Identifying Spam Emails and Mitigation

Occasionally a customer's mailbox is compromised and used to send spam internally and externally from the customer's email address. An email address is suspected of sending spam when the sent-message count from that address exceeds 100 emails within a short time frame.

The steps below help identify whether messages are spam and how to mitigate this internal spam source. Not all mass mailings are spam; the steps below help identify a potential internal spam source from a compromised mailbox. Discretion is still required when judging a suspected mass mailing.

Identifying Spam Emails


•  Recipient counts over 500 are suspicious.
•  If multiple mass mailings are sent from the same sender, these messages may be considered spam.
•  If the majority of the recipients are external, these messages may be considered spam.
•  If the message subject is blank, or is not the kind of subject expected from that sender, these messages may be considered spam.

Mitigation and Resolution


•  Set a 1KB send-size restriction on the mailbox within Exchange, which effectively stops mail flow from it. PS Command:  Set-Mailbox mailbox -MaxSendSize 1KB
•  Disable any rule in the mailbox that looks suspicious. Delete any rule that can be positively identified as not having been set by the customer. Use the following PS Commands:
     Review Rules: Get-InboxRule -Mailbox mailbox | FL   <-- Capture the Identity of any rule you think is spam-related.
     Remove Rule:  Remove-InboxRule -Identity identity
•  Contact the customer to reset their password. Reset it yourself if there is no response.
•  Contact the customer's LAN Administrator and advise them to run antimalware software on the affected customer's computer.
•  Remove the MaxSendSize restriction you set in step 1. It may take 30 minutes for this setting to take effect again.  PS Command:  Set-Mailbox mailbox -MaxSendSize Unlimited
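The identification checks and the first two mitigation steps above, collected into one script as an added example (not part of the original procedure). It assumes an on-premises Exchange Management Shell session; the thresholds are the ones stated above, while the 30-minute window, the use of Get-MessageTrackingLog for the sent count, and the rule patterns flagged as suspicious are assumptions.

```powershell
# Added example, not an existing script. Assumes an on-premises Exchange
# Management Shell session. $Mailbox is a placeholder for the suspected sender.
param(
    [Parameter(Mandatory)][string]$Mailbox,
    [int]$WindowMinutes = 30   # assumed "small time frame"
)

# --- Identify: messages sent by the mailbox within the window ---------------
$end   = Get-Date
$start = $end.AddMinutes(-$WindowMinutes)
$sent  = @(Get-MessageTrackingLog -Sender $Mailbox -EventId SEND `
             -Start $start -End $end -ResultSize Unlimited)
$internalDomains = (Get-AcceptedDomain).DomainName
$recipients = @($sent | ForEach-Object { $_.Recipients })
$external   = @($recipients | Where-Object { ($_ -split '@')[-1] -notin $internalDomains })

$flags = @()
if ($sent.Count -gt 100)       { $flags += 'sent count over 100' }
if ($recipients.Count -gt 500) { $flags += 'recipient count over 500' }
if ($recipients.Count -gt 0 -and $external.Count -gt ($recipients.Count / 2)) {
    $flags += 'majority of recipients external'
}
if ($sent | Where-Object { [string]::IsNullOrWhiteSpace($_.MessageSubject) }) {
    $flags += 'blank subject'
}
Write-Host ("Sent: {0}  Recipients: {1}  External: {2}" -f $sent.Count, $recipients.Count, $external.Count)
if (-not $flags) { Write-Host 'No spam indicators found; stopping.'; return }
Write-Warning ('Indicators: ' + ($flags -join ', '))

# --- Mitigate step 1: restrict outbound mail flow ----------------------------
Set-Mailbox -Identity $Mailbox -MaxSendSize 1KB

# --- Mitigate step 2: list inbox rules; forwarding/redirect/delete rules are
# flagged as suspicious (assumed indicators). Confirm with the customer before
# running Remove-InboxRule -Identity '<identity>' on any of them.
Get-InboxRule -Mailbox $Mailbox | ForEach-Object {
    $suspicious = [bool]($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                         $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Junk|Deleted'))
    [pscustomobject]@{ Name = $_.Name; Identity = $_.Identity; Enabled = $_.Enabled
                       Suspicious = $suspicious; Description = $_.Description }
} | Format-List

# Steps 3 and 4 (password reset, antimalware scan) are manual. After the mailbox
# is clean, lift the restriction: Set-Mailbox -Identity $Mailbox -MaxSendSize Unlimited
```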