The E-Mail server is not protected by having connections from “Sender Filter” sources dropped by the Edge Transport Server role (E-Mail Secure Gateway) at the perimeter.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18675	EMG2-021 Exch2K3	SV-20294r1_rule	ECSC-1	Medium

Description
SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. It is recommended that “drop connections” action be taken when inbound requests are from addresses that match sender filters (such as those on Block List) and be performed in the perimeter network by an E-Mail Secure Gateway server, because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. If the other party has other messages to send, it must re-initiate the Simple Message Transfer Protocol (SMTP) connection to start sending the next message (as opposed to simply continuing the current connection). This will slow down the rate at which this blocked sender is able to send messages to the server, further mitigating the potential for a Denial of Service attack.

Description

SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. It is recommended that “drop connections” action be taken when inbound requests are from addresses that match sender filters (such as those on Block List) and be performed in the perimeter network by an E-Mail Secure Gateway server, because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. If the other party has other messages to send, it must re-initiate the Simple Message Transfer Protocol (SMTP) connection to start sending the next message (as opposed to simply continuing the current connection). This will slow down the rate at which this blocked sender is able to send messages to the server, further mitigating the potential for a Denial of Service attack.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22394r1_chk )
Interview the E-mail Administrator or the IAO. Request documentation that indicates connections from sources matching sender filters are dropped on an Edge Transport Role (E-mail Secure Gateway) server outside the enclave at the perimeter. Criteria: If incoming connections from “sender filter” sources are dropped, this is not a finding.

Fix Text (F-19322r1_fix)
Implement perimeter-based protection in the form of a Secure E-mail Gateway that performs, among other protections, dropping connections when the address matches “sender filter” sources, for SPAM elimination prior to forwarding message traffic to mailbox servers.