Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

SPAM - ISA or Exchange?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> General >> SPAM - ISA or Exchange? Page: [1]
Login
Message << Older Topic   Newer Topic >>
SPAM - ISA or Exchange? - 1.Jul.2008 7:27:54 PM   
sbeasl00

 

Posts: 6
Joined: 15.Aug.2007
Status: offline 		Thanks in advance!
Is there a definitive answer on whether incoming email spam (domains and IP's only - will save "content filtering" for a later discussion) should be blocked by ISA 2006 or Exchange Server 2007?
Steve
Post #: 1
RE: SPAM - ISA or Exchange? - 2.Jul.2008 7:43:48 AM   
paulo.oliveira

 

Posts: 911
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline 		Hi Steve,

If you want this messages never reach your mail server, then it should be installed on ISA server machine. This prevents unwanted traffic to reach your mail server. But, I usually install it on my exchange server.

Regards,
Paulo Oliveira.

(in reply to sbeasl00)
Post #: 2
RE: SPAM - ISA or Exchange? - 2.Jul.2008 9:57:19 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline 		Yes, you can install the Exchange Edge server on the firewall. However, you won't be able to make the firewall a domain member, which reduces the overall security the firewall can provide.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to paulo.oliveira)
Post #: 3
RE: SPAM - ISA or Exchange? - 2.Jul.2008 1:07:31 PM   
paulo.oliveira

 

Posts: 911
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline 		Hi Tom,

what I meant is install the anti-spam software on the ISA machine, not exchange server itself.
But you made me think, how can I install an Exchange frontend server and not join it to domain? Doesn´t exchange servers must be joined to an AD domain?

Regards,
Paulo Oliveira.

(in reply to tshinder)
Post #: 4
RE: SPAM - ISA or Exchange? - 2.Jul.2008 1:20:13 PM   
sbeasl00

 

Posts: 6
Joined: 15.Aug.2007
Status: offline 		Thanks for the replies,
My Exchange edge server is not (and i think - cannot be) joined to the domain. My ISA 2006 is joined to to my AD domain.  I am currently using the edge server with Exchange's built in anti-spam (no third party).  It works great, but "my logic" is:  If I know a huge number of spam is coming from xxx.xxx.xxx.xxx (and i would never want an email from this ip), why not just block it completely at my ISA and save the exchange servers' resources?

(in reply to paulo.oliveira)
Post #: 5
RE: SPAM - ISA or Exchange? - 2.Jul.2008 4:37:26 PM   
paulo.oliveira

 

Posts: 911
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline 		Hi,

you can create a publish rule to deny access from this specific IP/network to your frontend exchange server.

Regards,
Paulo Oliveira.

(in reply to sbeasl00)
Post #: 6
RE: SPAM - ISA or Exchange? - 2.Jul.2008 5:42:00 PM   
sbeasl00

 

Posts: 6
Joined: 15.Aug.2007
Status: offline 		Thanks Paulo,
Since it's not clear, that it is a "best-practice" one way or another, I tried doing so with hammerofgods country set and a user-created address range, but got a server publishing rule error (although it is still working fine?).  I will post this error in the correct place on the forums.  I guess i will proceed if no one has a good reason not too?
Thanks again,
Steve

(in reply to paulo.oliveira)
Post #: 7
RE: SPAM - ISA or Exchange? - 3.Jul.2008 7:57:43 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi Tom,

what I meant is install the anti-spam software on the ISA machine, not exchange server itself.
But you made me think, how can I install an Exchange frontend server and not join it to domain? Doesn´t exchange servers must be joined to an AD domain?

Regards,
Paulo Oliveira.


