Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Spam from Micrsofte.com

Posted on 2009-05-18
Medium Priority
Last Modified: 2013-11-30
Our system is generating large numbers of the following message - any ideas how we can trace where this is coming from?

Original message headers:

Received: from micrsofte.com ([]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
MIME-Version: 1.0
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>, <vei.c3@yahoo.com.br>,
      <rosapublica@yahoo.com.br>, <brown5861@yahoo.com.br>, <alaraf@yahoo.com.br>,
      <vicmurad1@yahoo.com.br>, <dimenfao1@yahoo.com.br>, <apol@yahoo.com.br>,
      <vazquez11@yahoo.com.br>, <sdmm@yahoo.com.br>, <lvx@yahoo.com.br>,
      <rodascoli3@yahoo.com.br>, <maxlifeseg@yahoo.com.br>,
      <jcmorales@yahoo.com.br>, <janiostic@yahoo.com.br>, <hildejr@yahoo.com.br>,
      <fecraveiro@yahoo.com.br>, <amarilisrp@yahoo.com.br>,
      <soprani.vix@yahoo.com.br>, <pp.hh@yahoo.com.br>,
      <ircansaveis-l-lista@yahoo.com.br>, <l2f@yahoo.com.br>,
      <arygertes@yahoo.com.br>, <wwes@yahoo.com.br>,
      <flavio_de_brito@yahoo.com.br>, <osmael20@yahoo.com.br>,
      <mrdownloads@yahoo.com.br>, <dedecolares@yahoo.com.br>,
Subject: Hey Andrew problem sleeping?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
X-OriginalArrivalTime: 16 May 2009 16:36:20.0151 (UTC) FILETIME=[712AA470:01C9D644]
X-TM-AS-Product-Ver: SMEX-
X-TM-AS-Result: No--4.827600-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
Question by:CaringIT
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +1
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24414203
It's spam email. Which version of exchange do you have? Any antispam solutions?
LVL 17

Expert Comment

ID: 24414383
Looks like a virus has harvested a set of Brazilian email addresses and sending itself to the addressees.

The above expert is right.

Hope you did not open the attachment. Run a virus scan on the computers and see if you have SPF (www.openspf.org) and if using exchange, the option to check the DNS of senders domain set up.
LVL 65

Expert Comment

ID: 24417733
If you are seeing those in your queues, then the server is being abused directly.
Trying to stop the source of the message is a waste of time, as the spammer will be bouncing between systems. You need to find how the server is being attacked and block that.

It is basically one of three

- open relay
- authenticated relay
- NDR attack.

My spam clean up article will help you find out which one it is. http://www.amset.info/exchange/spam-cleanup.asp

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 24419311
This appears to be coming from our 2003 server - just this week I am in the process of moving to 2007 anyway!!

The server is definitely set to not relay and we have had that tested.  Or so I thought.
LVL 65

Expert Comment

ID: 24419691
If the messages are appearing in the Exchange queues then they are not coming from the server, a spammer is sending them to the server, and is abusing the server in one of the ways that I have stated.
The most common is authenticated user attack, as authenticated relaying is enabled by default. Therefore the spammer can sit there and attack the administrator account. Once he has the administrator account password relay away.


Author Comment

ID: 24419698
How does 2007 differ from 2003?  Does this provided more protection from this sort of attack?
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24419717
Put your email server details here http://www.mxtoolbox.com/diagnostic.aspx and see whether you are an open realy or not to start with.
LVL 65

Expert Comment

ID: 24419723
Exchange 2003 can be protected from this kind of attack by simply disabling authenticated relaying. It is not required for Exchange to operate correctly if all clients are connecting via Outlook to Exchange (ie no POP3/IMAP clients).

With Exchange 2007, to allow remote clients to authenticate a lot more has to be done.


Author Comment

ID: 24419724
Get back  OK - This server is not an open relay.
LVL 24

Accepted Solution

Rajith Enchiparambil earned 2000 total points
ID: 24422908
That's good news.

Disbale Authenticated relaying in exchange 2003

Author Comment

ID: 24586080
We are completing the migration of the 2003 to 2007 system this week and during this final transfer, the server has gone potty with spam - can't wait to shut it down now.

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
Check out the latest tech news, community articles, and expert highlights in August's newsletter.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question