Email spoofing issue

Posted on 2006-05-10
Last Modified: 2009-02-05
We have an issue with someone apparently sending email to our internal users posing as our actual Exchange server. Below is the header of an email. Note that the email looks like it is coming from our mail server (pti-nj.com) but the IP address (58.10.84.86) is not ours. The email is sent with a from address of one of our internal users and sent to other users in our company. We have relay restrictions on our Exchange server (only allowing the IP address of our Exchange server to relay, but it does allow any authenticated user to relay); this is set on the Relay restrictions tab of the SMTP virtual server. HELP! We are getting a lot of these types of emails.

Microsoft Mail Internet Headers Version 2.0
Received: from pti-nj.com ([58.10.84.86]) by mailserver.pti-nj.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 4 May 2006 08:12:34 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
From: <register@pti-nj.com>
To: <mktg@pti-nj.com>
Subject: Members Support
Date: Thu, 4 May 2006 19:11:47 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
            boundary="----=_NextPart_000_0000_961632E8.767635F9"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <register@pti-nj.com>
Message-ID: <MAILSERVERVY5jVkjA20000051a@mailserver.pti-nj.com>
X-OriginalArrivalTime: 04 May 2006 12:12:34.0818 (UTC) FILETIME=[06D57620:01C66F74]
------=_NextPart_000_0000_961632E8.767635F9
Content-Type: text/html;
            charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0000_961632E8.767635F9
Content-Description: warning.htm
Content-Type: text/html;
            name="warning.htm"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
            filename="warning.htm"

 

 

------=_NextPart_000_0000_961632E8.767635F9--

Question by:cberinger
Accepted Solution

by:
LeeDerbyshire earned 2000 total points
ID: 16649230
It's not easy to stop this kind of thing.  Since they are using your own SMTP domain, it isn't technically relaying.  You could try enforcing SPF lookups (after creating your own SPF record, of course), but then you would without doubt lose many genuine emails.  I would be inclined to 'ride it out', and see if it stops.  If not, then a spam filter should stop most of the junk mail.  If you use E2003 SP2, then I find that the built-in IMF is quite good.  Mind you, many other people don't like it.
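
The mismatch the question points out (an internal From domain on a message that arrived from an outside IP) can be checked mechanically. The following is an added example, not part of the original thread: `check_message` is a hypothetical helper and `TRUSTED_NETS` is a placeholder documentation range standing in for the organisation's real addresses. It assumes internal mail is only submitted from those networks, so authenticated remote users would need separate handling.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: TRUSTED_NETS is a documentation-range placeholder for the
# addresses that may legitimately submit mail as the internal domain.
INTERNAL_DOMAIN = "pti-nj.com"
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# "from <HELO name> ([<connecting IP>]) by <receiving host>", the form
# of the Received line in the header shown in the question.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def check_message(raw):
    """Compare the From domain with the IP our own server recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    # Only the topmost Received line was written by our server; the HELO
    # name inside it is whatever the client claimed, the bracketed IP is not.
    m = RECEIVED_RE.search(" ".join(received[0].split())) if received else None
    try:
        ip = ipaddress.ip_address(m.group(2)) if m else None
    except ValueError:
        ip = None
    if ip is None:
        return {"verdict": "unparsed", "from_domain": from_domain}
    trusted = any(ip in net for net in TRUSTED_NETS)
    internal = from_domain == INTERNAL_DOMAIN
    verdict = "spoofed-internal-sender" if internal and not trusted else "ok"
    return {"verdict": verdict, "from_domain": from_domain,
            "helo": m.group(1), "client_ip": str(ip)}

# Header lines taken from the question (first sample) and a constructed
# legitimate submission from the placeholder network (second sample).
SPOOFED = """\
Received: from pti-nj.com ([58.10.84.86]) by mailserver.pti-nj.com
 with Microsoft SMTPSVC(5.0.2195.6713); Thu, 4 May 2006 08:12:34 -0400
From: <register@pti-nj.com>
To: <mktg@pti-nj.com>
Subject: Members Support
"""
LEGIT = SPOOFED.replace("58.10.84.86", "192.0.2.10")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_message(raw))
```

The same comparison is what an SPF record lets receiving servers perform against a published list of permitted sending addresses.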