Benderama
Spam messages on exchange 2010 server
Hello,
Today we are getting a lot of spam mails on one of our servers.
Could this be an infection on our network? All the mails are coming from our domain name and I'm not sure if all of them are spoofed or not.
Below you can find the mail header (I changed our domain name to "ourdomainname" and "externaldomainname"). We are currently using the POP3 connector on the SBS 2011 server to retrieve the mails.
Received: from SBS-SERVER (127.0.0.1) by SBS-SERVER.ourdomainname.be.local
(127.0.0.1) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013
04:52:48 +0200
Received: by [SBS-SERVER.ourdomainname.be.local (Microsoft Connector for POP3
Mailboxes)] id <"{7E84D4B0-3B9E-416E-8C0E-4F682E1E16A6}"@ourdomainname.be.local>;
Tue, 3 Sep 2013 04:52:48 +0200
Resent-Sender: <pop3connector@ourdomainname.be.local>
Return-Path: <subjugationor2@google.com>
Delivered-To: info@ourdomainname.be.be
Received: (qmail 29086 invoked by uid 1010); 3 Sep 2013 02:48:41 -0000
Received: from unknown (HELO mx10.externaldomainname.be) (127.0.0.1) by
mx-03.externaldomainname.be with SMTP; 3 Sep 2013 02:48:41 -0000
Received: from mx10-05.externaldomainname.be (mx10-05.externaldomainname.be [62.182.61.105]) by
mx10.externaldomainname.be (Postfix) with ESMTP for <info@ourdomainname.be.be>; Tue, 3 Sep
2013 04:48:41 +0200 (CEST)
Received: from [62.182.60.245] (helo=node02.externaldomainname.be) by
mx10-05.externaldomainname.be with esmtp (Exim 4.72) (envelope-from
<subjugationor2@google.com>) id 1VGgf9-0007kl-NJ for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:25 +0200
Received: from [201.240.25.78] (helo=client-201.240.25.78.speedy.net.pe) by
node02.externaldomainname.be with esmtp (Exim 4.80.1) (envelope-from
<subjugationor2@google.com>) id 1VGgfU-00069T-Td for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:37 +0200
Message-ID: <52254BDC.502040@ourdomainname.be.be>
Date: Mon, 2 Sep 2013 21:48:11 -0500
From: <info@ourdomainname.be.be>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <info@ourdomainname.be.be>
Subject: Komt te weten hoe mensen van uw beroep met 30% meer kunnen verdienen!
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender) client-ip=201.240.25.78; envelope-from=subjugationor2@google.com; helo=client-201.240.25.78.speedy.net.pe;
X-SPF-Result: node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender
X-Sender-Warning: Reverse DNS lookup failed for 201.240.25.78 (failed)
Authentication-Results: externaldomainname.be; spf=softfail smtp.mailfrom=subjugationor2@google.com
X-Mailfiltering-Class: whitelisted
X-Mailfiltering-Evidence: sender
X-Recommended-Action: accept
X-Virus-Scanned: Passed
X-Spam-Scanned: 10
X-Spam-Report: The following rules were applied for tagging this message
pts rule name description
---- ---------------------- ----------------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: carersinholland.com]
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
X-Virus-Scanned: Passed
X-Spam-Scanned: -1.5
X-Spam-Status: NO
X-Scanned-By: externaldomainname mailfilter
X-MS-Exchange-Organization-AuthSource: SBS-SERVER.ourdomainname.be.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10004.505;OrigIP:unavailable
ASKER CERTIFIED SOLUTION
From reading the message headers, these emails did NOT originate inside your network.
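As an added illustration of how that conclusion is read off the headers (this script is mine, not code from the thread), the block below walks the Received: chain from the bottom up to find the first hop from outside the local address space, and pulls out the SPF verdict and the From, envelope and To domains. The header sample is a constructed, shortened copy of the one quoted in the question; the internal-address prefixes are an assumption about the asker's network.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a shortened copy of the header chain quoted in the question.
SAMPLE = """\
Received: from SBS-SERVER (127.0.0.1) by SBS-SERVER.ourdomainname.be.local
 (127.0.0.1) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013 04:52:48 +0200
Received: by [SBS-SERVER.ourdomainname.be.local (Microsoft Connector for POP3
 Mailboxes)] id <x@ourdomainname.be.local>; Tue, 3 Sep 2013 04:52:48 +0200
Return-Path: <subjugationor2@google.com>
Received: from [62.182.60.245] (helo=node02.externaldomainname.be) by
 mx10-05.externaldomainname.be with esmtp (Exim 4.72)
Received: from [201.240.25.78] (helo=client-201.240.25.78.speedy.net.pe) by
 node02.externaldomainname.be with esmtp (Exim 4.80.1)
From: <info@ourdomainname.be.be>
To: <info@ourdomainname.be.be>
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender)
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
INTERNAL_PREFIXES = ("127.", "10.", "192.168.")  # assumption: the asker's own hosts

def domain(addr):
    return parseaddr(str(addr or ""))[1].split("@")[-1].lower()

def received_hops(msg):
    # 'from X by Y' hops, newest first; the POP3-connector line has no 'from' and is skipped
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", " ".join(str(hdr).split()))
        if m:
            ip = IP_RE.search(m.group(1))
            hops.append({"by": m.group(2), "ip": ip and ip.group(1)})
    return hops

def assess(raw):
    # Oldest hop is last; the first one from outside our address space is the entry point
    msg = email.message_from_string(raw, policy=policy.default)
    origin = next((h for h in reversed(received_hops(msg))
                   if h["ip"] and not h["ip"].startswith(INTERNAL_PREFIXES)), None)
    spf = str(msg.get("Received-SPF", "")).split()
    return {
        "origin_ip": origin and origin["ip"],
        "entered_via": origin and origin["by"],
        "spf": spf[0].lower() if spf else None,
        "from_domain": domain(msg["From"]),
        "envelope_domain": domain(msg["Return-Path"]),
        "self_addressed": domain(msg["From"]) == domain(msg["To"]),
    }
```

On the sample this reports the message entering at node02.externaldomainname.be from 201.240.25.78 with an SPF softfail, a From domain that differs from the envelope sender, and a From address equal to the recipient, which is the self-spoofing pattern the asker is seeing.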
ASKER
Hello, I can't find any Event ID 1708.
So if the mails did not originate from inside the network, I guess one of our client PCs with our address list got infected and is sending out the spam?
The weird part is that it's really good spam; it really looks like legit mail and our spam filters are not seeing this as spam.
I guess I'll just tighten up the anti-spam software for a few days and see what happens.
Yes, if there is no Event ID 1708 then it is not from internal, would be my guess.
I would still update and scan all PCs anyway.
But you need to get your spam levels increased and message filters etc.
Is your mail spam checked before it is collected via the POP3 connector on your server?
Any joy with this one, Benderama?
https://www.experts-exchange.com/questions/27929216/Exchange-SMTP-queue-keeps-adding-spam-messages.html