Funktopus (Australia) asked:

Spam query

Hello all,

First off Merry Christmas!

Quick query regarding an interesting spam issue I'm observing at work. We use Exchange 2007 and we have a Proofpoint edge device for spam filtration purposes. For the record - the Proofpoint unit has been great as long as I've used it - approx 10 months - and has generally done a great job at holding spam at bay. It auto updates, and any functional issues are quickly addressed by Proofpoint support.

I hadn't known much about Proofpoint but research and colleague accounts show that it is comparable to a Barracuda unit etc. I'm more used to using 3rd party solutions like Message Labs in previous workplaces.

Anyhow - not sure if the festive season means spammers put in extra hours or something - but we've had one particular email - titled 'RE: CV' go around like wildfire. It is targeting only some accounts - then sends itself from those same accounts to other members of the sender's contact list. Interestingly enough - it seems to be targeting old addresses mainly - people who are no longer with the business and don't even have an AD or Exchange account anymore.

Basically the behaviour is that it will send itself from internal address 'john@workplace.com' to the same internal address ie. 'john@workplace.com' as well as other now stagnant addresses- and it will do it ten times in a row before seemingly taking a rest and pushing off to another account where it will do the same thing over and over.

Virus scans on mail servers etc. have all come up clear. I've checked for any open relays and all the usual processes in these kinds of events but I'm drawing blanks.

It's just got me bedazzled that it's this one single same spam email. The Proofpoint quarantined list shows this email also being blocked many, many times during the same time period - otherwise some of it is trickling through and sending again and again.

Anyone seen this before? Is it a passing thing or something more sinister?

Any advice would go much appreciated! Thanks - Nick.
Alan Hardisty (United Kingdom):

I tend to find Spam drops dramatically around Xmas time, so it could be a virus somewhere that has triggered it.

Can you post a header of one such email that made it through please.

Alan
Funktopus (asker):

Please find header below (I've put dummy domain names and IPs for obvious reasons):

Received: from spamfilter.testcorp.com.au (192.168.88.240) by
mail.testcorp.com.au (192.168.88.51) with Microsoft SMTP Server id
8.3.137.0; Tue, 28 Dec 2010 07:08:16 +1100
Received: from [178.122.141.228] ([178.122.141.228])     by
spamfilter.testcorp.com.au (8.14.3/8.14.3) with ESMTP id oBRK8XoV019249;
               Tue, 28 Dec 2010 07:08:34 +1100
Date: Tue, 28 Dec 2010 07:08:33 +1100
Message-ID: <201012272008.oBRK8XoV019249@spamfilter.testcorp.com.au>
From: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>,
               <darren@testcorp.com.au>, <dave@testcorp.com.au>,
               <doug@testcorp.com.au>, <enny@testcorp.com.au>,
               <es@testcorp.com.au>, <fernanda@testcorp.com.au>,
               <fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
               <gc@testcorp.com.au>, <gm@testcorp.com.au>
CC: <gymiylv@testcorp.com.au>, <hr@testcorp.com.au>,
               <iciyan@testcorp.com.au>, <gymiylv@testcorp.com.au>,
               <hr@testcorp.com.au>, <iciyan@testcorp.com.au>
To: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>,
               <darren@testcorp.com.au>, <dave@testcorp.com.au>,
               <doug@testcorp.com.au>, <enny@testcorp.com.au>,
               <es@testcorp.com.au>, <fernanda@testcorp.com.au>,
               <fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
               <gc@testcorp.com.au>, <gm@testcorp.com.au>
Subject: Office/Sales Manager position
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.2.15,1.0.148,0.0.0000
definitions=2010-12-27_10:2010-12-27,2010-12-27,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=88
phishscore=0 bulkscore=100 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-1010190000 definitions=main-1012270106
Return-Path: jgartner@oam-group.com
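Reading the posted header the way a defender would: the lowest Received: line is the hop the organisation's own spam filter recorded, and it shows the message arriving from an external IP (178.122.141.228) while the From: addresses claim the internal domain and the Return-Path: points at a third domain. The following is an added Python example, not part of the original thread, that automates exactly that comparison. The sample header is a constructed excerpt modelled on the one above (same dummy domains and IPs); the internal address range 192.168.0.0/16 and the list of internal domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from ipaddress import ip_address, ip_network

# Constructed excerpt of the header posted above (dummy domains and IPs;
# continuation lines are folded with leading whitespace so the parser joins them).
SAMPLE_HEADER = """\
Received: from spamfilter.testcorp.com.au (192.168.88.240) by
 mail.testcorp.com.au (192.168.88.51) with Microsoft SMTP Server id
 8.3.137.0; Tue, 28 Dec 2010 07:08:16 +1100
Received: from [178.122.141.228] ([178.122.141.228]) by
 spamfilter.testcorp.com.au (8.14.3/8.14.3) with ESMTP id oBRK8XoV019249;
 Tue, 28 Dec 2010 07:08:34 +1100
From: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>
To: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>
Subject: Office/Sales Manager position
Return-Path: jgartner@oam-group.com

"""

# Assumptions: the organisation's own mail domain and the LAN range that
# sits behind the spam filter.
INTERNAL_DOMAINS = {"testcorp.com.au"}
INTERNAL_NETS = [ip_network("192.168.0.0/16")]

# "from <host> ... <ipv4> ... by" inside a Received: header; re.S spans folded lines.
FROM_IP = re.compile(r"\bfrom\b.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b.*?\bby\b", re.S)


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def entry_hop_ip(received_headers):
    """IP the message came from at the earliest hop. Each MTA prepends its own
    Received: line, so the last one in the list is the hop our edge recorded."""
    if not received_headers:
        return None
    match = FROM_IP.search(received_headers[-1])
    return match.group(1) if match else None


def is_internal_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(raw_headers):
    """Return the entry IP, the claimed domains and a list of findings that
    point to a spoofed internal sender rather than a compromised mailbox."""
    msg = message_from_string(raw_headers)
    origin = entry_hop_ip(msg.get_all("Received") or [])
    from_domains = {domain_of(a) for _, a in getaddresses(msg.get_all("From") or [])}
    from_domains.discard("")
    rp_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    claims_internal = bool(from_domains & INTERNAL_DOMAINS)

    findings = []
    if claims_internal and origin and not is_internal_ip(origin):
        findings.append(f"From: claims an internal domain but the message entered from external IP {origin}")
    if claims_internal and rp_domain and rp_domain not in INTERNAL_DOMAINS:
        findings.append(f"Return-Path: domain {rp_domain} does not match the From: domain")
    return {
        "origin_ip": origin,
        "from_domains": sorted(from_domains),
        "return_path_domain": rp_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyse(SAMPLE_HEADER)["findings"]:
        print("finding:", finding)
```

Run against the sample, both findings fire: the message never touched an internal mailbox, which is why the virus scans and open-relay checks came back clean. Treat the check as a triage heuristic rather than a verdict; legitimate mail from outsourced senders that use the internal domain would trip it too, which is the case a published SPF record is meant to describe explicitly.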
ASKER CERTIFIED SOLUTION
Alan Hardisty (United Kingdom):

(answer hidden behind membership login)

Funktopus (asker):

Thanks for the assistance Alan. You are correct and had me going in the right direction again. Proofpoint support also confirmed that it is indeed a particular type of spam with spoofing behaviour, hence the internal addressing source - or so it appeared, as being internal.

They suggested setting up SPF records etc and some adjustments to the filtering on the in house edge device - this has appeared to stem the spam for the moment.

Happy New Year and thanks for the help!

Solution was more an indication than an overall solution. Steps required to stem the spam were provided by the hardware vendor.
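The vendor's suggestion of publishing SPF records addresses the spoofing seen in the posted header: the organisation states in DNS which IPs may send mail for its domain, and a receiving filter can then reject or score down a message whose connecting IP is not on that list. The following is an added Python example, not the thread's own material, of a deliberately minimal SPF evaluator: it handles ip4, ip6, include and all with their qualifiers, and skips the mechanisms that need live DNS (a, mx, ptr, exists, redirect, macros). The records and the public addresses (RFC 5737 documentation ranges) are constructed; the domain names other than testcorp.com.au are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS TXT answers for a small zone. 203.0.113.10 stands in for the
# public address of the organisation's outbound gateway; the include: points at
# an assumed outsourced mailer. lax.example shows a record that protects nothing.
SPF_RECORDS = {
    "testcorp.com.au": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/29 "
                       "include:_spf.outsourced-mailer.example -all",
    "_spf.outsourced-mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "lax.example": "v=spf1 ip4:203.0.113.10 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying terms; used here as a recursion guard


def check_spf(ip, domain, records, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.
    Returns one of pass / fail / softfail / neutral / none."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > MAX_INCLUDE_DEPTH:
        return "none"
    addr = ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":                     # "all" always matches: the record's default
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a bare address becomes a /32 or /128 network; mixed versions never match
            if addr in ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record would return pass
            if check_spf(ip, value, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists, redirect would need DNS lookups: ignored in this toy
    return "neutral"                          # no term matched and no "all" present


def explain(ip, domain, records):
    """Human-readable one-liner for a filter log or a triage note."""
    return f"{ip} sending as {domain}: spf={check_spf(ip, domain, records)}"


if __name__ == "__main__":
    # the entry-hop IP from the posted header versus the real gateway
    print(explain("178.122.141.228", "testcorp.com.au", SPF_RECORDS))
    print(explain("203.0.113.10", "testcorp.com.au", SPF_RECORDS))
    print(explain("178.122.141.228", "lax.example", SPF_RECORDS))
```

Two caveats follow directly from the posted header. First, SPF is defined over the envelope sender (the MAIL FROM, reflected in Return-Path:), and that header shows oam-group.com there, not the internal domain; catching the forged From: header as well depends on the receiving filter also checking that field, which is the "adjustments to the filtering on the in house edge device" part of the vendor's advice. Second, a record ending in ?all or +all (lax.example above) yields neutral for the spoofing IP, so it gives the filter nothing to act on; only -all or ~all does.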