Solved

Spam coming from what appears to be one of my users; help reading email headers

Posted on 2008-10-15
Last Modified: 2010-04-07
So a couple of users in my network have been receiving spam mail from what appears to be another one of our users. We are hosting our own email via Exchange 2003 Standard. When I look at the headers I'm not sure how to read them; I will attach three. Our org is called pangaiapartners.com, and the user spamming is jhines@pangaiapartners.com. When I look at the ESM tracking center I see the three emails in question, but the sender is jhines@pangaiapartners.com; for all other legit emails the sender in the tracking center shows up as Jim Hines. Here are the headers. Our public IP is 68.195.194.138.

Microsoft Mail Internet Headers Version 2.0
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
X-Originating-IP: 220.106.124.96 by smtp.201.32.180.55;  Mon, 13 Oct 2008 17:18:17 -0500
Message-ID: <rgsuqaPVTJZGjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Margarita Winslow
Date: Mon, 13 Oct 2008 17:22:17 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 21:27:07.0093 (UTC) FILETIME=[718A7850:01C92D7A]


Microsoft Mail Internet Headers Version 2.0
Received: from host-92-4-67-250.as43234.net ([92.4.67.250]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Tue, 14 Oct 2008 15:06:12 -0400
X-Originating-IP: 104.40.76.252 by smtp.92.4.67.250;  Tue, 14 Oct 2008 12:58:25 -0700
Message-ID: <uzhgmJOPQRZBjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Lizzie Corcoran
Date: Tue, 14 Oct 2008 15:01:25 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 14 Oct 2008 19:06:12.0418 (UTC) FILETIME=[EC933220:01C92E2F]




Microsoft Mail Internet Headers Version 2.0
Received: from tdev138-145.codetel.net.do ([190.80.138.145]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 09:27:01 -0400
X-Originating-IP: 100.214.16.44 by smtp.190.80.138.145;  Mon, 13 Oct 2008 17:19:26 +0300
Message-ID: <ipntwFDSWFZjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Madeleine Miranda
Date: Mon, 13 Oct 2008 09:22:26 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
X-Antivirus: avast! (VPS 081012-0, 12/10/2008), Outbound message
X-Antivirus-Status: Clean
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 13:27:01.0843 (UTC) FILETIME=[60462230:01C92D37]
Question by:cfischer225

Author Comment

by:cfischer225
ID: 22722585
Another thing I noticed that makes me think it's spam is this: if it came from inside my org, sent to someone in my org, there would be no header info because it would never have left, which makes me think all this is forged. The question is, how do I stop it?
Accepted Solution

by:
TalonNYC earned 500 total points
ID: 22722690
Unfortunately you may not be able to stop it. I suspect some other user (inside or outside your org) has become infected with a virus. Today, spam viruses will forge complete headers, taking information randomly from the infected user's contact list. So Mr. Hines is probably NOT the one infected, but someone who has him in their address book is.

While this type of virus is a blight on email systems, there is very little you, personally, can do - as the emails are most likely coming from a computer that you would have no control over. I wish I had a more positive answer for you, but I'm afraid unless you know who got infected (which would be difficult at best as their info won't be in the forged headers), you're stuck just deleting the annoying missives and instructing your end users to follow safety protocols. This includes not clicking on links or opening attachments in any email, even if they know the sender, unless they are specifically expecting to get a defined attachment (like a document or spreadsheet).

In future, we will have SMTP header/sender verification, but at the present time that's not widely used, and therefore useless in this situation.
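A way to read these headers programmatically, added here as an example that is not code from the question or from the answer: the topmost Received line was written by the org's own Exchange server, so its bracketed address is the peer that actually opened the SMTP connection, while the name after "from" (the client's HELO string) and everything below that line (From, Return-Path, X-Originating-IP) was supplied by the sender and can say anything. The script below parses the first header block from the question plus a constructed legitimate internal message, and flags a message whose From claims the org's domain while the connecting peer is neither the org's public IP (68.195.194.138, from the question) nor a private LAN address. That comparison of connecting IP against the addresses allowed to send for the domain is, in miniature, the sender verification the accepted answer refers to (what SPF does against the domain's published policy). The helper names parse_headers, entry_hop and assess, the hostname WKS-HINES and the recipient user@pangaiapartners.com in the constructed sample are assumptions for the example.

```python
"""Flag sender-address spoofing from the Received header our own MX wrote.

Added example for this question; not code from the question or the answer.
"""
import email
import email.message
import email.utils
import ipaddress
import re

# Taken from the question: the organisation's domain and its public IP.
ORG_DOMAIN = "pangaiapartners.com"
ORG_PUBLIC_IPS = {ipaddress.ip_address("68.195.194.138")}

# Exchange 2003 SMTPSVC writes "from <name the client gave in HELO> ([<peer IP>])".
# The HELO name is whatever the remote client claimed; the bracketed IP is what
# our server observed on the TCP connection and is the only part we can trust.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.IGNORECASE
)

# First header block from the question, verbatim.
QUESTION_HEADERS_1 = """Microsoft Mail Internet Headers Version 2.0
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
X-Originating-IP: 220.106.124.96 by smtp.201.32.180.55;  Mon, 13 Oct 2008 17:18:17 -0500
Message-ID: <rgsuqaPVTJZGjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Margarita Winslow
Date: Mon, 13 Oct 2008 17:22:17 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 21:27:07.0093 (UTC) FILETIME=[718A7850:01C92D7A]
"""

# Constructed sample of a legitimate message submitted from a LAN workstation
# (hostname WKS-HINES and the recipient are made up for this example).
CONSTRUCTED_INTERNAL = """Microsoft Mail Internet Headers Version 2.0
Received: from WKS-HINES ([192.168.1.25]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Wed, 15 Oct 2008 09:00:00 -0400
From: "Jim Hines" <jhines@pangaiapartners.com>
To: user@pangaiapartners.com
Subject: constructed legitimate internal message
"""


def parse_headers(raw: str) -> email.message.Message:
    """Parse an Exchange 'Internet headers' dump into a Message object."""
    lines = raw.strip().splitlines()
    # The first line of Exchange's header view is a banner, not an RFC 2822
    # header; drop it so the email parser does not choke on it.
    if lines and lines[0].startswith("Microsoft Mail Internet Headers"):
        lines = lines[1:]
    return email.message_from_string("\n".join(lines))


def entry_hop(msg: email.message.Message):
    """Return (helo_name, peer_ip) from the Received line our own server added.

    Received headers are prepended as a message travels, so the topmost one
    is the hop where the message entered our server. Anything below it could
    have been fabricated by the sender before the message was handed to us.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    match = RECEIVED_RE.search(received[0])
    if not match:
        return None, None
    return match.group(1), ipaddress.ip_address(match.group(2))


def assess(raw: str, org_domain: str = ORG_DOMAIN, org_ips=ORG_PUBLIC_IPS) -> dict:
    """Classify a message as internal, external or spoofed-internal-sender."""
    msg = parse_headers(raw)
    helo, peer = entry_hop(msg)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    claims_internal = from_domain == org_domain
    # A genuine internal submission reaches Exchange from a LAN address or from
    # the org's own public IP; anything else claiming our domain is forged.
    peer_internal = peer is not None and (peer.is_private or peer in org_ips)
    # The HELO name in the first sample is literally the org's public IP: a
    # sender-chosen string dressed up to look like the org's own server.
    helo_mimics_org = helo is not None and (
        helo.lower().endswith(org_domain) or helo in {str(ip) for ip in org_ips}
    )
    if claims_internal and not peer_internal:
        verdict = "spoofed-internal-sender"
    elif claims_internal:
        verdict = "internal"
    else:
        verdict = "external"
    return {"from": from_addr, "helo": helo, "peer_ip": peer,
            "helo_mimics_org": helo_mimics_org, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("question", QUESTION_HEADERS_1), ("constructed", CONSTRUCTED_INTERNAL)):
        print(label, assess(sample))
```

Run against the question's first header block the script reports the peer as 201.32.180.55 with a HELO string of 68.195.194.138 and the verdict spoofed-internal-sender; the constructed LAN submission from 192.168.1.25 comes back as internal. The same check against the other two header blocks in the question (peers 92.4.67.250 and 190.80.138.145, both external) gives the same spoofed verdict, which is the evidence the asker needed that the messages never originated inside the org.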

Author Comment

by:cfischer225
ID: 22722722
Since there is header info, I know it's not coming from inside my org? (Correct?)

But how come I see these messages in the ESM tracking center like my user sent them?
Expert Comment

by:TalonNYC
ID: 22722755
My suspicion is that once they hit Exchange it processes them as though they were sent by Mr. Hines, and therefore they're showing up in ESM, but I am not 100% sure on that bit.

Author Comment

by:cfischer225
ID: 22722768
Probably because, as I stated, in the tracking center they show up as sent by jhines@pangaiapartners.com, and all the legit email he sent shows up as sent by Jim Hines.
Expert Comment

by:TalonNYC
ID: 22722792
Right, because Exchange is using the forged header info, which shows up as "native" but doesn't link up to an existing AD account.  Sorry, wish I had a better answer for you - these things drive me nuts too.