Silencer001

Spam from internal network?

Hi everyone,

A customer of mine keeps getting spam emails from info@theirdomain.net to info@theirdomain.net. They are using Trend Micro's Hosted Email Security for their spam. A policy is active to block *@theirdomain.net to *@theirdomain.net.

Normally this would stop the spoofing, but the mails keep getting through. The strange thing is that the mail headers don't indicate that this mail is being filtered by Trend Micro. Maybe a client is infected with a virus that keeps sending spam?

This is the mailheader from the emails:
 
Received: from 121.96.170.180.BTI.NET.PH (121.96.170.180) by buro.theirdomain.net
 (192.168.0.1) with Microsoft SMTP Server id 8.3.106.1; Wed, 10 Aug 2011
 09:47:56 +0200
Received: from  121.96.170.180 (account <info@theirdomain.net> HELO theirdomain.net)	by
 theirdomain.net (CommuniGate Pro SMTP 5.2.3)	with ESMTPA id 264460314 for
 <info@theirdomain.net>; Wed, 10 Aug 2011 15:48:22 +0800
From: info <info@theirdomain.net>
To: info <info@theirdomain.net>
Date: Wed, 10 Aug 2011 09:48:22 +0200
Subject: Job Proposal
Thread-Topic: Job Proposal
Thread-Index: AcxXMdIw7Kk1fGVnRsaiFRZNzEmdpQ==
Message-ID: <7203926585.5VKXJ9VE285736@ghtpbko.xovsoz.tv>
X-MS-Has-Attach:
X-MS-Exchange-Organization-SenderIdResult: None
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-PRD: theirdomain.net
X-MS-TNEF-Correlator:
received-spf: None (SBS.theirdomain.local: info@theirdomain.net does not designate
 permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0


I hope some of you can shed some light on this.

Kind regards,
Sven
Miguel Angel Perez Muñoz

This email came from outside: 121.96.170.180

It is a typical spoofing mail address.
Silencer001

ASKER

Ok thanks, just came up with this link: http://www.reputationauthority.org/lookup.php?ip=121.96.170.180&d=yahoo.co.jp

But how come Trend Micro isn't filtering these messages? They don't even show up in the mail headers, and our only MX record is pointing to Trend Micro.

Because the local domain is the same on origin and recipient, the software supposes that they are internal.

Does your antispam software use RBL? Consider applying it for better results.
And check to see if the SPF record is set correctly, or if there even is one.

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
ASKER CERTIFIED SOLUTION
Cliff Galiher