Gordon Watt
asked on
Office Email address being used to send spoof emails - need serious help making it stop.
Hi,
I hope you can help me with a serious problem with some spam email.
Background -
Our office switch the email to Office 365 the year before last. We have a number of email accounts on the Exchange server.
The address of one of the email accounts has been used by a bot-net to send out spam emails, and now the user is receiving 100s of bounced back undeliverable (error 550) emails.
The action center on Exchange Admin has identified that the email address has been involved with the spam, and has blocked the account from sending out emails, with the error-OutboundSpamLast24Ho
This, however, has not stopped the bot-net continuing to send out messages and, as I type this, the bounced back undeliverable messages keep coming in.
Our domain is not currently blacklisted on any mail blacklists, and I would like to keep it that way, but test messages sent out from other accounts in the office are immediately going into the Junk mail folders of GMail recipients because it says that a lot of messages from our domain are spam.
Below is the header of one of the messages returned. I have determined that the originating IP is not ours.
Can someone please take a look at the header, and give me ideas on how I can stop the user's email address from being used for spam ?
The stars represent names of our servers and domain.
Any help is appreciated.
Thanks
GW
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=********.********.com; s=selector1-********-co-uk
h=From:Date:Subject:Messag
bh=XoNRiW4Txkb4tjk7hlkf/l+
b=oyaxYzOf11qNyAfYx4FlBXHK
Authentication-Results: spf=none (sender IP is )
smtp.mailfrom=angela@*****
Received: from 88.212.244.172 (122.166.237.19) by
ME2PR01MB3716.ausprd01.pro
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_
15.20.863.17; Thu, 21 Jun 2018 15:12:30 +0000
Message-ID: <B0B503505B8FAF9C40450CB52
Reply-To: "Mila" <b@gmail.com>
From: "Mila" <angela@********.co.uk>
Subject: Will we communicate?
Date: Thu, 21 Jun 2018 18:09:07 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="df36c828e02e90a0
To: Undisclosed recipients:;
X-Originating-IP: [122.166.237.19]
X-ClientProxiedBy: MA1PR01CA0073.INDPRD01.PRO
To ME2PR01MB3716.ausprd01.pro
Return-Path: angela@********.co.uk
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-C
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEI
X-Microsoft-Exchange-Diagn
X-MS-TrafficTypeDiagnostic
X-Microsoft-Antispam-PRVS:
X-Exchange-Antispam-Report
X-MS-Exchange-SenderADChec
X-Exchange-Antispam-Report
X-Microsoft-Exchange-Diagn
X-Forefront-PRVS: 07106EF9B9
X-Forefront-Antispam-Repor
Received-SPF: None (protection.outlook.com: ********.co.uk does not designate
permitted sender hosts)
X-Microsoft-Exchange-Diagn
I hope you can help me with a serious problem with some spam email.
Background -
Our office switch the email to Office 365 the year before last. We have a number of email accounts on the Exchange server.
The address of one of the email accounts has been used by a bot-net to send out spam emails, and now the user is receiving 100s of bounced back undeliverable (error 550) emails.
The action center on Exchange Admin has identified that the email address has been involved with the spam, and has blocked the account from sending out emails, with the error-OutboundSpamLast24Ho
This, however, has not stopped the bot-net continuing to send out messages and, as I type this, the bounced back undeliverable messages keep coming in.
Our domain is not currently blacklisted on any mail blacklists, and I would like to keep it that way, but test messages sent out from other accounts in the office are immediately going into the Junk mail folders of GMail recipients because it says that a lot of messages from our domain are spam.
Below is the header of one of the messages returned. I have determined that the originating IP is not ours.
Can someone please take a look at the header, and give me ideas on how I can stop the user's email address from being used for spam ?
The stars represent names of our servers and domain.
Any help is appreciated.
Thanks
GW
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=********.********.com; s=selector1-********-co-uk
h=From:Date:Subject:Messag
bh=XoNRiW4Txkb4tjk7hlkf/l+
b=oyaxYzOf11qNyAfYx4FlBXHK
Authentication-Results: spf=none (sender IP is )
smtp.mailfrom=angela@*****
Received: from 88.212.244.172 (122.166.237.19) by
ME2PR01MB3716.ausprd01.pro
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_
15.20.863.17; Thu, 21 Jun 2018 15:12:30 +0000
Message-ID: <B0B503505B8FAF9C40450CB52
Reply-To: "Mila" <b@gmail.com>
From: "Mila" <angela@********.co.uk>
Subject: Will we communicate?
