Rogue email apparently being issued from our site

We have a single SBS 2008 server running Exchange, with around 10 local users all running Windows 7 64-bit Pro. We are using AVG for antivirus, and have Malwarebytes Enterprise Edition installed also.

Every few days we seem to get an e-mail apparently issued from one of our workers, ie from a genuine network user, to several of our clients.

The properties of the e-mail indicate that the email originated from our public IP address, but we cannot find anything in the Sent Items folder for the user it is issued from.

I can see several e-mails in the Deleted Items folder for this user which indicate that some messages were undeliverable, but some are clearly getting through to the recipient, and I can't see any trace of these.

The undeliverable e-mail shows:

Diagnostic information for administrators:

Generating server: SBS2008.tgbdom.local

dave.surname@domainname.com
 gweu3c.linde.com #550 #5.1.0 Address rejected. ##

Original message headers:
Received: from SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927]) by
 SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927%10]) with mapi; Mon, 7 Sep
 2015 12:41:00 +0100
From: malcolm surname <malcolm.surname@ourdomainname.co.uk>
To: "Simon.surname@domain.com" <Simon.surname2@domain.com>, "dave.surname@domain.com"
      <dave.surname@domain.com>, "will.surname3@domain.com" <will.surname3@domain.com>,
      "Fionna.surname@domain2.co.uk" <Fionna.surname@domain2.co.uk>
Date: Mon, 7 Sep 2015 12:40:48 +0100
Subject: Yours invoice-39829unsqc
Thread-Topic: Yours invoice-39829unsqc
Thread-Index: AdDpYgp94Kmny3yTSbu6zJvJeuaAtg==
Message-ID: <4BA9FDE58FCC87499C76D2776D34E53601B61595D43B@SBS2008.tgbdom.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
      boundary="_004_4BA9FDE58FCC87499C76D2776D34E53601B61595D43BSBS2008tgbd_"
MIME-Version: 1.0

The email has a .zip attachment, which I presume is a virus.

How do we identify how this is being delivered, and how do we go about stopping it?

Many thanks
nigelbeatsonAsked:
Dennis Aries (CEO @ Arkro IT) Commented:
Chances are that the email is delivered directly to your mail server from outside. Since all mail is addressed to your local domain, no relaying is performed and the mail is allowed. The From statement in the mail is of no relevance since that is just bogus information.

You can block these emails by (part of) the subject or body text by going to your Exchange Server, Transport Rules.

Go to Organization Configuration > Hub Transport > Transport Rules tab > click New Transport Rule.
On the Introduction page, type a name and optionally a description for the rule.
On the Conditions page, select the ‘when the Subject field or message body contains specific words’ condition.
In the rule description, click ‘specific words’ and enter the strings found in the ‘Yours invoice’ messages.
On the Actions page, select the ‘Delete message without notifying anyone’ action.
On the Exceptions page, select any exception predicates.
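As an added example (not Dennis's own steps, and not code posted in this thread), the same rule created from the Exchange Management Shell instead of the console. It assumes Exchange 2007, the version SBS 2008 ships, whose New-TransportRule takes predicate and action objects; the rule name, comment and word list are ours:

```powershell
# Added example, not from the thread: Dennis's transport rule built in the
# Exchange Management Shell. Assumes Exchange 2007 (SBS 2008), where the rule
# is assembled from predicate and action objects. Names and words are ours.

# Strings seen in the rogue messages so far; extend the list as new variants appear
$words = @('Yours invoice')

# Condition: subject or body contains any of the words
$condition = Get-TransportRulePredicate SubjectOrBodyContains
$condition.Words = $words

# Action: drop the message without an NDR, as in the console steps above
$action = Get-TransportRuleAction DeleteMessage

New-TransportRule -Name 'Drop rogue invoice mail' `
    -Comments 'Temporary rule while the internal source is being traced' `
    -Conditions @($condition) `
    -Actions @($action) `
    -Enabled $true `
    -Priority 0

# Confirm the rule exists and how it is wired before relying on it
Get-TransportRule 'Drop rogue invoice mail' | Format-List Name, Conditions, Actions, Enabled, Priority
```

DeleteMessage leaves nothing to examine afterwards. If you still need a copy of the zip attachment for your AV vendor, a RedirectMessage action to a holding mailbox keeps the evidence while still stopping the mail from reaching clients; either way the rule treats the symptom, and the source inside the network still has to be found.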
nigelbeatson (Author) Commented:
How do they get through our security to dump things directly on to our server?

thanks
arnold Commented:
While what Dennis said is true, that there is no relaying when emails are addressed to one's domain, the issue here is that this message did not originate outside your network, since it is missing the required Received line that would reflect the source from which the external user connected.

Look at your exchange server logs.  Presumably you have IIS setup.
Does your site include a contact me form?  This is what is being used.

Often a locally transferred message will not show in the Received line that the server contacted itself; the contact form uses the MAPI interface to inject the message into your Exchange server's queue.

The contact form does not validate the sender/recipient. One option you should consider, if the contact form is needed, is to add the remote_addr into the header of the message using x-sender-ip: IIS set remote_addr from the ...............
Kimputer Commented:
This part of the header shows it's indeed something internal:

Received: from SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927]) by
  SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927%10]) with mapi; Mon, 7 Sep
  2015 12:41:00 +0100

Usually you see this when you're an open relay, but that would show SMTP in the header, not mapi.
Also, if it was from a user with Outlook, it would have this:

X-MimeOLE: Produced By Microsoft Exchange Vxxx
or
Received: from xx.local ([xx]) by
xx.local ([xxx]) with mapi id
 xx.xx.0438.000

Since it doesn't, it's probably a clever virus or custom program BUT INSIDE YOUR OWN NETWORK. In any case, shut down everything (servers and PCs) and scan everything OFFLINE (don't start Windows, start the antivirus from USB or CD).
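As an added example, not code from Kimputer or anyone else in this thread, a small PowerShell script that applies his reading of the header mechanically: it unfolds the Received: lines, records each hop's sending host, receiving host and protocol, and reports whether the chain is a bare "with mapi" hop from the server to itself with no SMTP hop from an outside address and none of the version markers he lists. The function names are ours, and the embedded sample is the header quoted in the question, cut down to the relevant lines:

```powershell
# Added example, not from the thread: triage a pasted message header for the
# pattern Kimputer describes. Function names are ours; the sample header is
# the one from the question, trimmed. Written for Windows PowerShell 2.0,
# which is what an SBS 2008 box is likely to have.

$sampleHeader = @'
Received: from SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927]) by
 SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927%10]) with mapi; Mon, 7 Sep
 2015 12:41:00 +0100
From: malcolm surname <malcolm.surname@ourdomainname.co.uk>
Subject: Yours invoice-39829unsqc
Message-ID: <4BA9FDE58FCC87499C76D2776D34E53601B61595D43B@SBS2008.tgbdom.local>
X-MS-Has-Attach: yes
MIME-Version: 1.0
'@

function Get-UnfoldedHeaderLines {
    # Join RFC 5322 folded continuation lines (leading whitespace) back onto their header
    param([string]$Header)
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($Header -split "`r?`n")) {
        if ($line -match '^\s+' -and $lines.Count -gt 0) {
            $lines[$lines.Count - 1] += ' ' + $line.Trim()
        } elseif ($line.Trim().Length -gt 0) {
            $lines.Add($line)
        }
    }
    return ,$lines.ToArray()
}

function Get-ReceivedHops {
    # One object per Received: header: sending host, receiving host, "with <protocol>"
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^Received:\s+from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([^;]+)') {
            New-Object PSObject -Property @{
                From = $Matches[1]
                By   = $Matches[2]
                With = $Matches[3].Trim()
            }
        }
    }
}

function Test-InternalMapiInjection {
    param([string]$Header)
    $lines = @(Get-UnfoldedHeaderLines -Header $Header)
    $hops  = @(Get-ReceivedHops -Lines $lines)

    # An SMTP hop whose sender differs from the receiver means the mail arrived from elsewhere
    $smtpHops = @($hops | Where-Object { $_.With -match 'SMTP' -and $_.From -ne $_.By })
    # "with mapi" from the server to itself: submitted straight into the store
    $mapiSelf = @($hops | Where-Object { $_.With -match '^mapi' -and $_.From -eq $_.By })
    # The markers Kimputer expects from a genuine Outlook submission
    $hasMimeOle = @($lines | Where-Object { $_ -match '^X-MimeOLE:' }).Count -gt 0
    $hasMapiId  = @($hops  | Where-Object { $_.With -match '^mapi id ' }).Count -gt 0
    $outlookMarks = $hasMimeOle -or $hasMapiId

    if ($smtpHops.Count -eq 0 -and $mapiSelf.Count -gt 0 -and -not $outlookMarks) {
        $verdict = 'Matches internal MAPI injection: no external SMTP hop, no Outlook/Exchange version markers'
    } elseif ($smtpHops.Count -gt 0) {
        $verdict = 'Has an external SMTP hop: check the sending IP and your relay settings'
    } else {
        $verdict = 'Inconclusive: correlate with the message tracking logs'
    }

    New-Object PSObject -Property @{
        ReceivedHops    = $hops.Count
        ExternalSmtpHop = ($smtpHops.Count -gt 0)
        MapiSelfHop     = ($mapiSelf.Count -gt 0)
        OutlookMarkers  = $outlookMarks
        Verdict         = $verdict
    }
}

# Paste a full header into $sampleHeader (or read one with Get-Content -Raw) and run:
Test-InternalMapiInjection -Header $sampleHeader | Format-List
```

The script reports the evidence rather than a final answer: on Exchange 2007, the version on SBS 2008, an ordinary Outlook submission also produces a bare "with mapi" hop, so treat a match as a lead and confirm in the message tracking logs which mailbox and client actually submitted the message.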
Zacharia Kurian (Administrator - Data Center & Network) Commented:
Agree with @Kimputer.

You need to check your network and you should have a mail security software in your exchange.

Zac
David Atkin (Technical Director) Commented:
Start by looking at the message tracking logs in Exchange > Toolbox.
Filter by date and look for the outbound emails.

It's likely that the source is either a virus on the user's laptop or someone using your server as a relay.

Run Malwarebytes on the user's laptop to check for threats.

Do an SMTP check from mxtoolbox.com. Check to make sure that you're not an open relay.

Change the user's password from the server. If someone is using the details to relay mail then this will stop them.

Once the issue has been resolved, run a blacklist check on your domain and external IP from mxtoolbox.com. You'll have to get yourself removed if you're on any, as you'll get bounce-backs from other mail servers. Only do this once the threat has been identified and removed though.

One more thing to note: it's not good practice having two real-time protection scanners installed at one time.
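As an added example, not code from David or anyone else in this thread, the tracking-log search he describes run from the Exchange Management Shell instead of the Toolbox GUI, followed by a local check for the relay permission that makes a receive connector an open relay. It assumes Exchange 2007 on SBS 2008; the sender address and date come from the header quoted in the question:

```powershell
# Added example, not from the thread: David's message-tracking search and an
# open-relay check from the Exchange Management Shell. Assumes Exchange 2007
# (SBS 2008). Sender and dates are taken from the header in the question.

$sender = 'malcolm.surname@ourdomainname.co.uk'
$start  = Get-Date '2015-09-07 00:00'
$end    = Get-Date '2015-09-08 00:00'

# Every tracking event for that sender in the window; Unlimited avoids the default 1000 cap
$events = Get-MessageTrackingLog -Sender $sender -Start $start -End $end -ResultSize Unlimited

# Where did each message enter transport?  Source STOREDRIVER = picked up from a
# mailbox (Outlook, or anything else talking to the store via MAPI); Source SMTP
# with an outside ClientIp = received over SMTP from that address.
$events | Where-Object { $_.EventId -eq 'RECEIVE' } |
    Select-Object Timestamp, Source, ClientIp, ClientHostname, MessageSubject,
                  @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } |
    Sort-Object Timestamp | Format-Table -AutoSize

# Count by entry point. A burst of STOREDRIVER submissions the user never made
# points at something inside the network using that mailbox; SMTP entries from
# unknown addresses point at relaying or stolen credentials.
$events | Where-Object { $_.EventId -eq 'RECEIVE' } |
    Group-Object Source, ClientIp | Select-Object Count, Name | Sort-Object Count -Descending

# Local open-relay check: anonymous senders should not hold
# ms-Exch-SMTP-Accept-Any-Recipient on any receive connector. No output = good.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.User -like '*Anonymous*' -and $_.ExtendedRights -like '*Accept-Any-Recipient*' } |
    Select-Object Identity, User, ExtendedRights
```

Run the searches before changing the password or adding transport rules, so the log still shows the pattern you are trying to explain; widen the date range to cover the earlier "every few days" incidents the question mentions, since the first occurrence is usually the most telling.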

nigelbeatson (Author) Commented:
Many thanks to all.