Why would you not join your ISA firewall to the domain? A non-domain joined ISA firewall is far LESS secure than a domain joined ISA firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to paulo.oliveira)
Post #: 8
RE: SPAM - ISA or Exchange? - 3.Jul.2008 7:58:43 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: sbeasl00

Thanks for the replies,
My Exchange edge server is not (and i think - cannot be) joined to the domain. My ISA 2006 is joined to to my AD domain.  I am currently using the edge server with Exchange's built in anti-spam (no third party).  It works great, but "my logic" is:  If I know a huge number of spam is coming from xxx.xxx.xxx.xxx (and i would never want an email from this ip), why not just block it completely at my ISA and save the exchange servers' resources?


That's what I thought. But I have very good information that you CAN join the Edge Exchange server to the domain.

In fact, that's what might happen with the next version of the ISA firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to sbeasl00)
Post #: 9
RE: SPAM - ISA or Exchange? - 8.Jul.2008 4:56:59 PM   
sbeasl00

 

Posts: 6
Joined: 15.Aug.2007
Status: offline 		Thanks again, I have started blocking at the ISA Server by using hammerofgod computer sets and adding them to the exceptions in my SMTP Publishing rule.  Do you think this is the right way to do it, as far as access/publishing rules go?  I went from frazzled with 2-3 thousand spam emails per day to under 100 simply by blocking 15-20 countries!  Hammerofgod truly put the hammer down on spam, I can't thank them enough!
Tom, wouldn't joining an Edge server to the domain be the same as installing the anti-spam components to a Hub Transport server?  I thought the whole point of using an Edge Server is to utilize an ADAM instance (instead of AD) and an SSL Cert to communicate to the the Hub Transport with subscriptions.  With ISA, the risk is greatly diminished, but if a router was used to communicate directly into your domain your risk would be far greater without an Edge Server, wouldn't it?

Steve

(in reply to tshinder)
Post #: 10
RE: SPAM - ISA or Exchange? - 9.Jul.2008 10:33:28 AM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		Back on your original post you said "domains and IP's only".  That is pretty much a waste of time.

I don't know anything about Edge Exchange Server,..never even heard of it,...something new with Exchange 2007?,...or just a loose slang term for a Front End Exchange in general?

Anyway, all we did was place a Baracuda300 on the internal LAN and publish is "as if" it was the Exchange Server.  Then the Barracuda passes the mail to the Exchange after it passes all the test.  Our SPAM problems have pretty much vanished and I hardly even thnk about it anymore.

Yes the mail traffic passes to the Barracuda on the LAN, but that is not as big a deal as everyone might think.  Only the initial "SMTP conversation" passes through until the Baracuda verifies that the Recipient is actually a real user to begin with by making sure an actual mailbox applies to the incoming message. If it doesn't pass the test it is dropped immediately and the "body" of the message never passes in.  This kills almost half of the SPAM.

If it is a real mailbox then all the other SPAM test are applied and if it passes the tests then it goes to the Exchange.  The Barracuda does not have NDRs enabled and since most of the messages going to the Exchange are legitament there are very few if any NDR traffic generated.

After fighting for a couple years with different methods, techniques, and a little Snake Oil,...and then trying the Barracuda Appliance there just simply is no other decent option/method as far as I am concerned.  

_____________________________

Phillip Windell
www.wandtv.com

(in reply to sbeasl00)
Post #: 11
RE: SPAM - ISA or Exchange? - 9.Jul.2008 12:24:03 PM   
sbeasl00

 

Posts: 6
Joined: 15.Aug.2007
Status: offline 		Hi Phillip,
The Edge Server is a new role in Exchange 2007.  Baracuda, and others, do make good products.  I (mentally) just cant "fork over" the $2,500.00 PLUS the $500.00 /year subscription.  And I would imagine for smaller companies, this would be a burden as well.

(in reply to pwindell)
Post #: 12
RE: SPAM - ISA or Exchange? - 9.Jul.2008 12:30:01 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		I don't remember it being $500 a year.  But then I don't remember what it was at all for that matter. Another Dept pays that.  But no one is more "cheap" then we are here, so whatever it was they went for it.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to sbeasl00)
Post #: 13

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> General >> SPAM - ISA or Exchange? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts