William Fulks (United States of America) asked:
Contacts Hijacked and Used for Spoof Emails to Send Malware/Ransomware

My employer was hit with malware two months ago and we've contained and treated it. However, it looks like our address book got hijacked. Users are being bombarded every day by spoofed emails using names of our employees, but coming from various domains around the world. Outside customers and vendors we often communicate with are also reporting that they are getting the same type emails, multiple times daily.

I know this is a long shot, but is there anything at all we can do about this? I suppose anybody can type any name in the "From" box on a message and since they have our names and contacts, they are exploiting it. We mark all external emails as [EXTERNAL] so at least people will see that the emails come from outside our domain despite the user's name, but that doesn't help for our vendors, customers, and other contacts.

We currently have Sophos installed on our servers and desktops, and run Barracuda's spam filter. Most of this stuff is getting caught and blocked, but there are so many that a few still slip through.

Any suggestions here?
timgreen7077:

I would suggest putting in a firewall rule to block port 25 from everything other than your Exchange servers and spam filters. That will block desktops from sending emails via port 25, because if a desktop got infected it could be relaying via port 25 from that desktop to the outside. The only things that need to send out via port 25 are your Exchange servers and spam filters; the Outlook client doesn't connect via port 25, so you are fine. I actually created a GPO to block this via Windows Firewall, but you can block it via Windows on all desktops or via a hardware firewall.

I think your issue lies outside of your firewall. Most likely the SMTP server that is being used is not your Exchange, nor is it your Outlook clients sending out the email.

The unfortunate thing about spoofing is that you cannot control it. If you look at any of the headers you will see some other IP address or server name other than your system's. This means they are using some other relay host and masking their address with yours as a reply-to.

There are steps the mail admin can take, like forcing a reverse lookup or checking SPF TXT, DMARC or DKIM records, but that is on their end and will not prevent someone from sending to the server making it look like you.
William Fulks:

Tim, we are blocking those ports. We've got the thing contained, but I still wonder about the amount of info that went out already.

Yo_bee, yeah that's what we're afraid of. It seems to be out of our hands.
It's the nature of the beast.
Ok, if you are blocking those ports then you are good; that will at least keep your infected machines from sending email bypassing your Exchange servers. I'm sure that your SPF record is also in place, so there will not be much else you can do at this point. The recipient should now filter based on SPF, just validating that the email is coming from an authenticated server for your email domain. There isn't much else you can do at this point; the recipient admins' filters should now come into play.
A strict SPF policy on the domain should help clients better filter out the spam; the SPF record for your domain should end with:

not one of:

You can also remind clients not to click anything in the emails (eg an unsubscribe link), as it will just make the problem worse.
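As an added illustration of the SPF and DMARC policy checks discussed in this thread (example code, not from any poster), the following script classifies the qualifier on an SPF record's terminating `all` mechanism and reads the `p=` tag of a DMARC record; the sample records are constructed and the domain names are placeholders:

```python
import re

# Constructed sample TXT records (not from the thread) showing the range of
# SPF "all" mechanisms a receiving mail server may encounter.
SAMPLE_RECORDS = {
    "strict":   "v=spf1 mx include:spf.protection.example.net -all",
    "softfail": "v=spf1 ip4:203.0.113.0/24 ~all",
    "neutral":  "v=spf1 a mx ?all",
    "open":     "v=spf1 +all",
    "no_all":   "v=spf1 mx",
}

# Meaning of the qualifier on the terminating "all" mechanism (RFC 7208).
ALL_QUALIFIERS = {
    "-": ("fail", "strict: unlisted senders fail"),
    "~": ("softfail", "weak: spoofed mail is only marked, usually delivered"),
    "?": ("neutral", "weak: equivalent to having no policy"),
    "+": ("pass", "open: anyone may send as this domain"),
}

def spf_all_policy(record: str) -> tuple[str, str]:
    """Return (result, explanation) for the record's terminating 'all' mechanism."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, flags=re.IGNORECASE)
        if m:
            q = m.group(1) or "+"   # a missing qualifier means '+' (pass)
            return ALL_QUALIFIERS[q]
    return ("none", "no 'all' mechanism: unmatched senders get neutral")

def is_strict(record: str) -> bool:
    return spf_all_policy(record)[0] == "fail"

def dmarc_policy(record: str) -> str:
    """Return the p= tag of a DMARC TXT record ('none', 'quarantine' or 'reject')."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").lower()

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result, why = spf_all_policy(rec)
        flag = "OK " if result == "fail" else "FIX"
        print(f"{flag} {name:9s} {result:9s} {why}")
```

Only a record ending in `-all` combined with a DMARC `p=quarantine` or `p=reject` gives receiving servers a basis to drop spoofed mail; the other qualifiers leave the decision to the recipient's filter.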
David Johnson, CD (Canada):
All you can do is enable SPF/DKIM/DMARC at your end.
The receiving parties have to have a procedure for when SPF/DKIM/DMARC fails. They ignore it at their risk.
Thanks everyone for your input.