Answered: Exchange Server 2003 - Appears like a Spoofing Attack

  • 19 April 2012 15:07

    We have a client using Exchange Server 2003, where a single user receives multiple NDR emails from the postmaster@mydomainname.com stating the "Undeliverable: Delivery failure (somethingxxx@hotmail.co.uk)" etc.

    Investigation so far done

    1. When I track the emails sent from that particular user, the user didn't send any email like that.

    2. Some X sends email on behalf of this user to external addresses, and the emails got relayed to our gateway Mimesweeper, which didn't relay those emails and generated undelivered emails.

    ----------------------------------

    Kindly advise on how to proceed further on

    1. Find the source sending the email

    2. How to block it

    3. What could be the reason

    4. So far only one user has reported this issue; is there any chance multiple users are affected?

All replies

  • 20 April 2012 2:32
     Answer
    On Thu, 19 Apr 2012 15:07:56 +0000, Rajkumar-MCITP wrote:
     
    >
    >
    >We have a client using Exchange Server 2003, where a single user receives multiple NDR emails from the postmaster@mydomainname.com stating the "Undeliverable: Delivery failure (somethingxxx@hotmail.co.uk)" etc.
    >
    >Investigation so far done
    >
    >1. When I track the emails sent from that particular user, the user didn't send any email like that.
    >
    >2. Some X sends email on behalf of this user to external addresses, and the emails got relayed to our gateway Mimesweeper, which didn't relay those emails and generated undelivered emails.
    >
    >----------------------------------
    >
    >Kindly advise on how to proceed further on
    >
    >1. Find the source sending the email
     
    What would you do with that information? If the NDRs contain the
    headers of the original message you could use those to extract the
    information.
     
    >2. how to block it
     
    You could stand up another SMTP server that is capable of using BATV
    and use it as an SMTP relay, but BATV has its own set of complications.
     
    You can put SPF data into your DNS. That will help reduce the problem,
    but it won't eliminate it.
     
    You can use recipient filtering and refuse to accept e-mail sent to
    addresses that aren't in your Active Directory.
     
    You could use a DNSBL that lists sources of backscatter.
     
    You can have a look for "backscatter" in a search engine.
     
    >3. what could be the reason
     
    Your domain is being spoofed. But you already seem to know that.
     
    >4. so for only one user report this issue, will there be any chance multiple users are affected?
     
    Yes.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by Castinlu 20 April 2012 8:51
    • Marked as answer by Castinlu 1 May 2012 5:53
  • 20 April 2012 9:10

    Hi,

    Can you find lots of messages in the queues of the server? It seems that you are under an NDR attack.

    Maybe this KB can help you: http://support.microsoft.com/kb/886208 You can try the solution in it and then see if it can fix your issue.

    Hope this can help you.

    Thanks,

    CastinLu

    TechNet Community Support

  • 20 April 2012 16:32
     Has code

    Hi Rich

    Thank you for the reply.

    I did further investigation and came to know the below details. We are still working on this issue to stop the email spoofing.

    Emails which got sent from the user mailbox were not relayed from the internal network. (We got these details from the Mimesweeper log trace.)

    SMTPRS on MIME Sweeper Name log entry made at 04/20/2012 00:10:51
    Incoming SMTP call from ISA Server IP at 00:10:50.
    Address ISA Server IP resolves to ISA Server Name.
    <<< 220 SMTP Relay
    >>> HELO mail2.cableinet.net
    <<< 250 OK
    >>> MAIL FROM:<scjywqi@yahoo.com>
    <<< 250 scjywqi@yahoo.com OK
    >>> RCPT TO:<ouruser@domainname.com>
    <<< 250 ouruser@domainname.com OK

    As you informed, the SPF record is available in DNS. Looking at the ISA servers now. If you find any info in the above log, please inform.

  • 20 April 2012 21:42
    On Fri, 20 Apr 2012 16:32:31 +0000, Rajkumar-MCITP wrote:
     
    >
    >
    >Hi Rich
    >
    >Thank you for the reply.
    >
    >I did further investigation and came to know the below details. We are still working on this issue to stop the email spoofing.
    >
    >Emails which got sent from the user mailbox were not relayed from the internal network. (We got these details from the Mimesweeper log trace.) SMTPRS on MIME Sweeper Name log entry made at 04/20/2012 00:10:51
    >Incoming SMTP call from ISA Server IP at 00:10:50.
    >Address ISA Server IP resolves to ISA Server Name.
    ><<< 220 SMTP Relay
    >
    >>>> HELO mail2.cableinet.net
    ><<< 250 OK
    >>>> MAIL FROM:<scjywqi@yahoo.com>
    ><<< 250 scjywqi@yahoo.com OK
    >>>> RCPT TO:<ouruser@domainname.com>
    ><<< 250 ouruser@domainname.com OK
    >
    >
    >As you informed, the SPF record is available in DNS. Looking at the ISA servers now. If you find any info in the above log, please inform.
     
    The information in that bit of trace isn't a "reverse-NDR", or even an
    NDR. It's just a forged (or made up) yahoo.com e-mail address,
    probably coming from an infected machine. In other words, it's just
    spam. Since yahoo.com prefers not to use SPF, and Exchange doesn't use
    DKIM, you'll have a difficult time trying to deal with it if your spam
    filter is incapable of identifying the message as spam.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

  • 1 May 2012 9:14

    Hi Rich,

    Need your help again.

    From Mimesweeper, I can see a lot of emails sent from the affected user to external unknown email addresses. If I look at the source from where the email came, it shows those emails are from our ISA server.

    I noted the time for all those emails and got stuck: which log do I have to look at in our ISA server? Can you help me find which external source is contacting our ISA server and sending those emails?

    Let me know if it is not clear; I'll explain in another thread.

    Thank you

  • 2 May 2012 2:28
    On Tue, 1 May 2012 09:14:23 +0000, Rajkumar-MCITP wrote:
     
    >
    >
    >Hi Rich,
    >
    >Need your help again.
    >
    >From Mimesweeper, I can see a lot of emails sent from the affected user to external unknown email addresses. If I look at the source from where the email came, it shows those emails are from our ISA server.
     
    The message headers should have the necessary "Received:" headers to
    show you what servers handled the message.
     
    If ISA is just acting as a firewall you should have the publishing
    rule set to "Requests appear to come from the original client" unless
    you have some IP routing that would make it look like the replies from
    your server were spoofed (i.e. asymmetric routes).
     
    >I noted the time for all those emails and got stuck: which log do I have to look at in our ISA server? Can you help me find which external source is contacting our ISA server and sending those emails?
     
    See above.
     
    >Let me know if it is not clear; I'll explain in another thread.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

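One way to act on Rich's advice in both answers above (use the original message's headers carried inside an NDR, and read its "Received:" chain to see which servers handled it), as an added Python example that is not part of this thread: it parses a constructed NDR, pulls out the embedded original message and walks its Received: headers oldest-first to find the hop where one of our own hosts first accepted the mail from outside. The host names, IP addresses and the INTERNAL_HOSTS set are assumptions made up for the example.

```python
import email.policy
import re
# Constructed sample NDR (multipart/report) carrying the spoofed original;
# hosts and IPs are made up for illustration, not taken from the thread.
SAMPLE_NDR = """\
From: postmaster@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Your message could not be delivered.
--B
Content-Type: message/rfc822

Received: from isa.example.com (isa.example.com [10.0.0.5])
  by mimesweeper.example.com with ESMTP; Fri, 20 Apr 2012 00:10:51 +0000
Received: from mail2.cableinet.net (unknown [198.51.100.23])
  by isa.example.com with SMTP; Fri, 20 Apr 2012 00:10:50 +0000
From: ouruser@example.com

body
--B--
"""
INTERNAL_HOSTS = {'isa.example.com', 'mimesweeper.example.com'}  # assumed
def original_message(ndr):
    """Return the message/rfc822 part an NDR carries, or None."""
    for part in ndr.walk():
        if part.get_content_type() == 'message/rfc822':
            return part.get_payload(0)
    return None

def received_chain(msg):
    """Hops oldest-first as (from_name, from_ip, by_host)."""
    hops = []
    for raw in msg.get_all('Received', []):
        text = ' '.join(str(raw).split())  # unfold the header
        m = re.search(r'from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)', text)
        if m:
            ip = re.search(r'\[([0-9.]+)\]', m.group(2) or '')
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3).rstrip(';')))
    return hops[::-1]  # each MTA prepends its header, so the last one is the oldest

def external_source(raw, internal=INTERNAL_HOSTS):
    """First hop where one of our hosts accepted the mail from a host that is not ours."""
    orig = original_message(email.message_from_string(raw, policy=email.policy.default))
    for from_name, from_ip, by_host in (received_chain(orig) if orig else []):
        if by_host in internal and from_name not in internal:
            return {'helo': from_name, 'ip': from_ip, 'accepted_by': by_host}
    return None
```

The returned HELO name and IP, together with the timestamp on that Received: line, are what to match against the ISA server's logs for that connection.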