Contacts Hijacked and Used for Spoof Emails to Send Malware/Ransomware

William Fulks
My employer was hit with malware two months ago and we've contained and treated it. However, it looks like our address book got hijacked. Users are being bombarded every day by spoofed emails using names of our employees, but coming from various domains around the world. Outside customers and vendors we often communicate with are also reporting that they are getting the same type of emails, multiple times daily.

I know this is a long shot, but is there anything at all we can do about this? I suppose anybody can type any name in the "From" box on a message and since they have our names and contacts, they are exploiting it. We mark all external emails as [EXTERNAL] so at least people will see that the emails come from outside our domain despite the user's name, but that doesn't help for our vendors, customers, and other contacts.

We currently have Sophos installed on our servers and desktops, and run Barracuda's spam filter. Most of this stuff is getting caught and blocked, but there are so many that a few still slip through.

Any suggestions here?
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
I would suggest putting in a firewall rule to block port 25 from everything other than your Exchange servers and spam filters. That will block desktops from sending emails via port 25, because if a desktop got infected it could be relaying via port 25 from that desktop to the outside. The only thing that needs to send out via port 25 is your Exchange and spam filters; the Outlook client doesn't connect via port 25, so you are fine. I actually created a GPO to block this via Windows Firewall, but you can block via Windows on all desktops or you can block via hardware firewall.
yo_bee, Director of Information Technology

Commented:
I think your issue lies outside of your firewall. Most likely the SMTP server that is being used is not your Exchange, nor is it your Outlook clients sending out the email.

The unfortunate thing about spoofing is that you cannot control it. If you look at any of the headers you will see some other IP address or server name other than your system's. This means they are using some other relay host and masking their address with yours as a reply-to.

There are steps the mail admin can take, like forcing a reverse lookup or challenging SPF TXT or DMARC or DKIM records, but that is on their end and will not prevent someone from sending to the server making it look like you.
William Fulks, Systems Analyst & Webmaster

Author

Commented:
Tim, we are blocking those ports. We've got the thing contained, but I still wonder about the amount of info that went out already.

Yo_bee, yeah that's what we're afraid of. It seems to be out of our hands.
yo_bee, Director of Information Technology

Commented:
It's the nature of the beast.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
OK, if you are blocking those ports then you are good; that will at least keep your infected machines from sending email bypassing your Exchange servers. I'm sure that your SPF record is also in place, so there will not be much else you can do at this point; the recipient should now filter based on SPF to validate that the email is coming from an authenticated server for your email domain. There isn't much else you can do at this point; the recipient admins' filters should now come into play.
Terry Woods, IT Guru
Most Valuable Expert 2011

Commented:
A strict SPF policy on the domain should help clients better filter out the spam; the SPF record for your domain should end with:
-all

not one of:
~all
+all
?all

You can also remind clients not to click anything in the emails (e.g. an unsubscribe link), as it will just make the problem worse.
Top Expert 2016
Commented:
You've lost control of your contacts list and probably your users list. Email is easy to spoof, so it is NOW up to the recipients' spam filter to act on these emails. There is nothing you can do at your end. They will eventually move on. This is one of the reasons email has been enhanced with SPF and DKIM records.
Top Expert 2016

Commented:
All you can do is enable SPF/DKIM/DMARC at your end.
The receiving parties have to have a procedure for when SPF/DKIM/DMARC fails. They ignore it at their risk.
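An added example (not code from any of the posters) that checks the two points made in Terry Woods's answer and the comment above: whether the domain's SPF record terminates in the strict `-all` qualifier rather than `~all`, `+all` or `?all`, and which `p=` policy the DMARC record publishes. The record strings are constructed samples, not real DNS data; a real check would pass in the TXT records fetched for the domain and for `_dmarc.<domain>`.

```python
import re

# Constructed sample TXT records for demonstration (not real DNS data).
SAMPLE_SPF_STRICT = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
SAMPLE_SPF_SOFT = "v=spf1 mx a ~all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def spf_all_qualifier(record):
    """Return the qualifier ('+', '-', '~' or '?') on the SPF 'all'
    mechanism, or None if the string is not an SPF record or has no
    'all' term (e.g. it ends in a redirect= modifier instead)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: no qualifier means Pass
    return None


def spf_is_strict(record):
    """True only when unauthorised senders get a hard Fail (-all)."""
    return spf_all_qualifier(record) == "-"


def dmarc_policy(record):
    """Return the DMARC p= policy (none/quarantine/reject) or None."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def assess(spf_record, dmarc_record):
    """Summarise how much help the records give a receiving filter."""
    findings = []
    if not spf_is_strict(spf_record):
        findings.append("SPF does not end in -all; spoofs only SoftFail or pass")
    policy = dmarc_policy(dmarc_record)
    if policy in (None, "none"):
        findings.append("DMARC policy is none/absent; receivers are not told to reject")
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_SPF_SOFT, "v=DMARC1; p=none"))
```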
William Fulks, Systems Analyst & Webmaster

Author

Commented:
Thanks everyone for your input.
