Solved

Spam Email Sent from My Email Address...

Posted on 2012-12-27
3
1,310 Views
Last Modified: 2012-12-27
Hi all.
We have a domain environment running Exchange 2007.
A company owner (of all people) has gotten a few bounce-backs / NDRs at about midnight but he never sent any emails to begin with.
I checked our Barracuda Spam Filter and have verified that no email was sent from his email around that time.
When I look at the bounce-back message, there is obviously all kinds of information in there but I'm not sure what could have caused this to happen.
Here are some tidbits of information from the bounce-back.
Maybe someone can help decipher this.  
The internal email address that received this bounce-back is in BOLD below.

Diagnostic information for administrators:

Generating server: mx2.ibc.com.au

bucholtiryo@kadmos.com.au
203.24.93.104 #<203.24.93.104 #5.1.1 smtp; 550 5.1.1 <bucholtiryo@kadmos.com.au>: Recipient address rejected: User unknown in virtual mailbox table> #SMTP#

Original message headers:

Return-Path: <UserA@DomainA.com>
Received: from localhost (localhost [127.0.0.1])      by mx2.ibc.com.au (Postfix)
 with ESMTP id C89EF14167;      Thu, 27 Dec 2012 13:26:32 +0800 (WST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on turing.ibc.com.au
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=BAYES_80,DATE_IN_FUTURE_03_06,
      FREEMAIL_FORGED_REPLYTO shortcircuit=no autolearn=no version=3.3.1
X-Spam-Report: *  3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
      *  2.7 BAYES_80 BODY: Bayes spam probability is 80 to 95%
      *      [score: 0.9233]
      *  1.2 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Virus-Scanned: amavisd-new at weber.ibc.com.au
Received: from mx2.ibc.com.au ([127.0.0.1])
      by localhost (turing.ibc.com.au [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 6LWbhzUYhtfq; Thu, 27 Dec 2012 13:26:32 +0800 (WST)
Received: from ks3095542.kimsufi.com (ks3095542.kimsufi.com [94.23.59.42])
      by mx2.ibc.com.au (Postfix) with SMTP id 023D314165
      for <bucholtiryo@kadmos.com.au>; Thu, 27 Dec 2012 13:26:31 +0800 (WST)
To: <bucholtiryo@kadmos.com.au>
Subject: *****SPAM***** Search beautiful wives)))
From: UserA <member@forumotion.com>
Reply-To: <elizabeth.sh@live.ca>
Message-ID: <ksocj5jzo44ntbx1gzp5aq43xxai36t@hvirus.forumactif.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Date: Thu, 27 Dec 2012 06:27:52 -0400
X-Spam-Prev-Subject: Search beautiful wives)))
0
Comment
Question by:homerslmpson
3 Comments
 
LVL 15

Accepted Solution

by:
Rajkumar-MCITP earned 250 total points
ID: 38723665
Its a spoofing attack.. check with Barracuda Spam Filter to know whether they have the mechanism to block spoofing emails
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38723683
I just found the following which is leading me to believe it's best I leave this alone:

"The Barracuda Spam & Virus Firewall incorporates anti-spoofing features that, when enabled, will not allow an external email to appear as if it came from someone inside the organization. Any email that would have this appearance would be blocked. With the Barracuda Spam & Virus Firewall, this anti-spoofing feature can be enabled and disabled on a domain-by-domain basis. The Barracuda Spam & Virus Firewall includes features that allow larger organizations to specify a list of IP addresses that are allowed to have a “From” address that appears from inside the organization to support multiple sites and multiple email servers.
There is one problem with effectively implementing an anti-spoofing solution: road warrior access. Users that work outside of the network from home or on the road must connect via methods other than standard SMTP such as VPN, SSL-VPN, or Web mail if they want to send email to their colleagues in the organization and have that email appear as if it came from their internal email account. This can be a drawback; however, the consequences of a phishing scheme for an organization are so severe that many large and small organizations are choosing the safer route and implementing comprehensive anti-spoofing solutions. This results in a minor inconvenience when someone who is a member of the company and is traveling wants to send email internally.
"
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 250 total points
ID: 38723700
It's not so much an attack as it is a misdirection.  Someone put a fake (your boss's) return address on an e-mail, so bounce-backs would go to that e-mail account.

I can send a letter to anyone and put your street address as the return address.  It doesn't mean you sent it, but if the letter can't be delivered, it will be returned to you.  That's what's going on here.  

There is little, if anything, you can do about it.  If you feel it will help, you can contact the folks at kimsufi.com, which is where the e-mail appears to have originated.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
In this step by step procedure, you will come to know the details of creating an Outlook meeting in 2007, 2010, 2013 & 2016.
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question