[Mimedefang] OWA spam scripting attack

[Steffen Kaiser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 23 Oct 2008, Todd Aiken wrote:

> Just wondering if anybody has any ideas at how to stop this from happening?
> Unfortunately, our site policy prevents me from deleting any incoming
> messages, regardless of how highly they are rated by MIMEDefang/SpamAssassin

High rated messages get prepended a SpamAssassin warning report.

> as being spam... I am only allowed to flag them as such and then it's up to
> the individual user to filter based on that flag; otherwise, I would delete
> these stupid phishing messages before they got to our Exchange server.  And
> I do not parse outgoing messages from our Exchange server to the outside
> world with MIMEDefang because there was never any need before now.  Is there

I do filter in and out. Rated outgoings mails are rejected and a note is 
sent to the admin. I know that some people find the latency irritating as 
they assume mail is instant delivery, but most people never notice.

> something I can do on Exchange to prevent these OWA scripting attacks

Well, besides the limit by count mentioned by David, perhaps you can limit 
(or notify admin) by IP range or GeoIP (e.g. how many legal users you have 
from the end of the world?).

Bye,

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJAcB35ThHZhj8SBwRAtmiAJ4xKhIhICyugd2Kh8yJErP+gXfU4gCfUxA1
+yZg3WVsBr6idZBbBIS3nLI=
=Nvc9
-----END PGP SIGNATURE-----