Solved

Spam from Micrsofte.com

Posted on 2009-05-18
Last Modified: 2013-11-30
Our system is generating large numbers of the following message - any ideas how we can trace where this is coming from?


Original message headers:

Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
MIME-Version: 1.0
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>, <vei.c3@yahoo.com.br>,
      <rosapublica@yahoo.com.br>, <brown5861@yahoo.com.br>, <alaraf@yahoo.com.br>,
      <vicmurad1@yahoo.com.br>, <dimenfao1@yahoo.com.br>, <apol@yahoo.com.br>,
      <vazquez11@yahoo.com.br>, <sdmm@yahoo.com.br>, <lvx@yahoo.com.br>,
      <rodascoli3@yahoo.com.br>, <maxlifeseg@yahoo.com.br>,
      <jcmorales@yahoo.com.br>, <janiostic@yahoo.com.br>, <hildejr@yahoo.com.br>,
      <fecraveiro@yahoo.com.br>, <amarilisrp@yahoo.com.br>,
      <soprani.vix@yahoo.com.br>, <pp.hh@yahoo.com.br>,
      <ircansaveis-l-lista@yahoo.com.br>, <l2f@yahoo.com.br>,
      <arygertes@yahoo.com.br>, <wwes@yahoo.com.br>,
      <flavio_de_brito@yahoo.com.br>, <osmael20@yahoo.com.br>,
      <mrdownloads@yahoo.com.br>, <dedecolares@yahoo.com.br>,
      <ariadinojuijitsu@yahoo.com.br>
Subject: Hey Andrew problem sleeping?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
X-OriginalArrivalTime: 16 May 2009 16:36:20.0151 (UTC) FILETIME=[712AA470:01C9D644]
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.600.1016-16648.005
X-TM-AS-Result: No--4.827600-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
Question by:CaringIT
11 Comments
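The headers above already answer the tracing question, and the point is worth making explicit because the later replies turn on it: the top-most Received: line is the stamp the asker's own server (exch-intranet.CaringHomes.local) added on arrival, so the host on its "from" side, micrsofte.com at 124.198.54.204, is the client that handed the message to the server; the recipients are all yahoo.com.br addresses the server does not host; and the Message-ID carries the local server name, which means the client supplied none and the server generated it. The Python script below is an added example, not code from this thread, that parses a trimmed copy of the posted headers and classifies the entry path from those three facts. The server host name, accepted domain and LAN ranges in it are assumed placeholders for the asker's environment.

```python
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import getaddresses, parseaddr

# Trimmed copy of the headers posted in the question (recipient list shortened).
SPAM_HEADERS = """\
Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
MIME-Version: 1.0
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>, <vei.c3@yahoo.com.br>,
      <rosapublica@yahoo.com.br>, <brown5861@yahoo.com.br>
Subject: Hey Andrew problem sleeping?
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
"""

# Assumed placeholders for the asker's environment; substitute your own values.
OUR_HOST = "exch-intranet.caringhomes.local"      # name our server writes into Received:
OUR_DOMAINS = {"caringhomes.local"}               # domains we accept mail for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# "from <helo> ([<ip>]) by <host>" as written by Microsoft SMTPSVC
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return helo/ip/by from one Received: header, or None if it has no client IP."""
    flat = re.sub(r"\s+", " ", value)        # undo header folding
    m = RECEIVED_RE.search(flat)
    return m.groupdict() if m else None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyse(raw_headers, our_host=OUR_HOST, our_domains=OUR_DOMAINS,
            internal_nets=INTERNAL_NETS):
    """Work out how a message entered the server from its top-most Received: stamp."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Received: lines are prepended at each hop, so hops[0] is the stamp our own
    # server added and its "from" side is the client that handed the message to us.
    if not hops or hops[0]["by"].lower() != our_host:
        return {"verdict": "unknown", "reason": "no Received: stamp from our own host"}
    entry = hops[0]
    client_ip = ipaddress.ip_address(entry["ip"])
    client_external = not any(client_ip in net for net in internal_nets)

    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    rcpt_headers = [re.sub(r"\s+", " ", v) for v in
                    msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(rcpt_headers)]
    external_rcpts = [r for r in recipients if domain_of(r) not in our_domains]

    # A Message-ID on our own host name means the client sent none and the
    # server generated one: the message did not come through a normal mail client.
    msgid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    minted_locally = msgid_host == our_host

    if client_external and external_rcpts and domain_of(sender) not in our_domains:
        verdict, reason = "relay", (
            "a client outside our network submitted mail for domains we do not host; "
            "check the SMTP log for AUTH activity from this IP to tell authenticated "
            "relay from an open relay")
    elif client_external:
        verdict, reason = "inbound", (
            "addressed only to our own domains; backscatter (NDR attack) only if "
            "those recipients do not exist")
    else:
        verdict, reason = "internal", "submitted from inside our network"

    return {
        "verdict": verdict,
        "reason": reason,
        "client_ip": str(client_ip),
        "client_helo": entry["helo"],
        "client_external": client_external,
        "sender_domain": domain_of(sender),
        "external_recipients": len(external_rcpts),
        "message_id_minted_locally": minted_locally,
    }


if __name__ == "__main__":
    for key, value in analyse(SPAM_HEADERS).items():
        print(f"{key:26} {value}")
```

Run it as a script to print the findings, or call analyse() with the raw header block of any message sitting in the queues. For the posted headers the verdict is "relay", and the SMTP log check it recommends is what separates authenticated relay from an open relay.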
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24414203
It's spam email. Which version of exchange do you have? Any antispam solutions?
 
LVL 17

Expert Comment

by:upul007
ID: 24414383
Looks like a virus has harvested a set of Brazilian email addresses and is sending itself to the addressees.

The above expert is right.

Hope you did not open the attachment. Run a virus scan on the computers and see if you have SPF (www.openspf.org) and, if using Exchange, the option to check the DNS of the sender's domain set up.
 
LVL 65

Expert Comment

by:Mestha
ID: 24417733
If you are seeing those in your queues, then the server is being abused directly.
Trying to stop the source of the message is a waste of time, as the spammer will be bouncing between systems. You need to find how the server is being attacked and block that.

It is basically one of three:

- open relay
- authenticated relay
- NDR attack.

My spam clean up article will help you find out which one it is. http://www.amset.info/exchange/spam-cleanup.asp

Simon.
 

Author Comment

by:CaringIT
ID: 24419311
This appears to be coming from our 2003 server - just this week I am in the process of moving to 2007 anyway!!

The server is definitely set to not relay and we have had that tested.  Or so I thought.
 
LVL 65

Expert Comment

by:Mestha
ID: 24419691
If the messages are appearing in the Exchange queues then they are not coming from the server, a spammer is sending them to the server, and is abusing the server in one of the ways that I have stated.
The most common is the authenticated user attack, as authenticated relaying is enabled by default. Therefore the spammer can sit there and attack the administrator account. Once he has the administrator account password, relay away.

Simon.

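Chasing the IP in a Received: line is, as Simon says, a dead end; the useful evidence is on the server itself. The Python script below is an added example (not from this thread nor from the amset.info article) that reviews a constructed Exchange 2003 SMTP virtual server log in W3C extended format and groups the SMTP verbs by client IP. It flags three patterns: a run of failed AUTH commands (the password attack on the administrator account described above), a successful AUTH followed by RCPT TO addresses in domains the server does not host (authenticated relay), and RCPT TO external domains accepted from an outside address with no AUTH at all (an open relay). The log field names, the accepted domain and the LAN ranges are assumptions; the parser follows whatever #Fields: line your own log carries, and the sample records are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the W3C extended format an Exchange 2003 SMTP virtual
# server writes when logging is enabled. The field list is assumed; the parser
# below follows whatever the #Fields: line of your own log says.
SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-05-16 16:35:40 124.198.54.204 - EHLO +micrsofte.com 250
2009-05-16 16:35:41 124.198.54.204 - AUTH +LOGIN 535
2009-05-16 16:35:43 124.198.54.204 - AUTH +LOGIN 535
2009-05-16 16:35:45 124.198.54.204 - AUTH +LOGIN 535
2009-05-16 16:35:47 124.198.54.204 CARINGHOMES\\administrator AUTH +LOGIN 235
2009-05-16 16:36:18 124.198.54.204 CARINGHOMES\\administrator MAIL +FROM:<aaronmeister@micrsofte.com> 250
2009-05-16 16:36:18 124.198.54.204 CARINGHOMES\\administrator RCPT +TO:<wellisk@yahoo.com.br> 250
2009-05-16 16:36:18 124.198.54.204 CARINGHOMES\\administrator RCPT +TO:<crist_br@yahoo.com.br> 250
2009-05-16 16:36:19 124.198.54.204 CARINGHOMES\\administrator DATA - 250
2009-05-16 16:40:02 10.0.0.25 - EHLO +laptop01 250
2009-05-16 16:40:03 10.0.0.25 - MAIL +FROM:<andrew@caringhomes.local> 250
2009-05-16 16:40:03 10.0.0.25 - RCPT +TO:<someone@example.com> 250
2009-05-16 16:40:04 10.0.0.25 - DATA - 250
2009-05-16 16:41:10 203.0.113.9 - MAIL +FROM:<bob@example.net> 250
2009-05-16 16:41:11 203.0.113.9 - RCPT +TO:<carol@example.org> 250
2009-05-16 16:41:12 203.0.113.9 - DATA - 250
"""

OUR_DOMAINS = {"caringhomes.local"}                        # placeholder accepted domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),      # placeholder LAN ranges
                 ipaddress.ip_network("192.168.0.0/16")]
AUTH_FAIL_THRESHOLD = 3                                    # failed AUTHs per IP before we flag


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def review(text, our_domains=OUR_DOMAINS, internal_nets=INTERNAL_NETS,
           fail_threshold=AUTH_FAIL_THRESHOLD):
    """Group SMTP verbs by client IP and flag the abuse patterns described in the thread."""
    per_ip = defaultdict(lambda: {"auth_fail": 0, "auth_ok": 0,
                                  "users": set(), "external_rcpt": 0})
    for rec in parse_w3c(text):
        stats = per_ip[rec["c-ip"]]
        if rec["cs-method"] == "AUTH":
            if rec["sc-status"] == "235":           # 235 = authentication succeeded
                stats["auth_ok"] += 1
                stats["users"].add(rec["cs-username"])
            else:
                stats["auth_fail"] += 1
        elif rec["cs-method"] == "RCPT" and rec["sc-status"] == "250":
            # only RCPTs the server accepted matter; a 550 means relay was refused
            m = re.search(r"@([^>]+)>", rec["cs-uri-query"])
            if m and m.group(1).lower() not in our_domains:
                stats["external_rcpt"] += 1

    findings = {}
    for ip, stats in per_ip.items():
        external = not any(ipaddress.ip_address(ip) in n for n in internal_nets)
        flags = []
        if stats["auth_fail"] >= fail_threshold:
            flags.append("password guessing against mailbox accounts")
        if stats["auth_ok"] and stats["external_rcpt"]:
            flags.append("authenticated relay to external domains")
        if external and not stats["auth_ok"] and stats["external_rcpt"]:
            flags.append("unauthenticated relay accepted (open relay)")
        if flags:
            findings[ip] = {"flags": flags, "users": sorted(stats["users"]),
                            "auth_fail": stats["auth_fail"],
                            "external_rcpt": stats["external_rcpt"]}
    return findings


if __name__ == "__main__":
    for ip, info in review(SMTP_LOG).items():
        print(ip, info)
```

The account names that show up under "users" for a flagged IP are the ones whose passwords need changing before authenticated relaying is switched off; the internal client at 10.0.0.25 is not reported because relaying from the LAN is the intended behaviour.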
Author Comment

by:CaringIT
ID: 24419698
How does 2007 differ from 2003?  Does this provide more protection from this sort of attack?
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24419717
Put your email server details here http://www.mxtoolbox.com/diagnostic.aspx and see whether you are an open relay or not to start with.
 
LVL 65

Expert Comment

by:Mestha
ID: 24419723
Exchange 2003 can be protected from this kind of attack by simply disabling authenticated relaying. It is not required for Exchange to operate correctly if all clients are connecting via Outlook to Exchange (i.e. no POP3/IMAP clients).

With Exchange 2007, to allow remote clients to authenticate a lot more has to be done.

Simon.
 

Author Comment

by:CaringIT
ID: 24419724
Get back OK - This server is not an open relay.
 
LVL 24

Accepted Solution

by:Rajith Enchiparambil (earned 500 total points)
ID: 24422908
That's good news.

Disable Authenticated relaying in Exchange 2003:
http://www.amset.info/exchange/smtp-relaysecure.asp
 

Author Comment

by:CaringIT
ID: 24586080
We are completing the migration of the 2003 to 2007 system this week and during this final transfer, the server has gone potty with spam - can't wait to shut it down now.