email spoofing - help

Posted on 2013-10-16
Medium Priority
Last Modified: 2013-11-11
It appears someone is spoofing our email; our CSR department received a lot of out-of-office replies from people we don't know or work with. After some investigation, the actual email that sent it isn't one of ours but looks like it, until you look at the headers and see that it belongs to a company in Texas. I contacted that company and they told me that the person who owned that email isn't employed there now. I advised them to remove that box and look at the rest of the PCs on their network.

What else can I do?
Question by: BMI-IT
LVL 10

Expert Comment

ID: 39577421
When you look at the header, what is the public IP of the email server which generated and sent the email? That server has an open relay that should be taken care of.
LVL 37

Expert Comment

ID: 39577467
For me it seems like an error caused by that person's typo. Once his/her mailbox is removed from their server, the issue should be fixed.

Normally, spoofing emails do not work that way, as the email address is commonly fake and its real contact info can't be simply traced back by the email address. Your case does not look like that.

Author Comment

ID: 39577591
Thanks guys, we use an AV/spam service (MessageLabs) and have informed them of the issue, as the bounce backs are being filtered by the MessageLabs vendor. It appears to have stopped for now, so hopefully the offending company has killed that mailbox.

Author Comment

ID: 39597344
Just an update: still getting the bouncebacks intermittently. We are not seeing the original message, just the out-of-office replies that come back to us.

Still at a loss over this.
LVL 37

Expert Comment

ID: 39597402
Are you able to post the mail header of one of the typical out-of-office replies?

Author Comment

ID: 39597452
Here you go,

this is from a bounce back from someone who was sent the original message; it came back to us.

MessageLabs is our spam/AV vendor; all email coming in is checked by them.

Michelle Rodriguez <mrodriguez@lillypulitzer.com> is where the bounce back came from,

and the CSR address is us.

So the CSR dept isn't bothered by this, I made a rule that any message with "flaunt" in the subject gets redirected to our spam box. That way I can also keep track.

Received: from mail6.bemta8.messagelabs.com ( by exchange
 ( with Microsoft SMTP Server (TLS) id 14.1.355.2; Wed, 23 Oct
 2013 16:51:55 -0400
Return-Path: <>
Received: from [] by server-10.bemta-8.messagelabs.com id
 F0/DE-02749-BE638625; Wed, 23 Oct 2013 20:51:55 +0000
X-Msg-Ref: server-3.tower-37.messagelabs.com!1382561514!408726!1
X-Originating-IP: []
X-SpamReason: No, hits=0.6 required=7.0 tests=HTML_90_100,HTML_MESSAGE
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31549 invoked from network); 23 Oct 2013 20:51:54 -0000
Received: from mail-bl2lp0204.outbound.protection.outlook.com (HELO
 na01-bl2-obe.outbound.protection.outlook.com) (  by
 server-3.tower-37.messagelabs.com with AES128-SHA encrypted SMTP; 23 Oct 2013
 20:51:54 -0000
Received: from BY2PR06MB138.namprd06.prod.outlook.com ( by
 BY2PR06MB139.namprd06.prod.outlook.com ( with Microsoft SMTP
 Server (TLS) id 15.0.785.10; Wed, 23 Oct 2013 20:51:47 +0000
Received: from BY2PR06MB138.namprd06.prod.outlook.com ([]) by
 BY2PR06MB138.namprd06.prod.outlook.com ([]) with Microsoft SMTP
 Server id 15.00.0785.001; Wed, 23 Oct 2013 20:51:46 +0000
From: Michelle Rodriguez <mrodriguez@lillypulitzer.com>
To: "csr@bigmountain.com" <csr@designs.com>
Subject: Automatic reply: [MARKETING] designs: If You Got It
 ... Flaunt It.
Thread-Topic: [MARKETING] designs: If You Got It ... Flaunt It.
Thread-Index: AQHO0DGvVeUWxq23GkeIliwhrShiY5oCwv2Y
Date: Wed, 23 Oct 2013 20:51:46 +0000
Message-ID: <4c6337e1b7064d84911594256b8bf818@BY2PR06MB138.namprd06.prod.outlook.com>
References: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
In-Reply-To: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
X-Auto-Response-Suppress: All
X-MS-Exchange-Inbox-Rules-Loop: mrodriguez@lillypulitzer.com
x-ms-exchange-parent-message-id: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
auto-submitted: auto-generated
x-ms-exchange-generated-message-source: Mailbox Rules Agent
x-forefront-prvs: 000800954F
x-forefront-antispam-report: SFV:NSPM;SFS:(504944002)(189002)(199002)(152014003)(16236675002)(76796001)(81686001)(54316002)(76786001)(74316001)(33646001)(74662001)(83072001)(65816001)(74502001)(31966008)(47446002)(19300405004)(15202345003)(42382001)(80976001)(19580395003)(83322001)(85306002)(80022001)(56776001)(74366001)(78352001)(69226001)(558084003)(15975445006)(74706001)(81342001)(81816001)(81542001)(74876001)(46102001)(53806001)(54356001)(4396001)(49866001)(47736001)(56816003)(77982001)(59766001)(76482001)(50986001)(47976001)(79102001)(76576001)(51856001)(63696002)(46342001)(24736002);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR06MB139;H:BY2PR06MB138.namprd06.prod.outlook.com;CLIP:;FPR:;RD:InfoNoRecords;MX:0;A:0;LANG:en;
Content-Type: multipart/alternative;
MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: Exchange.SOA.com
X-MS-Exchange-Organization-AuthAs: Anonymous
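
Added example, not part of the original thread or any poster's code: a short Python triage of the headers posted above. It confirms the message is an automatic reply (Auto-Submitted, null Return-Path) and pulls the host from the In-Reply-To Message-ID, which points at the system that issued the original message's ID. Function names are hypothetical; the sample is a subset of the posted header lines.

```python
import re
from email import message_from_string

# Constructed sample: a subset of the header lines posted above, values unchanged.
SAMPLE = """\
Return-Path: <>
From: Michelle Rodriguez <mrodriguez@lillypulitzer.com>
Subject: Automatic reply: [MARKETING] designs: If You Got It
 ... Flaunt It.
In-Reply-To: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
auto-submitted: auto-generated

"""

# Message-ID syntax is <left@right>; the right side is normally the host that
# generated the ID. It is a hint about the sending system, not proof of it.
MSG_ID = re.compile(r"<[^<>@\s]+@([^<>\s]+)>")


def is_auto_reply(msg):
    """RFC 3834: any Auto-Submitted value other than 'no' marks automatic mail."""
    value = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    return value != "no"


def original_id_host(msg):
    """Host part of the Message-ID this reply answers, or None if absent."""
    for name in ("In-Reply-To", "References"):
        match = MSG_ID.search(msg.get(name) or "")
        if match:
            return match.group(1).lower()
    return None


def triage(raw_headers):
    """Summarise one returned message for backscatter triage."""
    msg = message_from_string(raw_headers)
    return {
        "auto_reply": is_auto_reply(msg),
        # Auto-replies and bounces commonly use an empty envelope sender to avoid loops.
        "null_return_path": (msg.get("Return-Path") or "").strip() == "<>",
        "original_id_host": original_id_host(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
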
LVL 37

Accepted Solution

bbao earned 2000 total points
ID: 39598403
mrodriguez@lillypulitzer.com seems to be a valid email address, and using Google search you can see the person's contact information in several PDF files.

This kind of marketing email address normally will not be deleted even if the person has left the company; someone at the company should be monitoring its emails.

Author Closing Comment

ID: 39639638
LVL 37

Expert Comment

ID: 39640601
some details please?

thanks for your grade and points.


Question has a verified solution.
