  1. #1 timbo343

    Strange email problem

    We have an on-premises Exchange 2010 server running GFI MailEssentials which is receiving emails from somewhere which is causing a bit of a concern. Just recently we have been getting spam emails from random email addresses and they all start with fax@... with the subject of "New Fax: x pages"

    Looking at the header information I am seeing this...

    Code:
    Received: from 177-10-232-115.radarinternet.com.br (177.10.232.115) by
    mail.mydomain.co.uk (internalIPAddress) with Microsoft SMTP Server id
    14.3.174.1; Wed, 2 Apr 2014 12:52:56 +0100
    Received: from 177-10-232-115.radarinternet.com.br (177.10.232.115) by
    scan.mydomain.co.uk (10.0.4.100) with Microsoft SMTP Server (TLS) id
    15.0.712.24 via Frontend Transport; 2 Apr 2014 09:21:30 GMT
    Received: from p3plsmtpa07-08.prod.phx3.secureserver.net
    (p3plsmtpa00-03.prod.phx3.secureserver.net [173.201.192.100]) by
    us-mta-1.us.mimecast.lan; 2 Apr 2014 09:27:33 GMT
    Received: from MFP40923133 ([68.14.231.100]) by
    p3plsmtpa04-06.prod.phx3.secureserver.net with id gLSc1n0084NBTNEXJAUK46;2
    Apr 2014 09:24:33 GMT
    Date: Wed, 2 Apr 2014 09:26:33 +0000
    From: <Administrator@mydomain.co.uk>
    Subject: New Fax: 3 pages
    To: <caretaker@mydomain.co.uk>
    Message-ID: <TTEC99dff903-e003-984e-b642-bcac3d6e1aaa@177-10-232-115.radarinternet.com.br>
    MIME-Version: 1.0
    X-Mailer: Uacett 4.0
    X-MC-Unique: S390875VHWVXP5CWHY84M4-1
    Content-Type: multipart/mixed;
                    boundary="TTEC99dff903-e003-984e-b642-bcac3d6e1aaa"
    Return-Path: scans@mydomain.co.uk
    X-MS-Exchange-Organization-AuthSource: Server.domain.internal
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-GFI-SMTP-Submission: 1
    X-GFI-SMTP-Submission: 1
    X-GFI-SMTP-HelloDomain: 177-10-232-115.radarinternet.com.br
    X-GFI-SMTP-RemoteIP: 177.10.232.115

    OK, if I run through this and explain why I am concerned about these emails...

    1. The second "received from" is a concern... for a start we don't have anything configured at scan.mydomain.co.uk. I have even emailed my domain administrator at my ISP to confirm this and they can confirm that this is the case, scan.mydomain.co.uk doesn't exist.
    2. The IP address 10.0.4.100 of scan.mydomain.co.uk isn't on the internal network at my place... in fact, I don't even use the 10.x.x.x network range.
    3. The account Administrator is only linked to my email address and is not used as a send email address.
    4. The caretaker account hasn't been activated for years and this email went to someone else in the school whose email address isn't even listed in this header.
    5. Scan@mydomain.co.uk doesn't even exist in my exchange server.

    Now, this is where it gets interesting. At work, nothing will traceroute to scan.mydomain.co.uk, even online traceroute utilities won't resolve this domain, but when I get home and I do a traceroute to scan.mydomain.co.uk it resolves to an IP address. The penultimate IP address is either 93.89.90.10 or 84.18.190.130, both pointing to a catalyst2.net router, but the last IP address 92.242.132.16 resolves to unallocated.barefruit.co.uk. I thought it might be the router that might have been compromised but after changing the router the problem still remains.

    Has anyone else been in this position before? Is the school under attack from some kind of spammer?
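The check the first post walks through by hand, as an added example that is not part of the thread or of any GFI/Exchange tooling: a small Python script that unfolds the Received chain from the header above, treats only the topmost hop (the one written by the school's own server, mail.mydomain.co.uk) as trustworthy, and flags everything beneath it that the sender could simply have typed in. OUR_MAIL_HOSTS and OUR_DOMAIN are taken from the post; OUR_NETWORKS is a placeholder (a documentation range), since the thread does not give the school's real address ranges.

```python
import ipaddress
import re

# Assumed facts, taken from the post: mail.mydomain.co.uk is the only real
# inbound server and the school does not use 10.x addresses at all.
# OUR_NETWORKS is a placeholder documentation range, not the school's real IPs.
OUR_DOMAIN = "mydomain.co.uk"
OUR_MAIL_HOSTS = {"mail.mydomain.co.uk"}
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# The Received chain and sender fields copied from the header in the post
# ("internalIPAddress" is the author's own redaction and yields no IP).
RAW_HEADERS = """Received: from 177-10-232-115.radarinternet.com.br (177.10.232.115) by
mail.mydomain.co.uk (internalIPAddress) with Microsoft SMTP Server id
14.3.174.1; Wed, 2 Apr 2014 12:52:56 +0100
Received: from 177-10-232-115.radarinternet.com.br (177.10.232.115) by
scan.mydomain.co.uk (10.0.4.100) with Microsoft SMTP Server (TLS) id
15.0.712.24 via Frontend Transport; 2 Apr 2014 09:21:30 GMT
Received: from p3plsmtpa07-08.prod.phx3.secureserver.net
(p3plsmtpa00-03.prod.phx3.secureserver.net [173.201.192.100]) by
us-mta-1.us.mimecast.lan; 2 Apr 2014 09:27:33 GMT
Received: from MFP40923133 ([68.14.231.100]) by
p3plsmtpa04-06.prod.phx3.secureserver.net with id gLSc1n0084NBTNEXJAUK46;2
Apr 2014 09:24:33 GMT
From: <Administrator@mydomain.co.uk>
To: <caretaker@mydomain.co.uk>
Return-Path: scans@mydomain.co.uk
"""

HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*(?:\((?P<from_info>[^)]*)\))?\s*"
    r"by\s+(?P<by_host>\S+)\s*(?:\((?P<by_info>[^)]*)\))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Rejoin folded header lines; the forum stripped the leading whitespace,
    so any line that does not start with 'Name:' is a continuation."""
    headers = []
    for line in raw.splitlines():
        m = HEADER_LINE.match(line)
        if m:
            headers.append([m.group(1), m.group(2)])
        elif headers:
            headers[-1][1] += " " + line.strip()
    return [(n, v) for n, v in headers]


def parse_received(headers):
    """Extract (from host/IP, by host/IP) for each Received hop, top to bottom."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        from_ip = IP_RE.search(m.group("from_info") or "")
        by_ip = IP_RE.search(m.group("by_info") or "")
        hops.append({
            "from_host": m.group("from_host").rstrip(";,"),
            "from_ip": from_ip.group(1) if from_ip else None,
            "by_host": m.group("by_host").rstrip(";,").lower(),
            "by_ip": by_ip.group(1) if by_ip else None,
        })
    return hops


def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETWORKS)


def analyse(raw):
    headers = unfold(raw)
    hops = parse_received(headers)
    findings = []
    connecting_ip = None
    # Only the topmost hop was written by our own server, so only the client
    # IP it recorded is evidence. Every hop below arrived inside the message
    # body as text and may have been fabricated by the sender.
    if hops and hops[0]["by_host"] in OUR_MAIL_HOSTS:
        connecting_ip = hops[0]["from_ip"]
    else:
        findings.append(("NO_TRUSTED_HOP", "topmost Received not written by a known server"))
    for hop in hops[1:]:
        by = hop["by_host"]
        if by.endswith("." + OUR_DOMAIN) and by not in OUR_MAIL_HOSTS:
            findings.append(("UNKNOWN_INTERNAL_HOST", by))
        if hop["by_ip"] and ipaddress.ip_address(hop["by_ip"]).is_private:
            findings.append(("PRIVATE_IP_BELOW_BOUNDARY", hop["by_ip"]))
    # A sender address in our domain delivered from outside our networks is
    # exactly what a published SPF record would let the receiving server reject.
    fields = {n.lower(): v for n, v in headers}
    for field in ("from", "return-path"):
        addr = fields.get(field, "").lower().rstrip(">")
        if addr.endswith("@" + OUR_DOMAIN) and connecting_ip and not is_ours(connecting_ip):
            findings.append(("SENDER_DOMAIN_SPOOFED", f"{field}={addr}"))
    return {"connecting_ip": connecting_ip, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = analyse(RAW_HEADERS)
    print("real connecting IP:", report["connecting_ip"])
    for code, detail in report["findings"]:
        print(f"{code}: {detail}")
```

Run against the header in the post, the script identifies 177.10.232.115 as the only address the school's server actually talked to, and reports the scan.mydomain.co.uk hop, its 10.0.4.100 address, and the mydomain.co.uk From/Return-Path as sender-supplied text rather than evidence of an internal host. The same ordering rule (trust your own server's hop, distrust everything below it) is what the header check in post #1 is doing by inspection.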

  2. #2 glennda

    It happens all the time - I could set up a server and send emails supposedly from your domain name.

    It is probably that somebody has got a list from somewhere with the old email addresses on it and started automating spam outbound.

    It could, however, be that a machine has been infected and a list of addresses harvested from AD if, for example, a domain admin has logged into it.

  3. #3 timbo343

    Yeah, I understand this can be common but I guess it just raised a few alarm bells when I saw the scan.mydomain.co.uk, as I have a look through the headers of other spam emails to see where it has come from. But what gets me is that if I traceroute scan.mydomain.co.uk at home it resolves to 92.242.132.16, however anywhere else it doesn't resolve.
