Solved

Spam Email Sent from My Email Address...

Posted on 2012-12-27
3
1,302 Views
Last Modified: 2012-12-27
Hi all.
We have a domain environment running Exchange 2007.
A company owner (of all people) has gotten a few bounce-backs / NDRs at about midnight but he never sent any emails to begin with.
I checked our Barracuda Spam Filter and have verified that no email was sent from his email around that time.
When I look at the bounce-back message, there is obviously all kinds of information in there but I'm not sure what could have caused this to happen.
Here are some tidbits of information from the bounce-back.
Maybe someone can help decipher this.  
The internal email address that received this bounce-back is in BOLD below.

Diagnostic information for administrators:

Generating server: mx2.ibc.com.au

bucholtiryo@kadmos.com.au
203.24.93.104 #<203.24.93.104 #5.1.1 smtp; 550 5.1.1 <bucholtiryo@kadmos.com.au>: Recipient address rejected: User unknown in virtual mailbox table> #SMTP#

Original message headers:

Return-Path: <UserA@DomainA.com>
Received: from localhost (localhost [127.0.0.1])      by mx2.ibc.com.au (Postfix)
 with ESMTP id C89EF14167;      Thu, 27 Dec 2012 13:26:32 +0800 (WST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on turing.ibc.com.au
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=BAYES_80,DATE_IN_FUTURE_03_06,
      FREEMAIL_FORGED_REPLYTO shortcircuit=no autolearn=no version=3.3.1
X-Spam-Report: *  3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
      *  2.7 BAYES_80 BODY: Bayes spam probability is 80 to 95%
      *      [score: 0.9233]
      *  1.2 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Virus-Scanned: amavisd-new at weber.ibc.com.au
Received: from mx2.ibc.com.au ([127.0.0.1])
      by localhost (turing.ibc.com.au [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 6LWbhzUYhtfq; Thu, 27 Dec 2012 13:26:32 +0800 (WST)
Received: from ks3095542.kimsufi.com (ks3095542.kimsufi.com [94.23.59.42])
      by mx2.ibc.com.au (Postfix) with SMTP id 023D314165
      for <bucholtiryo@kadmos.com.au>; Thu, 27 Dec 2012 13:26:31 +0800 (WST)
To: <bucholtiryo@kadmos.com.au>
Subject: *****SPAM***** Search beautiful wives)))
From: UserA <member@forumotion.com>
Reply-To: <elizabeth.sh@live.ca>
Message-ID: <ksocj5jzo44ntbx1gzp5aq43xxai36t@hvirus.forumactif.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Date: Thu, 27 Dec 2012 06:27:52 -0400
X-Spam-Prev-Subject: Search beautiful wives)))
0
Comment
Question by:homerslmpson
3 Comments
 
LVL 15

Accepted Solution

by:
Rajkumar-MCITP earned 250 total points
ID: 38723665
Its a spoofing attack.. check with Barracuda Spam Filter to know whether they have the mechanism to block spoofing emails
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 38723683
I just found the following which is leading me to believe it's best I leave this alone:

"The Barracuda Spam & Virus Firewall incorporates anti-spoofing features that, when enabled, will not allow an external email to appear as if it came from someone inside the organization. Any email that would have this appearance would be blocked. With the Barracuda Spam & Virus Firewall, this anti-spoofing feature can be enabled and disabled on a domain-by-domain basis. The Barracuda Spam & Virus Firewall includes features that allow larger organizations to specify a list of IP addresses that are allowed to have a “From” address that appears from inside the organization to support multiple sites and multiple email servers.
There is one problem with effectively implementing an anti-spoofing solution: road warrior access. Users that work outside of the network from home or on the road must connect via methods other than standard SMTP such as VPN, SSL-VPN, or Web mail if they want to send email to their colleagues in the organization and have that email appear as if it came from their internal email account. This can be a drawback; however, the consequences of a phishing scheme for an organization are so severe that many large and small organizations are choosing the safer route and implementing comprehensive anti-spoofing solutions. This results in a minor inconvenience when someone who is a member of the company and is traveling wants to send email internally.
"
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 250 total points
ID: 38723700
It's not so much an attack as it is a misdirection.  Someone put a fake (your boss's) return address on an e-mail, so bounce-backs would go to that e-mail account.

I can send a letter to anyone and put your street address as the return address.  It doesn't mean you sent it, but if the letter can't be delivered, it will be returned to you.  That's what's going on here.  

There is little, if anything, you can do about it.  If you feel it will help, you can contact the folks at kimsufi.com, which is where the e-mail appears to have originated.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you unable to connect or configure Hotmail email account in Microsoft Outlook 2010, 2007? Or Outlook.com emails are not downloading to Outlook? Lets’ see the problem and resolve Outlook Connector error syncing folder hierarchy (0x8004102A).
Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question