[SOLVED] Corporate email sending spam

NEW2IT · 04-04-2008, 06:07 AM

I noticed yesterday in our spam filter that one of our email accounts received a bunch of delivery failures, and that account was not used yesterday as that person is on vacation. Since the filter caught them I just deleted them and moved on. My boss called me this morning and told me he had received a bunch of failures that the filter did not catch. I looked into a few and it seems that somehow spam emails that we normally receive are being sent out via his email address and then are being blocked or sent to invalid addresses and sent back. We use Groupwise on a Novell server over a LAN. I am not sure what is happening or what to do?

**Cellus** · 04-04-2008, 01:08 PM

Before jumping to any conclusions I recommend you inspect the e-mail headers and logs and really check to see where they actually came from. It is not uncommon in spam tactics to spoof the e-mail address and have it say it originated from you to fool the spam filters. Really check to make sure if the delivery failures are actual delivery failures, and really check to make sure suspect mail that may have originated from you actually came from you.

It can be very annoying, but spammers use this technique because it works on filters sometimes.

Mack · 04-05-2008, 09:01 AM

Hi don't want to high-jack tread but this happend to me recently. Some mail programs you can check where the mail originated from. In my case it originated from a yahoo adress even though in the email it looked like I had sent it.

johnwill · 04-05-2008, 10:09 AM

This is very common, it's one of the many tricks SPAMMERS use. They spoof a specific domain and send spam for a period of time until most filters have put that domain in their spam filters. It happened to my domain last year, I was getting hundreds of bounce messages a day for all sorts of random addresses from my domain.

Weather the storm, they'll give up on your domain after a few days and move on to some other hapless victim.

gmavai · 04-07-2008, 11:31 PM

Before you do anything drastic, check the email/internet headers of the emails and see where they're coming from - are they really from your email accnt or from someone 'else'. This can be due to spammers using spoofing techniques to fool users that the emails they're receiving are from legitimite sources.

johnwill · 04-08-2008, 06:19 AM

Here's one page on tracing the headers...

http://www.usus.org/elements/tracing.htm

NEW2IT · 04-09-2008, 05:52 AM

Great link. Things have slowed down a bit as far as our email goes. I have a copy of an email header we received back that I tried to dissect via that link but I am having a little trouble with doing so. I am an untrained Network Admin. just trying to learn as much as I can before I pull out all my soon to be grey hair. Being a grunt was so much easier. Here it is. I replaced our email address with spoofedemail@here.com. I am just curious how to find out where it actually came from for future knowledge. Thanks.

Received: from [66.228.226.19] (HELO smtp155.redcondor.com)
by prtel.com (CommuniGate Pro SMTP 4.2.6)
with ESMTP id 247296310 for revcmp@prtel.com; Fri, 04 Apr 2008 12:51:21 -0500
Received: from dsl88-244-31814.ttnet.net.tr <spoofedemail@here.com> ([88.224.124.70]) by smtp155.redcondor.com; Fri, 04 Apr 2008 09:51:17 -0800
X-RC-HOST: smtp155.redcondor.com
X-RC-DBID: e7e9281b-cb7a-4b22-a2a4-f7e7e618a83d
X-RC-ID: 20080404175117217
X-RC-IP: 88.224.124.70
X-RC-FROM: <spoofedemail@here.com>
X-RC-RCPT: <revcmp@prtel.com>
Message-ID: <000601c8967c$01744e00$ae44c7af@txbspqk>
From: "andreas claud" <spoofedemail@here.com>
To: "Clarence Haynes" <revcmp@prtel.com>
Subject: High Quality Watches Available Now
Date: Fri, 04 Apr 2008 16:03:33 +0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

oldmn · 04-09-2008, 06:47 AM

Any time you have an online business with contact information you will get these.
The best thing is just delete them and move on.
They have done the same thing, used it and moved on.
Anyone that could figure out how to stop it

johnwill · 04-11-2008, 05:34 AM

Well, this is a clue!

From: "andreas claud" <spoofedemail@here.com>

04-04-2008, 06:07 AM	#1 (permalink)
NEW2IT Registered User Join Date: Jan 2008 Posts: 25 OS: XP	[SOLVED] Corporate email sending spam I noticed yesterday in our spam filter that one of our email accounts received a bunch of delivery failures, and that account was not used yesterday as that person is on vacation. Since the filter caught them I just deleted them and moved on. My boss called me this morning and told me he had received a bunch of failures that the filter did not catch. I looked into a few and it seems that somehow spam emails that we normally receive are being sent out via his email address and then are being blocked or sent to invalid addresses and sent back. We use Groupwise on a Novell server over a LAN. I am not sure what is happening or what to do?

