
Email messages sent that look like spam

Checked message tracking and noticed emails with abnormal (spam-type) subjects being sent from domain users' accounts. Some messages went to external email addresses, and for some others the sender and the recipient were the same domain user. I checked the users' sent items from their Outlook profiles and those sent items were not there. I ran a CA antivirus complete scan, nothing found, same with Symantec AV and Panda online. Also scanned desktops. Nothing found. These emails have been sent at random times, from several different users' mailboxes and with different subjects. Can't figure out where they are originating.
Asked:
tmharris09
1 Solution
 
SysExpertCommented:
Someone is probably spoofing your user addresses.

That is what spammers do.

These probably came from the outside, not the inside.

Else, you have some malware doing this on your LAN.


I hope this helps !
 
dipak_in_2kCommented:
They all come from outside. Check the IMF security zone and also check whether your SMTP server might be an open relay.
 
tmharris09Author Commented:
How can the messages be sent from the outside if, when I view items being sent from that user, the spam shows up? Does the message tracking tool not know the difference if it's a spoofed address? Another thing I should note is that this IP was blacklisted for spam. I do believe there is something on the inside, but how do I find it? The server is not an open relay.
 
SysExpertCommented:
You may need to do network packet analysis, or use something like Hijackthis logging on each machine to look for malware.

malware - Leetutor list
Have you tried running virus scans and spyware scans? This could be a problem with viruses/trojans/spyware or other malware. Some free online virus scanners:

http://housecall.antivirus.com 

http://www.pcpitstop.com/antivirus/default.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Also try these free programs to rid your system of spyware, trojans, and other malware:

http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Spybot - Search & Destroy

http://download.com.com/3000-2094-10045910.html?legacy=cnet
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches. Also make sure to download the most up-to-date data before you run the programs.

Another very good freeware program for ridding yourself of spyware is this:

http://www.superantispyware.com/
SuperAntiSpyware

You might also try this free program (HijackThis) -- install it in its own folder, don't download to your Desktop:

http://www.spychecker.com/download/download_hijackthis.html

HijackThis is a tool for advanced users, because it lists all the installed browser add-ons and startup items, allowing you to inspect them and then optionally remove any ones you select. You must be careful in choosing what to remove, although the program can create a backup of your original settings. But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself. The program has an option to download online updates of the hijack data.

You should first post the log at this site:

http://www.hijackthis.de/index.php?langselect=english

and it will be automatically analyzed for you (after you click on the button labeled "Analyze" near the bottom of the page), telling you which entries (called "Nasty") should be fixed. You will also be told if you have any items that are "Possibly Nasty", "Unnecessary", or "Unknown". If you don't know what to do about these, you might find something on the module name by doing a Google search of the internet.

If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this: right above the Analyze button you will see this message: "The following analyses has been stored temporarily", and there will be a link where the analysis file will be saved (for a period of three days). Click on it, then copy the link of that page from the address bar of your browser and paste it here, and experts can check it for you. (Please DON'T post the entire log itself in your question.)

In case you would like to learn more yourself about how to use HijackThis, here are a couple of URLs:

http://www.tomcoyote.org/hjt/
HijackThis Quick Start


http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial

I hope this helps !
 
tmharris09Author Commented:
Blocked outbound port 25 on the firewall except for the server, checked the logs, and found the IP address of a machine hitting port 25. CA AV did not pick it up, but Symantec AV found it. Trojan.pandex was the culprit.
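The approach in the last comment (deny outbound TCP/25 from everything except the mail server, then read the firewall log for hosts that still try) can be turned into a repeatable check. The script below is an added example, not code from the thread; it assumes a made-up log line format, a single approved mail server at 192.168.1.10 and a LAN range of 192.168.0.0/16.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log (not from the original thread). Assumed
# format: "<date> <time> <action> src=<ip>:<port> dst=<ip>:<port> proto=tcp".
SAMPLE_LOG = """\
2008-03-04 09:12:01 ALLOW src=192.168.1.10:49152 dst=203.0.113.25:25 proto=tcp
2008-03-04 09:12:05 DENY src=192.168.1.57:1137 dst=198.51.100.8:25 proto=tcp
2008-03-04 09:12:06 DENY src=192.168.1.57:1138 dst=198.51.100.9:25 proto=tcp
2008-03-04 09:12:09 DENY src=192.168.1.57:1139 dst=203.0.113.77:25 proto=tcp
2008-03-04 09:13:00 ALLOW src=192.168.1.22:3389 dst=198.51.100.8:443 proto=tcp
2008-03-04 09:13:30 ALLOW src=192.168.1.10:49160 dst=198.51.100.8:25 proto=tcp
2008-03-04 09:13:45 ALLOW src=192.168.1.57:1140 dst=192.168.1.10:25 proto=tcp
2008-03-04 09:14:02 DENY src=192.168.1.31:1040 dst=203.0.113.25:25 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

MAIL_SERVERS = {"192.168.1.10"}                            # assumed: only legitimate outbound SMTP host
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]   # assumed LAN range


def is_internal(ip, nets=INTERNAL_NETS):
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_rogue_smtp_senders(log_text, mail_servers=MAIL_SERVERS):
    """Count direct outbound TCP/25 attempts per internal host that is not an
    approved mail server. A workstation talking SMTP to the internal mail
    server is normal submission and is skipped; only internal-to-external
    port 25 traffic from non-mail hosts is flagged (bot-style direct sending)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        if src in mail_servers or not is_internal(src) or is_internal(dst):
            continue
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_rogue_smtp_senders(SAMPLE_LOG)
    for host, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} direct outbound SMTP attempt(s) - scan this machine for malware")
```

Hosts listed by this check are the ones to pull off the network and scan, as the original poster did; the mail server itself never appears because it is the one host allowed to send.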