
SPAM Source?

partner1220 (Weaksauce, joined Aug 22, 2008, 75 messages)
Our ISP has sent us notice that we are generating SPAM and have included headers for a couple messages. I'm having a tough time 'translating' the headers. Would someone be able to confirm these messages are originating from my server? I've replaced our actual domain with mydomain.com and my actual IP address with myipaddress.

We're still running SBS 2003 w/Exchange fully updated. I've disabled relaying, NDR reports, enabled tar pitting. I'm wondering if this may be coming from an infected PC. Any help would be appreciated

Return-Path: <redactedya@addvalsolutions.com>
Received: from mydomain.com (cpe-static-mydomain-rtr-f0.sm. [myipaddress]) by mtain-de06.r1000.mx.aol.com (Internet Inbound) with ESMTP id 50C9B3800008A; Thu, 25 Jul 2013 10:07:20 -0400 (EDT)
Received: from mail-13-ewr.dyndns.com ([216.146.33.28]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 25 Jul 2013 10:07:17 -0400
X-Mail-Handler: MailHop by DynDNS
X-Originating-IP: 189.202.35.106
Received: from 189.202.35.106.cable.dyn.cableonline.com.mx (189.202.35.106.cable.dyn.cableonline.com.mx [189.202.35.106]) by mail-13-ewr.dyndns.com (Postfix) with ESMTP id 649E7A4A885 for <redacted@mydomain.com>; Thu, 25 Jul 2013 14:07:16 +0000 (UTC)
X-VirtualServer: Default, smailer1.service.addvalsolutions.com, 10.10.2.41
X-VirtualServerGroup: Default
X-MailingID: 06338673::20130725.53671721::1001::MDB-PRD-BUL-20130725.11319815::redacted@mydomain.com::34122
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: redacted@mydomain.com
X-SMFBL: PVHPujSsGWQzWiQbRMCAeRFSmokgbsENyWg=
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
x-subscriber: UFtamvDeROFVwoGOoxxGItqjnVNVtxaZQJq=
X-AccountCode: USEERE
Errors-To: errors@addvalsolutions.com
Reply-To: <noreply@addvalsolutions.com>
List-Unsubscribe: <mailto:60903627-20130725@unsubs.addvalsolutions.com>, <http://www.addvalsolutions.com/unsubscribe.php/msg/18082684/20130725>
MIME-Version: 1.0
Message-ID: <f1c03fa4a69fc.20130725.29d72b5e82.13a01a115497@189.202.35.106.cable.dyn.cableonline.com.mx>
Subject: Brand New Weight Loss System in U.S.
Date: Thu, 25 Jul 2013 09:07:15 -0500
To: <redacted@mydomain.com>
From: "Dr. OZ's Newsletter" <eldersya@addvalsolutions.com>
X-OriginalArrivalTime: 25 Jul 2013 14:07:17.0205 (UTC) FILETIME=[4530A050:01CE8940]
x-aol-global-disposition: G
x-aol-sid: 3039ac1d40ce51f131161e4a
X-AOL-IP: myipaddress
X-AOL-SPF: domain : addvalsolutions.com SPF : neutral

From: Dr. OZ's Newsletter [mailto:eldersya@addvalsolutions.com]
Sent: Thursday, July 25, 2013 10:07 AM
To: redacted@mydomain.com
Subject: Brand New Weight Loss System in U.S.

View email online

Dr. Oz's Newsletter
This month's top product:
Many obese people are desperate and sure that losing weight and staying slim is impossible. In fact, it has actually been next to impossible until our revolutionary product was finally invented. Nature is the only power capable of working miracles and reversing everything that goes wrong. Your brain is sending too many hunger signals to your stomach now. With the product you lose 10-15 lbs monthly and feel great! Try it today.

  • 5 Moves for Strong Abs - No Crunches!
  • Want a Flat Belly? Dr. Oz's 8 Tips to Make it Happen
  • Surprising Foods That Flatten Your Belly
  • Yes! You Can Lose Weight In 10 Minutes or Less!

Stay Connected: FACEBOOK | TEXT ALERTS | MOBILE

In the past you provided BodySlim with your email address [elders@mydomain.com]. Occasionally, you will receive brief advertising announcements regarding special items and services. If you no longer want to receive these advertisements, please click unsubscribe. Please DO NOT CLICK REPLY, as the email will not be read.
To contact us please click here.
BodySlim Wholesale, Customer Service | P.O. Box 31825 -- Seattle, WA 98124-1535
© 1998-2013 BodySlim Wholesale Corporation. All rights reserved.
Privacy Statement Terms and Conditions Update Email Preferences

Received: from mydomain.com (cpe-static-mydomain-rtr-f0.sm. [myipaddress]) by mtain-de06.r1000.mx.aol.com (Internet Inbound) with ESMTP id 50C9B3800008A; Thu, 25 Jul 2013 10:07:20 -0400 (EDT)
Received: from mail-13-ewr.dyndns.com ([216.146.33.28]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 25 Jul 2013 10:07:17 -0400
X-Mail-Handler: MailHop by DynDNS
X-Originating-IP: 189.202.35.106
Received: from 189.202.35.106.cable.dyn.cableonline.com.mx (189.202.35.106.cable.dyn.cableonline.com.mx [189.202.35.106]) by mail-13-ewr.dyndns.com (Postfix) with ESMTP id 649E7A4A885 for <redacted@mydomain.com

When reading headers you start at the bottom and work your way up most of the time.

So the e-mail originated at 189.202.35.106, which looks like a cable provider in Mexico.

It was received by mail-13-ewr.dyndns.com for an address redacted@mydomain.com.

Which then sent to mydomain.com (cpe-static-mydomain-rtr-f0.sm. [myipaddress]) which is using Microsoft SMTP.

Then mydomain.com sent it to mtain-de06.r1000.mx.aol.com.

So if I were guessing, you are at the very least relaying. Questions I have are:

  • Do you have just one example?
  • Does someone in your office have their out of office turned on?
  • Is someone forwarding their e-mail to their personal address?
  • Who is redacted@mydomain.com?
  • Follow up: Is their machine infected and using your Exchange to relay?
  • Is redacted@mydomain.com a valid e-mail address and what does the account look like?

Just my initial thoughts after going through the headers. But if mydomain.com (cpe-static-mydomain-rtr-f0.sm. [myipaddress]) is all your information, then it is your system that is doing it.
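The bottom-up reading above, done by a script, as an added example that is not part of this thread or any poster's tooling: it parses the three Received: lines from the headers posted earlier (copied into the script as a constructed sample, placeholders and all), lists the hops in delivery order, and reports that mydomain.com both accepted the message from mail-13-ewr.dyndns.com and then handed it to AOL. The parse is the usual "from X (rDNS [ip]) by Y ... for <rcpt>; date" heuristic, not a full RFC 5321 grammar, so a server that writes an unusual Received: line will be skipped rather than misread.

```python
"""Walk a message's Received: chain bottom-up and show where one host
accepted the message and where it sent it on again.

Added example for the thread, not the poster's or the ISP's tooling.  SAMPLE
is a constructed copy of the headers posted above (placeholders mydomain.com
and myipaddress kept as written); the HTML body and most X- headers are
omitted.
"""
import email
import re


SAMPLE = """\
Return-Path: <redactedya@addvalsolutions.com>
Received: from mydomain.com (cpe-static-mydomain-rtr-f0.sm. [myipaddress])
 by mtain-de06.r1000.mx.aol.com (Internet Inbound) with ESMTP id 50C9B3800008A;
 Thu, 25 Jul 2013 10:07:20 -0400 (EDT)
Received: from mail-13-ewr.dyndns.com ([216.146.33.28]) by mydomain.com
 with Microsoft SMTPSVC(6.0.3790.4675); Thu, 25 Jul 2013 10:07:17 -0400
X-Mail-Handler: MailHop by DynDNS
X-Originating-IP: 189.202.35.106
Received: from 189.202.35.106.cable.dyn.cableonline.com.mx
 (189.202.35.106.cable.dyn.cableonline.com.mx [189.202.35.106]) by
 mail-13-ewr.dyndns.com (Postfix) with ESMTP id 649E7A4A885 for
 <redacted@mydomain.com>; Thu, 25 Jul 2013 14:07:16 +0000 (UTC)
From: "Dr. OZ's Newsletter" <eldersya@addvalsolutions.com>
To: <redacted@mydomain.com>
Subject: Brand New Weight Loss System in U.S.
X-AOL-SPF: domain : addvalsolutions.com SPF : neutral

"""

# "from <helo-name> (<rDNS> [<ip>]) by <receiving-host>": the parenthesised
# part is what the receiving server itself observed, so it is the part to trust.
HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")
IP_RE = re.compile(r"\[([^\]]+)\]")
FOR_RE = re.compile(r"\bfor <?([^>;\s]+)>?")


def parse_received(value):
    """Return {from, ip, by, for, date} for one Received: value, or None."""
    value = " ".join(value.split())          # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group(2) or "")
    rcpt = FOR_RE.search(value)
    date = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "from": m.group(1),
        "ip": ip.group(1) if ip else None,
        "by": m.group(3),
        "for": rcpt.group(1) if rcpt else None,
        "date": date,
    }


def received_hops(raw_message):
    """Received: lines in delivery order (oldest first, i.e. bottom-up)."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h]
    hops.reverse()                           # header order is newest-first
    return hops


def hops_through(hops, my_host):
    """(accepted, resent): hops where my_host received the message, and hops
    where another server records my_host as the sending side."""
    accepted = [h for h in hops if h["by"] == my_host]
    resent = [h for h in hops if h["from"] == my_host]
    return accepted, resent


def describe(raw_message, my_host):
    """Human-readable trail plus a verdict about my_host's role in it."""
    hops = received_hops(raw_message)
    lines = []
    for i, h in enumerate(hops, 1):
        via = f"{h['from']} [{h['ip']}]" if h["ip"] else h["from"]
        rcpt = f" for {h['for']}" if h["for"] else ""
        lines.append(f"{i}. {via} -> {h['by']}{rcpt} ({h['date']})")
    accepted, resent = hops_through(hops, my_host)
    if accepted and resent:
        lines.append(
            f"{my_host} accepted the message from {accepted[0]['from']} and then "
            f"sent it on to {resent[0]['by']}: the outbound copy was sent by "
            "this server, wherever the message originally came from."
        )
    elif accepted:
        lines.append(f"{my_host} accepted the message; no later hop names it as sender.")
    else:
        lines.append(f"{my_host} does not appear as a receiving host in this chain.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE, "mydomain.com"))
```

Run it as a script to print the trail. The thing to look for in each of the ISP's samples is the same: a Received: line written by some other server (here AOL's) that names your host and IP in its from clause. That line can only exist because your server opened the outbound SMTP session, whatever the message's original source was, so the ISP's complaint is about your box even though the spam came in from Mexico via Dyn.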
 
Thank you for the response - Here are the answers to your questions:

Do you have just one example?
- They have provided 3-4 examples I believe

Does someone in your office have their out of office turned on?
- It's certainly possible; there are ~60 accounts, 20 full-time staff. The remaining are volunteers/part-timers. There are a number of distribution lists and Exchange contacts as well.

Is someone forwarding their e-mail to their personal address?
- Also possible, but is there any way I can find out at the system level?

Who is redacted@mydomain.com?
- This is the actual user it was sent to, I did not change 'redacted'. There is no actual account redacted@mydomain.com (Including DLs/contacts)

Follow up: Is their machine infected and using your Exchange to relay?
- I'm using Symantec Corporate and all machines come up clean. I've also walked through the MS KB article to disable relaying some time ago, but I will revisit and ensure I haven't missed anything

Is redacted@mydomain.com a valid e-mail address and what does the account look like?
- It is not an actual account

I'm using a Sonicwall TZ210 - Are you aware of anything that would help me enable the proper logging/tracing to better track this down?
 
Do a search in Message Tracking center for the sender of that e-mail on the date and around that time and see what that says. I am guessing that your ISP changed the e-mail address from the actual one to redacted.

This should give you what happened with the e-mail once it hit your box and what your box did with it.

Message Tracking center is under Tools in the Exchange System Manager in 2003.
 
Whoever this user is, they have forwarding turned on so that mail that goes to redacted@mydomain.com gets forwarded outside the domain to AOL.

Your SBS server should have logs. (If it doesn't have them turned on, you need to find a new line of work)
Look in those to find what's going on. It'll tell you which user it is.
Ban the user or prevent them from forwarding email to AOL.

You may also be able to look through each user's settings and see who's forwarding to AOL. Then ban them.
 
Found the message in the tracking center. Is this a matter of me allowing relays?

Edit: Sorry, the embedded image didn't work. Here's a link: http://postimg.org/image/dli2ofwkl/

If you're allowing relays, you need to be shot.

EDIT: Just to be clear, just because you're behind Dyn Email Gateway or BackupMX doesn't mean your server can be broken and misconfigured.
I swear most people using SBS or Exchange for email have *not-clue-zero* on how to run an email server. Drives me nuts.
 
Ah, not sure how I missed this, but the message is actually being sent to a distribution list. The DL is comprised of a group of external contacts (board members' personal) emails. I would assume this DL e-mail is getting spammed... I've always hated that they've done this, but I have never really had any 'proof' this was a bad idea.

I'm using BackupMX for just that, backup in the event the server/connection is down. I'm not assuming it fixes any my problems or protects me in any way, but thanks for your helpful feedback.

Using http://mxtoolbox.com/diagnostic.aspx and http://www.mailradar.com/openrelay/, I confirmed it is NOT an open relay. Guess I can avoid the bullets...
 
It depends. You have blanked out the e-mail address that it was sent to; is that a valid e-mail address in your network? If not, then you are likely an open relay of some sort. If it is a valid e-mail address then you need to check that user's account and check that user's computer.

Are they forwarding their e-mail? I guess what I am saying is find out why the e-mail is being forwarded.

You received 3 or 4 messages as an example of spamming. Are they all to the same person? Are they all being sent out to the same person?

Troubleshooting is all about eliminating possibilities, and following the path. So follow the path the e-mail took. Check each stop that you can. Is there something in common that these messages have (who they were sent to, who it went to outside of your network, etc?)
 
Thanks again for your help and guidance - I really appreciate it.

I did confirm the other examples are going to the same DL.

I see the following options:
1 - Stop using DLs / Exchange contacts. Give users actual mailboxes. However, they will probably just forward their e-mail back to their personal accounts, so this really isn't a great/long-term option
2 - Alternate spam/virus service. Currently using Symantec. As a non-profit, they receive an extreme discount ($5/year/user for antivirus and antispam).

Any others?
 
THAT is a pickle. I do not envy you.

You may want to switch Dyn's BackupMX to Dyn's Email Gateway, it'll take out a good portion of the spam with the right settings.

You may also want to implement a scanner internally. You can set up a freeware/Linux intermediate scanner very easily with Postfix and SpamAssassin or Kaspersky, along with some other tools.
 
In Exchange 2003 you can limit DLs so that only authenticated accounts can send e-mail to them. So you may need to change that DL to that for now.

The other thing to look at is getting an anti-spam solution, either an appliance or a service. If you go the service route, SpamHero is not too bad. But there are others out there like Barracuda, Proofpoint and more.

The Anti-Spam solution would limit the incoming spam that could be sent out.
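Two things asked for earlier in the thread, "is there any way I can find out at the system level" who is forwarding mail outside, and the suggestion just above to restrict DLs to authenticated senders, can both be checked from one Active Directory export rather than by clicking through sixty accounts. The script below is an added example, not code from the thread or from Microsoft. It assumes an export produced on the SBS 2003 domain controller with ldifde, for instance `ldifde -f export.ldf -d "DC=mydomain,DC=local" -r "(|(altRecipient=*)(objectClass=contact)(objectClass=group))" -l objectClass,mail,altRecipient,deliverAndRedirect,targetAddress,member,msExchRequireAuthToSendTo`, and it reads the Exchange 2003 attributes altRecipient (the object mail is forwarded to), deliverAndRedirect (whether a local copy is kept), targetAddress (a contact's outside address), member (DL membership) and msExchRequireAuthToSendTo (the "from authenticated users only" setting). The LDIF in the script is constructed for the example; every name and address in it is made up.

```python
"""From an ldifde export of Active Directory, report (1) mailboxes that
forward to an address outside the domain and (2) mail-enabled groups that
contain external contacts but accept mail from anyone.

Added example, not the thread's or Microsoft's code.  Attribute names are
the Exchange 2003 AD attributes altRecipient, deliverAndRedirect,
targetAddress, member and msExchRequireAuthToSendTo; SAMPLE_LDIF is a
constructed export with made-up names and addresses.
"""
import base64
import sys

SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=mydomain,DC=local
objectClass: user
mail: jane@mydomain.com
altRecipient: CN=Jane Doe (home),CN=Contacts,DC=mydomain,DC=local
deliverAndRedirect: TRUE

dn: CN=Jane Doe (home),CN=Contacts,DC=mydomain,DC=local
objectClass: contact
mail: janedoe99@aol.com
targetAddress: SMTP:janedoe99@aol.com

dn: CN=Board Member One,CN=Contacts,DC=mydomain,DC=local
objectClass: contact
targetAddress: SMTP:boardmember1@aol.com

dn: CN=Board Member Two,CN=Contacts,DC=mydomain,DC=local
objectClass: contact
targetAddress: SMTP:board.two@example.net

dn: CN=Board,OU=Distribution Groups,DC=mydomain,DC=local
objectClass: group
mail: board@mydomain.com
member: CN=Board Member One,CN=Contacts,DC=mydomain,DC=local
member: CN=Board Member Two,CN=Contacts,DC=mydomain,DC=local
msExchRequireAuthToSendTo: FALSE

dn: CN=Staff,OU=Distribution Groups,DC=mydomain,DC=local
objectClass: group
mail: staff@mydomain.com
member: CN=Jane Doe,OU=Users,DC=mydomain,DC=local
member: CN=Board Member One,CN=Contacts,DC=mydomain,DC=local
msExchRequireAuthToSendTo: TRUE
"""


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]} with lower-cased attribute names.
    Unfolds continuation lines (leading space) and decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def first(entry, attr):
    return (entry.get(attr) or [""])[0]


def smtp_address(value):
    """'SMTP:user@host' (targetAddress form) or 'user@host' -> 'user@host'."""
    return value.split(":", 1)[-1]


def is_external(address, internal_domains):
    return "@" in address and address.rsplit("@", 1)[1].lower() not in internal_domains


def external_forwarders(entries, internal_domains):
    """(mailbox, outside address, keeps local copy) for each user whose
    altRecipient points at an object with an external address."""
    by_dn = {first(e, "dn").lower(): e for e in entries}
    found = []
    for e in entries:
        target = by_dn.get(first(e, "altrecipient").lower())
        if not target:
            continue
        addr = smtp_address(first(target, "targetaddress") or first(target, "mail"))
        if is_external(addr, internal_domains):
            keep_copy = first(e, "deliverandredirect").upper() == "TRUE"
            found.append((first(e, "mail"), addr, keep_copy))
    return found


def open_external_lists(entries, internal_domains):
    """(list address, [outside members]) for groups that contain external
    contacts and do not require authenticated senders: whatever the Internet
    sends to the list, your server re-sends outside."""
    by_dn = {first(e, "dn").lower(): e for e in entries}
    found = []
    for e in entries:
        if "group" not in (c.lower() for c in e.get("objectclass", [])):
            continue
        if first(e, "msexchrequireauthtosendto").upper() == "TRUE":
            continue
        outside = [smtp_address(first(by_dn.get(dn.lower(), {}), "targetaddress"))
                   for dn in e.get("member", [])]
        outside = [a for a in outside if is_external(a, internal_domains)]
        if outside:
            found.append((first(e, "mail"), outside))
    return found


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    entries = parse_ldif(text)
    for mailbox, addr, keep in external_forwarders(entries, {"mydomain.com"}):
        print(f"forwarding: {mailbox} -> {addr} ({'copy kept' if keep else 'redirect only'})")
    for lst, members in open_external_lists(entries, {"mydomain.com"}):
        print(f"open list: {lst} re-sends to {', '.join(members)}")
```

Run it against the export file (or with no argument to see the constructed sample) and put your own accepted domains in the `internal_domains` set. In the sample the Board list shows up because it is all external contacts and msExchRequireAuthToSendTo is FALSE, which is exactly the board-members DL the thread ended up with; the Staff list has the same external member but requires authenticated senders, so it drops out of the report. That is the state to aim for after applying the "authenticated users only" change suggested above.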
 