Solved

Spam from Micrsofte.com

Posted on 2009-05-18
Last Modified: 2013-11-30
Our system is generating large numbers of the following message - any ideas how we can trace where this is coming from?


Original message headers:

Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
MIME-Version: 1.0
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>, <vei.c3@yahoo.com.br>,
      <rosapublica@yahoo.com.br>, <brown5861@yahoo.com.br>, <alaraf@yahoo.com.br>,
      <vicmurad1@yahoo.com.br>, <dimenfao1@yahoo.com.br>, <apol@yahoo.com.br>,
      <vazquez11@yahoo.com.br>, <sdmm@yahoo.com.br>, <lvx@yahoo.com.br>,
      <rodascoli3@yahoo.com.br>, <maxlifeseg@yahoo.com.br>,
      <jcmorales@yahoo.com.br>, <janiostic@yahoo.com.br>, <hildejr@yahoo.com.br>,
      <fecraveiro@yahoo.com.br>, <amarilisrp@yahoo.com.br>,
      <soprani.vix@yahoo.com.br>, <pp.hh@yahoo.com.br>,
      <ircansaveis-l-lista@yahoo.com.br>, <l2f@yahoo.com.br>,
      <arygertes@yahoo.com.br>, <wwes@yahoo.com.br>,
      <flavio_de_brito@yahoo.com.br>, <osmael20@yahoo.com.br>,
      <mrdownloads@yahoo.com.br>, <dedecolares@yahoo.com.br>,
      <ariadinojuijitsu@yahoo.com.br>
Subject: Hey Andrew problem sleeping?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
X-OriginalArrivalTime: 16 May 2009 16:36:20.0151 (UTC) FILETIME=[712AA470:01C9D644]
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.600.1016-16648.005
X-TM-AS-Result: No--4.827600-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
Question by:CaringIT
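The headers quoted in the question, walked through programmatically. This is an added example, not code from the original post or from any of the experts: it unfolds the Received headers, takes the first hop, and checks two signals that an outside host handed the message straight to the Exchange server. OUR_HOSTS is an assumption; the header excerpt is copied from the question with the recipient list dropped.

```python
import re
from ipaddress import ip_address

# Excerpt of the headers quoted in the question; the recipient list is dropped.
HEADERS = """\
Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
"""

# Assumption: the lower-cased host names of our own Exchange servers.
OUR_HOSTS = {"exch-intranet.caringhomes.local"}

def unfold(raw):
    """Join folded header continuation lines (they begin with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def received_hops(raw):
    """(claimed HELO name, source IP, receiving host) per Received header, top first."""
    hops = []
    for line in unfold(raw).splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)", line)
            if m:
                hops.append((m.group(1), m.group(2), m.group(3).lower()))
    return hops

def message_id_domain(raw):
    m = re.search(r"^Message-ID:\s*<[^@>]+@([^>]+)>", unfold(raw), re.M | re.I)
    return m.group(1).lower() if m else None

def classify(raw):
    """Decide whether an outside host handed the message straight to our server."""
    hops = received_hops(raw)
    if not hops:
        return {"error": "no Received headers"}
    helo, src, rcv = hops[-1]            # bottom-most Received header = first hop
    return {
        "entry_host": rcv,
        "source_ip": src,
        "claimed_helo": helo,
        "hop_count": len(hops),
        # Internet-routable client talking directly to our server: no upstream MTA.
        "direct_external_submission": rcv in OUR_HOSTS and ip_address(src).is_global,
        # Our server generated the Message-ID, so the message arrived without one (typical of injected mail).
        "message_id_added_by_us": message_id_domain(raw) in OUR_HOSTS,
    }
```

A single hop with an external source and a locally generated Message-ID is what a message looks like when a spammer submits it to the server directly, rather than when it is relayed in from another MTA.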
11 Comments
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24414203
It's spam email. Which version of exchange do you have? Any antispam solutions?
 
LVL 17

Expert Comment

by:upul007
ID: 24414383
Looks like a virus has harvested a set of Brazilian email addresses and is sending itself to the addressees.

The above expert is right.

Hope you did not open the attachment. Run a virus scan on the computers and see if you have SPF (www.openspf.org) and if using exchange, the option to check the DNS of senders domain set up.
 
LVL 65

Expert Comment

by:Mestha
ID: 24417733
If you are seeing those in your queues, then the server is being abused directly.
Trying to stop the source of the message is a waste of time, as the spammer will be bouncing between systems. You need to find how the server is being attacked and block that.

It is basically one of three

- open relay
- authenticated relay
- NDR attack.

My spam clean up article will help you find out which one it is. http://www.amset.info/exchange/spam-cleanup.asp

Simon.
 

Author Comment

by:CaringIT
ID: 24419311
This appears to be coming from our 2003 server - just this week I am in the process of moving to 2007 anyway!!

The server is definitely set to not relay and we have had that tested.  Or so I thought.
 
LVL 65

Expert Comment

by:Mestha
ID: 24419691
If the messages are appearing in the Exchange queues then they are not coming from the server, a spammer is sending them to the server, and is abusing the server in one of the ways that I have stated.
The most common is the authenticated user attack, as authenticated relaying is enabled by default. Therefore the spammer can sit there and attack the administrator account. Once he has the administrator account password, relay away.

Simon.
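An added example, not from the thread, of the log check that Mestha's diagnosis calls for. Run over constructed SMTP protocol log lines, it counts failed AUTH responses from external addresses (someone working on the administrator password) and counts recipients accepted in authenticated sessions that came from outside, which is what authenticated relaying looks like once a password has been obtained. The log field order and the sample lines are assumptions; the external address is the one from the question's headers.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed SMTP protocol log in a simplified W3C style. The field order below is
# an assumption for this example, not Exchange 2003's exact log layout; the external
# address is the one from the question's headers, the internal one is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method sc-status
2009-05-16 16:35:01 124.198.54.204 - AUTH 535
2009-05-16 16:35:02 124.198.54.204 - AUTH 535
2009-05-16 16:35:03 124.198.54.204 - AUTH 535
2009-05-16 16:35:04 124.198.54.204 administrator AUTH 235
2009-05-16 16:35:05 124.198.54.204 administrator MAIL 250
2009-05-16 16:35:05 124.198.54.204 administrator RCPT 250
2009-05-16 16:35:05 124.198.54.204 administrator RCPT 250
2009-05-16 16:35:05 124.198.54.204 administrator RCPT 250
2009-05-16 16:36:10 192.168.1.25 jsmith AUTH 235
2009-05-16 16:36:11 192.168.1.25 jsmith RCPT 250
"""

def parse(log):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def relay_abuse_report(log, max_auth_failures=3, max_external_rcpt=2):
    """Flag password guessing against SMTP AUTH and authenticated relaying from outside."""
    auth_failures = Counter()                 # external IP -> 535 responses to AUTH
    rcpt_by_user = defaultdict(Counter)       # user -> Counter(external IP -> RCPTs)
    for rec in parse(log):
        if not ip_address(rec["c-ip"]).is_global:
            continue                          # internal clients are expected to authenticate
        if rec["cs-method"] == "AUTH" and rec["sc-status"] == "535":
            auth_failures[rec["c-ip"]] += 1
        elif rec["cs-method"] == "RCPT" and rec["cs-username"] != "-":
            rcpt_by_user[rec["cs-username"]][rec["c-ip"]] += 1
    return {
        "password_guessing": {ip for ip, n in auth_failures.items() if n >= max_auth_failures},
        "external_relay_users": {u for u, ips in rcpt_by_user.items()
                                 if sum(ips.values()) > max_external_rcpt},
    }
```

Any account that shows up under external_relay_users is the one whose password the spammer is using; resetting it and disabling authenticated relaying (as the accepted answer describes) closes the hole.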
 

Author Comment

by:CaringIT
ID: 24419698
How does 2007 differ from 2003?  Does this provide more protection from this sort of attack?
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24419717
Put your email server details here http://www.mxtoolbox.com/diagnostic.aspx and see whether you are an open relay or not to start with.
 
LVL 65

Expert Comment

by:Mestha
ID: 24419723
Exchange 2003 can be protected from this kind of attack by simply disabling authenticated relaying. It is not required for Exchange to operate correctly if all clients are connecting via Outlook to Exchange (ie no POP3/IMAP clients).

With Exchange 2007, to allow remote clients to authenticate a lot more has to be done.

Simon.
 

Author Comment

by:CaringIT
ID: 24419724
Get back OK - This server is not an open relay.
 
LVL 24

Accepted Solution

by:Rajith Enchiparambil (earned 500 total points)
ID: 24422908
That's good news.

Disable Authenticated relaying in Exchange 2003
http://www.amset.info/exchange/smtp-relaysecure.asp
 

Author Comment

by:CaringIT
ID: 24586080
We are completing the migration of the 2003 to 2007 system this week and during this final transfer, the server has gone potty with spam - can't wait to shut it down now.