Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Receiving spam email from spoofed internal sender on Exchange 2010 SP3 with Symantec Mail Gateway
People,
I'm confused and need your help here with the issue of receiving internally spoofed spam address but the IP address is kept on changing from country to country.
The Email is filtered first by Symantec Email Gateway appliance and then forwarded to the Exchange Server. But I'm not sure if this is Exchange Server issue or Symantec problem ?
When I read this blog, it suggest the below powershell script:
but there are multiple Receive connector here in my Exchange Server 2010 SP3:
So I'm confused which Receive connector should I be running the powershell script against ?
What's the roll back plan if email flow is affected when executing the wrong powershell against incorrect Receive connector ?
Thanks,
I'm confused and need your help here with the issue of receiving internally spoofed spam address but the IP address is kept on changing from country to country.
The Email is filtered first by Symantec Email Gateway appliance and then forwarded to the Exchange Server. But I'm not sure if this is Exchange Server issue or Symantec problem ?
When I read this blog, it suggest the below powershell script:
Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission
but there are multiple Receive connector here in my Exchange Server 2010 SP3:
[PS] C:\>Get-ReceiveConnector | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | ft -AutoSize
Identity User Deny Inherited
--------------------------- ---------------------------- ----- ---------
MAIL01-VM\Default MAIL01-VM NT AUTHORITY\ANONYMOUS LOGON False False
MAIL02-VM\Default MAIL02-VM NT AUTHORITY\ANONYMOUS LOGON False False
MAIL01-VM\Inbound SMTP Relay NT AUTHORITY\ANONYMOUS LOGON False False
MAIL02-VM\Inbound SMTP Relay NT AUTHORITY\ANONYMOUS LOGON False False
MAIL01-VM\External Relay NT AUTHORITY\ANONYMOUS LOGON False False
MAIL02-VM\External Relay NT AUTHORITY\ANONYMOUS LOGON False False
MAIL01-VM\UCCX MAIL01-VM NT AUTHORITY\ANONYMOUS LOGON False False
MAIL02-VM\UCCX MAIL02-VM NT AUTHORITY\ANONYMOUS LOGON False False
[PS] C:\>Get-ReceiveConnector | ft -AutoSize
Identity Bindings Enabled
--------------------------- --------------------- -------
MAIL01-VM\Default MAIL01-VM {:::25, 0.0.0.0:25} True
MAIL01-VM\Client MAIL01-VM {:::587, 0.0.0.0:587} True
MAIL02-VM\Default MAIL02-VM {:::25, 0.0.0.0:25} True
MAIL02-VM\Client MAIL02-VM {:::587, 0.0.0.0:587} True
MAIL01-VM\Inbound SMTP Relay {10.1.2.89:25} True
MAIL02-VM\Inbound SMTP Relay {10.1.2.89:25} True
MAIL01-VM\External Relay {10.1.2.90:25} True
MAIL02-VM\External Relay {10.1.2.91:25} True
MAIL01-VM\UCCX MAIL01-VM {0.0.0.0:25} True
MAIL02-VM\UCCX MAIL02-VM {0.0.0.0:25} True
So I'm confused which Receive connector should I be running the powershell script against ?
What's the roll back plan if email flow is affected when executing the wrong powershell against incorrect Receive connector ?
Thanks,
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Note:
10.1.2.89 --> the load balancer virtual IP and the Windows NLB name email.domain.com
10.1.2.90 --> MAIL01-VM IP address (HT/CAS role)
10.1.2.91 --> MAIL02-VM IP address (HT/CAS role)
10.1.2.89 --> the load balancer virtual IP and the Windows NLB name email.domain.com
10.1.2.90 --> MAIL01-VM IP address (HT/CAS role)
10.1.2.91 --> MAIL02-VM IP address (HT/CAS role)
The generation of the email is neither the fault of the gateway nor exchange.
I am not sure I understand what you are looking to accomplish.
If the issue is a configuration question on the Symantec gateway, you could remove a rule if you gave whitelisting your internal addresses.
You could impose a rule on the gateway to reject/sequester any email whose sender is on the internal domain.
I am not sure I understand what you are looking to accomplish.
If the issue is a configuration question on the Symantec gateway, you could remove a rule if you gave whitelisting your internal addresses.
You could impose a rule on the gateway to reject/sequester any email whose sender is on the internal domain.
