Solved

Exchange 2003 - How do I stop spoofed e-mails on the intranet?

Posted on 2007-07-27
Last Modified: 2008-01-09
Greetings,
So now, what I have going on is a mm virus on the intranet? Virus for sure. Server is Exchange 2003. Clients use Outlook 2003. We are receiving e-mails from spoofed addresses on our intranet, i.e. evu@snoopy.com and not gjones@snoopy.com. I can identify the IP address where they are coming from, but am unable to block the IP address or the sender. I use SMSSMTP v4.1.15.47, which is catching most of the e-mails that try to come in, but not all, obviously. I have not been able to identify the virus, but do know that the spammed e-mails are not getting out of our network - yet. Any suggestions?
Question by:Lyndy333
25 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 19582360
What is SMSSMTP?

Are the messages coming in from inside or outside the network? If they are coming in from outside the network then your antispam software should be blocking them. If it is not then it isn't fit for purpose and you should look at using something else.

Spoofed email is very common and most antispam applications should be able to deal with them.

Simon.
 
LVL 8

Assisted Solution

by:SanDiegoComputer
SanDiegoComputer earned 400 total points
ID: 19582850
If you know the IP address you can indeed block it from talking to your server. You can do it several ways.
1. Open Exchange System Manager.
2. Click the plus next to Global Settings.
3. Right-click Message Delivery and choose Properties.
4. On the Connection Filtering tab, click Deny.
5. Specify the address and click OK until you are out of the Message Delivery properties.
6. Open the settings on SMTP (servername / Protocols / SMTP / Default SMTP Server).
7. Click Advanced / Edit, check Apply Connection Filter and click OK.
 
LVL 27

Expert Comment

by:Exchange_Admin
ID: 19586562
If it's an internal machine then I would fdisk and reinstall.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19684021
Hello San Diego...
This did not work for me. I am told that this is because I have the e-mail routed to the Symantec Mail Server Security for SMTP - first.  It seems that SPAM has increased on our network 200% too.
Any suggestions? Thank you.
 
LVL 104

Expert Comment

by:Sembee
ID: 19684329
If you have email coming in via another device or application then any blocking must occur there first, not in Exchange. Exchange will not see the traffic coming from the external IP address but an internal address.

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19684687
Simon,
Do you know of a program that I can use to block IP addresses? Otherwise, I will be forced to deny any traffic unless it appears on the accept list. The latter would not be conducive to our business, as we have contacts from many other businesses that require critical communications. I wish I had the time to research more... Thank you for your help!
 
LVL 1

Author Comment

by:Lyndy333
ID: 19684698
Simon... I mean block IP addresses for e-mail purposes...
 
LVL 104

Expert Comment

by:Sembee
ID: 19684749
Have you verified whether the email is coming from an internal or external source?
Your original question was worded in a way that suggested it was coming from inside.

As I wrote above, if you have antispam software and it is not doing the job then it should be replaced. Trying to block spam by IP address is a fruitless exercise. The closest you can get is a blacklist operated by someone like Spamhaus. However you would then need to be happy with someone else deciding what email you receive. I am not, so I don't use blacklists.

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19684897
Hi Simon, the spam is coming from inside, as I have stated above.

The software I have uses Spamhaus and a few others.  I can also enter e-mail addresses that I want blocked which is a fruitless effort.  I need a better solution for sure, what that will be I do not know.

Thank you.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19684989
The MM virus got in somehow.  
 
LVL 104

Expert Comment

by:Sembee
ID: 19685075
I know that you wrote they were coming from inside in your original question, but are you sure that it is coming from inside? How have you diagnosed that?

The reason I ask is that spam bots don't use another server on the network to send messages. They have their own SMTP engines and will be sending email out directly. They do not use a third party server to send the email messages.

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19685257
I do not pick up (see) any traffic from the outside in on the firewall or the SMTP server. What I do see is 200 e-mails sent to internal e-mail addresses that were not sent outside the intranet and did not come in through the gateway. Some of the clients actually receive these e-mails and perhaps the content of these e-mails would be helpful to you... they just peeve me off. The e-mails that are received on the intranet - from the intranet - are usually from evu@snoopy.com, but the e-mails can come from any spoofed address, and have, such as 0123@snoopy.com.

Currently, I am the only one that receives e-mails from evu@snoopy.com.  Comments?
 
LVL 104

Expert Comment

by:Sembee
ID: 19685451
How do you know they didn't come through the gateway?
Can the Exchange server be seen from the outside?
Do you restrict SMTP traffic in any way?

If you look at the headers of the email message that you have received, they should show the IP address of the server that sent the message - even a bot leaves that trace.

Viruses do not send email through another server. The only way those messages could have got on to your server from an internal machine is if you had an internal MX record and the messages were specifically targeted at your address by the bot net. The chances of that are quite small unless you are a high target.

Do you have your Exchange server configured to send a copy of NDRs or unknown recipients to your email server?

Simon.
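One way to do what Simon describes, reading the Received: chain to find the server that actually connected to you, as an added example in Python (not code from the thread or from any product named in it). The sample message is constructed and modelled on the thread: 61.17.215.33 is the address from the Symantec report and 10.0.32.25 the gateway address from the delivery log; the gateway hostname smsgw.snoopy.com, the bottom-most Received: line and the firewall address 10.0.32.1 are assumptions. The walk goes newest-first and skips hops from your own networks; the first hop from anywhere else is the origin as seen at your perimeter, and anything below it was written by hosts you do not control and may be forged. The second sample shows the case where a firewall presents external traffic with a private source address: then no external origin can be recovered from the headers at all, and Exchange only ever sees the gateway's address.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the thread: external hop 61.17.215.33 (from the
# Symantec report), the SMSSMTP gateway at 10.0.32.25 (from the delivery log),
# then Exchange. Hostname smsgw.snoopy.com and the bottom Received: line are assumptions.
SAMPLE = """\
Received: from smsgw.snoopy.com ([10.0.32.25]) by Exchange.snoopy.com
    with ESMTP; Fri, 17 Aug 2007 04:05:30 -0500
Received: from mafoi.com ([61.17.215.33]) by smsgw.snoopy.com
    (Symantec Mail Security for SMTP); Fri, 17 Aug 2007 04:05:24 -0500
Received: from localhost ([127.0.0.1]) by mafoi.com; Fri, 17 Aug 2007 04:05:20 -0500
From: 3dgovind@mafoi.com
To: evu@snoopy.com
Subject: Your information

(body)
"""

# Constructed: the same message as the gateway would record it if the firewall
# rewrote the source to its own inside address (10.0.32.1 is an assumed address).
SAMPLE_NAT_MASKED = """\
Received: from smsgw.snoopy.com ([10.0.32.25]) by Exchange.snoopy.com
    with ESMTP; Fri, 17 Aug 2007 04:05:30 -0500
Received: from firewall ([10.0.32.1]) by smsgw.snoopy.com
    (Symantec Mail Security for SMTP); Fri, 17 Aug 2007 04:05:24 -0500
From: 3dgovind@mafoi.com
To: evu@snoopy.com
Subject: Your information

(body)
"""

# The first bracketed dotted quad in a Received: line is the connecting client.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Connecting IP recorded by each Received: line, newest (topmost) first.
    Lines without a bracketed address yield None."""
    msg = message_from_string(raw_message)
    hops = []
    for line in msg.get_all("Received", []):
        match = _IP_RE.search(line)
        hops.append(ipaddress.ip_address(match.group(1)) if match else None)
    return hops


def originating_ip(raw_message, internal_nets):
    """Origin of the message as seen at the perimeter.

    Walk newest-first and skip hops whose client is one of our own networks (or
    loopback); the first hop from anywhere else is the address that connected to
    our edge. Received: lines below it were written by hosts we do not control
    and may be forged, so they are never consulted. Returns None when every hop
    is internal, which is exactly what a NAT-masking firewall produces."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for ip in received_hops(raw_message):
        if ip is None or ip.is_loopback or any(ip in net for net in nets):
            continue
        return str(ip)
    return None


def classify(raw_message, internal_nets):
    """Short verdict for a triage note."""
    origin = originating_ip(raw_message, internal_nets)
    if origin is None:
        return "no external hop visible: sent internally, or the firewall NATs the source"
    return f"external origin {origin}; block it on the gateway, not on Exchange"


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE), ("nat-masked", SAMPLE_NAT_MASKED)):
        print(name, "->", classify(sample, ["10.0.0.0/8"]))
```

Feed it the raw message source (Outlook 2003: open the message, View, Options, Internet Headers), and pass every address range your own gateway, firewall and Exchange server live in as internal_nets; a hop you forget to list will be reported as the external origin.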
 
LVL 1

Author Comment

by:Lyndy333
ID: 19686235
Simon,
The e-mail address 'evu@snoopy.com' comes from an internal NAT IP address - which happens to be the Exchange server's NAT IP address. When other clients within the intranet receive an e-mail from 'evu@snoopy.com' it shows the Exchange server's IP address too.

The only thing that I have is an IP address 61.17.215.33:  61.17.0.0 - 61.17.255.255
netname:      VSNL-IN
descr:        Videsh Sanchar Nigam Ltd - India.
descr:        Videsh Sanchar Bhawan, M.G. Road
descr:        Fort, Bombay 400001
61.17.215.33 is what I find when I go to 'evu@snoopy.com's' mailbox. Again, evu@snoopy.com does NOT exist on the Exchange server.  I can look 'evu@snoopy.com' (and find it) only on the SMTP server.  I know this makes no sense, this is why I am asking for help.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19686242
Simon,
As for your questions 2 & 3, the answer is no to both.
Thanks, Lynda
 
LVL 104

Expert Comment

by:Sembee
ID: 19686593
Can you post the headers of one of the email messages?
What is between the Exchange server and the internet?
You say that the Exchange server has a NAT address. If the server cannot be seen from the internet, then why does it have a NAT address?

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19686688
Simon,

Aug 13, 2007 12:25:57 AM  Action: Message Delivered  Server: 10.0.32.25:25  From: Symantec_Mail_Security_for_SMTP@snoopy.com  
To: lgabrielse@snoopy.com  Subject: SMSSMTP Policy Violation  SMTP ID: M2007081300255706136  
Connection ID: 7160  Last Response: 250 2.6.0 <EXCHANGEm5JgUjTNVv500000058@Exchange.snoopy.com> Queued mail for delivery  

It is: external IP address, SonicWall firewall (NAT-enabled network on this side of the firewall), SMS-SMTP, Exchange and file server.
 
LVL 104

Expert Comment

by:Sembee
ID: 19686819
That is the message from the Symantec application.
Have you seen the actual message that is being blocked?

Some firewalls, the Netscreens for example, present NAT traffic to the internal machines in such a way that it appears to be internal traffic rather than external traffic. I have been caught by that myself. I don't know if the SonicWall does that or not.

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19716458
Simon,
EVU is not a user on the network, cannot be seen by the Exchange server or Active Directory, but is only seen on the SMTP server, which filters viruses - not SPAM. And the Exchange server is not able to filter the SPAM because the e-mail comes through the SMTP server first, so Exchange cannot see it.

The following message violated system policy:

Connection From: 61.17.215.33
From: 3dgovind@mafoi.com
To: evu@snoopy.com
Date: Fri, 17 Aug 2007 04:05:24 -0500
Subject: Your information


The following violations were detected:

--- Scan information follows ---

Virus Name: W32.Netsky.T@mm
File Attachment: final_version5.pif
Attachment Status: deleted

--- File name Block information follows ---

File Attachment: final_version5.pif
Matching file name: Message is considered to be a mass-mailer.

--- File name Block information follows ---

File Attachment: M2007081704052405353.mes/final_version5.pif
Matching file name: *.pif



The message was dropped.
 
LVL 104

Expert Comment

by:Sembee
ID: 19716860
Is 61.17.215.33 connected to you in any way?

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19716896
Nope...

Lynda
 
LVL 104

Expert Comment

by:Sembee
ID: 19716929
In that case the message is a standard spoofed message that originated from outside of your network. Nothing you can do about stopping them coming in, what you do with the message is up to you.

Recipient filtering on the gateway will drop anything addressed to non-existent users.
If the To address is valid then you will need to delete the message once it is delivered. Don't try to bounce it back, as the address will almost certainly be spoofed.

Simon.
 
LVL 1

Author Comment

by:Lyndy333
ID: 19717071
Once this e-mail is sent, which is every morning, evu@snoopy.com then sends e-mails to internal addresses which use internal IP NAT addressing.  The recipient filtering, on the Exchange server, did not work...I assume because it is not the gateway.  

Lynda
 
LVL 1

Author Comment

by:Lyndy333
ID: 19717085
Even though the SMTP server is finding and deleting the attachment that contains the virus, something else is happening when this particular e-mail is received.
 
LVL 104

Accepted Solution

by:Sembee
Sembee earned 1600 total points
ID: 19718250
Recipient filtering only works when the Exchange server is the first thing to receive email for the domain.

I think what you are seeing is standard BCC tactics. The email message has one address in the To line and the rest are in the BCC line. Very common.
It could also be that someone on that IP address has a copy of email addresses on your domain and, when they start their machine up, the virus runs again, sending the messages to the same recipients time after time.

Simon.
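Two of Simon's points above, that recipient filtering has to happen on the gateway that first accepts the mail and that it must reject rather than bounce, and that one header To: address can hide many envelope recipients (the BCC tactic), can be shown together in a small model of a gateway's RCPT stage. This is an added example in Python, not code from the thread or from Exchange or Symantec Mail Security. Everything in it is constructed: the set of mailboxes that exist on the Exchange server is assumed (with evu@snoopy.com deliberately missing, as in the thread), and the SMTP envelope reuses the sender from the Symantec report with a made-up recipient list in which only evu@ appears in the message header.

```python
from email import message_from_string

# Constructed directory of mailboxes that exist on the Exchange server (assumption).
# evu@snoopy.com is deliberately absent, as in the thread.
VALID_RECIPIENTS = {"gjones@snoopy.com", "lgabrielse@snoopy.com"}
LOCAL_DOMAINS = {"snoopy.com"}

# Constructed SMTP envelope for one delivery. Only evu@ appears in the header; the
# rest are envelope-only recipients, which is the "BCC tactic" described above.
MAIL_FROM = "3dgovind@mafoi.com"      # sender from the Symantec report (spoofed)
RCPT_TO = [
    "evu@snoopy.com",          # does not exist on Exchange
    "gjones@snoopy.com",
    "lgabrielse@snoopy.com",
    "0123@snoopy.com",         # another non-existent local address
    "someone@example.net",     # not our domain: a relay attempt
]
RAW_MESSAGE = """\
From: 3dgovind@mafoi.com
To: evu@snoopy.com
Subject: Your information

(body)
"""


def rcpt_decision(rcpt, valid=VALID_RECIPIENTS, local=LOCAL_DOMAINS):
    """Answer one RCPT TO: at SMTP time.

    A permanent 5xx here means the message is never accepted for that address,
    so the gateway never has to generate an NDR toward MAIL FROM, which on spam
    is almost always a spoofed third party (backscatter)."""
    addr = rcpt.strip().lower()
    domain = addr.rpartition("@")[2]
    if domain not in local:
        return "554 5.7.1 Relay access denied"
    if addr not in valid:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"


def filter_envelope(rcpt_to, raw_message):
    """Run the RCPT stage for a whole envelope.

    Returns (accepted, rejected, header_to): accepted and rejected are lists of
    (address, reply) pairs; header_to is what the recipient sees in Outlook,
    which says nothing about who else the message was really sent to."""
    accepted, rejected = [], []
    for rcpt in rcpt_to:
        reply = rcpt_decision(rcpt)
        (accepted if reply.startswith("250") else rejected).append((rcpt, reply))
    header_to = message_from_string(raw_message).get("To")
    return accepted, rejected, header_to


def ndrs_generated(rejected, reject_at_rcpt=True):
    """NDRs a gateway would send to MAIL FROM: none when it rejects at RCPT time,
    one per bad recipient when it accepts the message first and bounces later."""
    return 0 if reject_at_rcpt else len(rejected)


if __name__ == "__main__":
    accepted, rejected, header_to = filter_envelope(RCPT_TO, RAW_MESSAGE)
    print("header To:", header_to)
    print("delivered to:", [addr for addr, _ in accepted])
    for addr, reply in rejected:
        print("rejected", addr, "->", reply)
    print("backscatter to", MAIL_FROM, "if bounced after acceptance:",
          ndrs_generated(rejected, reject_at_rcpt=False))
```

Two things carry over to a real deployment. The valid-recipient set has to come from the directory (Exchange's own recipient filter reads Active Directory; a third-party gateway in front of it needs an LDAP lookup or a regularly exported list), and, as Simon says, the check only helps on the host that accepts the connection from the internet. A 550 at RCPT time also tells a directory-harvesting bot which addresses are real, so pair it with a delay on each rejection (tarpitting) rather than answering instantly.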