AremP

asked on

User getting spam

Hey everyone,
I have a user who keeps getting a large amount of spam sent to their junkmail folder, even though we have an external spam filtering service in place.  I checked it and the spam isn't passing through the external filter, so it must be coming from inside, but I can't figure out where.  It only seems to be one user.  Below is a print out of the header from one of the spam messages.  Can someone help me decipher it?

Received: from sprpc-21 (77.73.67.49) by EXCHANGE-SERVER.wheeler.local
 (192.168.1.70) with Microsoft SMTP Server id 14.2.298.4; Mon, 7 Oct 2013
 10:56:33 -0500
Received: (qmail 8105 by uid 766); Mon, 7 Oct 2013 15:59:53 -0600
From: Penis Growth Free trial <sepulchralamidst@lonelyplanet.com>
To: <User email address>
Subject: Give her the best action every night
Date: Mon, 7 Oct 2013 15:17:16 -0600
Message-ID: <001b01cec3a8$8da73270$a8f59750$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_001A_01CEC3A8.8DA73270"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acjidv3gem96AnxE4cHsDFziuhBKjA==
Content-Language: en-us
Return-Path: sepulchralamidst@lonelyplanet.com
X-MS-Exchange-Organization-AuthSource: EXCHANGE-SERVER.wheeler.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-TM-AS-Product-Ver: SMEX-10.5.0.1057-7.000.1014-20194.001
X-TM-AS-Result: Yes-92.229000-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXr^dE;1031550;0;This mail has
 been scanned by Trend Micro Messaging Security Agent;
X-MS-Exchange-Organization-SCL: 5
Nick Rhode

Depending on your spam filter you might have to increase his filter (if you can do it via email address).  We had a user that was getting 60,000 emails a day but only 25 were legitimate emails that made it through.  That is pretty crazy, so I made him change his email address so I could eventually filter out that email address.
AremP (asker)

The weird part is that those spam messages aren't showing that they are coming through the spam filter (which is an external service we pay for).  The spam looks to be coming from outside the network, but it's not registering as coming from outside the network.

I'm trying to make sure nothing is relaying internally that's not supposed to be.
He does not have any special rules in his filter to approve addresses or anything?  You could try scanning his system for infections:

https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/A_12285-Virus-Removal-Methods.html
piattnd

See this link that parses the header:

http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=3f228448-8020-467b-ab61-9435cf5234c1

Pay particular attention to the "hop" number 2 where it was presumably received by your external server.  It looks to have originated from this host:

sprpc-21 77.73.67.49

Does message tracking within exchange show any trace for this message?
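The hop check described above can be automated. The following script is an added example, not code from the thread or from any of the products it mentions: it parses the Received headers quoted in the question (trimmed to the relevant lines), finds the hop in which the organisation's own Exchange server accepted the message, and reports whether that hand-off came from one of the external spam filter's delivery relays or directly from an unknown Internet host. The filter relay range 203.0.113.0/24 is a placeholder (a documentation network); the real list of delivery addresses must come from the filtering provider.

```python
import ipaddress
import re
from email import message_from_string

# Sample input: the Received, AuthAs and SCL headers quoted in the question,
# with the other headers dropped. Folding (continuation) lines are kept as
# they appeared, since real headers arrive that way.
SAMPLE_HEADERS = (
    "Received: from sprpc-21 (77.73.67.49) by EXCHANGE-SERVER.wheeler.local\n"
    " (192.168.1.70) with Microsoft SMTP Server id 14.2.298.4; Mon, 7 Oct 2013\n"
    " 10:56:33 -0500\n"
    "Received: (qmail 8105 by uid 766); Mon, 7 Oct 2013 15:59:53 -0600\n"
    "X-MS-Exchange-Organization-AuthSource: EXCHANGE-SERVER.wheeler.local\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "X-MS-Exchange-Organization-SCL: 5\n"
    "\n"
)

# Placeholder for the spam-filtering service's outbound delivery relays.
# 203.0.113.0/24 is a documentation range; replace with the provider's list.
FILTER_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]

# Matches the "from <host> (<ip>) by <host>" form used by Exchange and most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw_headers):
    """Return the Received hops in delivery order (oldest hop first).

    Each hop is a dict with from_host, from_ip and by; hops that do not
    name a sending host (e.g. local injection such as the qmail line) keep
    the raw text so nothing is silently dropped.
    """
    msg = message_from_string(raw_headers)
    hops = []
    # Headers are prepended as the message travels, so the top one is newest.
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())
        m = RECEIVED_RE.search(unfolded)
        if m:
            hops.append({"from_host": m["host"], "from_ip": m["ip"], "by": m["by"]})
        else:
            hops.append({"from_host": None, "from_ip": None, "by": None, "raw": unfolded})
    return hops


def handoff_to_server(raw_headers, server_name):
    """Return the IP from which our own server accepted the message, or None."""
    for hop in received_hops(raw_headers):
        if hop["by"] and hop["by"].lower() == server_name.lower():
            return hop["from_ip"]
    return None


def auth_as(raw_headers):
    """Exchange's record of how the submitting session authenticated
    ('Anonymous' means an unauthenticated SMTP connection)."""
    return message_from_string(raw_headers).get("X-MS-Exchange-Organization-AuthAs")


def bypassed_filter(raw_headers, server_name, filter_relays):
    """True if our server took the message straight from an address that is
    not one of the external filter's relays; None if the hop was not found."""
    ip = handoff_to_server(raw_headers, server_name)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in filter_relays)


if __name__ == "__main__":
    server = "EXCHANGE-SERVER.wheeler.local"
    for i, hop in enumerate(received_hops(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop}")
    print("accepted from:", handoff_to_server(SAMPLE_HEADERS, server))
    print("session auth:", auth_as(SAMPLE_HEADERS))
    print("bypassed filter:", bypassed_filter(SAMPLE_HEADERS, server, FILTER_RELAYS))
```

On the quoted header the script reports that EXCHANGE-SERVER.wheeler.local accepted the message directly from 77.73.67.49 over an anonymous session, i.e. the message never passed through the filtering service. Run over a mailbox export, the same check separates messages that took the expected path (filter relay to Exchange) from those delivered straight to the server, which is the evidence needed before restricting inbound SMTP to the provider's addresses.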
AremP (asker)

I have been checking all of the IP addresses, and all of them are on blacklists, but it doesn't seem that the spam is being registered by the Exchange server or by our external spam filter.  If someone could please give me a more detailed explanation of the headers, that would be a lot of help.
Who is the spam filter provider you use?  Are you using an edge transport role Exchange server?  Do you have any domains specified as "safe senders" on either your Exchange 2010 spam level or your third-party spam level (presuming that's what you're referring to by "external spam filter")?
If it were me, I'd modify your firewall to allow communication to your border Exchange server only via the third-party mail filter.  If you allow any traffic to communicate, it's possible someone can capture your direct IP address for your edge and start sending spam directly to your edge rather than forcing everything to go through the external spam filter process.
AremP (asker)

I am using GFI Mail Essentials Cloud as my spam filter.  I am also using the anti-spam role built into Exchange 2010.  I do have domains setup as safe senders, but only a handful, and I checked the IP addresses of the spam coming in and they don't match with the IP addresses of the safe senders.

Right now, all internal email does not go through the spam filter; that stays on the intranet.  Is there a way to force all email to route through my external spam filtering service?
ASKER CERTIFIED SOLUTION
piattnd

This solution is only available to members of Experts Exchange.
AremP (asker)

I think that did it.  I think I was getting spammed from outside sources. Once I blocked all IP addresses from port 25 other than my external spam service provider, the spam stopped almost instantly.  Thanks for your help!
No worries, glad it worked out for you.  Good luck!