IMSS

All posts tagged IMSS

Block unknown internal domains with Trend Micro IMSS

Maybe you have seen it: mail from unknown domains is relayed via the internal mail server, or via a mail server placed in the DMZ. Normally, when the mail servers are configured correctly, it is not possible to send mail from a domain which is not hosted on the internal mail server. But it can also happen that a virus is active on a mail server which is allowed to relay.

In this tutorial I will explain how you can create a policy in Trend Micro IMSS to prevent this. The way of configuring it is not really the way you would think you have to do it, but the end result will work.

First we will create a rule which matches incoming messages.

Click the Add button and choose the option Other.

Ensure that the option "This rule will apply to" is set to Incoming; we will change this later to both incoming and outgoing messages. We cannot do this right now, because the policy would then not be created correctly.

Next click on the Recipients link; a new window will open.

Select the option Anyone and click Save; the window will close. Next click on Senders; a new window will open again.

Select the option Anyone and click Save. The last parameter we need to define in this step is the exceptions.

Add the following exception:

Repeat this for each domain.

When ready, click Save to save the changes; you will then get the following overview.

Click on the Next button to continue. In this step we define the conditions under which a mail must be scanned by this policy.

In this case we want to scan all messages, so we don't select anything and click on the Next button.

You will get a warning that all messages will be scanned if no condition is chosen. Confirm this by clicking on the OK button.

The next step is the action that needs to be executed when a mail meets the conditions. In this case we delete all messages which meet the conditions. You could choose to quarantine the messages instead; if you would like to do this, change the action.

Next we define the name and number of the policy. Keep in mind that the policy always needs to be created below the Global Antivirus Rule and the Default Spam Rule. You may choose not to activate the policy right now, but to activate it after the steps below.

When you return to the policy overview you can see that the policy has been added.

Now that we have added the policy we need to change it, because it is not possible to add *@* as sender/recipient in this policy when choosing the option to apply it to both incoming and outgoing messages.

Click on the policy to view the details.

Click on "If recipients and senders are".

Change the option "This rule will apply to" to both incoming and outgoing messages. Next we change the exceptions. This can be done by clicking the link Senders and Recipients after the option Exceptions.

Add the following exception:

Add the exception for each domain. When ready, click Save 4 times to return to the policy overview. If you have not activated the policy yet, activate it now.

Prevent spoofing with IMSS

It's time for a new tutorial, this time about IMSS from Trend Micro. IMSS is the antivirus/antispam solution from Trend Micro. In this tutorial I will explain how you can create a policy to prevent spoofed mails from reaching the end users' mailbox.

This time the subject is Trend Micro InterScan Messaging Security Suite, IMSS for short. IMSS is the antivirus/antispam solution from Trend Micro, which is available for Windows, Linux and Solaris and as an appliance.

With policies we can define our own rules; we will create a rule which prevents spoofing. To do this we need to log in to the admin console of IMSS, select the option Policy and then select Policy List in the left menu.

Next we choose the option New and select Other from the drop-down menu. By default the option is selected that this rule needs to be applied to incoming mails.

First we define the sender, the recipient and the exceptions.

First the recipient; this can be done by clicking on the link Recipient.

As recipient we select all users in the domain trendmicro.dyndns.org.

When you are responsible for multiple domains you can fill in all domains here. When all domains are added, click on the Save button. The next step is choosing the sender; this can be done by clicking on the link Sender. Here we fill in the same domains as defined in the recipient option. When all domains are added we click on Save again.

The last option is to define the exceptions. This is needed when, for example, a form on your website uses an e-mail address in your own domain as the sender. In this case we choose the address info@trendmicro.dyndns.org.

In this case we only allow mail from info@trendmicro.dyndns.org to info@trendmicro.dyndns.org, but this can also be the complete domain.

When we have defined all three options it's time to define the scanning conditions. Here we only need to specify one thing: in this case we want to check every mail which is bigger than 1 KB.

When we are satisfied with the settings we click on Next to continue and specify the action.

Because we don't want the spoofed mails to arrive in the mailbox of users, we select the option Delete entire message. In case you first want to have a look at the result, you can choose the option Quarantine; this will ensure that the mail is placed in quarantine.

When the action is defined it's time for the last step: define the name and rule number. These last two fields can be filled in with whatever you like. In our case we named the rule anti-spoofing and placed it as the 8th rule.

We're finished now with creating the anti-spoofing rule. Keep in mind that this will also block mails from sites which let you forward articles and use your e-mail address as sender; inform your users about this.
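The anti-spoofing rule above has three parts: sender and recipient patterns that must both match, exception pairs that bypass the rule, and a scanning condition (size) that gates the action. The following Python model of that evaluation order is an added example, not IMSS code or anything from this blog; it assumes glob-style address patterns, that an exception is a sender/recipient pair (as in the info@ to info@ case above), that "1 KB" means 1024 bytes, and that the policy only fires when the message is larger than the condition. The sample messages are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipient: str
    size_bytes: int


@dataclass
class Policy:
    name: str
    senders: list        # glob patterns such as "*@trendmicro.dyndns.org"
    recipients: list
    exceptions: list     # (sender_pattern, recipient_pattern) pairs that bypass the rule (assumption)
    min_size_bytes: int  # scanning condition: only messages larger than this are acted on
    action: str


def _matches(address, patterns):
    """Case-insensitive glob match of one address against a list of patterns."""
    address = address.lower()
    return any(fnmatch.fnmatchcase(address, p.lower()) for p in patterns)


def evaluate(policy, msg):
    """Return the action the policy takes for msg, or None when the policy does not apply."""
    # 1. sender AND recipient must both match the policy scope
    if not (_matches(msg.sender, policy.senders) and _matches(msg.recipient, policy.recipients)):
        return None
    # 2. an exception pair (sender -> recipient) takes the message out of scope
    for sender_pat, recipient_pat in policy.exceptions:
        if _matches(msg.sender, [sender_pat]) and _matches(msg.recipient, [recipient_pat]):
            return None
    # 3. the scanning condition must hold before the action is applied
    if msg.size_bytes <= policy.min_size_bytes:
        return None
    return policy.action


# The rule from the post: internal domain as sender AND recipient, web-form address excepted.
ANTI_SPOOFING = Policy(
    name="anti-spoofing",
    senders=["*@trendmicro.dyndns.org"],
    recipients=["*@trendmicro.dyndns.org"],
    exceptions=[("info@trendmicro.dyndns.org", "info@trendmicro.dyndns.org")],
    min_size_bytes=1024,  # assumption: "bigger than 1 KB"
    action="delete entire message",
)

# Constructed sample traffic, labelled by what each case illustrates.
SAMPLES = {
    "spoofed internal sender": Message("ceo@trendmicro.dyndns.org", "user@trendmicro.dyndns.org", 2048),
    "legitimate external mail": Message("partner@example.net", "user@trendmicro.dyndns.org", 2048),
    "web form (excepted)": Message("info@trendmicro.dyndns.org", "info@trendmicro.dyndns.org", 2048),
    "below size condition": Message("ceo@trendmicro.dyndns.org", "user@trendmicro.dyndns.org", 512),
    # the caveat from the post: an article-forwarding site that uses the user's own address
    "forwarded article": Message("user@trendmicro.dyndns.org", "user@trendmicro.dyndns.org", 4096),
}


def run_samples(policy=ANTI_SPOOFING, samples=SAMPLES):
    """Evaluate every sample message and return {label: action-or-None}."""
    return {label: evaluate(policy, msg) for label, msg in samples.items()}


if __name__ == "__main__":
    for label, action in run_samples().items():
        print(f"{label:28s} -> {action}")
```

Running it shows the two messages the rule is meant to catch (the spoofed internal sender and the forwarded article) both get the delete action, while external mail, the web-form exception and the small message pass through untouched; the forwarded-article case is exactly why the post says to warn users.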

Probably everyone has to deal with spam today; sometimes you receive more spam than normal mail. There are a few anti-spam solutions which try to keep spam out of the users' inbox, for example FortiMail from Fortinet or IMSS from Trend Micro.

Exchange 2007 includes a few anti-spam agents to prevent spam. These filters are active by default on the Edge Transport server, but they can also be activated on the Hub Transport server by executing the following command in PowerShell:

./install-AntispamAgents.ps1

This command needs to be executed from the Scripts directory, which you will find in the Exchange install directory.

When the command has been executed you need to restart the Transport service; this can be done by executing the following command:

Restart-Service MSExchangeTransport

After restarting the Transport service you can open the Exchange Management Console. When it is opened, click on Organization Configuration and then choose Hub Transport. You will see that an extra tab named Anti-Spam has been added; click on it.

You will see the anti-spam agents that are installed:

  • content filtering
  • IP Allow list
  • IP Allow list providers
  • IP Block list
  • IP Block list providers
  • Recipient filtering
  • Sender filtering
  • Sender ID
  • Sender reputation

Below, each agent is described in turn:

Content Filtering

With this agent you can filter on keywords. For example you can filter on the words Make Money Fast, as can be seen below. But when you have a company that sells hovercrafts, you don't want mail containing that word to end up in the junk mail. Such a word can be added at the top of the screen, in the section named "Messages with these words or phrases will not be blocked".

Besides the option just mentioned, there is a possibility to exclude e-mail addresses from filtering. This can be done on the tab Exceptions.

The final step is deciding which action needs to be executed; this can be delete, reject or quarantine. Per action you can define when it needs to be executed. Which action is executed depends on the SCL (Spam Confidence Level), which is determined by the IMF (Intelligent Message Filter) in combination with the words we set up earlier. When you are going to experiment with the filter, for example by lowering the SCL values, I would suggest first choosing quarantine as the action before choosing delete/reject. This will save you a lot of angry end users who no longer receive their normal mail.

PowerShell commands:

Set-ContentFilterConfig -SclQuarantineEnabled:$true -SclRejectEnabled:$true -SclDeleteEnabled:$true -SclQuarantineThreshold 5 -SclRejectThreshold 6 -SclDeleteThreshold 8 -QuarantineMailbox spamQ@contoso.com -RejectionResponse "Message rejected due to content restrictions" -AuthenticatedMessageBypassEnabled:$true -PuzzleValidationEnabled:$true -BypassedRecipients user1@contoso.com, user2@contoso.com

The content filter will be activated with the following options:

  • Quarantine is activated for all mails with an SCL at or above the threshold of 5; these mails are placed in the quarantine mailbox, which has the address spamQ@contoso.com.
  • Reject is activated for all mails with an SCL at or above the threshold of 6; these mails are bounced, and the senders get a mail back telling them their mail was bounced, with the text "Message rejected due to content restrictions".
  • Delete is activated for all mails with an SCL at or above the threshold of 8; these mails are deleted.
  • When mail is sent to user1@contoso.com or user2@contoso.com the filter is not applied.
  • It turns on Authenticated Message Bypass.
  • It turns on Puzzle Validation.

Get-ContentFilterConfig returns the current settings of the Content Filter agent.

Add-ContentFilterPhrase -Phrase "This is an e-mail that you don't want to receive" -Influence BadWord

This command adds "This is an e-mail that you don't want to receive" to the list of forbidden words or sentences.

Get-ContentFilterPhrase returns the currently configured content filter phrases.

Remove-ContentFilterPhrase -Identity "This is an e-mail that you don't want to receive"

This command deletes "This is an e-mail that you don't want to receive" from the list of forbidden words or sentences.
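The Set-ContentFilterConfig command above sets three SCL thresholds plus two bypasses, and which one wins for a given message is only implied by the bullet list. The following Python decision function is an added example (not Exchange code and not from this post) that makes that precedence explicit: bypasses are checked first, then the highest threshold down to the lowest. It models the filter per recipient, uses the values from the command above, and its threshold-ordering check (delete at or above reject at or above quarantine) is the ordering the three actions need to be meaningful; the SCL values fed to it are constructed.

```python
from dataclasses import dataclass


def thresholds_are_ordered(quarantine, reject, delete):
    """The three SCL thresholds only make sense as delete >= reject >= quarantine."""
    return delete >= reject >= quarantine


@dataclass
class ContentFilterConfig:
    # Values taken from the Set-ContentFilterConfig command in the post.
    scl_quarantine_enabled: bool = True
    scl_reject_enabled: bool = True
    scl_delete_enabled: bool = True
    scl_quarantine_threshold: int = 5
    scl_reject_threshold: int = 6
    scl_delete_threshold: int = 8
    quarantine_mailbox: str = "spamQ@contoso.com"
    rejection_response: str = "Message rejected due to content restrictions"
    authenticated_message_bypass_enabled: bool = True
    bypassed_recipients: tuple = ("user1@contoso.com", "user2@contoso.com")

    def __post_init__(self):
        if not thresholds_are_ordered(self.scl_quarantine_threshold,
                                      self.scl_reject_threshold,
                                      self.scl_delete_threshold):
            raise ValueError("SCL thresholds must satisfy delete >= reject >= quarantine")


def content_filter_action(cfg, scl, recipient, authenticated=False):
    """Return (action, detail) for one recipient of a message stamped with the given SCL.

    Bypasses win over every threshold; then the most severe enabled action whose
    threshold the SCL reaches is taken. detail carries the mailbox or bounce text.
    """
    if cfg.authenticated_message_bypass_enabled and authenticated:
        return ("deliver", "authenticated sender bypass")
    if recipient.lower() in {r.lower() for r in cfg.bypassed_recipients}:
        return ("deliver", "bypassed recipient")
    if cfg.scl_delete_enabled and scl >= cfg.scl_delete_threshold:
        return ("delete", None)
    if cfg.scl_reject_enabled and scl >= cfg.scl_reject_threshold:
        return ("reject", cfg.rejection_response)
    if cfg.scl_quarantine_enabled and scl >= cfg.scl_quarantine_threshold:
        return ("quarantine", cfg.quarantine_mailbox)
    return ("deliver", None)


def run_samples(cfg=None):
    """Apply the filter to a constructed set of (scl, recipient, authenticated) cases."""
    cfg = cfg or ContentFilterConfig()
    cases = [
        (9, "alice@contoso.com", False),   # well above delete threshold
        (7, "alice@contoso.com", False),   # between reject and delete
        (5, "alice@contoso.com", False),   # exactly the quarantine threshold
        (4, "alice@contoso.com", False),   # below every threshold
        (9, "user1@contoso.com", False),   # bypassed recipient beats delete
        (9, "alice@contoso.com", True),    # authenticated sender beats delete
    ]
    return [(scl, rcpt, auth, content_filter_action(cfg, scl, rcpt, auth)) for scl, rcpt, auth in cases]


if __name__ == "__main__":
    for scl, rcpt, auth, (action, detail) in run_samples():
        print(f"SCL {scl} to {rcpt:18s} auth={auth!s:5s} -> {action} {detail or ''}")
```

The point the post makes about experimenting applies directly here: lowering scl_quarantine_threshold widens the quarantine band without touching reject or delete, whereas lowering scl_delete_threshold below the reject threshold is refused outright, which is the safe failure mode.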

IP Allow List

As the name already tells you, this agent lets you create IP address white-lists. This can be used for business relations that are on a black-list but from whom you still want to receive mail. When clicking on Add you can add an IP address or IP range.

PowerShell commands:

Set-IPAllowListConfig -InternalMailEnabled:$true -DomainController ad-server.test.nl

With this command you set the DC on which the IP Allow list configuration is saved.

Get-IPAllowListConfig returns the current settings of the IP Allow List agent.

Add-IPAllowListEntry -IPRange 192.168.0.1/24

Adds the IP range 192.168.0.1/24 to the IP Allow list.

Get-IPAllowListEntry returns the current IP Allow list entries.

Remove-IPAllowListEntry -Identity <Integer> removes the IP address or IP range from the IP Allow list, where the integer is the id of the specific entry.

IP Allow List Providers

Besides RBL providers there are white-list providers. These are providers who publish lists of safe IP addresses. On the following site you will find an overview of white-list providers: SpamLinks.

PowerShell commands:

Add-IPAllowListProvider -Name Example -LookupDomain Example.com

The command above adds an Allow List Provider with the name Example and the lookup domain example.com.

Get-IPAllowListProvider returns the current settings of the IP Allow List Providers.

Set-IPAllowListProvider -Identity Example.com -AnyMatch:$true

This command tells Exchange to check every e-mail against the Allow List Provider example.com and to treat every match the same, regardless of the response code returned by the Allow List Provider.

Remove-IPAllowListProvider -Identity Example.com

Removes the provider example.com from the Allow List Providers.

Test-IPAllowListProvider -IPAddress 192.168.0.1 -Provider ExampleProviderName

With this command you can look up the IP address 192.168.0.1 at the white-list provider ExampleProviderName.

IP Block List

This agent contains IP addresses which will be blocked by Exchange. It can happen that you don't want to accept mail from specific IP addresses or IP ranges because you receive a lot of viruses or spam from them. In most cases it is easier to use an RBL provider than a list with manual entries.

PowerShell commands:

Set-IPBlockListConfig -InternalMailEnabled:$true -DomainController ad-server.test.nl

This command sets the DC to which the configuration is saved.

Get-IPBlockListConfig returns the current settings of the IP Block List agent.

Add-IPBlockListEntry -IPRange 192.168.0.1/24

Adds the IP range 192.168.0.1/24 to the IP Block list.

Get-IPBlockListEntry returns the current IP Block list entries.

Remove-IPBlockListEntry -Identity <Integer> deletes the IP address or IP range entry from the IP Block list, where the integer is the id of the entry.

IP Block List providers

In this agent we can add RBL providers. These are organizations who publish lists of IP addresses that send a lot of spam, or of servers which are configured as an open relay. On this page you can find an overview of them.

Within this agent there is an extra tab, Exceptions, where you can exclude IP addresses from this agent.

PowerShell commands:

Add-IPBlockListProvider -Name Example -LookupDomain Example.com -RejectionResponse "Originating IP address matched to Example.com's IP Block List provider service"

This command adds a Block List Provider with the name Example and the lookup domain example.com. When an IP address is found on the list, the sender receives the following message: "Originating IP address matched to Example.com's IP Block List provider service".

Get-IPBlockListProvider returns the current settings of the IP Block List Providers agent.

Set-IPBlockListProvider -Identity Example.com -AnyMatch:$true

This command tells Exchange to check every mail against the Block List Provider example.com; regardless of the response code returned by the provider, each match is treated the same.

Remove-IPBlockListProvider -Identity Example.com

Deletes the block list provider example.com from the IP Block List Providers agent.

Test-IPBlockListProvider -IPAddress 192.168.0.1 -Provider ExampleProviderName

This command looks up the IP address 192.168.0.1 at the provider ExampleProviderName.

Recipient Filtering

With recipient filtering you can filter messages on existing/non-existing recipients on the Hub Transport server, before they reach a mailbox. This prevents space being used by mail to non-existing recipients such as administratornn@domain.com.

This agent can use the GAL as its source; the GAL is updated automatically when a user is added to Exchange. Besides that there is a possibility to manually add addresses that you want to block; when you use the previously mentioned option this is not necessary.

PowerShell commands:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

Enables using the GAL as the source for recipient filtering.

Set-RecipientFilterConfig -BlockListEnabled:$true -BlockedRecipients klaas@domein.com,pietje@domein.com

Checks whether the mail is sent to klaas@domein.com or pietje@domein.com; if this is the case the mail is blocked.

Get-RecipientFilterConfig returns the current settings of the Recipient Filtering agent.

Sender Filtering

You may wish to block e-mails from specific senders because you receive a lot of spam from those addresses. For that you can use the Sender Filtering agent. Here you can specify addresses from which you don't want to receive mail. Besides that you can enable the option to block e-mails which contain no sender address. Depending on which action is activated on the tab Action, mail is bounced or marked as spam.

PowerShell commands:

Set-SenderFilterConfig -BlankSenderBlockingEnabled:$true -BlockedDomainsAndSubdomains *example.com -BlockedSenders klaas@domein.com,pietje@domein.com

When mail is sent from the domain example.com or one of its subdomains it is blocked. When mail is sent from klaas@domein.com or pietje@domein.com it is also blocked.

Get-SenderFilterConfig returns the current settings of the Sender Filtering agent.

Sender ID

With Sender ID you can prevent spoofed mails from being delivered. When a mail arrives at the Hub Transport server the SMTP header is checked and, based on the result, a DNS query is done. The agent searches for an SPF record; this record lists all IP addresses which are used by the domain to send mail.

When the sending IP address taken from the SMTP header is not listed in the SPF record, the mail is rejected, deleted or marked as spam.

PowerShell commands:

Set-SenderIdConfig -SpoofedDomainAction Delete -BypassedRecipients klaas@domein.com,pietje@domein.com

When mail is sent from a spoofed address it is deleted, except when it is sent to klaas@domein.com or pietje@domein.com.

Get-SenderIdConfig returns the current settings of the Sender ID agent.

Test-SenderID -IPAddress 213.144.234.221 -PurportedResponsibleDomain example.com

This command lets you manually check whether an IP address may be used to send mail for a specific domain.
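To make the Sender ID check above concrete, here is an added Python example (not Exchange code and not from this post) that does the core of what the agent and Test-SenderID do: parse a domain's SPF record, test whether the connecting IP address is listed, and map a hard fail to the -SpoofedDomainAction. It only handles ip4/ip6 mechanisms and the all qualifier so it runs offline; include, a and mx mechanisms need DNS and are deliberately skipped. The SPF record and IP addresses are constructed for the example, and the assumption that only a hard fail counts as "spoofed" is the example's own simplification.

```python
import ipaddress

# Constructed record for the example: two permitted sources, everything else a hard fail.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, network), ...], all_qualifier) from an SPF TXT record.

    Only ip4:/ip6: mechanisms and the 'all' mechanism are handled; include/a/mx
    need DNS lookups and are ignored here so the example runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            all_qualifier = qualifier
        elif lowered.startswith(("ip4:", "ip6:")):
            # strict=False accepts host addresses without a prefix length (treated as /32 or /128)
            networks.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
    return networks, all_qualifier


def check_sender_ip(record, ip):
    """Evaluate the sending IP against the record: first matching mechanism wins, else 'all'."""
    addr = ipaddress.ip_address(ip)
    networks, all_qualifier = parse_spf(record)
    for qualifier, net in networks:
        if addr.version == net.version and addr in net:
            return QUALIFIER_RESULT[qualifier]
    # no mechanism matched: the 'all' qualifier decides; a record without 'all' is neutral
    return QUALIFIER_RESULT.get(all_qualifier, "neutral")


def sender_id_action(result, spoofed_domain_action="Delete"):
    """Map an SPF result to what the agent does, mirroring -SpoofedDomainAction.

    Simplification for this example: only a hard 'fail' is treated as a spoofed
    domain; softfail/neutral/pass are delivered (the real agent also stamps the
    result on the message for the content filter to use).
    """
    return spoofed_domain_action if result == "fail" else "Deliver"


def check_and_decide(record, ip, spoofed_domain_action="Delete"):
    """Convenience wrapper: (spf_result, action) for one connecting IP."""
    result = check_sender_ip(record, ip)
    return result, sender_id_action(result, spoofed_domain_action)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.5"):
        print(ip, "->", check_and_decide(SAMPLE_SPF, ip))
```

With the constructed record, 192.0.2.10 and 198.51.100.25 pass, while 203.0.113.5 fails and is deleted; change "-all" to "~all" and the same address becomes a softfail that is delivered, which is why a domain's choice of qualifier matters as much as the agent's action setting.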

Sender Reputation

This agent checks the sender reputation. The sender reputation is determined by the following parameters:

  • HELO/EHLO analysis
  • reverse DNS lookup
  • analysis by the content filter to determine the SCL level
  • open proxy test

On the tab Action you can specify how the filter works; besides that you can specify how long the sender will be blocked. All senders blocked by this agent are blocked for 24 hours by default. Besides that you can define the following actions:

PowerShell commands:

Set-SenderReputationConfig -SrlBlockThreshold 8 -SenderBlockingEnabled:$true -SenderBlockingPeriod 24

This command blocks all e-mails from senders that don't pass the open proxy test and whose SRL (Spam Reputation Level) is 8 or higher. The sender address is blocked for 24 hours.

Get-SenderReputationConfig returns the current settings of the Sender Reputation agent.

This is a very long tutorial, but I think we covered all the points. If you would like more commands, all PowerShell commands are linked to pages on TechNet which contain more info.

Regular expressions

Today I've spent some time on regular expressions. Trend Micro IMSS uses them in its policies, and I can tell you that you can create really complex rules with them. You can find a lot about them on the internet; a nice site is regular-expressions.info, which contains some nice tutorials, examples and software packages that you can use. While surfing I found the cartoon above; it's really funny.