Solved

Lot of email phishing attempts on network all of a sudden? Exchange 2010

Posted on 2013-10-22
8
439 Views
Last Modified: 2013-10-29
Hello. Other than the normal: making sure we have AV and spam filtering internally, but also a service that checks incoming mail prior to hitting our server. Possibly installing the Exchange antispam filter/script (I have to read up on this). What else can be done to combat all of a sudden lots of phishing emails? Trying to also figure out where they're coming from. Of course we have the numerous mobile devices syncing with Exchange willy-nilly.

Advice/feedback/tips & tricks/bullet list of troubleshooting tips?

Thx
0
Question by:dee30
8 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Most phishing will come from outside; it is unusual for it to be internal. You need to look at the headers of one of them to see where the source is and verify whether it is coming from outside or not.
If it is, and you have an external host doing the scanning, then they aren't doing a very good job! Phishing should be picked up by most antispam services without any problems.

Simon.
0
 

Author Comment

by:dee30
I hear you, but any time I try to look at the header I see nothing. Over the last week I've tried 3-4 of these: get users to email them to me, look up the header, and no luck seeing header info in the ORIGINAL email. I thought the same about McAfee SaaS missing it. The emails have zip attachments and look like they're coming from our domain, but they aren't.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
If they are sending you the email (hitting forward), then the header information is lost.
For you to see the headers you need to either

a. open the original message, or
b. get the end user to drag and drop the email into a new email (so it is attached) and send that. You should then be able to see the header information.

Simon.
0
 

Author Comment

by:dee30
Simon, yes, I know this; I thought I emphasized the original email in my reply. That said, I went back and figured out why I couldn't see the original header: in stupid Office 2010, because the ribbon's "other options / header info" doesn't do what I'm used to. I have to go into Properties from the File menu, a bazillion steps away. I see where the email gets through the external filtering company with soft filters and exempt from spam, originating from 206.19.214.16, which is referencing Cali I think, but no other info, and it's been blacklisted on three spam sites.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
First - to get to the headers quickly, press the tiny little arrow under Tags when you have the message open; that will show you the headers quickly.

If the email is coming from outside, then it should be caught by the external filtering company. You should be challenging them as to why it isn't, particularly if the originator is already blacklisted. By the time it gets to your server it is too late, really. The most effective filtering system is host based, but you have to be the primary receiver for that; coming in via another host doesn't work. On your server you are limited to content-based filtering, and those are easily fooled and you will catch legitimate email. Only if they have an attachment can you catch them with an AV product. Otherwise content-based scanning is too unreliable.

Simon.
0
 

Author Comment

by:dee30
Still no go on a shorter way to navigate to header info in Office 2010.

Below is an example of a header from yet another one from this a.m., in case you want to comment. I replaced our company-specific info with generic references:

Received: from p01c12m093.mxlogic.net (208.65.145.247) by ouremailserver.ourdomainname.local
 (Our Internal Exch2010 IP) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 25 Oct
 2013 10:57:56 -0400
Authentication-Results: p01c12m093.mxlogic.net; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18])      by
 p01c12m093.mxlogic.net(mxl_mta-7.1.0-4)      with ESMTP id
 0f68a625.0.10877375.00-2048.16066773.p01c12m093.mxlogic.net (envelope-from
 <audition6@surewest.com>);      Fri, 25 Oct 2013 08:57:52 -0600 (MDT)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp id 1rqLaL-000M6-00 for allens@ourdomainname.com; Fri, 25
 Oct 2013 09:57:52 -0500
Message-ID: <526A86AC.0070608@ourdomainname.com>
Date: Fri, 25 Oct 2013 09:57:52 -0500
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <allens@ourdomainname.com>
Subject: Past Due Invoices
Content-Type: multipart/mixed;
      boundary="----=_Part_63453_8955056994.5838701364040"
X-Spam: Not detected
X-Mras: Ok
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-MAIL-FROM: <audition6@surewest.com>
X-SOURCE-IP: [173.227.221.18]
X-Spam: exempt
Return-Path: audition6@surewest.com
X-MS-Exchange-Organization-AuthSource: ouremailservername.ourdomainname.local
X-MS-Exchange-Organization-AuthAs: Anonymous
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
I don't know what you are doing to be unable to access the header information quickly.

This is the method I mean:
http://blogs.technet.com/b/exchange/archive/2011/03/23/hey-outlook-2010-where-are-my-message-headers.aspx

This is your problem:
X-Spam: exempt

The support site has this to say on that field:
https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=27

Looks to me like your settings at MX Logic need to be reviewed.

Check the other spoofed messages, see if they have the same header on them.

Simon.
0
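As an added illustration (this is not code from the thread or from McAfee/MX Logic), the following Python script does what Simon describes, on the header dee30 posted above. It walks the Received chain from our side outward, believes only the hops stamped by our own Exchange server or the MX Logic relay, and reports the first external handoff as the origin; it then names the indicators visible in that header: a From claiming our domain while Return-Path is a different domain, an SPF result of "none", and "X-Spam: exempt" next to an X-AcceptDeny allow rule keyed on *@ourdomainname.com by domainFrom, which is the setting the accepted answer points at. The header block is embedded as a constructed sample trimmed to the lines the script reads, with the poster's placeholders kept; the TRUSTED host list and the indicator names are assumptions of mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header block posted in this thread, trimmed to the
# lines this script uses. The poster's placeholders ("ouremailserver",
# "ourdomainname", "(Our Internal Exch2010 IP)") are kept exactly as posted.
SAMPLE_HEADERS = """\
Received: from p01c12m093.mxlogic.net (208.65.145.247) by ouremailserver.ourdomainname.local
 (Our Internal Exch2010 IP) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 25 Oct
 2013 10:57:56 -0400
Authentication-Results: p01c12m093.mxlogic.net; spf=none
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18])      by
 p01c12m093.mxlogic.net(mxl_mta-7.1.0-4)      with ESMTP id
 0f68a625.0.10877375.00-2048.16066773.p01c12m093.mxlogic.net (envelope-from
 <audition6@surewest.com>);      Fri, 25 Oct 2013 08:57:52 -0600 (MDT)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp id 1rqLaL-000M6-00 for allens@ourdomainname.com; Fri, 25
 Oct 2013 09:57:52 -0500
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
Subject: Past Due Invoices
X-Spam: Not detected
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-MAIL-FROM: <audition6@surewest.com>
X-SOURCE-IP: [173.227.221.18]
X-Spam: exempt
Return-Path: audition6@surewest.com
"""

# Assumption: hosts whose Received stamps we believe, i.e. our own Exchange
# server and the filtering provider in front of it (IPs may be listed too).
TRUSTED = ("ourdomainname.local", "mxlogic.net")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _unfold(value):
    """Collapse RFC 5322 folding whitespace so one regex sees the whole line."""
    return " ".join(value.split())


def is_trusted(host, trusted):
    host = host.lower().strip("[]")
    return any(host == t or host.endswith("." + t) for t in trusted)


def received_hops(msg):
    """Parse each Received header into (from_host, from_ip, by_host).

    Index 0 is the hop nearest to us (stamped last); the final entry is the
    farthest away and the least trustworthy.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        m = re.match(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>[^\s(;]+)", _unfold(raw))
        if not m:
            continue  # e.g. a local-delivery stamp with no "from" clause
        frm = m.group("frm")
        ip = IPV4.search(frm)
        hops.append((frm.split()[0], ip.group(1) if ip else None, m.group("by")))
    return hops


def originating_ip(hops, trusted):
    """Walk the chain from our side outward and return the real source IP.

    A Received line is only as honest as the server that wrote it, so a hop
    counts only while its receiving ("by") host is one we trust. The first
    handoff from an untrusted "from" host into a trusted "by" host is the
    origin; everything beneath it was stamped by the sender's own server and
    may be invented (here the private helo 192.168.6.13).
    """
    for from_host, from_ip, by_host in hops:
        if not is_trusted(by_host, trusted):
            return None  # chain of trust broke before we reached the edge
        if not is_trusted(from_host, trusted):
            return from_ip
    return None


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(msg, our_domain, trusted):
    """Name the signs that this message is a spoof that slipped past filtering."""
    found = []
    header_from = _domain(msg.get("From", ""))
    envelope_from = _domain(msg.get("Return-Path", ""))
    origin = originating_ip(received_hops(msg), trusted)
    if header_from == our_domain and envelope_from != our_domain:
        found.append("from-domain-spoofed")        # display From is us, bounce address is not
    if header_from == our_domain and origin and not is_trusted(origin, trusted):
        found.append("our-domain-from-outside")    # our domain arriving from the Internet
    spf = (msg.get("Received-SPF", "") + " " + msg.get("Authentication-Results", "")).lower()
    if "spf=none" in spf or spf.startswith("none"):
        found.append("spf-none")                   # sender domain publishes no SPF record
    exempt = "exempt" in [v.strip().lower() for v in msg.get_all("X-Spam", [])]
    rule = msg.get("X-AcceptDeny", "").lower()
    if exempt and "action=allow" in rule and "domainfrom" in rule and our_domain in rule:
        found.append("allow-rule-on-from-domain")  # allow list keyed on From admits spoofs
    return found


def analyze(raw_headers, our_domain, trusted=TRUSTED):
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)
    return {"hops": hops,
            "origin": originating_ip(hops, trusted),
            "indicators": spoof_indicators(msg, our_domain, trusted)}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS, "ourdomainname.com")
    for hop in report["hops"]:
        print("from %-20s ip %-16s by %s" % hop)
    print("origin:", report["origin"])
    print("indicators:", ", ".join(report["indicators"]))
```

On the posted header this reports 173.227.221.18 as the origin (the IP MX Logic itself saw, and the one worth checking against blacklists), and flags all four indicators. To use it on other suspect messages, save each one as a .eml (the drag-and-drop-as-attachment trick above preserves the headers) and call analyze() on its text; the "our-domain-from-outside" check assumes no legitimate third party sends as your domain, so exclude any such senders from it, and the trusted list must match whatever actually sits in front of your Exchange server.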
 

Author Comment

by:dee30
Simon, YOU ARE THE MAN... I swear I looked all in the toolbars for an option and, other than the 'email header' I added to a new group in the emails menu, which didn't work, I wasn't identifying that shortcut. THANK YOU! So, that said, yes, to my email to MXL that is all they said: 'something in your filters' you need to look at. Nothing else on the specific area/thing or assistance in finding the setting, etc. was forthcoming... I'm in working on that today with no freaking salesman around in my building. Had to throw that last unrelated bit in there; peace and quiet... lol. Thx
0
