
Thursday, April 16, 2015

Office365 Whitelist and Blacklisting

This is a consolidation of information I've found on blacklisting and whitelisting in Office365:

Whitelisting or blacklisting by IP address:

Exchange Admin Center -> Protection -> Connection Filter -> connection filtering by IP address



Whitelist by domain name:
http://www.mattwharton.co.uk/2014/08/how-to-whitelist-a-domain-in-office-365-exchange-online.html
or
http://www.office365tipoftheday.com/2013/12/02/whitelist-a-domain-to-bypass-exchange-online-protection-spamfilter/

Exchange Admin Center -> Mail Flow -> Create New Rule -> Bypass spam filtering -> Apply this rule ... if the sender domain is


PowerShell configuration:
https://support.microsoft.com/en-us/kb/2545137?wa=wsignin1.0



Thursday, February 14, 2013

spambot on the LAN caused our mail server to get blacklisted - how I handled it

Yesterday, a machine on one of my client's LANs got infected with a virus (specifically the Cutwail spambot). The machine began sending out spam, which got the LAN's public IP address put on 6 different blacklists and severely disrupted mail delivery for my Exchange 2010 server on that LAN, which serves approximately 80 users.

The first thing I wanted to do was identify the compromised computer and clean it. With more than 80 computers on the LAN, I needed a centralized way to do that. Luckily, my Fortigate 60C firewall can produce a report with that information. Under System -> Config -> Advanced, there is a packet capture widget that gives me what I need. Here's how I captured all traffic on port 25:



The packet capture file was in PCAP format, which Wireshark opens natively. I opened the file in Wireshark and could see (in this case) that 172.16.1.107 (which is not the mail server) was sending a large volume of port 25 traffic to many different destinations. This was my culprit. I cleaned the computer using Malwarebytes and then delisted the public IP from the various blacklists it was on.
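The triage the author did by eye in Wireshark, as an added example that is not the post's own code: a small Python script that reads a classic libpcap file like the one exported from the Fortigate, counts how many distinct destinations each internal host contacts on TCP port 25, and flags any host other than the known mail server that exceeds a threshold. The mail server address 172.16.1.10, the threshold, and the embedded sample capture are assumptions constructed here; the spambot address 172.16.1.107 is the one from the post.

```python
# Added example, not the original post's code: flag LAN hosts sending TCP/25 traffic to
# many destinations in a libpcap file. Assumes Ethernet/IPv4 frames, classic pcap format.
import struct
from collections import defaultdict

ETH_IPV4, PROTO_TCP = 0x0800, 6

def smtp_talkers(pcap_bytes):
    """Return {src_ip: set(dst_ip)} for every packet sent to TCP port 25."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # record headers use file byte order
    talkers = defaultdict(set)
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue                              # not IPv4 (or truncated)
        ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
        if frame[23] != PROTO_TCP or len(frame) < 14 + ihl + 4:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        dport, = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])
        if dport == 25:
            talkers[src].add(dst)
    return talkers

def suspects(pcap_bytes, mail_servers, min_destinations=5):
    """Hosts, other than the known mail servers, with >= N distinct SMTP peers."""
    return sorted(ip for ip, dsts in smtp_talkers(pcap_bytes).items()
                  if ip not in mail_servers and len(dsts) >= min_destinations)

# --- constructed sample capture (synthetic SYNs, not a real trace) ---
def _frame(src, dst, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = _pcap([_frame("172.16.1.107", f"203.0.113.{i}", 25) for i in range(1, 21)]
               + [_frame("172.16.1.10", "198.51.100.7", 25),     # the real Exchange box
                  _frame("172.16.1.55", "198.51.100.9", 443)])   # ordinary HTTPS, ignored
```

Point `suspects()` at the bytes of a real capture (with your own mail server's address in `mail_servers`) to get the list of hosts worth pulling off the network first.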




I'm going to look at options for routing all other network traffic out through a different public IP than the one the mail server uses, to avoid this in the future. That could be a long-term solution to this issue.

Thursday, November 19, 2009

adding blacklists to Exchange 2007

IMF (Intelligent Message Filter) in Exchange 2007 is more configurable than in Exchange 2003, but I find it more cumbersome than GFI MailEssentials, which I love.

For this particular Exchange 2007 server (running on SBS 2008), I had users complaining about Microsoft and Facebook spam. Since the IMF updates were not adjusting the content filtering to catch these messages, I decided to add blacklists. I have hated blacklists for years, as I occasionally find myself on them and it's a bitch getting off of them - but conceptually, if a blacklist is accurate with no false positives, it should be a very good tool.

OF NOTE - you should limit the number of blacklists you use to 3. See this post for more information.

To configure it, I opened Exchange Management Console -> Organization Configuration -> Hub Transport, went to the Anti-spam tab, opened IP Block List Providers and added these blacklists:

zen.spamhaus.org
list.dsbl.org
combined.njabl.org
bhnc.njabl.org
dnsbl.ahbl.org


Here are some others I could have added:

dnsbl.sorbs.net
bl.spamcop.net
dnsbl-1.uceprotect.net