Putting an end to spam on my network
Posted on 2011-10-11
I am administrating an exchange server that is having problems. There is a ton of spam that seems to be originating from one users computer. We have scanned and cleared his computer of an infection, however, I do not think this is the source of the problem.
I have checked the email headers, and traced it back to some sources:
inetnum: 220.127.116.11 - 18.104.22.168netname: MX80L54-REALdescr: inteleca
DHCP real pool L54country: RUadmin-c: VIK-RIPEtech-c: VIK-RIPEstatus: ASSIGNED PAmnt-by: INTELECA-MNTmnt-lower: INTELECA-MNTmnt-routes: INTELECA-MNTsource: RIPE #Filtered
UpdateDelete person: Vitaliy E. Kretininaddress: Russia, Barnaule-mail: V.Kretinin@inteleca.orgphone: +7(385)2-399502nic-hdl: VIK-RIPEmnt-by: INTELECA-MNTsource: RIPE #Filtered
route: 22.214.171.124/19descr: inteleca networkdescr: Russia, Barnaulorigin: AS21365mnt-by: INTELECA-MNTsource: RIPE #Filtered
inetnum: 126.96.36.199 - 188.8.131.52
descr: IP ADSL static + Cable TV, VoIP VPN
descr: MPLS Leased Line, Data Center , MANE Ha Noi
status: ALLOCATED NON-PORTABLE
changed: firstname.lastname@example.org 20100728
descr: VietNam Post and Telecom Corporation (VNPT)
remarks: mailto: email@example.com
changed: firstname.lastname@example.org 20100810
role: VDC IPADMIN GROUP
address: Internet Building, Block II, Thang Long Inter Village
address: Nguyen Phong Sac str, Cau Giay Dist, Ha Noi
trouble: send spam reports to email@example.com
trouble: and abuse reports to firstname.lastname@example.org
changed: email@example.com 20090325
route: 184.108.40.206/22descr: inteleca-hnet-nskorigin: AS21365mnt-by: INTELECA-MNTsource: RIPE #Filtered
There's about 30+ of these a day to appear like they're coming from one user on the internal exchange 2010 server.
They're from a ton of different sources.
My config at this location:
Server 2008 R2
GFI Essentials (not up to date yet, applying patch later today)
Most windows updates are complete
AVG Mail Server edition 2011 is installed and up to date (we have a licence for 2012, I have to install this)
I'm unsure as to what to do at this point. What sort of email spam is this? (it's usually about foreign brides, or viagra, etc.). Spoofing?