Solved

Spam Email

Posted on 2014-10-27
2
241 Views
Last Modified: 2014-10-30
Some of our customers are receiving bad order confirmation emails that have our product information and company name.  It doesn't appear that they are coming from us but how are they getting some of our data?
0
Comment
Question by:Free3454
2 Comments
 
LVL 4

Assisted Solution

by:Jerry Mills
Jerry Mills earned 250 total points
ID: 40406610
Spammers/criminals is most likely reason.  What you need to do is request customer to copy header information on the received email and send to you.  To do that ask customer to do a right click and properties - select all information and past in email to you.  If new version of outlook go backstage (click on file) and select properties and do same thing.

Go to "ip2location.com" and do lookup on IPs.  If it came from you and will be your IP address as the originating address and you may have an infected computer.  If none of the addresses come from you then customer is being spammed.

header will look similar to this:

Received: by 1b09f78c.lowered.bpanswers.bpanswers.co.uk
      (amavisd-new, port 5586) with ESMTP id 1BU09F7K8C;
      for <jerrym@xxxxxxxx.com>; Mon, 27 Oct 2014 08:16:34 -0700
Received: from [104.140.223.213] (port=50454 helo=lowered.bpanswers.bpanswers.co.uk)
      by lima.truwebhost.net with esmtp (Exim 4.82)
      (envelope-from <BloodPressureSolution@bpanswers.co.uk>)
      id 1Xim28-0003qD-6G
      for jerrym@suttergalleries.com; Mon, 27 Oct 2014 11:16:36 -0400
Return-Path: <BloodPressureSolution@bpanswers.co.uk>
From: "Blood Pressure Solution" <BloodPressureSolution@bpanswers.co.uk>
To: <jerrym@suttergalleries.com>
Subject: *** AVAST ***1 food that kept me off BP meds
Date: Mon, 27 Oct 2014 08:16:34 -0700
Message-ID: <4586XKFBWSBDWE453633442-jerrym=xxxxxxx.com@lowered.bpanswers.bpanswers.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0795_01CFF1BE.532270C0"
X-Mailer: Microsoft Outlook 15.0
X-Antispam: spam, score=90
X-Antivirus: avast! (VPS 141027-0, 10/27/2014), Inbound message
X-Antivirus-Status: Clean
Content-Language: en-us
Thread-Index: AQJ1zTVMybjoHsUq2XxV/Omnr4utKg==
0
 
LVL 24

Accepted Solution

by:
Dr. Klahn earned 250 total points
ID: 40407681
As you have already determined, finding out where the bogus emails came from is not as important as figuring out where the leak in your data is.

If your customers -- companies on your internal customer lists in your databases -- are getting bad confirmation emails not emanating from your email server, then either (a) your computers have been penetrated or (b) you have a disgruntled employee selling your information out the back door to a hostile.

We would like to think (a) is the issue and there's a virus in the system, or a lazy employee brought in an infection, or somebody put up an unauthorized WAP on the network, as nobody likes to think they're being sold out by an employee.  However, lacking evidence the odds are 50-50 either way.

Install a second firewall behind the first (from a different manufacturer), confirm that the firmware on both is intact, that there are no ports open, and that both firewalls' out-facing maintenance interfaces are disabled.  This makes it harder to tunnel into your LAN.  Getting through one may be possible but getting through two unlike systems is less likely.

Confirm that there are no machines with VPN software installed and that nobody is allowed to VPN into the corporate network from outside the office.

Sweep every computer on the premises with at least two antiviruses, Malwarebytes and Spybot.

Then comes the unpleasant part.  Get your corporate security involved.  Have them sit each employee down who has enough access to the databases to dump them, and question those people.  Check the event logs to see who has been sticking USB drives into their machines, and ask those employees why they are using unauthorized USB drives on company hardware.

At some point an indication should emerge where the leak in your system is.  Unfortunately, the data is gone and it can't be called back.  You can't abandon your customer database; you're going to have to live with this problem.  The best you can do is plug the hole and advise all your clients to ignore anything not emanating from your email server.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now