Solved

Exchange server and spammer

Posted on 2008-06-11
Last Modified: 2008-06-12
Hi,
Our server is not an open relay. Still, is there any way to find out if my server has been compromised by a spammer or not?

Because today I received an email from Shawbiz.ca; the guy is saying someone sent him an email at 9.48 pm from our company email address, which is actually a spam email.

We don't have any user with the username he mentioned. I have checked message tracking to see what happened at 9.48 pm,
but no email was sent outside at that time by that email address.

From my understanding, message tracking will show outgoing and incoming messages, is it not?

So what shall I assume, has my server been compromised by a spammer?

 
Question by:fosiul01
10 Comments
 
LVL 35

Accepted Solution

by:
rakeshmiglani earned 300 total points
ID: 21760580
You can ask Shawbiz.ca to check the SMTP header of the "spam" mail that he received.
It could be that the email that Shawbiz.ca got did not originate from your server, but the "spammer" must have used your domain name to send out the "spam" message from another server.
0
 
LVL 3

Assisted Solution

by:Karl12347
Karl12347 earned 60 total points
ID: 21760597
Spammers can make up any email address they want, even if the domain does not belong to them. I would not worry about this. I would only worry if these spam emails are coming through to your company internally.
It is very unlikely that the Exchange server has been compromised.
Any decent spam filter software should pick up the emails by the content anyway.

Hope this helps.
Karl
0
 
LVL 3

Expert Comment

by:tsorensen55
ID: 21760628
Your server isn't compromised; spammers use "spoofing", which basically means they can use any email address they want. Tell the person who notified you to look at the message headers and verify the server name the message came from. If it didn't originate from your server then you should be fine.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 21760661
But what is this message header?
Suppose some company has a Contact Us form where you need to write your email address.
If I type someone else's email address, such as user1@mycompany.com, that company will think someone called user1 from mycompany has sent the email, is it not?

But what will show in the message header?
0
 
LVL 3

Expert Comment

by:Trivious
ID: 21760677
This is not uncommon, but you would be wise to get a SPAM appliance anyways. You shouldn't have an unprotected network either way. I have a Barracuda SPAM filter 300 for 75 clients and my spam and spoofing have been dramatically reduced!
0
 
LVL 29

Author Comment

by:fosiul01
ID: 21760732
No, I am not getting spam from outsiders. I am asking whether my server has been compromised by a spammer, whether they are sending email by using my server.

As far as I know, spam protection will protect you from getting email from spammers, but it will not protect you if someone is trying to send spam email by using your server, is it not?

And my server is not an open relay.
0
 
LVL 35

Expert Comment

by:rakeshmiglani
ID: 21760735
The message header shows details about the servers and IP address from where the message originated.
Check http://www.emailaddressmanager.com/tips/header.html and http://www.uic.edu/depts/accc/newsletter/adn29/headers.html to understand more about it.
0
 
LVL 3

Assisted Solution

by:tsorensen55
tsorensen55 earned 140 total points
ID: 21761572
In Outlook, message headers can generally be viewed by right-clicking on the message and choosing the message options. Once in there, towards the bottom you will see Internet Headers, and it will contain data similar to the below, which is one of my messages received from one of my vendors.

The part that details the originating server I will just put right here so you know what to look for:
Received: from mailout.vendor.com (mailout.vendor.com [12.*.*.*]) by cuda2.mydomain.com with ESMTP
--That line shows you my cuda2 server received the message from mailout.vendor.com. If he looks at his message header and sees Received: from "anything but your domainname.com", then it was not sent by your server and you are neither compromised nor at fault, simply a victim of spoofing.

Microsoft Mail Internet Headers Version 2.0
Received: from server.mydomain.com ([192.*.*.*]) by server.mydomain.com with Microsoft SMTPSVC(6.0.3790.3959);
       Wed, 11 Jun 2008 10:23:41 -0500
Received: from cuda2.mydomain.com ([192.*.*.*]) by server.mydomain.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
       Wed, 11 Jun 2008 10:23:38 -0500
X-ASG-Debug-ID: 1213197808-25da00ee0000-zLxarx
X-Barracuda-URL: http://192.*.*.*:8000/cgi-bin/mark.cgi
Received: from mailout.vendor.com (localhost [127.0.0.1])
      by cuda2.mydomain.com (Spam Firewall) with ESMTP
      id 48CDD998EE7; Wed, 11 Jun 2008 10:23:28 -0500 (CDT)
Received: from mailout.vendor.com (mailout.vendor.com [12.*.*.*]) by cuda2.mydomain.com with ESMTP id JAmGTj6XyYMvtgew; Wed, 11 Jun 2008 10:23:28 -0500 (CDT)
X-ASG-Whitelist: Barracuda Reputation
X-IronPort-AV: E=Sophos;i="4.27,624,1204524000";
   d="pdf'?scan'208,217";a="54356525"
X-CSIP: YES
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
0
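
The header check described in the answer above, as an added Python example that is not part of the original thread. It goes one step further than matching the name after "from": that name is only what the connecting machine claimed, and any Received line below the recipient's own handoff point was supplied by the sender, so the example compares the IP address recorded by the recipient's server instead. The domain names, addresses and network ranges are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample, not from the thread. Assumptions: mycompany.example really
# sends from 192.0.2.0/24 and the recipient's internal relays sit in 10.0.0.0/8.
SAMPLE = """\
Received: from edge.recipient.example ([10.0.0.5]) by mbx.recipient.example with ESMTP;
 Wed, 11 Jun 2008 21:48:14 -0700
Received: from mail.mycompany.example (unknown [198.51.100.77]) by edge.recipient.example with SMTP;
 Wed, 11 Jun 2008 21:48:10 -0700
Received: from exch01.mycompany.example ([192.0.2.10]) by mail.mycompany.example with ESMTP;
 Wed, 11 Jun 2008 21:48:01 -0700
From: user1@mycompany.example
Subject: constructed sample
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
BRACKET_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def received_hops(raw_headers):
    """Return (claimed_name, source_ip, stamped_by) per Received line, newest first."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        hop = HOP.search(value)
        ip = BRACKET_IP.search(hop.group(2)) if hop else None
        if not ip:
            continue  # no usable address on this line (for example, masked)
        try:
            hops.append((hop.group(1).lower(), ip_address(ip.group(1)), hop.group(3).lower()))
        except ValueError:
            continue  # bracketed text was not a valid IP address
    return hops

def in_any(ip, networks):
    return any(ip in ip_network(n) for n in networks)

def handoff_hop(raw_headers, recipient_internal):
    """First hop from the top whose source IP is outside the recipient's own
    networks: the point where the mail entered. Lines below it are untrusted."""
    for hop in received_hops(raw_headers):
        if not in_any(hop[1], recipient_internal):
            return hop
    return None

def sent_from_our_servers(raw_headers, recipient_internal, our_outbound):
    """True/False from the handoff IP; None if no handoff hop could be found."""
    hop = handoff_hop(raw_headers, recipient_internal)
    return None if hop is None else in_any(hop[1], our_outbound)
```

In the sample, the handoff line names mail.mycompany.example and a lower line even carries a 192.0.2.10 address, yet the address the recipient's edge server actually recorded is 198.51.100.77, so the message did not come from the company's servers.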
 
LVL 29

Author Comment

by:fosiul01
ID: 21761591
Hi guys, thanks.
I emailed that guy to copy and paste the message header.
He has read the email, so now I am waiting for the reply.

Let him reply, then I will paste the reply here.

0
 
LVL 29

Author Comment

by:fosiul01
ID: 21767080
Hi guys,
That guy sent me the message header. I have checked, and the sender IP does not match our IP and server address,
so I replied back to him to say this is not from our company!

thanks for helping me out here
0
