Silencer001

Spam from internal network?

Hi everyone,

A customer of mine keeps getting spam emails from info@theirdomain.net to info@theirdomain.net. They are using Trend Micro's Hosted Email Security for their spam. A policy is active to block *@theirdomain.net to *@theirdomain.net.

Normally this would stop the spoofing, but the mails keep getting through. The strange thing is that the mail headers don't point out that this mail is being filtered by Trend Micro. Maybe a client is infected with a virus that keeps sending spam?

This is the mail header from the emails:
 
Received: from 121.96.170.180.BTI.NET.PH (121.96.170.180) by buro.theirdomain.net
 (192.168.0.1) with Microsoft SMTP Server id 8.3.106.1; Wed, 10 Aug 2011
 09:47:56 +0200
Received: from  121.96.170.180 (account <info@theirdomain.net> HELO theirdomain.net)	by
 theirdomain.net (CommuniGate Pro SMTP 5.2.3)	with ESMTPA id 264460314 for
 <info@theirdomain.net>; Wed, 10 Aug 2011 15:48:22 +0800
From: info <info@theirdomain.net>
To: info <info@theirdomain.net>
Date: Wed, 10 Aug 2011 09:48:22 +0200
Subject: Job Proposal
Thread-Topic: Job Proposal
Thread-Index: AcxXMdIw7Kk1fGVnRsaiFRZNzEmdpQ==
Message-ID: <7203926585.5VKXJ9VE285736@ghtpbko.xovsoz.tv>
X-MS-Has-Attach:
X-MS-Exchange-Organization-SenderIdResult: None
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-PRD: theirdomain.net
X-MS-TNEF-Correlator:
received-spf: None (SBS.theirdomain.local: info@theirdomain.net does not designate
 permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0



I hope some of you can shed some light on this.

Kind regards,
Sven
Exchange, AntiSpam, SBS

Last Comment
Cliff Galiher

8/22/2022 - Mon
Miguel Angel Perez Muñoz

This email came from outside: 121.96.170.180

It is a typical spoofed mail address.
Silencer001

ASKER
Ok thanks, just came up with this link: http://www.reputationauthority.org/lookup.php?ip=121.96.170.180&d=yahoo.co.jp

But how come Trend Micro isn't filtering these messages? They don't even show up in the mail headers and our only MX record is pointing to Trend Micro.
Miguel Angel Perez Muñoz

Because the local domain is the same on origin and recipient, and the software supposes that they are internal.

Does your antispam software use RBL? Consider applying it for better results.
Larry Struckmeyer MVP

And check to see if the SPF record is set correctly, or if there even is one.

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
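The header check discussed in this thread, as an added example that is not part of any participant's post: it parses the two Received lines from the question, reports which address handed the message to the internal server, and whether any hop names the filtering service. `filter.example` is a placeholder assumption for the hosted filter's relay host names, which the page does not give.

```python
import email
import ipaddress
import re

# Received lines copied from the question on this page (other headers omitted).
RAW = """\
Received: from 121.96.170.180.BTI.NET.PH (121.96.170.180) by buro.theirdomain.net
 (192.168.0.1) with Microsoft SMTP Server id 8.3.106.1; Wed, 10 Aug 2011
 09:47:56 +0200
Received: from  121.96.170.180 (account <info@theirdomain.net> HELO theirdomain.net)\tby
 theirdomain.net (CommuniGate Pro SMTP 5.2.3)\twith ESMTPA id 264460314 for
 <info@theirdomain.net>; Wed, 10 Aug 2011 15:48:22 +0800
"""

# Assumption: placeholder for the host names the hosted filter relays from.
GATEWAY_MARKERS = ("filter.example",)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hops(raw):
    """Return one dict per Received header, newest (topmost) first."""
    out = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding and tabs
        m = re.search(r"from\s+(.*?)\s+by\s+(.*?)\s+with\s", flat)
        if m:
            # Search only the "from" clause so "id 8.3.106.1" is not taken as an IP.
            ips = IP_RE.findall(m.group(1))
            out.append({"from": m.group(1), "by": m.group(2),
                        "src_ip": ips[-1] if ips else None})
    return out


def assess(raw):
    """Check the newest hop, the only line written by the receiving server."""
    chain = hops(raw)
    via_gateway = any(g in (h["from"] + " " + h["by"]).lower()
                      for h in chain for g in GATEWAY_MARKERS)
    src = chain[0]["src_ip"] if chain else None
    try:
        external = src is not None and ipaddress.ip_address(src).is_global
    except ValueError:  # e.g. an out-of-range octet
        external = False
    return {"via_gateway": via_gateway, "handed_over_by": src,
            "direct_from_internet": external and not via_gateway}


if __name__ == "__main__":
    print(assess(RAW))
```

For the headers in the question this reports that 121.96.170.180 delivered straight to buro.theirdomain.net with no filter hop in the chain, which matches the asker's observation that Trend Micro never appears in the headers.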
ASKER CERTIFIED SOLUTION
Cliff Galiher
