GuildOfDruids
asked on
Getting Spam from me to myself
I'm getting a lot of messages from me to myself. We have an Exchange Server 2003 and I have checked that our Exchange server isn't an open mail relay using the website abuse.net:
--------------------------
Relay test result
All tests performed, no relays accepted.
--------------------------
Email from: myemail@mydomain.org
Email to: myemail@mydomain.org
Here are the Outlook headers:
Microsoft Mail Internet Headers Version 2.0
Received: from gateway.mydomain.org ([192.168.24.13]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 11 Nov 2008 17:33:20 +0000
X-EC0D2A8E-5CB7-4969-9C36-46D859D137BE-PartID: DB7DB1B8-1F06-4D54-A013-FA2437D6F194
thread-index: AclEI5Kg3dtUbOPYTkuF7Ta835i8qA==
Received: from e177233246.adsl.alicedsl.de ([85.177.233.246]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.0); Tue, 11 Nov 2008 17:33:11 +0000
Content-Transfer-Encoding: 7bit
To: <myemail@mydomain.org>
Content-Class: urn:content-classes:message
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Subject: Your private life compromised
From: <myemail@mydomain.org>
MIME-Version: 1.0
Importance: High
Content-Type: text/html;
charset="iso-8859-1"
Return-Path: <myemail@mydomain.org>
Message-ID: <MAILWGnzi95HfqR77bi0000009a@gateway.mydomain.org>
X-OriginalArrivalTime: 11 Nov 2008 17:33:12.0378 (UTC) FILETIME=[922DA9A0:01C94423]
Date: 11 Nov 2008 17:33:12 +0000
Also, there are other users that have the same problem (getting spam from their own email address).
We have Message tracking on permanently as I find it very useful. I don't use the built in Message Tracking Centre in ESM - Tools but prefer to read through the actual logs myself.
See: http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html
ASKER
Hi
Thanks for your response.
Filter Out Mail to Non-Existent Users is already checked plus I'm using GFI mailessentials and have enabled Directory Harvest option, actioned to delete messages destined to non-existent users.
a) Here is my SMTP queue, looks fine to me. http://i36.tinypic.com/2qbbymf.png
b) No Critical DNS, MX errors
c) Not blacklisted in any server
d) Matched with both the links (no problem)
e) Nod32 is running on exchange and on every client. (10 clients)
f) Can I find via message tracking the reason for these kinds of emails? Can't it say the same thing as the Outlook mail header?
Thanks
I would relax and forget about it then.
Spoofing comes in waves, you will find that it clears up fairly soon until the next batch. Blacklists aren't fooled by the spoof so you won't get added to their lists.
GFI is a good bit of software and the Directory Harvesting works well. Do you have it set at header level or email body? The latest version allows you to kill the spam at the header level, thus reducing the load on your server.
Regarding f), you should be able to see in your Exchange server logs the source mail server for the emails. If you want, paste an excerpt from them so we can have a look. I imagine you will only see the incoming mails and nothing going out.
To really get rid of spam, both from your own address and the trillions of others, you really only have two options.
1. a device on your own network such as the SonicWall email security appliance
2. a hosted solution such as MX Logic. www.mxlogic.com
ASKER
Here is the message tracking log of the email from me to myself.
2008-11-13 13:12:12 GMT 192.168.0.50 gateway.mymailserver.org - mailserver 192.168.0.50 myemail@mydomain.org 1019 20081113114204.2646.qmail@ABTS-TN-dynamic-129.93.164.122.airtelbroadband.in 0 0 7682 1 2008-11-13 13:12:12 GMT 0 Version: 6.0.3790.3959 - - myemail@mydomain.org
How can I stop emails like these?
Hi,
How are you progressing with this?
ASKER
My GFI is set to balanced settings; if I tightened it up more I could block some legitimate emails, and vice versa. But I can't do anything about email from me to myself. I thought there would be some different settings for such a case. I'm sure the spammers alter the headers because you are right, these are being routed from (for example) airtelbroadband.in.
I do have the SPF settings and .... hang on, let me paste those settings, maybe there is something wrong in it.
v=spf1 mx a:mail.domain.org -all
I do have the GFI Sender Policy Framework set to Low, but as I said, making this option tighter can cause some clients' email to be filtered.
Anyway thanks for your above email which clarified that these ain't triggered from my exchange server.
Hi,
Are you happy to close this question down and assign points?
ASKER
Just one last thing, is there anything wrong in the SPF I'm using?
v=spf1 mx a:mail.domain.org -all
That is correct.
The -all means that no other servers can send mail; any other server gets a hard fail. If you used a ~ this would give a soft fail.
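To make the two points in this thread concrete (reading the Received: chain to find the host that really delivered the "from myself" message, and what the `v=spf1 mx a:... -all` record decides for that host), here is an added Python example. It is not code from the original thread or from GFI or Exchange; the headers are a repaired copy of the ones quoted in the question, the DNS answers are constructed stand-ins for live lookups (assumed: mydomain.org's MX is the gateway, and the record names mail.mydomain.org rather than the page's placeholder mail.domain.org), and the SPF evaluator only models the mechanisms the record uses.

```python
import ipaddress
import re

# Constructed sample: the spoofed message's headers as quoted in the question,
# with the line-break damage repaired. Only the lines the example needs are kept.
RAW_HEADERS = """\
Received: from gateway.mydomain.org ([192.168.24.13]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Nov 2008 17:33:20 +0000
Received: from e177233246.adsl.alicedsl.de ([85.177.233.246]) by gateway.mydomain.org with Microsoft SMTPSVC(6.0.3790.0); Tue, 11 Nov 2008 17:33:11 +0000
To: <myemail@mydomain.org>
From: <myemail@mydomain.org>
Return-Path: <myemail@mydomain.org>
Subject: Your private life compromised
"""

# Hypothetical DNS answers standing in for live lookups (assumption: mydomain.org's
# MX is the gateway, and mail.mydomain.org is the host named in the SPF record).
# 203.0.113.25 is an RFC 5737 documentation address, constructed for this example.
FAKE_DNS = {
    ("mydomain.org", "TXT"): ["v=spf1 mx a:mail.mydomain.org -all"],
    ("mydomain.org", "MX"): ["gateway.mydomain.org"],
    ("gateway.mydomain.org", "A"): ["192.168.24.13"],
    ("mail.mydomain.org", "A"): ["203.0.113.25"],
}

RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.MULTILINE)
RETURN_PATH_RE = re.compile(r"^Return-Path: <[^@>]+@([^>]+)>", re.MULTILINE)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received(raw):
    """Return [(claimed_host, connecting_ip), ...] from Received: lines, newest hop first."""
    return [(m.group(1), m.group(2)) for m in RECEIVED_RE.finditer(raw)]


def first_external_hop(raw):
    """Walk the Received: chain top-down and return the first hop whose connecting IP
    is public. Hops above it are our own internal relays; this one is the machine
    that actually handed the message to the gateway, whatever the From: line claims."""
    for host, ip in parse_received(raw):
        if ipaddress.ip_address(ip).is_global:
            return host, ip
    return None


def spf_check(domain, client_ip, dns):
    """Minimal SPF evaluator covering the mechanisms used on this page (mx, a, a:host,
    ip4:, and a qualified 'all'). Full SPF (RFC 7208) also has include, redirect,
    macros and lookup limits; this is enough to show how the record decides."""
    ip = ipaddress.ip_address(client_ip)
    record = next((t for t in dns.get((domain, "TXT"), []) if t.startswith("v=spf1")), None)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns.get((target, "A"), [])
        elif mech == "mx":
            matched = any(str(ip) in dns.get((h, "A"), []) for h in dns.get((target, "MX"), []))
        else:
            continue  # mechanism not modelled here; skip it
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def assess(raw, dns):
    """Tie the two checks together: find the real sending host and evaluate the
    envelope sender's (Return-Path) SPF record against it."""
    hop = first_external_hop(raw)
    domain = RETURN_PATH_RE.search(raw).group(1)
    result = spf_check(domain, hop[1], dns) if hop else "none"
    return {"host": hop[0] if hop else None, "ip": hop[1] if hop else None,
            "domain": domain, "spf": result}


if __name__ == "__main__":
    print(assess(RAW_HEADERS, FAKE_DNS))
```

Run as-is it reports that the message was handed to the gateway by 85.177.233.246 (the ADSL host named in the second Received: line) and that the -all record evaluates to "fail" for that address, which is exactly the signal the asker's GFI "Sender Policy Framework" setting acts on. Publishing the record only tells receivers what to do; for the gateway to drop mail that claims to be from its own domain, something in the inbound path (here GFI) has to evaluate SPF on the connecting IP, and the Low/balanced setting the asker describes is what decides whether a "fail" is acted on.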
Sounds like it is a case of spoofing.
You could set Exchange to not accept messages for non-existent users:
http://www.amset.info/exchange/filter-unknown.asp
and run through these:
a) Check the SMTP queues in Exchange System Manager to see if there is unusual activity.
b) Do a DNS test at http://member.dnsstuff.com/pages/dnsreport.php
c) See if you are blacklisted at http://www.robtex.com/
d) In case you need to secure your server:
http://technet.microsoft.com/en-us/library/bb123843.aspx
http://www.microsoft.com/technet/security/prodtech/exchangeserver/excrelay.mspx
e) Run a virus check on the clients.
f) Enable Message tracking and check through the logs to confirm that the emails were not sent by your server.