
Exchange/Email Tracking question for techies

Discussion in 'General Open/Public Discussion' started by FaithStrike, 22 Sep 2005.


  1. I know no one likes Exchange and would cut off their left arm before they would use it if given a choice. But I don't have a choice at this time, so I need to deal with it. My question is this: I have some spam coming in that appears to be sent from my server to a mailbox on that server, although the email address the recipient sees is bogus and not a real address. I know this is called address spoofing, but what I need to do is try and track this message to where it really came from. The software I have filtering email will not stop it because it has the same domain name as my company. Any suggestions as to what I can do to track this will be appreciated.

    Faithstrike
     
  2. ORANGE

    ORANGE DragonWolf

    Urrr, can you set up a filter to divert it to your spam and/or trash? If it's using the same subject, at least. That's a quick fix that doesn't really solve the problem but gets the job done.
     
  3. Have you viewed the message header?

    This will show the real originating domain.

    What you want to look for are the lines that begin with "Received: from".

    The last such line shows the origin of the mail. This is not so easy to spoof as just spoofing the "From" field.

    I run a web site. As such, I get a LOT of spam to my "info" and "Admin" addresses.

    I have caught some people who thought they were being cute by sending me viruses attached to e-mails. I guess they thought they were being quite the hacker because they spoofed only the "from" field. The message header gave them up and I reported them to their ISP and sent them an e-mail letting them know.

    They may have been the victim of a worm, but I had some good reasons to doubt it. ;)

    If the last "Received: from" line is your domain, then someone has an e-mail worm on their computer that is sending out the spam and you need to report it to your IT staff so they can track down and kill it.
     
    Last edited: 23 Sep 2005
  4. symen

    symen DragonWolf

    What Evilslayer said. :D

    Also, just a little addendum: be aware that some trickier spammers have started trying to forge Received: headers as well. Check the headers to make sure they show a consistent path (the 'Received from' address should always match the 'Received by' address on the header below it). Also, make sure that when you look at the 'Received from' address, you look at the second address in parentheses, as the first one is the domain set by the sending computer, which can't really be trusted as the SMTP protocol allows you to set it to whatever you want. The second address is the return IP address from the connection with its DNS reverse lookup, so it's much more difficult to forge.

    Once you figure out where the messages are coming from, you might be able to filter based on a certain address appearing in the Received: headers. Of course, that will depend on whether your software will let you use arbitrary headers as filtering sources.

    Hope this helps!
     
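    A small checker for the chain test described in this post, added here as an example and not code from the thread: it parses the Received: lines newest-first, walks down from the line our own server added, and stops at the first line whose 'by' host does not match the 'from' name above it. All header text, host names and IPs below are constructed sample data.

```python
import re

# Constructed sample headers (not from the thread). Newest Received: line is on top;
# the bottom one is the hop closest to the origin.
CLEAN = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.com with ESMTP; Thu, 22 Sep 2005 10:00:00 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mail.example.com with ESMTP; Thu, 22 Sep 2005 09:59:00 -0400
Received: from example.com (dsl-5.attacker-isp.example [203.0.113.5])
    by relay.isp.example with SMTP; Thu, 22 Sep 2005 09:58:00 -0400
"""
# Same origin, but the sender appended a fake bottom line claiming an internal hop.
FORGED = """\
Received: from example.com (dsl-5.attacker-isp.example [203.0.113.5])
    by mx.example.com with ESMTP; Thu, 22 Sep 2005 10:00:00 -0400
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by smtp.example.com with ESMTP; Thu, 22 Sep 2005 09:59:00 -0400
"""
# "from <HELO name> (<reverse DNS> [<IP>]) ... by <receiving host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
                 r".*?\bby\s+(?P<by>\S+)", re.S)

def hops_newest_first(headers):
    """Unfold continuation lines and parse each Received: header, top to bottom."""
    lines = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # folded continuation of previous header
        else:
            lines.append(line)
    hops = []
    for line in lines:
        if line.lower().startswith("received:"):
            m = HOP.search(line)
            if m:
                hops.append(m.groupdict())
    return hops

def trusted_origin(hops):
    """Walk down from the line our own server added and stop where the chain
    breaks: each lower line's 'by' host must match the 'from' name (HELO or
    rDNS) of the line above it. The last consistent hop is the real origin."""
    origin = hops[0]
    for lower in hops[1:]:
        if lower["by"] not in (origin["helo"], origin["rdns"]):
            break  # this line was not written by the host above it: treat as forged
        origin = lower
    # Report the bracketed IP / reverse DNS; the HELO name is chosen by the sender.
    return {"ip": origin["ip"], "rdns": origin["rdns"], "helo": origin["helo"]}
```

    On the forged sample the naive "bottom Received: line" rule would blame the internal host 192.0.2.10, while the chain check stops at the break and still reports 203.0.113.5.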
  5. Full Otto

    Full Otto Chain Gun Madman

    We are an Exchange company (20,000+ running it). I can ask Mark, the guy that sits next to me; he can tell you what you need to do. He is also the anti-spam guy as well.
     
  6. Exchange Issues

    What version are you using? Exchange 2003 by default doesn't allow unauthenticated SMTP traffic to be forwarded through it. Microsoft did this to stop the spammers from using their local, improperly configured mail server as a spam gateway.

    Check the advanced header and find out the IP Address it's coming from and do some network research.

    Blazt
    -Certified Ethical Hacker
     
