  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 633

Excessive amounts of spam targeted at one user

We are running an in-house SBS 2011 single Exchange Server. One of my clients is suffering an enormous amount of spam (anything from 50 to 200 spam messages every day). No one else on our network seems to have too much of a problem. All of the spam seems to be flagged with SCL -1, indicating that it is internal, but I have had no luck in trying to track this down. I attach an example of two headers from spam messages followed by two headers from 'normal' valid messages for comparison. I have changed the name of our server to mail.fiction.co.uk and our legitimate user to john.smith@fiction.co.uk, and changed a few names and numbers to protect the innocent. The rest is pretty much cut and pasted as it is. Can anyone help me determine what is going on here? Edited-Email-Headers.docx
Asked by Alan Bateman
1 Solution

donnk commented:
Both look to be externally received:

Received: from nad-fb63e897ada (77.29.186.218)
Received: from kristina (77.xx.yyy.123)

What spam software are you using on Exchange?

Alan Bateman (Author) commented:
I certainly agree they look like externally received, but why do they get an SCL value of -1 assigned to them? That seems to be treated as 'internal' and all antispam software allows it into the user's Inbox. I was using Microsoft's Forefront before all this happened, but I removed it to see if it made any difference. (I thought Forefront may have been assigning the -1 value.) I have re-enabled Exchange's inbuilt antispam features including content filtering, which Forefront turned off. None of this has got me anywhere; the problem was happening before with Forefront and is still happening now with only Exchange native antispam features. They don't seem to do much good. Should I trial something like Trend Micro or GFI? I was hoping to get a handle on where this was coming from before taking appropriate action.

Simon Butler (Sembee), Consultant, commented:
If the messages are being tagged with -1 SCL then nothing else is going to touch them.
Does your email come in directly? Has the end user whitelisted anything that could be the cause of it?

Simon.
Alan Bateman (Author) commented:
So this is the real issue.  How can I find out who or what is assigning the -1 SCL?  The user has only known good contacts in his whitelist and the same happens to me when I download his email onto a virgin install of Outlook 2013 with no whitelist.  The headers were taken from my clean Outlook install and the emails went straight into my new empty Inbox.
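One way to spot the mismatch this thread is chasing (a message that entered the server from a public IP yet carries SCL -1) is to parse the headers programmatically. This is an added example, not code from the thread or from Microsoft; the sample headers are constructed on the pattern of Alan's redacted ones, and X-MS-Exchange-Organization-SCL is the header Exchange 2010 stamps the SCL into.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the thread's redacted headers: the message
# reached mail.fiction.co.uk (192.168.8.4, the SBS box) from a public address
# yet carries SCL -1, the value Exchange gives mail it will not content-filter.
SAMPLE = (
    "Received: from mail.fiction.co.uk (192.168.8.4) by mail.fiction.co.uk\n"
    " (192.168.8.4) with mapi; Mon, 2 Dec 2013 07:35:00 +0000\n"
    "Received: from nad-fb63e897ada (77.29.186.218) by mail.fiction.co.uk\n"
    " (192.168.8.4) with Microsoft SMTP Server; Mon, 2 Dec 2013 07:34:58 +0000\n"
    "X-MS-Exchange-Organization-SCL: -1\n"
    "From: sender@example.net\nTo: john.smith@fiction.co.uk\n"
    "Subject: constructed sample\n\nbody\n"
)

# "from <host> (<ip>)" or "from <host> ([<ip>])" as Exchange writes it
HOP_RE = re.compile(r"from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def entry_hop(raw):
    """Walk Received headers top-down (newest first) and return the first
    sending IP outside private/loopback space: the hop where the message
    crossed the organisation boundary. Lines below it may be forged."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(hdr.replace("\n", " "))
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if not (addr.is_private or addr.is_loopback):
            return str(addr)
    return None  # no public hop: message never left the internal network

def audit_scl(raw):
    """Compare where the mail entered from with the SCL Exchange stamped on it."""
    msg = message_from_string(raw)
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(scl) if scl is not None else None
    origin = entry_hop(raw)
    if origin and scl == -1:
        verdict = "external origin but SCL -1: message bypassed content filtering"
    elif origin is None:
        verdict = "internal origin, SCL %s" % scl
    else:
        verdict = "external origin, content-filtered (SCL %s)" % scl
    return {"origin": origin, "scl": scl, "verdict": verdict}
```

Run audit_scl over the raw headers of a handful of the user's spam and a few clean messages; a consistent "external origin but SCL -1" verdict confirms the filter is being skipped rather than failing to score.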
donnk commented:
Forget Outlook; it has nothing to do with it.

You need to check exchange and see how your mail is being delivered (directly?) and what AV service you have.

Alan Bateman (Author) commented:
Yes the mail is being delivered directly. The MX pointer points to our Small Business Server 2011 which is running Exchange 2010.  There is no Smart Host or anything. AV is only what comes with SBS 2011 (No third party products).

donnk commented:
risky!

Check what settings your box has

http://technet.microsoft.com/en-us/library/bb691082(v=exchg.141).aspx

You really need some AV/AS product on the server ASAP. No way I would let a production server be exposed. Cryptolocker, for example?

Alan Bateman (Author) commented:
Content Filter Agent is enabled and Priority 5. I don't know if that's good or bad? The output from the Get-TransportPipeline command is attached. Don't really know what this means either.
Get-TransportPipeline.docx

WORKS2011, Austin Tech Company, commented:
Does the user having the large amount of SPAM have the issue on a workstation that Outlook is getting all the email? For example if Outlook was closed and the user only used OWA would there still be the problem? To me it sounds like there is an issue with a compromised workstation since it's only one user but it could be the server.

I would run Malwarebytes on the workstation having the problem and run a full scan; it's likely there's a virtual SMTP sending email or relaying it, creating all the SPAM.

donnk commented:
works2011 - per the headers posted the mail is generated externally to the company.

I agree it's an almost certainty that every PC with email access is infected, as they have no AV/AS software in place to catch any, and we all know when monitoring an email server loads of it are caught daily.

Seriously go grab an eval copy of Avast small business or GFI whatever NOW and get it on your server then let it scan the entire mail database!

We have had new clients in similar situations to the one you find yourself in, and they can't believe it after the first scan when we present a report of 6 pages of A4 showing crap deleted from the mail database. You can always rely on a user to double click a zip attachment on a FedEx email!!

Alan Bateman (Author) commented:
I will run a Malwarebytes full scan on his workstation today (7.35am here at the moment). The 'virtual SMTP' creating all the spam was where I was thinking when I first posted this problem, but I need some help in identifying it. Presumably it could be a spam bot running on any of the PCs in the network. It is difficult to get this user to close down Outlook for any length of time. He gets a lot of legitimate mail, has multiple shared folders, shared calendars, task lists etc., and he is the business owner!

Simon Butler (Sembee), Consultant, commented:
Whitelists in Exchange are stored in the mailbox, not the Outlook client. Therefore a new installation of Outlook would show the same thing.

I would start by flushing out the white list, in most cases it isn't required.
The white list is used by Exchange to filter email, so that is the most likely cause if there are no applications on the server doing the job.

Simon.

WORKS2011, Austin Tech Company, commented:
> works2011 - per the headers posted the mail is generated externally to the company.

I'm not following your logic, isn't all email from an outside source...YES it is. What it appears to me is a relay SMTP is on a workstation which is allowing the spammer to connect to the relay and bypass your server / spam filter.

> It is difficult to get this user to close down outlook for any length of time, He gets a lot of legitimate mail, has multiple shared folders shared calendars, task lists etc , And he is the business owner!

As an IT professional it's paramount to explain the consequences of continuing to use his email without allowing proper access to his workstation. I'm sure when his tires have no tread he leaves his car in the shop for new tires. He can live without his computer while troubleshooting.

Alan Bateman (Author) commented:
OK. Here's what I've done today. Firstly I ran a full Malwarebytes scan on the user's m/c and it came up clean after a two hour scan. Zero suspect objects! I also downloaded Avast! Email Server Security and ran a full antivirus scan on my server. This took about 5 hours but also came up clean! However, the antispam feature of this product is obviously filtering incoming emails and has detected about 75% of our incoming email as spam. It is now labelling it with ***SPAM*** in the title but sending it on to the user anyway. It still comes into his inbox. There is an option to delete it which seems to work, although this way I have no idea what it's deleting, where it is coming from or whether there are any false positives being deleted. Avast! doesn't seem to have many options like quarantining etc. All of the users are running Microsoft Security Essentials, which is green, up-to-date and showing no errors on the ones I've looked at. What should I do now?

WORKS2011, Austin Tech Company, commented:
Who has IP address 192.168.8.4 on your network?

Alan Bateman (Author) commented:
That is the Small Business Server running Exchange.

donnk commented:
Make a rule in Outlook to dump any email with ****SPAM**** into the junk folder.

WORKS2011, Austin Tech Company, commented:
Have the user receiving the email change his password; since it's only one user this may help.

Trend Micro runs a free trial you may want to try a deep scan on the server.

What does http://mxtoolbox.com tell you?

Alan Bateman (Author) commented:
Eventually tracked down the culprit to an infected workstation that was only ever used to drive a smart board in our conference room.