User's email address is being spoofed.

Hello,

The email address of a user of ours is routinely being spoofed by spammers.

Is there a report in the Office 365 portal to let us see the IP address of the computer that used her email to send?

If yes, please advise what to click in order to run that report.

Thanks,
nav2567Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Todd NelsonSystems EngineerCommented:
If you have one of the emails, you should be able to grab that information from the message headers.
0
Dr. KlahnPrincipal Software EngineerCommented:
Is there a report in the Office 365 portal to let us see the IP address of the computer that used her email to send?

If the spam is not coming out of your network, then no.  You need at least one -- preferably a large selection -- of the offending emails to examine the origination headers.  That information may not be useful, though.

If the origination header shows "192.168.0.xxx" to "192.168.0.yyy" and so on, all you know is that the email originated inside somebody's LAN.  Email routing headers can be, and are generally, spoofed in spam.

If you get a set of matching origination headers from trackable IPs, it still may not do any good.  Spoofed spam emanating from Russia, Africa, the Middle East or the Far East is not stoppable.

What you can do:  If your MTA and MX setup does not include SPF keys, DKIM and DMARC - then you should set them up.  This will take care of the problem at sites which check these anti-spam features.
1
Olgierd UngehojerSenior Network AdministratorCommented:
The most of the time IPs are different with every single email. You have to change password and then check what user has infected computer. After cleaning you can use this email address again.
0
Mal OsborneAlpha GeekCommented:
Sounds like you need to look at implementing an SPF record.

This is a record in DNS, which specifies the IP addresses that email from your domain is expected to be sent from.  The receiving mail server can then then check, and see if it matches. This is a common form of antispam.

When spammers send spam, they usually impersonate a legitimate email address, as you are seeing. Impersonating  an email address that is backed by an SPF record could still be done, however it would mean a lot of the spam would not get to its destination. Hence, spammers usually pick an email address without an SPF record.

Having an SPF record will also mean that legitimate email you send will tend to not be accidentally blocked as spam.  SPF is pretty simple, provided you can figure out all of the IP addresses that should send email for your domain.

More on SPF here:
https://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dr. KlahnPrincipal Software EngineerCommented:
EE requested stale question closure.  All comments apposite and addressed the topic.  Points assigned according to the magnitude of the contribution.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365

From novice to tech pro — start learning today.