Solved

Excessive amounts of spam targeted at one user

Posted on 2013-12-02
Last Modified: 2014-04-01
We are running an in-house SBS 2011 single Exchange Server. One of my clients is suffering an enormous amount of spam (anything from 50 to 200 spam messages every day).  No one else on our network seems to have too much of a problem. All of the spam seems to be flagged with SCL -1 indicating that it is internal but I have no luck in trying to track this down. I attach an example of two headers from spam messages followed by two headers from 'normal' valid messages for comparison. I have changed the name of our server to mail.fiction.co.uk  and our legitimate user to be john.smith@fiction.co.uk . And changed a few names and numbers to protect the innocent. The rest is pretty much cut and pasted as it is.  Can anyone help me determine what is going on here? Edited-Email-Headers.docx
Question by:alangbx
19 Comments
 
LVL 6

Expert Comment

by:donnk
ID: 39690249
Both look to be externally received:

Received: from nad-fb63e897ada (77.29.186.218)
Received: from kristina (77.xx.yyy.123)

What spam software you using on exchange ?

Author Comment

by:alangbx
ID: 39690353
I certainly agree they look like externally received, but why do they get an SCL value of -1 assigned to them? That seems to be treated as 'internal' and all antispam software allows it into the user's Inbox. I was using Microsoft's Forefront before all this happened, but I removed it to see if it made any difference. (I thought Forefront may have been assigning the -1 value). I have re-enabled Exchange's inbuilt antispam features including content filtering, which Forefront turned off. None of this has got me anywhere; the problem was happening before with Forefront and is still happening now with only Exchange native antispam features. They don't seem to do much good. Should I trial something like Trend Micro or GFI? I was hoping to get a handle on where this was coming from before taking appropriate action.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39690392
If the messages are being tagged with -1 SCL then nothing else is going to touch them.
Does your email come in directly? Has the end user whitelisted anything that could be the cause of it?

Simon.

Author Comment

by:alangbx
ID: 39690428
So this is the real issue. How can I find out who or what is assigning the -1 SCL? The user has only known good contacts in his whitelist, and the same happens to me when I download his email onto a virgin install of Outlook 2013 with no whitelist. The headers were taken from my clean Outlook install and the emails went straight into my new empty Inbox.
LVL 6

Expert Comment

by:donnk
ID: 39690449
Forget Outlook, it has nothing to do with it.

You need to check exchange and see how your mail is being delivered (directly?) and what AV service you have.

Author Comment

by:alangbx
ID: 39690473
Yes, the mail is being delivered directly. The MX pointer points to our Small Business Server 2011, which is running Exchange 2010. There is no Smart Host or anything. AV is only what comes with SBS 2011 (no third party products).
LVL 6

Expert Comment

by:donnk
ID: 39690848
risky!

Check what settings your box has

http://technet.microsoft.com/en-us/library/bb691082(v=exchg.141).aspx

You really need some AV/AS product on the server asap. No way I would let a production server be exposed. Cryptolocker, for example?

Author Comment

by:alangbx
ID: 39691272
Content Filter Agent is enabled and Priority 5. I don't know if that's good or bad? The output from the Get-TransportPipeline command is attached. Don't really know what this means either.
Get-TransportPipeline.docx
LVL 17

Expert Comment

by:WORKS2011
ID: 39691410
Does the user having the large amount of SPAM have the issue on a workstation that Outlook is getting all the email? For example if Outlook was closed and the user only used OWA would there still be the problem? To me it sounds like there is an issue with a compromised workstation since it's only one user but it could be the server.

I would run Malwarebytes on the workstation having the problem, run a full scan; it's likely there's a virtual SMTP sending email or relaying it, creating all the SPAM.
LVL 6

Expert Comment

by:donnk
ID: 39691805
works2011 - per the headers posted the mail is generated externally to the company.

I agree it's an almost certainty that every PC with email access is infected, as they have no AV/AS software in place to catch any, and we all know when monitoring an email server loads of it are caught daily.

Seriously go grab an eval copy of Avast small business or GFI whatever NOW and get it on your server then let it scan the entire mail database!

We have had new clients in similar situations to the one you find yourself in and they can't believe it after the first scan when we present a report of 6 pages of A4 showing crap deleted from the mail database. You can always rely on a user to double click a zip attachment on a FedEx email!!

Author Comment

by:alangbx
ID: 39691807
I will run a Malwarebytes full scan on his workstation today. (7.35am here at the moment). The 'virtual SMTP' creating all the spam was where I was thinking when I first posted this problem. But I need some help in identifying it. Presumably it could be a spam bot running on any of the PCs in the network. It is difficult to get this user to close down Outlook for any length of time. He gets a lot of legitimate mail, has multiple shared folders, shared calendars, task lists etc., and he is the business owner!
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39691993
Whitelists in Exchange are stored in the mailbox, not the Outlook client. Therefore a new installation of Outlook would show the same thing.

I would start by flushing out the white list, in most cases it isn't required.
The white list is used by Exchange to filter email, so that is the most likely cause if there are no applications on the server doing the job.

Simon.
LVL 17

Accepted Solution

by:WORKS2011 (earned 500 total points)
ID: 39693714
"works2011 - per the headers posted the mail is generated externally to the company."
I'm not following your logic, isn't all email from an outside source...YES it is. What it appears to me is a relay SMTP is on a workstation which is allowing the spammer to connect to the relay and bypass your server / spam filter.

"It is difficult to get this user to close down outlook for any length of time, He gets a lot of legitimate mail, has multiple shared folders shared calendars, task lists etc , And he is the business owner!"
As an IT professional it's paramount to explain the consequences of continuing to use his email without allowing proper access to his workstation. I'm sure when his tires have no tread he leaves his car in the shop for new tires. He can live without his computer while troubleshooting.
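A header check in the spirit of this thread, added here as an example (it is not from the question or from any of the replies): it pulls the source IP from each Received hop, reads the X-MS-Exchange-Organization-SCL stamp that Exchange writes, and flags messages that arrived from a public address yet carry SCL -1, the combination the thread is puzzling over (a filter bypass, for instance via an internal relay or a whitelisted source). The sample headers are constructed from names in the thread; sender-host and the SCL value 6 are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# First parenthesised dotted-quad in a Received header, e.g. "(77.29.186.218)".
RECEIVED_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def sample(src_ip, scl):
    """Constructed test message: the sender hop, then the SBS hop, then the
    SCL stamp. mail.fiction.co.uk and 192.168.8.4 are names from the thread;
    sender-host is an assumed hostname."""
    return (
        "Received: from mail.fiction.co.uk (192.168.8.4) by mail.fiction.co.uk\n"
        f"Received: from sender-host ({src_ip}) by 192.168.8.4 with SMTP\n"
        f"X-MS-Exchange-Organization-SCL: {scl}\n"
        "To: john.smith@fiction.co.uk\n\nbody\n"
    )


def hops(raw):
    """Return [(ip, is_external)] for each Received hop, newest first."""
    msg = message_from_string(raw)
    out = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(header)
        if match:
            ip = match.group(1)
            out.append((ip, not ipaddress.ip_address(ip).is_private))
    return out


def classify(raw):
    """'bypass': a public-IP hop yet SCL -1 (content filter skipped it);
    'external-filtered': public-IP hop with a real SCL score;
    'internal': every hop is on a private network."""
    msg = message_from_string(raw)
    scl_header = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(scl_header) if scl_header is not None else None
    external = any(ext for _, ext in hops(raw))
    if external and scl == -1:
        return "bypass"
    if external:
        return "external-filtered"
    return "internal"


if __name__ == "__main__":
    # 77.29.186.218 is the external sender from donnk's header excerpt.
    for raw in (sample("77.29.186.218", -1), sample("77.29.186.218", 6),
                sample("192.168.8.50", -1)):
        print([ip for ip, _ in hops(raw)], classify(raw))
```

Run it over the raw headers of the affected mailbox's messages; anything classified as "bypass" is the population to trace back through the Received chain to whichever host handed it to the server.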

Author Comment

by:alangbx
ID: 39694035
OK. Here's what I've done today. Firstly I ran a full Malwarebytes scan on the user's m/c and it came up clean after a two hour scan. Zero suspect objects! I also downloaded Avast! Email Server Security and ran a full antivirus scan on my server. This took about 5 hours but also came up clean! However, the antispam feature of this product is obviously filtering incoming emails and has detected about 75% of our incoming email as spam. It is now labelling it with ***SPAM*** in the title but sending it on to the user anyway. It still comes into his inbox. There is an option to delete it which seems to work, although this way I have no idea what it's deleting, where it is coming from or whether there are any false positives being deleted. Avast! doesn't seem to have many options like quarantining etc. All of the users are running Microsoft Security Essentials, which is green, up-to-date and showing no errors on the ones I've looked at. What should I do now?
LVL 17

Expert Comment

by:WORKS2011
ID: 39694157
Who has IP address 192.168.8.4 on your network?

Author Comment

by:alangbx
ID: 39694788
That is the Small Business Server running Exchange.
LVL 6

Expert Comment

by:donnk
ID: 39694846
Make a rule in Outlook to dump any email with ****SPAM**** into the junk folder.
LVL 17

Expert Comment

by:WORKS2011
ID: 39695849
Have the user receiving the email change his password; since it's only one user this may help.

Trend Micro runs a free trial you may want to try a deep scan on the server.

What does http://mxtoolbox.com tell you?

Author Closing Comment

by:alangbx
ID: 39968608
Eventually tracked down the culprit to an infected workstation only ever used to drive a smart board in our conference room.