SY0-501 Question #110: Real Exam Question with Answer & Explanation
The correct answers are E and F: disable the open relay on the email server and enable Sender Policy Framework (SPF). After a phishing attack has left compromised accounts pumping spam through the organisation's mail server, the fixes to apply first are the server-side configuration changes that stop the spread for every account at once; account-by-account remediation follows once the infrastructure can no longer be abused.
Question
Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO)
Options
- A. Disable the compromised accounts
- B. Update WAF rules to block social networks
- C. Remove the compromised accounts with all AD groups
- D. Change the compromised accounts' passwords
- E. Disable the open relay on the email server
- F. Enable sender policy framework
Explanation
The symptoms point to two gaps on the mail server rather than in any one account. First, the server relays whatever it is handed, so spam keeps leaving the organisation's infrastructure no matter how many individual accounts are reset; disabling the open relay (E) removes that capability with a single configuration change. Second, nothing lets receiving domains tell forged mail from legitimate mail, so the contacts of affected users keep receiving messages that appear to come from the organisation; publishing an SPF record (F) lets recipient servers reject mail that claims the domain but originates elsewhere. Both are one-time, server-wide changes that take effect for every affected account at once, which is what the time pressure in the question calls for. Account-level steps such as disabling accounts and resetting passwords are still required, but they scale with the number of accounts and come next.
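How answer E is verified on a real server, as an added example that is not part of the exam page: the classic open-relay probe, written in Python against the standard library's smtplib. The probe offers the server an external sender and an external recipient; a correctly restricted server refuses the RCPT TO with a 5xx reply, while an open relay accepts it with 250. The ScriptedSMTP class, the host names, the addresses and the reply texts are constructed here so the check runs offline; probe_host() runs the same logic against a live server you are authorised to test.

```python
"""Open-relay probe (added example; not from the exam page).

A spammer abusing a relay issues MAIL FROM and RCPT TO with addresses that are
both outside the server's own domains. We do exactly that, but never send DATA,
so nothing is actually relayed even if the server would allow it.
"""
import smtplib
from dataclasses import dataclass


@dataclass
class RelayResult:
    open_relay: bool   # True when RCPT TO for an external recipient got 250
    rcpt_code: int     # SMTP reply code the server gave to the decisive command
    rcpt_reply: str    # the server's reply text, useful in a ticket


def _text(reply):
    """smtplib returns reply text as bytes; normalise to str."""
    return reply.decode(errors="replace") if isinstance(reply, bytes) else str(reply)


def check_open_relay(smtp, probe_from="probe@attacker.example",
                     probe_to="victim@outside.example"):
    """Run the probe over an object with smtplib.SMTP's ehlo/mail/rcpt/rset.

    Addresses are placeholders; both must be foreign to the server under test,
    otherwise a legitimate local delivery would be mistaken for relaying.
    """
    smtp.ehlo("probe.example")
    code, reply = smtp.mail(probe_from)
    if code != 250:
        # External sender rejected outright: the server is not relaying for us.
        return RelayResult(False, code, _text(reply))
    code, reply = smtp.rcpt(probe_to)
    smtp.rset()  # abandon the envelope; no message is ever queued
    return RelayResult(code == 250, code, _text(reply))


def probe_host(host, port=25, timeout=10):
    """Connect to a live server and run the check. Only probe hosts you own."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return check_open_relay(conn)


class ScriptedSMTP:
    """Constructed stand-in for smtplib.SMTP so the probe runs offline.

    `rcpt_reply` is the canned (code, bytes) the fake server returns to RCPT TO.
    """

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.transcript = []  # commands the probe issued, in order

    def ehlo(self, name=""):
        self.transcript.append("EHLO " + name)
        return 250, b"mail.example\nPIPELINING\n8BITMIME"

    def mail(self, sender, options=()):
        self.transcript.append("MAIL FROM:<%s>" % sender)
        return 250, b"2.1.0 Ok"

    def rcpt(self, recip, options=()):
        self.transcript.append("RCPT TO:<%s>" % recip)
        return self.rcpt_reply

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"2.0.0 Ok"


def run_demo():
    """Two constructed servers: one correctly restricted, one open relay."""
    hardened = ScriptedSMTP((554, b"5.7.1 <victim@outside.example>: Relay access denied"))
    leaky = ScriptedSMTP((250, b"2.1.5 Ok"))
    return check_open_relay(hardened), check_open_relay(leaky)


if __name__ == "__main__":
    for label, result in zip(("hardened", "open relay"), run_demo()):
        verdict = "OPEN RELAY" if result.open_relay else "relay denied"
        print("%-10s %s (%d %s)" % (label, verdict, result.rcpt_code, result.rcpt_reply))
```

A 250 to an external RCPT TO is the finding; the usual fixes are restricting which networks may relay and requiring SMTP authentication for everything else. Re-run the probe after the change rather than trusting the configuration edit.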
Common mistakes.
- A. Disabling compromised accounts stops those accounts from being used, but the open relay keeps forwarding spam for anyone who connects, so the infrastructure weakness enabling the ongoing attack remains.
- B. A WAF governs HTTP traffic to the organisation's own web applications; blocking social networks there addresses a symptom (the social networking requests) and does nothing to stop relay abuse or to authenticate outbound mail, leaving the primary attack vector open.
- C. Removing compromised accounts and all of their AD group memberships is destructive and slow, and premature before the full scope is confirmed; it also does nothing to stop the mail infrastructure from being abused.
- D. Changing the compromised accounts' passwords is a valid remediation step, but it must be repeated for every affected account and does not close the open relay or supply the SPF record that would let recipients reject spoofed mail.
Concept tested. Email server hardening: open relay and SPF remediation
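For answer F, an added example (not from the exam page) of what the published record has to say and how a receiving server reads it: a small SPF evaluator for the ip4, ip6 and all mechanisms, plus an audit that flags records that exist but protect nothing, such as a terminal "+all". The record strings and addresses are constructed for the demonstration; include:, a, mx and exists: are reported as unsupported because resolving them needs DNS, which this offline example does not do.

```python
"""SPF record evaluation and audit (added example; not from the exam page).

Covers the mechanisms an administrator publishing a first record actually uses:
ip4:/ip6: with optional CIDR, and the terminal `all` with its qualifier.
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples.

    Modifiers such as redirect= and exp= are skipped; a missing qualifier is '+'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term:
            continue  # modifier, not a mechanism
        name, _, arg = term.partition(":")  # first colon only, so ip6 args survive
        parsed.append((qual, name.lower(), arg))
    return parsed


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip under record,
    or 'unsupported' if a DNS-dependent mechanism is reached before a decision."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]  # terminal: decides for every unmatched sender
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed network, treated as non-matching
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "unsupported"  # include:, a, mx, exists: need DNS lookups
    # RFC 7208 section 4.7: nothing matched and no `all` present => neutral
    return "neutral"


def audit_spf(record):
    """Flag settings that leave the domain spoofable even though a record exists."""
    findings = []
    terms = parse_spf(record)
    terminal = [(q, m) for q, m, _ in terms if m == "all"]
    if not terminal:
        findings.append("no terminal 'all': unlisted senders get 'neutral', not 'fail'")
    elif terminal[-1][0] in ("+", "?"):
        findings.append("'%sall' accepts or ignores any sender; publish '-all'" % terminal[-1][0])
    if any(m in ("ip4", "ip6") and a.endswith("/0") for _, m, a in terms):
        findings.append("a /0 network authorises every address on the internet")
    return findings


if __name__ == "__main__":
    # Constructed records: a sensible one and one that only looks like protection.
    good = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
    weak = "v=spf1 +all"
    for rec in (good, weak):
        print(rec)
        for ip in ("203.0.113.7", "198.51.100.9"):
            print("  %-14s -> %s" % (ip, evaluate_spf(rec, ip)))
        print("  audit:", audit_spf(rec) or "ok")
```

The practical point for the scenario in the question: a record ending in "-all" is what lets the complaining contacts' mail servers refuse spoofed messages, and it only helps once the organisation's own outbound servers are listed in it, which is why SPF is paired with closing the relay rather than a substitute for it.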