Date: Thu, 21 Jun 2018 18:09:07 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="df36c828e02e90a0
To: Undisclosed recipients:;
X-Originating-IP: [122.166.237.19]
X-ClientProxiedBy: MA1PR01CA0073.INDPRD01.PRO
To ME2PR01MB3716.ausprd01.pro
Return-Path: angela@********.co.uk
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-C
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEI
X-Microsoft-Exchange-Diagn
X-MS-TrafficTypeDiagnostic
X-Microsoft-Antispam-PRVS:
X-Exchange-Antispam-Report
X-MS-Exchange-SenderADChec
X-Exchange-Antispam-Report
X-Microsoft-Exchange-Diagn
X-Forefront-PRVS: 07106EF9B9
X-Forefront-Antispam-Repor
Received-SPF: None (protection.outlook.com: ********.co.uk does not designate
permitted sender hosts)
X-Microsoft-Exchange-Diagn
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unfortunately you really can't stop anyone from spoofing an email address. The best thing to do is be sure that you have a good SPF record setup, so that recipient email servers can validate that the email is coming from an authenticated server, and if not they can drop the email. Also unfortunately there is no way to block NDRs in O365 unlike on-prem, so you can contact O365 support to see what they think the best option is for that.
ASKER
Hi,
Many thanks for the replies so far.
Here is an update -
Alan -
The user's password was changed as soon as we started receiving the Undeliverable messages the first time it happened, two days ago.
The PC that she was also disconnected from the network and replaced with a spare, shortly after our second wave of messages yesterday, and we received messages since.
I checked out the domain set up, and we did SPF records, but no DMarc, so I used MXToolbox to create one.
Hemil -
We have our Exchange server hosted with Microsoft, which is why I assume it is Office365.
I checked the email server using MXToolbox, and I do not believe we are hosting an open relay.
I agree that the source attack for that message header comes from India, but I have done lookups on the IP addresses of other headers and they are also located in China.
On Office365 Exchange Admin center, I am unsure where the Queue Toolbox is.
As far as the backscattering, the Non-delivery reports are getting sent back to the user because they are not reaching the spammer's intended target, and getting bounced back. Can you please tell me if disabling NDRS will prevent the NDR messages coming back to our user ?
GW
Many thanks for the replies so far.
Here is an update -
Alan -
The user's password was changed as soon as we started receiving the Undeliverable messages the first time it happened, two days ago.
The PC that she was also disconnected from the network and replaced with a spare, shortly after our second wave of messages yesterday, and we received messages since.
I checked out the domain set up, and we did SPF records, but no DMarc, so I used MXToolbox to create one.
Hemil -
We have our Exchange server hosted with Microsoft, which is why I assume it is Office365.
I checked the email server using MXToolbox, and I do not believe we are hosting an open relay.
I agree that the source attack for that message header comes from India, but I have done lookups on the IP addresses of other headers and they are also located in China.
On Office365 Exchange Admin center, I am unsure where the Queue Toolbox is.
As far as the backscattering, the Non-delivery reports are getting sent back to the user because they are not reaching the spammer's intended target, and getting bounced back. Can you please tell me if disabling NDRS will prevent the NDR messages coming back to our user ?
GW
I don't think you can able to block NDRs via online exchange, known as "office365"
You might have to call Microsoft and explain to them the situation, thus they will open an investigation for you.
Something you can do it's to create a postmaster on your incoming connector. That way every NDR will be forwarded to the postmaster@yourdomain.com
Try that before calling Microsoft.
You might have to call Microsoft and explain to them the situation, thus they will open an investigation for you.
Something you can do it's to create a postmaster on your incoming connector. That way every NDR will be forwarded to the postmaster@yourdomain.com
Try that before calling Microsoft.
I forgot to add this comment since I'm using my phone app.
YES! It will stop NDRs being delivered to the user.
YES! It will stop NDRs being delivered to the user.
did lynn also change her password!
is the ip address in your spf record correct? Appears to be from Russia, also the spammers ip address is in Bangalore IN
is the ip address in your spf record correct? Appears to be from Russia, also the spammers ip address is in Bangalore IN
ASKER
Hi all,
I have managed to enable Dkim and DMarc, and have double checked the SPF records.
On monitoring the user's mailbox, there have been no undeliverable mail notifications in the past 4 hours, so I am hopeful that the problem has settled down.
I will keep an eye on it for the next 24 hours and report back.
GW
I have managed to enable Dkim and DMarc, and have double checked the SPF records.
On monitoring the user's mailbox, there have been no undeliverable mail notifications in the past 4 hours, so I am hopeful that the problem has settled down.
I will keep an eye on it for the next 24 hours and report back.
GW
ASKER
Well it is a week after I first investigated the problem, and the addition of DKIM and DMarc records seems to have done the trick, as we have not had any more attacks. Thanks to all who replied.
If it's exchange then this is what could be happening.
1- You are accepting the incoming connection in port 25.
You need to check if your email server is acting as a relay server, check on this link: https://mxtoolbox.com/Pro/#/tool/smtp
2- If it detects that your email server is acting as a relay delete the incoming connector and recreated again.
3- The source attack comes from India through this IP 122.166.237.19
4- An account has been leaked and you need to find out which account, you need more details, I recommend to use the Queue Toolbox.
5- You are being backscattering by an attacker which what it does sends NDR to your email server filing up your Queue making them delay.
The way you can avoid backscattering is disabling NDRS.
Let me know how it goes,