The problem is that more than half of my users received email from network-scanner@mydomain.c
It sends malicious MS Word document with Macro in it.
So how to block the mail coming from external IP while the sender is spoofed from my internal domain.com ?
Note:
When I execute this powershell command Get-TransportServer | Get-Queue, there is no email send or receive queue.
It sends malicious MS Word document with Macro in it.
So how to block the mail coming from external IP while the sender is spoofed from my internal domain.com ?
Note:
When I execute this powershell command Get-TransportServer | Get-Queue, there is no email send or receive queue.
I am not sure what you are asking.
Is the ip that connects to your Symantec gateway outside your LAN?
Looking at the message trace on exchange as well as on the email gateway ....
The sender email is not verified only the destination is.
It is likely that if you have an mfc that has scan to email capability and it is using the network-scanner@mydomain.c
What do you want to do?
If your users and policy is that any email using mydomain.com has to use the outgoing mail server that is separate from the MX, you can impose a rule on the gateway not to accept any email from a sender on the mydomain.com.
Is the ip that connects to your Symantec gateway outside your LAN?
Looking at the message trace on exchange as well as on the email gateway ....
The sender email is not verified only the destination is.
It is likely that if you have an mfc that has scan to email capability and it is using the network-scanner@mydomain.c
What do you want to do?
If your users and policy is that any email using mydomain.com has to use the outgoing mail server that is separate from the MX, you can impose a rule on the gateway not to accept any email from a sender on the mydomain.com.
Hi Arnold,
I've verified with multiple site offices, there is no MFC or scanner devices with the email sender as network-scanner@domain.com
This spam issue is happening since yesterday and bombards most of my users companywide.
The IP that connects to my Symantec Gateway appliance is the same as the IP VLAN of the Exchange Servers. (same within the same VLAN).
But the email sender IP address which says the sender from network-scanner@domain.com
I've verified with multiple site offices, there is no MFC or scanner devices with the email sender as network-scanner@domain.com
This spam issue is happening since yesterday and bombards most of my users companywide.
The IP that connects to my Symantec Gateway appliance is the same as the IP VLAN of the Exchange Servers. (same within the same VLAN).
But the email sender IP address which says the sender from network-scanner@domain.com
One option is to add the email in question to the block list on the gateway.
Do you have a sample of the full message headers?
Have you scanned your systems, include login logs to make sure one of your user accounts was not compromised and is being used to send?
Add a server rule on exchange to divert any email from network-scanner@mydomain.c
Do you want to block/reject messages when the sender is network-scanner@mydomain.c
Look at implementing domain keys, SPF and configuring the Symantec email gateway to enforce it.
Do you have a sample of the full message headers?
Have you scanned your systems, include login logs to make sure one of your user accounts was not compromised and is being used to send?
Add a server rule on exchange to divert any email from network-scanner@mydomain.c
Do you want to block/reject messages when the sender is network-scanner@mydomain.c
Look at implementing domain keys, SPF and configuring the Symantec email gateway to enforce it.
OK so How to enable SPF ?
Do I need to make request to the ISP to put something in the DNS or this can be done from my Windows server internal DNS server ?
Do I need to make request to the ISP to put something in the DNS or this can be done from my Windows server internal DNS server ?
Arnold,
Does some of the receive connector must be modified to prevent this type of issue happening ?
Does some of the receive connector must be modified to prevent this type of issue happening ?
See the description.
It has a tool that will help you create the string that you would use managing your public mydomain.com record and your internal DNS to make sure whether your appliance uses your internal or has its own DNS server .......
http://www.openspf.org
Initially try relaxed option ~all or ?all
You would then would configure your email gateway to also rely/react to SPF data. Note that if available, I think it will enforce on all incoming, so using relaxed initially would be advisable.
It has a tool that will help you create the string that you would use managing your public mydomain.com record and your internal DNS to make sure whether your appliance uses your internal or has its own DNS server .......
http://www.openspf.org
Initially try relaxed option ~all or ?all
You would then would configure your email gateway to also rely/react to SPF data. Note that if available, I think it will enforce on all incoming, so using relaxed initially would be advisable.
view full message/headers or view source. Which outlook do you have? I think certain version no longer have the option to view the full message headers.
See if in the message listing pane, right click on the message and look at the message detail.
