ExchangeDefender Address Book Lockdowns

ExchangeDefender Address Book Lockdowns

Effective March 1st, ExchangeDefender will only allow delivery to email addresses that exist in our Service Manager or ExchangeDefender Admin Portal. This is a non-event for 99.999% of our clients (it’s only being mentioned because it’s a refresh of the AUP/TOS policy) and it is intended as a security precaution against threats we’re seeing in the wild and on our honeypot networks.

The Problem

ExchangeDefender as an SMTP proxy will scan and deliver any email targeted at a protected domain. Even though we sanitize each message and do not permit dangerous content through, if the email address does not exist on the clients server, the message will bounce to the sender. Now, imagine that sender doesn’t have an SPF/DMARC, and imagine that the address itself is spoofed – now send that message a few thousand times and an attacker can destroy a mailbox simply by overloading with non-delivery receipts and bounce messages.

Why this happened in the first place

Bad automation. It happens, and when it happens on a scale of ExchangeDefender, it creates an issue. So to minimize complaints, we just stopped actively enforcing address book validation. To those of you protecting servers on networks outside of ExchangeDefender’s control (think Google, Office 365, etc) the management and addition of new addresses will become automatic. Here is a peak at our new support portal. It should make a lot of you very happy.

screen1

Figure 1: Service Manager. Instead of having a ton of accounts in the listing, everything is now logically grouped by a Company. This way whenever you go to manage one client you only see the users belonging to that client and any addition or modification will pull pricing, configuration and meta data from that organization’s settings. This should virtually eliminate mistakes, billing issues and configuration problems.

screen2

Figure 2: Adding a new mailbox. The process is streamlined, clean and remarkably simple. The reality is that IT departments are no longer in charge of this anyhow, neither are our MSP partners. Businesses want the ability to control memberships, configurations, distribution lists, permissions and everything in between.

screen3

Figure 3: Mailbox permissions, settings, etc. There are several screens for this but needless to say we’re looking to expose a lot of the features that can be managed granularly in a way that businesses expect them to. Let’s face it, your average office manager dealing with the new hire isn’t about to fire up remote PowerShell; Strong passwords, additional features, granular control, public folder and distribution group membership templates, etc are all coming soon.

Other really cool stuff is coming very soon as well, we’re pretty excited with what we’re building and delivering… but the focus for us always remains on the security and safe communication – and everything that supports it goes hand in hand.