Solved

Lot of email phishing attemps on network all the sudden?  Exchagne 2010

Posted on 2013-10-22
8
484 Views
Last Modified: 2013-10-29
Hello other than the normail making sure we have AV, Spam filtering interally but also a service that check incoming mail prior to hitting our server.   Possibly installing the exchange antspam filter/script(i  have to read up on this).   What else can be done to combat all the sudden lots of phishing emails?  Trying to also figure out where theyre coming from?  Of course we have the numerous mobile devices sycing with exchange willy nilly.

Advice/feedback/ Tips & tricks/ bullet list of Troubleshooting tips?  

Thx
0
Comment
Question by:dee30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39591504
Most phishing will come from outside, unusual for internal. You need to look at the headers of one of them to see where the source is and verify if it is coming from outside or not.
If it is, and you have an external host doing the scanning, then they aren't doing a very good job! Phishing should be picked up my most antispam services without any problems.

Simon.
0
 

Author Comment

by:dee30
ID: 39591539
I hear you but any time i try to look at header i see nothing.   Over the last week I've tried 3-4 of these get users to email them to me lookup header and no luck seeing header info in ORIGINAL email.  I thought the same about the mcafeeSAAS missing it.  The emails have zip attachments and look like coming from our domain but they aren't.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39591715
If they are sending you the email (hitting forward) then the header information is lost.
For you to see the headers you need to either

a. open the original message.
b. get the end user to drag and drop the email in to a new email (so it is attached) and send that. You should then be able to see the header information.

Simon.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:dee30
ID: 39594216
Simon, yes I know this.. i thought i emphasized original email in my reply.  That said went back and figured out why couldn't see original header ins stupid office 2010 b/c ribbon other options header info doesn't do what I'm used to.  I have to go into properties from file/menu a bizillion steps away.   See where email gets through external filtering company with soft filers and exempt from spam and originating 206.19.214.16. Who is referencing cali i think but no other info and it's been blacklisted on three spam sites.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39599731
First - to get to the headers quickly, press the tiny little arrow under Tags when you have the message open - that will show you the headers quickly.

If the email is coming from outside then it should be caught by the external filtering company. You should be challenging them as to why it isn't, particularly if the originator is already blacklisted. By the time it gets to your server it is too late really. The most effective filtering system is host based, but you have to be the primary receiver for that, coming in via another host doesn't work. On your server you are limited to content based filtering, and those are easily fooled and you will catch legitimate email. Only if they have an attachment can you catch them with an AV product. Otherwise content based scanning is too unreliable.

Simon.
0
 

Author Comment

by:dee30
ID: 39601035
still no go on a shorter way to nav to header info in office 2010.

Below is an example of header from yet another one from  this a.m. though incase you want to comment.  I replaced our company specific info with genericreferences:

Received: from p01c12m093.mxlogic.net (208.65.145.247) by ouremailserver.ourdomainname.local
 (Our Internal Exch2010 IP) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 25 Oct
 2013 10:57:56 -0400
Authentication-Results: p01c12m093.mxlogic.net; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none; spf=none
Received: from unknown [173.227.221.18] (EHLO [173.227.221.18])      by
 p01c12m093.mxlogic.net(mxl_mta-7.1.0-4)      with ESMTP id
 0f68a625.0.10877375.00-2048.16066773.p01c12m093.mxlogic.net (envelope-from
 <audition6@surewest.com>);      Fri, 25 Oct 2013 08:57:52 -0600 (MDT)
Received: from [214.125.235.115] (port=57538 helo=[192.168.6.13]) by
 173.227.221.18 with asmtp id 1rqLaL-000M6-00 for allens@ourdomainname.com; Fri, 25
 Oct 2013 09:57:52 -0500
Message-ID: <526A86AC.0070608@ourdomainname.com>
Date: Fri, 25 Oct 2013 09:57:52 -0500
From: "admin@ourdomainname.com" <admin@ourdomainname.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <allens@ourdomainname.com>
Subject: Past Due Invoices
Content-Type: multipart/mixed;
      boundary="----=_Part_63453_8955056994.5838701364040"
X-Spam: Not detected
X-Mras: Ok
X-AcceptDeny: action=allow, pattern=*@ourdomainname.com, value=domainFrom
Received-SPF: None
X-MAIL-FROM: <audition6@surewest.com>
X-SOURCE-IP: [173.227.221.18]
X-Spam: exempt
Return-Path: audition6@surewest.com
X-MS-Exchange-Organization-AuthSource: ouremailservername.ourdomainname.local
X-MS-Exchange-Organization-AuthAs: Anonymous
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39601518
I don't know what you are doing by being unable to access the header information quickly.

This is the method I mean:
http://blogs.technet.com/b/exchange/archive/2011/03/23/hey-outlook-2010-where-are-my-message-headers.aspx

This is your problem:
X-Spam: exempt

The support site has this to say on that field:
https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=27

Looks to me like your settings at MX Logic need to be reviewed.

Check the other spoofed messages, see if they have the same header on them.

Simon.
0
 

Author Comment

by:dee30
ID: 39603924
Simon, YOU ARE THE MAN... I swear I looked all in tool bars for an option and other than the 'email header' i added to a new group in emails menu, that didn't work, I wasn't identifying that shortcut.  THANK YOU!   So, that said, yes to my email to mxL that is all they said 'something in your filters' you need to look at.  Nothings else on specific area/thing or assistance in finding the setting/etc was forthcoming... I'm in working on that today with no freaking salesman around in my building. Had to throw that last unrelated bit in there; peace and quite... lol  Thx
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question