[Mimedefang] Re: OWA spam scripting attack

Scott Silva ssilva at sgvwater.com
Thu Oct 23 12:05:09 EDT 2008

on 10-23-2008 5:57 AM Todd Aiken spake the following:
> Greetings all.
> We've been using MIMEDefang for quite a while with various different methods
> for catching incoming spam, and it's been working great.  However, recently
> I've been having a problem with outgoing spam from our institution that I'd
> like to put a stop to.  The attack begins with a generalized email coming in
> from the outside disguising itself as our IT department which tries to get
> users to send them their username and password.  Regardless of having told
> our users numerous times that we will never do this, and to ignore these
> types of requests, some fool usually goes ahead and sends the spammer their
> credentials.  This ends up in the spammer taking those credentials and using
> some sort of script to send out their spam from our Exchange 2003 OWA
> webmail system until we change the user's password.
> Just wondering if anybody has any ideas on how to stop this from happening?
> Unfortunately, our site policy prevents me from deleting any incoming
> messages, regardless of how highly they are rated by MIMEDefang/SpamAssassin
> as being spam... I am only allowed to flag them as such and then it's up to
> the individual user to filter based on that flag; otherwise, I would delete
> these stupid phishing messages before they got to our Exchange server.  And
> I do not parse outgoing messages from our Exchange server to the outside
> world with MIMEDefang because there was never any need before now.  Is there
> something I can do on Exchange to prevent these OWA scripting attacks
> (besides dump Exchange, if only I could...)?
> Thanks.
Even though you can't delete anything, can you modify the return address of
these types of messages?
At least when they stupidly reply, it can go to your IT dept. or a special
mailbox so you can chastise (laugh at) the user. Technically you didn't delete
the message.

Or you could scan outgoing for spam and script a warning to IT to catch it.

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
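
Both suggestions in the reply above, sketched as a MIMEDefang `filter_end`; this is an added example, not code from the thread or from the MIMEDefang project. It assumes outgoing Exchange mail is relayed through the MIMEDefang host; the relay IP, the IT mailbox and the use of the SpamAssassin score to pick out "these types of messages" are placeholders and assumptions.

```perl
# Added example for the mimedefang-filter file (not from the thread).
# Placeholders (assumptions): the Exchange relay IP and the IT mailbox.
my $EXCHANGE_RELAY = '192.0.2.10';               # Exchange/OWA server IP
my $IT_MAILBOX     = 'it-security@example.org';  # monitored IT mailbox

sub filter_end {
    my ($entity) = @_;

    return if message_rejected();
    return unless $Features{"SpamAssassin"};
    # Skip very large messages, as the stock example filter does.
    return if (-s "./INPUTMSG") > 100 * 1024;

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits && $hits >= $req;

    # Flag only: nothing is deleted, in line with the site policy.
    action_change_header("X-Spam-Score", "$hits $names");

    if ($RelayAddr eq $EXCHANGE_RELAY) {
        # Outgoing mail handed over by Exchange that scores as spam:
        # mail the MIMEDefang administrator address so IT can change
        # the password of the account named as envelope sender.
        action_notify_administrator(
            "Outgoing message from Exchange scored as spam\n" .
            "Envelope sender: $Sender\n" .
            "Queue ID: $QueueID\n" .
            "Score: $hits (required $req)\n" .
            "Tests: $names\n");
    } else {
        # Incoming spam or phish: still delivered and flagged, but a
        # reply now goes to IT instead of to the outside sender.
        action_change_header("Reply-To", $IT_MAILBOX);
    }
}

1;  # a filter file must end with a true value
```

`action_change_header` adds the header when the message has none, so phishing mail sent without a Reply-To is covered as well.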
