Spam query
Hello all,
First off Merry Christmas!
Quick query regarding an interesting spam issue I'm observing at work. We use Exchange 2007 and we have a Proofpoint edge device for spam filtration purposes. For the record - the Proofpoint unit has been great as long as I've used it - approx 10 months - and has generally done a great job at holding spam at bay. It auto updates, and any functional issues are quickly addressed by Proofpoint support.
I hadn't known much about Proofpoint but research and colleague accounts show that it is comparable to a Barracuda unit etc. I'm more used to using 3rd party solutions like Message Labs in previous workplaces.
Anyhow - not sure if the festive season means spammers put in extra hours or something - but we've had one particular email - titled 'RE: CV' go around like wildfire. It is targeting only some accounts - then sends itself from those same accounts to other members of the sender's contact list. Interesting enough - it seems to be targeting old addresses mainly - people who are no longer with the business and dont even have an AD or Exchange account anymore.
Basically the behaviour is that it will send itself from internal address 'john@workplace.com' to the same internal address ie. 'john@workplace.com' as well as other now stagnant addresses- and it will do it ten times in a row before seemingly taking a rest and pushing off to another account where it will do the same thing over and over.
Virus scans on mail servers etv have all come up clear. I've checked for any open relays and all the usual processes in these kind of events but I'm drawing blanks.
It's just got me bedazzled that it's this one single same spam email. The Proofpoint quarantined list shows this email also being blocked many may times during the same time period - otherwise some of it is trickling through and sending again and again.
Anyone seen this before? Is is a passing thing or something more sinister?
Any advice would go much appreciated! Thanks - Nick.
First off Merry Christmas!
Quick query regarding an interesting spam issue I'm observing at work. We use Exchange 2007 and we have a Proofpoint edge device for spam filtration purposes. For the record - the Proofpoint unit has been great as long as I've used it - approx 10 months - and has generally done a great job at holding spam at bay. It auto updates, and any functional issues are quickly addressed by Proofpoint support.
I hadn't known much about Proofpoint but research and colleague accounts show that it is comparable to a Barracuda unit etc. I'm more used to using 3rd party solutions like Message Labs in previous workplaces.
Anyhow - not sure if the festive season means spammers put in extra hours or something - but we've had one particular email - titled 'RE: CV' go around like wildfire. It is targeting only some accounts - then sends itself from those same accounts to other members of the sender's contact list. Interesting enough - it seems to be targeting old addresses mainly - people who are no longer with the business and dont even have an AD or Exchange account anymore.
Basically the behaviour is that it will send itself from internal address 'john@workplace.com' to the same internal address ie. 'john@workplace.com' as well as other now stagnant addresses- and it will do it ten times in a row before seemingly taking a rest and pushing off to another account where it will do the same thing over and over.
Virus scans on mail servers etv have all come up clear. I've checked for any open relays and all the usual processes in these kind of events but I'm drawing blanks.
It's just got me bedazzled that it's this one single same spam email. The Proofpoint quarantined list shows this email also being blocked many may times during the same time period - otherwise some of it is trickling through and sending again and again.
Anyone seen this before? Is is a passing thing or something more sinister?
Any advice would go much appreciated! Thanks - Nick.
ASKER
Please find header below (I've put dummy domain names and IPs for obvious reasons):
Received: from spamfilter.testcorp.com.au
mail.testcorp.com.au (192.168.88.51) with Microsoft SMTP Server id
8.3.137.0; Tue, 28 Dec 2010 07:08:16 +1100
Received: from [178.122.141.228] ([178.122.141.228]) by
spamfilter.testcorp.com.au
Tue, 28 Dec 2010 07:08:34 +1100
Date: Tue, 28 Dec 2010 07:08:33 +1100
Message-ID: <201012272008.oBRK8XoV0192
From: <craig.testwood@testcorp.c
<darren@testcorp.com.au>, <dave@testcorp.com.au>,
<doug@testcorp.com.au>, <enny@testcorp.com.au>,
<es@testcorp.com.au>, <fernanda@testcorp.com.au>
<fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
<gc@testcorp.com.au>, <gm@testcorp.com.au>
CC: <gymiylv@testcorp.com.au>,
<iciyan@testcorp.com.au>, <gymiylv@testcorp.com.au>,
<hr@testcorp.com.au>, <iciyan@testcorp.com.au>
To: <craig.testwood@testcorp.c
<darren@testcorp.com.au>, <dave@testcorp.com.au>,
<doug@testcorp.com.au>, <enny@testcorp.com.au>,
<es@testcorp.com.au>, <fernanda@testcorp.com.au>
<fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
<gc@testcorp.com.au>, <gm@testcorp.com.au>
Subject: Office/Sales Manager position
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding:
X-Proofpoint-Virus-Version
definitions=2010-12-27_10:
X-Proofpoint-Spam-Details:
phishscore=0 bulkscore=100 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-1010190000 definitions=main-101227010
Return-Path: jgartner@oam-group.com
Received: from spamfilter.testcorp.com.au
mail.testcorp.com.au (192.168.88.51) with Microsoft SMTP Server id
8.3.137.0; Tue, 28 Dec 2010 07:08:16 +1100
Received: from [178.122.141.228] ([178.122.141.228]) by
spamfilter.testcorp.com.au
Tue, 28 Dec 2010 07:08:34 +1100
Date: Tue, 28 Dec 2010 07:08:33 +1100
Message-ID: <201012272008.oBRK8XoV0192
From: <craig.testwood@testcorp.c
<darren@testcorp.com.au>, <dave@testcorp.com.au>,
<doug@testcorp.com.au>, <enny@testcorp.com.au>,
<es@testcorp.com.au>, <fernanda@testcorp.com.au>
<fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
<gc@testcorp.com.au>, <gm@testcorp.com.au>
CC: <gymiylv@testcorp.com.au>,
<iciyan@testcorp.com.au>, <gymiylv@testcorp.com.au>,
<hr@testcorp.com.au>, <iciyan@testcorp.com.au>
To: <craig.testwood@testcorp.c
<darren@testcorp.com.au>, <dave@testcorp.com.au>,
<doug@testcorp.com.au>, <enny@testcorp.com.au>,
<es@testcorp.com.au>, <fernanda@testcorp.com.au>
<fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
<gc@testcorp.com.au>, <gm@testcorp.com.au>
Subject: Office/Sales Manager position
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding:
X-Proofpoint-Virus-Version
definitions=2010-12-27_10:
X-Proofpoint-Spam-Details:
phishscore=0 bulkscore=100 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-1010190000 definitions=main-101227010
Return-Path: jgartner@oam-group.com
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the assistance Alan. You are correct and had me going in the right direction again. Proofpoint support also confirmed that it is indeed a particular type of spam with spoofing behavior hence the internal addressing source - or so thought as being internal.
They suggested setting up SPF records etc and some adjustments to the filtering on the in house edge device - this has appeared to stem the spam for the moment.
Happy New Year and thanks for the help!
They suggested setting up SPF records etc and some adjustments to the filtering on the in house edge device - this has appeared to stem the spam for the moment.
Happy New Year and thanks for the help!
ASKER
Solution was more an indication than overall solution. Steps required to stem the spam was provided by the hardware vendor.
Can you post a header of one such email that made it through please.
Alan