Title: EXC17 10 Tips to Make Your Exchange Server a Good Net Neighbor
- Devin L. Ganger (3Sharp LLC), deving_at_3sharp.com
- (e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

Download the most up-to-date version of these slides at http://www.3sharp.com/files/deving/exc17-ganger-s07.ppt

Tip 1: Verify the health of your DNS
- How are your MX records configured?
- Do you have PTR records?
- Do your A records match your PTR records?
- Are you using CNAME records appropriately?
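
The four questions above can be answered mechanically by walking MX to A to PTR and back to A. The following Python sketch is an added example, not part of the original slides; the record set, the example.test names and the function names are constructed for illustration, and it checks IPv4 A records only.

```python
import ipaddress

# Constructed sample answers (example.test names, TEST-NET-1 addresses).
# In practice these would come from your resolver, not a dict.
ZONE = {
    ("example.test", "MX"): ["mail1.example.test", "mail2.example.test",
                             "mail3.example.test", "mail4.example.test"],
    ("mail1.example.test", "A"): ["192.0.2.10"],
    ("mail2.example.test", "CNAME"): ["host7.example.test"],
    ("host7.example.test", "A"): ["192.0.2.20"],
    ("mail3.example.test", "A"): ["192.0.2.30"],
    ("mail4.example.test", "A"): ["192.0.2.40"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail1.example.test"],
    ("30.2.0.192.in-addr.arpa", "PTR"): ["dsl-30.isp.test"],
}

def lookup(zone, name, rtype):
    """Return the record values for (name, type), or [] if none exist."""
    return zone.get((name.rstrip(".").lower(), rtype), [])

def audit_mail_dns(zone, domain):
    """Check MX -> A -> PTR -> A consistency; return (host, problem) pairs."""
    findings = []
    mx_hosts = lookup(zone, domain, "MX")
    if not mx_hosts:
        findings.append((domain, "no MX records"))
    for host in mx_hosts:
        # An MX target must be a host with address records, not an alias.
        if lookup(zone, host, "CNAME"):
            findings.append((host, "MX target is a CNAME"))
            continue
        ips = lookup(zone, host, "A")
        if not ips:
            findings.append((host, "MX target has no A record"))
        for ip in ips:
            rname = ipaddress.ip_address(ip).reverse_pointer
            ptrs = lookup(zone, rname, "PTR")
            if not ptrs:
                findings.append((host, f"{ip} has no PTR record"))
            # Forward-confirmed reverse DNS: a PTR name must map back to ip.
            elif not any(ip in lookup(zone, p, "A") for p in ptrs):
                findings.append((host, f"PTR for {ip} does not map back to it"))
    return findings

if __name__ == "__main__":
    for host, problem in audit_mail_dns(ZONE, "example.test"):
        print(f"{host}: {problem}")
```

In the constructed data only mail1 passes all checks; the other three hosts each show one of the problems the slide asks about.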

Tip 2: Investigate user spam reports before reporting to blocklists
Investigate user spam reports
- Users never make mistakes
- They always remember signing up for bulk email
- They always remember signing up for mailing lists
- Users are always experts in reading messages they receive

Tip 3: Run all outbound messages through message hygiene
Outbound message hygiene
- You are responsible for anything that comes from your IP addresses
- Helps you identify issues that originate within your network
- Don't stamp outgoing messages with silly "Scanned by Product Foo!" messages

Tip 4: Only allow outgoing SMTP from authorized servers
Restrict outgoing SMTP
- Do not allow unmonitored processes to send directly out to the Internet
- Do not enable SMTP AUTH on TCP port 25; use the SMTP submission port (TCP 587)

Tip 5: Don't turn open relay back on
Open Relay
- Off by default from Exchange 2000 and later versions
- Restriction options
- IP address: suitable ONLY for internal networks, but flawed
- SMTP authentication: can be difficult to get older third-party apps to work with
- Deploying SMTP authentication should follow best practices

Tip 6: Publish SPF/Sender ID records
SPF and Sender ID
- Not the same thing: know the difference!
- NOT an anti-spam technology
- Anti-spoofing
- Enhances the reliability of domain reputation systems
- Used mainly by spammers, but this is a good thing

Tip 7: Use a reliable service for bulk emails
Bulk email services
- Getting bulk email right is hard
- Difficulty
- Time
- Troubleshooting
- Reputation is everything

Tip 8: Don't put front-end servers in your perimeter network
Placing front-end servers
- Restrict domain membership to internal servers
- Front-end ! SMTP bridgehead
- Client protocols vs. SMTP
- Threat models are different

Tip 9: Provide alternate file transfer capabilities
File Transfer
- FTP
- SSH/SCP
- HTTP
- SharePoint
- Home-rolled solution
- Third-party vendor
- Check the vendor floor

Tip 10: Enable recipient checking at your mail gateway
Enable recipient checking
- Recipient checking vs. data harvesting
- Accepting all mail: quantifiable damage
- To your own organization
- To others
- Data harvesting: what is the real damage?
- Can you put a price tag on it?
- Can you quantify the risk?
- Can you guarantee that your addresses aren't already harvested?

Bonus Tip: The perception of Exchange is influenced by the behavior of Outlook
Exchange Outlook (from the outside)
- Quoting behavior
- Type of text (plain vs. HTML)
- Size/type of attachments
- Lack of support for common standards (RE)

Questions?