Solved

Lot of email phishing attemps on network all the sudden?  Exchagne 2010

Posted on 2013-10-22
8
474 Views
Last Modified: 2013-10-29
Hello other than the normail making sure we have AV, Spam filtering interally but also a service that check incoming mail prior to hitting our server.   Possibly installing the exchange antspam filter/script(i  have to read up on this).   What else can be done to combat all the sudden lots of phishing emails?  Trying to also figure out where theyre coming from?  Of course we have the numerous mobile devices sycing with exchange willy nilly.

Advice/feedback/ Tips & tricks/ bullet list of Troubleshooting tips?  

Thx
0
Comment
Question by:dee30
  • 4
  • 4
8 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39591504
Most phishing will come from outside, unusual for internal. You need to look at the headers of one of them to see where the source is and verify if it is coming from outside or not.
If it is, and you have an external host doing the scanning, then they aren't doing a very good job! Phishing should be picked up my most antispam services without any problems.

Simon.
0
 

Author Comment

by:dee30
ID: 39591539
I hear you but any time i try to look at header i see nothing.   Over the last week I've tried 3-4 of these get users to email them to me lookup header and no luck seeing header info in ORIGINAL email.  I thought the same about the mcafeeSAAS missing it.  The emails have zip attachments and look like coming from our domain but they aren't.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39591715
If they are sending you the email (hitting forward) then the header information is lost.
For you to see the headers you need to either

a. open the original message.
b. get the end user to drag and drop the email in to a new email (so it is attached) and send that. You should then be able to see the header information.

Simon.
0
Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

 

Author Comment

by:dee30
ID: 39594216
Simon, yes I know this.. i thought i emphasized original email in my reply.  That said went back and figured out why couldn't see original header ins stupid office 2010 b/c ribbon other options header info doesn't do what I'm used to.  I have to go into properties from file/menu a bizillion steps away.   See where email gets through external filtering company with soft filers and exempt from spam and originating 206.19.214.16. Who is referencing cali i think but no other info and it's been blacklisted on three spam sites.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39599731
First - to get to the headers quickly, press the tiny little arrow under Tags when you have the message open - that will show you the headers quickly.

If the email is coming from outside then it should be caught by the external filtering company. You should be challenging them as to why it isn't, particularly if the originator is already blacklisted. By the time it gets to your server it is too late really. The most effective filtering system is host based, but you have to be the primary receiver for that, coming in via another host doesn't work. On your server you are limited to content based filtering, and those are easily fooled and you will catch legitimate email. Only if they have an attachment can you catch them with an AV product. Otherwise content based scanning is too unreliable.

Simon.
0
 

Author Comment

by:dee30
ID: 39601035
still no go on a shorter way to nav to header info in office 2010.

Below is an example of header from yet another one from  this a.m. though incase you want to comment.  I replaced our company specific info with genericreferences:

Received: from p01c12m093.mxlogic.net (208.65.145.247) by ouremailserver.ourdomainname.local
 (Our Internal Exch2010 IP) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 25 Oct
 2013 10:57:56 -0400
Authentication-Results: p01c12m093.mxlogic.net; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18])      by
 p01c12m093.mxlogic.net(mxl_mta-7.1.0-4)      with ESMTP id
 0f68a625.0.10877375.00-2048.16066773.p01c12m093.mxlogic.net (envelope-from
 <audition6@surewest.com>);      Fri, 25 Oct 2013 08:57:52 -0600 (MDT)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp id 1rqLaL-000M6-00 for allens@ourdomainname.com; Fri, 25
 Oct 2013 09:57:52 -0500
Message-ID: <526A86AC.0070608@ourdomainname.com>
Date: Fri, 25 Oct 2013 09:57:52 -0500
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <allens@ourdomainname.com>
Subject: Past Due Invoices
Content-Type: multipart/mixed;
      boundary="----=_Part_63453_8955056994.5838701364040"
X-Spam: Not detected
X-Mras: Ok
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-MAIL-FROM: <audition6@surewest.com>
X-SOURCE-IP: [173.227.221.18]
X-Spam: exempt
Return-Path: audition6@surewest.com
X-MS-Exchange-Organization-AuthSource: ouremailservername.ourdomainname.local
X-MS-Exchange-Organization-AuthAs: Anonymous
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39601518
I don't know what you are doing by being unable to access the header information quickly.

This is the method I mean:
http://blogs.technet.com/b/exchange/archive/2011/03/23/hey-outlook-2010-where-are-my-message-headers.aspx

This is your problem:
X-Spam: exempt

The support site has this to say on that field:
https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=27

Looks to me like your settings at MX Logic need to be reviewed.

Check the other spoofed messages, see if they have the same header on them.

Simon.
0
 

Author Comment

by:dee30
ID: 39603924
Simon, YOU ARE THE MAN... I swear I looked all in tool bars for an option and other than the 'email header' i added to a new group in emails menu, that didn't work, I wasn't identifying that shortcut.  THANK YOU!   So, that said, yes to my email to mxL that is all they said 'something in your filters' you need to look at.  Nothings else on specific area/thing or assistance in finding the setting/etc was forthcoming... I'm in working on that today with no freaking salesman around in my building. Had to throw that last unrelated bit in there; peace and quite... lol  Thx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSL-VPN 1 45
Application timeout 4 39
Flush end users Deleted Items via PowerShell 2 26
Datacenter Upgrade - Design Question 5 12
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question