logo XD
logo Antler

ExchangeDefender Blog

28 Oct
Top 5 IT Problems Small Businesses Face in 2025 — and How to Fix Them
Read More
22 Oct
What Is a Watering Hole Attack (and Why You Should Care)
Read More
1 Oct
Reject vs Quarantine vs Allow: What Email Filtering Policies Really Do
Read More
ExchangeDefender

Commencing at midnight, August 15th, 2007 we will start relaying mail using the two new subnets announced a few weeks ago. We have also provided a helpful guide to setting up IP restrictions with Exchange 2003. It is also recommended that you enforce IP restrictions on your firewall depending on your network topology.

Our scans indicate that over 80% of our customer base has the new IP ranges programmed in. If you have not programmed in these IP restrictions please do so now:

64.182.140.0/24 (64.182.140.0-255, or 64.182.140.0 / 255.255.255.0)

64.182.139.0/24 (64.182.139.0-255 or 64.182.139.0 / 255.255.255.0)

Several questions also came up during this recent change, I am posting them here in hopes that they may answer some of your questions:

Why are you adding more IP ranges instead of using load balancers?

Each network subnet has specific routing and providers that service it. If we used a load balancing appliance we would be restricted to a single gateway / network interface which does not always scale with the network availability in a given data center. Also, by using multiple IP addresses from different subnets we can use different network providers allowing us to have a more distributed network that is less prone to a single point of failure.

Why should I not use the *.exchangedefender.com as the restricting mechanism instead of IP addresses that always change? 

Domain restriction question came up often. There are many reasons that we insist on using IP restriction policies but most relate to the most reliable deployment practices. We find that most of our customers do not have a reliable DNS system, so exposing customers and requiring them to run a massive amount of DNS queries could impact message delivery times, cause delays and even drops/rejections. PTR records can also be easily forged by anyone who has authoritative control over their IP address range, IP spoofing is a lot more difficult.

Why should I use Exchange access controls over the firewall access controls?

We recommend using firewall access policies to manage access lists to your servers. You should only allow connections via tcp port 25 for insecure SMTP and tcp ports 465/587 for secure SMTP/TLS connections from our range to your server and from your server to our outbound network. This is the most secure and the most effective way of locking down an SMTP server deployment.

However, such a deployment is often not practical for business use and causes a number of business issues that you may need to be aware of. For example, if you have external CRM deployments or external SMTP services (marketing, lists, subscriptions) that connect back to your network servers via port 25 restricting the connection via firewall would disable all those services. If you have authenticated users from remote servers connecting to your Exchange 2003/2007 server to relay mail via port 25 this deployment will also not be practical (remember that with authenticated connections you bypass IP restriction enforcement.)

I have programmed in the new restrictions, how do I know if it works?

We have enabled a subnet check wizard at http://check.exchangedefender.com

Just paste your IP address in the form and if your server accepts messages from that range you will get a green pass. If it fails, it will tell you so in bright red font.

If you experience any issues with this transition please open up a trouble ticket immediately and we will do whatever we can to help you with the issues that arise.

ExchangeDefender

The following guide helps you setup IP restrictions to allow only ExchangeDefender mail servers to connect to your network. We encourage all customers to configure IP restrictions because spammers and hackers should not be allowed to connect to your server directly without going through us. As a matter of fact, nearly all direct server SMTP connections after the MX records have been switched over to ExchangeDefender should be considered as hostile. Hackers and worms often scan entire networks to find vulnerable mail servers to be exploited. By only allowing access to the ExchangeDefender network you can reduce your exposure of critical services on the Internet.

This guide applies to Microsoft Exchange 2003 which is also a part of Microsoft Small Business Server 2003. To get started login as the Administrator and click on Start > All Programs > Microsoft Exchange > System Manager.

You will see the Exchange System Manager screen shown below. Please expand the Servers folder, expand Your server folder, expand Protocols folder, SMTP folder and finally right-click on the Default SMTP Virtual Server and select properties.

Xdr-step1

Click on the Access tab and then on the Connection button. This is where you will setup your IP restrictions. Note: You can also setup IP restrictions on your firewall.

Xdr-step2

Select Only the list below to restrict access to your SMTP server to ExchangeDefender networks only. Click on Add to start adding IP address ranges. 

Xdr-step3

Select Group of Computers radio button and type in the subnet address and the subnet mask. There are several:

65.99.192.0 / 255.255.255.0
65.99.255.0 / 255.255.255.0
64.182.164.0 / 255.255.255.0
64.182.133.0 / 255.255.255.0
70.84.106.0  /255.255.255.0
72.29.99.0 / 255.255.255.0
216.123.109.0 / 255.255.255.0
64.182.140.0 / 255.255.255.0
64.182.139.0 / 255.255.255.0

Xdr-step4

After you have entered all the IP address ranges click on Ok. Click on Apply.

