Email scam problem

PLCITS
Some clients are receiving scam emails asking them to pay invoices, from one account on our Exchange. The account is not in use and nobody has the password to that account, just me. How is it possible that the clients are receiving email if the spam filter does not show emails sent to that client?
Principal Software Engineer
Commented:
It is quite simple to spoof any email address desired.  All that's needed is access to an open relay.  The sender can specify any sender email desired, and drop in so many fake headers that (without expert human analysis) it looks like the email came from your MTA.

If the email originated outside your network and did not go out through your MTA, then when the header chain is examined by a human this will be obvious.  However, almost no receiving MTAs will outright reject mail that does not match DKIM or SPF, and few even bother to check these.  And nobody I know bothers to check the header chain for authenticity when reading email.

You could ask all your clients to enable strict SPF authentication for your domain, but I daresay most of them will say "Huh? Wazzat?" if you do.

About the best you can do is say "The problem's not under our control and it's not really under your control either.  It's being spoofed outside our network.  However, you can enable SPF and DKIM and that'll solve it."

On the other hand, if the header chain is examined and the spoofed mail really is going out through your MTA, then you have at least one dishonest employee or subverted machine on your network, and in that case you need to chase it down right quick by looking through your outgoing email logs and finding the culprit.
Michelangelo, System Administrator / Postmaster
Commented:
Moreover, paste the scam email headers here:
https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx

and see whether it's originating from your network.
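
The header-chain check described in the two comments above, as an added example that is not code from the thread: it trusts only the `Received` line stamped by the recipient's own MTA and ignores lines below it, which a sender can forge. All hostnames, IPs and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

# Assumptions for this example (not from the thread): our outbound MTA's IP
# and the hostname of the recipient's own edge MTA, the only hop we trust.
OUR_MTA_IPS = {"203.0.113.25"}
TRUSTED_EDGE = "mx.client.example"

# Constructed sample headers. The second Received line was supplied by the
# sender, so it is a claim, not evidence.
SAMPLE = """\
Authentication-Results: mx.client.example; spf=fail smtp.mailfrom=ourcompany.example; dkim=none
Received: from relay.unknown.example (relay.unknown.example [192.0.2.44])
    by mx.client.example with ESMTP; Tue, 02 Apr 2019 10:00:03 +0000
Received: from mail.ourcompany.example (mail.ourcompany.example [203.0.113.25])
    by relay.unknown.example with ESMTP; Tue, 02 Apr 2019 10:00:01 +0000
From: Accounts <billing@ourcompany.example>
To: client@client.example
Subject: Invoice overdue

Please pay the attached invoice.
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)")

def handoff_ip(msg):
    """IP that connected to the trusted edge MTA (Received is newest-first)."""
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m and m.group(3).lower() == TRUSTED_EDGE:
            return m.group(2)
    return None

def auth_results(msg):
    """spf/dkim/dmarc verdicts stamped by the trusted edge only."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() == TRUSTED_EDGE:
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
                found.setdefault(method, result)
    return found

def analyze(raw):
    msg = message_from_string(raw)
    ip = handoff_ip(msg)
    report = {"handoff_ip": ip, "via_our_mta": ip in OUR_MTA_IPS}
    report.update(auth_results(msg))
    return report
```

Calling `analyze(SAMPLE)` reports the hand-off IP as external even though a lower `Received` line names our mail server; a `via_our_mta` of `True` is the case that calls for searching the outgoing mail logs.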
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Are you using Exchange as a spam filter? Try a much stronger spam filter. My own mail system deletes these kinds of emails all the time. My clients use Hosted Exchange and the spam filters (not Exchange) quarantine these emails.

It is important to improve your spam filters because ransomware uses emails to spread.