Over the versions there were different options, view full headers, view message source, view message detail, etc...
See if in the message listing pane, right click on the message and look at the message detail.
Over the versions there were different options, view full headers, view message source, view message detail, etc...
I'm using Outlook 2013 here's what I can see from the email header:
Received: from mail.domain.com (10.1.2.87) by MAIL01-VM.domain.com (10.1.2.89) with Microsoft SMTP Server id 14.3.123.3; Thu, 22 Oct 2015 10:17:13 +1100
X-AuditID: c0a80257-f79ef6d000007003-40-56281cf59a87
Received: from [37.216.237.126] (Unknown_Domain [37.216.237.126]) by mail.domain.com (Symantec Messaging Gateway) with SMTP id A7.D3.28675.6FC18265; Thu, 22 Oct 2015 10:17:13 +1100 (EST)
From: <network.scanner@domain.com>
Subject: Message from "RNP002673A5A8F3"
To: <managers@domain.com>
Date: Thu, 22 Oct 2015 02:17:04 +0300
Message-ID: <17176574086401Q.DCSML-S000380000.002673A5A8F3@domain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_b579c891-c15d-49fc-a1e7-b36ff1e17ebf_"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOKsWRWlGSWpSXmKPExsWieuNtne5PGY0wg73zhS2ObJnC6sDoMWPO
BdYAxigRm5TUnMyy1CJ9OwQrQSTjcsdbtoL2Q6wVjcsmMDYwnlzH2sXIwSEhYCLx8Y17FyMn
kCkmceHeerYuRi4OIYG9jBLt7Q+ZQGrYBBQlDp+rAqkRFlCXuLpsJTOILSIgLXG8ZxMLiM0i
oCrxce91NhCbV8BdonvbDkYIW1Di5MwnYDXMAkESXzYeZZrAyDULSWoWkhSErSXx8NctqLi8
xPa3c5ghbDuJV2tusUHYihJTuh+yQ9jOEuu2vWNdwMi+ilEgNzEzR68kPz1RLzk/Vy+xdBMj
MLgOrGAK38G4e6PDIUYBDkYlHt4Lf9TDhFgTy4orcw8xqgCNeLRh9QVGKZa8/LxUJRFeBimN
MCHelMTKqtSi/Pii0pzU4kOMVUBPTmSWEk3OzytJzSuJNzS2sDA0MjcwNjY2MaaKsJI477MF
l0KFBNITS1KzU1MLUotgljNxsIMIzlOMzlLivNzAmBcSKC5IzM0oBZoDVSWlwLvnkWqYkCSS
RHFpcUFmcmZ+aXF8aRE86VxiNONgEeIvriyOT8zJyS+PTwUFmxDY+1LCvIwMDAxCPEDbczNL
IEbDNN5i5IOqggpINTCuk6nlOLckvUyxd0a0Xvcfb8bTb+55bZzI+eZg81XeuXWp96aLMQYd
uhbQ1G/Zo2Bf663+535Xak0qo/jO9KCgWxOtGBQE8zpZ0w17xFum/DsnETMrdMG8eN+9t45W
Lv8/e0f0jcuLDDzi5qb3v7pavODCK81c318Pj7rPm7mNWeezyZJiwd9KLMUZiYZazEXFiQCh
7ABaKgMAAA==
Return-Path: network.scanner@domain.com
X-MS-Exchange-Organization-AuthSource: MAIL01-VM.domain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;559153216;0;info
What options do you have configured on your gateway?
Do you currently impose restrictions I.e. Spam, virus blocking?.
It looks as though the messages in question are a result of features on Symantec gateway. I.e. Messages determined to be spam, virus laden get marked and sent from network.scanner@domain.com
What logs you have on the gateway?
Look at the last received line deals with gateway connecting to the server that actually delivered the message to the recipient.
Look on that system for the SMTP connector that is listening on port 25 and bound to 10.1.2.89 or 0.0.0.0 meaning it listens on port 25 of every ip the system has.
Do you currently impose restrictions I.e. Spam, virus blocking?.
It looks as though the messages in question are a result of features on Symantec gateway. I.e. Messages determined to be spam, virus laden get marked and sent from network.scanner@domain.com
What logs you have on the gateway?
Look at the last received line deals with gateway connecting to the server that actually delivered the message to the recipient.
