mails sent from pc

A customer says he's been informed by several of his contacts that "strange mails" are being sent from his PC.
Here's what he gets: (screenshot, mail.png)
What is this, and how do I resolve it?
Needless to say, no AV scan, nor MBAM, nor RogueKiller found anything.
System is running Windows 7 - 64 bit - SSD drive
Mail client = Outlook
nobus asked:
Miguel Angel Perez Muñoz commented:
Are you sure the email originates from the "affected" computer? Let me explain better.

Your user has an email address configured, for example user1@domain.com.
Someone on the internet (probably a spammer) tries to send spam using this email address. But when the receiving email server rejects the email and generates an NDR, it does not go back to whoever actually sent the email; the NDR is generated to user1@domain.com. Your user receives the NDR and thinks he/she sent this email.

I suggest you check on the email server whether these emails really went out from it, and use the firewall to block traffic over TCP port 25.
0
Mal Osborne (Alpha Geek) commented:
Yep, looks like your user is being spoofed, i.e. a spammer is using his address as the return address, but could be sending from anywhere.

Best defence here is to set up an SPF record in DNS. Spammers seldom spoof email addresses that are protected with SPF.

Here is  some info to get you started:

https://en.wikipedia.org/wiki/Sender_Policy_Framework
0
nobus (Author) commented:
Hey guys - thanks for answering!
Can you explain what an NDR is?
I'm just barely acquainted with Windows...
And can you give an example of an SPF record for the above? And how to implement it?
I read the Wikipedia article a bit, but don't really understand it.
0
Miguel Angel Perez Muñoz commented:
NDR is a non-delivery report: an email saying your email was not delivered. It usually has error codes for troubleshooting.

SPF is simply a DNS record saying which servers can send email for this domain. There are lots of tools to make your own: https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
Mal Osborne (Alpha Geek) commented:
An NDR is a Non Delivery Receipt. It is a message sent back to the sender, to let them know their missive did not get through. In this case, the sender is not really who they say they are; they are a spammer pretending to be someone else. Kinda like putting someone else's address on the back of an envelope and posting it.

An SPF record is a DNS entry listing the IP addresses of servers that outgoing email is supposed to come from. In its simplest form it will be something like "v=spf1 +ip4:198.167.0.15 -all". The first bit just identifies it as an SPF record, the next says that 198.167.0.15 is a sending mail server, and the bit on the end says anything else is not.

So, assume that SPF is in place for exampledomain.com. A mail server out there somewhere gets an incoming email from Bob@exampledomain.com, sent from a server at 198.167.0.15. It looks up the SPF record for exampledomain.com. They match! The incoming server knows that this is a "real" email; were it from a spammer, the SPF and sending IPs would not match.

In the real world, mail servers generally do not reject emails with mismatched SPF outright, but they are regarded with suspicion. Most antispam software uses some sort of points system; mismatched SPF tends to get bad points, while correct SPF loses bad points.

For this reason, spammers generally don't choose a user whose domain has SPF in place, as their spam will tend to get filtered more.
0
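The record Mal describes, evaluated in code. This is an added example written for this page, not code from the thread or from any participant. It assumes a small constructed DNS table (FAKE_DNS_TXT, holding the illustrative exampledomain.com record from the comment above plus a made-up _spf.relay.invalid) in place of live TXT lookups, and it goes a little beyond the single-IP case by handling CIDR ranges, IPv6 and include:, returning the RFC 7208 result names (pass, fail, softfail, neutral, none, permerror):

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: not real records).
# exampledomain.com reuses the illustrative record from the comment above and
# adds an include: so the recursion path is exercised.
FAKE_DNS_TXT = {
    "exampledomain.com": "v=spf1 +ip4:198.167.0.15 include:_spf.relay.invalid -all",
    "_spf.relay.invalid": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for domain, or None when it publishes none."""
    txt = dns.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.

    Returns pass, fail, softfail, neutral, none or permerror, following the
    RFC 7208 result names. Only ip4, ip6, include and all are implemented;
    a, mx, ptr, exists and redirect need live DNS and come back as permerror.
    """
    if depth > 10:
        return "permerror"            # guard against include: loops
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:   # skip the v=spf1 version tag
        qualifier = "+"               # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"    # malformed address or prefix
            matched = ip.version == net.version and ip in net
        elif name == "all":
            matched = True
        elif name == "include":
            inner = check_spf(sender_ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"    # RFC 7208: a broken include is fatal
            matched = inner == "pass" # fail/softfail/neutral: keep scanning
        else:
            return "permerror"        # mechanism not supported offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # no mechanism matched (RFC 7208 4.7)


if __name__ == "__main__":
    # 91.198.169.8 is the one.com MX from the bounce later in this thread,
    # used here only as "some server the domain never authorised".
    for ip in ("198.167.0.15", "203.0.113.77", "91.198.169.8"):
        print(ip, "->", check_spf(ip, "exampledomain.com"))
```

Running the script prints pass for the listed server, pass for an address inside the included range, and fail for anything else, which is exactly the "anything else is not" that -all expresses; with ~all instead, the last verdict would be softfail, which is what most receivers feed into the scoring Mal mentions rather than rejecting outright.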

nobus (Author) commented:
Is the above valid for a standalone PC also?
This one is not connected to a domain.
0
Miguel Angel Perez Muñoz commented:
This is not AD domain related; we are talking about SMTP domains, yahoo.com for example.
0
nobus (Author) commented:
I supposed as much, but wanted to be sure I get it right.
0
Thomas Grassi (Systems Administrator) commented:
Just change the user's email password.

Also, if you have a security question set up with the user, change that as well.

If they were spoofed, that's all we do to resolve any further activity.
0
gheist commented:
Can you help with the FULL MAIL HEADERS of the message you posted as a screenshot?
Since we cannot trace where it came from, we can blame Mickey Mouse, Superman or aliens, without a chance to tell which one is the real threat.
0
nobus (Author) commented:
This was in the mail attachment, as details.txt:
Reporting-MTA: dns; mx22.gtsmail.hu
X-Postfix-Queue-ID: B73AA1227
X-Postfix-Sender: rfc822; usert@telenet.be
Arrival-Date: Wed, 23 Sep 2015 15:32:17 +0200 (CEST)

Final-Recipient: rfc822;user@mmm.be
Original-Recipient: rfc822;usert@mmm.be
Action: failed
Status: 5.7.1
Remote-MTA: dns; mxcluster1.one.com
Diagnostic-Code: smtp; 550 5.7.1 Spam (84b8def4-61f7-11e5-9e29-b82a72d88088)
====================
This was the mail body I got:
---
From: Mail Delivery System [mailto:MAILER-DAEMON@mx2.gtsmail.hu]
Sent: Wednesday, 23 September 2015 15:32
To: user@telenet.be
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx22.gtsmail.hu.

I'm sorry to have to inform you that your message could not be delivered to
one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own
text from the attached returned message.

                   The mail system

<usersselot@mmm.be>: host mxcluster1.one.com[91.198.169.8] said: 550 5.7.1
    Spam (84b8def4-61f7-11e5-9e29-b82a72d88088) (in reply to end of DATA command)

I hope it's what you need - it's all I got.
0
nobus (Author) commented:
Thomas - I can't quite follow what you said - please explain.
0
gheist commented:
mx22.gtsmail.hu sends the message.

Please ask postmaster@gtsmail.hu to stop accepting spam mail and burdening your users with backscatter (one set of full mail headers and the related mail logs will make it sound more impressive).

There is almost nothing you can do on your mail server to ease the user's life.
0
nobus (Author) commented:
So I assume I have to live with it?
0
gheist commented:
You have to contact the source of the mails.
It looks like an internet provider; at least if somebody reads the postmaster mailbox they will understand what you are talking about.
0
Thomas Grassi (Systems Administrator) commented:
nobus

We have a similar issue with users getting spoofed.

We just clear their email spam and then change the password, and we have security questions set up for each user. We change those questions and answers for them.

For us this stops the spoofing for that issue.

It does not mean they will not get spoofed again.

We also explain to the user about not giving out private information.

HTH
0
nobus (Author) commented:
>> then change the password << you mean the router password - or what?
0
Thomas Grassi (Systems Administrator) commented:
No, the user's email password.
0
nobus (Author) commented:
OK, will do.
0
nobus (Author) commented:
I hope it's resolved this way.
0