• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1959
  • Last Modified:

Getting Spam from me to myself

I'm getting a lot of messages from me to myself. We have an Exchange Server 2003 and I have checked that our Exchange server isn't a mail relay, using the website abuse.net:
--------------------------------------------------
Relay test result
All tests performed, no relays accepted.
--------------------------------------------------

Email from: myemail@mydomain.org
Email to:     myemail@mydomain.org

Here are the Outlook headers


Microsoft Mail Internet Headers Version 2.0
Received: from gateway.mydomain.org ([192.168.24.13]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);
       Tue, 11 Nov 2008 17:33:20 +0000
X-EC0D2A8E-5CB7-4969-9C36-46D859D137BE-PartID: DB7DB1B8-1F06-4D54-A013-FA2437D6F194
thread-index: AclEI5Kg3dtUbOPYTkuF7Ta835i8qA==
Received: from e177233246.adsl.alicedsl.de ([85.177.233.246]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.0); Tue, 11 Nov 2008 17:33:11 +0000
Content-Transfer-Encoding: 7bit
To: <myemail@mydomain.org>
Content-Class: urn:content-classes:message
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Subject: Your private life compromised
From: <myemail@mydomain.org>
MIME-Version: 1.0
Importance: High
Content-Type: text/html;
      charset="iso-8859-1"
Return-Path: <myemail@mydomain.org>
Message-ID: <MAILWGnzi95HfqR77bi0000009a@gateway.mydomain.org>
X-OriginalArrivalTime: 11 Nov 2008 17:33:12.0378 (UTC) FILETIME=[922DA9A0:01C94423]
Date: 11 Nov 2008 17:33:12 +0000


Also there are other users that have the same problem (getting spam from their own email address).
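The Received headers quoted above already show where this message really came from. The following is an added example (not from the original post) that walks the Received chain the way a mail admin would: only the hops stamped by your own servers are trusted, and the first external IP they recorded is the connecting host. The header text is re-typed from the question, and the 192.168.0.0/16 internal range and mydomain.org are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received/From/To lines quoted in the question,
# re-typed here for the example (not the poster's raw capture).
SAMPLE_HEADERS = """\
Received: from gateway.mydomain.org ([192.168.24.13]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);
       Tue, 11 Nov 2008 17:33:20 +0000
Received: from e177233246.adsl.alicedsl.de ([85.177.233.246]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.0); Tue, 11 Nov 2008 17:33:11 +0000
To: <myemail@mydomain.org>
From: <myemail@mydomain.org>
Return-Path: <myemail@mydomain.org>
Subject: Your private life compromised

"""

# Address space of the organisation's own mail hops (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
LOCAL_DOMAIN = "mydomain.org"

# "from <helo-name> ([<ip>])" as written by Microsoft SMTPSVC.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)", re.I)

def received_hops(raw):
    """(helo_name, ip) per Received header, newest hop first as in the message."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(hdr.replace("\n", " "))
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hops

def origin_of(raw):
    """First hop below our own trusted servers, walking from the top down.

    Only Received lines stamped by our own servers are trustworthy; the first
    external IP they recorded is the host that actually connected. Anything
    beneath it could have been forged by the sender.
    """
    for name, ip in received_hops(raw):
        if not any(ip in net for net in INTERNAL_NETS):
            return name, str(ip)
    return None

def looks_self_spoofed(raw):
    """Self-addressed mail that entered from an external host is spoofed."""
    sender = message_from_string(raw).get("From", "").strip("<> ").lower()
    return sender.endswith("@" + LOCAL_DOMAIN) and origin_of(raw) is not None
```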


Hedley Phillips commented:

Sounds like it is a case of spoofing.

You could set Exchange to not accept messages for non-existent users:

http://www.amset.info/exchange/filter-unknown.asp

and run through these:

a) Check the mail smtp queues in Exchange System Manager to see if there is unusual activity.

b) Do a DNS test at http://member.dnsstuff.com/pages/dnsreport.php

c) See if you are blacklisted at http://www.robtex.com/

d) In case you need to secure your server:
http://technet.microsoft.com/en-us/library/bb123843.aspx
http://www.microsoft.com/technet/security/prodtech/exchangeserver/excrelay.mspx

e) Run a virus check on the clients.

f) Enable Message tracking and check through the logs to confirm that the emails were not sent by your server.
Hedley Phillips commented:
We have Message tracking on permanently as I find it very useful. I don't use the built-in Message Tracking Centre in ESM - Tools but prefer to read through the actual logs myself.

See: http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html
GuildOfDruids (Author) commented:
Hi
 
Thanks for your response


Filter Out Mail to Non-Existent Users is already checked, plus I'm using GFI MailEssentials and have enabled the Directory Harvest option, actioned to delete messages destined for non-existent users.

a) Here is my smtp queue, looks fine to me. http://i36.tinypic.com/2qbbymf.png

b) No Critical DNS, MX errors

c) Not Blacklisted in any server

d) Matched with both the links (no problem)

e) Nod32 is running on exchange and on every client. (10 clients)

f) Can I find, via message tracking, the reason for these kinds of emails? Doesn't it say the same thing as the Outlook mail header?



Thanks

Hedley Phillips commented:
I would relax and forget about it then.

Spoofing comes in waves, you will find that it clears up fairly soon until the next batch. Blacklists aren't fooled by the spoof so you won't get added to their lists.

GFI is a good bit of software and the Directory harvesting works well. Do you have it set at header level or email body? The latest version allows you to kill the spam at the header level, thus reducing the load on your server.

Regarding f), you should be able to see in your Exchange server logs the source mail server for the emails. If you want, paste an excerpt from them so we can have a look. I imagine you will only see the incoming mails and nothing going out.
hodgeyohn commented:
To really get rid of spam, both from your own address and the trillions of others, you really only have two options.

1. A device on your own network such as the SonicWall email security appliance
2. A hosted solution such as MX Logic: www.mxlogic.com

GuildOfDruids (Author) commented:
Here is message tracking log of the email from me to myself.


2008-11-13      13:12:12 GMT      192.168.0.50      gateway.mymailserver.org      -      mailserver 192.168.0.50      myemail@mydomain.org      1019      20081113114204.2646.qmail@ABTS-TN-dynamic-129.93.164.122.airtelbroadband.in      0      0      7682      1      2008-11-13 13:12:12 GMT      0      Version: 6.0.3790.3959      -      -      myemail@mydomain.org

How can I stop emails like these?




Hedley Phillips commented:
In Exchange, an email from you to you would not route out to airtelbroadband.in; it would stay inside the building and look like:

2008-11-14      9:45:28 GMT      -      -      -      EXCHANGE1      -      /O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME      1027      ACB1BAB90DC835499689E200CA2C999244F00C@exchange1.DOMAIN.local      0      0      1235      1      2008-11-14 9:45:28 GMT      0      -      c=US;a= ;p=DOMAIN;l=EXCHANGE1-081114094528Z-139      FUCK      EX:/O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME      -

The only way to stamp on these is to configure your GFI and tighten it up. We use the same software as you and don't get any of these so I can only assume we have our GFI locked down tighter.

Make sure you have all the different filters set, and I would also recommend setting SPF on your DNS records.

See: http://www.openspf.org/

This has really helped cut down on spam.
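The two tracking-log lines above make the distinction mechanical: a genuine internal message carries an EX:/O=... sender and a Message-ID minted by your own Exchange server, while the spoof carries an SMTP sender in your domain but a Message-ID from someone else's host. This added example (not from the thread) parses Exchange 2003 tracking-log lines and flags that combination. The lines are constructed from the two quoted above, and the tab-separated 20-column layout, mydomain.org and the internal Message-ID suffixes are assumptions.

```python
LOCAL_DOMAIN = "mydomain.org"
# Hosts that legitimately mint Message-IDs for this organisation (assumed).
INTERNAL_SUFFIXES = ("mydomain.org", "domain.local")

# Exchange 2003 tracking logs are tab-separated; this column order is the
# layout assumed for the example (the first 20 standard fields).
FIELDS = ["date", "time", "client_ip", "client_hostname", "partner_name",
          "server_hostname", "server_ip", "recipient", "event_id", "msgid",
          "priority", "report_status", "total_bytes", "num_recipients",
          "origination_time", "encryption", "service_version",
          "linked_msgid", "subject", "sender"]

# Constructed sample lines modelled on the two quoted in the thread: the
# spoofed self-addressed message and a genuine internal one.
SPOOFED = "\t".join([
    "2008-11-13", "13:12:12 GMT", "192.168.0.50", "gateway.mydomain.org", "-",
    "mailserver", "192.168.0.50", "myemail@mydomain.org", "1019",
    "20081113114204.2646.qmail@ABTS-TN-dynamic-129.93.164.122.airtelbroadband.in",
    "0", "0", "7682", "1", "2008-11-13 13:12:12 GMT", "0",
    "Version: 6.0.3790.3959", "-", "-", "myemail@mydomain.org"])
INTERNAL = "\t".join([
    "2008-11-14", "9:45:28 GMT", "-", "-", "-", "EXCHANGE1", "-",
    "/O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME", "1027",
    "ACB1BAB90DC835499689E200CA2C999244F00C@exchange1.DOMAIN.local",
    "0", "0", "1235", "1", "2008-11-14 9:45:28 GMT", "0", "-",
    "c=US;a= ;p=DOMAIN;l=EXCHANGE1-081114094528Z-139", "-",
    "EX:/O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME"])

def parse_line(line):
    """Map one tracking-log line onto the field names above."""
    return dict(zip(FIELDS, line.rstrip("\r\n").split("\t")))

def msgid_host(msgid):
    """Right-hand side of a Message-ID, i.e. the host that generated it."""
    return msgid.rsplit("@", 1)[-1].lower() if "@" in msgid else ""

def is_spoofed_self_mail(rec):
    """SMTP sender claims our domain, but the Message-ID was minted elsewhere.

    Mail submitted inside Exchange has an EX:/O=... sender and never trips this.
    """
    sender = rec["sender"].lower()
    if sender.startswith("ex:") or not sender.endswith("@" + LOCAL_DOMAIN):
        return False
    return not msgid_host(rec["msgid"]).endswith(INTERNAL_SUFFIXES)

def spoofed_records(log_text):
    """Records in a whole log (comment lines starting with '#' skipped) that look spoofed."""
    recs = (parse_line(l) for l in log_text.splitlines() if l and not l.startswith("#"))
    return [r for r in recs if is_spoofed_self_mail(r)]
```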


Hedley Phillips commented:
Hi,

how are you progressing with this?
GuildOfDruids (Author) commented:
My GFI is set to balanced settings; if I tightened it up more I could block some legitimate emails, and vice versa. But I can't do anything about email from me to myself. I thought there would be some different settings for such a case. I'm sure the spammers alter the heading because you are right, these are being routed from (for example) airtelbroadband.in.

I do have the SPF settings and .... hang on, let me paste those settings, maybe there is something wrong in them.

v=spf1 mx a:mail.domain.org -all

I do have the GFI Sender Policy Framework set to Low, but as I said, tightening this option more can cause some clients' email to be filtered.

Anyway thanks for your above email which clarified that these ain't triggered from my exchange server.


Hedley Phillips commented:
Hi,

are you happy to close this question down and assign points?
GuildOfDruids (Author) commented:
Just one last thing: is there anything wrong in the SPF I'm using?

v=spf1 mx a:mail.domain.org -all


Hedley Phillips commented:
That is correct.

The -all means that no other servers can send mail, with a hard fail. If you used a ~ this would give a soft fail.
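To see what that record actually does when a receiving filter evaluates it, here is an added example (not from the thread) of a minimal SPF checker for the a, mx, ip4 and all mechanisms. The DNS data is a constructed stand-in: mydomain.org publishes the record discussed above, and a second constructed domain publishes the same kind of record with ~all so the hard-fail / soft-fail difference is visible. The IPs and host names are assumptions.

```python
import ipaddress

# Toy DNS view for the example (constructed): mydomain.org publishes the
# record discussed above, softdomain.example the same idea with ~all.
DNS = {
    ("mydomain.org", "TXT"): ["v=spf1 mx a:mail.mydomain.org -all"],
    ("mydomain.org", "MX"): ["mx1.mydomain.org"],
    ("mx1.mydomain.org", "A"): ["203.0.113.10"],
    ("mail.mydomain.org", "A"): ["203.0.113.20"],
    ("softdomain.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    """Stand-in for a DNS query; a real checker would resolve these."""
    return DNS.get((name.lower(), rrtype), [])

def check_spf(domain, client_ip):
    """Evaluate the a / mx / ip4 / all mechanisms of an spf1 record.

    Returns the result of the first matching mechanism ('pass', 'fail',
    'softfail', 'neutral'), 'none' if no record is published, or 'neutral'
    when nothing matches and there is no "all" term (RFC 7208 default).
    """
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        else:
            matched = False  # include:, exists:, ip6: etc. not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

The record only helps against the self-addressed spoofs if the receiving side checks it on inbound mail, which is what the GFI Sender Policy Framework setting mentioned earlier does for your own gateway.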