Solved

spam comming form what appears to be one of my users, help read email headers

Posted on 2008-10-15
6
216 Views
Last Modified: 2010-04-07
so a couple of users in my network have been recieving spam mail form what appears to be another one of our users. we are hosting our own email via exch 2003 standard. when i look at the headers i'm not sure how to read them. i will attach three. our org is called pangaiapartners.com the user spamming is jhines@pangaiapartners.com when i look at ESm tracking center i see the three emails in question but the sender is jhines@pangaiapartners.com for all other legit emails the sender in the tracking center shows up as jim hines: here are the headers our public ip is 68.195.194.138

Microsoft Mail Internet Headers Version 2.0
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
X-Originating-IP: 220.106.124.96 by smtp.201.32.180.55;  Mon, 13 Oct 2008 17:18:17 -0500
Message-ID: <rgsuqaPVTJZGjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Margarita Winslow
Date: Mon, 13 Oct 2008 17:22:17 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 21:27:07.0093 (UTC) FILETIME=[718A7850:01C92D7A]


Microsoft Mail Internet Headers Version 2.0
Received: from host-92-4-67-250.as43234.net ([92.4.67.250]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Tue, 14 Oct 2008 15:06:12 -0400
X-Originating-IP: 104.40.76.252 by smtp.92.4.67.250;  Tue, 14 Oct 2008 12:58:25 -0700
Message-ID: <uzhgmJOPQRZBjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Lizzie Corcoran
Date: Tue, 14 Oct 2008 15:01:25 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 14 Oct 2008 19:06:12.0418 (UTC) FILETIME=[EC933220:01C92E2F]




Microsoft Mail Internet Headers Version 2.0
Received: from tdev138-145.codetel.net.do ([190.80.138.145]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 09:27:01 -0400
X-Originating-IP: 100.214.16.44 by smtp.190.80.138.145;  Mon, 13 Oct 2008 17:19:26 +0300
Message-ID: <ipntwFDSWFZjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Madeleine Miranda
Date: Mon, 13 Oct 2008 09:22:26 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
X-Antivirus: avast! (VPS 081012-0, 12/10/2008), Outbound message
X-Antivirus-Status: Clean
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 13:27:01.0843 (UTC) FILETIME=[60462230:01C92D37]
0
Comment
Question by:cfischer225
  • 3
  • 3
6 Comments
 

Author Comment

by:cfischer225
ID: 22722585
another thing i noticed thatmakes me think its spam is this, if it came from inside my org sent to someone in my org, there would be no header info because it would have never left, which makes me think all this is forged, the question is how do i stop it?
0
 
LVL 2

Accepted Solution

by:
TalonNYC earned 500 total points
ID: 22722690
Unfortunately you may not be able to stop it.  I suspect some other user (inside or outside your org) has become infected with a virus.  Today, spam viruses will forge complete headers, taking information randomly from the infected user's contact list.  So Mr. Hines is probably NOT the one infected, but someone who has him in their address book is.

While this type of virus is a blight on email systems, there is very little you, personally, can do - as the emails are coming most likely from a computer that you would have no control over.  I wish I had a more positive answer for you, but I'm afraid unless you know who got infected (which would be difficult at best as their info won't be in the forged headers), you're stuck just deleting the annoying missives and instructing your end users to follow safety protocols.  This includes not clicking on links or opening attachments in any email, even if they know the sender, unless they are specifically expecting to get a defined attachement (like a document or spreadsheet).

In future, we will have SMTP header/sender verification, but at the present time that's not widely used, and therefore useless in this situation.
0
 

Author Comment

by:cfischer225
ID: 22722722
since there is header info i know its not comming form inside my org? (correct?)

but how come i see these messages in the ESm tracking center like my user sent them?
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 2

Expert Comment

by:TalonNYC
ID: 22722755
My suspicion is that once they hit Exchange it processes them as though they were sent by Mr. Hines, and therefore they're showing up in ESM, but I am not 100% sure on that bit.  
0
 

Author Comment

by:cfischer225
ID: 22722768
prob cause as i stated in the tracking center they show up as sent by jhines@pangaiapartners.com and all the legit email he sent shows up as sent by jim hines
0
 
LVL 2

Expert Comment

by:TalonNYC
ID: 22722792
Right, because Exchange is using the forged header info, which shows up as "native" but doesn't link up to an existing AD account.  Sorry, wish I had a better answer for you - these things drive me nuts too.
0

Featured Post

Too many email signature updates to deal with?

Do you feel like you are taking up all of your time constantly visiting users’ desks to make changes to email signatures? Wish you could manage all signatures from one central location, easily design them and deploy them quickly to users? Well, there is an easy way!

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Resolve DNS query failed errors for Exchange
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now