email spoofing - help

It appears someone is spoofing our email. Our CSR department received a lot of out-of-office replies from people we don't know or work with. After some investigation, the actual email that sent it isn't one of ours but looks like it, until you look at the headers and see that it belongs to a company in Texas. I contacted that company and they told me that the person who owned that email isn't employed there now. I advised them to remove that box and look at the rest of the PCs on their network.

What else can I do?
BMI-ITAsked:

akhalighiCommented:
When you look at the header, what is the public IP of the email server which generated and sent the email? That server has an open relay that should be taken care of.
0
bbaoIT ConsultantCommented:
For me it seems like an error caused by that person's typo. Once his/her mailbox is removed from their server, the issue should be fixed.

Normally, spoofing emails do not work that way, as the email address is commonly fake and the real contact info can't simply be traced back from the email address. Your case does not look like that.
0
BMI-ITAuthor Commented:
Thanks guys, we use an AV/spam service (Message Labs) and have informed them of the issue, as the bounce backs are being filtered by the Message Labs vendor. It appears to have stopped for now, so hopefully the offending company has killed that mailbox.
0

BMI-ITAuthor Commented:
Just an update: still getting the bouncebacks intermittently. We are not seeing the original message, just the out-of-office replies that come back to us.

Still at a loss over this.
0
bbaoIT ConsultantCommented:
are you able to post the mail header of one of the typical out-of-office replies?
0
BMI-ITAuthor Commented:
Here you go,

this is from a bounce back from someone who was sent the original message, and it came back to us.

Message Labs is our spam/AV vendor; all email coming in is checked by them.

Michelle Rodriguez <mrodriguez@lillypulitzer.com> is where the bounce back came from

and the CSR address is us.

So the CSR dept isn't bothered by this, I made a rule that any message with "flaunt" in the subject gets redirected to our spam box. That way I can also keep track.


Received: from mail6.bemta8.messagelabs.com (216.82.243.55) by exchange
 (192.168.1.12) with Microsoft SMTP Server (TLS) id 14.1.355.2; Wed, 23 Oct
 2013 16:51:55 -0400
Return-Path: <>
Received: from [216.82.241.83:14497] by server-10.bemta-8.messagelabs.com id
 F0/DE-02749-BE638625; Wed, 23 Oct 2013 20:51:55 +0000
X-Msg-Ref: server-3.tower-37.messagelabs.com!1382561514!408726!1
X-Originating-IP: [207.46.163.204]
X-SpamReason: No, hits=0.6 required=7.0 tests=HTML_90_100,HTML_MESSAGE
X-StarScan-Received:
X-StarScan-Version: 6.9.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31549 invoked from network); 23 Oct 2013 20:51:54 -0000
Received: from mail-bl2lp0204.outbound.protection.outlook.com (HELO
 na01-bl2-obe.outbound.protection.outlook.com) (207.46.163.204)  by
 server-3.tower-37.messagelabs.com with AES128-SHA encrypted SMTP; 23 Oct 2013
 20:51:54 -0000
Received: from BY2PR06MB138.namprd06.prod.outlook.com (10.242.47.150) by
 BY2PR06MB139.namprd06.prod.outlook.com (10.242.47.151) with Microsoft SMTP
 Server (TLS) id 15.0.785.10; Wed, 23 Oct 2013 20:51:47 +0000
Received: from BY2PR06MB138.namprd06.prod.outlook.com ([127.0.0.1]) by
 BY2PR06MB138.namprd06.prod.outlook.com ([169.254.8.7]) with Microsoft SMTP
 Server id 15.00.0785.001; Wed, 23 Oct 2013 20:51:46 +0000
From: Michelle Rodriguez <mrodriguez@lillypulitzer.com>
To: "csr@bigmountain.com" <csr@designs.com>
Subject: Automatic reply: [MARKETING] designs: If You Got It
 ... Flaunt It.
Thread-Topic: [MARKETING] designs: If You Got It ... Flaunt It.
Thread-Index: AQHO0DGvVeUWxq23GkeIliwhrShiY5oCwv2Y
Date: Wed, 23 Oct 2013 20:51:46 +0000
Message-ID: <4c6337e1b7064d84911594256b8bf818@BY2PR06MB138.namprd06.prod.outlook.com>
References: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
In-Reply-To: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
X-MS-Has-Attach:
X-Auto-Response-Suppress: All
X-MS-Exchange-Inbox-Rules-Loop: mrodriguez@lillypulitzer.com
X-MS-TNEF-Correlator:
x-ms-exchange-parent-message-id: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
auto-submitted: auto-generated
x-ms-exchange-generated-message-source: Mailbox Rules Agent
x-forefront-prvs: 000800954F
x-forefront-antispam-report: SFV:NSPM;SFS:(504944002)(189002)(199002)(152014003)(16236675002)(76796001)(81686001)(54316002)(76786001)(74316001)(33646001)(74662001)(83072001)(65816001)(74502001)(31966008)(47446002)(19300405004)(15202345003)(42382001)(80976001)(19580395003)(83322001)(85306002)(80022001)(56776001)(74366001)(78352001)(69226001)(558084003)(15975445006)(74706001)(81342001)(81816001)(81542001)(74876001)(46102001)(53806001)(54356001)(4396001)(49866001)(47736001)(56816003)(77982001)(59766001)(76482001)(50986001)(47976001)(79102001)(76576001)(51856001)(63696002)(46342001)(24736002);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR06MB139;H:BY2PR06MB138.namprd06.prod.outlook.com;CLIP:10.242.47.150;FPR:;RD:InfoNoRecords;MX:0;A:0;LANG:en;
Content-Type: multipart/alternative;
      boundary="_000_4c6337e1b7064d84911594256b8bf818BY2PR06MB138namprd06pro_"
MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: Exchange.SOA.com
X-MS-Exchange-Organization-AuthAs: Anonymous
0
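Added example (not part of any post in this thread): a short Python triage of the headers posted above. It checks the auto-reply markers (`Auto-Submitted`, null `Return-Path`) and pulls the host out of the `In-Reply-To` Message-ID, which by convention names the system that generated the message that triggered the reply. The function name `triage_autoreply` and the header excerpt in `SAMPLE` are choices made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Excerpt of the headers posted above (most Received/X- lines omitted).
SAMPLE = """\
Return-Path: <>
Received: from mail-bl2lp0204.outbound.protection.outlook.com (HELO
 na01-bl2-obe.outbound.protection.outlook.com) (207.46.163.204)  by
 server-3.tower-37.messagelabs.com with AES128-SHA encrypted SMTP; 23 Oct 2013
 20:51:54 -0000
From: Michelle Rodriguez <mrodriguez@lillypulitzer.com>
To: "csr@bigmountain.com" <csr@designs.com>
Subject: Automatic reply: [MARKETING] designs: If You Got It
 ... Flaunt It.
In-Reply-To: <LYRIS-420254679-5439921-2013.10.23-14.51.44--mrodriguez#lillypulitzer.com@rs1.netatlantic.com>
X-Auto-Response-Suppress: All
auto-submitted: auto-generated
"""

def triage_autoreply(raw):
    """Summarise whether a message is an auto-reply and what triggered it."""
    msg = message_from_string(raw)
    # RFC 3834: any Auto-Submitted value other than "no" marks automatic mail.
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    # Auto-replies and bounces normally carry an empty envelope sender.
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    # In-Reply-To holds the Message-ID of the triggering mail; the part after
    # "@" is, by convention only, the host that generated that mail.
    parent = (msg.get("In-Reply-To") or "").strip().strip("<>")
    origin_host = parent.rsplit("@", 1)[1] if "@" in parent else None
    # Received headers are prepended per hop, so this list is newest-first.
    hops = []
    for r in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", " ".join(r.split()))
        if m:
            hops.append(m.group(1))
    return {
        "auto_reply": auto,
        "null_return_path": null_sender,
        "replier": parseaddr(msg.get("From", ""))[1],
        "replied_to": parseaddr(msg.get("To", ""))[1],
        "trigger_message_id": parent,
        "trigger_origin_host": origin_host,
        "hops_newest_first": hops,
    }
```

Running `triage_autoreply(SAMPLE)` reports an auto-generated reply addressed to `csr@designs.com` whose triggering Message-ID was issued by `rs1.netatlantic.com`; the original message itself is not in the thread, so its own headers would still be needed to confirm the sender.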
bbaoIT ConsultantCommented:
mrodriguez@lillypulitzer.com seems to be a valid email address, and using Google search you can see the person's contact information in several PDF files.

This kind of marketing email address normally will not be deleted even if the person has left the company; someone at the company should be monitoring its emails.
0

BMI-ITAuthor Commented:
Resolved.
0
bbaoIT ConsultantCommented:
Some details please?

Thanks for your grade and points.
0