Office Email address being used to send spoof emails - need serious help making it stop.

Gordon Watt
Hi,

I hope you can help me with a serious problem with some spam email.

Background -

Our office switched its email to Office 365 the year before last. We have a number of email accounts on the Exchange server.

The address of one of the email accounts has been used by a bot-net to send out spam emails, and now the user is receiving 100s of bounced back undeliverable (error 550) emails.

The action center on Exchange Admin has identified that the email address has been involved with the spam, and has blocked the account from sending out emails, with the error: OutboundSpamLast24Hours=122;OutboundMailLast24Hours=134;OutboundSpamPercent=910;Last Message MessagetraceId:c401e900-91fa-4a20-66e1-08d5d7892e05

This, however, has not stopped the bot-net continuing to send out messages and, as I type this, the bounced back undeliverable messages keep coming in.

Our domain is not currently blacklisted on any mail blacklists, and I would like to keep it that way, but test messages sent out from other accounts in the office are immediately going into the Junk mail folders of GMail recipients because it says that a lot of messages from our domain are spam.

Below is the header of one of the messages returned.  I have determined that the originating IP is not ours.

Can someone please take a look at the header, and give me ideas on how I can stop the user's email address from being used for spam?

The stars represent names of our servers and domain.

Any help is appreciated.

Thanks

GW

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=********.********.com; s=selector1-********-co-uk;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=XoNRiW4Txkb4tjk7hlkf/l+tTq/Yv6XiTC9tPiWcTQI=;
 b=oyaxYzOf11qNyAfYx4FlBXHKO+abgpxbcT6KU5dTI6OE68uWV9hWi0/TxZUpX6NC86fFVSKhKPS6biDQu8oHK/2sbzXwYHlDGX88LhwcdSEWvlL08Me8QslmcIwoidQ95fX//cXSSyefRA2um/q+QirWk+lOcmgQN2U1n9ncp+c=
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=angela@********.co.uk;
Received: from 88.212.244.172 (122.166.237.19) by
 ME2PR01MB3716.ausprd01.prod.outlook.com (2603:10c6:220:2c::12) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.863.17; Thu, 21 Jun 2018 15:12:30 +0000
Message-ID: <B0B503505B8FAF9C40450CB52100AC9D@********.co.uk>
Reply-To: "Mila" <b@gmail.com>
From: "Mila" <angela@********.co.uk>
Subject: Will we communicate?
Date: Thu, 21 Jun 2018 18:09:07 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="df36c828e02e90a027e9ce5077c3"
To: Undisclosed recipients:;
X-Originating-IP: [122.166.237.19]
X-ClientProxiedBy: MA1PR01CA0073.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00::13)
 To ME2PR01MB3716.ausprd01.prod.outlook.com (2603:10c6:220:2c::12)
Return-Path: angela@********.co.uk
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 11bbc41b-1e4c-4d83-7b26-08d5d7897386
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(7021125)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7025125)(7024125)(7027125)(7028125)(7023125)(5600026)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:ME2PR01MB3716;
X-MS-TrafficTypeDiagnostic: ME2PR01MB3716:|ME2PR01MB3716:
X-Microsoft-Antispam-PRVS: <ME2PR01MB371675B1C5141A6773D733AF81760@ME2PR01MB3716.ausprd01.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(268946806431577);
X-MS-Exchange-SenderADCheck: 1
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231254)(2017080701022)(944501410)(52105095)(93006095)(93001095)(3002001)(149027)(150027)(6041310)(20161123564045)(20161123558120)(2016111802025)(20161123560045)(20161123562045)(6043046)(6072148)(201708071742011)(7699016);SRVR:ME2PR01MB3716;BCL:0;PCL:0;RULEID:;SRVR:ME2PR01MB3716;
X-Forefront-PRVS: 07106EF9B9
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(6049001)(1496009)(366004)(39850400004)(39380400002)(346002)(396003)(376002)(299900001)(199004)(189003)(43066004)(114624004)(16586007)(53366004)(109986005)(236005)(53936002)(881003)(74482002)(606006)(68736007)(26005)(8676002)(8666007)(63106013)(2476003)(6486002)(53376002)(16526019)(25786009)(6306002)(786003)(97736004)(2860700003)(430100008)(39060400002)(54896002)(22416003)(316002)(486006)(86362001)(2906002)(16576012)(66066001)(3480700004)(478600001)(1600100001)(4810100001)(8936002)(6666003)(81156014)(81166006)(5890100001)(2920100001)(476003)(7736002)(956004)(120186005)(7116003)(5660300001)(4610100001)(106356001)(568964002)(8576002)(386003)(8426002)(33964004)(36756003)(186003)(6116002)(3846002)(7406005)(7416002)(52116002)(105586002)(2616005)(1671002)(84326002)(33656002)(44706002)(77310200001);DIR:OUT;SFP:1501;SCL:5;SRVR:ME2PR01MB3716;H:88.212.244.172;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
Received-SPF: None (protection.outlook.com: ********.co.uk does not designate
 permitted sender hosts)
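As an added illustration (not part of the question or of any answer), here is a script that pulls out of a header like the one above the facts a DMARC-aware receiver acts on: the IP that actually connected, the SPF verdict, and whether the MAIL FROM and DKIM domains align with the From domain. The header it parses is a constructed copy of the one above with the starred names replaced by example.co.uk and the DKIM values replaced by dummies.

```python
import email
import re
# Constructed sample in the shape of the bounced message's header from the
# question: starred names replaced by the placeholder example.co.uk, DKIM
# values replaced by dummies, IPs and authentication results as on the page.
SAMPLE_HEADER = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mail.example.com; s=selector1-example-co-uk; h=From:Date:Subject;
 bh=DUMMY=; b=DUMMY=
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=angela@example.co.uk;
Received: from 88.212.244.172 (122.166.237.19) by
 ME2PR01MB3716.ausprd01.prod.outlook.com (2603:10c6:220:2c::12) with Microsoft
 SMTP Server id 15.20.863.17; Thu, 21 Jun 2018 15:12:30 +0000
From: "Mila" <angela@example.co.uk>
Return-Path: angela@example.co.uk
X-Originating-IP: [122.166.237.19]
Received-SPF: None (protection.outlook.com: example.co.uk does not designate
 permitted sender hosts)
"""

def _flat(value):  # unfold a header value onto one line
    return re.sub(r"\s+", " ", value or "").strip()

def _domain(addr_header):  # bare domain of the first address in a header
    m = re.search(r"@([A-Za-z0-9.-]+)", addr_header or "")
    return m.group(1).lower() if m else None

def analyse(raw_header):
    """Pull out the facts a DMARC-aware receiver would act on."""
    msg = email.message_from_string(raw_header)
    # The last Received: is the earliest hop; here the Office 365 edge records
    # the HELO name the sender claimed and the IP it actually connected from.
    hop = _flat((msg.get_all("Received") or [""])[-1])
    m = re.match(r"from (\S+) \(([\d.]+)\) by (\S+)", hop)
    helo, connecting_ip, receiver = m.groups() if m else (None, None, None)
    spf = re.search(r"spf=(\w+)", _flat(msg["Authentication-Results"]))
    spf_result = spf.group(1).lower() if spf else "none"
    dkim = re.search(r"\bd=([^;\s]+)", _flat(msg["DKIM-Signature"]))
    from_dom, mailfrom_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    dkim_dom = dkim.group(1).lower() if dkim else None
    # DMARC, strict alignment (relaxed alignment needs a public-suffix list): SPF
    # counts only if it passed for a MAIL FROM domain equal to the From domain,
    # DKIM only if a *verifying* signature's d= equals the From domain.
    spf_aligned = spf_result == "pass" and mailfrom_dom == from_dom
    dkim_aligned = dkim_dom == from_dom  # signature itself not verified offline
    return {"helo": helo, "connecting_ip": connecting_ip, "receiver": receiver,
            "spf_result": spf_result, "from_domain": from_dom,
            "mailfrom_domain": mailfrom_dom, "dkim_domain": dkim_dom,
            "dmarc_pass": spf_aligned or dkim_aligned}
```

With a published DMARC policy of p=reject, a receiver that reaches dmarc_pass == False for such a message discards it instead of bouncing it back to the spoofed address.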
Consultant
Commented:
Hi Gordon,

First, if you haven't already, change the password on the email account in question.

If the email account is associated with a person, then make sure that person changes all their work passwords.

It is possible that the person's machine is infected with something.  If you can, I would remove that machine, give them a completely new clean installed machine, and then wipe their original one and rebuild it from scratch - trying to get rid of malware just wastes time compared to a rebuild / re-image, and you can never be sure you have gotten rid of it all, no matter what the anti-malware peddlers may like to claim - even if a scan found some things, you don't know what might have been missed.

If you do replace the machine, and the passwords were changed before you removed the potentially infected machine, change them again afterwards.  For what it's worth, I would also advise the person to change any passwords for non-work services that they might have logged into from their work machine, and the same advice (work and non-work passwords to be changed) for anyone else that has ever logged in on that same machine.  Hopefully that won't include any domain admins, but if so, change those passwords too in case the malware has compromised the hashes that are left behind.


Have you set up at least SPF records (DKIM and DMARC would be good too - but SPF is a must have)?  If not, do that immediately too.

You can check your setup here:

https://mxtoolbox.com/


Alan.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Question, is that happening in office 365 or exchange?

If it's exchange then this is what could be happening.

1- You are accepting the incoming connection on port 25.
You need to check whether your email server is acting as a relay server; check on this link: https://mxtoolbox.com/Pro/#/tool/smtp

2- If it detects that your email server is acting as a relay, delete the incoming connector and recreate it again.

3- The source of the attack comes from India through this IP: 122.166.237.19

4- An account has been leaked and you need to find out which account; you need more details, so I recommend using the Queue Toolbox.

5- You are being backscattered by an attacker, which sends NDRs to your email server, filling up your queue and delaying it.
The way you can avoid backscattering is by disabling NDRs.

Let me know how it goes,
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
Unfortunately you really can't stop anyone from spoofing an email address. The best thing to do is be sure that you have a good SPF record set up, so that recipient email servers can validate that the email is coming from an authenticated server, and if not they can drop the email. Also unfortunately there is no way to block NDRs in O365 unlike on-prem, so you can contact O365 support to see what they think the best option is for that.
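An added example (not from the thread) of what that validation looks like on the receiving side: a minimal SPF evaluator that resolves records from a constructed stand-in for DNS and shows why a record ending in -all lets the receiver fail a message from the spoofing IP in the question, while ?all does not. The include name is the one Office 365 tenants use, but the address range listed under it here is a placeholder (TEST-NET-3), not Microsoft's.

```python
import ipaddress

# Constructed stand-in for DNS: maps a domain to its SPF TXT record. The
# include target is the real name Office 365 tenants use, but the range
# under it is a placeholder (TEST-NET-3), not Microsoft's actual addresses.
FAKE_DNS = {
    "example.co.uk": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
}
# The same record with the weak "?all" terminator, for comparison.
WEAK_RECORD = "v=spf1 include:spf.protection.outlook.com ?all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, dns=FAKE_DNS, record=None, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `ip`.
    Supports ip4, ip6, all and include; mechanisms that need further DNS
    work (a, mx, ptr, exists) and modifiers (redirect=, exp=) are skipped."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = record or dns.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # a v6 address never matches a v4 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(ip, arg, dns, depth=depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"  # record without an "all" term: RFC 7208 default
```

A receiver treats "fail" as grounds to reject, but "neutral" (from ?all or from a missing record) as no information, which is the difference between the -all and ?all results here.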
Author

Commented:
Hi,

Many thanks for the replies so far.

Here is an update -

Alan -

The user's password was changed as soon as we started receiving the Undeliverable messages the first time it happened, two days ago.

The PC that she was using was also disconnected from the network and replaced with a spare, shortly after our second wave of messages yesterday, and we have received messages since.

I checked out the domain set up, and we did have SPF records, but no DMARC, so I used MXToolbox to create one.

Hemil -

We have our Exchange server hosted with Microsoft, which is why I assume it is Office365.

I checked the email server using MXToolbox, and I do not believe we are hosting an open relay.

I agree that the source attack for that message header comes from India, but I have done lookups on the IP addresses of other headers and they are also located in China.

On Office365 Exchange Admin center, I am unsure where the Queue Toolbox is.

As far as the backscattering, the Non-delivery reports are getting sent back to the user because they are not reaching the spammer's intended target, and getting bounced back. Can you please tell me if disabling NDRs will prevent the NDR messages coming back to our user?

GW
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
I don't think you are able to block NDRs via online Exchange, known as "Office 365".

You might have to call Microsoft and explain to them the situation, thus they will open an investigation for you.

Something you can do is to create a postmaster on your incoming connector. That way every NDR will be forwarded to postmaster@yourdomain.com

Try that before calling Microsoft.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
I forgot to add this comment since I'm using my phone app.

YES! It will stop NDRs being delivered to the user.
Top Expert 2016

Commented:
Did Lynn also change her password?

Is the IP address in your SPF record correct? It appears to be from Russia; also, the spammer's IP address is in Bangalore, IN.

Author

Commented:
Hi all,

I have managed to enable DKIM and DMARC, and have double checked the SPF records.

On monitoring the user's mailbox, there have been no undeliverable mail notifications in the past 4 hours, so I am hopeful that the problem has settled down.

I will keep an eye on it for the next 24 hours and report back.

GW

Author

Commented:
Well, it is a week after I first investigated the problem, and the addition of DKIM and DMARC records seems to have done the trick, as we have not had any more attacks. Thanks to all who replied.
