Solved

Spam from Micrsofte.com

Posted on 2009-05-18
Last Modified: 2013-11-30
Our system is generating large numbers of the following message - any ideas how we can trace where this is coming from?


Original message headers:

Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
MIME-Version: 1.0
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>, <vei.c3@yahoo.com.br>,
      <rosapublica@yahoo.com.br>, <brown5861@yahoo.com.br>, <alaraf@yahoo.com.br>,
      <vicmurad1@yahoo.com.br>, <dimenfao1@yahoo.com.br>, <apol@yahoo.com.br>,
      <vazquez11@yahoo.com.br>, <sdmm@yahoo.com.br>, <lvx@yahoo.com.br>,
      <rodascoli3@yahoo.com.br>, <maxlifeseg@yahoo.com.br>,
      <jcmorales@yahoo.com.br>, <janiostic@yahoo.com.br>, <hildejr@yahoo.com.br>,
      <fecraveiro@yahoo.com.br>, <amarilisrp@yahoo.com.br>,
      <soprani.vix@yahoo.com.br>, <pp.hh@yahoo.com.br>,
      <ircansaveis-l-lista@yahoo.com.br>, <l2f@yahoo.com.br>,
      <arygertes@yahoo.com.br>, <wwes@yahoo.com.br>,
      <flavio_de_brito@yahoo.com.br>, <osmael20@yahoo.com.br>,
      <mrdownloads@yahoo.com.br>, <dedecolares@yahoo.com.br>,
      <ariadinojuijitsu@yahoo.com.br>
Subject: Hey Andrew problem sleeping?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
X-OriginalArrivalTime: 16 May 2009 16:36:20.0151 (UTC) FILETIME=[712AA470:01C9D644]
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.600.1016-16648.005
X-TM-AS-Result: No--4.827600-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
Question by:CaringIT
11 Comments
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
It's spam email. Which version of Exchange do you have? Any antispam solutions?
 
LVL 17

Expert Comment

by:upul007
Looks like a virus has harvested a set of Brazilian email addresses and is sending itself to the addressees.

The above expert is right.

Hope you did not open the attachment. Run a virus scan on the computers and see if you have SPF (www.openspf.org) and, if using Exchange, the option to check the DNS of the sender's domain set up.
 
LVL 65

Expert Comment

by:Mestha
If you are seeing those in your queues, then the server is being abused directly.
Trying to stop the source of the message is a waste of time, as the spammer will be bouncing between systems. You need to find how the server is being attacked and block that.

It is basically one of three:

- open relay
- authenticated relay
- NDR attack.

My spam clean up article will help you find out which one it is. http://www.amset.info/exchange/spam-cleanup.asp

Simon.
 

Author Comment

by:CaringIT
This appears to be coming from our 2003 server - just this week I am in the process of moving to 2007 anyway!!

The server is definitely set to not relay and we have had that tested. Or so I thought.
 
LVL 65

Expert Comment

by:Mestha
If the messages are appearing in the Exchange queues then they are not coming from the server; a spammer is sending them to the server and is abusing the server in one of the ways that I have stated.
The most common is authenticated user attack, as authenticated relaying is enabled by default. Therefore the spammer can sit there and attack the administrator account. Once he has the administrator account password, relay away.

Simon.
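
An added example, not part of the original thread: reading the top `Received` line of the headers in the question shows which host handed the message to the Exchange server and whether the recipients are local. The `triage` function and the local mail domain `caringhomes.example` are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Headers from the question above, with the To: list shortened to two entries.
SAMPLE = """\
Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959); Sat,
 16 May 2009 17:36:19 +0100
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>
Subject: Hey Andrew problem sleeping?

"""

# "from <HELO name> ([<client IP>]) by <receiving host>", as in the sample.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def triage(raw_headers, local_domains):
    """Classify a queued message using the Received line our own server wrote."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received header")
    # Only the top-most Received line was written by our server; any lower
    # ones were supplied by the sender and can be forged.
    top = " ".join(received[0].split())
    m = RECEIVED_RE.search(top)
    if m is None:
        raise ValueError("unrecognised Received format: " + top)
    client = ipaddress.ip_address(m.group("ip"))
    external = not (client.is_private or client.is_loopback)
    # Header recipients are only a hint; the envelope recipients shown in the
    # queue are authoritative.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    domains = {addr.rpartition("@")[2].lower() for _, addr in rcpts if "@" in addr}
    foreign = sorted(domains - {d.lower() for d in local_domains})
    if external and foreign:
        verdict = "relay"     # outside host sending to outside recipients via us
    elif external:
        verdict = "inbound"   # ordinary incoming mail for local recipients
    else:
        verdict = "internal"  # submitted from inside the network: check that host
    return {"helo": m.group("helo"), "client_ip": str(client),
            "received_by": m.group("by"), "foreign": foreign, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE, {"caringhomes.example"}))  # local domain is assumed
```
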
 

Author Comment

by:CaringIT
How does 2007 differ from 2003? Does this provide more protection from this sort of attack?
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
Put your email server details here http://www.mxtoolbox.com/diagnostic.aspx and see whether you are an open relay or not to start with.
 
LVL 65

Expert Comment

by:Mestha
Exchange 2003 can be protected from this kind of attack by simply disabling authenticated relaying. It is not required for Exchange to operate correctly if all clients are connecting via Outlook to Exchange (i.e. no POP3/IMAP clients).

With Exchange 2007, to allow remote clients to authenticate a lot more has to be done.

Simon.
 

Author Comment

by:CaringIT
Get back OK - This server is not an open relay.
 
LVL 24

Accepted Solution

by:
Rajith Enchiparambil earned 500 total points
That's good news.

Disable authenticated relaying in Exchange 2003
http://www.amset.info/exchange/smtp-relaysecure.asp
 

Author Comment

by:CaringIT
We are completing the migration of the 2003 to 2007 system this week and during this final transfer, the server has gone potty with spam - can't wait to shut it down now.