Spam query

Hello all,

First off Merry Christmas!

Quick query regarding an interesting spam issue I'm observing at work. We use Exchange 2007 and we have a Proofpoint edge device for spam filtration purposes. For the record - the Proofpoint unit has been great as long as I've used it - approx 10 months - and has generally done a great job at holding spam at bay. It auto updates, and any functional issues are quickly addressed by Proofpoint support.

I hadn't known much about Proofpoint but research and colleague accounts show that it is comparable to a Barracuda unit etc. I'm more used to using 3rd party solutions like Message Labs in previous workplaces.

Anyhow - not sure if the festive season means spammers put in extra hours or something - but we've had one particular email - titled 'RE: CV' - go around like wildfire. It is targeting only some accounts - then sends itself from those same accounts to other members of the sender's contact list. Interestingly enough - it seems to be targeting old addresses mainly - people who are no longer with the business and don't even have an AD or Exchange account anymore.

Basically the behaviour is that it will send itself from internal address 'john@workplace.com' to the same internal address, i.e. 'john@workplace.com', as well as other now stagnant addresses - and it will do it ten times in a row before seemingly taking a rest and pushing off to another account where it will do the same thing over and over.

Virus scans on mail servers etc. have all come up clear. I've checked for any open relays and all the usual processes in these kinds of events but I'm drawing blanks.

It's just got me bedazzled that it's this one single same spam email. The Proofpoint quarantined list shows this email also being blocked many, many times during the same time period - otherwise some of it is trickling through and sending again and again.

Anyone seen this before? Is it a passing thing or something more sinister?

Any advice would be much appreciated! Thanks - Nick.

Funktopus asked:

Alan Hardisty (Co-Owner) commented:
I tend to find Spam drops dramatically around Xmas time, so it could be a virus somewhere that has triggered it.

Can you post a header of one such email that made it through, please.

Alan
Funktopus (Author) commented:
Please find header below (I've put dummy domain names and IPs for obvious reasons):

Received: from spamfilter.testcorp.com.au (192.168.88.240) by
mail.testcorp.com.au (192.168.88.51) with Microsoft SMTP Server id
8.3.137.0; Tue, 28 Dec 2010 07:08:16 +1100
Received: from [178.122.141.228] ([178.122.141.228])     by
spamfilter.testcorp.com.au (8.14.3/8.14.3) with ESMTP id oBRK8XoV019249;
               Tue, 28 Dec 2010 07:08:34 +1100
Date: Tue, 28 Dec 2010 07:08:33 +1100
Message-ID: <201012272008.oBRK8XoV019249@spamfilter.testcorp.com.au>
From: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>,
               <darren@testcorp.com.au>, <dave@testcorp.com.au>,
               <doug@testcorp.com.au>, <enny@testcorp.com.au>,
               <es@testcorp.com.au>, <fernanda@testcorp.com.au>,
               <fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
               <gc@testcorp.com.au>, <gm@testcorp.com.au>
CC: <gymiylv@testcorp.com.au>, <hr@testcorp.com.au>,
               <iciyan@testcorp.com.au>, <gymiylv@testcorp.com.au>,
               <hr@testcorp.com.au>, <iciyan@testcorp.com.au>
To: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>,
               <darren@testcorp.com.au>, <dave@testcorp.com.au>,
               <doug@testcorp.com.au>, <enny@testcorp.com.au>,
               <es@testcorp.com.au>, <fernanda@testcorp.com.au>,
               <fleur@testcorp.com.au>, <gaylin@testcorp.com.au>,
               <gc@testcorp.com.au>, <gm@testcorp.com.au>
Subject: Office/Sales Manager position
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.2.15,1.0.148,0.0.0000
definitions=2010-12-27_10:2010-12-27,2010-12-27,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=88
phishscore=0 bulkscore=100 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-1010190000 definitions=main-1012270106
Return-Path: jgartner@oam-group.com
Alan Hardisty (Co-Owner) commented:
The originating IP seems to be 178.122.141.228 which is listed in 5 IP Address Blacklists:

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:178.122.141.228

IP Information - 178.122.141.228

IP address:                     178.122.141.228
Reverse DNS:                    [No reverse DNS entry per ns-pri.ripe.net.]
Reverse DNS authenticity:       [Unknown]
ASN:                            6697
ASN Name:                       BELPAK-AS (BELPAK)
IP range connectivity:          2
Registrar (per ASN):            RIPE
Country (per IP registrar):     BY [Belarus]
Country Currency:               Unknown
Country IP Range:               178.120.0.0 to 178.127.255.255
Country fraud profile:          High
City (per outside source):      Unknown
Country (per outside source):   -- []
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 178.122.141.228

So - it clearly appears to be spam and should have been picked up by your Anti-Spam device.
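
Alan's reasoning above (walk the Received chain to find the hop that handed the message in from outside, then compare that origin with the internal-looking From address) written out as a small checker. This is an added example, not code from the thread or from Proofpoint; the internal domain, the relay network and the trimmed sample header are assumptions taken from the dummy header the poster gave, and the envelope/From comparison is the relation SPF is evaluated on.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Optional

# Constructed sample: a trimmed copy of the posted header (dummy domain/IPs).
SAMPLE_HEADER = """\
Received: from spamfilter.testcorp.com.au (192.168.88.240) by
 mail.testcorp.com.au (192.168.88.51) with Microsoft SMTP Server id
 8.3.137.0; Tue, 28 Dec 2010 07:08:16 +1100
Received: from [178.122.141.228] ([178.122.141.228]) by
 spamfilter.testcorp.com.au (8.14.3/8.14.3) with ESMTP id oBRK8XoV019249;
 Tue, 28 Dec 2010 07:08:34 +1100
From: <craig.testwood@testcorp.com.au>, <craven@testcorp.com.au>
Subject: Office/Sales Manager position
Return-Path: jgartner@oam-group.com
"""

INTERNAL_DOMAIN = "testcorp.com.au"                        # assumption: our domain
INTERNAL_NETS = [ipaddress.ip_network("192.168.88.0/24")]  # assumption: our relays

# IP of the "from" side of a Received header: "from host (1.2.3.4)" or "from [1.2.3.4]".
FROM_IP_RE = re.compile(r"from\s+\S+\s*\(?\[?(\d{1,3}(?:\.\d{1,3}){3})")

def originating_ip(msg) -> Optional[str]:
    """Walk Received headers newest-first through our own relays; the first hop
    handed in from outside INTERNAL_NETS is the origin. Lower hops may be forged."""
    for hop in msg.get_all("Received", []):
        m = FROM_IP_RE.search(hop)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in INTERNAL_NETS):
            return str(ip)
    return None  # never left our own relays: genuinely internal

def spoof_check(raw_headers: str) -> dict:
    msg = message_from_string(raw_headers)
    from_addrs = [a for _, a in getaddresses([msg.get("From", "")])]
    from_domain = from_addrs[0].rpartition("@")[2].lower() if from_addrs else ""
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    origin = originating_ip(msg)
    return {
        "origin_ip": origin,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "spoofed_internal_sender": from_domain == INTERNAL_DOMAIN and origin is not None,
        "envelope_mismatch": rp_domain != from_domain,
    }
```

On the posted header this reports origin 178.122.141.228, a header From claiming testcorp.com.au, and an envelope sender at oam-group.com, which is why the "internal" sender was never internal at all.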

Funktopus (Author) commented:
Thanks for the assistance Alan. You are correct and had me going in the right direction again. Proofpoint support also confirmed that it is indeed a particular type of spam with spoofing behaviour, hence the internal addressing source - or what was thought to be internal.

They suggested setting up SPF records etc. and some adjustments to the filtering on the in-house edge device - this appears to have stemmed the spam for the moment.

Happy New Year and thanks for the help!

Funktopus (Author) commented:
The solution was more of an indication than an overall solution. The steps required to stem the spam were provided by the hardware vendor.