Solved

Spoof \ Fake Emails

Posted on 2004-08-26
Last Modified: 2012-06-27
I've a question about these spoof \ fake emails spammers are sending to our organisation.

We are using Exchange 2003 with no open relays.  However, in my junk mailbox sometimes an email appears to be sent from me to someone else internal (although our company disclaimer isn't attached).  And sometimes users will get an odd bit of junk mail sent from another user to them.

How do they do this?  Do they just put in any "from" address and any "to" address using some sort of client and then just relay through servers they can authenticate with?

Is there anything I need to check?

Thanks
Question by:stevendunne
 
LVL 15

Expert Comment

by:scampgb
ID: 11904134
Hi stevendunne,

You've hit the nail on the head :-)

It's very annoying, but they've spoofed the from: address.

As for what you can do (assuming you're using Outlook):
Open the offending email
View menu > Options
You'll see a load of "Internet Headers"
This explains what mail servers this email has travelled through on its way to you.

Look at the "Received" lines - the bottom one will be the first mail server that this email went through after being sent by the spammer.
These people are likely to be either open relays, or not caring about the behaviour of their email users.  They're the people you should complain to.

If you post the internet headers here, I'll let you know how to go about complaining about it.

The other option is to use a spam filtering service of some sort.

I hope that this helps - let me know if you need any further help.
 
LVL 12

Expert Comment

by:BNettles73
ID: 11909103

Complete Guide to Reading Email Headers -
http://www.stopspam.org/email/headers.html

Cert on Spoofing/Forged Emails
http://www.cert.org/tech_tips/email_spoofing.html

Block SPAM with Intelligent Message Filter - Exchange 2k3 Add-on (Free)
http://www.petri.co.il/block_spam_with_exchange2003_imf.htm
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Configure Exchange 2003 to check recipients in SMTP protocol
http://blogs.msdn.com/dlemson/archive/2003/10/17/52019.aspx

You might read up on the latest variant of the MyDoom virus ... I know a lot of the newer virus types will spoof your domain addresses. If you have good content filtering software you can not only block the attachments but filter based on subject line or by email address. I had an instance with one of the latest MyDoom viruses where my mail gateways were receiving 10-20k emails a day with a spoofed address of mailerdaemon@domainname.com ... the Display name was Message Subsystem or something like that ... I ended up stripping all emails with that particular email address since it was invalid.

Example of what I'm talking about ...
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.N&VSect=T

More information regarding Spamming and Spoofing:
http://www.lse.ac.uk/itservices/help/spamming&spoofing.htm

Protect Against SPAM Tutorial:
http://www.msexchange.org/tutorials/Exchange-Spam.html

As always nothing beats a solid security model and educating your users. It is important they know not to use their work email addresses to sign up for list servers, forums or any place a harvester could collect their info.

 
LVL 12

Accepted Solution

by:
BNettles73 earned 350 total points
ID: 11909218

P.S. yes, you are correct - most spammers will use a server with an open relay and use scripting to generate the From: address based on whatever lists they are using to email. There are general spoofing utilities but for the most part it is scripts sending through an open relay on an SMTP server with basic mail commands.

Your server receives the mail without authenticating because from the internet anonymous is allowed on most SMTP servers. This is by design .... it transfers the email to your or another user's mailbox and gives the appearance that it is from you ... the headers tell the real story ... if you receive a lot of spam, I'd trace it back and notify the spammer's ISP to try and get it shut down.

0
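
Added example (not part of any post in this thread): a short Python script for the header check described in the first comment and in the accepted solution. It reads the "Received" lines, finds the hop where the message entered your own servers, and flags a From: address that claims your domain but arrived from outside. Received lines below the one stamped by your own server are supplied by the sender and can be forged, so only that hand-off hop is treated as reliable. The host names, domain, sample message and function names are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: hosts and addresses are invented, IPs come from
# the documentation ranges. The newest Received header is at the top.
SAMPLE = """\
Received: from gw.example.org ([192.0.2.10]) by exch01.example.org with Microsoft SMTPSVC; Thu, 26 Aug 2004 09:14:07 +0100
Received: from relay.isp.invalid ([198.51.100.25]) by gw.example.org with ESMTP; Thu, 26 Aug 2004 09:14:05 +0100
Received: from unknown ([203.0.113.77]) by relay.isp.invalid with SMTP; Thu, 26 Aug 2004 08:13:58 +0000
From: "Steven" <steven@example.org>
To: colleague@example.org
Subject: constructed test message

body
"""

# Matches the common layout: from <host> (... [ip]) ... by <host>
HOP_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)", re.S)

def received_hops(raw):
    """Return the Received chain oldest-first (bottom header first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append({"from_host": m.group(1), "from_ip": m.group(2),
                         "by_host": m.group(3).lower()})
    return hops

def handoff_to_us(raw, our_servers):
    """Hop where one of our servers accepted the message from an outside host."""
    # Walk newest to oldest: headers written by our own servers are the only
    # ones the sender could not have typed in.
    for hop in reversed(received_hops(raw)):
        if hop["by_host"] in our_servers and hop["from_host"].lower() not in our_servers:
            return hop
    return None

def looks_spoofed(raw, our_domain, our_servers):
    """True when From: claims our domain but the message entered from outside."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    claims_internal = addr.lower().endswith("@" + our_domain)
    return claims_internal and handoff_to_us(raw, our_servers) is not None

if __name__ == "__main__":
    ours = {"gw.example.org", "exch01.example.org"}
    print(handoff_to_us(SAMPLE, ours), looks_spoofed(SAMPLE, "example.org", ours))
```

A remote user or outside service that legitimately sends as your domain will also match, so treat a hit as a lead to investigate rather than a verdict.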
