Solved

spam comming form what appears to be one of my users, help read email headers

Posted on 2008-10-15
6
266 Views
Last Modified: 2010-04-07
so a couple of users in my network have been recieving spam mail form what appears to be another one of our users. we are hosting our own email via exch 2003 standard. when i look at the headers i'm not sure how to read them. i will attach three. our org is called pangaiapartners.com the user spamming is jhines@pangaiapartners.com when i look at ESm tracking center i see the three emails in question but the sender is jhines@pangaiapartners.com for all other legit emails the sender in the tracking center shows up as jim hines: here are the headers our public ip is 68.195.194.138

Microsoft Mail Internet Headers Version 2.0
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
X-Originating-IP: 220.106.124.96 by smtp.201.32.180.55;  Mon, 13 Oct 2008 17:18:17 -0500
Message-ID: <rgsuqaPVTJZGjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Margarita Winslow
Date: Mon, 13 Oct 2008 17:22:17 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 21:27:07.0093 (UTC) FILETIME=[718A7850:01C92D7A]


Microsoft Mail Internet Headers Version 2.0
Received: from host-92-4-67-250.as43234.net ([92.4.67.250]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Tue, 14 Oct 2008 15:06:12 -0400
X-Originating-IP: 104.40.76.252 by smtp.92.4.67.250;  Tue, 14 Oct 2008 12:58:25 -0700
Message-ID: <uzhgmJOPQRZBjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Lizzie Corcoran
Date: Tue, 14 Oct 2008 15:01:25 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 14 Oct 2008 19:06:12.0418 (UTC) FILETIME=[EC933220:01C92E2F]




Microsoft Mail Internet Headers Version 2.0
Received: from tdev138-145.codetel.net.do ([190.80.138.145]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 09:27:01 -0400
X-Originating-IP: 100.214.16.44 by smtp.190.80.138.145;  Mon, 13 Oct 2008 17:19:26 +0300
Message-ID: <ipntwFDSWFZjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Madeleine Miranda
Date: Mon, 13 Oct 2008 09:22:26 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
X-Antivirus: avast! (VPS 081012-0, 12/10/2008), Outbound message
X-Antivirus-Status: Clean
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 13:27:01.0843 (UTC) FILETIME=[60462230:01C92D37]
0
Comment
Question by:cfischer225
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 

Author Comment

by:cfischer225
ID: 22722585
another thing i noticed thatmakes me think its spam is this, if it came from inside my org sent to someone in my org, there would be no header info because it would have never left, which makes me think all this is forged, the question is how do i stop it?
0
 
LVL 2

Accepted Solution

by:
TalonNYC earned 500 total points
ID: 22722690
Unfortunately you may not be able to stop it.  I suspect some other user (inside or outside your org) has become infected with a virus.  Today, spam viruses will forge complete headers, taking information randomly from the infected user's contact list.  So Mr. Hines is probably NOT the one infected, but someone who has him in their address book is.

While this type of virus is a blight on email systems, there is very little you, personally, can do - as the emails are coming most likely from a computer that you would have no control over.  I wish I had a more positive answer for you, but I'm afraid unless you know who got infected (which would be difficult at best as their info won't be in the forged headers), you're stuck just deleting the annoying missives and instructing your end users to follow safety protocols.  This includes not clicking on links or opening attachments in any email, even if they know the sender, unless they are specifically expecting to get a defined attachement (like a document or spreadsheet).

In future, we will have SMTP header/sender verification, but at the present time that's not widely used, and therefore useless in this situation.
0
 

Author Comment

by:cfischer225
ID: 22722722
since there is header info i know its not comming form inside my org? (correct?)

but how come i see these messages in the ESm tracking center like my user sent them?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 2

Expert Comment

by:TalonNYC
ID: 22722755
My suspicion is that once they hit Exchange it processes them as though they were sent by Mr. Hines, and therefore they're showing up in ESM, but I am not 100% sure on that bit.  
0
 

Author Comment

by:cfischer225
ID: 22722768
prob cause as i stated in the tracking center they show up as sent by jhines@pangaiapartners.com and all the legit email he sent shows up as sent by jim hines
0
 
LVL 2

Expert Comment

by:TalonNYC
ID: 22722792
Right, because Exchange is using the forged header info, which shows up as "native" but doesn't link up to an existing AD account.  Sorry, wish I had a better answer for you - these things drive me nuts too.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question