  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 889

Putting an end to spam on my network

I am administrating an Exchange server that is having problems.  There is a ton of spam that seems to be originating from one user's computer.  We have scanned and cleared his computer of an infection; however, I do not think this is the source of the problem.

I have checked the email headers, and traced it back to some sources:
212.74.220.224
inetnum:        212.74.220.0 - 212.74.221.255
netname:        MX80L54-REAL
descr:          inteleca
                DHCP real pool L54
country:        RU
admin-c:        VIK-RIPE
tech-c:         VIK-RIPE
status:         ASSIGNED PA
mnt-by:         INTELECA-MNT
mnt-lower:      INTELECA-MNT
mnt-routes:     INTELECA-MNT
source:         RIPE #Filtered

person:         Vitaliy E. Kretinin
address:        Russia, Barnaul
e-mail:         V.Kretinin@inteleca.org
phone:          +7(385)2-399502
nic-hdl:        VIK-RIPE
mnt-by:         INTELECA-MNT
source:         RIPE #Filtered

route:          212.74.192.0/19
descr:          inteleca network
descr:          Russia, Barnaul
origin:         AS21365
mnt-by:         INTELECA-MNT
source:         RIPE #Filtered

113.162.167.46
inetnum:        113.162.0.0 - 113.162.255.255
netname:        VNPT-NET
country:        vn
descr:          IP ADSL static + Cable TV, VoIP VPN
descr:          MPLS Leased Line, Data Center , MANE Ha Noi
admin-c:        VIG1-AP
tech-c:         VIG1-AP
status:         ALLOCATED NON-PORTABLE
changed:        hm-changed@vnnic.net.vn 20100728
mnt-by:         MAINT-VN-VNPT
source:         APNIC
route:          113.162.160.0/19
descr:          VietNam Post and Telecom Corporation (VNPT)
descr:          VNPT-AS-AP
country:        VN
origin:         AS45899
remarks:        mailto: noc@vnn.vn
notify:         hm-changed@vnnic.net.vn
mnt-by:         MAINT-VN-VNPT
changed:        hm-changed@vnnic.net.vn 20100810
source:         APNIC
role:         VDC IPADMIN GROUP
address:      Internet Building, Block II, Thang Long Inter Village
address:      Nguyen Phong Sac str, Cau Giay Dist,  Ha Noi
country:      VN
phone:        +84-912-800008
fax-no:       +84-4-9430427
e-mail:       hathm@vdc.com.vn
trouble:      send spam reports to abuse@vdc.com.vn
trouble:      and abuse reports to abuse@vnn.vn
admin-c:      THMH1-AP
tech-c:       THMH1-AP
nic-hdl:      VIG1-AP
notify:       hm-changed@vnnic.net.vn
mnt-by:       MAINT-VN-VNPT
changed:      hm-changed@vnnic.net.vn 20090325
source:       APNIC

route:          212.74.220.0/22
descr:          inteleca-hnet-nsk
origin:         AS21365
mnt-by:         INTELECA-MNT
source:         RIPE #Filtered

There are about 30+ of these a day that appear to come from one user on the internal Exchange 2010 server.
They come from a ton of different sources.

My config at this location:
Exchange 2010
Server 2008 R2
GFI Essentials (not up to date yet, applying patch later today)
Most windows updates are complete
AVG Mail Server edition 2011 is installed and up to date (we have a licence for 2012, I have to install this)

I'm unsure as to what to do at this point.  What sort of email spam is this? (it's usually about foreign brides, or viagra, etc.).  Spoofing?
0
Asked: mgedlaman

2 Solutions
 
mgedlaman (Author) commented:
I have a feeling that if I start emailing the server admins, I will end up generating more spam... that, and there's a ton of IP addresses this email is coming from.
0
 
mgedlaman (Author) commented:
Also, how do I prevent our server from becoming "infected" and start spamming out other companies?
0
 
mgedlaman (Author) commented:
I noticed his password is also pretty weak (4 numbers followed by 4 letters, all lower cased, no symbols).  Could this also be the source of the problem?
0
 
mgedlaman (Author) commented:
One suggestion was SPF; I'm looking for a manual now to see whether it's already set up (perhaps incorrectly) or not.
0
 
Neil Russell (Technical Development Lead) commented:
Firstly have you checked for your server being an open relay?
Do exchange logs show the email originating internally?
Can you verify the above?
0
 
mgedlaman (Author) commented:
I have confirmed with a web service that it is not a relay open to the rest of the internet.

Yes, the exchange logs show it coming from his email address, however the client IP and hostname do not match his computer information.
I tracked the IP address to Poland...and his computer is here in Canada...
0
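Neil's question (do the Exchange logs show the mail originating internally?) and the asker's answer (the logs show the user's address, but the client IP and hostname are not his machine) describe a check that can be run over the message-tracking log rather than by eye. The following is an added example, not code from the thread or from Exchange or GFI: it takes records shaped like Exchange 2010 message-tracking rows (the field names EventId, Source, Sender, ClientIp, ClientHostname and ConnectorId are the tracking-log column names; the rows themselves are constructed) and returns the RECEIVE events that claim an internal sender but were handed to the server by an IP outside the internal ranges. The domain example.ca and the 192.168.10.0/24 range are placeholders for the asker's own values.

```python
"""Triage message-tracking records: find mail that claims an internal sender
but reached the server over SMTP from an IP that is not on the LAN."""
import ipaddress

# Constructed sample rows modelled on Exchange 2010 message-tracking-log
# columns. Values are illustrative and not taken from the thread.
SAMPLE_RECORDS = [
    {"Timestamp": "2011-10-03T08:12:05", "EventId": "RECEIVE", "Source": "SMTP",
     "Sender": "bob@example.ca", "ClientIp": "192.168.10.25",
     "ClientHostname": "BOB-PC", "ConnectorId": "EX01\\Default EX01"},
    {"Timestamp": "2011-10-03T08:14:41", "EventId": "RECEIVE", "Source": "SMTP",
     "Sender": "bob@example.ca", "ClientIp": "203.0.113.77",
     "ClientHostname": "dyn-77.example.net", "ConnectorId": "EX01\\Default EX01"},
    {"Timestamp": "2011-10-03T08:15:02", "EventId": "RECEIVE", "Source": "SMTP",
     "Sender": "partner@example.org", "ClientIp": "198.51.100.9",
     "ClientHostname": "mx.example.org", "ConnectorId": "EX01\\Default EX01"},
    {"Timestamp": "2011-10-03T08:16:30", "EventId": "SEND", "Source": "SMTP",
     "Sender": "bob@example.ca", "ClientIp": "192.168.10.5",
     "ClientHostname": "EX01", "ConnectorId": "Internet"},
]

# Placeholder internal range and mail domain; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
INTERNAL_DOMAIN = "example.ca"


def is_internal_ip(ip_text, nets=INTERNAL_NETS):
    """True when ip_text parses as an address inside one of the internal nets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_spoofed_internal(records, domain=INTERNAL_DOMAIN, nets=INTERNAL_NETS):
    """Return RECEIVE-over-SMTP events whose sender claims our domain but whose
    connecting client IP is not an internal address."""
    hits = []
    for r in records:
        if r["EventId"] != "RECEIVE" or r["Source"] != "SMTP":
            continue
        sender_domain = r["Sender"].rpartition("@")[2].lower()
        if sender_domain != domain.lower():
            continue
        if not is_internal_ip(r["ClientIp"], nets):
            hits.append(r)
    return hits


def summarize(records):
    """Count suspicious messages per connecting IP, the list you would hand to
    the filter or use to decide whether the account itself is being abused."""
    by_ip = {}
    for r in find_spoofed_internal(records):
        by_ip[r["ClientIp"]] = by_ip.get(r["ClientIp"], 0) + 1
    return by_ip


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_RECORDS).items():
        print(f"{ip}: {n} message(s) claiming @{INTERNAL_DOMAIN}")
```

A hit here means the envelope sender was forged from outside, not that the user's workstation sent anything; a compromised mailbox would instead show authenticated submissions from outside IPs, which is why the password still deserves attention even when the logs point at spoofing.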
 
mgedlaman (Author) commented:
Thank you for responding.  In the meantime, I have spoken to GFI support and setup their SPF record support as it was not turned on.  Also, I noticed that all internal email addresses were whitelisted.
0
 
5g6tdcv4 commented:
For starters, I would change that user's password. Their account may have been compromised, and spam senders would be able to send email through your server as if they were that user.
What does mxtoolbox.com SMTP diagnostics return?
0
 
mgedlaman (Author) commented:
Thank you, I will do.

 OK - 204.191.xxx.xx resolves to mail.xxx.ca
 Warning - Reverse DNS does not match SMTP Banner
 0 seconds - Good on Connection time
 Not an open relay.
 5.445 seconds - Warning on Transaction time
0
 
Neil Russell (Technical Development Lead) commented:
It sounds very much as if this is just plain and simple spoofed spam email. It does not originate on your network, and you will do little more than the SPF record to stop it. Changing the user's password will almost certainly make NO difference at all. The spam is NOT really from your user's account.
0
 
aleghart commented:
I second Neilsr.  Spoofed email is hard to kill unless you enforce SPF lookups.  Then, you can set GFI or any other mail filter to _only_ receive mail from your domain if it is sent from a valid IP address or FQDN listed in your DNS TXT record for SPF.

This, of course, means that other messages using your domain will be booted.  This could be from home users, remote admin services, firewall devices, web page referrals where you type your address as the 'from', e-commerce servers not explicitly listed in your DNS.

GFI does whitelist your existing users by default.  I suspended RBL filtering for a couple of days, and I've been deluged by spam from myself...looking for love in all the wrong places.

RBLs are one way to block SMTP traffic before message delivery, but they can block people from whom you _do_ want mail, but happened to be blacklisted for a temporary virus, or collateral damage when larger subnets are listed.  When you reject the traffic before SMTP, there is no "spam box" into which you can search for missing messages.  They just don't show up, and your users (and customers/vendors) won't know why.
0
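Neil's and aleghart's advice comes down to one rule: evaluate the sender's SPF record against the IP that actually connected, and refuse mail that claims your own domain unless that check passes. The block below is an added example, not code from the thread, from GFI or from Exchange. It is a deliberately reduced SPF (RFC 7208) evaluator over a constructed DNS table: it handles ip4, ip6, include and all with the four qualifiers, enforces the ten-lookup budget so a self-including record ends in permerror rather than a loop, and leaves a, mx, exists and redirect out. The domain example.ca, the host spf.mailhost.example and the address ranges are placeholders, not the asker's real records.

```python
"""Minimal SPF evaluator plus the inbound policy discussed above: mail claiming
our own domain is accepted only on an SPF pass; everyone else is rejected only
on a hard fail, so the blanket deny is limited to our own name."""
import ipaddress

# Constructed TXT records standing in for real DNS. example.ca plays the
# asker's domain; loop.example shows the lookup-budget guard.
DNS_TXT = {
    "example.ca": ["v=spf1 ip4:204.191.0.0/24 include:spf.mailhost.example -all"],
    "spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns=DNS_TXT):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in dns.get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(client_ip, domain, dns=DNS_TXT, _budget=None):
    """Evaluate SPF for client_ip sending as domain.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if _budget is None:
        _budget = [10]  # RFC 7208 caps DNS-querying mechanisms at 10 per check
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # first colon only, so ip6 keeps its value
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            sub = check_spf(client_ip, value, dns, _budget)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, redirect are not modelled here
    return "neutral"  # nothing matched and the record has no 'all' term


def inbound_decision(envelope_from, client_ip, our_domain="example.ca", dns=DNS_TXT):
    """Apply the filter rule: our own domain needs a pass; others fail only on fail."""
    sender_domain = envelope_from.rpartition("@")[2].lower()
    result = check_spf(client_ip, sender_domain, dns)
    if sender_domain == our_domain.lower():
        return ("accept" if result == "pass" else "reject"), result
    if result == "fail":
        return "reject", result
    return "accept", result


if __name__ == "__main__":
    for sender, ip in [("bob@example.ca", "204.191.0.10"),
                       ("bob@example.ca", "203.0.113.77"),
                       ("someone@unknown.example", "203.0.113.77")]:
        print(sender, ip, inbound_decision(sender, ip))
```

The second case in the usage loop is the thread's situation: an outside IP claiming the local domain gets fail and is rejected. The cost aleghart describes shows up in the same function: any legitimate device that sends as @example.ca but is missing from the record (a firewall, a web form, a home user) lands in the same reject branch until it is added to the TXT record.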
 
mgedlaman (Author) commented:
So, what you two are saying is that I can set up the SPF, which should help some, but if I set the settings too high, then I will end up screwing myself?

What about contacting the administrators that are looking after the systems that are sending the spam?  Are they looking after compromised systems, or are they the ones that are responsible?
0
 
aleghart commented:
>What about contacting the administrators that are looking after the systems that are sending the spam?

In foreign countries, especially schools, it's useless.  The language barrier is huge.  At schools, the inmates are running the asylum.

I don't know how much spam you get, but our average is 60-85% spam to non-spam, depending on the day and the hour.  I used to contact primary ISPs, upstream ISPs and research for the admin of the subnet or actual mail server.  Consumed far too many hours of the day, and did not reduce the spam.  For every 1 admin you actually reach, there are dozens more bots and home users and temporary virus infections that are out of anyone's direct control.

Better to spend that time on fine-tuning the filtering and archiving functions so that you still retain copies of mail that are filtered, and have a means of user retrieval.  Then, you can turn up the filtering on the server.

> if I set the settings too high, then I will end up screwing myself?

Temporarily.  Murphy's Law of SMTP, I guess.  You never know what or whom you've authorized to use your email address, until you make that blanket _deny_.  Then you start wondering where your firewall alerts disappeared to.  You can't catch everything.
0
 
mgedlaman (Author) commented:
Thank you Neilsr for sticking in with me, and thank you goes to Aleghart for finishing up in the end.

Good advice gentlemen :)

Sorry for taking my sweet time to get back to you.  With the password change, and turning on the GFI SPF, life is good now :)
0
