EXC17 10 Tips to Make Your Exchange Server a Good Net Neighbor

1
EXC17 10 Tips to Make Your Exchange Server a
Good Net Neighbor

• Devin L. Ganger (3Sharp LLC) deving_at_3sharp.com
• (e)Mail Insecurity http//blogs.3sharp.com/blog/d
  eving/

2
Download the most up-to-date version of these
slides athttp//www.3sharp.com/files/deving/exc1
7-ganger-s07.ppt
3
Tip 1Verify the health of your DNS
4
Verify the health of your DNS

• How are your MX records configured?
• Do you have PTR records?
• Do your A records match your PTR records?
• Are you using CNAME records appropriately?

5
Tip 2Investigate user spam reports before
reporting to blocklists
6
Investigate user spam reports

• Users never make mistakes
• They always remember signing up for bulk email
• They always remember signing up for mailing lists
• Users are always experts in reading messages they
  receive

7
Tip 3Run all outbound messages through message
hygiene
8
Outbound message hygiene

• You are responsible for anything that comes from
  your IP addresses
• Helps you identify issues that originate within
  your network
• Dont stamp outgoing messages with silly Scanned
  by Product Foo! messages

9
Tip 4Only allow outgoing SMTP from authorized
servers
10
Restrict outgoing SMTP

• Do not allow unmonitored processes to send
  directly out to the Internet
• Do not enable SMTP AUTH on TCP port 25 use the
  SMTP submission port (TCP 587)

11
Tip 5Don't turn open relay back on
12
Open Relay

• Off by default from Exchange 2000 and later
  versions
• Restriction options
• IP address suitable ONLY for internal networks,
  but flawed
• SMTP authentication can be difficult to get
  older third-party apps to work with
• Deploying SMTP authentication should follow best
  practices

13
Tip 6Publish SPF/Sender ID records
14
SPF and Sender ID

• Not the same thing know the difference!
• NOT an anti-spam technology
• Anti-spoofing
• Enhances the reliability of domain reputation
  systems
• Used mainly by spammers but this is a good
  thing

15
Tip 7Use a reliable service for bulk emails
16
Bulk email services

• Getting bulk email right is hard
• Difficulty
• Time
• Troubleshooting
• Reputation is everything

17
Tip 8Don't put front-end servers in your
perimeter network
18
Placing front-end servers

• Restrict domain membership to internal servers
• Front-end ! SMTP bridgehead
• Client protocols vs. SMTP
• Threat models are different

19
Tip 9Provide alternate file transfer
capabilities
20
File Transfer

• FTP
• SSH/SCP
• HTTP
• SharePoint
• Home-rolled solution
• Third-party vendor
• Check the vendor floor

21
Tip 10Enable recipient checking at your mail
gateway
22
Enable recipient checking

• Recipient checking vs. data harvesting
• Accepting all mail quantifiable damage
• To your own organization
• To others
• Data harvesting what is the real damage?
• Can you put a price tag on it?
• Can you quantify the risk?
• Can you guarantee that your addresses arent
  already harvested?

23
Bonus TipThe perception of Exchange is
influenced by the behavior of Outlook
24
Exchange Outlook (from the outside)

• Quoting behavior
• Type of text (plain vs. HTML)
• Size/type of attachments
• Lack of support for common standards (RE)

25
Questions?