Solved

SPAM how to determine the originator? Exchange 2003

Posted on 2010-09-10
13
900 Views
Last Modified: 2012-05-10
I have two users who have been recieving messages like these for the last couple of days.  I don't think that they are coming from my server.  How do I determine where they are originating from?  


Your message did not reach some or all of the intended recipients.
      Subject:  smiling to you, dear
      Sent:     9/10/2010 7:33 AM
The following recipient(s) could not be reached:
      dta77@hotmail.com on 9/10/2010 7:33 AM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <SNT0-MC3-F30.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (1044235902:3448:-2147467259)>
0
Comment
Question by:bmsjeff
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 166 total points
ID: 33646283
right click on the message and select message options
review the header to determine the origin
the first entry at the top should be your server receiving it and as you go down the last will be the source
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33646346
This assumes that somebody has not forged any of the SMTP header information.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33646372
this is for the hops, not the from
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33646533
view > options > header info.
Copy paste the entire contents into notepad

check the message-id: field
Message-ID: <76131413fe3ae29312fea96dd9fbf5@tifa-5fa7cbaf0b>

If its a exchange server - the part after the @ sign is the mailbox servername.
If its java etc - it is probably scripted through some Java/PHP mailer

now look for this field
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
        by smtp109.mail.tp2.yahoo.com with SMTP; 03 Sep 2010 22:32:18 -0700 PDT

--
what I do is
a) Find the originating server - TIFA in this case.
b) Search for TIFA in the header field.
The IP address next to that = source of spam

--
But these things can be spoofed too.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33646706
I can insert fake from's to make it look like my SMTP server was the middle of the stream instead of the originator of the stream.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33646714
True @ giltjr
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 14

Author Comment

by:bmsjeff
ID: 33648020
Here is the header.
 
spam.txt
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33648064
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
spam
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33648076
most likely someone using hotmail for their relay
0
 
LVL 57

Accepted Solution

by:
giltjr earned 167 total points
ID: 33648109
If  you beleive everything the 1st entry point is:

Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
            by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
            Fri, 10 Sep 2010 11:00:34 +0200 (CEST)

Which means a computer with the IP address of 80.13.64.113 sent them e-mail thru the smtp server mwinf2721.orange.fr

Now are these the header from the e-mail telling you it was rejected?  Or are these the headers from the rejected e-mail?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33648111
all of these headers can be spoofed.

They even have a x- header with spam assassin signature as clean.

------------------
Microsoft Mail Internet Headers Version 2.0

Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);

Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserver.net>
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400

X-Modus-Audit: FALSE;0;0;0

Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
with ESMTP id <B0534444564@mail.spamserver.net> for <info@myserver.com>;

X-Modus-BlackList: x.x.x.x=OK;=OK
X-Modus-Trusted: x.x.x.x=NO
X-Modus-Audit: FALSE;0;0;0
Received: from snt0-omc4-s43.snt0.hotmail.com (snt0-omc4-s43.snt0.hotmail.com [65.54.51.94])
            by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
            for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
             Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
Subject: Delivery Status Notification (Failure)

X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
            required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)

Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
             Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
            by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
            Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
            by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
            Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
            by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
            Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 167 total points
ID: 33648124
To answer your question

This is the source and then it got routed through others (Received From fields)

--------
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
            by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
---------
Can you download a trial of VamSoft ORF
www.vamsoft.com/orfee_features.asp

It provides a before/after scenario and out of the box functionality for backscatter and other spam attacks.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 33648133
This is the header from the e-mail telling you it was rejected.

I have not record of sending the email.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now