Our Exchange server is getting slammed with anywhere between 450,000 and 700,000 spam messages per day. We receive about 1700 legitimate messages in the same time frame.
Roughly 75% of the spam is directory harvesting. We currently have GFI MailEssentials installed. To its credit, it's doing a very good job, but the sheer volume of spam that we're receiving, and the number of connections that our Exchange server is making, is preventing legitimate email from being delivered in a timely manner.
GFI is set up to check for directory harvesting at the SMTP level, which I presume intercepts the mail before it hits the Exchange services, or goes through SMSE. This "module" is ordered at the top of the list, so (hopefully) dealing with the harvesting is consuming a minimum amount of server resources and bandwidth.
My question is, is there anything I can do to prevent our Exchange server's connection pool from being eaten up by these spam hosts? We had to limit the number of concurrent connections being made by Exchange, because it was consuming all of our bandwidth.
Thanks, in advance.
If you have the ability to set up an additional host [can be a virtual machine], I suggest you get Postfix [or Exim or any other Linux SMTP relay] that can filter mail based on recipient address.
I had a case similar to yours; the load on Exchange was dramatically reduced by:
Also, if you are looking for a fully blown [yet open source] antispam solution, take a look at ESVA. It's a ready-to-use appliance for VMware based on Postfix and a couple of content filters. In their forums you'll find a description of how to pull a whitelist of users from AD. Their forum might look semi-dead and the author is not the most active one, but the whole solution is really sophisticated and works great for me in a couple of deployments.
I would use a combination of Recipient Filtering, and SMTP Tar-pitting. This is explained in more detail here:
http://www.exchangeinbox.com/article.aspx?i=49
As a summary, Exchange rejects connections to addresses that don't exist. However this allows spam harvesters to check a large number of addresses quickly against your server.
By enabling tar-pitting, you add a delay to the response your server gives, which reduces the amount of connections a harvester makes to your server.
You could also potentially offload spam filtering to a 3rd party, which would filter out most of that traffic and spam before it ever hits your network. Three good options for this service are:
http://www.microsoft.com/online/exchange-hosted-services/filtering.mspx
http://www.messagelabs.com/products/email/anti_spam.aspx
http://www.google.com/postini/email.html
Absolutely you should look at a 3rd party to filter the mail before it gets to your server. In addition to the ones mentioned in smearp's answer, I've had good experiences with MX Logic, as well as Google's Postini. I preferred MX Logic personally. The additional benefit is you can then set your Exchange Edge server to only accept SMTP connections from the 3rd party, drastically reducing the load on the server and your bandwidth.
I barely think about spam anymore.
It seems to me that you've already done everything you can to limit the mail reaching the Exchange server - the next step would be to try and find a common factor in the spam that would allow you to block it before it even reaches the GFI box. (i.e. Treating it like a DDoS attack)
If the traffic is coming from only a handful of hosts, would it be feasible to shun those IPs on your border routers? Sometimes ISPs are also willing to help out with these sorts of attacks; it might be worth contacting them to see if they can ID and drop the bad traffic.
One duct tape solution might be to make your primary MX record an invalid one, and make the secondary MX record the valid one. Most spambots won't waste time trying alternate MX records, while legit mail will still come through... the downside is, you run a small risk of losing mail from incorrectly configured MTAs.
I can think of a few things you might want to consider. The first is to watch your logs, put together a list of spam source hosts (assuming that there is a reasonable number that are brute forcing with the directory harvesting), and block them at your firewall.
A more comprehensive, but more complicated, solution would be to offload your initial spam handling with an e-mail gateway server. This is what we did at my previous job. We built a Linux box running Postfix and a collection of additional tools (spamassassin, clamav, a greylisting daemon, amavisd, etc) and some custom stuff. We then put that out in front of the Exchange cluster and routed all of our e-mail (in and out of the network) through it.
This can provide you with a lot of additional flexibility to rate-limit connections, block spam sources, and set up whitelists and blacklists. We were able to significantly reduce the amount of spam our users were receiving, as well as reducing the load on the Exchange boxes.
Update: Forgot to mention, but there are also a number of anti-spam gateway appliances available out there, too. You buy the box, configure it from a web interface (usually) and just plug it into your network. A few tweaks in Exchange and DNS (so e-mail is flowing through it) and it will handle all of the anti-spam heavy lifting for you.
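As an added example (not code from any of the answers above), this is the log review suggested here and in the earlier answer about shunning hosts at the border, run over a constructed Postfix-style log excerpt: it counts unknown-recipient rejections per client IP, flags sources whose traffic is almost entirely probes, and collapses them into /24 blocks for a firewall list. All log lines, hostnames and addresses are constructed; the thresholds are assumptions to tune against your own volume.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

def make_sample_log():
    """Constructed Postfix-style smtpd log excerpt (not from any real server)."""
    lines = []
    # Two harvesters guessing names: every RCPT is rejected as an unknown user.
    for host, n in (("203.0.113.10", 8), ("203.0.113.11", 6)):
        for i in range(n):
            lines.append(f"Jun 12 09:01:{i:02d} relay postfix/smtpd[1201]: NOQUEUE: reject: "
                         f"RCPT from unknown[{host}]: 550 5.1.1 <user{i}@example.com>: Recipient "
                         f"address rejected: User unknown in relay recipient table; "
                         f"from=<a@spam.example> to=<user{i}@example.com> proto=ESMTP helo=<spam.example>")
    # A legitimate partner MTA: one typo bounce among several accepted messages.
    lines.append("Jun 12 09:02:00 relay postfix/smtpd[1202]: NOQUEUE: reject: RCPT from "
                 "mail.partner.example[198.51.100.7]: 550 5.1.1 <bob.smyth@example.com>: Recipient "
                 "address rejected: User unknown in relay recipient table; from=<c@partner.example> "
                 "to=<bob.smyth@example.com> proto=ESMTP helo=<mail.partner.example>")
    for i in range(4):
        lines.append(f"Jun 12 09:02:{i+1:02d} relay postfix/smtpd[1202]: 4F3A1B2C{i}: "
                     f"client=mail.partner.example[198.51.100.7]")
    return "\n".join(lines)

# 550 5.1.1 "User unknown" rejections are the directory-harvesting signature.
REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 .*User unknown")
# Postfix logs "QUEUEID: client=host[ip]" once a message is accepted.
ACCEPT_RE = re.compile(r": [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\]")

def per_source_stats(log_text):
    """Return {ip: (unknown_recipient_rejects, accepted_messages)}."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if m := REJECT_RE.search(line):
            stats[m["ip"]][0] += 1
        elif m := ACCEPT_RE.search(line):
            stats[m["ip"]][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def harvesters(stats, min_rejects=5, min_ratio=0.9):
    """IPs with enough probes, and almost nothing but probes, to be worth blocking."""
    flagged = [ip for ip, (rej, acc) in stats.items()
               if rej >= min_rejects and rej / (rej + acc) >= min_ratio]
    return sorted(flagged, key=ip_address)

def block_prefixes(ips, prefixlen=24, min_hosts=2):
    """Collapse flagged IPs into CIDR blocks when several share one prefix."""
    nets = Counter(ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips)
    return sorted(str(n) for n, c in nets.items() if c >= min_hosts)
```

The ratio check keeps a partner MTA with the occasional mistyped address off the block list; only sources whose traffic is almost all unknown-recipient probes are flagged.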
MailEssentials works at the Event Sink level in SMTP, so it indeed gracefully drops the connection for nonexistent email addresses, without letting the message actually touch your server (as long as you've pushed this to the top of the list, which you have). There isn't too much else you can do at your box -- this is a pretty phenomenal amount of directory harvesting activity you're seeing, and I agree your next step should be to work with your ISP to see if you can narrow down to a few IPs or sets of IPs that are sending a majority of this and have them blocked.
I third the opinion of third party spam filtering. We really like: http://www.mxlogic.com/ It removes spam way better than GFI, doesn't use any server resources, makes your email servers more secure (follow Leroyclark's suggestion), and you won't have licensing issues crashing your Exchange server.
If you have a spare machine, even a fairly low spec PC, you might consider installing MailCleaner, which will provide anti-spam and antivirus scanning of your inbound emails. It's Linux based but doesn't require any great degree of familiarity with Linux in order to get it set up and running. The filtering results are excellent, even without "training" the anti-spam databases, and the web interface makes day-to-day tasks a breeze. There's also a support forum should you need it.
I know this is now a ways out from when the original post went up, but I have to agree with John Gardeniers regarding Mailcleaner.
I've used Mailcleaner now for roughly 4 years. The initial edition wasn't as flexible to modification, but it was pretty solid anyway. Around a year ago, I got ahold of Mailcleaner 2010, which is a complete re-write of Mailcleaner from the ground up. While the 2006 edition of Mailcleaner was built on a Debian v4 based engine, the newer 2010 release is based on Ubuntu Server, if I'm not mistaken. The older build was prone to breaking, but the newer build is so solid and feature filled that I haven't felt the need to do any under-the-hood modifications.
As is, Mailcleaner 2010 is by far the most solid and clean anti-spam solution I've used this side of a Barracuda Anti-spam / anti-virus Firewall. At my work, we use a Barracuda M600 appliance, designed to handle roughly 30 million email per day. We receive around 300,000 email on an average day, with roughly 7% to 10% of that being actual legitimate email. On the Barracuda, we use quarantining (which I abhor, but our management insists). On my personal domain, where I use Mailcleaner 2010 configured as a virtual server hosted on VMware ESXi, I have Mailcleaner configured for LDAP address verification combined with tagging on suspected spam. All tagged spam is automatically delivered to my users' 'Junk Email' folder on our Exchange Server (2003), which automatically expires out the tagged messages after 30 days. This makes for a very, very low footprint for my Mailcleaner Anti-spam gateway, and with the auto-expiry of tagged email, it keeps my Exchange Server from overflowing with spam. The false positive rate is very, very low, and since I use tagging, even if a message receives a false positive, we don't have to worry about losing that mail so long as we check in on our email responsibly... which all of my regular users do.
Anyways, having used a Barracuda anti-spam system, I had very picky expectations regarding an alternative for my own domain, since we don't have a corporate/government level budget to fund the purchase of appliances. All things considered, it would have been difficult at best to find a better solution than Mailcleaner 2010, because it seems to take a lot of influence from Barracuda, but it's not a straight rip-off of Barracuda's firmware. At the same time, it's much easier to setup than the Barracuda.
When I first started working my current job, my employers were using GFI's anti-spam engine (v10?). We had severe problems out of GFI because of how it handled blacklisting. I did the research and scored us the Barracuda M600. The Barracuda has been a great solution, because it allows for blacklisting by CIDR addresses, as well as a ton of other scanning techniques that work very well. So far, the only problems I've run into with the Barracuda are regarding false positives due to bad rules entered by those less experienced in combating spam. The Mailcleaner 2010 Virtual appliance that I run requires much, much less interaction to achieve a near perfect solution.
Check it out if you get a chance. I think you'll be glad you did. :)
Share & enjoy!