Spam spoofing occurring on our network, Exchange 2010

  • Question

  • I've been chasing this issue but have not had any progress as of yet.  It started earlier this week...we use a Barracuda Spam and Virus firewall that relays all inbound and outbound email through.  The queue started to back up to 500+ email and the sender is not within our domain.  I've been trying to track which mail client might be sending the spam but have had no luck so far.

    Is there a way to find out what mail client is sending all of this email?  We're running Exch 2010 with a Mailbox server, CAS/HUB.


    Geo

    Wednesday, September 5, 2012 9:50 PM

Answers

  • This has been fixed.  The root cause was on our ASA firewall.  It was allowing port 25 traffic through the IP used for OWA when it should be that all mail traffic is sent to the IP of the spam filter.  This item was overlooked in the ACL when we recently replaced our firewall.  So I guess that explains why the majority of the spam that I saw in the spam filter queue was outbound...it was never going through the Barracuda inbound.

    I was tipped off when I was clearing the spam out of the mail queue and saw a spam message with the IP address of our OWA in the subject.  Thanks again for all the suggestions.


    Geo

    • Marked as answer by Noya Lau Monday, September 24, 2012 6:11 AM
    Wednesday, September 12, 2012 5:07 PM

All replies

  • If they're originating within your network, I'd enable protocol logging on your Exchange receive connectors.

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Wednesday, September 5, 2012 9:56 PM
  • I enabled protocol logging for both the receive and send connectors.  The receive connector logs only showed the spoofed From/To address with the IPs of our spam firewall and load balancer.  Unless I'm missing something, I didn't really find anything useful.  Now looking at the Send Connector log, this is one of the entries that I see....I'm still going through the log

    ----attempting to connect
    ----
    ----,<,220 mail.company.com ESMTP (29af0aab73539d1783b54b936e192375),
    ----,>,EHLO CASServer.company.local,
    ----,<,"250-mail.company.com Hello CASServer.company.local [x.x.x.x], pleased to meet you",
    ----,<,250-SIZE 100000000,
    -----,<,250-PIPELINING,
    -----,<,250-8BITMIME,
    -----,<,250 HELP,
    -----,sending message
    -----,>,MAIL FROM:Valid User@company.com SIZE=24165,
    -----,>,RCPT TO:<Valid User@gmail.com>,
    -----,<,250 Sender <Valid User@company.com> OK,
    -----,<,450 too many connections from your IP (rate controlled),
    -----,>,RSET,
    ------,sending message
    ------,>,MAIL FROM:<xqaekvrc@biyooukp.com> SIZE=2206 BODY=7BIT,
    ------,>,RCPT TO:<jm_gzcosmetics@163.com>,
    ------,-,,Remote


    Geo

    Thursday, September 6, 2012 9:06 PM
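    Added example, not from the thread or from Microsoft: once protocol logging is on, as the earlier reply suggests, the receive-connector logs can be parsed to answer the original question of which client is handing spam to Exchange. It assumes the standard Exchange 2010 protocol-log CSV layout (the #Fields header); the log rows, IPs, accepted domain and relay address are constructed for illustration.

```python
import csv
import re
from collections import Counter

# Constructed receive-connector protocol log in the Exchange 2010 CSV layout.
# All hosts, IPs and addresses are made up. In receive logs "<" marks commands
# received from the remote client, ">" what Exchange sent back (the send-connector
# excerpt in the thread is the mirror image: ">" is the CAS sending EHLO).
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-09-06T20:01:10.010Z,CAS1\\Default CAS1,08CF5A1,1,10.0.0.5:25,10.0.0.20:41022,>,220 CAS1 ESMTP,
2012-09-06T20:01:10.020Z,CAS1\\Default CAS1,08CF5A1,2,10.0.0.5:25,10.0.0.20:41022,<,MAIL FROM:<user@company.com>,
2012-09-06T20:01:12.010Z,CAS1\\Default CAS1,08CF5A2,1,10.0.0.5:25,203.0.113.77:52310,<,MAIL FROM:<xqaekvrc@biyooukp.com> SIZE=2206 BODY=7BIT,
2012-09-06T20:01:13.010Z,CAS1\\Default CAS1,08CF5A3,1,10.0.0.5:25,203.0.113.78:52311,<,MAIL FROM:<ceo@company.com>,
"""

MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?([^\s>]+)", re.IGNORECASE)

def parse_protocol_log(text):
    """Yield one dict per data row, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, next(csv.reader([line]))))

def find_suspect_senders(text, accepted_domains, expected_relays):
    """Count MAIL FROM commands per (remote IP, sender domain, reason).
    Reported when the sender domain is not one the org accepts (relay abuse) or
    when the client IP is not a host that should hand mail to Exchange at all,
    e.g. the spam firewall or load balancer (mail that bypassed the filter)."""
    accepted = {d.lower() for d in accepted_domains}
    findings = Counter()
    for row in parse_protocol_log(text):
        if row["event"] != "<":
            continue
        match = MAIL_FROM.match(row["data"])
        if not match:
            continue
        domain = match.group(1).rpartition("@")[2].lower()
        remote_ip = row["remote-endpoint"].rsplit(":", 1)[0]
        reasons = []
        if domain not in accepted:
            reasons.append("foreign-sender")
        if remote_ip not in expected_relays:
            reasons.append("unexpected-source")
        if reasons:
            findings[(remote_ip, domain, "+".join(reasons))] += 1
    return findings
```

    Against a real log directory, concatenate the daily RECV*.log files and feed the text in; a remote IP that shows up repeatedly with "unexpected-source" is the path that bypasses the spam filter, which is what the firewall ACL gap in this thread would have produced.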
  • I don't think you're going to be able to do anything on the Exchange side if it's coming from the Barracuda.  You need to address it there.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Thursday, September 6, 2012 9:23 PM
  • Please check to see if you have sender spoof protection enabled on your Barracuda.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Friday, September 7, 2012 2:43 PM
  • In addition, you can use the Sender ID to combat spoofing. The Sender ID agent is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sender domain. For details, see this document. Hope this helps.


    Noya Lau

    TechNet Community Support

    Sunday, September 9, 2012 9:37 AM