I received an email from a contractor the other day who is concerned about SPAM that he is receiving from our mail server. Below is the header info from the email - is anyone able to figure out how this email is getting generated? We do have a couple of Receive Connectors that don't use authentication because they are for equipment that is not on our domain (and impossible to get to from the outside unless you are VPN'd into it), so they allow anonymous users to send notifications out - however, I do have specific networks specified from which the mail server should only be allowing relaying. My concern is that somehow someone is able to get through my ASA and generate emails using this connector.
Testing for open relays has shown that I have none, but I'm particularly concerned about this vulnerability.
Return of the open relays
We are running an ASA security appliance.
Received: from Brockman.shec.com (126.96.36.199) by
remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Received: from host-49-130.pool.intred.it (188.8.131.52) by Brockman.shec.com
(10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
Received: from [10.0.0.114] ([10.0.0.114:9746]
helo=host-49-130.pool.intred.it) by 8C43899A (envelope-from
<firstname.lastname@example.org>) (ecelerity 184.108.40.206854 r(Momo-dev:220.127.116.11)) with ESMTP
id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
Date: Fri, 25 Jul 2014 09:42:02 +0200
From: NewSlimBody Daily <email@example.com>
Subject: Keeping fit is nothing special now!
Received-SPF: None (CASVR1.costelloassoc.local: firstname.lastname@example.org does
not designate permitted sender hosts)
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13306.465;SID:SenderIDStatus None;OrigIP:18.104.22.168
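As an added example (my code, not from the post or from Exchange), here is a small Python script that walks the Received chain of the header quoted above, oldest hop first, and reports on which hop your own server accepted the message and whether that hop's source address falls inside the networks you have scoped to the anonymous receive connector. It also flags a HELO name that does not match the connecting host. The connector network 10.1.50.0/24 and the list of "our" hostnames are placeholder assumptions; the header text is the one from the post, embedded as sample input.

```python
import ipaddress
import re

# Header block from the post above, embedded as sample input (addresses as they appear there).
# The post lost its folding whitespace, so continuation lines are not indented; the parser copes.
SAMPLE_HEADER = """\
Received: from Brockman.shec.com (126.96.36.199) by
remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Received: from host-49-130.pool.intred.it (188.8.131.52) by Brockman.shec.com
(10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
Received: from [10.0.0.114] ([10.0.0.114:9746]
helo=host-49-130.pool.intred.it) by 8C43899A (envelope-from
<firstname.lastname@example.org>) (ecelerity 184.108.40.206854 r(Momo-dev:220.127.116.11)) with ESMTP
id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
Date: Fri, 25 Jul 2014 09:42:02 +0200
From: NewSlimBody Daily <email@example.com>
Subject: Keeping fit is nothing special now!
Received-SPF: None (CASVR1.costelloassoc.local: firstname.lastname@example.org does
not designate permitted sender hosts)
"""

# Hypothetical: the network(s) your anonymous receive connector is scoped to (placeholder value).
ANON_RELAY_NETWORKS = [ipaddress.ip_network("10.1.50.0/24")]
# Hypothetical: hostnames your Exchange servers stamp into the "by" clause.
OUR_HOSTS = {"Brockman.shec.com"}

HEADER_START_RE = re.compile(r"^[A-Za-z0-9-]+:")
RECEIVED_RE = re.compile(r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HELO_RE = re.compile(r"helo=([^\s)]+)")


def unfold_headers(raw):
    """Return (name, value) pairs; a line not starting a 'Name:' field is a continuation."""
    fields = []
    for line in raw.splitlines():
        if HEADER_START_RE.match(line):
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
        elif fields and line.strip():
            fields[-1][1] += " " + line.strip()
    return [tuple(f) for f in fields]


def _valid_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_received(value):
    """Pull the connecting host, its address, its HELO name and the receiving host out of one Received field."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    src = m.group("src")
    ips = [ip for ip in IPV4_RE.findall(src) if _valid_ip(ip)]
    helo = HELO_RE.search(src)
    src_name = src.split()[0]
    helo_name = helo.group(1) if helo else None
    return {
        "src_name": src_name,
        "src_ip": ips[0] if ips else None,
        "helo": helo_name,
        "helo_mismatch": bool(helo_name) and helo_name.lower() != src_name.lower(),
        "by": m.group("by").strip(";,"),
    }


def trace(raw):
    """Hops in transit order. Received fields are prepended, so the last one in the header is the first hop."""
    hops = [h for name, v in unfold_headers(raw) if name == "received" and (h := parse_received(v))]
    hops.reverse()
    return hops


def classify_source(ip_text, relay_networks):
    """Is this connecting address inside the connector's networks, otherwise internal, or on the Internet?"""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in relay_networks):
        return "anonymous-relay-network"
    if ip.is_private or ip.is_loopback:
        return "private"
    return "public"


def find_ingress(raw, our_hosts, relay_networks):
    """The first hop where one of our servers accepted the message, with a verdict on its source."""
    ours = {h.lower() for h in our_hosts}
    for hop in trace(raw):
        if hop["by"].lower() in ours:
            verdict = classify_source(hop["src_ip"], relay_networks) if hop["src_ip"] else "unknown"
            return {**hop, "verdict": verdict}
    return None


if __name__ == "__main__":
    for i, hop in enumerate(trace(SAMPLE_HEADER), 1):
        flag = "  (HELO does not match connecting host)" if hop["helo_mismatch"] else ""
        print(f"hop {i}: {hop['src_name']} [{hop['src_ip']}] -> {hop['by']}{flag}")
    ingress = find_ingress(SAMPLE_HEADER, OUR_HOSTS, ANON_RELAY_NETWORKS)
    print("our server accepted from:", ingress["src_ip"], "->", ingress["verdict"])
```

Run it as-is and the ingress hop is the one where Brockman.shec.com accepted the message from host-49-130.pool.intred.it; the verdict tells you whether that address is one the anonymous connector is scoped to, an internal address, or a public one. A public verdict means that hop did not come in through the connector's allowed networks, so the next place to look is the connector or MX path that accepts mail from the Internet and the forwarding rule that sent it on to the contractor.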