Solved

Excessive amounts of spam targeted at one user

Posted on 2013-12-02
560 Views
Last Modified: 2014-04-01
We are running an in-house SBS 2011 single Exchange Server. One of my clients is suffering an enormous amount of spam (anything from 50 to 200 spam messages every day). No one else on our network seems to have too much of a problem. All of the spam seems to be flagged with SCL -1, indicating that it is internal, but I have no luck in trying to track this down. I attach an example of two headers from spam messages followed by two headers from 'normal' valid messages for comparison. I have changed the name of our server to mail.fiction.co.uk and our legitimate user to john.smith@fiction.co.uk, and changed a few names and numbers to protect the innocent. The rest is pretty much cut and pasted as it is. Can anyone help me determine what is going on here?
Edited-Email-Headers.docx
Question by:Alan Bateman
19 Comments
 
LVL 6

Expert Comment

by:donnk
ID: 39690249
Both look to be externally received:

Received: from nad-fb63e897ada (77.29.186.218)
Received: from kristina (77.xx.yyy.123)

What spam software are you using on Exchange?

Author Comment

by:Alan Bateman
ID: 39690353
I certainly agree they look like externally received, but why do they get an SCL value of -1 assigned to them? That seems to be treated as 'internal', and all antispam software allows it into the user's Inbox. I was using Microsoft's Forefront before all this happened, but I removed it to see if it made any difference. (I thought Forefront may have been assigning the -1 value.) I have re-enabled Exchange's inbuilt antispam features, including content filtering, which Forefront turned off. None of this has got me anywhere: the problem was happening before with Forefront and is still happening now with only Exchange's native antispam features. They don't seem to do much good. Should I trial something like Trend Micro or GFI? I was hoping to get a handle on where this was coming from before taking appropriate action.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39690392
If the messages are being tagged with -1 SCL then nothing else is going to touch them.
Does your email come in directly? Has the end user whitelisted anything that could be the cause of it?

Simon.

Author Comment

by:Alan Bateman
ID: 39690428
So this is the real issue. How can I find out who or what is assigning the -1 SCL? The user has only known good contacts in his whitelist, and the same happens to me when I download his email onto a virgin install of Outlook 2013 with no whitelist. The headers were taken from my clean Outlook install, and the emails went straight into my new empty Inbox.
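The question of who is stamping SCL -1 on mail that the Received chain shows came from outside can be checked per message. The following is an added example, not code from the thread or from any of the posters: it parses the Received headers and the X-MS-Exchange-Organization-SCL header, finds the earliest hop with a public address, and flags messages that Exchange treated as internal (SCL -1, so the content filter does not touch them) although they entered from the internet. The sample headers are constructed; 192.168.8.4 (the SBS) and 77.29.186.218 (the sender in the quoted Received line) are the addresses mentioned in the thread.

```python
import ipaddress
import re
from email import message_from_string

# First dotted quad after the "from" host; Exchange writes "from host (ip) by ...".
IP_RE = re.compile(r"\bfrom\s+\S+[^;]*?(\d{1,3}(?:\.\d{1,3}){3})")
# Constructed samples: 192.168.8.4 is the SBS named in the thread, 77.29.186.218
# the external sender from the quoted Received line. Headers are newest first.
SPAM = """Received: from mail.fiction.co.uk (192.168.8.4) by mail.fiction.co.uk
 (192.168.8.4) with Microsoft SMTP Server id 14.1.438.0; Mon, 2 Dec 2013 07:12:01 +0000
Received: from nad-fb63e897ada (77.29.186.218) by mail.fiction.co.uk
 (192.168.8.4) with Microsoft SMTP Server id 14.1.438.0; Mon, 2 Dec 2013 07:12:00 +0000
From: sender@example.net
To: john.smith@fiction.co.uk
X-MS-Exchange-Organization-SCL: -1
"""
INTERNAL = """Received: from mail.fiction.co.uk (192.168.8.4) by mail.fiction.co.uk
 (192.168.8.4) with Microsoft SMTP Server id 14.1.438.0; Mon, 2 Dec 2013 08:00:00 +0000
From: colleague@fiction.co.uk
To: john.smith@fiction.co.uk
X-MS-Exchange-Organization-SCL: -1
"""

def received_hops(raw):
    """IP of each Received header, newest (top) first; unparsable hops are skipped."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if not m:
            continue
        try:
            hops.append(ipaddress.ip_address(m.group(1)))
        except ValueError:  # e.g. a redacted "77.xx.yyy.123"
            continue
    return hops

def origin_ip(raw):
    """Earliest hop with a public address, or None when every hop is internal."""
    for ip in reversed(received_hops(raw)):
        if not ip.is_private:
            return str(ip)
    return None

def audit(raw):
    """Flag mail Exchange treated as internal (SCL -1) that entered from outside."""
    value = message_from_string(raw).get("X-MS-Exchange-Organization-SCL")
    scl = int(value) if value is not None else None
    ext = origin_ip(raw)
    return {"scl": scl, "external_origin": ext, "suspicious": scl == -1 and ext is not None}
```

Run it over headers exported from the affected mailbox: every message it flags should correspond to a receive connector or relay path that is handing external mail to Exchange as trusted.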
LVL 6

Expert Comment

by:donnk
ID: 39690449
Forget Outlook; it has nothing to do with it.

You need to check Exchange and see how your mail is being delivered (directly?) and what AV service you have.

Author Comment

by:Alan Bateman
ID: 39690473
Yes, the mail is being delivered directly. The MX pointer points to our Small Business Server 2011, which is running Exchange 2010. There is no Smart Host or anything. AV is only what comes with SBS 2011 (no third-party products).
LVL 6

Expert Comment

by:donnk
ID: 39690848
risky!

Check what settings your box has

http://technet.microsoft.com/en-us/library/bb691082(v=exchg.141).aspx

You really need some AV/AS product on the server ASAP. No way I would let a production server be exposed. CryptoLocker, for example?

Author Comment

by:Alan Bateman
ID: 39691272
Content Filter Agent is enabled and Priority 5. I don't know if that's good or bad? The output from the Get-TransportPipeline command is attached. Don't really know what this means either.
Get-TransportPipeline.docx
LVL 17

Expert Comment

by:WORKS2011
ID: 39691410
Does the user having the large amount of SPAM have the issue on a workstation where Outlook is getting all the email? For example, if Outlook was closed and the user only used OWA, would there still be the problem? To me it sounds like there is an issue with a compromised workstation, since it's only one user, but it could be the server.

I would run Malwarebytes on the workstation having the problem; run a full scan. It's likely there's a virtual SMTP sending email or relaying it, creating all the SPAM.
LVL 6

Expert Comment

by:donnk
ID: 39691805
works2011 - per the headers posted, the mail is generated externally to the company.

I agree it's an almost certainty that every PC with email access is infected, as they have no AV/AS software in place to catch any, and we all know when monitoring an email server loads of it are caught daily.

Seriously, go grab an eval copy of Avast small business or GFI, whatever, NOW and get it on your server, then let it scan the entire mail database!

We have had new clients in similar situations to the one you find yourself in, and they can't believe it after the first scan when we present a report of 6 pages of A4 showing crap deleted from the mail database. You can always rely on a user to double-click a zip attachment on a FedEx email!!

Author Comment

by:Alan Bateman
ID: 39691807
I will run a Malwarebytes full scan on his workstation today (7.35am here at the moment). The 'virtual SMTP' creating all the spam was where I was thinking when I first posted this problem, but I need some help in identifying it. Presumably it could be a spam bot running on any of the PCs in the network. It is difficult to get this user to close down Outlook for any length of time: he gets a lot of legitimate mail, has multiple shared folders, shared calendars, task lists etc., and he is the business owner!
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39691993
Whitelists in Exchange are stored in the mailbox, not the Outlook client. Therefore a new installation of Outlook would show the same thing.

I would start by flushing out the whitelist; in most cases it isn't required.
The whitelist is used by Exchange to filter email, so that is the most likely cause if there are no applications on the server doing the job.

Simon.
LVL 17

Accepted Solution

by:
WORKS2011 earned 500 total points
ID: 39693714
"works2011 - per the headers posted the mail is generated externally to the company."
I'm not following your logic. Isn't all email from an outside source... YES it is. What it appears to me is a relay SMTP is on a workstation which is allowing the spammer to connect to the relay and bypass your server / spam filter.

"It is difficult to get this user to close down outlook for any length of time, He gets a lot of legitimate mail, has multiple shared folders shared calendars, task lists etc , And he is the business owner!"
As an IT professional it's paramount to explain the consequences of continuing to use his email without allowing proper access to his workstation. I'm sure when his tires have no tread he leaves his car in the shop for new tires. He can live without his computer while troubleshooting.

Author Comment

by:Alan Bateman
ID: 39694035
OK. Here's what I've done today. Firstly I ran a full Malwarebytes scan on the user's machine and it came up clean after a two-hour scan. Zero suspect objects! I also downloaded Avast! Email Server Security and ran a full antivirus scan on my server. This took about 5 hours but also came up clean! However, the antispam feature of this product is obviously filtering incoming emails and has detected about 75% of our incoming email as spam. It is now labelling it with ***SPAM*** in the title but sending it on to the user anyway. It still comes into his inbox. There is an option to delete it which seems to work, although this way I have no idea what it's deleting, where it is coming from or whether there are any false positives being deleted. Avast! doesn't seem to have many options like quarantining etc. All of the users are running Microsoft Security Essentials, which is green, up-to-date and showing no errors on the ones I've looked at. What should I do now?
LVL 17

Expert Comment

by:WORKS2011
ID: 39694157
Who has IP address 192.168.8.4 on your network?

Author Comment

by:Alan Bateman
ID: 39694788
That is the Small Business Server running Exchange.
LVL 6

Expert Comment

by:donnk
ID: 39694846
Make a rule in Outlook to dump any email with ****SPAM**** into the Junk folder.
LVL 17

Expert Comment

by:WORKS2011
ID: 39695849
Have the user receiving the email change his password; since it's only one user, this may help.

Trend Micro runs a free trial; you may want to try a deep scan on the server.

What does http://mxtoolbox.com tell you?

Author Closing Comment

by:Alan Bateman
ID: 39968608
Eventually tracked down the culprit to an infected workstation only ever used to drive a smart board in our conference room.
