1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Spoofed email problems

Discussion in 'Exchange Exams' started by Sparky, Apr 26, 2007.

  1. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Ok, so one of my clients is having problems with spam email. Nothing new but they have just bought an anti-spam solution which has helped but they still get spam from their own domain.

    A few users get junk email (the usual dodgey stuff) from something like recfrs@companyname.com. I then configure the spam filter to block that address and the I.P it has come from but the next day the address changes to sdfsdf@companyname.com and so does the I.P so I’m playing catch up!

    Spoke to one of the senior network guys and he says the email is definitely originating from outwidth the network and then being spoofed somehow.

    I opened up the header of one of the emails today and it was completely blank so that was no help.

    Does anyone know how I can stop this? I was thinking I might be able to do a reverse DNS lookup on the email somehow as the email is not being generated internally when obviously it should be as the email address on the spam email is the company domain.

    All PCs and Servers are patched and AV is up to date.

    Any suggestions? Virtual Beers for any help! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    How much spam are we talking about here Sparky?

    At the end of the day you're always going to get some stuff that gets through.
     
  3. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    does the mail come from an ISP first, coz if it does then you could point exchange to only receive mail from the ISP and cut out the spam
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  4. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    2 or 3 each day to all the important people. :blink

    The only spam that is getting through is from the companies own domain name though which is causing the problem. So at first glance it looks like it has been sent from somebody else within the company but obviously it isnt.

    Its coming from an external source and somehow the email domain is being spoofed. I *think* there is a menthod to configure Exchange to stop this from happening. I have had to configure reverse DNS on email domains before so email isnt rejected from locked down mail servers but now I need to lock down Exchange (I think) to stop this.

    Any Exchange gurus out there? :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Have a look at the traffic logs on the firewall. They should show you anything that comes in on port 25 and enable you to trace it back. If you get raw logs, make sure you look at the 'real' originating IP - pound to a penny its botnet spam. You won't be able to block this - unfortunately its one of the problems inherent with e-mail. You could try massaging the anti-spam to use something like LDAP authentication for all mail from within the domain (there's no reason for anything that has the internal domain name originating at the gateway - i.e. outside the Exchange environment (presuming thats what they're using) so they should be able to set up some rules to block based on pattern matching in header files or something.

    You could try blocking CIDR blocks from countries where the vast majority opf botnet spam originates (Korea, Singapore, Ukraine, Brazil etc). I've just finished converting the Geo-coded IP database from Decimal representations of IPs to dotted-quad in Excel - if you think that might help gimme a shout and I'll email it to you.

    What anti-spam solution are they using? Most of the decent ones nowadays work on reputation-based technology instead of the old stalwarts of bayesian analysis and pattern/word matching - if they've put in something which DOESN'T use a reputation-based engine at its heart then they are already fighting a losing battle.

    What sort of spam are they getting? Is it pump & dump stock spam? Image based? obfuscated V|@gr@ or C1talis spam? There are some pretty efficient things you can do with Spam Assassin to supplement your paid-for AS solution - you might want to try convincing them to set up an internal relay running Linux & Spam Assassin between the AS box and the Exchange environment - its all about defence in depth nowadays!
     
    Certifications: A few
    WIP: None - f*** 'em
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Cheers Zeb.

    They have forked out for a Sonicwall Email Security appliance. To be honest its doing a great job blocking spam and the only obvious stuff thats getting through is from the companies own domain name.

    If it was just a few 'regular' spam emails I would just tell them that all spam cant be blocked.

    Edit:

    No image based stuff. Just the usual Viagra and then a hyperlink. Not much text in the email to be honest

    Example

    From: Ila [mailto:uyli@sparkycompany.com]
    Sent: 21 March 2007 08:14
    To: Mr Sparky
    Subject: ger ur swiss together



    Quality, Gold,

    Guarantee hold!

    ***



    <http://www.descnew.com>



    ***
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Sparks

    Can you not configure the external mail relay (presumably on the firewall or via the upstream ISP) with a blacklist that drops everything destined TO the internal domain FROM the internal domain? Since internal mail will be handled by Exchange routing there should be no need to enable mail that (allegedly) originates from within the organisation on the gateway.

    Alternatively, you could look at implementing digital signatures for the internal mail environment - that won't be easy, but should resolve the problem of spoofed internal mails completely
     
    Certifications: A few
    WIP: None - f*** 'em
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Yeah, at the moment inbound SMTP traffic is forwarded to the spam filter and then it hits the Exchange server so I was thinking of blocking all inbound email with @companyname.com as the email should be generated internally.

    The virtual SMTP server on the Exchange server points at the filter (smarthost) for auditing so need to make sure that wont cause a problem.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. supag33k

    supag33k Kilobyte Poster

    461
    19
    49
    Okay I had a similar problem some time back and fixed it by configuring the outbound spam filter in the smart host.

    Note that outward filtering can slow the the performance of the Exchange server considerably due to queue lengths etc.

    Also the dns requests for spam checking can significantly affect email performance so a fully functional smart host is really valuable.

    Then check for malware on your internal machines, and make sure that web browsing for all clients is locked down to kosher and productive sites only. This is as a PC with elevated permissions and webmail access could bring in something wicked that drops your network badly.

    Also check and see if someone has installed their own smtp relay internally, if neccessary get HR to perform the dreaded HR punt on their sorry butts.

    This could be the situation, diplomatically check those managers PC's for web settings and make sure they dont have elevated permissions.

    Consider also your DNS setup - as a DNS server on the web [such as your ISP's] should not appear in the "ipconfig /all' for the clients. The client access to web should be via the smart host also.
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  10. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    All sorted now (I think!), blocked inbound smtp from the company email domain and no more spam. Internal email still routes ok 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010

Share This Page

Loading...