Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Spam Email Sent from My Email Address...

Posted on 2012-12-27
3
Medium Priority
?
1,351 Views
Last Modified: 2012-12-27
Hi all.
We have a domain environment running Exchange 2007.
A company owner (of all people) has gotten a few bounce-backs / NDRs at about midnight but he never sent any emails to begin with.
I checked our Barracuda Spam Filter and have verified that no email was sent from his email around that time.
When I look at the bounce-back message, there is obviously all kinds of information in there but I'm not sure what could have caused this to happen.
Here are some tidbits of information from the bounce-back.
Maybe someone can help decipher this.  
The internal email address that received this bounce-back is in BOLD below.

Diagnostic information for administrators:

Generating server: mx2.ibc.com.au

bucholtiryo@kadmos.com.au
203.24.93.104 #<203.24.93.104 #5.1.1 smtp; 550 5.1.1 <bucholtiryo@kadmos.com.au>: Recipient address rejected: User unknown in virtual mailbox table> #SMTP#

Original message headers:

Return-Path: <UserA@DomainA.com>
Received: from localhost (localhost [127.0.0.1])      by mx2.ibc.com.au (Postfix)
 with ESMTP id C89EF14167;      Thu, 27 Dec 2012 13:26:32 +0800 (WST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on turing.ibc.com.au
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=BAYES_80,DATE_IN_FUTURE_03_06,
      FREEMAIL_FORGED_REPLYTO shortcircuit=no autolearn=no version=3.3.1
X-Spam-Report: *  3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
      *  2.7 BAYES_80 BODY: Bayes spam probability is 80 to 95%
      *      [score: 0.9233]
      *  1.2 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Virus-Scanned: amavisd-new at weber.ibc.com.au
Received: from mx2.ibc.com.au ([127.0.0.1])
      by localhost (turing.ibc.com.au [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 6LWbhzUYhtfq; Thu, 27 Dec 2012 13:26:32 +0800 (WST)
Received: from ks3095542.kimsufi.com (ks3095542.kimsufi.com [94.23.59.42])
      by mx2.ibc.com.au (Postfix) with SMTP id 023D314165
      for <bucholtiryo@kadmos.com.au>; Thu, 27 Dec 2012 13:26:31 +0800 (WST)
To: <bucholtiryo@kadmos.com.au>
Subject: *****SPAM***** Search beautiful wives)))
From: UserA <member@forumotion.com>
Reply-To: <elizabeth.sh@live.ca>
Message-ID: <ksocj5jzo44ntbx1gzp5aq43xxai36t@hvirus.forumactif.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Date: Thu, 27 Dec 2012 06:27:52 -0400
X-Spam-Prev-Subject: Search beautiful wives)))
0
Comment
Question by:homerslmpson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 15

Accepted Solution

by:
Rajkumar-MCITP earned 1000 total points
ID: 38723665
Its a spoofing attack.. check with Barracuda Spam Filter to know whether they have the mechanism to block spoofing emails
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38723683
I just found the following which is leading me to believe it's best I leave this alone:

"The Barracuda Spam & Virus Firewall incorporates anti-spoofing features that, when enabled, will not allow an external email to appear as if it came from someone inside the organization. Any email that would have this appearance would be blocked. With the Barracuda Spam & Virus Firewall, this anti-spoofing feature can be enabled and disabled on a domain-by-domain basis. The Barracuda Spam & Virus Firewall includes features that allow larger organizations to specify a list of IP addresses that are allowed to have a “From” address that appears from inside the organization to support multiple sites and multiple email servers.
There is one problem with effectively implementing an anti-spoofing solution: road warrior access. Users that work outside of the network from home or on the road must connect via methods other than standard SMTP such as VPN, SSL-VPN, or Web mail if they want to send email to their colleagues in the organization and have that email appear as if it came from their internal email account. This can be a drawback; however, the consequences of a phishing scheme for an organization are so severe that many large and small organizations are choosing the safer route and implementing comprehensive anti-spoofing solutions. This results in a minor inconvenience when someone who is a member of the company and is traveling wants to send email internally.
"
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 1000 total points
ID: 38723700
It's not so much an attack as it is a misdirection.  Someone put a fake (your boss's) return address on an e-mail, so bounce-backs would go to that e-mail account.

I can send a letter to anyone and put your street address as the return address.  It doesn't mean you sent it, but if the letter can't be delivered, it will be returned to you.  That's what's going on here.  

There is little, if anything, you can do about it.  If you feel it will help, you can contact the folks at kimsufi.com, which is where the e-mail appears to have originated.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question