Exchange 2003 - How do I stop spoofed e-mails on the intranet?

Greetings,
So now, what I have going on is a mm virus on the intranet? Virus for sure. Server is Exchange 2003. Clients use Outlook 2003.  We are receiving e-mails from spoofed addresses on our intranet, i.e. evu@snoopy.com and not gjones@snoopy.com.  I can identify the IP address where they are coming from, but am unable to block the IP address or the sender.  I use SMSSMTP v4.1.15.47 which is catching most of the e-mails that try to come in, but not all, obviously.  I have not been able to identify the virus, but do know that the spammed e-mails are not getting out of our network - yet. Any suggestions?
Lyndy333Asked:

SembeeCommented:
What is SMSSMTP ?

Are the messages coming in from inside or outside the network? If they are coming in from outside the network then your antispam software should be blocking them. If it is not then it isn't fit for purpose and you should look at using something else.

Spoofed email is very common and most antispam applications should be able to deal with them.

Simon.
0
SanDiegoComputerCommented:
If you know the IP address you can indeed block this from talking to your server.  You can do it several ways.  
1. open exchange system manager
2. Click the plus next to global settings.
3. Right click and properties Message Delivery.
4. On Connection filtering click Deny.
5. Specify the address and click ok till you are out of the message delivery tab.
6. Open the settings on smtp (servername / protocols / smtp / default smtp server)
7. Click Advanced / Edit / and check Apply connection filter and click ok.
0
Exchange_AdminCommented:
If it's an internal machine then I would fdisk and reinstall.
0

Lyndy333Author Commented:
Hello San Diego...
This did not work for me. I am told that this is because I have the e-mail routed to the Symantec Mail Server Security for SMTP - first.  It seems that SPAM has increased on our network 200% too.
Any suggestions? Thank you.
0
SembeeCommented:
If you have email coming in via another device or application then any blocking must occur there first, not in Exchange. Exchange will not see the traffic coming from the external IP address but an internal address.

Simon.
0
Lyndy333Author Commented:
Simon,
Do you know of a program that I can use to block IP addresses? Otherwise, I will be forced to deny any traffic unless it appears on the accept list. The latter would not be conducive to our business as we have contacts from many other businesses that require critical communications.  I wish I had the time to research more... Thank you for your help!
0
Lyndy333Author Commented:
Simon... I mean block IP addresses for e-mail purposes...
0
SembeeCommented:
Have you verified whether the email is coming from an internal or external source?
Your original question was worded in a way that made it sound like it was coming from inside.

As I wrote above, if you have antispam software and it is not doing the job then it should be replaced. Trying to block spam by IP address is a fruitless exercise. The closest you can get is a blacklist operated by someone like Spamhaus. However you would then need to be happy with someone else deciding what email you receive. I am not, so I don't use blacklists.

Simon.
0
Lyndy333Author Commented:
Hi Simon, The spam is coming from inside...as I have stated above.

The software I have uses Spamhaus and a few others.  I can also enter e-mail addresses that I want blocked which is a fruitless effort.  I need a better solution for sure, what that will be I do not know.

Thank you.
0
Lyndy333Author Commented:
The MM virus got in somehow.  
0
SembeeCommented:
I know that you wrote they were coming from inside in your original question, are you sure that it is coming from inside? How have you diagnosed that?

The reason I ask is that spam bots don't use another server on the network to send messages. They have their own SMTP engines and will be sending email out directly. They do not use a third party server to send the email messages.

Simon.
0
Lyndy333Author Commented:
I do not pick up (see) any traffic from the outside - in on the firewall or the SMTP server.  What I do see is 200 e-mails sent to internal e-mail addresses that were not sent outside the intranet and did not come in through the gateway.  Some of the clients actually receive these e-mails and perhaps the content of these e-mails would be helpful to you...they just peave me off.  The e-mails that are received on the intranet - from the intranet - are usually from evu@snoopy.com, but the e-mails can come from any spoofed address, and have, such as 0123@snoopy.com.

Currently, I am the only one that receives e-mails from evu@snoopy.com.  Comments?
0
SembeeCommented:
How do you know they didn't come through the gateway?
Can the Exchange server be seen from the outside?
Do you restrict SMTP traffic in any way?

If you look at the headers of the email message that you have received, they should show the IP address of the server that sent the message - even a bot leaves that trace.

Viruses do not send email through another server. The only way those messages could have got on to your server from an internal machine is if you had an internal MX record and the messages were specifically targeted at your address by the bot net. The chances of that are quite small unless you are a high target.

Do you have your Exchange server configured to send a copy of NDRs or unknown recipients to your email server?

Simon.
0
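Simon's advice above is to read the Received: headers and find the server that actually handed the message to the gateway. The Python below is an added example written for this thread, not code from Experts Exchange, Symantec or Microsoft: it unfolds the headers, walks the Received: hops from the gateway outward, reports the first relay that is not on an assumed-internal range (RFC 1918 space, since the thread's Exchange server sits at 10.0.32.25 behind a NAT firewall), and flags a From: address that claims the local domain while the message entered from outside. The sample headers are constructed to match the notice Lynda posts later in the thread.

```python
import ipaddress
import re

# Assumed internal address space: the thread puts Exchange at 10.0.32.25 behind
# a NAT firewall, so RFC 1918 ranges are treated as "inside" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RECEIVED_IP_RE = re.compile(r"\[" + IPV4 + r"\]")   # "from host ([ip])"
FROM_DOMAIN_RE = re.compile(r"^From:.*?@([\w.-]+)", re.M)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def received_hops(headers):
    # Unfold continuation lines, then take the bracketed IP from each
    # Received: header. Order is newest (our gateway) first.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_IP_RE.search(line)
        if line.lower().startswith("received:") and m:
            hops.append(m.group(1))
    return hops

def origin(headers):
    # Walk outward from our side; the first relay that is not ours is the
    # server that actually handed us the message. All hops internal means
    # the message really did start inside the network.
    hops = received_hops(headers)
    for ip in hops:
        if not is_internal(ip):
            return ("external", ip)
    return ("internal", hops[-1]) if hops else ("unknown", None)

def spoofed_internal_sender(headers, our_domain):
    # From: claims our own domain, yet the message entered from outside.
    m = FROM_DOMAIN_RE.search(headers)
    claims_ours = bool(m) and m.group(1).lower() == our_domain.lower()
    return claims_ours and origin(headers)[0] == "external"

# Constructed sample modelled on the thread (not a real captured message).
SAMPLE_HEADERS = """Received: from smssmtp.snoopy.com ([10.0.32.20])
    by Exchange.snoopy.com with Microsoft SMTPSVC; Fri, 17 Aug 2007 04:06:10 -0500
Received: from mafoi.com ([61.17.215.33])
    by smssmtp.snoopy.com; Fri, 17 Aug 2007 04:05:30 -0500
From: evu@snoopy.com
To: lgabrielse@snoopy.com
"""
```

Run origin(SAMPLE_HEADERS) and it returns ("external", "61.17.215.33"): the relay Exchange sees is the internal Symantec box, but the hop before it is outside, which is exactly why the mail looks internal from the Exchange side.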
Lyndy333Author Commented:
Simon,
The e-mail address for 'evu@snoopy.com' comes from an internal NAT IP address - which happens to be the Exchange server's NAT IP address.  When other clients, within the intranet, receive an e-mail from 'evu@snoopy.com' it shows the Exchange server's IP address too.  

The only thing that I have is an IP address 61.17.215.33:  61.17.0.0 - 61.17.255.255
netname:      VSNL-IN
descr:        Videsh Sanchar Nigam Ltd - India.
descr:        Videsh Sanchar Bhawan, M.G. Road
descr:        Fort, Bombay 400001
61.17.215.33 is what I find when I go to 'evu@snoopy.com's' mailbox. Again, evu@snoopy.com does NOT exist on the Exchange server.  I can look 'evu@snoopy.com' (and find it) only on the SMTP server.  I know this makes no sense, this is why I am asking for help.
0
Lyndy333Author Commented:
Simon,
As for your questions 2 & 3, the answer is no to both.
Thanks, Lynda
0
SembeeCommented:
Can you post the headers of one of the email messages?
What is between the Exchange server and the internet?
You say that the Exchange server has a NAT address. If the server cannot be seen from the internet, then why does it have a NAT address?

Simon.
0
Lyndy333Author Commented:
Simon,

Aug 13, 2007 12:25:57 AM  Action: Message Delivered  Server: 10.0.32.25:25  From: Symantec_Mail_Security_for_SMTP@snoopy.com  
To: lgabrielse@snoopy.com  Subject: SMSSMTP Policy Violation  SMTP ID: M2007081300255706136  
Connection ID: 7160  Last Response: 250 2.6.0 <EXCHANGEm5JgUjTNVv500000058@Exchange.snoopy.com> Queued mail for delivery  

It is an external IP address, Sonicwall Firewall, (NAT ENABLED NETWORK on this side of the firewall)   SMS-SMTP, Exchange and File Server.  
0
SembeeCommented:
That is the message from the Symantec application.
Have you seen the actual message that is being blocked?

Some firewalls, the Netscreens for example, present NAT traffic to the internal machines in such a way that it appears to be internal traffic rather than external traffic. I have been caught on that myself. I don't know if the Sonic Wall does that or not.

Simon.
0
Lyndy333Author Commented:
Simon,
EVU is not a user on the network, cannot be seen by the Exchange server or Active Directory, but is only seen on the SMTP server which filters viruses - not SPAM.  And, the Exchange server is not able to filter the SPAM because the e-mail comes through the SMTP server first, so Exchange cannot see it.  

The following message violated system policy:

Connection From: 61.17.215.33
From: 3dgovind@mafoi.com
To: evu@snoopy.com
Date: Fri, 17 Aug 2007 04:05:24 -0500
Subject: Your information


The following violations were detected:

--- Scan information follows ---

Virus Name: W32.Netsky.T@mm
File Attachment: final_version5.pif
Attachment Status: deleted

--- File name Block information follows ---

File Attachment: final_version5.pif
Matching file name: Message is considered to be a mass-mailer.

--- File name Block information follows ---

File Attachment: M2007081704052405353.mes/final_version5.pif
Matching file name: *.pif



The message was dropped.
0
SembeeCommented:
Is 61.17.215.33 connected to you in any way?

Simon.
0
Lyndy333Author Commented:
Nope...

Lynda
0
SembeeCommented:
In that case the message is a standard spoofed message that originated from outside of your network. There is nothing you can do about stopping them coming in; what you do with the message is up to you.

Recipient filtering on the gateway will drop anything addressed to non-existent users.
If the To address is valid then you will need to delete the message once it is delivered. Don't try and bounce it back as the address will almost certainly be spoofed.

Simon.
0
Lyndy333Author Commented:
Once this e-mail is sent, which is every morning, evu@snoopy.com then sends e-mails to internal addresses which use internal IP NAT addressing.  The recipient filtering, on the Exchange server, did not work...I assume because it is not the gateway.  

Lynda
0
Lyndy333Author Commented:
Even though the SMTP server is finding and deleting the attachment that contains the virus, something else is happening when this particular e-mail is received.
0
SembeeCommented:
Recipient filtering only works when the Exchange server is the first thing to receive email off the domain.

I think what you are seeing is standard BCC tactics. The email message has one address in the To line and the rest are in the BCC line. Very common.
It could also be that someone on that IP address has a copy of email addresses on your domain, and when they start their machine up the virus runs again, sending the messages to the same recipients time after time.

Simon.
0