Solved

Email Spoof comes from our own domain

Posted on 2013-07-01
Last Modified: 2013-07-09
Hi Experts,

Recently we installed a Barracuda email filtering system on our network. We have an in-house Exchange 2003 server. We are getting spam email sent out from our_username@ourdomain.com. Is it caused by malware or adware? Is this a server-level or end-user PC issue?

I would really appreciate it if you could give us some suggestions or a solution to stop the spam.

We got the following bounced-back message. I use John Don as the user and my domain is abc.com.

Thank you so much in advance.

EN

***************************************************
From: MAILER-DAEMON@btinternet.com [mailto:MAILER-DAEMON@btinternet.com]
Sent: Saturday, June 29, 2013 10:10 AM
To: Don, John
Subject: Delivery failure

Message from btinternet.com.
Unable to deliver message to the following address(es).

<dgmck@btinternet.com>:
This user doesn't have a btinternet.com account (dgmck@btinternet.com) [0]

<ukangel69@btinternet.com>:
This user doesn't have a btinternet.com account (ukangel69@btinternet.com) [0]

--- Original message follows.

The original message is over 5K. Message truncated.

Return-Path: <jdon@abc.com>
X-YahooFilteredBulk: 65.20.0.12
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
X-Originating-IP: [65.20.0.12]
Authentication-Results: mta1059.bt.mail.ir2.yahoo.com  from=abc.com; domainkeys=neutral (no sig);  from=ndsj.org; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>
To: "'Ukangel69'" <ukangel69@btinternet.com>
Subject: What TIME is it?
Date: Sat, 29 Jun 2013 13:09:39 -0500
Message-ID: <000901ce7427$0e6dda70$2e798d80$@com>
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_000A_01CE7407.875C3A70"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AQHOc6t86PZOZK/C40ayuLBkSJUrASlLL+PUgAA2WYA=
Content-Language: en-ca


This is a multi-part message in MIME format.

------=_NextPart_000_000A_01CE7407.875C3A70
Content-Type: multipart/alternative;
      boundary="----=_NextPart_001_000B_01CE7407.875C3A70"


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/plain;
      charset="utf-8"
Content-Transfer-Encoding: 7bit


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/html;
      charset="utf-8"
Content-Transfer-Encoding: quoted-printable

*** MESSAGE TRUNCATED ***
Question by:EnjoyNet
8 Comments
 
LVL 7

Expert Comment

by:Mohammed Tahir
ID: 39291722
1- Install and configure anti-spam on your Exchange server.
2- Ensure your server is not open to relay.

Author Comment

by:EnjoyNet
ID: 39291756
Thank you for quick response.

1. How do we do it? We have a Barracuda box for email filtering. What do you suggest we do on Exchange?

Best,
LVL 7

Expert Comment

by:Mohammed Tahir
ID: 39291920

Author Comment

by:EnjoyNet
ID: 39295048
Thank you for the links.

However, we are using Exchange 2003. How can we do it?

Thanks

EN
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 1200 total points
ID: 39295634
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 39296428
It isn't clear from your question - is there ANYTHING in that header that relates to your network? Forget about the domain name - that is spoofed very easily.
You need to prove that the email is originating from your network.

Installing the antispam agents etc on to Exchange 2003 is a waste of time in my opinion for this issue. You need to be sure the email is actually originating from your system.

You should have port 25 outbound blocked completely, so that only the appliance can send email to the internet.

Simon.
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 400 total points
ID: 39306704
You can add your own SMTP domain to your email gateway block list (like FOPE, Message Labs, Trend IMSS) so that you cannot receive spoofing from your domain.

Please don't add it on your Exchange server; if you do, internal mail will be blocked.
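Simon's question (does anything in that header relate to your network?) and Vijaya's gateway rule (treat mail claiming our domain that did not come from our own senders as spoofed) can both be applied mechanically to the bounce quoted above. The Python below is an added example, not code from any poster or from Barracuda: it walks the Received chain back to the oldest hop, reads the Received-SPF result, and compares the originating IP against an assumed, constructed egress range (203.0.113.0/29 stands in for the appliance's real public address).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the bounce quoted in the question (abc.com is the
# asker's placeholder domain); the MIME body is omitted.
BOUNCED_HEADERS = """\
Return-Path: <jdon@abc.com>
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>
"""
OUR_DOMAIN = "abc.com"
# Assumed (constructed): the only public range the filtering appliance sends from.
OUR_EGRESS = [ipaddress.ip_network("203.0.113.0/29")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hop_ips(raw_headers):
    """Connecting IP of each Received hop, newest first (header order)."""
    ips = []
    for hdr in message_from_string(raw_headers).get_all("Received", []):
        # Only the 'from ...' clause names the connecting client; the 'by ...'
        # clause is the receiving server and may carry its own addresses.
        found = IPV4_RE.findall(hdr.split(" by ", 1)[0])
        if found:
            ips.append(found[-1])  # last IP in the clause is the verified peer
    return ips


def triage(raw_headers, our_domain=OUR_DOMAIN, our_egress=OUR_EGRESS):
    """Did a bounce for From: <our domain> really leave our network?"""
    msg = message_from_string(raw_headers)
    hops = received_hop_ips(raw_headers)
    origin = hops[-1] if hops else None  # oldest hop = where mail entered SMTP
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ours = origin is not None and any(
        ipaddress.ip_address(origin) in net for net in our_egress)
    # "internal": mail really left our egress (hunt for the sending host);
    # "spoofed": our domain is claimed but the mail was injected elsewhere.
    verdict = ("internal" if ours else
               "spoofed" if from_domain == our_domain else "unrelated")
    return {"originating_ip": origin, "spf_result": spf,
            "from_domain": from_domain, "from_our_network": ours, "verdict": verdict}
```

For the quoted bounce the oldest hop is 89.230.168.19 via nectyr.com, which is not the appliance, so the verdict is "spoofed"; the same check, run on inbound mail at the gateway, is what Vijaya's block-list rule implements without touching Exchange.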

Author Closing Comment

by:EnjoyNet
ID: 39312195
Thank you very much.