User getting spam

Hey everyone,
I have a user who keeps getting a large amount of spam sent to their junk mail folder, even though we have an external spam filtering service in place.  I checked it and the spam isn't passing through the external filter, so it must be coming from inside, but I can't figure out where.  It only seems to be one user.  Below is a printout of the header from one of the spam messages.  Can someone help me decipher it?

Received: from sprpc-21 (77.73.67.49) by EXCHANGE-SERVER.wheeler.local
 (192.168.1.70) with Microsoft SMTP Server id 14.2.298.4; Mon, 7 Oct 2013
 10:56:33 -0500
Received: (qmail 8105 by uid 766); Mon, 7 Oct 2013 15:59:53 -0600
From: Penis Growth Free trial <sepulchralamidst@lonelyplanet.com>
To: <User email address>
Subject: Give her the best action every night
Date: Mon, 7 Oct 2013 15:17:16 -0600
Message-ID: <001b01cec3a8$8da73270$a8f59750$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_001A_01CEC3A8.8DA73270"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acjidv3gem96AnxE4cHsDFziuhBKjA==
Content-Language: en-us
Return-Path: sepulchralamidst@lonelyplanet.com
X-MS-Exchange-Organization-AuthSource: EXCHANGE-SERVER.wheeler.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-TM-AS-Product-Ver: SMEX-10.5.0.1057-7.000.1014-20194.001
X-TM-AS-Result: Yes-92.229000-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXr^dE;1031550;0;This mail has
 been scanned by Trend Micro Messaging Security Agent;
X-MS-Exchange-Organization-SCL: 5
AremP asked:
Nick Rhode (IT Director) commented:
Depending on your spam filter you might have to increase his filter (if you can do it via email address).  We had a user that was getting 60,000 emails a day but only 25 were legitimate emails that made it through.  That is pretty crazy, so I made him change his email address so I could eventually filter out that email address.
0
AremP (Author) commented:
The weird part is that this spam isn't showing that it is coming through the spam filter (which is an external service we pay for).  The spam looks to be coming from outside the network, but it's not registering as coming from outside the network.

I'm trying to make sure nothing is relaying internally that's not supposed to be.
0
Nick Rhode (IT Director) commented:
He does not have any special rules in his filter to approve addresses or anything?  You could try scanning his system for infections:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/A_12285-Virus-Removal-Methods.html
0
piattnd commented:
See this link that parses the header:

http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=3f228448-8020-467b-ab61-9435cf5234c1

Pay particular attention to the "hop" number 2 where it was presumably received by your external server.  It looks to have originated from this host:

sprpc-21 77.73.67.49

Does message tracking within exchange show any trace for this message?
0
AremP (Author) commented:
I have been checking all of the IP addresses, and all of them are on blacklists, but it doesn't seem that the spam is being registered by the Exchange server or by our external spam filter.  If someone could please give me a more detailed explanation of the headers, that would be a lot of help.
0
piattnd commented:
Who is the spam filter provider you use?  Are you using an Edge Transport role Exchange server?  Do you have any domains specified as "safe senders" on either your Exchange 2010 spam level or your third-party spam level (presuming that's what you're referring to by "external spam filter")?
0
piattnd commented:
If it were me, I'd modify your firewall to only allow communication to your border Exchange server via the third-party mail filter.  If you allow any traffic to communicate, it's possible someone can capture your direct IP address for your edge and start sending spam directly to your edge rather than being forced to go through the external spam filter process.
0
AremP (Author) commented:
I am using GFI MailEssentials Cloud as my spam filter.  I am also using the anti-spam role built into Exchange 2010.  I do have domains set up as safe senders, but only a handful, and I checked the IP addresses of the spam coming in and they don't match the IP addresses of the safe senders.

Right now, internal email does not go through the spam filter; that stays on the intranet.  Is there a way to force all email to route through my external spam filtering service?
0
piattnd commented:
I wouldn't worry about internal mail traffic right now, focus on attacks from the outside.

Check your firewall settings to ensure you only allow SMTP communications to your border exchange server from your third party mail filter, otherwise people can bypass your third party mail filter, thus exposing yourself.

In the case of this particular spam, it originated from the outside (so it appears).  If you cannot see any evidence of this spam going through your spam filter provider, then it's very likely they didn't send it to your spam filter provider, they sent it directly to you (reference again the firewall adjustments to prevent this from happening).

Let's say that you were able to track the message back through your spam filter provider; you'd need to make sure it wasn't a case of email domain spoofing (where someone tricks the system into thinking the message was sent from a domain it really wasn't sent from).  The countermeasure for that attack is called SPF checking.  Essentially, domains around the world can opt to publish an SPF record that indicates which IP addresses mail from their domain can come from.  If someone is doing SPF checking on message receipt, it looks at those SPF records, and if the originating server IP doesn't match the record, it drops the message for failing the SPF check.

So what happens if you don't check SPF records?  Well, I can generate a mail from "someonecool@sometrusteddomain.com", where 'sometrusteddomain.com' is a domain you have set as a safe sender, and your filter system would send the message straight through for matching a safe domain.  If you aren't checking SPF records, look into enabling that feature through your third party mail filtering configuration.
0
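The diagnosis above (a message that reached the Exchange server from an IP other than the filter provider's relays) can be checked mechanically from the Received chain. The following is an added example, not code from the thread or from any product mentioned in it: it unfolds the posted header, finds the hop that delivered the message to the edge host, and flags it if the connecting IP is outside the filter provider's ranges. The relay range 203.0.113.0/24 is a placeholder (TEST-NET-3), not the real provider's addresses.

```python
import ipaddress
import re

# Sample input: the Received headers exactly as posted in the question.
SAMPLE_HEADERS = """Received: from sprpc-21 (77.73.67.49) by EXCHANGE-SERVER.wheeler.local
 (192.168.1.70) with Microsoft SMTP Server id 14.2.298.4; Mon, 7 Oct 2013
 10:56:33 -0500
Received: (qmail 8105 by uid 766); Mon, 7 Oct 2013 15:59:53 -0600
Return-Path: sepulchralamidst@lonelyplanet.com
"""

# Hypothetical relay ranges of the external spam-filter service (placeholder range).
FILTER_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]

# "from <helo> (<optional rdns> [<ip>]) by <host>", with or without brackets around the IP
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)")


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_hops(raw):
    """Return the Received header values, newest (topmost) first."""
    return [line[len("Received:"):].strip()
            for line in unfold(raw).splitlines() if line.startswith("Received:")]


def edge_delivery(raw, edge_host):
    """Return (helo_name, source_ip) for the hop that handed the message to edge_host."""
    for hop in received_hops(raw):
        m = HOP_RE.search(hop)
        if m and m.group(3).lower() == edge_host.lower():
            return m.group(1), ipaddress.ip_address(m.group(2))
    return None  # no parsable hop reached the edge


def bypassed_filter(raw, edge_host, relays=FILTER_RELAYS):
    """True if the edge accepted the message from an IP outside the filter relays."""
    hit = edge_delivery(raw, edge_host)
    if hit is None:
        return None
    return not any(hit[1] in net for net in relays)


if __name__ == "__main__":
    print(edge_delivery(SAMPLE_HEADERS, "EXCHANGE-SERVER.wheeler.local"))
    print("bypassed filter:", bypassed_filter(SAMPLE_HEADERS, "EXCHANGE-SERVER.wheeler.local"))
```

Run over a mailbox's junk folder, the same check separates mail that came through the provider from mail that hit port 25 on the edge directly, which is what the firewall change in this thread closes off.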
AremP (Author) commented:
I think that did it.  I think I was getting spammed from outside sources. Once I blocked all IP addresses from port 25 other than my external spam service provider, the spam stopped almost instantly.  Thanks for your help!
0
piattnd commented:
No worries, glad it worked out for you.  Good luck!
0