Solved

Email Spoof comes from our own domain

Posted on 2013-07-01
Last Modified: 2013-07-09
Hi Experts,

Recently we installed a Barracuda email filtering system on our network. We have an in-house Exchange 2003 server. We are getting spam email sent out from our_username@ourdomain.com. Is it caused by malware or adware? Is this a server-level or end-user PC issue?

I would really appreciate it if you could give us some suggestions or a solution to stop the spam.

We got the following bounced-back message (I use John Don as the user and abc.com as my domain):

Thank you so much in advance.

EN

***************************************************
From: MAILER-DAEMON@btinternet.com [mailto:MAILER-DAEMON@btinternet.com]
Sent: Saturday, June 29, 2013 10:10 AM
To: Don, John
Subject: Delivery failure

Message from btinternet.com.
Unable to deliver message to the following address(es).

<dgmck@btinternet.com>:
This user doesn't have a btinternet.com account (dgmck@btinternet.com) [0]

<ukangel69@btinternet.com>:
This user doesn't have a btinternet.com account (ukangel69@btinternet.com) [0]

--- Original message follows.

The original message is over 5K. Message truncated.

Return-Path: <jdon@abc.com>
X-YahooFilteredBulk: 65.20.0.12
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
X-Originating-IP: [65.20.0.12]
Authentication-Results: mta1059.bt.mail.ir2.yahoo.com  from=abc.com; domainkeys=neutral (no sig);  from=ndsj.org; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>
To: "'Ukangel69'" <ukangel69@btinternet.com>
Subject: What TIME is it?
Date: Sat, 29 Jun 2013 13:09:39 -0500
Message-ID: <000901ce7427$0e6dda70$2e798d80$@com>
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_000A_01CE7407.875C3A70"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AQHOc6t86PZOZK/C40ayuLBkSJUrASlLL+PUgAA2WYA=
Content-Language: en-ca


This is a multi-part message in MIME format.

------=_NextPart_000_000A_01CE7407.875C3A70
Content-Type: multipart/alternative;
      boundary="----=_NextPart_001_000B_01CE7407.875C3A70"


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/plain;
      charset="utf-8"
Content-Transfer-Encoding: 7bit


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/html;
      charset="utf-8"
Content-Transfer-Encoding: quoted-printable

*** MESSAGE TRUNCATED ***
Question by:EnjoyNet
8 Comments
 
LVL 7

Expert Comment

by:Mohammed Tahir
ID: 39291722
1. Install and configure anti-spam on your Exchange server.
2. Ensure your server is not open to relay.
0
 

Author Comment

by:EnjoyNet
ID: 39291756
Thank you for the quick response.

1. How do we do it? We have a Barracuda box for email filtering. What do you suggest we do on Exchange?

Best,
0
 
LVL 7

Expert Comment

by:Mohammed Tahir
ID: 39291920
0
 

Author Comment

by:EnjoyNet
ID: 39295048
Thank you for the links.

However, we are using Exchange 2003. How can we do it?

Thanks

EN
0
 
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 300 total points
ID: 39295634
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39296428
It isn't clear from your question - is there ANYTHING in that header that relates to your network? Forget about the domain name - that is spoofed very easily.
You need to prove that the email is originating from your network.

Installing the antispam agents etc on to Exchange 2003 is a waste of time in my opinion for this issue. You need to be sure the email is actually originating from your system.

You should have port 25 outbound blocked completely, so that only the appliance can send email to the internet.

Simon.
0
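One way to run the check Simon describes, as an added example that is not part of the original thread: it walks the `Received` chain and the `Received-SPF` verdict from the bounce quoted in the question and tests each relay IP against the organization's own address ranges. `OWN_NETWORKS` is a constructed placeholder (a documentation range); the real public ranges of the mail server and the Barracuda appliance would go there.

```python
import email
import ipaddress
import re

# Headers copied from the bounce quoted in the question (opaque headers omitted).
BOUNCE_HEADERS = """\
Return-Path: <jdon@abc.com>
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>
Subject: What TIME is it?

"""

# Assumption: placeholder range standing in for the organization's public IPs.
OWN_NETWORKS = ["203.0.113.0/24"]

def relay_ips(raw):
    """Client IPs recorded by each relay, newest hop first."""
    ips = []
    for hop in email.message_from_string(raw).get_all("Received", []):
        # Keep only the "from ..." half; the "by ..." half describes the receiver.
        client_part = re.split(r"\sby\s", hop, maxsplit=1)[0]
        for text in re.findall(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", client_part):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # bracketed dotted number that is not a valid address
    return ips

def hops_inside(raw, own_networks):
    """Relay IPs that fall inside the given networks (empty list: none of ours)."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    return [ip for ip in relay_ips(raw) if any(ip in n for n in nets)]

def spf_verdict(raw):
    """First word of Received-SPF (e.g. 'fail'), or None if the header is absent."""
    value = email.message_from_string(raw).get("Received-SPF", "")
    return value.split()[0].lower() if value.strip() else None

if __name__ == "__main__":
    print(relay_ips(BOUNCE_HEADERS), hops_inside(BOUNCE_HEADERS, OWN_NETWORKS), spf_verdict(BOUNCE_HEADERS))
```

Only the `Received` lines added by relays you trust are reliable; the lower ones are written by the sender and can be forged, so the server's own outbound logs remain the confirming evidence.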
 
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 100 total points
ID: 39306704
You can add your own SMTP domain to your email gateway block list (like FOPE, MessageLabs, Trend IMSS) so that you cannot receive spoofing from your domain.

Please don't add it on your Exchange server; if you add it, internal mails will be blocked.
0
 

Author Closing Comment

by:EnjoyNet
ID: 39312195
Thank you very much.
0
