Solved

Spam Email Sent from My Email Address...

Posted on 2012-12-27
3
1,337 Views
Last Modified: 2012-12-27
Hi all.
We have a domain environment running Exchange 2007.
A company owner (of all people) has gotten a few bounce-backs / NDRs at about midnight but he never sent any emails to begin with.
I checked our Barracuda Spam Filter and have verified that no email was sent from his email around that time.
When I look at the bounce-back message, there is obviously all kinds of information in there but I'm not sure what could have caused this to happen.
Here are some tidbits of information from the bounce-back.
Maybe someone can help decipher this.  
The internal email address that received this bounce-back is in BOLD below.

Diagnostic information for administrators:

Generating server: mx2.ibc.com.au

bucholtiryo@kadmos.com.au
203.24.93.104 #<203.24.93.104 #5.1.1 smtp; 550 5.1.1 <bucholtiryo@kadmos.com.au>: Recipient address rejected: User unknown in virtual mailbox table> #SMTP#

Original message headers:

Return-Path: <UserA@DomainA.com>
Received: from localhost (localhost [127.0.0.1])      by mx2.ibc.com.au (Postfix)
 with ESMTP id C89EF14167;      Thu, 27 Dec 2012 13:26:32 +0800 (WST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on turing.ibc.com.au
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=BAYES_80,DATE_IN_FUTURE_03_06,
      FREEMAIL_FORGED_REPLYTO shortcircuit=no autolearn=no version=3.3.1
X-Spam-Report: *  3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
      *  2.7 BAYES_80 BODY: Bayes spam probability is 80 to 95%
      *      [score: 0.9233]
      *  1.2 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Virus-Scanned: amavisd-new at weber.ibc.com.au
Received: from mx2.ibc.com.au ([127.0.0.1])
      by localhost (turing.ibc.com.au [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 6LWbhzUYhtfq; Thu, 27 Dec 2012 13:26:32 +0800 (WST)
Received: from ks3095542.kimsufi.com (ks3095542.kimsufi.com [94.23.59.42])
      by mx2.ibc.com.au (Postfix) with SMTP id 023D314165
      for <bucholtiryo@kadmos.com.au>; Thu, 27 Dec 2012 13:26:31 +0800 (WST)
To: <bucholtiryo@kadmos.com.au>
Subject: *****SPAM***** Search beautiful wives)))
From: UserA <member@forumotion.com>
Reply-To: <elizabeth.sh@live.ca>
Message-ID: <ksocj5jzo44ntbx1gzp5aq43xxai36t@hvirus.forumactif.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Date: Thu, 27 Dec 2012 06:27:52 -0400
X-Spam-Prev-Subject: Search beautiful wives)))
0
Comment
Question by:homerslmpson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 15

Accepted Solution

by:
Rajkumar-MCITP earned 250 total points
ID: 38723665
Its a spoofing attack.. check with Barracuda Spam Filter to know whether they have the mechanism to block spoofing emails
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38723683
I just found the following which is leading me to believe it's best I leave this alone:

"The Barracuda Spam & Virus Firewall incorporates anti-spoofing features that, when enabled, will not allow an external email to appear as if it came from someone inside the organization. Any email that would have this appearance would be blocked. With the Barracuda Spam & Virus Firewall, this anti-spoofing feature can be enabled and disabled on a domain-by-domain basis. The Barracuda Spam & Virus Firewall includes features that allow larger organizations to specify a list of IP addresses that are allowed to have a “From” address that appears from inside the organization to support multiple sites and multiple email servers.
There is one problem with effectively implementing an anti-spoofing solution: road warrior access. Users that work outside of the network from home or on the road must connect via methods other than standard SMTP such as VPN, SSL-VPN, or Web mail if they want to send email to their colleagues in the organization and have that email appear as if it came from their internal email account. This can be a drawback; however, the consequences of a phishing scheme for an organization are so severe that many large and small organizations are choosing the safer route and implementing comprehensive anti-spoofing solutions. This results in a minor inconvenience when someone who is a member of the company and is traveling wants to send email internally.
"
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 250 total points
ID: 38723700
It's not so much an attack as it is a misdirection.  Someone put a fake (your boss's) return address on an e-mail, so bounce-backs would go to that e-mail account.

I can send a letter to anyone and put your street address as the return address.  It doesn't mean you sent it, but if the letter can't be delivered, it will be returned to you.  That's what's going on here.  

There is little, if anything, you can do about it.  If you feel it will help, you can contact the folks at kimsufi.com, which is where the e-mail appears to have originated.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
This article describes how to import Lotus Notes Contacts into Outlook 2016, 2013, 2010 and 2007 etc. with a few manual steps. You can easily export and migrate Lotus Notes contacts into Microsoft Outlook without having to use any third party tools.
how to add IIS SMTP to handle application/Scanner relays into office 365.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question