
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 485

Spam from Micrsofte.com

Our system is generating large numbers of the following message - any ideas how we can trace where this is coming from?


Original message headers:

Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
MIME-Version: 1.0
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>, <vei.c3@yahoo.com.br>,
      <rosapublica@yahoo.com.br>, <brown5861@yahoo.com.br>, <alaraf@yahoo.com.br>,
      <vicmurad1@yahoo.com.br>, <dimenfao1@yahoo.com.br>, <apol@yahoo.com.br>,
      <vazquez11@yahoo.com.br>, <sdmm@yahoo.com.br>, <lvx@yahoo.com.br>,
      <rodascoli3@yahoo.com.br>, <maxlifeseg@yahoo.com.br>,
      <jcmorales@yahoo.com.br>, <janiostic@yahoo.com.br>, <hildejr@yahoo.com.br>,
      <fecraveiro@yahoo.com.br>, <amarilisrp@yahoo.com.br>,
      <soprani.vix@yahoo.com.br>, <pp.hh@yahoo.com.br>,
      <ircansaveis-l-lista@yahoo.com.br>, <l2f@yahoo.com.br>,
      <arygertes@yahoo.com.br>, <wwes@yahoo.com.br>,
      <flavio_de_brito@yahoo.com.br>, <osmael20@yahoo.com.br>,
      <mrdownloads@yahoo.com.br>, <dedecolares@yahoo.com.br>,
      <ariadinojuijitsu@yahoo.com.br>
Subject: Hey Andrew problem sleeping?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>
X-OriginalArrivalTime: 16 May 2009 16:36:20.0151 (UTC) FILETIME=[712AA470:01C9D644]
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.600.1016-16648.005
X-TM-AS-Result: No--4.827600-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
Asked by CaringIT

1 Solution
 
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
It's spam email. Which version of exchange do you have? Any antispam solutions?
0
 
upul007 commented:
Looks like a virus has harvested a set of Brazilian email addresses and is sending itself to the addressees.

The above expert is right.

Hope you did not open the attachment. Run a virus scan on the computers and see if you have SPF (www.openspf.org) and, if using Exchange, the option to check the DNS of the sender's domain set up.
0
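To put the question's "how can we trace where this is coming from" and upul007's SPF suggestion into working form, here is an added Python example; it is not code from the thread or from Experts Exchange. It takes the headers quoted in the question, walks the Received chain to find the connecting client (124.198.54.204, HELO name micrsofte.com) and collects the indicators that the message was submitted straight to the Exchange server by an outside client rather than forwarded from elsewhere: the local server is the first and only hop, the Message-ID was minted by exch-intranet, the sender domain is foreign and every recipient is external. The local domain CaringHomes.local is taken from the headers; the SPF record for micrsofte.com is a constructed placeholder, since the thread shows no real record and the evaluator does no DNS lookups, so the SPF part only shows how the check is performed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from ipaddress import ip_address, ip_network

# Headers quoted in the question above, with the recipient list cut to two
# addresses so the sample stays short. Local domain taken from the "by" host.
LOCAL_DOMAIN = "CaringHomes.local"
SAMPLE_HEADERS = """\
Received: from micrsofte.com ([124.198.54.204]) by
 exch-intranet.CaringHomes.local with Microsoft SMTPSVC(6.0.3790.3959);       Sat,
 16 May 2009 17:36:19 +0100
Date: Sat, 16 May 2009 06:26:40 -1000
Reply-To: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
From: "aaronmeister@micrsofte.com" <aaronmeister@micrsofte.com>
To: <wellisk@yahoo.com.br>, <crist_br@yahoo.com.br>
Subject: Hey Andrew problem sleeping?
Return-Path: aaronmeister@micrsofte.com
Message-ID: <EXCH-INTRANETGdMNFm00000ff3@exch-intranet.CaringHomes.local>

"""

# Constructed placeholder: the thread does not show micrsofte.com's real SPF
# record and this evaluator performs no DNS lookups.
SPF_RECORD_ASSUMED = "v=spf1 ip4:192.0.2.0/24 -all"

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold(value):
    """Collapse the folding whitespace of a multi-line header value."""
    return re.sub(r"\s+", " ", value).strip()


def parse_received(value):
    """Return (helo_name, client_ip, receiving_host) from one Received header."""
    m = RECEIVED_RE.search(unfold(value))
    return (m.group("helo"), m.group("ip"), m.group("by")) if m else None


def trace_origin(raw_headers, local_domain):
    """Identify the client that handed the message to our server and collect
    the indicators of direct relay abuse discussed in the thread."""
    msg = message_from_string(raw_headers)
    local = local_domain.lower()
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Each MTA prepends its own Received header, so the last entry is the
    # earliest hop: the client that first connected.
    helo, client_ip, receiving_host = hops[-1] if hops else (None, None, None)

    sender_domain = parseaddr(unfold(msg.get("From", "")))[1].rpartition("@")[2].lower()
    msgid_domain = unfold(msg.get("Message-ID", "")).rpartition("@")[2].rstrip(">").lower()
    recipients = [a for _, a in getaddresses([unfold(v) for v in msg.get_all("To", [])])]
    external = [a for a in recipients if not a.lower().endswith("@" + local)]

    findings = {
        "client_ip": client_ip,
        "helo_name": helo,
        "receiving_host": receiving_host,
        "hop_count": len(hops),
        "sender_domain": sender_domain,
        # Exchange mints a Message-ID when the submitting client sent none,
        # which tools talking SMTP directly to the server usually do not.
        "message_id_minted_locally": msgid_domain.endswith(local),
        "external_recipients": len(external),
        "total_recipients": len(recipients),
    }
    # Our own server as the first and only hop, a foreign sender domain and
    # purely external recipients: the message was submitted to us by an
    # outside client, i.e. the server is being used as a relay (Mestha's
    # point), not forwarding mail that arrived from somewhere else.
    findings["submitted_directly_by_outsider"] = bool(
        receiving_host
        and receiving_host.lower().endswith(local)
        and len(hops) == 1
        and sender_domain != local
        and recipients
        and len(external) == len(recipients)
    )
    return findings


SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(spf_record, client_ip):
    """Minimal SPF evaluation for ip4:/ip6:/all terms only (include:, a: and
    mx: would need DNS). Returns pass/fail/softfail/neutral as RFC 7208 does."""
    ip = ip_address(client_ip)
    for term in spf_record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ip_network(term[4:], strict=False):
                return SPF_RESULT[qualifier]
        elif term.lower() == "all":
            return SPF_RESULT[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    report = trace_origin(SAMPLE_HEADERS, LOCAL_DOMAIN)
    for key, value in report.items():
        print(f"{key:>30}: {value}")
    print("SPF for claimed sender domain:",
          spf_check(SPF_RECORD_ASSUMED, report["client_ip"]))
```

On a live server the headers come from a message pulled out of the Exchange queue, and the hop count is what matters: a message whose only hop is your own server was handed to it directly by the client at `client_ip`, which is the connection to look for in the server's SMTP protocol log. SPF, as upul007 suggests, is evaluated on the Return-Path domain of inbound mail at the border and does nothing against an authenticated relay, where the problem is a stolen credential rather than a forged sender.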
 
Mestha commented:
If you are seeing those in your queues, then the server is being abused directly.
Trying to stop the source of the message is a waste of time, as the spammer will be bouncing between systems. You need to find how the server is being attacked and block that.

It is basically one of three:

- open relay
- authenticated relay
- NDR attack.

My spam clean up article will help you find out which one it is. http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0

 
CaringIT (Author) commented:
This appears to be coming from our 2003 server - just this week I am in the process of moving to 2007 anyway!!

The server is definitely set to not relay and we have had that tested.  Or so I thought.
0
 
Mestha commented:
If the messages are appearing in the Exchange queues then they are not coming from the server, a spammer is sending them to the server, and is abusing the server in one of the ways that I have stated.
The most common is the authenticated user attack, as authenticated relaying is enabled by default. Therefore the spammer can sit there and attack the administrator account. Once he has the administrator account password, he can relay away.

Simon.
0
 
CaringIT (Author) commented:
How does 2007 differ from 2003? Does this provide more protection from this sort of attack?
0
 
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
Put your email server details here http://www.mxtoolbox.com/diagnostic.aspx and see whether you are an open relay or not to start with.
0
 
Mestha commented:
Exchange 2003 can be protected from this kind of attack by simply disabling authenticated relaying. It is not required for Exchange to operate correctly if all clients are connecting via Outlook to Exchange (i.e. no POP3/IMAP clients).

With Exchange 2007, to allow remote clients to authenticate a lot more has to be done.

Simon.
0
 
CaringIT (Author) commented:
Get back OK - This server is not an open relay.
0
 
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
That's good news.

Disable authenticated relaying in Exchange 2003:
http://www.amset.info/exchange/smtp-relaysecure.asp
0
 
CaringIT (Author) commented:
We are completing the migration of the 2003 to 2007 system this week and during this final transfer, the server has gone potty with spam - can't wait to shut it down now.
0
