Spam questions in Exchange

Over the weekend a few users got a bunch of fake emails from Amazon, and some other "team" that has our domain name on it (as if it's coming from the website "team" of our domain).  The amazon email looked very real, and a few employees started freaking out and calling me saying their amazon account had been compromised.

I am just trying to understand how these spammers get some of our valid email addresses.  I went into the exchange server management console, to message tracking, and looked at one of the amazon emails...  The recipients listed in the message had about 10 emails listed.  Four of them were valid emails of employees in our company, and the other 6 emails where way off track and not valid emails (although the part was right).  How did the real email addresses even get on the list?  How do I protect our email accounts better so that these spammers don't know our real email accounts?

Also, in Exchange, the sender just says  I know that is not the real address, but how do I see what the real sending address is?

Who is Participating?
roarkincConnect With a Mentor Commented:
lots going on there.  the real address might not be even available, but the real sending server you can get it by looking at the headers of the message.
spammers are looking for valid email address.  it is called directory harvesting when a spammer sends messages to multiple email addresses and figures out which ones are real by checking your servers response (accepted mail means the account is valid, rejected that the account doesn't exist.)
your best way around spam is of course a spam filter either on the exchange box or on your firewall or a service like postini.
regardless of what spam filter you use, spam will get through.  just like viruses, the spammers figure out a new way to get through and it takes time for the spam filters to learn that and start blocking it.

what version of exchange are you running?  2008 has some spam features built in.
also, you can prevent same getting in from your own domain by changing some settings, but to tell you which, i would need to know if any other server can send mail as your domain, like does your web server send a thank you email for customer sign ups.
mrbrain646Connect With a Mentor Commented:
How did the real email addresses even get on the list?
This is most likely caused by infected computers in and outside your network.
Home users with pop or imap email, Iphones, android phones configured with your email settings.
once they get infected they gather all theose email addresses and use them to spoof and send spam.
How do I protect our email accounts better so that these spammers don't know our real email accounts?
This would be difficult but have outside users use rpc/http or owa. disable pop3 imap.
also use barracuda spam firewall is a good anti spam appliance.

in Exchange, the sender just says  I know that is not the real address, but how do I see what the real sending address is?

open the original email in outlook and goto view mentu then options to view the header information.

Dave_LaSalleConnect With a Mentor Commented:
There are a myriad of ways, too many to say here.  But as an example: 60% of connections to an email server may be for "Invalid Users"  they just keep guessing.  Other ways are hacked address books of ppl you send mail to from malware and tracking info in html emails then sold on lists.

Fight spam with a good frontend antispam solution.
You can also check for outgoing spam and viruses to protect your company's reputation.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

jbobstAuthor Commented:
I forgot to mention that we do have the Trend Micro Worry Free Business product for spam on our Exchange server.  It does a fairly good job, but then stuff like this gets in once in awhile...mostly to a select group of users who get the most spam in our company.

We are running Exchange 2003.  Also, we don't have any home users with POP or anything like that.  Just some laptops with cached mode, and some OWA use.  There are a few smart phone users, but I think that is over a secure connection...I think.
Alan HardistyConnect With a Mentor Co-OwnerCommented:
Spammers will target your server and try to harvest the Email Addresses on your server (Directory Harvest Attack) and this is fairly simple to achieve, but you can slow down such an attack from taking a matter of hours to achieve, to taking a number of years by enabling Tar Pitting, which inserts a delay into the responses sent from your server back to the spammer.
Also installing some Good Anti-Spam software that can detect and reject Directory Harvest Attacks is a good idea and if your current software cannot, then it is worthwhile investing in one that can.
To enable Tar Pitting, please have a read of the following: 
tar pitting is a great idea!

your trend micro worry free has an update (about 3-6 months ago i think) that should fix the fake emails from internal addresses.
".mostly to a select group of users who get the most spam in our company."

We have a few users who thought you should click every link in an email that said "To Opt Out - Click Here".  They now receive over 2,000 spam messages a week.  So a little education to your users in this matter could go a long way.
Alan HardistyCo-OwnerCommented:
FYI - Vamsoft ORF - - has built-in Directory Harvest Attack mechanisms and is my preferred Anti-Spam software of choice.  It reduced my spam from 5-6 a week to 5 or 6 a month and protects 95% of my customers servers (one didn't want to miss the odd email from genuine customers with Blacklisted IP Address!!!).
and it only costs $239 per server.
jbobstAuthor Commented:
Thanks for all the advice everyone.  As an update, I was looking in my queues this morning on the exchange server, and there were a bunch of emails from "" trying to go to bogus email addresses.  I found a microsoft article that said that because I didn't have recipient filtering enabled, that any invalid email address sent to our server will be accepted, then a NDR will try to be sent.  So, I enabled recipient filtering this morning, and cleared out the few messages stuck in the queues.  At this point now, I should go ahead and enable tarpitting, as mentioned by some of you in your posts, right?  How many seconds should I set in the registry for the tarpitting setting?  In the microsoft article, it mentions 5 seconds I think.  Should I do it for a longer value?
Alan HardistyCo-OwnerCommented:
Recipient Filtering should definitely be done if not already.
Tar-Pitting will help you fend off spammers trying to run a Directory Harvest Attack and is highly recommended to be setup.
I set Tar-Pitting to 60 seconds on my servers : )
Alan HardistyCo-OwnerCommented:
Check to see if you are listed on -
If you were sending out NDR's to spammers - you will most likely be listed.
jbobstAuthor Commented: reported we were on one list.  I fixed that one.  I will go ahead and set the tar pitting for 60 seconds.  Thanks for the advice!
Alan HardistyCo-OwnerCommented:
You are welcome.  No surprises that you were listed - if you have enabled Recipient Filtering - you should be good to get off
Does Trend Micro work well for you in terms of dealing with spam?
jbobstAuthor Commented:
It seems to do's pretty simple and straight forward with regards to setup/maintenance, so that is a plus.  But, stuff still get's through often.
Alan HardistyCo-OwnerCommented:
I think any anti-spam software will allow spam through - I guess it just depends on the quantity of the ones that make it past the defenses.
If it is happening often - do take a serious look at Vamsoft ORF - it is absolutely brilliant IMHO and in other EE Exchange Experts opinions.
Check out this blog article: 
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.