Posted by paris on Mar 16, 2017 in Random
Recently after setting an Office 365 Mailbox user up via Windows Live as they did not have Microsoft Outlook installed and didn’t want to use Webmail
You need to use IMAP settings for this as there is no Active Sync connector
After setting up Windows Live , a test email to the user’s self from himself never reached the Inbox after it was sent. If I sent one from Webmail it would come through
After research , it turns out it was going into Junk Email in Office 365 after being sent from smtp.office365.com on port 587 and this folder was not syncronised in the Windows Live settings so did not show.
I had to disable the junk mail filter or add a rule which would whitelist the own user from Junk Mail!
Posted by paris on Sep 20, 2016 in Random
Recently I had a user get in contact with a problem, that they had received thousands of emails from different email address’ of nonsense. Sure enough after checking this was true. It seems that someone was bulk sending paragraphs of a book to this users , new email = new paragraph x 1000 + Interesting , was this just an email bomb or something else?
So sending emails from a book is a new way for spammers / attackers to get around the spam filter , they were sending from legitimate created Gmail/Yahoo address even though they where for email spams.
Upon investigation, the emails had stop being received about 2 hours before the user contacted me , any new emails were not coming through which means the user has hit gmails receiving limit https://support.google.com/a/answer/1366776?hl=en
This is a sign that the attacker has reset an account password somewhere and wants the email to notify you this has been done to get “lost” so the user doesn’t know he’s being attacked until its too late!
How to stop this?
You will need to purchase Google Apps Premium and enable the Post Ini filter which can detect emails bombs
Posted by paris on Mar 8, 2016 in Random
There’s been a new recent wave of spoof emails sent to companies , usually emailed to financial personnel’s pretending to be from the CEO to get quick funds paid and withdrawn.
Spoofing an email address isn’t hard and with the correct background check , spammers get the correct email and sometimes signature of the “CEO”.
How do we stop this?
- To start with SPF, DKIM, DMARC records should all be added to the domain to verify the sender to check they are allowed to send from the company domain
- You should definitely have an incoming spam filter before Microsoft Exchange , depending if this is a Barracudo box / Post fix / Microsoft Frontbridge you should be able to enable a Rule to SPF check for only your domain. Enabling this for all domains will starting to spam lots of incoming email due to people not having SPF records
- Create a quarantine in Exchaneg – From EMC > Organization Configuration > Hub Transport > Transport Rules create a new transport rule that says:
From users that are outside the organization
And when the from address matches text patterns yourdomain.com
Forward the message to firstname.lastname@example.org for moderation
Now, if you have other SMTP servers in or out of your org that send on behalf of your domain, you’ll need to create an exception by adding:
Except when the message header received matches text patterns smtp.yourdomain.com or smtp.theirdomain.com
Posted by paris on Dec 1, 2015 in Random
You can forward these emails to : email@example.com or use the Outlook plugin to report and hopefully Microsoft should block these in future : https://www.microsoft.com/en-us/download/details.aspx?id=18275
Microsoft have actually now got a new filtering service for 365 however its paid for and by user you could maybe try : https://products.office.com/en-us/exchange/online-email-threat-protection
It’s not uncommon nowadays to have another third party appliance such as a barracuda or a hosted service such as post fix to filter items before they get to 365. It seems once a spammer figures out how to exploit 365 , all domains get the same spam. 2 layers of protection is safer!
1) Make sure your own SPF Records are in check : http://www.spfwizard.net/
2) Get your DKIM records in check : http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx
3) Get your DMARC Records in check : http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx
Posted by paris on Feb 23, 2015 in Random
We received an NDR recently from barracuda networks spam filter with a 550 error code. It also came back with the SMTP address we were trying to send to as well as :blocked at the end. E.g.
Final-Recipient: rfc822; [email protected].com
Remote-MTA: dns; d9590b.ess.barracudanetworks.com
Diagnostic-Code: smtp; 550 permanent failure for one or more recipients
I tried all the basics making sure our IP had not been blacklisted :
http://www.barracudacentral.org/reputation which it had not. I tried
telneting to one of the SMTP servers to view the error, however this
produced a malformed 550 error so not a good test.
Upon liaising with the postmaster at the receiving end, turns out the email had a domain name
in the body which was on their Intent Database :
https://techlib.barracuda.com/display/bessv10/intent+analysis+-+inbound+mail which is why it
got blocked. Make sure you check your email for domain names if you get these.