Spam email bursts - How do I stop it?

I am trying to understand what has happened to one of our users now two weeks in a row. Last Monday morning, from midnight on, he received about 20-30 random emails that had subject lines like "FW: Mail delivery failed: returned message to sender". They all seemed to have the .ru domain, which is Romania I think. After about 8am, he only got about one more email. Today, he had the same problem... a bunch of these emails in his inbox in the early morning hours, which have now tapered off late morning. Without simply blocking all emails from the .ru domain, is there a way I can get to the bottom of this? Why is his email even targeted? These emails aren't even trying to "sell" him anything; they just look like rejection emails. I can't figure out what their purpose is, or even if it's malicious. We have our own Exchange 2003 server, by the way. Here is the body of one of the emails, with my real domain name replaced with mydomain (and user@mydomain.com):

Microsoft Mail Internet Headers Version 2.0
Received: from ant1.farpost.ru ([80.92.162.140]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Mon, 5 Dec 2011 05:59:55 -0700
Received: from mailnull by ant1.farpost.ru with local (Exim 4.69)
      id 1RXY9E-0007cG-AC
      for user@mydomain.com; Mon, 05 Dec 2011 23:59:56 +1100
X-Failed-Recipients: kiril@grasp.ru,
  kira@grasp.ru,
  kir@grasp.ru,
  kip@grasp.ru,
  king@grasp.ru,
  kina@grasp.ru,
  khe@grasp.ru,
  khazovam@grasp.ru,
  khazova@grasp.ru,
  khar@grasp.ru
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@ant1.farpost.ru>
To: user@mydomain.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1RXY9E-0007cG-AC@ant1.farpost.ru>
Date: Mon, 05 Dec 2011 23:59:56 +1100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ant1.farpost.ru
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: <>
X-OriginalArrivalTime: 05 Dec 2011 12:59:55.0953 (UTC) FILETIME=[C9640210:01CCB34D]
X-TM-AS-Product-Ver: SMEX-8.6.0.1374-6.800.1017-18560.004
X-TM-AS-Result: No--3.553400-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No


-----Original Message-----
From: Mail Delivery System [mailto:Mailer-Daemon@ant1.farpost.ru]
Sent: Monday, December 05, 2011 6:00 AM
To: User
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  kiril@grasp.ru
    SMTP error from remote mail server after RCPT TO:<kiril@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <kiril@grasp.ru>, Recipient unknown
  kira@grasp.ru
    SMTP error from remote mail server after RCPT TO:<kira@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <kira@grasp.ru>, Recipient unknown
  kir@grasp.ru
    SMTP error from remote mail server after RCPT TO:<kir@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <kir@grasp.ru>, Recipient unknown
  kip@grasp.ru
    SMTP error from remote mail server after RCPT TO:<kip@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <kip@grasp.ru>, Recipient unknown
  king@grasp.ru
    SMTP error from remote mail server after RCPT TO:<king@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <king@grasp.ru>, Recipient unknown
  kina@grasp.ru
    SMTP error from remote mail server after RCPT TO:<kina@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <kina@grasp.ru>, Recipient unknown
  khe@grasp.ru
    SMTP error from remote mail server after RCPT TO:<khe@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <khe@grasp.ru>, Recipient unknown
  khazovam@grasp.ru
    SMTP error from remote mail server after RCPT TO:<khazovam@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <khazovam@grasp.ru>, Recipient unknown
  khazova@grasp.ru
    SMTP error from remote mail server after RCPT TO:<khazova@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <khazova@grasp.ru>, Recipient unknown
  khar@grasp.ru
    SMTP error from remote mail server after RCPT TO:<khar@grasp.ru>:
    host mx.grasp.ru [95.154.104.68]: 550 <khar@grasp.ru>, Recipient unknown

------ This is a copy of the message, including all the headers. ------

Return-path: <user@mydomain.com>
Received: from 94.41.29.74.dynamic.ufanet.ru ([94.41.29.74])
      by ant1.farpost.ru with esmtp (Exim 4.69)
      (envelope-from <user@mydomain.com>)
      id 1RXY9D-0007aw-PP; Mon, 05 Dec 2011 23:59:56 +1100
Received: from [94.41.29.74] (port=7547 helo=admin830ba6464)
      by mail.mydomain.com with asmtp
      id 593BCE-0003A4-92
      for <khar@grasp.ru>; Mon, 5 Dec 2011 17:59:44 +0500
Message-ID: <267BF57FCD014BC985DEA3027C0C2D6C@admin830ba6464>
From: =?koi8-r?B?9MHNz9bFzs7PxSDawcvPzs/EwdTFzNjT1NfP?=<user@mydomain.com>
To: <khar@grasp.ru>
Subject: =?koi8-r?B?9dDMwdTBINTBzc/Wxc7O2cgg0M/bzMnO?=
Date: Mon, 5 Dec 2011 17:59:44 +0500
MIME-Version: 1.0
Content-Type: text/plain;
      format=flowed;
      charset="windows-1251";
      reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Mras: Ok

Practical application of the new customs legislation: customs value, adjustment, control, customs audits and risk profiles. Refund of customs payments. Rights, obligations and liability of declarants and customs brokers

One-day seminar / 9 December, Moscow

To obtain the necessary information and register, call tel./fax: (4-9-5) 5 8 5 0 6 4 2

Seminar programme:

Aim of the seminar: to give participants practical knowledge and skills for working under the new customs legislation.

1. The new system of customs legislation in 2011, general overview.
2. Practical issues of customs value under the Agreement on determining the customs value of goods, supporting documents, errors made when determining customs value and preparing documents, and how to avoid them.
3. Control of customs value under the Customs Code of the Customs Union before and after release. Forms and time limits of customs control.
4. How to respond to requests from customs authorities.
5. Adjustment of customs value: new provisions, sources of price information used by customs authorities, new time limits for customs value verification.
6. Additions to the transaction value, discounts and trademark royalty payments when forming customs value, and how to document them in the contract.
7. Security for payment of customs duties: methods, determining the amount of security, changes in the new customs legislation.
8. Collection of customs payments.
9. Refund of customs payments.
10. Customs audits, expansion of the list of persons subject to audit (customs representative, carrier, other legal entities).
11. Desk and on-site audits: frequency, procedure, rights and obligations of the audited person.
12. Required (mandatory) documents for confirming customs value information under customs legislation.
13. Additional documents submitted at the request of customs authorities, and assessing whether they are mandatory.
14. Customs aspects of the foreign trade contract, requirements for commercial documents under customs legislation (invoice, price list, etc.) to reduce the risk of adjustment.
15. Appealing actions (inaction) and decisions of customs authorities related to customs control: options and outcomes.
16. Court practice in customs disputes, commentary and forecast.

Seminar hours: 10:00 to 17:00 (with a lunch break and coffee break).
The seminar takes place in Moscow.
Training price: 9 OOO roubles including VAT.
Included in the training price: working documents, coffee break, lunch.

To register for the seminar you need to send us by fax: your organisation's details, the topic and date of the seminar, the full names of the participants, a contact telephone and fax.
To order the video course, send us by fax: your organisation's details, the name of the video course, the media (DVD or CD), telephone, fax, contact person and exact delivery address.

For further information and to register, call tel./fax: /495/ 5 8 5 0 6 4 2
jbobst asked:

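The bounce above is backscatter: the attached copy claims mail.mydomain.com relayed the message, but the Received line stamped by ant1.farpost.ru says it took the message from 94.41.29.74 (a ufanet.ru dynamic address), not from mail.mydomain.com. The Python below is an added example, not part of the original post: it cross-checks the Received chain that way on header excerpts trimmed from the question, with a TEST-NET placeholder standing in for the public IP of mail.mydomain.com, which the page does not give.

```python
"""Constructed example (not from the thread): spot backscatter, i.e. a bounce for a
message mail.mydomain.com never sent. Header excerpts are trimmed from the NDR in
the question; OUR_NETS is a placeholder, as the asker's public MX IP is not given."""
import re
from ipaddress import ip_address, ip_network

OUR_HOSTS = {"mail.mydomain.com"}
OUR_NETS = [ip_network("203.0.113.10/32")]  # placeholder (TEST-NET-3) for our MX

# Outer headers of the bounce itself, as received by mail.mydomain.com.
NDR = """Received: from ant1.farpost.ru ([80.92.162.140]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Mon, 5 Dec 2011 05:59:55 -0700
From: Mail Delivery System <Mailer-Daemon@ant1.farpost.ru>
Return-Path: <>
"""

# The "copy of the message" that ant1.farpost.ru attached to the bounce.
BOUNCED_COPY = """Return-path: <user@mydomain.com>
Received: from 94.41.29.74.dynamic.ufanet.ru ([94.41.29.74])
      by ant1.farpost.ru with esmtp (Exim 4.69)
      (envelope-from <user@mydomain.com>)
Received: from [94.41.29.74] (port=7547 helo=admin830ba6464)
      by mail.mydomain.com with asmtp
      for <khar@grasp.ru>; Mon, 5 Dec 2011 17:59:44 +0500
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def unfold(raw):
    """Join RFC 5322 continuation lines so each header is a single string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Received hops top-down as (IP the receiver saw, receiving host)."""
    hops = []
    for header in unfold(raw):
        if header.lower().startswith("received:"):
            ip, by = IPV4.search(header), BY_HOST.search(header)
            hops.append((ip.group(1) if ip else None, by.group(1).lower() if by else None))
    return hops


def forged_hops(raw, our_hosts=OUR_HOSTS, our_nets=OUR_NETS):
    """Hops claiming one of our hosts relayed the message, although the server
    directly upstream says it took the message from an IP that is not ours."""
    hops = parse_received(raw)
    findings = []
    for i, (_, by) in enumerate(hops):
        if by not in our_hosts or i == 0:
            continue  # i == 0 is the hop our own server stamped: nothing to cross-check
        up_ip, up_by = hops[i - 1]
        if up_ip and not any(ip_address(up_ip) in net for net in our_nets):
            findings.append((by, up_by, up_ip))
    return findings


def is_backscatter(ndr_headers, bounced_copy):
    """A null-sender DSN whose attached copy carries a forged hop through us."""
    null_sender = any(re.match(r"return-path:\s*<>\s*$", h, re.I) for h in unfold(ndr_headers))
    return null_sender and bool(forged_hops(bounced_copy))


if __name__ == "__main__":
    for by, up_by, up_ip in forged_hops(BOUNCED_COPY):
        print(f"{up_by} got the message from {up_ip}, not from {by}: that hop is forged")
    print("backscatter:", is_backscatter(NDR, BOUNCED_COPY))
```

The same check applied to the NDR's own outer headers finds nothing, because the hop by mail.mydomain.com there is the one our server really stamped.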
Alan Hardisty (Co-Owner) commented:
If you had some Anti-Spam software installed on your server, then these messages wouldn't make it through.

Spammers gather email addresses from all sorts of sources and can actively target IP Addresses and when they find an email server sitting behind one, they can launch a Directory Harvest Attack, which essentially will tell them which email addresses are valid and which are not.  Again, with good Anti-Spam software installed, this kind of attack can be stopped / slowed down.

Two options here:

1. Buy some good Anti-Spam software and I would recommend Vamsoft ORF - www.vamsoft.com - free 30-day trial is available and I am sure you will eventually spend the $239 per server that it costs.

2. Beef up your security on your existing server - http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html

Jon Brelie (System Architect) commented:
Additionally, (and I am sure that the second link Alan provided covers this) - make sure you have a valid SPF record for your domain.  It looks like these messages were sent with a forged header to look like they were being sent from your user.  SPF records will cut down on the number of remote servers that get fooled by this method.
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) commented:
Hey Alan ... hey others ... because Alan is here I have nothing to introduce but a simple solution (quick solution) for blocking spam in Exchange 2003 using the Exchange intelligent filter:

http://www.petri.co.il/block_spam_with_exchange_2003.htm

But this is not forever; you should buy anti-spam like Alan said...

good luck
RAdministrator commented:
Someone (manually or via a bot) is trying to use your email server as a relay for Russian spam.
Exchange comes configured with relaying denied. It should automatically drop emails from domain names it doesn't have configured.
The messages you are seeing are the Exchange server thinking your user sent that spam. They are called delivery status notifications (DSNs).

You can create a transport rule in the Exchange Management Console to drop messages matching certain conditions without a DSN. This way your user can work in peace while you get yourself anti-spam software or an appliance.

EMC - Yourdomain.local - Transport Hub - Transport Rules tab - New... - messages coming from persons - external mail - *@domain.ru - Delete without notifying anyone.

I attached the code the EMC wizard spits out, this is what it should look like:
Name: 'Rule name'
Comments: ''
Priority: '0'
Enabled: $true
From: '*@farpost.ru','*@grasp.ru'
DeleteMessage: $true

Andrej Pirman commented:
Hi,

my 5 cents:

1.) On your CLIENT PC(s), check whether any mail is sent out via any route other than Exchange.
At a command prompt, type:
netstat -an | find "TCP"

If you find any connection TO port 25, then this PC is sending out mail. Most probably infected! (...ok, it could also be a custom mail client to an external account, or a mail program)

Also scan the client for viruses. The MOST PROPER way to do this is in off-line mode, or at least by booting into Windows SAFE MODE, then running the antivirus scanner from there. Doing so will also remove those most resilient and stealthy viruses.

2.) On MAIL SERVER:
Test, if your Exchange server is an open relay:
Test 1: http://www.mxtoolbox.com/diagnostic.aspx
Test 2: http://www.abuse.net/relay.html

3.) On your PUBLIC DNS zone for "yourdomain.com":
Do you have an SPF record? Meaning, does your SPF allow any other mail server to send on behalf of your domain?
TEST here: http://www.kitterman.com/spf/validate.html
If you don't have SPF, create it here: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

4.) On your FIREWALL/ROUTER:
Make sure that you also have an OUTGOING rule which blocks:
- PERFECT settings: first, allow only OUT traffic TO public ports 80, 443 and maybe 1723 for VPN (or others if needed)
  Then allow only Exchange LAN IP to send OUT TO port 25.
  Block all other traffic.
- STILL OK would be: at least, allow only Exchange LAN IP to send OUT TO public port 25, block all others.

5.) Test your firewall for open ports:
https://www.grc.com/x/ne.dll?bh0bkyd2
jbobst (Author) commented:
Thanks for the answers so far. By the way, I do have an anti-spam filter that seems in general to work very well. It's the Trend Micro Worry Free Business Advanced software that is protecting the Exchange server.

As for the other things, here are some additional answers:
On testing with mxtoolbox, the server is NOT an open relay, but there doesn't appear to be an SPF record. Once I create an SPF record on that Microsoft site you recommended, Labsy, what do I do with that record? Send it to our domain hosting company? Put it on our Exchange server?

On the firewall test, we have ports 25, 80 and 443 open; everything else is closed. The firewall rule for port 25 allows Send email (SMTP) from any source, but the destination is only on the LAN side with the private IP address of our Exchange server. I have an older SonicWall firewall, and I'm not exactly sure how to set up the rules per Labsy's advice.
younghv commented:
This is an incorrect statement:

"MOST PROPER way to do this is in off-line mode, or at least by booting into Windows SAFE MODE, then run antivirus scanner from there. Doing so will remove also those most resilient and stealth viruses."

Most current malware is smart enough to NOT start its processes while the system is booted to "Safe Mode" - and the good malware scanners are smart enough to identify and repair most malware variants while functioning in "Normal Mode".

More information here: Malware Fighting – Best Practices

"Anti-virus scanners" are almost all completely helpless in removing infections. If the existing AV application allowed the infection in the first place - it certainly isn't going to remove it after the fact.

Removing malware infections calls for using tools/scanners that are especially developed for that purpose.

Details here:
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name
Alan Hardisty (Co-Owner) commented:
If you read the headers properly, you will see that the emails originate from an external source, not an internal source, so the suggestion that you should check the internal computers is not relevant here, and doing so in safe mode is the worst possible advice that could be given.
Andrej Pirman commented:
@younghv
I do not agree with your statement about detection possibilities in SAFE MODE or OFFLINE.
You say that most malware does not start its processes in safe mode, and thus passes undetected. So you say that malware needs to start itself to be detected? Ok, but WHAT STARTED the process - does this starter remain undetected by your logic?
Never mind... If you got infected, it happened because your AV/AntiMalware did NOT detect the intruder running in NORMAL mode. So go into SAFE MODE and try to disinfect from there.

SPF:
The SPF record must be added as a TXT-type record in your public DNS.
younghv commented:
Labsy -
"I do not agree with your statement about detection possibilities in SAFE MODE or OFFLINE."

I understand that you do not agree, which is why I posted the links to the articles. Give them a read and post your reasons for disagreeing - over in the articles. I would be grateful for the opportunity to help you start learning about proper procedures.

The ramifications of poor advice in fighting malware can be devastating to the end-user. It is critical that anyone offering suggestions on this topic learn about best practices before telling others what to do.
Andrej Pirman commented:
@younghv
I appreciate your work and article you wrote about removing viruses and malware - very good article!
But I still disagree with your statement about NOT running virus/malware scanners in SAFE MODE. Well, as you say, it is essential for those of us who give answers to "know what we are doing" (...or better, saying), and the debate about whether or not to scan in safe mode is exactly that: a reasoned debate about the subject.

Well, first of all, I give credit to most of your writing, and also to the part I disagree with. Running an antivirus scan in SAFE MODE can indeed damage the system... but AFAIK only until you reboot. Let's see what happens when some essential Windows file is infected:
- if you DO NOT scan, Windows should detect its CRC not matching upon reboot, so Windows itself should replace it with a healthy file from dllcache
- if you DO SCAN and the file is not repairable, the antivirus will in the worst case delete the file (in SAFE MODE), and Windows will heal it after reboot from dllcache
- if dllcache is infected too, then you need a Windows REPAIR in any case

Beyond that, your statement that heuristics are not functional when running scans from SAFE MODE is also true, and I may add that behaviour analysis is of no use in SAFE MODE either. Why? Because the malware process is not running, so its behaviour cannot be analysed.
But on the other hand, the main weapon of antivirus and anti*ware is still fingerprint detection, which is 100% functional and reliable ONLY in safe mode. In normal mode, viruses and malware may hide, use stealth and employ other techniques to protect themselves and hide from scanners, so they are harder to detect, and even harder or impossible to remove.

Therefore I still recommend:
- FIRST, try all weapons in normal mode, with fully updated fresh scanners
- if still having problems, go with SAFE-MODE scan
- and finally run OFF-LINE scan using antivirus boot disk

If you anyhow get to the point where you will need system repair - well, sorry, your system was already beyond the point of normal repair anyways.
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) commented:
I think it's better to split points among all participants because everyone introduced a possible solution
Alan Hardisty (Co-Owner) commented:
My $0.02 worth:

My article covers how to reduce spam in Exchange 2003 by using the free / built-in tools available so if my article is followed, then the problem would go away.

I would therefore suggest that my initial comment http:#a37239208 is accepted as the solution. The rest of the comments either repeat the advice in my article, are relevant to Exchange 2007 / 2010 and thus not relevant, or are wrong; then it turns into a debate over anti-virus / malware tools and the correct way to run them, which is unrelated to the question as this is pure spam, not an infection.

Alan
Andrej Pirman commented:
@alanhardinsty
"...My article covers how to reduce spam in Exchange 2003 by using the free / built-in tools available so if my article is followed, then the problem would go away...."

I am not so sure about that - the user just wouldn't SEE the problem, while most servers around the globe would still allow mail FROM the user's domain to be sent FROM other servers. This is not something to mask just by not seeing NDRs; better to prevent it as much as possible. Here a proper SPF record comes in.
An SPF record in the DNS zone is like an instruction to the whole world, to all mail servers, relays and antispam filters, about which mail server is allowed to send mail on behalf of your domain. Most other mail servers, if configured properly, will deny all other mail which does not obey this SPF rule.

Besides that, I am not so comfortable reading both in the same place - advice, and a suggestion that your advice is the only one worth the points. My opinion is to let the user decide. No hard feelings - that's just my opinion.

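As Jon Brelie and Andrej Pirman say, an SPF TXT record tells a receiving server such as ant1.farpost.ru which hosts may send as mydomain.com, so the forged message from 94.41.29.74 can be rejected at SMTP time instead of being accepted and bounced to user@mydomain.com. The Python below is an added example, not from the thread: a minimal SPF evaluator run against a constructed DNS table, in which 203.0.113.10 (a TEST-NET address) stands in for the asker's MX and partner.example is made up.

```python
"""Constructed example (not from the thread): a minimal SPF (RFC 7208) evaluator run
against a made-up DNS table, showing what a receiving server such as ant1.farpost.ru
would decide once mydomain.com publishes SPF. 203.0.113.10 (TEST-NET-3) stands in for
the asker's MX, which the page does not give; 94.41.29.74 is the ufanet.ru address
from the bounced copy. Supports ip4, a, mx, include and 'all'; nothing else."""
from ipaddress import ip_address, ip_network

DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 mx include:partner.example -all"],
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mail.mydomain.com", "A"): ["203.0.113.10"],
    ("partner.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("nospf.example", "TXT"): ["some unrelated TXT record"],  # no SPF published
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    recs = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ") or t.lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None  # zero or several records: treat as none


def host_ips(name):
    return {ip_address(a) for a in lookup(name, "A")}


def check_spf(client_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending as domain."""
    if depth > 10:
        return "permerror"  # include loop or too many lookups
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism this toy evaluator does not implement
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "mydomain.com"), ("198.51.100.7", "mydomain.com"),
                       ("94.41.29.74", "mydomain.com"), ("94.41.29.74", "nospf.example")]:
        print(f"{ip:>14} as {domain:<14} -> {check_spf(ip, domain)}")
```

Only a receiving server that actually evaluates SPF gains anything from the record; the asker's own inbound filtering is unaffected, which is why the thread pairs SPF with anti-spam on the receiving side.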
Alan Hardisty (Co-Owner) commented:
@labsy - are you saying SPF records are the answer to this question?

Author has abandoned the question - so the Experts are being asked how to best close the question in the absence of the asker, so waiting for them to appear may be a very long wait, which is why this question is being cleaned up by the cleanup volunteers.
Andrej Pirman commented:
@Alan: "...are you saying SPF records are the answer to this question?"

Yes and no. SPF would stop most (but not all) of spam/relay attempts on SOURCE, while good AV and AntiSpam protection will stop it on DESTINATION. I bet on both - full measures to prevent spam and relay at any point will improve mail messaging in general, so many suggestions in this thread are to be evaluated.

My order of points split would be:
1st place: Antivirus & Antimalware on both, client and mail server
2nd place: SPF, proper configuration of Firewall
3rd place: all advice on how to disinfect and clean the client computer of malware, since it was not the original question here
Alan Hardisty (Co-Owner) commented:
The debate about what to do to sort out the problem was over long ago.

It is about choosing which comment or comments already posted would solve the problem in the absence of the asker selecting a comment or comments as a solution. We are not being asked to solve the problem but to close the question, so please post your comments based on the comments prior to the cleanup volunteer's comment asking how to close.
jbobst (Author) commented:
So sorry for the abandonment of this question.  I will close it out and assign points.  In the end, it seems that the emails stopped after about 24 hours, and we didn't do anything on our end, so I assume the "problem" mail server out there on the internet was either fixed or shut down.  Normally, our Anti-Spam (Trend Micro Worry Free Business) product is pretty good about keeping the spam down, it's just that for the 24 hours or so this user was somewhat flooded with inbound mail.

Not to start another debate on the topic, but I have often found that many of the virus/malware infections actually prevent the user from even launching any sort of anti-virus application when running in normal mode. Most of the time, the only way to even try to run an anti-virus tool is to go into safe mode or pull the hard drive, slave it to a healthy computer and scan it from there. Then again, ComboFix is often about the only product I have found that will clean an infected computer if Malwarebytes and an AV program still don't fix it. Not sure why the big companies like Symantec/Norton, McAfee, AVG, etc. can't also create a tool like ComboFix. ComboFix seems slightly "scary" to me since it seems like it was a tool created by some guy in his basement (not saying it was, just trying to make an analogy).