Spam Email

Some of our customers are receiving bad order confirmation emails that have our product information and company name.  It doesn't appear that they are coming from us but how are they getting some of our data?
Free3454Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jerry MillsCommented:
Spammers/criminals is most likely reason.  What you need to do is request customer to copy header information on the received email and send to you.  To do that ask customer to do a right click and properties - select all information and past in email to you.  If new version of outlook go backstage (click on file) and select properties and do same thing.

Go to "ip2location.com" and do lookup on IPs.  If it came from you and will be your IP address as the originating address and you may have an infected computer.  If none of the addresses come from you then customer is being spammed.

header will look similar to this:

Received: by 1b09f78c.lowered.bpanswers.bpanswers.co.uk
      (amavisd-new, port 5586) with ESMTP id 1BU09F7K8C;
      for <jerrym@xxxxxxxx.com>; Mon, 27 Oct 2014 08:16:34 -0700
Received: from [104.140.223.213] (port=50454 helo=lowered.bpanswers.bpanswers.co.uk)
      by lima.truwebhost.net with esmtp (Exim 4.82)
      (envelope-from <BloodPressureSolution@bpanswers.co.uk>)
      id 1Xim28-0003qD-6G
      for jerrym@suttergalleries.com; Mon, 27 Oct 2014 11:16:36 -0400
Return-Path: <BloodPressureSolution@bpanswers.co.uk>
From: "Blood Pressure Solution" <BloodPressureSolution@bpanswers.co.uk>
To: <jerrym@suttergalleries.com>
Subject: *** AVAST ***1 food that kept me off BP meds
Date: Mon, 27 Oct 2014 08:16:34 -0700
Message-ID: <4586XKFBWSBDWE453633442-jerrym=xxxxxxx.com@lowered.bpanswers.bpanswers.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0795_01CFF1BE.532270C0"
X-Mailer: Microsoft Outlook 15.0
X-Antispam: spam, score=90
X-Antivirus: avast! (VPS 141027-0, 10/27/2014), Inbound message
X-Antivirus-Status: Clean
Content-Language: en-us
Thread-Index: AQJ1zTVMybjoHsUq2XxV/Omnr4utKg==
0
Dr. KlahnPrincipal Software EngineerCommented:
As you have already determined, finding out where the bogus emails came from is not as important as figuring out where the leak in your data is.

If your customers -- companies on your internal customer lists in your databases -- are getting bad confirmation emails not emanating from your email server, then either (a) your computers have been penetrated or (b) you have a disgruntled employee selling your information out the back door to a hostile.

We would like to think (a) is the issue and there's a virus in the system, or a lazy employee brought in an infection, or somebody put up an unauthorized WAP on the network, as nobody likes to think they're being sold out by an employee.  However, lacking evidence the odds are 50-50 either way.

Install a second firewall behind the first (from a different manufacturer), confirm that the firmware on both is intact, that there are no ports open, and that both firewalls' out-facing maintenance interfaces are disabled.  This makes it harder to tunnel into your LAN.  Getting through one may be possible but getting through two unlike systems is less likely.

Confirm that there are no machines with VPN software installed and that nobody is allowed to VPN into the corporate network from outside the office.

Sweep every computer on the premises with at least two antiviruses, Malwarebytes and Spybot.

Then comes the unpleasant part.  Get your corporate security involved.  Have them sit each employee down who has enough access to the databases to dump them, and question those people.  Check the event logs to see who has been sticking USB drives into their machines, and ask those employees why they are using unauthorized USB drives on company hardware.

At some point an indication should emerge where the leak in your system is.  Unfortunately, the data is gone and it can't be called back.  You can't abandon your customer database; you're going to have to live with this problem.  The best you can do is plug the hole and advise all your clients to ignore anything not emanating from your email server.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.