Solved

Spam Email

Posted on 2014-10-27
2
238 Views
Last Modified: 2014-10-30
Some of our customers are receiving bad order confirmation emails that have our product information and company name.  It doesn't appear that they are coming from us but how are they getting some of our data?
0
Comment
Question by:Free3454
2 Comments
 
LVL 4

Assisted Solution

by:Jerry Mills
Jerry Mills earned 250 total points
ID: 40406610
Spammers/criminals is most likely reason.  What you need to do is request customer to copy header information on the received email and send to you.  To do that ask customer to do a right click and properties - select all information and past in email to you.  If new version of outlook go backstage (click on file) and select properties and do same thing.

Go to "ip2location.com" and do lookup on IPs.  If it came from you and will be your IP address as the originating address and you may have an infected computer.  If none of the addresses come from you then customer is being spammed.

header will look similar to this:

Received: by 1b09f78c.lowered.bpanswers.bpanswers.co.uk
      (amavisd-new, port 5586) with ESMTP id 1BU09F7K8C;
      for <jerrym@xxxxxxxx.com>; Mon, 27 Oct 2014 08:16:34 -0700
Received: from [104.140.223.213] (port=50454 helo=lowered.bpanswers.bpanswers.co.uk)
      by lima.truwebhost.net with esmtp (Exim 4.82)
      (envelope-from <BloodPressureSolution@bpanswers.co.uk>)
      id 1Xim28-0003qD-6G
      for jerrym@suttergalleries.com; Mon, 27 Oct 2014 11:16:36 -0400
Return-Path: <BloodPressureSolution@bpanswers.co.uk>
From: "Blood Pressure Solution" <BloodPressureSolution@bpanswers.co.uk>
To: <jerrym@suttergalleries.com>
Subject: *** AVAST ***1 food that kept me off BP meds
Date: Mon, 27 Oct 2014 08:16:34 -0700
Message-ID: <4586XKFBWSBDWE453633442-jerrym=xxxxxxx.com@lowered.bpanswers.bpanswers.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0795_01CFF1BE.532270C0"
X-Mailer: Microsoft Outlook 15.0
X-Antispam: spam, score=90
X-Antivirus: avast! (VPS 141027-0, 10/27/2014), Inbound message
X-Antivirus-Status: Clean
Content-Language: en-us
Thread-Index: AQJ1zTVMybjoHsUq2XxV/Omnr4utKg==
0
 
LVL 23

Accepted Solution

by:
Dr. Klahn earned 250 total points
ID: 40407681
As you have already determined, finding out where the bogus emails came from is not as important as figuring out where the leak in your data is.

If your customers -- companies on your internal customer lists in your databases -- are getting bad confirmation emails not emanating from your email server, then either (a) your computers have been penetrated or (b) you have a disgruntled employee selling your information out the back door to a hostile.

We would like to think (a) is the issue and there's a virus in the system, or a lazy employee brought in an infection, or somebody put up an unauthorized WAP on the network, as nobody likes to think they're being sold out by an employee.  However, lacking evidence the odds are 50-50 either way.

Install a second firewall behind the first (from a different manufacturer), confirm that the firmware on both is intact, that there are no ports open, and that both firewalls' out-facing maintenance interfaces are disabled.  This makes it harder to tunnel into your LAN.  Getting through one may be possible but getting through two unlike systems is less likely.

Confirm that there are no machines with VPN software installed and that nobody is allowed to VPN into the corporate network from outside the office.

Sweep every computer on the premises with at least two antiviruses, Malwarebytes and Spybot.

Then comes the unpleasant part.  Get your corporate security involved.  Have them sit each employee down who has enough access to the databases to dump them, and question those people.  Check the event logs to see who has been sticking USB drives into their machines, and ask those employees why they are using unauthorized USB drives on company hardware.

At some point an indication should emerge where the leak in your system is.  Unfortunately, the data is gone and it can't be called back.  You can't abandon your customer database; you're going to have to live with this problem.  The best you can do is plug the hole and advise all your clients to ignore anything not emanating from your email server.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Malicious software is nothing new. Viruses have been created and spread since before physical networks became popular; back then viruses spread via floppy disk and modem connections with shared systems. Viruses weren't so rampant and protecting your…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now