Solved

How did a spam email get generated and sent from my server?

Posted on 2006-06-15
Last Modified: 2011-09-20
My server is Windows 2003 with Exchange 2003. In the last couple of days, a number of accounts have sent out mails like the samples below. I can't figure out how it happened, or whether my server is infected or local user machines are infected with viruses. The email was sent out using an authorized account and sent to the same account under an alias address, as below. Different subject and body content were sent out each time.

From: Jeanine [mailto:firname_lastname@domainname.com]
Sent: Wednesday, June 14, 2006 1:55 PM
To: firstname lastname
Subject: RE: yOur pi11z r3quest
Importance: High

HOw are yOu Guys?!

Please open your mind for a simple thing
Internet provided products always cheaper than others.
You may agree or not, but this is a fact
Just compare the numbers and get the same goods for a half value
You may agree or not, but this is a fact

0HNiTsfUebnAZb9XR4DM
Question by:cuc888

5 Comments
 
LVL 8

Expert Comment

by:smeek
ID: 16918026
Enable message tracking on your server properties in ESM. Query on the next message you receive. This is to make sure the messages were not just spoofed emails (crafted to look like they came from your server).

You might also check and make sure the guest account in your domain is enabled?

You should also check and see if your server is an open relay.
http://www.abuse.net/relay.html

Steve
 
LVL 104

Expert Comment

by:Sembee
ID: 16919773
Are you sure that the messages are coming from your server? You need to see the header information to confirm if they have originated off your machine, or the messages are spoofed.

If you are sure, then it could be either an open relay or authenticated user. If the machine is being used you can usually tell as there will be a large number of messages in the queues.
Authenticated user attacks are usually against the administrator account, so change that account password.
If you don't have any users outside relaying through your server with Outlook Express or similar SMTP product, then you don't even need authenticated relaying and can turn it off.

Simon.
 

Author Comment

by:cuc888
ID: 16922437
I've checked and it is not open for relay. I've looked at the queue and there is no large queue of unknown addresses. Here is the header of one of the spam emails. I can't tell where it was generated from.

Microsoft Mail Internet Headers Version 2.0
Received: from Robin ([172.30.6.1] RDNS failed) by mail.myserver.com with Microsoft SMTPSVC(6.0.3790.1830);
             Fri, 16 Jun 2006 06:31:51 -0700
Return-path: <firstname_lastname@myserver.com>
Received: from [142.135.192.72] (port=2710 helo=[142.135.192.72])
        by myserver.com with esmtp
        id 0ZKEf4-fZl291-83
        for firstname_lastname@myserver.com; Fri, 16 Jun 2006 08:01:51 -1000
Reply-To: Leanna <firstname_lastname@myserver.com>
Message-ID: <79158161.20060616080151@myserver.com>
From: Leanna <firstname_lastname@myserver.com>
To: <firstname@myserver.com>
Subject: Save your money, buy pills here!
Date: Fri, 16 Jun 2006 08:01:51 -1000
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0068_01C4B064.95321943"
X-Priority: 1
X-Mailer: The Bat! (v3.71.14) Home
X-Spam: Not detected
X-OriginalArrivalTime: 16 Jun 2006 13:31:51.0734 (UTC) FILETIME=[39F07D60:01C69149]

------=_NextPart_000_0068_01C4B064.95321943
Content-Type: text/html;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0068_01C4B064.95321943
Content-Type: image/gif;
Content-ID: <pOwi8GK9DRX0$HrwYoTHz$AK1WehJLQ@nMpW>
Content-Transfer-Encoding: base64


------=_NextPart_000_0068_01C4B064.95321943--
 

Author Comment

by:cuc888
ID: 16922543
Is this where the email was sent from?

Received: from [142.135.192.72] (port=2710 helo=[142.135.192.72])

I looked at the headers of other spam emails and they are different on each one, like this for example:
Received: from [81.229.108.74] (port=1758 helo=[81.229.108.74])

Is this a server problem or a client problem?
 
LVL 104

Accepted Solution

by:Sembee (earned 250 total points)
ID: 16923276
The presence of Internet headers means the message came from outside.
The first IP (142.135...) is from Canada. The second (81.229...) is Sweden.

It looks like standard spam, with one of their standard methods of putting your domain in both the from and the to line.

The messages aren't coming off your machine, which means there is nothing you can do about them.
Your spam filter should be dealing with these types of messages.

Simon.
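The accepted answer rests on reading the Received chain. As an added example (not code from the thread), the script below parses the headers the asker posted, walks the hops from most recent to oldest, and flags which hop was stamped by a server you administer and which addresses are private; the hostname list OWN_SERVERS is an assumption for the example. Only the Received line added by your own server is authoritative, since any line below it could have been written by the sender, so the private address in the trusted hop is the one to map against your own network inventory.

```python
import ipaddress
import re

# Constructed sample: the Received headers from the message posted in the
# thread (hostnames and IPs copied from the page, other headers trimmed).
SAMPLE_HEADERS = """\
Received: from Robin ([172.30.6.1] RDNS failed) by mail.myserver.com with Microsoft SMTPSVC(6.0.3790.1830);
             Fri, 16 Jun 2006 06:31:51 -0700
Return-path: <firstname_lastname@myserver.com>
Received: from [142.135.192.72] (port=2710 helo=[142.135.192.72])
        by myserver.com with esmtp
        id 0ZKEf4-fZl291-83
        for firstname_lastname@myserver.com; Fri, 16 Jun 2006 08:01:51 -1000
From: Leanna <firstname_lastname@myserver.com>
"""

# Hostnames of the mail servers you control (assumed for this example).
OWN_SERVERS = {"mail.myserver.com"}


def unfold(raw: str) -> list:
    """Join folded header lines: continuation lines start with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw: str) -> list:
    """Return one dict per Received header, most recent hop first."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        ip = m_ip.group(1) if m_ip else None
        by = m_by.group(1) if m_by else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": ip,
            "by": by,
            "private": bool(ip) and ipaddress.ip_address(ip).is_private,
            # Only a hop stamped by a server you control can be trusted;
            # anything beneath it may have been forged by the sender.
            "trusted": by in OWN_SERVERS,
        })
    return hops


def entry_hop(hops: list):
    """Lowest trusted hop: where the mail really entered your system."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1] if trusted else None
```

With the posted headers, the only trusted hop is the one Exchange itself wrote, which shows the mail arriving from the private address 172.30.6.1; the lower hop claiming 142.135.192.72 was stamped by a host not in your list and so cannot be verified from these headers alone.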
