Solved

Spam Email Headers

Posted on 2011-03-01
11
1,246 Views
Last Modified: 2012-05-11
Guys, we have a constant SPAMMING issue, where someone within the organisation is spamming our mail server (its been ongoing for weeks now)

I have looked inside the header of the spam email and found the following

Received: from User by nepeaneng.com.au
      (MDaemon.PRO.v7.1.2.R)
      with ESMTP id md50002621363.msg
      for <jhn.andrew1@gmain.com>; Wed, 02 Mar 2011 15:19:01 +1100
Reply-To: <barclaysfundtra @aol.com>
From: "Firdous Amin"<chengvincent@live.com>
Subject: Private
Date: Tue, 1 Mar 2011 23:19:00 -0800
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Authenticated-Sender: roberts@nepeaneng.com.auX-Spam-Processed: mail.nepeaneng.com.au, Wed, 02 Mar 2011 15:19:01 +1100
      
X-MDRemoteIP: 61.164.40.151
X-Return-Path: chengvincent@live.com
X-MDaemon-Deliver-To: jhn.andrew1@gmain.com

The valid account here is roberts@nepeaneng.com.au. I found his computer and turned it off. Still the spamming continues. How do I rid myself of this nuisence? If thats the email that it is using to drop its payload, why is it when I kill his local lan access, the spamming persists?

chengvincent@live.com is the email sender that is spoofing

Any help would be appreciated.
0
Comment
Question by:Network_Padawan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +1
11 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35014605
61.164.40.151 comes back as:
inetnum:      61.164.40.144 - 61.164.40.159
netname:      HZ-DINGDIAN-FINANCIAL-LTD
country:      CN
descr:        Hangzhou Dingdian Financial net Ltd.

It's not your IP or live.com's IP.  Unless you have customers there, you could possibly block that IP.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 35014913
Mdaemon has many checking facilities to not accept Spam.  Just by checking whether the Sender correlates with the Sender's IP (in a similar way to what DaveBaldwin did manually) you can check whether to accept email from that person or not.  Mdaemon can be setup also to look at BlackLists and reject anything that emanates from an IP on one of those lists.  That IP is pretty well-known as a Spam source, see here:-

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a61.164.40.151
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 35014932
These things are all under Mdaemon's Security menu.  Look for DNS-BL (for BlackList checking) under Spam Filter; and under Security Settings there are many useful tools, look at Reverse Lookups in particular for your problem.  Be careful before ticking any box marked "caution".
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 35015034
Please have a read of my article that should help you sort out your problem (you sound like you are an authenticated relay):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

If the sender is roberts@nepeaneng.com.au - please change his password to a much stronger one then restart the SMTP Service and then have a read of my blogs:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:Network_Padawan
ID: 35022845
Great thanks guys, Im looking into this now and hope I can resolve this today as user complaints are stressing me out.  I have been managing the queue myself for the past few days (pain in the xxxx!)

Spam is not a license product on our Mail Daemon. We are going to get rid of Mdaemon soon so management does not want to pay for a license. So that solution is not available.

I have changed the users password and it seems to have stopped the spamming. Will see how it goes for the next 24 hours before considering this solved.

Thanks guys.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35022940
Sounds good - if you still have mail in the queues you want rid of (and sorry if I am too late), download aqadmcli.exe and use that to zap the queues in no time at all.

ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

Usage instructions:

http://community.spiceworks.com/how_to/show/267
0
 

Author Comment

by:Network_Padawan
ID: 35023294
THanks Alan, appreciated. Can I just ask you a quick question, when we put exchange in place, and we are hit with the same issue, does exchange have the same tools and utlities to manage the queues and resolve these issues. Mail Daemon seems really good in terms of the number of tools it has for management, is exchange the poorer product?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35023320
I've not seen it happen to Exchange 2007 / 2010 yet so not sure what would happen.  Exchange 2010 is much improved over 2003 and very different.

Don't know Mail Daemon so can't comment I'm afraid.  Exchange has plenty of tools available and lots of 3rd party stuff too.
0
 

Author Comment

by:Network_Padawan
ID: 35023552
Can you recommend some of the 3rd party tools?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35023575
What would you be looking for the tools to do?
0
 

Author Closing Comment

by:Network_Padawan
ID: 35048009
Thanks Alan, your response was comprehensive and provided the solution, so I am giving you sole points.

Thanks for replying.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AD - Domain Admins Group - Track changes 4 56
Emails sent from iPhone rejected as spam 29 115
Gmail with domain mail 8 34
DNS record 4 28
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question