Albert Widjaja (Australia) asked:

Receiving spam email from spoofed internal sender on Exchange 2010 SP3 with Symantec Mail Gateway

People,

I'm confused and need your help here with the issue of receiving spam from an internally spoofed address, where the sending IP address keeps changing from country to country.

The email is filtered first by the Symantec Email Gateway appliance and then forwarded to the Exchange Server. But I'm not sure if this is an Exchange Server issue or a Symantec problem?

When I read this blog, it suggests the below PowerShell script:

Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission



but there are multiple Receive connectors here in my Exchange Server 2010 SP3:


[PS] C:\>Get-ReceiveConnector | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | ft -AutoSize

Identity                      User                          Deny  Inherited
---------------------------   ----------------------------  ----- ---------
MAIL01-VM\Default MAIL01-VM   NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL02-VM\Default MAIL02-VM   NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL01-VM\Inbound SMTP Relay  NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL02-VM\Inbound SMTP Relay  NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL01-VM\External Relay      NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL02-VM\External Relay      NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL01-VM\UCCX MAIL01-VM      NT AUTHORITY\ANONYMOUS LOGON  False False
MAIL02-VM\UCCX MAIL02-VM      NT AUTHORITY\ANONYMOUS LOGON  False False


[PS] C:\>Get-ReceiveConnector | ft -AutoSize

Identity                      Bindings              Enabled
---------------------------   --------------------- -------
MAIL01-VM\Default MAIL01-VM   {:::25, 0.0.0.0:25}   True
MAIL01-VM\Client MAIL01-VM    {:::587, 0.0.0.0:587} True
MAIL02-VM\Default MAIL02-VM   {:::25, 0.0.0.0:25}   True
MAIL02-VM\Client MAIL02-VM    {:::587, 0.0.0.0:587} True
MAIL01-VM\Inbound SMTP Relay  {10.1.2.89:25}        True
MAIL02-VM\Inbound SMTP Relay  {10.1.2.89:25}        True
MAIL01-VM\External Relay      {10.1.2.90:25}        True
MAIL02-VM\External Relay      {10.1.2.91:25}        True
MAIL01-VM\UCCX MAIL01-VM      {0.0.0.0:25}          True
MAIL02-VM\UCCX MAIL02-VM      {0.0.0.0:25}          True



So I'm confused about which Receive connector I should be running the PowerShell script against?

What's the rollback plan if email flow is affected by executing the wrong PowerShell against the incorrect Receive connector?

Thanks,
Tags: Exchange, AntiSpam, Email Servers
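The two questions above (which connector to change, and how to roll back) are the part of this procedure that deserves a script rather than a one-liner. The following is an added example written for this thread; it is not code from the blog the asker quotes or from Microsoft. It audits every receive connector for the anonymous `ms-exch-smtp-accept-authoritative-domain-sender` right and for a port-25 binding on all addresses, saves the target connector's current permission entries to a CliXML file so they can be re-applied, and removes the right from one named connector only, as a `-WhatIf` dry run unless `-Apply` is given. The connector name and backup path are placeholders.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell.
# Audit, back up, scope, and roll back the removal of the
# ms-exch-smtp-accept-authoritative-domain-sender right on one receive connector.
param(
    [string]$Connector = 'MAIL01-VM\UCCX MAIL01-VM',   # placeholder: the connector you intend to change
    [string]$BackupDir = 'C:\ExchangeBackup',          # placeholder path for the permission backup
    [switch]$Apply                                      # without -Apply nothing is changed (WhatIf only)
)

$right = 'ms-exch-smtp-accept-authoritative-domain-sender'
$anon  = 'NT AUTHORITY\Anonymous Logon'

# 1. Audit: which connectors let an anonymous (unauthenticated) session use a sender in one of
#    your authoritative domains, and which of those listen on port 25 of every address, i.e. could
#    be reached by whatever hands mail to Exchange on that host.
Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    $hasRight = $rc | Get-ADPermission -User $anon |
        Where-Object { $_.ExtendedRights -like $right -and -not $_.Deny }
    $port25AllIps = $rc.Bindings | Where-Object {
        $_.Port -eq 25 -and (@('0.0.0.0', '::') -contains $_.Address.ToString())
    }
    New-Object PSObject -Property @{
        Identity            = $rc.Identity
        AnonSpoofAllowed    = [bool]$hasRight
        ListensPort25AllIPs = [bool]$port25AllIps
        RemoteIPRanges      = ($rc.RemoteIPRanges -join ', ')
    }
} | Format-Table Identity, AnonSpoofAllowed, ListensPort25AllIPs, RemoteIPRanges -AutoSize

# 2. Back up the target connector's current permission entries before touching anything.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir ("{0}-perms-{1}.xml" -f ($Connector -replace '[\\ ]', '_'), $stamp)
Get-ReceiveConnector $Connector | Get-ADPermission | Export-Clixml -Path $backup
Write-Host "Permission entries of '$Connector' saved to $backup"

# 3. Remove the right from this one connector. Dry run unless -Apply was given.
$target = Get-ReceiveConnector $Connector | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right }
if (-not $target) {
    Write-Host "Anonymous Logon does not hold '$right' on '$Connector'; nothing to remove."
} elseif ($Apply) {
    $target | Remove-ADPermission -Confirm:$false
} else {
    $target | Remove-ADPermission -WhatIf
}

# 4. Rollback, to run by hand if legitimate mail starts being rejected with
#    "550 5.7.1 Client does not have permissions to send as this sender":
#    Get-ReceiveConnector $Connector | Add-ADPermission -User $anon -ExtendedRights $right
```

Two caveats. Once the right is gone from a connector, any unauthenticated session on it that uses a MAIL FROM in an authoritative domain is rejected, so if the gateway also relays legitimate internal-domain mail (scanners, application servers, the NLB path) through the same connector, that mail is rejected too; the audit step's RemoteIPRanges column helps show which connector each source actually lands on. And since the permission is per connector, the change has to be made on the matching connector of each Hub Transport server (MAIL01-VM and MAIL02-VM in the listing above), not just one.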

Last comment: arnold, 8/22/2022 (Mon)
Albert Widjaja (ASKER):
Note:
10.1.2.89 --> the load balancer virtual IP and the Windows NLB name email.domain.com
10.1.2.90 --> MAIL01-VM IP address (HT/CAS role)
10.1.2.91 --> MAIL02-VM IP address (HT/CAS role)
arnold

The generation of the email is neither the fault of the gateway nor of Exchange.

I am not sure I understand what you are looking to accomplish.

If the issue is a configuration question on the Symantec gateway, you could remove a rule if you have whitelisting for your internal addresses.

You could impose a rule on the gateway to reject/sequester any email whose sender is on the internal domain.
Albert Widjaja (ASKER):
The problem is that more than half of my users received email from network-scanner@mydomain.com, for which the IP address of the sender keeps changing along with the subject.

It sends malicious MS Word document with Macro in it.

So how do I block the mail coming from an external IP while the sender is spoofed from my internal domain.com?

Note:
When I execute the PowerShell command Get-TransportServer | Get-Queue, there is no email in the send or receive queue.
arnold

I am not sure what you are asking.

Is the ip that connects to your Symantec gateway outside your LAN?
Looking at the message trace on exchange as well as on the email gateway ....

The sender email is not verified; only the destination is.
It is likely that if you have an MFC that has scan-to-email capability and it is using network-scanner@mydomain.com, it means that a scan to email was used once and sent to a user whose system became infected .........

What do you want to do?
If your users and policy are that any email using mydomain.com has to use the outgoing mail server that is separate from the MX, you can impose a rule on the gateway not to accept any email from a sender on mydomain.com.
Albert Widjaja (ASKER):
Hi Arnold,

I've verified with multiple site offices; there is no MFC or scanner device with the email sender network-scanner@domain.com.

This spam issue has been happening since yesterday and bombards most of my users companywide.

The IP that connects to my Symantec Gateway appliance is in the same VLAN as the Exchange Servers.

But the email sender IP address, which says the sender is network-scanner@domain.com, always comes from a random external public IP address.
SOLUTION
arnold

(Solution text only available to members.)
Albert Widjaja (ASKER):
OK, so how do I enable SPF?

Do I need to make a request to the ISP to put something in the DNS, or can this be done from my internal Windows DNS server?
Albert Widjaja (ASKER):
Arnold,

Do some of the receive connectors need to be modified to prevent this type of issue from happening?
SOLUTION
arnold

(Solution text only available to members.)
arnold

Can you identify the connector on which these emails enter? Look at the full message headers.
Albert Widjaja (ASKER):
So how do I get the receive connector information from the email header in Outlook?
SOLUTION
arnold

(Solution text only available to members.)
Albert Widjaja (ASKER):
I'm using Outlook 2013; here's what I can see from the email header:

Received: from mail.domain.com (10.1.2.87) by MAIL01-VM.domain.com (10.1.2.89) with Microsoft SMTP Server id 14.3.123.3; Thu, 22 Oct 2015 10:17:13 +1100
X-AuditID: c0a80257-f79ef6d000007003-40-56281cf59a87
Received: from [37.216.237.126] (Unknown_Domain [37.216.237.126]) by mail.domain.com (Symantec Messaging Gateway) with SMTP id A7.D3.28675.6FC18265; Thu, 22 Oct 2015 10:17:13 +1100 (EST)
From: <network.scanner@domain.com>
Subject: Message from "RNP002673A5A8F3"
To: <managers@domain.com>
Date: Thu, 22 Oct 2015 02:17:04 +0300
Message-ID: <17176574086401Q.DCSML-S000380000.002673A5A8F3@domain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="_b579c891-c15d-49fc-a1e7-b36ff1e17ebf_"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOKsWRWlGSWpSXmKPExsWieuNtne5PGY0wg73zhS2ObJnC6sDoMWPO
	BdYAxigRm5TUnMyy1CJ9OwQrQSTjcsdbtoL2Q6wVjcsmMDYwnlzH2sXIwSEhYCLx8Y17FyMn
	kCkmceHeerYuRi4OIYG9jBLt7Q+ZQGrYBBQlDp+rAqkRFlCXuLpsJTOILSIgLXG8ZxMLiM0i
	oCrxce91NhCbV8BdonvbDkYIW1Di5MwnYDXMAkESXzYeZZrAyDULSWoWkhSErSXx8NctqLi8
	xPa3c5ghbDuJV2tusUHYihJTuh+yQ9jOEuu2vWNdwMi+ilEgNzEzR68kPz1RLzk/Vy+xdBMj
	MLgOrGAK38G4e6PDIUYBDkYlHt4Lf9TDhFgTy4orcw8xqgCNeLRh9QVGKZa8/LxUJRFeBimN
	MCHelMTKqtSi/Pii0pzU4kOMVUBPTmSWEk3OzytJzSuJNzS2sDA0MjcwNjY2MaaKsJI477MF
	l0KFBNITS1KzU1MLUotgljNxsIMIzlOMzlLivNzAmBcSKC5IzM0oBZoDVSWlwLvnkWqYkCSS
	RHFpcUFmcmZ+aXF8aRE86VxiNONgEeIvriyOT8zJyS+PTwUFmxDY+1LCvIwMDAxCPEDbczNL
	IEbDNN5i5IOqggpINTCuk6nlOLckvUyxd0a0Xvcfb8bTb+55bZzI+eZg81XeuXWp96aLMQYd
	uhbQ1G/Zo2Bf663+535Xak0qo/jO9KCgWxOtGBQE8zpZ0w17xFum/DsnETMrdMG8eN+9t45W
	Lv8/e0f0jcuLDDzi5qb3v7pavODCK81c318Pj7rPm7mNWeezyZJiwd9KLMUZiYZazEXFiQCh
	7ABaKgMAAA==
Return-Path: network.scanner@domain.com
X-MS-Exchange-Organization-AuthSource: MAIL01-VM.domain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;559153216;0;info


arnold

What options do you have configured on your gateway?
Do you currently impose restrictions, i.e. spam and virus blocking?

It looks as though the messages in question are a result of features on the Symantec gateway, i.e. messages determined to be spam or virus-laden get marked and sent from network.scanner@domain.com to prevent bounce-backs.

What logs do you have on the gateway?

Look at the last Received line; it deals with the gateway connecting to the server that actually delivered the message to the recipient.

Look on that system for the SMTP connector that is listening on port 25 and bound to 10.1.2.89 or 0.0.0.0, meaning it listens on port 25 of every IP the system has.
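The header walk arnold describes can be done across both Hub Transport servers at once with the message tracking log, which records the receive connector and client IP for every RECEIVE event. The following is an added example for this thread, not code from any participant. It takes the spoofed sender address from the headers posted above; the two-day window is an assumption.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell.
# Find which receive connector(s) the spoofed messages entered on, and which client
# IPs handed them to Exchange, from the message tracking log of every transport server.
$sender = 'network.scanner@domain.com'   # taken from the From:/Return-Path: headers posted above
$start  = (Get-Date).AddDays(-2)         # assumed window: the spam began "yesterday"

$events = Get-TransportServer |
    Get-MessageTrackingLog -EventId RECEIVE -Sender $sender -Start $start -End (Get-Date) -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' }   # SMTP receives only; skips STOREDRIVER/submission events

if (-not $events) {
    Write-Host "No SMTP RECEIVE events for $sender since $start"
    return
}

# Connector that accepted the messages, with a count per connector.
Write-Host "Receive connectors that accepted mail from ${sender}:"
$events | Group-Object ConnectorId | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'ConnectorId'; Expression = { $_.Name } } | Format-Table -AutoSize

# Client IPs seen by Exchange. In a gateway deployment this should be the gateway's own
# address (10.1.2.87 in the header above), not the spammer's public IP; the originating
# IP is only in the Received: line the gateway stamps, so correlate there for blocking.
Write-Host "Client IPs that delivered these messages to Exchange:"
$events | Group-Object ClientIp | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'ClientIp'; Expression = { $_.Name } } | Format-Table -AutoSize

# Subjects and first recipient, to confirm these are the "Message from RNP..." emails.
$events | Select-Object Timestamp, ConnectorId, ClientIp, MessageSubject,
    @{ Name = 'FirstRecipient'; Expression = { $_.Recipients[0] } } |
    Sort-Object Timestamp | Format-Table -AutoSize
```

The ConnectorId values come out in the same `SERVER\Connector name` form as `Get-ReceiveConnector`, so the connector identified here is the one whose anonymous permissions and RemoteIPRanges should be reviewed. If the gateway's IP is the only ClientIp, Exchange is seeing the gateway, not the spammer, and the block or sender-domain rule has to be applied on the gateway, as arnold says later in the thread.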
Albert Widjaja (ASKER):
OK, from the Exchange Message Tracking log it is coming from this one connector:

Identity                      Bindings              Enabled
---------------------------   --------------------- -------
MAIL01-VM\UCCX MAIL01-VM      {0.0.0.0:25}          True



What do I need to do?
SOLUTION
arnold

(Solution text only available to members.)
Albert Widjaja (ASKER):
Arnold, my expectation is to stop or block this email with the malicious attachment from network.scanner@domain.com.

If it is spoofed from the inside, then it won't pass through the Symantec Messaging Gateway.
If it is coming from the outside, which is more likely, then why is it going through the Symantec Mail Gateway? This is still a mystery.
arnold

Check the configuration of your Symantec gateway, as that is where the block has to be imposed.
By the look of the message detail, the information contained there is:
1) the external source server 37.
2) the message went through the email gateway,
3) delivered to the exchange server.

X-Brightmail-Tracker, I think, is the header the Symantec email gateway sets.

Compare the detail of a regularly received email that is external in origin.
arnold

Your question is why it is going through the email gateway; presumably your configuration is

Internet => Symantec email incoming filter gateway => internal Exchange server/s.
Albert Widjaja (ASKER):
Yes, that's correct Arnold.

Internet => Symantec email messaging gateway appliance => 2x Windows NLB Exchange Server 2010 SP3.
ASKER CERTIFIED SOLUTION
arnold

(Solution text only available to members.)