from the internet).

0 Helpful

bpoyner_ironport
Level 1
Level 1

‎11-14-2007 02:27 PM 

It's a tough one -  a lot of spam software seems to cache MX records (for a long time).


I'm still seeing attempted traffic to the IP where our old MX server resided. Nothing has been configured to respond at that IP address for the last 4 1/2 months and I'm still seeing a significant number of SMTP attempts when I tcpdump for it. I can confirm it'll be a long, long time before the spammers remove that IP from their caches.

0 Helpful

sspeerin
Level 1
Level 1

‎11-14-2007 09:59 PM 


I'm still seeing attempted traffic to the IP where our old MX server resided.  Nothing has been configured to respond at that IP address for the last 4 1/2 months and I'm still seeing a significant number of SMTP attempts when I tcpdump for it.  I can confirm it'll be a long, long time before the spammers remove that IP from their caches.


Thats because some spamming tools come with a list of "supposed valid email server addresses" and the user just spams to that list. The tool doesn't actually validate the MX it just blasts spam to the IP address regardless.

0 Helpful

Donald Nash
Level 3
Level 3

‎11-15-2007 02:25 AM

This is a common problem. We solved it by requiring SMTP authentication for all mail inbound to our mail server, not just for mail to be relayed. We exempt our IronPorts from this requirement. The end result is that the spammers can't authenticate, so they can't bypass the spam defenses.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents