[Mimedefang] OWA spam scripting attack

Joseph Brennan brennan at columbia.edu
Thu Oct 23 09:29:10 EDT 2008

Todd Aiken <todd.aiken at ubishops.ca> wrote:

> Just wondering if anybody has any ideas at how to stop this from
> happening? Unfortunately, our site policy prevents me from deleting any
> incoming messages, regardless of how highly they are rated by
> MIMEDefang/SpamAssassin as being spam... I am only allowed to flag them
> as such and then it's up to the individual user to filter based on that
> flag;

Since last spring this has become a common type of attack on university
systems.  So, you have to deliver everything.  Are you allowed to use
action_accept_with_warning to insert a new mime part 1 warning that the
message is falsified?

> otherwise, I would delete these stupid phishing messages before
> they got to our Exchange server.  And I do not parse outgoing messages
> from our Exchange server to the outside world with MIMEDefang because
> there was never any need before now.  Is there something I can do on
> Exchange to prevent these OWA scripting attacks (besides dump Exchange,
> if only I could...)?

We didn't filter outbound very much either until last March.  We used
Mimedefang to check mostly for formal problems like bad headers.  Now
it goes through Spamassassin and some local rules that look for factors
like a changed From line, a changed Reply-to, and many recipients not
in our domain.  action_notify_administrator is useful in telling us
as soon as the rules detect a possible spam run.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
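As an added example (not code from this post, nor from MIMEDefang or Columbia's filter), here are the three outbound factors Brennan lists expressed as a Python check over a constructed message. The local domain, the recipient threshold, and the reading of "changed" as a mismatch against the authenticated envelope sender are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"    # assumed: the institution's own domain
EXTERNAL_RCPT_THRESHOLD = 20    # assumed: what counts as "many" outside recipients

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def outbound_indicators(raw_message, envelope_sender, envelope_recipients):
    """Return the indicators that fire for one outbound message.

    envelope_sender is the authenticated MAIL FROM address and
    envelope_recipients the RCPT TO list, as an MTA-side filter sees them.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    # 1. "changed From line": From header differs from the envelope sender
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr and from_addr != envelope_sender.lower():
        hits.append("from-mismatch")
    # 2. "changed Reply-to": replies would leave the sender's own domain
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and domain_of(reply_to) != domain_of(envelope_sender):
        hits.append("reply-to-other-domain")
    # 3. "many recipients not in our domain"
    external = [r for r in envelope_recipients if domain_of(r) != LOCAL_DOMAIN]
    if len(external) >= EXTERNAL_RCPT_THRESHOLD:
        hits.append("many-external-recipients")
    return hits

# Constructed sample (all addresses made up): a phishing run pushed out
# through a compromised webmail account, as the outbound filter would see it.
PHISH = """From: "Helpdesk" <helpdesk@example.edu>
Reply-To: verify-account@mail.invalid
Subject: Your mailbox quota has been exceeded

Confirm your account details by replying to this message.
"""
PHISH_SENDER = "jsmith@example.edu"
PHISH_RCPTS = ["user%d@other.invalid" % i for i in range(25)]

if __name__ == "__main__":
    print(outbound_indicators(PHISH, PHISH_SENDER, PHISH_RCPTS))
    # a plain message from the same account, two recipients, no Reply-To
    print(outbound_indicators("From: jsmith@example.edu\nSubject: Lunch?\n\nNoon?\n",
                              PHISH_SENDER, ["a@example.edu", "b@other.invalid"]))
```

In a real deployment the list returned would feed the notify-the-administrator step rather than a reject, matching the deliver-everything policy described in the thread.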

