stevendunne

Spoof \ Fake Emails

I've a question about these spoof \ fake emails spammers are sending to our organisation.

We are using Exchange 2003 with no open relays. However, in my junk mailbox sometimes an email appears to be sent from me to someone else internal (although our company disclaimer isn't attached). And sometimes users will get an odd bit of junk mail sent from another user to them.

How do they do this? Do they just put in any "from" address and any "to" address using some sort of client and then just relay through servers they can authenticate with?

Is there anything I need to check?

Thanks
scampgb

Hi stevendunne,

You've hit the nail on the head :-)

It's very annoying, but they've spoofed the from: address.

As for what you can do (assuming you're using Outlook):
Open the offending email
View menu > Options
You'll see a load of "Internet Headers"
This explains what mail servers this email has travelled through on its way to you.

Look at the "Received" lines - the bottom one will be the first mail server that this email went through after being sent by the spammer.
These people are likely to be either open relays, or not caring about the behaviour of their email users.  They're the people you should complain to.

If you post the internet headers here, I'll let you know how to go about complaining about it.

The other option is to use a spam filtering service of some sort.

I hope that this helps - let me know if you need any further help.
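
The header check described in the answer above, as an added example that is not part of the original thread: it lists the Received hops oldest-first and flags a message whose From: claims the internal domain but which reached the organisation's own server from an unlisted address. The domain example.com, the host names, the IP addresses and the sample headers are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the thread). example.com is the assumed
# internal domain; all addresses are from documentation ranges.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby exch01.example.com with ESMTP; Mon, 2 Aug 2004 10:15:03 +0100
Received: from dsl-host.isp.invalid (unknown [203.0.113.25])
\tby mail.example.com with SMTP; Mon, 2 Aug 2004 10:15:01 +0100
From: "Steven" <steven@example.com>
To: colleague@example.com
Subject: Re: your document

body
"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return hops oldest-first. Each server prepends its Received line,
    so the bottom header is the first server that handled the message."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # skip Received lines without a from/by pair
        ip = IP.search(m.group(2) or "")
        hops.append({"from": m.group(1), "by": m.group(3).lower(),
                     "ip": ip.group(1) if ip else None})
    return hops

def check_internal_spoof(raw, internal_domain, internal_ips):
    """Flag mail whose From: claims the internal domain but whose entry
    hop into our own servers came from an address we do not operate."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    claims_internal = sender.endswith("@" + internal_domain)
    # Only Received lines written by our own servers are trustworthy;
    # anything below the first of them was supplied by the sender.
    ours = [h for h in received_hops(raw)
            if h["by"].endswith("." + internal_domain)]
    entry = ours[0] if ours else None
    # A hop with no recorded IP is treated as external.
    external = entry is not None and entry["ip"] not in internal_ips
    return {"sender": sender, "entry_hop": entry,
            "suspect": claims_internal and external}
```
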
BNettles73


Complete Guide to Reading Email Headers -
http://www.stopspam.org/email/headers.html

CERT on Spoofing/Forged Emails
http://www.cert.org/tech_tips/email_spoofing.html

Block SPAM with Intelligent Message Filter - Exchange 2k3 Add-on (Free)
http://www.petri.co.il/block_spam_with_exchange2003_imf.htm
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Configure Exchange 2003 to check recipients in SMTP protocol
http://blogs.msdn.com/dlemson/archive/2003/10/17/52019.aspx

You might read up on the latest variant of the MyDoom virus ... I know a lot of the newer virus types will spoof your domain addresses. If you have good content filtering software you can not only block the attachments but filter based on subject line or by email address. I had an instance with one of the latest MyDoom viruses where my mail gateways were receiving 10-20k emails a day with a spoofed address of mailerdaemon@domainname.com ... the display name was Message Subsystem or something like that ... I ended up stripping all emails with that particular email address since it was invalid.

Example of what I'm talking about ...
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.N&VSect=T

More information regarding Spamming and Spoofing:
http://www.lse.ac.uk/itservices/help/spamming&spoofing.htm

Protect Against SPAM Tutorial:
http://www.msexchange.org/tutorials/Exchange-Spam.html

As always nothing beats a solid security model and educating your users. It is important they know not to use their work email addresses to sign up for list servers, forums or any place a harvester could collect their info.
