Solved

Email Spoof comes from our own domain

Posted on 2013-07-01
8
1,275 Views
Last Modified: 2013-07-09
Hi Experts,

Recently we installed a Barracuda email filtering system on our network. We have an in-house Exchange 2003 server. We are getting spam email sent out from our_username@ourdomain.com. Is it caused by malware or adware? Is this a server-level or an end-user PC issue?

I would really appreciate it if you can give us some suggestions or a solution to stop the spam.

We got the following bounced-back message. I use John Don as the user and abc.com as my domain.

Thank you so much in advance.

EN

***************************************************
From: MAILER-DAEMON@btinternet.com [mailto:MAILER-DAEMON@btinternet.com]
Sent: Saturday, June 29, 2013 10:10 AM
To: Don, John
Subject: Delivery failure

Message from btinternet.com.
Unable to deliver message to the following address(es).

<dgmck@btinternet.com>:
This user doesn't have a btinternet.com account (dgmck@btinternet.com) [0]

<ukangel69@btinternet.com>:
This user doesn't have a btinternet.com account (ukangel69@btinternet.com) [0]

--- Original message follows.

The original message is over 5K. Message truncated.

Return-Path: <jdon@abc.com>
X-YahooFilteredBulk: 65.20.0.12
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
X-Originating-IP: [65.20.0.12]
Authentication-Results: mta1059.bt.mail.ir2.yahoo.com  from=abc.com; domainkeys=neutral (no sig);  from=ndsj.org; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>
To: "'Ukangel69'" <ukangel69@btinternet.com>
Subject: What TIME is it?
Date: Sat, 29 Jun 2013 13:09:39 -0500
Message-ID: <000901ce7427$0e6dda70$2e798d80$@com>
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_000A_01CE7407.875C3A70"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AQHOc6t86PZOZK/C40ayuLBkSJUrASlLL+PUgAA2WYA=
Content-Language: en-ca


This is a multi-part message in MIME format.

------=_NextPart_000_000A_01CE7407.875C3A70
Content-Type: multipart/alternative;
      boundary="----=_NextPart_001_000B_01CE7407.875C3A70"


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/plain;
      charset="utf-8"
Content-Transfer-Encoding: 7bit


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/html;
      charset="utf-8"
Content-Transfer-Encoding: quoted-printable

*** MESSAGE TRUNCATED ***
0
Comment
Question by:EnjoyNet
8 Comments
 
LVL 7

Expert Comment

by:Mohammed Tahir
ID: 39291722
1- Install and configure anti-spam on your Exchange server.
2- Ensure your server is not an open relay.
0
 

Author Comment

by:EnjoyNet
ID: 39291756
Thank you for quick response.

1. How do we do it? We have a Barracuda box for email filtering. What do you suggest we do on Exchange?

Best,
0
 
LVL 7

Expert Comment

by:Mohammed Tahir
ID: 39291920
0
 

Author Comment

by:EnjoyNet
ID: 39295048
Thank you for the links.

However we are using Exchange 2003.  How can we do it?

Thanks

EN
0

 
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 300 total points
ID: 39295634
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39296428
It isn't clear from your question - is there ANYTHING in that header that relates to your network? Forget about the domain name - that is spoofed very easily.
You need to prove that the email is originating from your network.

Installing the antispam agents etc on to Exchange 2003 is a waste of time in my opinion for this issue. You need to be sure the email is actually originating from your system.

You should have port 25 outbound blocked completely, so that only the appliance can send email to the internet.

Simon.
0
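A small header-triage script for the point Simon raises (does anything in the Received chain actually point at your network, regardless of the spoofed From domain?). This is an added example, not code from the thread; it uses a constructed copy of the bounce headers quoted in the question and a hypothetical netblock (203.0.113.0/24) standing in for your own public addresses.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, modelled on the Received/SPF headers quoted in the bounce above.
SAMPLE_HEADERS = """\
Return-Path: <jdon@abc.com>
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>

"""

# Hypothetical public address range of the organisation (placeholder; use your own).
OUR_NETBLOCKS = ["203.0.113.0/24"]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw_headers):
    """IPv4 addresses in the 'from' clause of each Received header, newest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        from_clause = value.split(" by ", 1)[0]   # drop the receiving host and its version string
        ips = [ip for ip in IPV4.findall(from_clause)
               if not ipaddress.ip_address(ip).is_loopback]
        hops.append(ips)
    return hops

def spf_result(raw_headers):
    """Verdict keyword from Received-SPF (e.g. 'fail'), or None if the header is absent."""
    value = message_from_string(raw_headers).get("Received-SPF")
    return value.split(None, 1)[0].lower() if value else None

def origin_ip(raw_headers):
    """Address in the oldest (bottom-most) Received header, i.e. the claimed sending host.
    Hops below the first relay you trust are written by the sender's own software and can
    be forged, so treat this as a lead to investigate, not as proof."""
    hops = received_hops(raw_headers)
    return hops[-1][0] if hops and hops[-1] else None

def originated_from_us(raw_headers, netblocks=OUR_NETBLOCKS):
    """True only if the claimed origin address falls inside one of our netblocks."""
    ip = origin_ip(raw_headers)
    return ip is not None and any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in netblocks)
```

For the quoted bounce the origin is a Polish consumer address and SPF already fails, so nothing ties the message to the poster's network; only a hit inside your own netblock would justify looking for an infected machine or an open relay.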
 
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 100 total points
ID: 39306704
You can add your own SMTP domain to your email gateway block list (like FOPE, Message Labs, Trend IMSS) so that you do not receive spoofing from your domain.

Please don't add it on your Exchange server; if you do, internal mail will be blocked.
0
 

Author Closing Comment

by:EnjoyNet
ID: 39312195
Thank you very much.
0
