Benderama (Belgium) asked:

Spam messages on Exchange 2010 server

Hello,

Today we are getting a lot of spam mails on one of our servers.
Could this be an infection on our network? All the mails are coming from our domain name and I'm not sure if all of them are spoofed or not.

Below you can find the mail header (I changed the domain names to "ourdomainname"
and "externaldomainname"). We are currently using the POP3 connector on the SBS 2011 server to retrieve the mails.

Received: from SBS-SERVER (127.0.0.1) by SBS-SERVER.ourdomainname.be.local
(127.0.0.1) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013
04:52:48 +0200
Received: by [SBS-SERVER.ourdomainname.be.local (Microsoft Connector for POP3
Mailboxes)] id <"{7E84D4B0-3B9E-416E-8C0E-4F682E1E16A6}"@ourdomainname.be.local>;
Tue, 3 Sep 2013 04:52:48 +0200
Resent-Sender: <pop3connector@ourdomainname.be.local>
Return-Path: <subjugationor2@google.com>
Delivered-To: info@ourdomainname.be.be
Received: (qmail 29086 invoked by uid 1010); 3 Sep 2013 02:48:41 -0000
Received: from unknown (HELO mx10.externaldomainname.be) (127.0.0.1)  by
mx-03.externaldomainname.be with SMTP; 3 Sep 2013 02:48:41 -0000
Received: from mx10-05.externaldomainname.be (mx10-05.externaldomainname.be [62.182.61.105]) by
mx10.externaldomainname.be (Postfix) with ESMTP            for <info@ourdomainname.be.be>; Tue,  3 Sep
2013 04:48:41 +0200 (CEST)
Received: from [62.182.60.245] (helo=node02.externaldomainname.be)     by
mx10-05.externaldomainname.be with esmtp (Exim 4.72)  (envelope-from
<subjugationor2@google.com>)            id 1VGgf9-0007kl-NJ      for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:25 +0200
Received: from [201.240.25.78] (helo=client-201.240.25.78.speedy.net.pe)       by
node02.externaldomainname.be with esmtp (Exim 4.80.1) (envelope-from
<subjugationor2@google.com>)            id 1VGgfU-00069T-Td    for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:37 +0200
Message-ID: <52254BDC.502040@ourdomainname.be.be>
Date: Mon, 2 Sep 2013 21:48:11 -0500
From: <info@ourdomainname.be.be>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <info@ourdomainname.be.be>
Subject: Komt te weten hoe mensen van uw beroep met 30% meer kunnen verdienen!
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender) client-ip=201.240.25.78; envelope-from=subjugationor2@google.com; helo=client-201.240.25.78.speedy.net.pe;
X-SPF-Result: node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender
X-Sender-Warning: Reverse DNS lookup failed for 201.240.25.78 (failed)
Authentication-Results: externaldomainname.be; spf=softfail smtp.mailfrom=subjugationor2@google.com
X-Mailfiltering-Class: whitelisted
X-Mailfiltering-Evidence: sender
X-Recommended-Action: accept
X-Virus-Scanned: Passed
X-Spam-Scanned: 10
X-Spam-Report: The following rules were applied for tagging this message
  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: carersinholland.com]
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
X-Virus-Scanned: Passed
X-Spam-Scanned: -1.5
X-Spam-Status: NO
X-Scanned-By: externaldomainname mailfilter
X-MS-Exchange-Organization-AuthSource: SBS-SERVER.ourdomainname.be.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10004.505;OrigIP:unavailable
jerseysam (accepted solution):

From reading the message headers, these emails did NOT originate inside your network.
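One way to check that conclusion from the headers themselves, as an added example that is not part of the original thread: the script walks the Received: chain from the earliest hop upward, takes the first internet-routable source IP as the point where the mail entered the public mail system, and sets it beside the From and Return-Path domains and the Received-SPF verdict. The embedded sample is an abbreviated copy of the header quoted in the question; own_sending_ips and the "spoofed" rule are assumptions of this example, not a standard.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: abbreviated Received chain plus From, Return-Path and Received-SPF from the question's header.
SAMPLE_HEADER = """\
Received: from SBS-SERVER (127.0.0.1) by SBS-SERVER.ourdomainname.be.local
 (127.0.0.1) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013 04:52:48 +0200
Received: from mx10-05.externaldomainname.be (mx10-05.externaldomainname.be [62.182.61.105])
 by mx10.externaldomainname.be (Postfix) with ESMTP for <info@ourdomainname.be.be>
Received: from [62.182.60.245] (helo=node02.externaldomainname.be) by mx10-05.externaldomainname.be
 with esmtp (Exim 4.72) (envelope-from <subjugationor2@google.com>) id 1VGgf9-0007kl-NJ
Received: from [201.240.25.78] (helo=client-201.240.25.78.speedy.net.pe) by node02.externaldomainname.be
 with esmtp (Exim 4.80.1) (envelope-from <subjugationor2@google.com>) id 1VGgfU-00069T-Td
From: <info@ourdomainname.be.be>
Return-Path: <subjugationor2@google.com>
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender) client-ip=201.240.25.78;

"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def hop_ips(raw):
    """Source IP of each Received: hop, earliest hop first (None when a hop has no 'from ... by' clause)."""
    ips = []
    for hop in reversed(message_from_string(raw).get_all("Received", [])):
        seg = re.search(r"\bfrom\b(.*?)\bby\b", hop, re.S)  # the 'from' clause names the sending host
        m = IPV4_RE.search(seg.group(1)) if seg else None
        ips.append(m.group(0) if m else None)
    return ips

def originating_ip(raw):
    """First hop with an internet-routable source IP: where the mail entered the public mail system."""
    return next((ip for ip in hop_ips(raw) if ip and ipaddress.ip_address(ip).is_global), None)

def triage(raw, own_domains, own_sending_ips=frozenset()):
    """Heuristic of this example (not a standard): 'spoofed' when From claims one of our domains,
    the mail entered the internet from an IP we do not send from, and SPF did not pass."""
    msg = message_from_string(raw)
    domain = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    from_dom, env_dom, origin = domain("From"), domain("Return-Path"), originating_ip(raw)
    spf = (msg.get("Received-SPF") or "none").split(None, 1)[0].lower()
    return {
        "origin_ip": origin, "from_domain": from_dom, "envelope_domain": env_dom, "spf": spf,
        "envelope_mismatch": from_dom != env_dom,
        "spoofed": from_dom in own_domains and origin not in own_sending_ips and spf != "pass",
    }
```

For the sample the origin resolves to 201.240.25.78 (an ISP client address outside the network) with SPF softfail and a Return-Path domain that does not match the From domain, which is the pattern of a spoofed sender rather than an internal infection.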
Benderama (asker):

Hello, I can't find any Event ID 1708.

So if the mails did not originate from inside the network, I guess one of our client PCs with our address list got infected and is sending out the spam?

The weird part is that it's really good spam; it really looks like legit mail and our spam filters are not seeing this as spam.

I guess I'll just tighten up the anti-spam software for a few days and see what happens.
Yes, if there is no Event ID 1708 then it is not from internal, would be my guess.

I would still update and scan all PCs anyway.

But you need to get your spam levels increased and message filters etc.

Is your mail spam-checked before it is collected via the POP3 connector on your server?

Any joy with this one, Benderama?