IMF Not Working???

 
 
Steve
Guest
Posts: n/a

 
      10-26-2009

For the past couple of weeks we've been flooded with emails posing as update
alerts from Microsoft, critical update for Outlook, looking very legitimate
for the untrained eye. Some get blocked by IMF, only because I have it set to
rate everything, and all of these come in with a rating of 1.5-1.8... most
make it into the user inboxes. I send out daily warning messages to ignore and
delete the messages, so far good, but some people like to click on them just
to see what happens.

We have 3 layers of protection, including sonicwall, trend-micro worry free
advanced and the IMF, none doing their job. One would think that MS would
have this figured out and filtered it in the meantime, since these are doing
a good job of phishing MS and wanting to cause serious damage.

Windows SBS23k Std, with Exchange, etc. all latest service levels.

Obviously, these emails should never even make it past the first level...

Simple copy and paste from one of the emails:

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)


Brief Description

Microsoft has released an update for Microsoft Outlook / Outlook Express.
This update is critical and provides you with the latest version of the
Microsoft Outlook / Outlook Express and offers the highest level of security
and stability.

Instructions


* To install Update for Microsoft Outlook / Outlook Express (KB910721)
please visit Microsoft Update Center:

http://update.microsoft.com/microsof...74704026060013
<http://update.microsoft.com.yhaqwe1r.co.uk/microsoftofficeupdate/KB910737/default.aspx?ln=en-us&email=&id=51058436935659 8153055737823674704026060013>



Quick Details


* File Name: officexp-KB910721-FullFile-ENU.exe
* Version: 1.5
* Date Published: Fri, 23 Oct 2009 19:45:09 -0500
* Language: English
* File Size: 100 KB


System Requirements


* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows
NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook
Express

Contact Us <http://go.microsoft.com/?linkid=2028325>
© 2009 Microsoft Corporation. All rights reserved. Contact Us
<http://support.microsoft.com/contactus/?ws=mscom> |Terms of Use
<http://go.microsoft.com/?linkid=4412892> |Trademarks
<http://go.microsoft.com/?linkid=4412893> |Privacy Statement
<http://go.microsoft.com/?linkid=4412894>



 
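The message quoted above shows a link whose visible text is on update.microsoft.com while the real target is a host under yhaqwe1r.co.uk. The following check for that mismatch is an added example, not part of the original thread: the HTML body is constructed from the values in the post, and `MULTI_LABEL_SUFFIXES` and `PROTECTED_DOMAINS` are assumed stand-ins for the Public Suffix List and a site's own brand list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: minimal stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "net.co"}
# Assumption: domains whose names should only ever appear as the registered domain.
PROTECTED_DOMAINS = {"microsoft.com"}

# Link text counts as "a URL shown to the user" only if it looks like one.
URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]\S*)?$", re.I)


def registrable_domain(host):
    """Return the part of `host` that somebody actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def shown_host(text):
    """Hostname displayed in the link text, or None if the text is not a URL."""
    match = URLISH.match(text.strip())
    return match.group(1).lower() if match else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body):
    """Flag links whose target is registered to someone other than they suggest."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            target = (urlsplit(href).hostname or "").lower()
        except ValueError:
            target = ""
        if not target:
            continue
        target_reg = registrable_domain(target)
        reasons = []
        shown = shown_host(text)
        if shown and registrable_domain(shown) != target_reg:
            reasons.append("text-shows-" + registrable_domain(shown))
        for brand in sorted(PROTECTED_DOMAINS):
            # Brand name used as leading labels of a different registered domain.
            if target_reg != brand and re.search(
                    rf"(^|\.){re.escape(brand)}\.", target):
                reasons.append(brand + "-as-subdomain")
        if reasons:
            findings.append(
                {"href_host": target, "registered": target_reg, "reasons": reasons})
    return findings


# Constructed HTML body; the link text and hosts are the ones quoted in the post.
SAMPLE_HTML = """
<p>To install Update for Microsoft Outlook / Outlook Express (KB910721)
please visit Microsoft Update Center:</p>
<a href="http://update.microsoft.com.yhaqwe1r.co.uk/microsoftofficeupdate/KB910737/default.aspx?ln=en-us">http://update.microsoft.com/microsof...74704026060013</a>
<a href="http://go.microsoft.com/?linkid=2028325">Contact Us</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

Only the first link is reported; the footer link to go.microsoft.com passes because its registered domain really is microsoft.com.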
 
 
 
 
Steve
Guest
Posts: n/a

 
      10-26-2009
btw, here's the header. Obviously not from MS.

Microsoft Mail Internet Headers Version 2.0
Received: from Static-IP-cr190146112234.cable.net.co ([190.146.112.234]) by
domainname.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 23 Oct 2009 20:45:44 -0400
Received: from 190.146.112.234 by mx.stripsteel.com.br; Fri, 23 Oct 2009
19:45:09 -0500
Message-ID: <000d01ca5443$3ccfe500$6400a8c0@dumbfoundedidc1>
From: "Microsoft Update Center" <>
To: <>
Subject: Microsoft has released an update for Microsoft Outlook
Date: Fri, 23 Oct 2009 19:45:09 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA5443.3CCFE500"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Return-Path:
X-OriginalArrivalTime: 24 Oct 2009 00:45:44.0547 (UTC)
FILETIME=[51CDE330:01CA5443]
X-TM-AS-Product-Ver: SMEX-8.6.0.1168-5.600.1016-16964.004
X-TM-AS-Result: Yes-42.371700-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No

------=_NextPart_000_0007_01CA5443.3CCFE500
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0007_01CA5443.3CCFE500
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0007_01CA5443.3CCFE500--



 
 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      10-26-2009




Microsoft has a good IMF product. It works fine for me and all my customer
systems. It all depends on how it was configured.

Did you follow, if any, any web links to set it up?

Here's a good tutorial. There are many others out there, too.


Please describe and elaborate on your IMF settings (each tab), including
RBLs used.



 
 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      10-26-2009




Oops, I hit send too soon. What version of SBS?

Here are some IMF tutorials.

Intelligent Message Filter version 2 (IMF v2)
http://www.msexchange.org/tutorials/...-2-IMF-v2.html

Exchange 2007 Content Filter: How to move messages to Junk Mail folder
http://exchangepedia.com/blog/2007/0...how-to_07.html

Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs
http://exchangepedia.com/blog/2007/0...pam-agent.html

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


 
 
Al Williams
Guest
Posts: n/a

 
      10-26-2009
We haven't seen those, but we may be lucky. Do you update the IMF filter
definitions?

This site has great IMF information as well:
http://www.exchangeinbox.com/category.aspx?c=3

--
Allan Williams







 
 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      10-26-2009

"Al Williams" <> wrote in message
news:...
> We haven't seen those, but we may be lucky. Do you update the IMF filter
> definitions?
>
> This site has great IMF information as well:
> http://www.exchangeinbox.com/category.aspx?c=3
>
> --
> Allan Williams
>


Alexander Zammit has a video in that link on how to configure the 2003 IMF,
but he uses third party tools. Not trying to complicate it, and it's a good
video, I was more curious how Steve (the original poster) had configured his
settings to see why 'it's not working,' which would help us diagnose what's
going on.

I should make a video from one of my customer's sites that still has
Exchange 2003 using the native tools. I'll get around to it! :-)

Ace



 
 
Cliff Galiher
Guest
Posts: n/a

 
      10-26-2009
Wait wait wait,

You have *multiple* filters in place, and yet you say "one would think that
MS would have this figured out"

What kind of drive-by attack is that?!? Not exactly fair to single out MS
as some sort of failed culprit. To be fair, there has been a lot of botnet
spamming lately, so detecting is like playing whack-a-mole, which is why
*all* of your products are failing. The solution I'd recommend is adding a
good RBL to your Exchange setup. The botnets tend to be dynamic IPs and
spamhaus, for example, keeps a list of dynamic IPs that shouldn't be sending
email. As well, the spamlist tends to get updated quickly when new spam is
detected. That'll go a long way towards reducing your spam issues since it
won't be signature based, but a nice hardline rejection.

-Cliff



 
 
Al Williams
Guest
Posts: n/a

 
      10-26-2009

I'd have to agree here. I find that RBL lists like spamhaus zen knock out
90% of our spam on their own. This leaves the remaining for IMF and
anti-virus which usually handle the rest for us.

--
Allan Williams







 
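How the RBL check recommended in the two posts above works at connection time, as an added example that is not part of the original thread: the peer IP is taken from the Received header Steve posted, reversed, and looked up under the Spamhaus ZEN zone. The resolver answers in `constructed_resolver` are made up for the demonstration and are not a real lookup result; the return-code table follows Spamhaus' published ZEN codes.

```python
import ipaddress
import re
import socket

ZONE = "zen.spamhaus.org"

# ZEN answers are 127.0.0.x addresses; the last octet says which list matched.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.9": "DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received_header):
    """Peer IP recorded by our own server in the topmost Received header."""
    match = RECEIVED_IP.search(received_header)
    return str(ipaddress.IPv4Address(match.group(1))) if match else None


def dnsbl_name(ip, zone=ZONE):
    """Build the query name: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A-record lookup; NXDOMAIN or a resolver failure both yield no answers."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip, resolve=system_resolver, zone=ZONE):
    """Decide accept/reject for a connecting IP from the DNSBL answers."""
    answers = resolve(dnsbl_name(ip, zone))
    # 127.255.255.x is an error signal (for example a blocked public resolver),
    # not a listing: rejecting on it would bounce legitimate mail.
    if any(a.startswith("127.255.255.") for a in answers):
        return {"action": "accept", "lists": [], "note": "DNSBL error code"}
    lists = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    return {"action": "reject" if lists else "accept", "lists": lists, "note": ""}


# Received header as posted in the thread.
SAMPLE_RECEIVED = (
    "Received: from Static-IP-cr190146112234.cable.net.co ([190.146.112.234]) by\n"
    " domainname.com with Microsoft SMTPSVC(6.0.3790.3959);")


def constructed_resolver(name):
    """Constructed answers for offline use; not real DNSBL data."""
    table = {"234.112.146.190.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"]}
    return table.get(name, [])


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE_RECEIVED)
    print(dnsbl_name(ip), check(ip, resolve=constructed_resolver))
```

The decision is made on the connecting IP before any content is scored, which is why it is independent of how well the message imitates a real notice.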
 
Steve
Guest
Posts: n/a

 
      10-26-2009
Sorry, did not mean to offend anyone, just getting a lot of it lately and
getting blamed from all sides, especially from those who pay all of the
subscription fees, plus my salary, for protection, and aren't getting it,
just passing it along...

Exchange version is 6.5.7638.1
Windows SBS2K3 Std

I try to keep the entire SBS at the latest service level at all times, and
use as few 3rd party resources as possible. I believe that the only non MS
product on the box is the Trend Micro Worry Free Advanced and IMF companion,
and I would like to keep it that way.

I have had some IMF issues recently, had to change the configuration around
because we were not getting emails from our internal services, had to remove
our email server addresses from the perimeter settings and add them to
connection filtering exceptions. Since then we have been receiving the
internal emails, and since then Sender ID filtering has been failing, because
it wants an address entry in the perimeter settings. I have not had a chance
to dig into this.

I do use IMF companion multiple times a day and it shows the SCL rating on
the IMF filtered messages. According to it, we get a whole lot of bad email
with SCL ratings starting at 1, all the way up to 9.99... we get an average
of at least 1,000 bad emails a day. Some of our users just don't care and use
their email addresses to sign up for junk email.

The Sonicwall and Trend Micro are using RBL technology, supposedly the
latest and greatest.



 
 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      10-26-2009
"Al Williams" <> wrote in message
news:...
> I'd have to agree here. I find that RBL lists like spamhaus zen knock out
> 90% of our spam on their own. This leaves the remaining for IMF and
> anti-virus which usually handle the rest for us.
>
> --
> Allan Williams
>



That's why I had asked for Steve to elaborate on his setup, including what,
if any, RBLs being used.

:-)

Ace


 