Solved

Spam Email

Posted on 2014-10-27
2
262 Views
Last Modified: 2014-10-30
Some of our customers are receiving bad order confirmation emails that have our product information and company name.  It doesn't appear that they are coming from us but how are they getting some of our data?
0
Comment
Question by:Free3454
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 4

Assisted Solution

by:Jerry Mills
Jerry Mills earned 250 total points
ID: 40406610
Spammers/criminals is most likely reason.  What you need to do is request customer to copy header information on the received email and send to you.  To do that ask customer to do a right click and properties - select all information and past in email to you.  If new version of outlook go backstage (click on file) and select properties and do same thing.

Go to "ip2location.com" and do lookup on IPs.  If it came from you and will be your IP address as the originating address and you may have an infected computer.  If none of the addresses come from you then customer is being spammed.

header will look similar to this:

Received: by 1b09f78c.lowered.bpanswers.bpanswers.co.uk
      (amavisd-new, port 5586) with ESMTP id 1BU09F7K8C;
      for <jerrym@xxxxxxxx.com>; Mon, 27 Oct 2014 08:16:34 -0700
Received: from [104.140.223.213] (port=50454 helo=lowered.bpanswers.bpanswers.co.uk)
      by lima.truwebhost.net with esmtp (Exim 4.82)
      (envelope-from <BloodPressureSolution@bpanswers.co.uk>)
      id 1Xim28-0003qD-6G
      for jerrym@suttergalleries.com; Mon, 27 Oct 2014 11:16:36 -0400
Return-Path: <BloodPressureSolution@bpanswers.co.uk>
From: "Blood Pressure Solution" <BloodPressureSolution@bpanswers.co.uk>
To: <jerrym@suttergalleries.com>
Subject: *** AVAST ***1 food that kept me off BP meds
Date: Mon, 27 Oct 2014 08:16:34 -0700
Message-ID: <4586XKFBWSBDWE453633442-jerrym=xxxxxxx.com@lowered.bpanswers.bpanswers.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0795_01CFF1BE.532270C0"
X-Mailer: Microsoft Outlook 15.0
X-Antispam: spam, score=90
X-Antivirus: avast! (VPS 141027-0, 10/27/2014), Inbound message
X-Antivirus-Status: Clean
Content-Language: en-us
Thread-Index: AQJ1zTVMybjoHsUq2XxV/Omnr4utKg==
0
 
LVL 27

Accepted Solution

by:
Dr. Klahn earned 250 total points
ID: 40407681
As you have already determined, finding out where the bogus emails came from is not as important as figuring out where the leak in your data is.

If your customers -- companies on your internal customer lists in your databases -- are getting bad confirmation emails not emanating from your email server, then either (a) your computers have been penetrated or (b) you have a disgruntled employee selling your information out the back door to a hostile.

We would like to think (a) is the issue and there's a virus in the system, or a lazy employee brought in an infection, or somebody put up an unauthorized WAP on the network, as nobody likes to think they're being sold out by an employee.  However, lacking evidence the odds are 50-50 either way.

Install a second firewall behind the first (from a different manufacturer), confirm that the firmware on both is intact, that there are no ports open, and that both firewalls' out-facing maintenance interfaces are disabled.  This makes it harder to tunnel into your LAN.  Getting through one may be possible but getting through two unlike systems is less likely.

Confirm that there are no machines with VPN software installed and that nobody is allowed to VPN into the corporate network from outside the office.

Sweep every computer on the premises with at least two antiviruses, Malwarebytes and Spybot.

Then comes the unpleasant part.  Get your corporate security involved.  Have them sit each employee down who has enough access to the databases to dump them, and question those people.  Check the event logs to see who has been sticking USB drives into their machines, and ask those employees why they are using unauthorized USB drives on company hardware.

At some point an indication should emerge where the leak in your system is.  Unfortunately, the data is gone and it can't be called back.  You can't abandon your customer database; you're going to have to live with this problem.  The best you can do is plug the hole and advise all your clients to ignore anything not emanating from your email server.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Nessus scan 5 156
Checkpoint Endpoint Managment 3 97
EE experience on sites similar to VirusTotal? 4 153
CodeIgniter XSS confusion 5 107
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question