[Mimedefang] OWA spam scripting attack

Todd Aiken todd.aiken at ubishops.ca
Thu Oct 23 08:57:47 EDT 2008

Greetings all.

We've been using MIMEDefang for quite a while with various different methods
for catching incoming spam, and it's been working great.  However, recently
I've been having a problem with outgoing spam from our institution that I'd
like to put a stop to.  The attack begins with a generalized email coming in
from the outside disguising itself as our IT department which tries to get
users to send them their username and password.  Regardless of having told
our users numerous times that we will never do this, and to ignore these
types of requests, some fool usually goes ahead and sends the spammer their
credentials.  This ends up in the spammer taking those credentials and using
some sort of script to send out their spam from our Exchange 2003 OWA
webmail system until we change the user's password.

Just wondering if anybody has any ideas on how to stop this from happening?
Unfortunately, our site policy prevents me from deleting any incoming
messages, regardless of how highly they are rated by MIMEDefang/SpamAssassin
as being spam... I am only allowed to flag them as such and then it's up to
the individual user to filter based on that flag; otherwise, I would delete
these stupid phishing messages before they got to our Exchange server.  And
I do not parse outgoing messages from our Exchange server to the outside
world with MIMEDefang because there was never any need before now.  Is there
something I can do on Exchange to prevent these OWA scripting attacks
(besides dump Exchange, if only I could...)?


CU L8R...

Todd A. Aiken
Systems Analyst/Administrator
ITS Department
Sherbrooke, Quebec, CANADA

HTML in email is like putting an air conditioner on a motorcycle.