Xdr-step5

That is all! If you have any questions or if you would like us to assist you in the process described above please open up a support request at https://support.ownwebnow.com or just give us a call at (877) 546–0316

ExchangeDefender

We are very excited to announce that after months of development and beta testing, ExchangeDefender LiveArchive is officially launching this Monday, August 6th, 2007.

What is LiveArchive you ask? LiveArchive is a provision for business continuity – to allow your business to stay in business and keep on communicating even if your mail server, Internet connection or other means interfere with the mail flow to your mailbox. As e-mail is being processed by ExchangeDefender it is copied to a live mail server. The original message is delivered to your corporate mail server or sits in the queue if your mail server is down. At any time you have access to the past seven days of email via secure, web based interface available from anywhere you can browse the web. The connection is secured using commerce-grade SSL, the logins and access are audited for compliance purposes and even on-disk encryption is supported.

The best part? Well, it’s free. Yes, free as in each mailbox you currently have protected by ExchangeDefender can have a LiveArchive feature enabled through the control panel at no additional cost to you. As an additional show of appreciation for our community, LiveArchive is offered free of charge to the Florida government organizations and emergency operations during the hurricane season and has been in beta testing since March.

ExchangeDefender

We are comencing with our ExchangeDefender router core rollout. This piece of software/hardware manages the flow of messages through the ExchangeDefender network.

We anticipate the work to be complete by 9 PM EST today. Between 5 PM EST and 9 PM EST no mail will be dropped but may be delayed slightly (in most situations not at all, in some situations it could take up to 10 minutes)

Thank you for your patience.

ExchangeDefender Hosted Services

As we prepare for the massive upgrades coming this weekend we are obviously testing systems and making intermediate changes to the network. As a result, over the next 48 hours you are likely to see some latency in DNS query results which virtually impact all other services such as backups, ExchangeDefender, virtual servers and everything else thats being brought online.

While you are unlikely to notice any of these changes directly, if you do see slight performance issues they are probably related to the maintenance work being done on our end.

General

We are extending the maintenance cycle window for July 21, 2007. Our regular maintenance cycle is from 3AM to 7AM EST but due to the number of systems going online this week we are going to have to extend that window until noon EST. We will follow up with full details of the work being done but suffice to say it is significant.

If you are not familiar with our maintenance cycle activities do not worry, they are routine and they happen every week. Generally they are things you would expect – reboots to add more memory, storage, reboot for software patch installation, etc. At times there are other items such as electrical or network maintenance.

This particular weekend involves nearly all of the above plus a significant upgrade to our core infrastructure of ExchangeDefender, offsite backups and virtual servers. We’re bringing online 3 new data centers to top it off so we wanted to give ourselves more time to get everything done right.

General

Dear Partners,

I (Vlad Mazek, CEO) am at the Microsoft World Wide Partner Conference this week.

I have intentionally kept Thursday completely open on my schedule and have absolutely no appointments after breakfast – so if you are interested in speaking to me just track me down and lets get together whenever you have room between meetings. I have done this last year and found it very valuable to catch up with those of you that are very busy and just can’t find time in connect to arrange for an official gettogether, or meetings get cancelled, moved, etc. So send me an email and lets meet up whenever there is time.

ExchangeDefender

We recently started receiving complaints about certain users not having their SPAM and SURESPAM filtering policies applied correctly. For example, user would select to quarantine their SPAM and delete their SURESPAM but mail would still arrive in the inbox with the subject modified as [SPAM] or [SURESPAM].

As of 10 AM EST this bug has been fixed. If you have your mail set to quarantine on either of the SPAM presets the rules will be applied correctly. If that does not happen consistently and correctly please open up a support ticket at https://support.ownwebnow.com

Note: The issue was related to the legacy network policy server not syncronizing filtering rule tables in correct order. It would treat its local database as the most up-to-date one and would never apply the newer policies. This issue has been fixed.

ExchangeDefender

As you may have noticed over the last few days, there has been a huge increase in PDF SPAM. This spam is generally identified as a single message, with attached PDF containing JPEG image SPAM. This pattern easilly bypasses most appliances that have no ability to handle the processing power needed to decode images, much less those encoded inside a PDF file. Not that we’re gloating, but there are only 24 hours in a day and its not enough to talk about how different ExchangeDefender behavior is compared to RandomSpamApplianceFromTaiwan.

At the moment, there are also several unique characteristics to these images:

  • they are all 7bit encoded.
  • they all use a single useragent associated with the Mozilla Thurderbird mail software.
  • they are all blank messages with no text in the body.
  • the attachment matches the filename mentioned in the subject.
  • pdf file is a legitimate PDF file with no publishing information except for a single JPEG

Based on all that its relatively trivial to trap these messages, however, we expect the pattern to continue and to escalate into making these messages seem more legitimate. While these PDFs are not dangerous in nature they can be annoying and your users should be warned to never open any attachments from contacts they do not trust/know.

As always, thank you for your business and we’ll keep your mail clean for you.