
How to find a SPAM causing email address and incriminating IP

Hi,

Could someone please tell me how to pinpoint the correct IP address and incriminating email address from the diagnostic statement below? It is doing the rounds, sending spam mails and undeliverable messages to a lot of my company directors and VIPs, and is giving me a career nightmare.

Surely there must be some way of exactly pinpointing where these mails are originating from, and the tools required to look up the incriminating address and block them. We use Postini to blacklist these IPs and addresses. I would really be grateful if you could show me, in a step-by-step manner, how to pinpoint the IP and address from all the information given below... I have tried to be as detailed as I could.

Please help.


The mail was:

-----Original Message-----
From: derek@flightbox.co.uk [mailto:derek@flightbox.co.uk]
Sent: 01 May 2011 11:25
To: derek@flightbox.co.uk; pmggiy@flightbox.co.uk
Subject: from Selma

I am a pretty woman, brunette with brown eyes, and I'm looking for an intelligent man to communicate by e-mail, Skype, or on real dates!

My home page: www.rus-flirt.ru


But this mail was being BCC'd to a lot of my directors, and they were also getting the delivery undeliverable message that I have pasted below.

Looking at the internet headers of the above mail, I could see the following:

Received: from scomf05.netintelligence.com(glamf09.netintelligence.com[127.0.0.1]) by mailfilter.iomart.com ; Sun, 01 May 2011 06:55:17 BST
Received: from ppp91-77-94-63.pppoe.mtu-net.ru (ppp91-77-94-63.pppoe.mtu-net.ru [91.77.94.63])
      by scomf05.netintelligence.com (8.12.11.20060308/8.12.11) with ESMTP id p415tHfj031575;
      Sun, 1 May 2011 06:55:17 +0100
Received: from  91.77.94.63 (account <derek@flightbox.co.uk>,
      <pmggiy@flightbox.co.uk> HELO flightbox.co.uk)
      by flightbox.co.uk (CommuniGate Pro SMTP 5.2.3)
      with ESMTPA id 483400727 for <derek@flightbox.co.uk>; Sun, 1 May 2011 08:55:17 +0300
From: <derek@flightbox.co.uk>, <pmggiy@flightbox.co.uk>
To: <derek@flightbox.co.uk>, <pmggiy@flightbox.co.uk>
Subject: from Selma
Date: Sun, 1 May 2011 08:55:17 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: wwhbdibaqv.27
Message-ID: <5721548255.5T6WGRK0407089@ejaok.buowqzgdcfues.tv>


The delivery undeliverable message contained the following text:

Diagnostic information for administrators:

Generating server: spandrel.co.uk

041841@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

66216u58.4679717@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

497711471.09848424568880@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

533443062.22672402586673@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

151697188.04417191320777@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

maxwell@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

134707301.07648652855330@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

394396205.16770264383049@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

1.21679472729091@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

476931300.58214430735365@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

251584825.51305821299631@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

586770124.94625870479038@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

73591m10.2440907@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

397449668.58815074776059@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

928167657@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

724870541.54176135607820@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

8585619.05308958413827@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

499727909.50011262154263@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

003709931.15469690769788@bluetowel.com
#< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP#

Original message headers:

Received: from 200-233-150-101.xf-static.ctbcnetsuper.com.br (200.233.150.101)
 by ex2010.spandrel.co.uk (192.168.84.26) with Microsoft SMTP Server id
 14.0.722.0; Thu, 28 Apr 2011 13:17:01 +0100
Received: from  200.233.150.101 (account 0-wv08.xgbpltbwpzlc@animail.net HELO
 uoygsw.aihqpku.org)      by 200-233-150-101.xf-static.ctbcnetsuper.com.br
 (CommuniGate Pro SMTP 5.2.3)      with ESMTPA id 770282188 for
 397449668.58815074776059@bluetowel.com; Thu, 28 Apr 2011 09:17:24 -0300
From: <no-reply-187@job.com>
To: <397449668.58815074776059@bluetowel.com>, <928167657@bluetowel.com>,
      <73591m10.2440907@bluetowel.com>, <251584825.51305821299631@bluetowel.com>,
      <586770124.94625870479038@bluetowel.com>,
      <499727909.50011262154263@bluetowel.com>,
      <003709931.15469690769788@bluetowel.com>,
      <724870541.54176135607820@bluetowel.com>,
      <8585619.05308958413827@bluetowel.com>,
      <476931300.58214430735365@bluetowel.com>,
      <497711471.09848424568880@bluetowel.com>, <silentbob@bluetowel.com>,
      <533443062.22672402586673@bluetowel.com>, <041841@bluetowel.com>,
      <66216u58.4679717@bluetowel.com>, <151697188.04417191320777@bluetowel.com>,
      <394396205.16770264383049@bluetowel.com>, <1.21679472729091@bluetowel.com>,
      <maxwell@bluetowel.com>, <134707301.07648652855330@bluetowel.com>
Subject: subscribe: n.8746
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <76c7a7c5-dffa-40be-bd34-b87234e18746@EX2010.spandrel.co.uk>
Return-Path: praveen.sasidharan@allianzcornhill.co.in
Date: Thu, 28 Apr 2011 13:17:01 +0100
Received-SPF: Fail (ex2010.spandrel.co.uk: domain of no-reply-187@job.com
 does not designate 200.233.150.101 as permitted sender)
 receiver=ex2010.spandrel.co.uk; client-ip=200.233.150.101;
 helo=200-233-150-101.xf-static.ctbcnetsuper.com.br;
Asked by rax2473

ckeshav commented:
These are invalid bouncebacks that have been forged with the corporation's e-mail addresses by a spammer to hide the real source of the e-mail. They are messages bounced back as undeliverable to senders that never actually sent them.
To avoid this you need to have a good anti-spam solution which supports "Bounce Verification" technology.

If you are using Exchange 2007 or Exchange 2010 then you can enable Anti-Spam on the HUB Server.


Please explain your setup and Exchange environment, version, and whether you have any anti-spam solution in place.

ajpowell74 commented:
Here is a page that will walk you through the process of tracking down (as closely as possible) the point of origin for the spam:
http://www.immune.com/SpamNotFromImmune.Com.html

Sudeep Sharma (Technical Designer) commented:
@rax2473,

If that is the header information, then I could not see that the message has been filtered or came through the Postini system.

It seems that the spammer has targeted your mail server IP address, and your mail server is accepting the emails from the outside. It should accept emails only from the Postini hosts (64.18.0.0).

Here are the few things you should do:
--> On your mail server or on your firewall, accept SMTP connections only from Postini. (Check with Postini for their IP range and allow only that range of IP addresses to pass SMTP traffic.)
--> Also, on your email server (Exchange), don't allow anonymous senders to send emails; only authorized users should send emails.
--> On your firewall, only allow your Exchange server to send emails out, so only allow the Exchange IP address to send SMTP traffic (port 25).

Report back after checking the firewall.

You could also check the Postini message header analyzer to see what Postini has to say about the email spam which you have received.

http://www.google.com/postini/headeranalyzer/

Sudeep
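Putting the two answers above into practice, here is an added example (not from the thread, and not a Postini tool) that reads the NDR's "Original message headers" from the question. It takes the connecting IP only from the lowest Received line written by one of our own servers (ex2010.spandrel.co.uk here; every Received line below that one could have been forged by the sender) and reports the Received-SPF verdict, which is what you would feed into a Postini block list. The trusted-host suffix is an assumption you set to your own mail domain; only the Python standard library is used.

```python
import email
import ipaddress
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the NDR's "Original message headers" from the question, trimmed.
SAMPLE = """Received: from 200-233-150-101.xf-static.ctbcnetsuper.com.br (200.233.150.101)
 by ex2010.spandrel.co.uk (192.168.84.26) with Microsoft SMTP Server id
 14.0.722.0; Thu, 28 Apr 2011 13:17:01 +0100
Received: from  200.233.150.101 (account 0-wv08.xgbpltbwpzlc@animail.net HELO
 uoygsw.aihqpku.org) by 200-233-150-101.xf-static.ctbcnetsuper.com.br
 (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 770282188; Thu, 28 Apr 2011 09:17:24 -0300
Received-SPF: Fail (ex2010.spandrel.co.uk: domain of no-reply-187@job.com
 does not designate 200.233.150.101 as permitted sender)
 receiver=ex2010.spandrel.co.uk; client-ip=200.233.150.101;
"""

def is_global(ip):
    """False for private/loopback IPs and for non-addresses the regex may catch."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def hops(raw):
    """Received headers as (from_ip, by_host), newest first as in the message."""
    out = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", " ".join(value.split()))
        if m:
            ips = [ip for ip in IPV4.findall(m.group(1)) if is_global(ip)]
            out.append((ips[0] if ips else None, m.group(2).lower()))
    return out

def connecting_ip(raw, trusted_suffix):
    """IP that connected to the lowest Received line written BY one of our own
    hosts (trusted_suffix is assumed to be your domain); lines below it are untrusted."""
    ours = [ip for ip, by in hops(raw) if by.endswith(trusted_suffix.lower())]
    return ours[-1] if ours else None

def spf(raw):
    """(result, client-ip) from the Received-SPF header, or None if absent."""
    value = email.message_from_string(raw).get("Received-SPF")
    if not value:
        return None
    flat = " ".join(value.split())
    ip = re.search(r"client-ip=([\d.]+)", flat)
    return flat.split()[0].lower(), ip.group(1) if ip else None
```

For the first header set in the question the same walk points at 91.77.94.63, the host that connected to scomf05.netintelligence.com; the CommuniGate line beneath it is exactly the kind of hop this script ignores.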

rax2473 (Author) commented:
Excellent and to the point - very good help
