• Status: Solved

Lots of email phishing attempts on network all of a sudden? Exchange 2010

Hello. Other than the normal: making sure we have AV and spam filtering internally, but also a service that checks incoming mail prior to hitting our server. Possibly installing the Exchange antispam filter/script (I have to read up on this). What else can be done to combat all of a sudden lots of phishing emails? Trying to also figure out where they're coming from. Of course we have the numerous mobile devices syncing with Exchange willy-nilly.

Advice/feedback/ Tips & tricks/ bullet list of Troubleshooting tips?  

Thx
Asked:
dee30
 
Simon Butler (Sembee), Consultant, commented:
Most phishing will come from outside; it is unusual for it to be internal. You need to look at the headers of one of them to see where the source is and verify if it is coming from outside or not.
If it is, and you have an external host doing the scanning, then they aren't doing a very good job! Phishing should be picked up by most antispam services without any problems.

Simon.
 
dee30 (Author) commented:
I hear you, but any time I try to look at the header I see nothing. Over the last week I've tried 3-4 of these: get users to email them to me, look up the header, and no luck seeing header info in the ORIGINAL email. I thought the same about the McAfee SaaS missing it. The emails have zip attachments and look like they're coming from our domain, but they aren't.
 
Simon Butler (Sembee), Consultant, commented:
If they are sending you the email (hitting forward) then the header information is lost.
For you to see the headers you need to either:

a. open the original message.
b. get the end user to drag and drop the email into a new email (so it is attached) and send that. You should then be able to see the header information.

Simon.
 
dee30 (Author) commented:
Simon, yes, I know this. I thought I emphasized original email in my reply. That said, I went back and figured out why I couldn't see the original header in stupid Office 2010: b/c the ribbon's other options header info doesn't do what I'm used to. I have to go into Properties from the File menu, a bazillion steps away. I see where the email gets through the external filtering company with soft filters and exempt from spam, and originating from 206.19.214.16. Who is referencing Cali, I think, but no other info, and it's been blacklisted on three spam sites.
 
Simon Butler (Sembee), Consultant, commented:
First - to get to the headers quickly, press the tiny little arrow under Tags when you have the message open - that will show you the headers quickly.

If the email is coming from outside then it should be caught by the external filtering company. You should be challenging them as to why it isn't, particularly if the originator is already blacklisted. By the time it gets to your server it is too late really. The most effective filtering system is host based, but you have to be the primary receiver for that, coming in via another host doesn't work. On your server you are limited to content based filtering, and those are easily fooled and you will catch legitimate email. Only if they have an attachment can you catch them with an AV product. Otherwise content based scanning is too unreliable.

Simon.
 
dee30 (Author) commented:
Still no go on a shorter way to navigate to header info in Office 2010.

Below is an example of a header from yet another one from this a.m., though, in case you want to comment. I replaced our company-specific info with generic references:

Received: from p01c12m093.mxlogic.net (208.65.145.247) by ouremailserver.ourdomainname.local
 (Our Internal Exch2010 IP) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 25 Oct
 2013 10:57:56 -0400
Authentication-Results: p01c12m093.mxlogic.net; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18])      by
 p01c12m093.mxlogic.net(mxl_mta-7.1.0-4)      with ESMTP id
 0f68a625.0.10877375.00-2048.16066773.p01c12m093.mxlogic.net (envelope-from
 <audition6@surewest.com>);      Fri, 25 Oct 2013 08:57:52 -0600 (MDT)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp id 1rqLaL-000M6-00 for allens@ourdomainname.com; Fri, 25
 Oct 2013 09:57:52 -0500
Message-ID: <526A86AC.0070608@ourdomainname.com>
Date: Fri, 25 Oct 2013 09:57:52 -0500
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <allens@ourdomainname.com>
Subject: Past Due Invoices
Content-Type: multipart/mixed;
      boundary="----=_Part_63453_8955056994.5838701364040"
X-Spam: Not detected
X-Mras: Ok
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-MAIL-FROM: <audition6@surewest.com>
X-SOURCE-IP: [173.227.221.18]
X-Spam: exempt
Return-Path: audition6@surewest.com
X-MS-Exchange-Organization-AuthSource: ouremailservername.ourdomainname.local
X-MS-Exchange-Organization-AuthAs: Anonymous
 
Simon Butler (Sembee), Consultant, commented:
I don't know what you are doing by being unable to access the header information quickly.

This is the method I mean:
http://blogs.technet.com/b/exchange/archive/2011/03/23/hey-outlook-2010-where-are-my-message-headers.aspx

This is your problem:
X-Spam: exempt

The support site has this to say on that field:
https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=27

Looks to me like your settings at MX Logic need to be reviewed.

Check the other spoofed messages, see if they have the same header on them.

Simon.
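
As an added example (not part of the thread and not McAfee/MX Logic tooling), this Python script runs the checks from the answer above over the header dee30 posted, so the same test can be repeated on the other spoofed messages. Reading X-AcceptDeny as the filter's record of the allow rule that matched is an assumption based on its field names, and the check names are made up for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header from the thread; Received lines shortened, domain already anonymised.
SAMPLE = """\
Received: from p01c12m093.mxlogic.net (208.65.145.247) by
 ouremailserver.ourdomainname.local with Microsoft SMTP Server (TLS)
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18]) by
 p01c12m093.mxlogic.net (envelope-from <audition6@surewest.com>)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp for allens@ourdomainname.com
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
X-Spam: Not detected
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-Spam: exempt
Return-Path: audition6@surewest.com
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def relay_ips(raw):
    """First IP in each Received header, hop nearest the mailbox first."""
    hits = (IP.search(h) for h in message_from_string(raw).get_all("Received", []))
    return [m.group() for m in hits if m]

def spoof_indicators(raw, own_domain):
    """Names of the checks that fire for a message claiming to be from own_domain."""
    msg, found = message_from_string(raw), []
    if domain(msg["From"]) != own_domain:
        return found  # not claiming to be internal, nothing to compare
    if domain(msg["Return-Path"]) != own_domain:
        found.append("envelope_sender_external")
    if (msg["X-MS-Exchange-Organization-AuthAs"] or "").strip().lower() == "anonymous":
        found.append("unauthenticated_submission")
    if any(v.strip().lower() == "exempt" for v in msg.get_all("X-Spam", [])):
        found.append("filter_exempt")
    rule = dict(p.strip().split("=", 1) for p in (msg["X-AcceptDeny"] or "").split(",") if "=" in p)
    if rule.get("action") == "allow" and rule.get("pattern", "").lower().endswith("@" + own_domain):
        found.append("allow_rule_matches_own_domain")
    if (msg["Received-SPF"] or "").strip().lower() == "none":
        found.append("no_spf_result")
    return found
```

All five checks fire on the posted header: the From line claims the internal domain while the envelope sender, the anonymous submission and the relay chain all point outside, and the filter still marked the message exempt.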
 
dee30 (Author) commented:
Simon, YOU ARE THE MAN... I swear I looked all in the toolbars for an option, and other than the 'email header' I added to a new group in the email's menu, which didn't work, I wasn't identifying that shortcut. THANK YOU! So, that said, yes, to my email to mxL that is all they said: 'something in your filters' you need to look at. Nothing else on a specific area/thing, or assistance in finding the setting etc., was forthcoming... I'm in working on that today with no freaking salesman around in my building. Had to throw that last unrelated bit in there; peace and quiet... lol  Thx