Solved

Spam coming from what appears to be one of my users, help reading email headers

Posted on 2008-10-15
Last Modified: 2010-04-07
So a couple of users in my network have been receiving spam mail from what appears to be another one of our users. We are hosting our own email via Exch 2003 Standard. When I look at the headers I'm not sure how to read them; I will attach three. Our org is called pangaiapartners.com and the user spamming is jhines@pangaiapartners.com. When I look at the ESM tracking center I see the three emails in question, but the sender is jhines@pangaiapartners.com; for all other legit emails the sender in the tracking center shows up as Jim Hines. Here are the headers. Our public IP is 68.195.194.138.

Microsoft Mail Internet Headers Version 2.0
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
X-Originating-IP: 220.106.124.96 by smtp.201.32.180.55;  Mon, 13 Oct 2008 17:18:17 -0500
Message-ID: <rgsuqaPVTJZGjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Margarita Winslow
Date: Mon, 13 Oct 2008 17:22:17 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 21:27:07.0093 (UTC) FILETIME=[718A7850:01C92D7A]


Microsoft Mail Internet Headers Version 2.0
Received: from host-92-4-67-250.as43234.net ([92.4.67.250]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Tue, 14 Oct 2008 15:06:12 -0400
X-Originating-IP: 104.40.76.252 by smtp.92.4.67.250;  Tue, 14 Oct 2008 12:58:25 -0700
Message-ID: <uzhgmJOPQRZBjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Lizzie Corcoran
Date: Tue, 14 Oct 2008 15:01:25 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 14 Oct 2008 19:06:12.0418 (UTC) FILETIME=[EC933220:01C92E2F]
Microsoft Mail Internet Headers Version 2.0
Received: from tdev138-145.codetel.net.do ([190.80.138.145]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 09:27:01 -0400
X-Originating-IP: 100.214.16.44 by smtp.190.80.138.145;  Mon, 13 Oct 2008 17:19:26 +0300
Message-ID: <ipntwFDSWFZjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Madeleine Miranda
Date: Mon, 13 Oct 2008 09:22:26 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
X-Antivirus: avast! (VPS 081012-0, 12/10/2008), Outbound message
X-Antivirus-Status: Clean
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 13:27:01.0843 (UTC) FILETIME=[60462230:01C92D37]
Question by:cfischer225
Author Comment

by:cfischer225
ID: 22722585
Another thing I noticed that makes me think it's spam is this: if it came from inside my org sent to someone in my org, there would be no header info because it would never have left, which makes me think all this is forged. The question is how do I stop it?
LVL 2

Accepted Solution

by:
TalonNYC earned 2000 total points
ID: 22722690
Unfortunately you may not be able to stop it.  I suspect some other user (inside or outside your org) has become infected with a virus.  Today, spam viruses will forge complete headers, taking information randomly from the infected user's contact list.  So Mr. Hines is probably NOT the one infected, but someone who has him in their address book is.

While this type of virus is a blight on email systems, there is very little you, personally, can do - as the emails are most likely coming from a computer that you would have no control over.  I wish I had a more positive answer for you, but I'm afraid unless you know who got infected (which would be difficult at best as their info won't be in the forged headers), you're stuck just deleting the annoying missives and instructing your end users to follow safety protocols.  This includes not clicking on links or opening attachments in any email, even if they know the sender, unless they are specifically expecting to get a defined attachment (like a document or spreadsheet).

In future, we will have SMTP header/sender verification, but at the present time that's not widely used, and therefore useless in this situation.
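Added example, not from the question or from TalonNYC's answer: a small Python check that applies the reasoning above to the first header posted in the question. It reads the Received line nearest the sender, takes the bracketed IP (the peer address the Exchange server actually accepted the connection from, as opposed to the HELO name in front of it) and flags a message whose From: domain is ours but whose connecting host is not. The public IP is the one given in the question; the private LAN range and the control message are assumed placeholders.

```python
import ipaddress
import re

ORG_DOMAIN = "pangaiapartners.com"
# Public IP as given in the question; the LAN range is an assumed placeholder.
TRUSTED_NETWORKS = [ipaddress.ip_network("68.195.194.138/32"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: the first header from the question, cut to the lines the
# check needs. The HELO name is our own public IP, but the bracketed address
# is the peer the Exchange server actually accepted the connection from.
FORGED = """\
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Return-Path: jhines@pangaiapartners.com
"""
# Constructed control: the same sender handed off from an assumed LAN client.
LEGIT = """\
Received: from jhines-pc ([192.168.1.50]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 10:00:00 -0400
From: "Jim Hines" <jhines@pangaiapartners.com>
"""

# MS SMTPSVC format: "Received: from <HELO name> ([<peer IP>]) by <our host> ..."
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)", re.M)
FROM_RE = re.compile(r"^From:[^\n]*?([\w.+-]+@([\w.-]+))[>\s]*$", re.M)

def unfold(headers):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def first_hop(headers):
    """(HELO name, peer IP, receiving host) of the Received line nearest the sender;
    each relay prepends its own line, so the bottom-most one is the origin."""
    hops = RECEIVED_RE.findall(unfold(headers))
    return hops[-1] if hops else None

def spoof_verdict(headers):
    """'forged' when From: claims our domain but the peer IP is not one of ours."""
    m, hop = FROM_RE.search(headers), first_hop(headers)
    if not m or not hop:
        return "unknown"
    _helo, peer_ip, _by = hop
    outside = not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_NETWORKS)
    return "forged" if m.group(2).lower() == ORG_DOMAIN and outside else "ok"
```

Running `spoof_verdict(FORGED)` gives "forged" while the control gives "ok"; the same test works on the other two headers in the question, whose bracketed peers (92.4.67.250 and 190.80.138.145) are likewise outside the org.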
Author Comment

by:cfischer225
ID: 22722722
Since there is header info I know it's not coming from inside my org? (correct?)

But how come I see these messages in the ESM tracking center as if my user sent them?
LVL 2

Expert Comment

by:TalonNYC
ID: 22722755
My suspicion is that once they hit Exchange it processes them as though they were sent by Mr. Hines, and therefore they're showing up in ESM, but I am not 100% sure on that bit.  
Author Comment

by:cfischer225
ID: 22722768
Probably, because as I stated, in the tracking center they show up as sent by jhines@pangaiapartners.com, and all the legit email he sent shows up as sent by Jim Hines.
LVL 2

Expert Comment

by:TalonNYC
ID: 22722792
Right, because Exchange is using the forged header info, which shows up as "native" but doesn't link up to an existing AD account.  Sorry, wish I had a better answer for you - these things drive me nuts too.