Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Lot of email phishing attemps on network all the sudden?  Exchagne 2010

Posted on 2013-10-22
8
Medium Priority
?
493 Views
Last Modified: 2013-10-29
Hello other than the normail making sure we have AV, Spam filtering interally but also a service that check incoming mail prior to hitting our server.   Possibly installing the exchange antspam filter/script(i  have to read up on this).   What else can be done to combat all the sudden lots of phishing emails?  Trying to also figure out where theyre coming from?  Of course we have the numerous mobile devices sycing with exchange willy nilly.

Advice/feedback/ Tips & tricks/ bullet list of Troubleshooting tips?  

Thx
0
Comment
Question by:dee30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39591504
Most phishing will come from outside, unusual for internal. You need to look at the headers of one of them to see where the source is and verify if it is coming from outside or not.
If it is, and you have an external host doing the scanning, then they aren't doing a very good job! Phishing should be picked up my most antispam services without any problems.

Simon.
0
 

Author Comment

by:dee30
ID: 39591539
I hear you but any time i try to look at header i see nothing.   Over the last week I've tried 3-4 of these get users to email them to me lookup header and no luck seeing header info in ORIGINAL email.  I thought the same about the mcafeeSAAS missing it.  The emails have zip attachments and look like coming from our domain but they aren't.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39591715
If they are sending you the email (hitting forward) then the header information is lost.
For you to see the headers you need to either

a. open the original message.
b. get the end user to drag and drop the email in to a new email (so it is attached) and send that. You should then be able to see the header information.

Simon.
0
Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

 

Author Comment

by:dee30
ID: 39594216
Simon, yes I know this.. i thought i emphasized original email in my reply.  That said went back and figured out why couldn't see original header ins stupid office 2010 b/c ribbon other options header info doesn't do what I'm used to.  I have to go into properties from file/menu a bizillion steps away.   See where email gets through external filtering company with soft filers and exempt from spam and originating 206.19.214.16. Who is referencing cali i think but no other info and it's been blacklisted on three spam sites.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39599731
First - to get to the headers quickly, press the tiny little arrow under Tags when you have the message open - that will show you the headers quickly.

If the email is coming from outside then it should be caught by the external filtering company. You should be challenging them as to why it isn't, particularly if the originator is already blacklisted. By the time it gets to your server it is too late really. The most effective filtering system is host based, but you have to be the primary receiver for that, coming in via another host doesn't work. On your server you are limited to content based filtering, and those are easily fooled and you will catch legitimate email. Only if they have an attachment can you catch them with an AV product. Otherwise content based scanning is too unreliable.

Simon.
0
 

Author Comment

by:dee30
ID: 39601035
still no go on a shorter way to nav to header info in office 2010.

Below is an example of header from yet another one from  this a.m. though incase you want to comment.  I replaced our company specific info with genericreferences:

Received: from p01c12m093.mxlogic.net (208.65.145.247) by ouremailserver.ourdomainname.local
 (Our Internal Exch2010 IP) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 25 Oct
 2013 10:57:56 -0400
Authentication-Results: p01c12m093.mxlogic.net; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18])      by
 p01c12m093.mxlogic.net(mxl_mta-7.1.0-4)      with ESMTP id
 0f68a625.0.10877375.00-2048.16066773.p01c12m093.mxlogic.net (envelope-from
 <audition6@surewest.com>);      Fri, 25 Oct 2013 08:57:52 -0600 (MDT)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp id 1rqLaL-000M6-00 for allens@ourdomainname.com; Fri, 25
 Oct 2013 09:57:52 -0500
Message-ID: <526A86AC.0070608@ourdomainname.com>
Date: Fri, 25 Oct 2013 09:57:52 -0500
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <allens@ourdomainname.com>
Subject: Past Due Invoices
Content-Type: multipart/mixed;
      boundary="----=_Part_63453_8955056994.5838701364040"
X-Spam: Not detected
X-Mras: Ok
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-MAIL-FROM: <audition6@surewest.com>
X-SOURCE-IP: [173.227.221.18]
X-Spam: exempt
Return-Path: audition6@surewest.com
X-MS-Exchange-Organization-AuthSource: ouremailservername.ourdomainname.local
X-MS-Exchange-Organization-AuthAs: Anonymous
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39601518
I don't know what you are doing by being unable to access the header information quickly.

This is the method I mean:
http://blogs.technet.com/b/exchange/archive/2011/03/23/hey-outlook-2010-where-are-my-message-headers.aspx

This is your problem:
X-Spam: exempt

The support site has this to say on that field:
https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=27

Looks to me like your settings at MX Logic need to be reviewed.

Check the other spoofed messages, see if they have the same header on them.

Simon.
0
 

Author Comment

by:dee30
ID: 39603924
Simon, YOU ARE THE MAN... I swear I looked all in tool bars for an option and other than the 'email header' i added to a new group in emails menu, that didn't work, I wasn't identifying that shortcut.  THANK YOU!   So, that said, yes to my email to mxL that is all they said 'something in your filters' you need to look at.  Nothings else on specific area/thing or assistance in finding the setting/etc was forthcoming... I'm in working on that today with no freaking salesman around in my building. Had to throw that last unrelated bit in there; peace and quite... lol  Thx
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question