04-04-2008, 01:08 PM	#2 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,526 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: Corporate email sending spam Before jumping to any conclusions I recommend you inspect the e-mail headers and logs and really check to see where they actually came from. It is not uncommon in spam tactics to spoof the e-mail address and have it say it originated from you to fool the spam filters. Really check to make sure if the delivery failures are actual delivery failures, and really check to make sure suspect mail that may have originated from you actually came from you. It can be very annoying, but spammers use this technique because it works on filters sometimes. __________________ TSF Networking Team HijackThis 5 Step Process Donate!

04-05-2008, 09:01 AM	#3 (permalink)
Mack Registered User Join Date: Nov 2004 Location: Ireland Posts: 229 OS: Vista/Xp sp3 My System	Re: Corporate email sending spam Hi don't want to high-jack tread but this happend to me recently. Some mail programs you can check where the mail originated from. In my case it originated from a yahoo adress even though in the email it looked like I had sent it.

04-05-2008, 10:09 AM	#4 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 28,754 OS: XP-Pro, Vista, Linux Blog Entries: 1	Re: Corporate email sending spam This is very common, it's one of the many tricks SPAMMERS use. They spoof a specific domain and send spam for a period of time until most filters have put that domain in their spam filters. It happened to my domain last year, I was getting hundreds of bounce messages a day for all sorts of random addresses from my domain. Weather the storm, they'll give up on your domain after a few days and move on to some other hapless victim. __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

04-07-2008, 11:31 PM	#5 (permalink)
gmavai Registered User Join Date: Mar 2008 Posts: 1 OS: xp	Re: Corporate email sending spam Before you do anything drastic, check the email/internet headers of the emails and see where they're coming from - are they really from your email accnt or from someone 'else'. This can be due to spammers using spoofing techniques to fool users that the emails they're receiving are from legitimite sources.

04-08-2008, 06:19 AM	#6 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 28,754 OS: XP-Pro, Vista, Linux Blog Entries: 1	Re: Corporate email sending spam Here's one page on tracing the headers... http://www.usus.org/elements/tracing.htm __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

04-09-2008, 05:52 AM	#7 (permalink)
NEW2IT Registered User Join Date: Jan 2008 Posts: 25 OS: XP	Re: Corporate email sending spam Great link. Things have slowed down a bit as far as our email goes. I have a copy of an email header we received back that I tried to dissect via that link but I am having a little trouble with doing so. I am an untrained Network Admin. just trying to learn as much as I can before I pull out all my soon to be grey hair. Being a grunt was so much easier. Here it is. I replaced our email address with spoofedemail@here.com. I am just curious how to find out where it actually came from for future knowledge. Thanks. Received: from [66.228.226.19] (HELO smtp155.redcondor.com) by prtel.com (CommuniGate Pro SMTP 4.2.6) with ESMTP id 247296310 for revcmp@prtel.com; Fri, 04 Apr 2008 12:51:21 -0500 Received: from dsl88-244-31814.ttnet.net.tr <spoofedemail@here.com> ([88.224.124.70]) by smtp155.redcondor.com; Fri, 04 Apr 2008 09:51:17 -0800 X-RC-HOST: smtp155.redcondor.com X-RC-DBID: e7e9281b-cb7a-4b22-a2a4-f7e7e618a83d X-RC-ID: 20080404175117217 X-RC-IP: 88.224.124.70 X-RC-FROM: <spoofedemail@here.com> X-RC-RCPT: <revcmp@prtel.com> Message-ID: <000601c8967c$01744e00$ae44c7af@txbspqk> From: "andreas claud" <spoofedemail@here.com> To: "Clarence Haynes" <revcmp@prtel.com> Subject: High Quality Watches Available Now Date: Fri, 04 Apr 2008 16:03:33 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

04-09-2008, 06:47 AM	#8 (permalink)
oldmn Hardware Tech Join Date: Oct 2005 Location: Gig Harbor Wa Posts: 2,137 OS: XP Pro SP3 X 3 My System	Re: Corporate email sending spam Any time you have an online business with contact information you will get these. The best thing is just delete them and move on. They have done the same thing, used it and moved on. Anyone that could figure out how to stop it __________________ AVG \| MEMTEST86 \| Zone Alarm \| XXCLONE \| Adaware \| Beyond Compare \| Everest If TSF has helped you, Tell us about it! or Donate to help keep the site up! Sorry no PM's for problems.

04-11-2008, 05:34 AM	#9 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 28,754 OS: XP-Pro, Vista, Linux Blog Entries: 1	Re: Corporate email sending spam Well, this is a clue! From: "andreas claud" <spoofedemail@here.com> __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience