• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 381
  • Last Modified:

Receiving Spam from ourselves? MS Exchange 2003 and Barracuda 300 Spam Firewall

Hello to all,

First I want to tell you about our system. We have a Barracuda 300 Spam Firewall which filters all incoming mail, then forwards to the MS 2003 Exchange Server. When sending out, Exchange sends to the Barracuda for an outgoing log and then to the net.

Here is our problem. Lately we've been receiving spam from within our network. For example, jdoe has an Exchange account and is receiving advertising email from him/herself.

Are we getting relayed? Where can I check the setting to stop this?

Any luck is appreciated!
Asked: ravenrx7
1 Solution
 
halejr1Commented:
Sounds like an internal host is compromised and running its own SMTP server locally.

What I have always done in the past from a policy level, is disallow all smtp internally, as all clients would be exchange clients and therefore no need for SMTP locally.  In some instances you may have some applications requiring an smtp relay at which point we would either provide an exclusive, or create rules to explicitly allow that / those hosts.

 
ravenrx7Author Commented:
We're a private school; most of the machines are school property, and all would need admin rights to install. Is there a setting I should check to make sure our Exchange server does not allow relay?
 
MesthaCommented:
I would be surprised if it was a local machine that was compromised. Look at the headers of the spam message. If there are any external hosts in the headers it came from outside.

Ensure that your appliance is configured correctly - you haven't whitelisted your own domain for example.

-M
 
ravenrx7Author Commented:
How are they sending from our own email addresses then?
 
halejr1Commented:
Source host names could also be "spoofed" and say they are coming from your server. I'd check the logs and message tracking and validate whether an alleged spam message shows as having originated at your server or from somewhere else.

Some organizations get email that say they come from themselves, when in fact it comes from the outside, from a host that is spoofing your own address because you were listed in an address book on a host that was compromised.
 
MesthaCommented:
I could send you an email from your boss, and there would be nothing you could do to stop me. Telnet in to your server and put whatever you like in the From line. There is nothing in SMTP to validate the sender server is allowed. There are some initiatives to change that, but it is estimated 30 - 40% of mail servers at most support the additional DNS records that are required.

-M
 
halejr1Commented:
Mestha, you probably have a little more clout than I do, however am I correct when I say that they should not be running an SMTP relay on Exchange if all their Exchange clients are "exchange clients"? It is my belief that running an internal SMTP relay is a recipe for disaster. I think most administrators believe that it is required for outbound, but relay is not required for outbound if your clients are connecting to Exchange mailboxes (all routing is internal to Exchange with no SMTP client connections to send mail...?). Am I correct?

 
MesthaCommented:
You don't need a relay to send spoof email.
The email is destined for a valid user - so relay settings are not required.

There is some misconception with the relay settings, but you do not need any relay settings for outbound email if everything is a MAPI client.

-M
 
ravenrx7Author Commented:
Good information, but I checked and the emails are coming from our Exchange users. Where can I check to see if SMTP relay is enabled?
 
ravenrx7Author Commented:
Ok, here is a log file of one of the emails, captured by the Barracuda filter. If you notice, this IP address,
m1.mmcinc.com 206.159.132.16, used to host our POP3 accounts, which we no longer use. They were a hosting company through whom we had our domain name registered. Would you say somebody is using their server to relay messages?

X-ASG-Debug-ID: 1234520727-451600010000-Ru0MO0
X-Barracuda-URL: http://XXXXXX/cgi-bin/mark.cgi
X-Barracuda-Orig-Rcpt: klilley@woodlandspreparatory.org
Received: from mail.mmcinc.com (localhost [127.0.0.1])
      by barracuda.woodlandsprep.org (Spam Firewall) with ESMTP id 922FEB57DD
      for <klilley@woodlandspreparatory.org>; Fri, 13 Feb 2009 02:25:27 -0800 (PST)
Received: from mail.mmcinc.com (m1.mmcinc.com [206.159.132.16])
      by barracuda.woodlandsprep.org with ESMTP id faPiY0htbtBQsbZh
      for <klilley@woodlandspreparatory.org>; Fri, 13 Feb 2009 02:25:27 -0800 (PST)
X-ASG-Whitelist: Sender
DKIM-Signature: a=rsa-sha1; t=1234520727; x=1235125527; s=mail; d=woodlandspreparatory.org; c=relaxed/relaxed; q=dns; h=From:Subject:To:MIME-Version:Content-Type;
   b=74C79YaLbPLs+sKbelaJduKWhF8C52NbQ9anMlHabMN/S3ee5xUNNPPwon88EiwqHqfG88CdtUI+ZdP0d2MWwg==
Received: from airversal.com ([123.236.200.175])
        by mail.mmcinc.com (VisNetic.MailServer.v9.3.2.0) with SMTP id UMM62420
        for <klilley@woodlandspreparatory.org>; Fri, 13 Feb 2009 04:25:20 -0600
To: <klilley@woodlandspreparatory.org>
X-ASG-Orig-Subj: Order Shipped -- Order #14044
Subject: Order Shipped -- Order #14044
From: <klilley@woodlandspreparatory.org>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-Barracuda-Connect: m1.mmcinc.com[206.159.132.16]
X-Barracuda-Start-Time: 1234520727
Message-Id: <20090213102527.922FEB57DD@barracuda.woodlandsprep.org>
Date: Fri, 13 Feb 2009 02:25:27 -0800 (PST)
X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at woodlandsprep.org
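To apply Mestha's advice (judge by the Received: chain, not the From: line) to the log pasted above, here is an added Python example that is not part of the thread: it walks the Received: headers oldest-first, reports where the message really entered the mail system, and flags the X-ASG-Whitelist: Sender case in which the Barracuda skipped filtering because the forged From: domain is the school's own. The host and domain sets are assumptions taken from the names in the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received:, whitelist and From: headers from the log
# pasted above, re-folded (one space per continuation line); body omitted.
SAMPLE = """\
Received: from mail.mmcinc.com (localhost [127.0.0.1])
 by barracuda.woodlandsprep.org (Spam Firewall) with ESMTP id 922FEB57DD
 for <klilley@woodlandspreparatory.org>; Fri, 13 Feb 2009 02:25:27 -0800 (PST)
Received: from mail.mmcinc.com (m1.mmcinc.com [206.159.132.16])
 by barracuda.woodlandsprep.org with ESMTP id faPiY0htbtBQsbZh
 for <klilley@woodlandspreparatory.org>; Fri, 13 Feb 2009 02:25:27 -0800 (PST)
X-ASG-Whitelist: Sender
Received: from airversal.com ([123.236.200.175])
 by mail.mmcinc.com (VisNetic.MailServer.v9.3.2.0) with SMTP id UMM62420
 for <klilley@woodlandspreparatory.org>; Fri, 13 Feb 2009 04:25:20 -0600
From: <klilley@woodlandspreparatory.org>
"""

# Assumption: the school's own hosts and mail domains (names taken from the thread).
OWN_HOSTS = {"barracuda.woodlandsprep.org"}
OWN_DOMAINS = {"woodlandspreparatory.org", "woodlandsprep.org"}

# "from <helo> (<rdns> [<ip>]) ... by <receiver>"; re.S because the header is folded.
HOP = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)

def hops(raw):
    """(claimed name, reverse DNS / IP, receiving host) per Received: header,
    oldest first: each server prepends its own header, so the last one is the origin."""
    msg = message_from_string(raw)
    return [m.groups() for m in map(HOP.search, reversed(msg.get_all("Received", []))) if m]

def origin(raw):
    """First hop the message took, i.e. where it really entered the mail system."""
    h = hops(raw)
    return h[0] if h else None

def origin_is_internal(raw):
    """Mestha's test: was the very first hop received by one of our own hosts?"""
    o = origin(raw)
    return o is not None and o[2] in OWN_HOSTS

def whitelisted_self_spoof(raw):
    """True when the firewall skipped filtering (X-ASG-Whitelist: Sender) because the
    From: domain is ours, yet the message came in from outside."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return (msg.get("X-ASG-Whitelist") == "Sender" and from_dom in OWN_DOMAINS
            and not origin_is_internal(raw))
```

For the pasted log, origin() reports airversal.com handing the message to mail.mmcinc.com, so the first hop is neither the Exchange server nor the Barracuda, and whitelisted_self_spoof() is true: the spam entered from outside and was waved through because the sender domain was whitelisted.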
 
MesthaCommented:
Most ISPs will presume that they are responsible for all email for domains that they look after. If the email is all coming off that ISP then you need to speak to them because they are allowing their servers to relay email from a spammer to your server. That is a configuration error on their part.

Spammers could also be using old MX record information - they will do that sort of thing, which is how they know to use that server.

-M
