Gordon Watt
asked on
Office Email address being used to send spoof emails - need serious help making it stop.
Hi,
I hope you can help me with a serious problem with some spam email.
Background -
Our office switched the email to Office 365 the year before last. We have a number of email accounts on the Exchange server.
The address of one of the email accounts has been used by a bot-net to send out spam emails, and now the user is receiving 100s of bounced back undeliverable (error 550) emails.
The action center on Exchange Admin has identified that the email address has been involved with the spam, and has blocked the account from sending out emails, with the error OutboundSpamLast24Hours=122;OutboundMailLast24Hours=134;OutboundSpamPercent=910; Last Message MessagetraceId:c401e900-91fa-4a20-66e1-08d5d7892e05
This, however, has not stopped the bot-net continuing to send out messages and, as I type this, the bounced back undeliverable messages keep coming in.
Our domain is not currently blacklisted on any mail blacklists, and I would like to keep it that way, but test messages sent out from other accounts in the office are immediately going into the Junk mail folders of GMail recipients because it says that a lot of messages from our domain are spam.
Below is the header of one of the messages returned. I have determined that the originating IP is not ours.
Can someone please take a look at the header, and give me ideas on how I can stop the user's email address from being used for spam?
The stars represent names of our servers and domain.
Any help is appreciated.
Thanks
GW
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=********.********.com; s=selector1-********-co-uk;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=XoNRiW4Txkb4tjk7hlkf/l+tTq/Yv6XiTC9tPiWcTQI=;
b=oyaxYzOf11qNyAfYx4FlBXHKO+abgpxbcT6KU5dTI6OE68uWV9hWi0/TxZUpX6NC86fFVSKhKPS6biDQu8oHK/2sbzXwYHlDGX88LhwcdSEWvlL08Me8QslmcIwoidQ95fX//cXSSyefRA2um/q+QirWk+lOcmgQN2U1n9ncp+c=
Authentication-Results: spf=none (sender IP is )
smtp.mailfrom=angela@********.co.uk;
Received: from 88.212.244.172 (122.166.237.19) by
ME2PR01MB3716.ausprd01.prod.outlook.com (2603:10c6:220:2c::12) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.863.17; Thu, 21 Jun 2018 15:12:30 +0000
Message-ID: <B0B503505B8FAF9C40450CB52100AC9D@********.co.uk>
Reply-To: "Mila" <b@gmail.com>
From: "Mila" <angela@********.co.uk>
Subject: Will we communicate?
Date: Thu, 21 Jun 2018 18:09:07 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="df36c828e02e90a027e9ce5077c3"
To: Undisclosed recipients:;
X-Originating-IP: [122.166.237.19]
X-ClientProxiedBy: MA1PR01CA0073.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00::13)
To ME2PR01MB3716.ausprd01.prod.outlook.com (2603:10c6:220:2c::12)
Return-Path: angela@********.co.uk
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 11bbc41b-1e4c-4d83-7b26-08d5d7897386
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(7021125)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7025125)(7024125)(7027125)(7028125)(7023125)(5600026)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:ME2PR01MB3716;
X-Microsoft-Exchange-Diagnostics: 1;ME2PR01MB3716;3:PN8+rh+fOmelaiX0X3n854G3pPrunh4GHDWU0UA5v2CemkOnDUT+Y906JhcnXb8aLlGbH/0cHbQPdKXTII0La+7KW17857PX/eJxZtFMavis/V0w/M+QGJS5k9cppEFzHmf7VNvP19B5jhGGQMC8+jhfb2Y8lGnJ7t3kILlQhktFb3yvknMTL2QKGSpME2WztIlQNNlSZiWOUDdnU41U8D6X3/lkWRlFJ8ZnpFF18S6IVCRV3fw47KKdzoj4aBIp;25:WsVWm21TzZ+pDlIIHRSYwMTWDS6oNh2sI97ammzn0cGyaKZU8AI7IWQz7iE62n4TdGQNQilwWYqqyRIeCmQma2hi8bNNI0xI2XRZd7ZBZSuJ1qyDpEcjt5or7OKmra3oOzBLa9e7PN+6GpOydH8v8/C2wHWvr2bB+Dxsae8xA6gVR6y18/xPs7Dcj5+hGhTXAEaPmxsfY3/uL6l51Xt/BcPo+OE1hHZMdkyl925De/ToDAMvYEOSQcWuH2/hxjlNLTPywghQMpLwcB/BuOzq6CcgXduWtVjSZpFEVlqRqSTYadB1s+PW4Fm6FucYUvRgBVR5DJz/1beN67/+OE1/cg==;31:KbuIbgdw4wmS5E8+itZezkdPSqD7uZStfcchzpvkU/K3LD3KIAKOH5NcXfJRGX+91y6tvsAfwIKZKoNtIBOFszCahokfBk7AUDchNMxSQliIDPsWSckdD6coWxyM4zC11WQ8pSDLNZvCi0/rd6RmfMDXm7LGVhH99dV5+p6x5Kbf3gN+ndU1arqpg1flI3rewd8g8T3uVQEDK/ZUpdt5T0aea8Cj08mkCF5M/cu9rAQ=
X-MS-TrafficTypeDiagnostic: ME2PR01MB3716:|ME2PR01MB3716:
X-Microsoft-Antispam-PRVS: <ME2PR01MB371675B1C5141A6773D733AF81760@ME2PR01MB3716.ausprd01.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(268946806431577);
X-MS-Exchange-SenderADCheck: 1
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231254)(2017080701022)(944501410)(52105095)(93006095)(93001095)(3002001)(149027)(150027)(6041310)(20161123564045)(20161123558120)(2016111802025)(20161123560045)(20161123562045)(6043046)(6072148)(201708071742011)(7699016);SRVR:ME2PR01MB3716;BCL:0;PCL:0;RULEID:;SRVR:ME2PR01MB3716;
X-Microsoft-Exchange-Diagnostics: 1;ME2PR01MB3716;4:JYlqlRq0PBMWPF7z3RsEsuUM7UIVDNjUW7QIgfJXUwjvVWaM4Z6sxiPrbkfL3RWobbwgn2aZNi8I2vvwOzHv0OMOqUYcUZODzmc37GE4TuzBfolMD4p1TMFyP3NnsN+PciNx82YGY4ezryFixPe8qnMnFFyq9Ckjkq3qW/7yOYtalQG4hwEF1kvHg6o0pND9lLTzjM9oURZly0+n/1Il8rLWb+QN2bmJqteFt6rx9TYnkGEAmy3SIA4d9QM3TAefHoMCUy4i3NirwB9AnGmEOfTSVNpxyx2qyk7AVe1Lv/CQ+ovX0CJq4sAftL8YVldM
X-Forefront-PRVS: 07106EF9B9
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(6049001)(1496009)(366004)(39850400004)(39380400002)(346002)(396003)(376002)(299900001)(199004)(189003)(43066004)(114624004)(16586007)(53366004)(109986005)(236005)(53936002)(881003)(74482002)(606006)(68736007)(26005)(8676002)(8666007)(63106013)(2476003)(6486002)(53376002)(16526019)(25786009)(6306002)(786003)(97736004)(2860700003)(430100008)(39060400002)(54896002)(22416003)(316002)(486006)(86362001)(2906002)(16576012)(66066001)(3480700004)(478600001)(1600100001)(4810100001)(8936002)(6666003)(81156014)(81166006)(5890100001)(2920100001)(476003)(7736002)(956004)(120186005)(7116003)(5660300001)(4610100001)(106356001)(568964002)(8576002)(386003)(8426002)(33964004)(36756003)(186003)(6116002)(3846002)(7406005)(7416002)(52116002)(105586002)(2616005)(1671002)(84326002)(33656002)(44706002)(77310200001);DIR:OUT;SFP:1501;SCL:5;SRVR:ME2PR01MB3716;H:88.212.244.172;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
Received-SPF: None (protection.outlook.com: ********.co.uk does not designate
permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?
ASKER CERTIFIED SOLUTION
Unfortunately you really can't stop anyone from spoofing an email address. The best thing to do is be sure that you have a good SPF record setup, so that recipient email servers can validate that the email is coming from an authenticated server, and if not they can drop the email. Also unfortunately there is no way to block NDRs in O365 unlike on-prem, so you can contact O365 support to see what they think the best option is for that.
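The answer above is the core of it: a receiver can only reject a forged sender if the domain publishes which hosts are allowed to send for it, and the "Received-SPF: None" line in the quoted header is exactly what a receiver sees when no such record exists. The following script is an added example, not code from the thread or from Microsoft or MXToolbox. It does two things: it pulls the fields a defender looks at first out of a bounced message (originating IP, From versus Reply-To, the receiver's SPF result), and it evaluates an SPF record against that IP the way a receiver would, using only a constructed in-memory table in place of DNS. The sample header is constructed from the fields quoted in the question with the real domain replaced by example.co.uk; the IP ranges in the DNS table are documentation ranges standing in for the office's own mail hosts and for the provider's include, not Microsoft's real ranges.

```python
"""Triage one bounced message header and evaluate an SPF policy offline.

Added example for this thread, not code from the original post or from
Microsoft/MXToolbox. The header is constructed from the question's quoted
fields (domain replaced by example.co.uk); the DNS table is a constructed
stand-in for real TXT records.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the spoofed "Mila" message from the question, trimmed.
SAMPLE_HEADER = """\
Authentication-Results: spf=none (sender IP is 122.166.237.19)
 smtp.mailfrom=angela@example.co.uk;
Received: from 88.212.244.172 (122.166.237.19) by
 ME2PR01MB3716.ausprd01.prod.outlook.com (2603:10c6:220:2c::12) with Microsoft
 SMTP Server id 15.20.863.17; Thu, 21 Jun 2018 15:12:30 +0000
Reply-To: "Mila" <b@gmail.com>
From: "Mila" <angela@example.co.uk>
Subject: Will we communicate?
Return-Path: angela@example.co.uk
X-Originating-IP: [122.166.237.19]
Received-SPF: None (protection.outlook.com: example.co.uk does not designate
 permitted sender hosts)

(body omitted)
"""

# Constructed DNS table standing in for TXT lookups. 203.0.113.0/24 plays the
# office's own mail hosts; the include target gets a placeholder range, not the
# provider's real one.
DNS_TXT = {
    "example.co.uk": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(ip, domain, dns, depth=0):
    """Return the SPF result for `ip` sending as `domain`, using only `dns`.

    Supports ip4, ip6, include and all (RFC 7208); a/mx/exists are not needed
    for this thread and are treated as non-matching.
    """
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"          # the state shown in the question's header
    if depth > 10:
        return "permerror"     # include loop or too many lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = evaluate_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def _domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(raw_header):
    """Pull out the fields a defender looks at first in a backscatter bounce."""
    msg = message_from_string(raw_header)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    ip_match = re.search(r"\[([0-9a-fA-F:.]+)\]", msg.get("X-Originating-IP", ""))
    received_spf = (msg.get("Received-SPF") or "").split(None, 1)
    return {
        "from_domain": _domain_of(from_addr),
        "return_path_domain": _domain_of(return_path),
        "originating_ip": ip_match.group(1) if ip_match else None,
        "received_spf": received_spf[0].lower() if received_spf else "",
        # Reply-To pointing at a third party is the classic "answer the spammer" tell
        "reply_to_mismatch": bool(reply_to) and _domain_of(reply_to) != _domain_of(from_addr),
    }


def spf_verdict_for(raw_header, dns):
    """Combine the triage with an SPF evaluation of the originating IP."""
    info = triage(raw_header)
    info["spf_with_policy"] = evaluate_spf(info["originating_ip"], info["from_domain"], dns)
    return info


if __name__ == "__main__":
    for key, value in spf_verdict_for(SAMPLE_HEADER, DNS_TXT).items():
        print(f"{key:20} {value}")
```

Run against the sample, the spoofer's IP evaluates to "fail" once a record ending in "-all" exists, whereas the same IP gets "none" against an empty table, which is what the quoted header shows. A "~all" record only yields "softfail", which most receivers treat as a scoring hint rather than grounds to drop the message.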
ASKER
Hi,
Many thanks for the replies so far.
Here is an update -
Alan -
The user's password was changed as soon as we started receiving the Undeliverable messages the first time it happened, two days ago.
The PC that she was using was also disconnected from the network and replaced with a spare, shortly after our second wave of messages yesterday, and we have received messages since.
I checked out the domain set up, and we did have SPF records, but no DMARC, so I used MXToolbox to create one.
Hemil -
We have our Exchange server hosted with Microsoft, which is why I assume it is Office365.
I checked the email server using MXToolbox, and I do not believe we are hosting an open relay.
I agree that the source attack for that message header comes from India, but I have done lookups on the IP addresses of other headers and they are also located in China.
On Office365 Exchange Admin center, I am unsure where the Queue Toolbox is.
As far as the backscattering, the Non-delivery reports are getting sent back to the user because they are not reaching the spammer's intended target, and getting bounced back. Can you please tell me if disabling NDRs will prevent the NDR messages coming back to our user?
GW
I don't think you are able to block NDRs via Exchange Online, known as "Office 365".
You might have to call Microsoft and explain the situation to them, and they will open an investigation for you.
Something you can do is to create a postmaster on your incoming connector. That way every NDR will be forwarded to postmaster@yourdomain.com.
Try that before calling Microsoft.
I forgot to add this comment since I'm using my phone app.
YES! It will stop NDRs being delivered to the user.
Did Lynn also change her password?
Is the IP address in your SPF record correct? It appears to be from Russia; also, the spammer's IP address is in Bangalore, IN.
ASKER
Hi all,
I have managed to enable DKIM and DMARC, and have double checked the SPF records.
On monitoring the user's mailbox, there have been no undeliverable mail notifications in the past 4 hours, so I am hopeful that the problem has settled down.
I will keep an eye on it for the next 24 hours and report back.
GW
ASKER
Well, it is a week after I first investigated the problem, and the addition of DKIM and DMARC records seems to have done the trick, as we have not had any more attacks. Thanks to all who replied.
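Why DKIM plus DMARC settled it is worth spelling out: DMARC lets the domain owner tell receivers what to do when a message's visible From domain is not backed by an aligned SPF or DKIM pass. In the quoted header the From is the .co.uk domain while the DKIM d= is a different domain, so with a reject policy a receiver would drop that message instead of delivering it and bouncing the reply to the office user. The following is an added example, not code from the thread, that applies a DMARC record to the SPF and DKIM results a receiver has already computed. The three-entry public-suffix table is a constructed stand-in for the real Public Suffix List, included because a .co.uk domain breaks the naive "last two labels" rule, and the DMARC record and domains are constructed examples.

```python
"""Apply a DMARC policy to a message's SPF and DKIM results (offline).

Added example for this thread, not code from the original post. The suffix
table is a constructed stand-in for the Public Suffix List; the record and
domains below are constructed examples.
"""

# Constructed stand-in for the Public Suffix List: enough for .co.uk-style
# domains like the one in the question.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

# Constructed DMARC record as the office might publish it at _dmarc.example.co.uk
EXAMPLE_DMARC = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.co.uk"


def organizational_domain(domain):
    """Reduce a host name to its registrable domain (for relaxed alignment)."""
    labels = domain.lower().strip(".").split(".")
    # a two-label public suffix such as co.uk means the org domain is three labels
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; raise if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_action).

    spf_domain is the MAIL FROM domain the SPF check ran against; dkim_domain is
    the d= of a verified signature. Either aligned pass satisfies DMARC.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # pct= sampling is ignored here; a real receiver applies the policy to pct% of failures
    return ("fail", tags.get("p", "none"))


if __name__ == "__main__":
    # The quoted spoof: From is the .co.uk domain, SPF gave "none", and the only
    # DKIM signature is for an unrelated domain (constructed name).
    print(dmarc_disposition("example.co.uk", EXAMPLE_DMARC,
                            "none", "example.co.uk", "pass", "tenant.example.com"))
    # A genuine office message relayed by a permitted host passes on SPF alone.
    print(dmarc_disposition("example.co.uk", EXAMPLE_DMARC,
                            "pass", "example.co.uk", "none", None))
```

The first call returns ("fail", "reject"): DKIM verified, but for a domain that does not align with the From, so the policy applies. The second returns ("pass", "none"). Note that a policy of p=none only asks for reports and would not have stopped delivery; it is the move to quarantine or reject that changes receiver behaviour.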
If it's Exchange then this is what could be happening.
1- You are accepting the incoming connection on port 25.
You need to check if your email server is acting as a relay server; check on this link: https://mxtoolbox.com/Pro/#/tool/smtp
2- If it detects that your email server is acting as a relay, delete the incoming connector and recreate it again.
3- The source attack comes from India through this IP 122.166.237.19
4- An account has been leaked and you need to find out which account; you need more details, and I recommend using the Queue Toolbox.
5- You are being backscattered by an attacker; what it does is send NDRs to your email server, filling up your queue and making it delay.
The way you can avoid backscattering is by disabling NDRs.
Let me know how it goes,