Email Spam

Colin (asker):

I am having issues with one of my users' email. He seems to get a lot of undeliverable email notices in his mailbox the next day; however, he never sent any messages. It seems like spam, but I have no idea why it would only be happening to him.

An example of the spam emails would be:

    The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
    < gateway.geoconsultores.lan #5.0.0 X-Postfix; host /var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command)>
OriNetworks:

Even if the user did not send the messages, are you sure they never came from your server? For example, if a malicious person has their password, they may have logged into your email server as them and sent the emails. If enabled, Exchange message tracking would tell you if the messages originated from your server. Otherwise it may have been spoofed and this is an NDR attack.

Setting an SPF DNS record for your email server will reduce the chance of spoofing. If an email server receives an email supposedly from your domain, and SPF checks are enabled, it will see if your domain has an SPF record. If that SPF record matches the address that the email is coming from, it knows it is legitimate. If not, it knows it is spoofed and ignores it.
Check DLs too; he might be a member of a DL. Normally this happens more with IT admins...
First, have the user change their password; something simple and effective if it's been compromised.

Run Malwarebytes on the user's workstation; often an SMTP relay is installed locally that compromises email. Run a scan and report the results. Download Malwarebytes here.
Colin (asker):
Works2011,
I followed your suggestion above. We changed the user's password on the PC, and we also installed Malwarebytes and ran a complete scan. Nothing was detected in the report.

This user is the only user that is having issues with their email. We also see a huge spike in spam emails between midnight and 4 am.
My first thought is to turn off the computer tonight to eliminate the workstation, and narrow down from workstation to server, etc. If it stops, reimage the workstation; I would expect you have a rootkit infection that won't be cleaned by most scanners.
Colin (asker):
Works2011, so tonight I should turn off the PC and see if it still sends out emails? At that point it would be on the Exchange side and not on the PC?
Colin (asker):
Works2011, I just found out that the PC was shut off last night and every time we have seen this.
Colin (asker):
Still received around 120 spam emails last night
Colin (asker):
I do have the following protection:
 I have the IMF filter enabled.
 I have my Sender ID filtering set to Accept, but I do not have "Apply Sender ID Filter" checked in the Default SMTP Virtual Server Properties General tab.
 I have rules under Connection Filtering set to Barracuda enabled and Zen enabled.
 I have a Sender Filtering list created.

It looks like a lot of articles say to apply the Sender ID filter in the Default SMTP virtual server. Would this be correct?
ASKER CERTIFIED SOLUTION
Ryan McCauley
This solution is only available to members.
Your user seems to be the victim of a spoofing attack: a spammer uses his e-mail address as the return address to send spam. Unfortunately, there is not much you can do about those NDRs except, perhaps, changing the anti-spam software/system on the mail server.

We had a lot of those incorrect NDRs back in the years and got rid of them by outsourcing our anti-spam to a hosted solution. There are some good ones on the market: we were using Google's Postini but are about to change to Microsoft FOPE.

Another thing you could do to improve the legitimacy of your good e-mail messages and at the same time reduce the NDRs is employing SPF records. For more information about SPF, please see http://www.openspf.org/ and http://en.wikipedia.org/wiki/Sender_Policy_Framework
This is backscatter from someone sending email purporting to be him. This isn't coming from inside your network. You can verify that by examining your outbound SMTP protocol logs for the time/date of the message that you cull from that non-delivery receipt. I would suggest simply verifying that the email isn't coming from your organization in this way. (Different email servers use different methods of logging SMTP conversations, so with platform & version we can tell you how to configure those logs.)

You should also be able to disable NDRs at the server level, or alternatively make a rule for this user that discards NDRs. Again, various mail servers accomplish this in various ways, so let us know the server & version.  Thanks!

-tom
Inspect these notices; if they have the original (non-deliverable) email attached, inspect the headers and find out where it really came from.

If it did indeed come from your mail server, then you need to find out who sent it and how. It can be an infected computer.

If it did not come from your mail server, then spaperov's comment above fully applies. The practical means to fight it are:

1. Wait a couple of weeks. There's a possibility that the issue will go away.
2. Report them as spam to SpamCop.
3. As a last resort, if the user's email address has been compromised and is now being used by spammers, have him change it.

At some point my own email address was also compromised and spammers were sending spam from it. This was quite intensive for about 2 weeks, but then it practically disappeared. I still receive 1-2 such NDRs every several months. Spammers know that many people will blacklist the "from" address of the spam, so they don't use the same one for long.
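One way to do the header inspection described in this post (and the log check tom suggests above), as an added example that is not part of the original thread: parse the NDR with Python's standard email module, pull the original message out of the message/rfc822 part, and read its Received chain from the bottom up. The two bounce messages, our server address 192.0.2.10, the hostnames and the Message-IDs are constructed for this example.

```python
"""Trace where the message attached to a bounce (NDR) really entered the mail system.

Added example. The NDRs below are constructed; the addresses, hostnames and
Message-IDs are assumptions, not data from the thread.
"""
import email
import ipaddress
import re
from email.message import Message
from typing import NamedTuple, Optional

# Public addresses our own outbound mail servers send from (assumption).
OUR_OUTBOUND = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed bounce: the attached original claims From: our domain, but the only
# Received line shows it was injected from 198.51.100.23, which is not ours.
SPOOFED_NDR = b"""\
From: MAILER-DAEMON@gateway.geoconsultores.lan
To: user@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host gateway.geoconsultores.lan.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; gateway.geoconsultores.lan

Final-Recipient: rfc822; nobody@geoconsultores.lan
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from mail.example.com (unknown [198.51.100.23])
    by gateway.geoconsultores.lan (Postfix) with ESMTP id 0A1B2C
    for <nobody@geoconsultores.lan>; Tue, 8 Mar 2011 02:13:44 -0300
From: user@example.com
To: nobody@geoconsultores.lan
Message-ID: <20110308021300.1234@example.com>
Subject: cheap watches

spam body
--B1--
"""

# Constructed bounce for the other case in the thread: the original really went out
# through our server (compromised account), handed to it by an internal workstation.
RELAYED_NDR = SPOOFED_NDR.replace(
    b"(unknown [198.51.100.23])", b"(mail.example.com [192.0.2.10])"
).replace(
    b"From: user@example.com\n",
    b"Received: from ws01 ([10.0.0.55]) by mail.example.com with ESMTP;\n"
    b"    Tue, 8 Mar 2011 02:13:40 -0300\n"
    b"From: user@example.com\n",
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^from\s+(\S+)", re.I)


class Origin(NamedTuple):
    helo: str              # name the injecting host announced (trivially forgeable)
    origin_ip: str         # address the injecting host actually connected from
    via_our_servers: bool  # did any hop involve one of OUR_OUTBOUND?
    message_id: str


def attached_original(ndr: Message) -> Optional[Message]:
    """Return the original message embedded as message/rfc822, if the NDR carries one."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_hops(msg: Message) -> list:
    """Received headers in header order (most recent hop first), folding removed."""
    return [re.sub(r"\s+", " ", str(h)).strip() for h in msg.get_all("Received", [])]


def trace_origin(ndr_bytes: bytes) -> Optional[Origin]:
    original = attached_original(email.message_from_bytes(ndr_bytes))
    if original is None:
        return None            # bounce without the original: nothing to trace
    hops = received_hops(original)
    if not hops:
        return None
    first_hop = hops[-1]       # the bottom Received line is where the message entered
    helo = HELO_RE.match(first_hop)
    ip = IP_RE.search(first_hop)
    seen = set()
    for hop in hops:
        for addr in IP_RE.findall(hop):
            try:
                seen.add(ipaddress.ip_address(addr))
            except ValueError:
                pass           # ignore junk that merely looks like an address
    via_ours = any(a in net for a in seen for net in OUR_OUTBOUND)
    return Origin(
        helo=helo.group(1) if helo else "",
        origin_ip=ip.group(1) if ip else "",
        via_our_servers=via_ours,
        message_id=str(original.get("Message-ID", "")).strip(),
    )


if __name__ == "__main__":
    for label, ndr in (("spoofed", SPOOFED_NDR), ("relayed", RELAYED_NDR)):
        print(label, trace_origin(ndr))
```

In the spoofed case the bottom Received line shows the spammer's host announcing itself as mail.example.com (the HELO name is whatever the sender chooses) while connecting from an address that is not ours, so nothing in your outbound log will match. In the relayed case an internal workstation handed the message to our server, which is the compromised-account scenario OriNetworks raised; the origin address and timestamp from that line are what to look for in the outbound SMTP log.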
Setting up an SPF record (as already posted in the first post) should be one way to combat this problem, as well as installing / configuring a 3rd-party anti-spam product such as www.vamsoft.com (Vamsoft ORF).

If you are using Exchange 2003, please have a read of my article:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html

Alan
@alanhardisty, I think this solution would help only if the whole world implemented it, detected that the email was spoofed, and didn't send the ndr.

SPF is not a very realistic solution if your organization receives any mass-sent newsletters. Lots of them are sent by marketing firms on behalf of their clients.
SPF, when configured properly, works very well.

Any company using SPF and sending out mass mail via a 3rd party needs to include the 3rd party's IP addresses / mail servers in the SPF record. We have a variety of sources for our emails and they are all included in our SPF record, and that means our emails don't get rejected and we don't suffer from spoofing either.

Alan
> Any company using SPF and sending out mass-mail via a 3rd party needs to include the 3rd parties IP Address / mail servers in the SPF record.  

of course... but not all of them do.  Far from it.
While this is not likely the best forum for discussion of SPF pros & cons, SPF certainly does help. What percentage of email goes out to yahoo/aol/hotmail/gmail? All of those would be covered by SPF, in addition to people who use hosted solutions like Postini or appliances like Barracuda.

Correctly configured SPF records take marketing partners and application vendors into account, with the INCLUDE verb and/or the ability to simply add their public IP range(s).

It's not a complete solution to the issue, but it certainly cuts down on spoofing and phishing.
It is a bit like a seat-belt in a car.  It isn't going to stop everyone getting injured, but wearing it will at least mean you are much less likely to get injured.  If you don't wear one, then you can almost guarantee you will get injured in a crash.

Add an air-bag and then the protection increases.

Add a roll-cage and then protection increases more.

But you can still get injured / killed with all the protection in the world.

SPF is simply another layer of protection - use it and it will benefit you.  Don't use it and it won't.
In addition to the marketing problem, for this to work it's not enough that you get your own SPF record published; the 2nd part of the equation is that everybody else should be looking at SPF. "Correctly configured SPF" is great, but it should be correctly configured not on your system but on everybody's system, so they'd detect that in fact this email did not come from you.

Another limitation: it requires that your employees are always sending everything only through your own mailserver.
As mentioned before - it is another layer of protection.  It is not the silver-bullet that will kill spam dead.

For the circumstances relating to this question, it can only help, it certainly can't harm the situation, so let's not dismiss it as a waste of time please.

Alan
SPF records are meant to provide validity of the sender. While not everyone has it enabled, many companies do have this filtering feature enabled. At minimum, if you set up an SPF record you can expect a reduction in the amount of NDR messages received as a result.
Colin (asker):
OK, under Protocols >> SMTP >> Default SMTP Virtual Server, on the General tab >> Advanced button >> under the configuration of the port, I have the following checked:

Apply Sender Filter
Apply Recipient Filter
Apply Connection Filter
Apply IMF

What I do not have checked is Apply Sender ID Filter. Should I apply this?
No, you need to publish an SPF record for your domain. See http://www.openspf.org/ for more details.
Colin (asker):
OK, to be honest this is a little over my head. Once I have completed the MS SPF online utility, where do I paste the information, and where do I place it on my server?

The other thing is that this is the first time in 6 years we have had this setup, and we never did an SPF record why do

Is there a simpler, easier alternative?
You create a TXT DNS record, paste the output from Microsoft's site as the value of the TXT record, then save the DNS record changes.

That's it.

SPF is relatively new and will help you with spoofed emails claiming to come from your domain if the receiving party checks SPF when receiving mail.

The issue is that the people receiving the emails are sending NDRs back to the spammer, and that means they are sending backscatter and will get listed on www.backscatterer.org (a blacklist site). This is basically poor configuration on their side.
Note that the MS wizard will probably create a Sender ID record, which is not the same as SPF. The SPF website has a special article about it.

Use the wizard on the SPF site and it will create the record for you. But you will have to decide who can send on your behalf, and this can be a quite nontrivial decision, with the potential to block legitimate emails (i.e. when your users send emails to others, they may be blocked because you have now published an SPF record). So you have to be very careful, and maybe a good idea would be to hire someone competent to do it; not a big project, but it requires full understanding of what you are doing.

Once the record is ready, you have to publish it along with your regular DNS records for your domain; depending on where your DNS records are published, that can be either you or your registrar.
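The "who is allowed to send for my domain" decision in this post, and the third-party-sender problem raised earlier in the thread, as an added example that is not from the thread: a small SPF evaluator in Python modelled on RFC 7208's check_host(), run against a constructed DNS table instead of live lookups. The domains (example.com, mail.example.com, _spf.mailvendor.example), their addresses and the marketing firm's 203.0.113.0/24 range are assumptions. It handles ip4/ip6, a, mx, include, all and redirect=, and it shows the fail a receiver would return for mail sent on your behalf from a range you forgot to list.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Added example, not code from the thread. Every name and address in DNS below is
an assumption chosen for illustration.
"""
import ipaddress
import re

DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.10 include:_spf.mailvendor.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("nospf.example", "TXT"): ["just some unrelated text"],
}

# The same zone after the marketing firm's range (203.0.113.0/24, assumed) is added,
# which is the fix the thread describes for mail sent on your behalf by a third party.
DNS_FIXED = dict(DNS)
DNS_FIXED[("example.com", "TXT")] = [
    "v=spf1 mx ip4:192.0.2.10 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"
]

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "ptr", "exists")
MAX_DNS_MECHANISMS = 10          # RFC 7208 section 4.6.4 processing limit
# qualifier, mechanism, optional ":target", optional "/prefix"
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?$", re.I)


def lookup(dns, name, rtype):
    return dns.get((name.lower(), rtype), [])


def spf_record(dns, domain):
    """Exactly one v=spf1 TXT record is usable; zero (or several) gives no record."""
    recs = [t for t in lookup(dns, domain, "TXT") if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def in_cidr(ip, target, prefix):
    net = ipaddress.ip_network(f"{target}/{prefix}" if prefix else target, strict=False)
    return ip in net             # False when address families differ (ip4 term, IPv6 client)


def check_host(ip, domain, dns=DNS, _budget=None):
    """SPF result for client `ip` using MAIL FROM `domain`: pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(ip)
    budget = [MAX_DNS_MECHANISMS] if _budget is None else _budget
    record = spf_record(dns, domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                               # modifier, e.g. redirect=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue                                  # unknown modifiers are ignored
        m = TERM_RE.match(term)
        if not m:
            return "permerror"
        qualifier, mech, target, prefix = m.groups()
        mech = mech.lower()
        if mech in DNS_MECHANISMS:
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                    # too many lookup-causing terms
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            if not target:
                return "permerror"
            matched = in_cidr(ip, target, prefix)
        elif mech == "a":
            matched = any(in_cidr(ip, a, prefix) for a in lookup(dns, target or domain, "A"))
        elif mech == "mx":
            matched = any(in_cidr(ip, a, prefix)
                          for mx in lookup(dns, target or domain, "MX")
                          for a in lookup(dns, mx, "A"))
        elif mech == "include":
            matched = check_host(ip, target, dns, budget) == "pass"   # only a pass matches
        else:
            return "permerror"                        # mechanism this evaluator does not know
        if matched:
            return RESULT_FOR[qualifier or "+"]
    if redirect:
        return check_host(ip, redirect, dns, budget)
    return "neutral"                                  # no term matched, no default given


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.77", "203.0.113.50"):
        print(client, check_host(client, "example.com"), check_host(client, "example.com", DNS_FIXED))
```

Run it and the third client, 203.0.113.50, fails under the original record and passes once its range is added. The -all at the end is what lets a receiver reject a spoof outright; the vendor's own record ends in ~all, so a lookalike from outside its range only softfails there. Whether a given receiver acts on the result at all is that receiver's configuration, which is the point made above about SPF being checked on the receiving side.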