Email Spoof comes from our own domain

Hi Experts,

Recently we installed a Barracuda email filtering system on our network. We have an in-house Exchange 2003 server. We are getting spam email sent out from our_username@ourdomain.com. Is it caused by malware or adware? Is this a server-level or end-user PC issue?

I would really appreciate it if you could give us some suggestions or a solution to stop the spam.

We got the following bounced-back message. I use John Don as the user, and my domain is abc.com.

Thank you so much in advance.

EN

***************************************************
From: MAILER-DAEMON@btinternet.com [mailto:MAILER-DAEMON@btinternet.com]
Sent: Saturday, June 29, 2013 10:10 AM
To: Don, John
Subject: Delivery failure

Message from btinternet.com.
Unable to deliver message to the following address(es).

<dgmck@btinternet.com>:
This user doesn't have a btinternet.com account (dgmck@btinternet.com) [0]

<ukangel69@btinternet.com>:
This user doesn't have a btinternet.com account (ukangel69@btinternet.com) [0]

--- Original message follows.

The original message is over 5K. Message truncated.

Return-Path: <jdon@abc.com>
X-YahooFilteredBulk: 65.20.0.12
Received-SPF: fail (domain of abc.com does not designate 65.20.0.12 as permitted sender)
X-Originating-IP: [65.20.0.12]
Authentication-Results: mta1059.bt.mail.ir2.yahoo.com  from=abc.com; domainkeys=neutral (no sig);  from=ndsj.org; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpin06.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1059.bt.mail.ir2.yahoo.com with SMTP; Sat, 29 Jun 2013 17:09:36 +0000
Received: from host-89-230-168-19.ostrowmaz.mm.pl (89.230.168.19) by smtpin06.bt.ext.cpcloud.co.uk (8.6.100.03)
        id 51CB2A4D0158039D; Sat, 29 Jun 2013 17:09:35 +0000
Received: from MichaelPC (unverified [89.230.168.19])
      by nectyr.com (SurgeMail 6.4a) with ESMTP id 413425243-1712458
      for <ukangel69@btinternet.com>; Sat, 29 Jun 2013 13:09:39 -0500
From: "INFO - Even Second" <jdon@abc.com>
To: "'Ukangel69'" <ukangel69@btinternet.com>
Subject: What TIME is it?
Date: Sat, 29 Jun 2013 13:09:39 -0500
Message-ID: <000901ce7427$0e6dda70$2e798d80$@com>
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_000A_01CE7407.875C3A70"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AQHOc6t86PZOZK/C40ayuLBkSJUrASlLL+PUgAA2WYA=
Content-Language: en-ca


This is a multi-part message in MIME format.

------=_NextPart_000_000A_01CE7407.875C3A70
Content-Type: multipart/alternative;
      boundary="----=_NextPart_001_000B_01CE7407.875C3A70"


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/plain;
      charset="utf-8"
Content-Transfer-Encoding: 7bit


------=_NextPart_001_000B_01CE7407.875C3A70
Content-Type: text/html;
      charset="utf-8"
Content-Transfer-Encoding: quoted-printable

*** MESSAGE TRUNCATED ***
 
Mohammed Tahir (Microsoft Exchange and O365 Administrator) commented:
1- Install and configure anti-spam on your Exchange server.
2- Ensure your server is not open to relay.
0
 
EnjoyNet (Author) commented:
Thank you for the quick response.

1. How to do it? We have a Barracuda box for email filtering. What do you suggest we do on Exchange?

Best,
0
 
Mohammed Tahir (Microsoft Exchange and O365 Administrator) commented:
0
 
EnjoyNet (Author) commented:
Thank you for the links.

However we are using Exchange 2003.  How can we do it?

Thanks

EN
0
 
Simon Butler (Sembee) (Consultant) commented:
It isn't clear from your question - is there ANYTHING in that header that relates to your network? Forget about the domain name - that is spoofed very easily.
You need to prove that the email is originating from your network.

Installing the antispam agents etc on to Exchange 2003 is a waste of time in my opinion for this issue. You need to be sure the email is actually originating from your system.

You should have port 25 outbound blocked completely, so that only the appliance can send email to the internet.

Simon.
0
 
Vijaya Babu Sekar (Associate Ops Manager) commented:
You can add your own SMTP domain to your email gateway block list (like FOPE, MessageLabs, Trend IMSS) so that you cannot receive spoofing from your domain.

Please don't add it on your Exchange server; if you add it, internal mail will be blocked.
0
 
EnjoyNet (Author) commented:
Thank you very much.
0
Question has a verified solution.