[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 284
  • Last Modified:

spam comming form what appears to be one of my users, help read email headers

so a couple of users in my network have been recieving spam mail form what appears to be another one of our users. we are hosting our own email via exch 2003 standard. when i look at the headers i'm not sure how to read them. i will attach three. our org is called pangaiapartners.com the user spamming is jhines@pangaiapartners.com when i look at ESm tracking center i see the three emails in question but the sender is jhines@pangaiapartners.com for all other legit emails the sender in the tracking center shows up as jim hines: here are the headers our public ip is 68.195.194.138

Microsoft Mail Internet Headers Version 2.0
Received: from 68.195.194.138 ([201.32.180.55]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 17:27:05 -0400
X-Originating-IP: 220.106.124.96 by smtp.201.32.180.55;  Mon, 13 Oct 2008 17:18:17 -0500
Message-ID: <rgsuqaPVTJZGjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Margarita Winslow
Date: Mon, 13 Oct 2008 17:22:17 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 21:27:07.0093 (UTC) FILETIME=[718A7850:01C92D7A]


Microsoft Mail Internet Headers Version 2.0
Received: from host-92-4-67-250.as43234.net ([92.4.67.250]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Tue, 14 Oct 2008 15:06:12 -0400
X-Originating-IP: 104.40.76.252 by smtp.92.4.67.250;  Tue, 14 Oct 2008 12:58:25 -0700
Message-ID: <uzhgmJOPQRZBjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
Reply-To: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Lizzie Corcoran
Date: Tue, 14 Oct 2008 15:01:25 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 14 Oct 2008 19:06:12.0418 (UTC) FILETIME=[EC933220:01C92E2F]




Microsoft Mail Internet Headers Version 2.0
Received: from tdev138-145.codetel.net.do ([190.80.138.145]) by mail.pangaiapartners.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 13 Oct 2008 09:27:01 -0400
X-Originating-IP: 100.214.16.44 by smtp.190.80.138.145;  Mon, 13 Oct 2008 17:19:26 +0300
Message-ID: <ipntwFDSWFZjhines@pangaiapartners.com>
From: "jhines@pangaiapartners.com" <jhines@pangaiapartners.com>
To: jhines@pangaiapartners.com
Subject: Dear Madeleine Miranda
Date: Mon, 13 Oct 2008 09:22:26 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: base64
X-Antivirus: avast! (VPS 081012-0, 12/10/2008), Outbound message
X-Antivirus-Status: Clean
Return-Path: jhines@pangaiapartners.com
X-OriginalArrivalTime: 13 Oct 2008 13:27:01.0843 (UTC) FILETIME=[60462230:01C92D37]
0
cfischer225
Asked:
cfischer225
  • 3
  • 3
1 Solution
 
cfischer225Author Commented:
another thing i noticed thatmakes me think its spam is this, if it came from inside my org sent to someone in my org, there would be no header info because it would have never left, which makes me think all this is forged, the question is how do i stop it?
0
 
TalonNYCCommented:
Unfortunately you may not be able to stop it.  I suspect some other user (inside or outside your org) has become infected with a virus.  Today, spam viruses will forge complete headers, taking information randomly from the infected user's contact list.  So Mr. Hines is probably NOT the one infected, but someone who has him in their address book is.

While this type of virus is a blight on email systems, there is very little you, personally, can do - as the emails are coming most likely from a computer that you would have no control over.  I wish I had a more positive answer for you, but I'm afraid unless you know who got infected (which would be difficult at best as their info won't be in the forged headers), you're stuck just deleting the annoying missives and instructing your end users to follow safety protocols.  This includes not clicking on links or opening attachments in any email, even if they know the sender, unless they are specifically expecting to get a defined attachement (like a document or spreadsheet).

In future, we will have SMTP header/sender verification, but at the present time that's not widely used, and therefore useless in this situation.
0
 
cfischer225Author Commented:
since there is header info i know its not comming form inside my org? (correct?)

but how come i see these messages in the ESm tracking center like my user sent them?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
TalonNYCCommented:
My suspicion is that once they hit Exchange it processes them as though they were sent by Mr. Hines, and therefore they're showing up in ESM, but I am not 100% sure on that bit.  
0
 
cfischer225Author Commented:
prob cause as i stated in the tracking center they show up as sent by jhines@pangaiapartners.com and all the legit email he sent shows up as sent by jim hines
0
 
TalonNYCCommented:
Right, because Exchange is using the forged header info, which shows up as "native" but doesn't link up to an existing AD account.  Sorry, wish I had a better answer for you - these things drive me nuts too.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now