Spam sent internally via internal Address Book RRS feed

  • Question

  • Hi there
    I'm relatively new to Exchange Server as I've been hired recently, but one of our company's clients has Exchange 2003 set up on a Windows Server 2003 R2 SP2 server, and many of our client's staff are getting the same spam email that's requesting sensitive information about them. It started about a week ago, but now they're getting the spam in the dozens. The real problem is that all the incoming email they get has their own or co-workers' email addresses as the sender, so we can't just block the spam on our firewall or server antivirus or anything like that. How would I go about finding where this email is coming from (internally or externally), and what should I be doing to put an end to this? The last thing I want to do is start changing the IP addresses on our main switches and servers and all that, because that'll take time to get everything back up and running. Is there some kind of script or program I should be looking for hidden somewhere, maybe?

    Thank you,


    Taysseer

    Monday, August 29, 2011 6:17 PM

Answers

  • Hi,

    The spammer may spoof your internal users' email addresses. Please check the Internet headers of the spam mails. They will tell you who is sending these spam messages.

    Open Outlook, right-click a spam message and click Internet Headers. The information looks like this:

    Microsoft Mail Internet Headers Version 2.0

    Received: from xxx.domain2.com (101.1.88.97) by
    ex.yourdomain.com (196.60.220.216) with
    Microsoft SMTP Server (TLS) id 14.0.682.1; Fri, 28 May 2010 14:07:22 +0800

    Received: from xxx.domain1.com (157.54.88.97) by
    xxx.domain2.com (101.1.88.97) with
    Microsoft SMTP Server (TLS) id 14.0.682.1; Fri, 28 May 2010 14:07:22 +0800

    ………

    The IP address in red, 157.54.88.97, is the real sender of this spam email. The IP address in green, 196.60.220.216, is your Exchange server's IP address. The hop count of this message is 2: from xxx.domain1.com (157.54.88.97) to xxx.domain2.com (101.1.88.97), then xxx.domain2.com (101.1.88.97) sent it to your Exchange organization.

    Once you find the culprit, you can block it from your exchange server:

    1. Open EMS, right click SMTP virtual server and choose properties.

    2. In Access tab, click Connection button.

    3. Select “All except the list below”. Add the culprit’s IP address.

    Gen Lin 
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com 

    • Marked as answer by Gen Lin Tuesday, September 6, 2011 8:13 AM
    Tuesday, August 30, 2011 10:47 AM

All replies

  • One detail that's probably important to know is that a lot of the CC'd addresses that we see on the emails we do receive are even sending them to email addresses that used to exist in our AD, but have been deleted for up to a few years now. Maybe an old address book floating around somewhere?
    Monday, August 29, 2011 6:23 PM
  • On Tue, 30 Aug 2011 10:47:43 +0000, Gen Lin wrote:
     
    >
    >
    >Hi,
    >
    >The spammer may spoof your internal users' email addresses. Please check the Internet headers of the spam mails. They will tell you who is sending these spam messages.
    >
    >Open Outlook, right-click a spam message and click Internet Headers. The information looks like this:
    >
    >Microsoft Mail Internet Headers Version 2.0
    >
    >Received: from xxx.domain2.com (101.1.88.97) by ex.yourdomain.com (196.60.220.216) with Microsoft SMTP Server (TLS) id 14.0.682.1; Fri, 28 May 2010 14:07:22 +0800
    >
    >Received: from xxx.domain1.com (157.54.88.97) by xxx.domain2.com (101.1.88.97) with Microsoft SMTP Server (TLS) id 14.0.682.1; Fri, 28 May 2010 14:07:22 +0800
    >
    >………
    >
    >The IP address in red, 157.54.88.97, is the real sender of this spam email.
     
    The ONLY "Received:" header you can trust is one that's been added by
    servers under your control. The IP address 157.54.88.97 may be
    correct, but it's also very likely to be a forgery.
     
    >The IP address in green, 196.60.220.216, is your Exchange server's IP address. The hop count of this message is 2: from xxx.domain1.com (157.54.88.97) to xxx.domain2.com (101.1.88.97), then xxx.domain2.com (101.1.88.97) sent it to your Exchange organization.
    >
    >Once you find the culprit, you can block it from your exchange server:
     
    Or just turn off the port on the switch it's connected to.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, August 31, 2011 12:54 AM
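    As an added worked example, not part of the original thread, the following Python script does the header walk that the accepted answer describes while respecting the caveat in the reply above it: it reads the Received: chain from the top and stops at the first line that was not written by a server you control. The IP from the last line your own server wrote is the address that actually connected to you (the one worth blocking or unplugging); anything further down is only a claim the sender could have forged. The sample message is constructed from the header layout quoted in the answer with a made-up From/To/Subject and body, and the script assumes that ex.yourdomain.com is the only server you control and that yourdomain.com is your internal mail domain.

```python
import email
import re
from email import policy

# Constructed sample message. The two Received: lines copy the layout quoted in
# the answer above; the From/To/Subject lines and the body are made up.
RAW_MESSAGE = b"""Received: from xxx.domain2.com (101.1.88.97) by
 ex.yourdomain.com (196.60.220.216) with
 Microsoft SMTP Server (TLS) id 14.0.682.1; Fri, 28 May 2010 14:07:22 +0800
Received: from xxx.domain1.com (157.54.88.97) by
 xxx.domain2.com (101.1.88.97) with
 Microsoft SMTP Server (TLS) id 14.0.682.1; Fri, 28 May 2010 14:07:22 +0800
From: alice@yourdomain.com
To: alice@yourdomain.com
Subject: Please confirm your details

Reply with your password and date of birth.
"""

# Assumptions for the example: the only server under your control, and your
# own mail domain. Adjust both to the environment you are investigating.
TRUSTED_HOSTS = {"ex.yourdomain.com"}
INTERNAL_DOMAINS = {"yourdomain.com"}

# "from <host> (<ip>) by <host> (<ip>)" as written by Microsoft SMTP servers.
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*\((?P<from_ip>[^)]*)\)\s+by\s+"
    r"(?P<by_host>\S+)\s*\((?P<by_ip>[^)]*)\)",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into its from/by hosts and addresses."""
    flat = " ".join(str(value).split())  # join folded continuation lines
    match = HOP_RE.search(flat)
    return {k: v.strip() for k, v in match.groupdict().items()} if match else None


def trace_origin(raw, trusted_hosts=TRUSTED_HOSTS, internal_domains=INTERNAL_DOMAINS):
    """Walk the Received: chain top-down and split it at the trust boundary.

    Each server prepends its own Received: line, so the first line was written
    by the server that delivered the message to the mailbox. We keep following
    hops while the 'by' host is one we control; the 'from' address of the last
    such hop is the IP that really connected to our infrastructure. Lines below
    that point were written by someone else and may be forged, so they are
    returned separately as unverified claims rather than as the "real sender".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    trusted = {h.lower() for h in trusted_hosts}
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]

    verified, claimed = [], []
    for hop in hops:
        if not claimed and hop["by_host"].lower() in trusted:
            verified.append(hop)
        else:
            claimed.append(hop)  # once we leave our servers, nothing below is trusted

    connecting_ip = verified[-1]["from_ip"] if verified else None
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    # Mail that really originated inside would be handed over by one of our own
    # hosts (or submitted without any Received: line at all); an internal From:
    # address arriving from an untrusted host is therefore a spoof.
    handed_over_by_stranger = bool(verified) and verified[-1]["from_host"].lower() not in trusted
    return {
        "connecting_ip": connecting_ip,
        "unverified_ips": [h["from_ip"] for h in claimed],
        "from_domain": from_domain,
        "looks_spoofed": from_domain in internal_domains and handed_over_by_stranger,
    }


if __name__ == "__main__":
    result = trace_origin(RAW_MESSAGE)
    print("IP that connected to our server (block this one):", result["connecting_ip"])
    print("IPs claimed further down the chain (unverifiable):", result["unverified_ips"])
    print("Internal sender address spoofed:", result["looks_spoofed"])
```

    For the sample above the script reports 101.1.88.97 as the connecting address and lists 157.54.88.97 only as an unverified claim. If the connecting address turns out to be a machine on the client's own LAN, that is the host to disconnect at the switch; if it is external, it is the one to add to the SMTP virtual server's connection control list as the answer describes.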
  • Hi,

    Is there any update?

    Thursday, September 1, 2011 7:25 AM