Look on that system for the SMTP connector that is listening on port 25 and bound to 10.1.2.89 or 0.0.0.0 meaning it listens on port 25 of every ip the system has.
ok, from Exchange Message Tracking log it is coming from this one connector:
what do I need to do ?
Identity Bindings Enabled
--------------------------- --------------------- -------
MAIL01-VM\UCCX MAIL01-VM {0.0.0.0:25} True
what do I need to do ?
The log is the exchange of message between your Symantec gateway and your server.
The inbound connection from external sources lands on the Symantec gateway you need to look there and depending on what IT IS you want to end with, you would look there.
What is Symantec email gateway configuration? What is it supposed to do when a message is spam? What do you want to happen if these messages are consequences of received quaranteen spam?
Check whether your Symantec email gateway configuration reflects network.scanner@domain.com
What do you hope to end up with at the conclusion of this?
The inbound connection from external sources lands on the Symantec gateway you need to look there and depending on what IT IS you want to end with, you would look there.
What is Symantec email gateway configuration? What is it supposed to do when a message is spam? What do you want to happen if these messages are consequences of received quaranteen spam?
Check whether your Symantec email gateway configuration reflects network.scanner@domain.com
What do you hope to end up with at the conclusion of this?
Arnold, my expectation is to stop or block this email with malicious attachment from network.scanner@domain.com
if it is spoofed from the internal then it won't be in the Symantec Messaging gateway.
if it is coming from the outside which is more likely, then why it is going through the Symantec Mail Gateway ? --> this is still a mystery.
if it is spoofed from the internal then it won't be in the Symantec Messaging gateway.
if it is coming from the outside which is more likely, then why it is going through the Symantec Mail Gateway ? --> this is still a mystery.
Check the configuration of your Symantec gateway as that is where the block gas to be imposed.
By the look of the message detail the information contained there is :
1) the external source server 37.
2) the message went through the email gateway,
3) delivered to the exchange server.
Brightmailtracker I think is the header the Symantec email gateway sets.
Compare the detail of a regularly received email that is external in origin.
By the look of the message detail the information contained there is :
1) the external source server 37.
2) the message went through the email gateway,
3) delivered to the exchange server.
Brightmailtracker I think is the header the Symantec email gateway sets.
Compare the detail of a regularly received email that is external in origin.
Your question in why it is going through email gateway presumably your configuration is
iNternet => Symantec email incoming filter gateway => internal exchange server/s.
iNternet => Symantec email incoming filter gateway => internal exchange server/s.
yes, that's correct Arnold
Internet => Symantec email mesasging gateway appliance => 2x Windows NLB Exchange Server 2010 SP3.
Internet => Symantec email mesasging gateway appliance => 2x Windows NLB Exchange Server 2010 SP3.
Check the configuration of the Symantec email gateway to see what is expected of it.
It look as the destination of the email is managers@domain.com is that a distribution group in your exchange server?
What settings are you imposing on the incoming traffic into the Symantec mail gateway, what does it supposed to do when an email is a spam, virus laden,?
Given the setup and given the record of the example message.
It looks as though an email originating at 37.216.237.136 however, it is unclear whether the information that is then forwarded to managers@domain.com is not as configured when an email matches a criteria, its contents are forwarded to to managers@domain.com per configuration.
Try the following,
using an email provider outside your domain. Send a test message to your domain.com address.
Make sure to masquerade the email address, destination and sender and post the message detail of it.
I am trying to see whether based on the email above is generated internally on the Symantec gateway as a consequence of the message matching a rule and brightmail rule forwards the message as an attachment to the configured destination.
It look as the destination of the email is managers@domain.com is that a distribution group in your exchange server?
What settings are you imposing on the incoming traffic into the Symantec mail gateway, what does it supposed to do when an email is a spam, virus laden,?
Given the setup and given the record of the example message.
It looks as though an email originating at 37.216.237.136 however, it is unclear whether the information that is then forwarded to managers@domain.com is not as configured when an email matches a criteria, its contents are forwarded to to managers@domain.com per configuration.
Try the following,
using an email provider outside your domain. Send a test message to your domain.com address.
Make sure to masquerade the email address, destination and sender and post the message detail of it.
I am trying to see whether based on the email above is generated internally on the Symantec gateway as a consequence of the message matching a rule and brightmail rule forwards the message as an attachment to the configured destination.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial