Solved

Spam Email Sent from My Email Address...

Posted on 2012-12-27
3
1,277 Views
Last Modified: 2012-12-27
Hi all.
We have a domain environment running Exchange 2007.
A company owner (of all people) has gotten a few bounce-backs / NDRs at about midnight but he never sent any emails to begin with.
I checked our Barracuda Spam Filter and have verified that no email was sent from his email around that time.
When I look at the bounce-back message, there is obviously all kinds of information in there but I'm not sure what could have caused this to happen.
Here are some tidbits of information from the bounce-back.
Maybe someone can help decipher this.  
The internal email address that received this bounce-back is in BOLD below.

Diagnostic information for administrators:

Generating server: mx2.ibc.com.au

bucholtiryo@kadmos.com.au
203.24.93.104 #<203.24.93.104 #5.1.1 smtp; 550 5.1.1 <bucholtiryo@kadmos.com.au>: Recipient address rejected: User unknown in virtual mailbox table> #SMTP#

Original message headers:

Return-Path: <UserA@DomainA.com>
Received: from localhost (localhost [127.0.0.1])      by mx2.ibc.com.au (Postfix)
 with ESMTP id C89EF14167;      Thu, 27 Dec 2012 13:26:32 +0800 (WST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on turing.ibc.com.au
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=BAYES_80,DATE_IN_FUTURE_03_06,
      FREEMAIL_FORGED_REPLYTO shortcircuit=no autolearn=no version=3.3.1
X-Spam-Report: *  3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
      *  2.7 BAYES_80 BODY: Bayes spam probability is 80 to 95%
      *      [score: 0.9233]
      *  1.2 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Virus-Scanned: amavisd-new at weber.ibc.com.au
Received: from mx2.ibc.com.au ([127.0.0.1])
      by localhost (turing.ibc.com.au [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 6LWbhzUYhtfq; Thu, 27 Dec 2012 13:26:32 +0800 (WST)
Received: from ks3095542.kimsufi.com (ks3095542.kimsufi.com [94.23.59.42])
      by mx2.ibc.com.au (Postfix) with SMTP id 023D314165
      for <bucholtiryo@kadmos.com.au>; Thu, 27 Dec 2012 13:26:31 +0800 (WST)
To: <bucholtiryo@kadmos.com.au>
Subject: *****SPAM***** Search beautiful wives)))
From: UserA <member@forumotion.com>
Reply-To: <elizabeth.sh@live.ca>
Message-ID: <ksocj5jzo44ntbx1gzp5aq43xxai36t@hvirus.forumactif.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Date: Thu, 27 Dec 2012 06:27:52 -0400
X-Spam-Prev-Subject: Search beautiful wives)))
0
Comment
Question by:homerslmpson
3 Comments
 
LVL 15

Accepted Solution

by:
Rajkumar-MCITP earned 250 total points
ID: 38723665
Its a spoofing attack.. check with Barracuda Spam Filter to know whether they have the mechanism to block spoofing emails
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38723683
I just found the following which is leading me to believe it's best I leave this alone:

"The Barracuda Spam & Virus Firewall incorporates anti-spoofing features that, when enabled, will not allow an external email to appear as if it came from someone inside the organization. Any email that would have this appearance would be blocked. With the Barracuda Spam & Virus Firewall, this anti-spoofing feature can be enabled and disabled on a domain-by-domain basis. The Barracuda Spam & Virus Firewall includes features that allow larger organizations to specify a list of IP addresses that are allowed to have a “From” address that appears from inside the organization to support multiple sites and multiple email servers.
There is one problem with effectively implementing an anti-spoofing solution: road warrior access. Users that work outside of the network from home or on the road must connect via methods other than standard SMTP such as VPN, SSL-VPN, or Web mail if they want to send email to their colleagues in the organization and have that email appear as if it came from their internal email account. This can be a drawback; however, the consequences of a phishing scheme for an organization are so severe that many large and small organizations are choosing the safer route and implementing comprehensive anti-spoofing solutions. This results in a minor inconvenience when someone who is a member of the company and is traveling wants to send email internally.
"
0
 
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 250 total points
ID: 38723700
It's not so much an attack as it is a misdirection.  Someone put a fake (your boss's) return address on an e-mail, so bounce-backs would go to that e-mail account.

I can send a letter to anyone and put your street address as the return address.  It doesn't mean you sent it, but if the letter can't be delivered, it will be returned to you.  That's what's going on here.  

There is little, if anything, you can do about it.  If you feel it will help, you can contact the folks at kimsufi.com, which is where the e-mail appears to have originated.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now