Spam Spoofing

440sixpack

Senior member
May 30, 2000
Not sure if this belongs in the Security forum or here, but let's give it a whirl.

Apparently someone is spoofing one of my company's email addresses as the return address for spam. It has been going on for probably close to 2 weeks now and I get at least a couple hundred "Return to Sender" or "Invalid Address" bounces daily.

As an extra bonus it appears the spam is all directed at Russian domains, as most of the bounces I get are in Cyrillic so I have no idea what they are saying, and the remaining ones almost always appear to be .ru domains.

We have an SPF record for our domain, and what research I have done seems to indicate there's not much I can do but ride it out.

One thing I would like to check is whether or not our email server has been compromised and we are actually the source of the spam. I am no IT pro, just the co-owner of this small company, so if anyone can tell me what to look for in Exchange (SBS 2003 version) to see if any of this garbage is coming from us I'd appreciate it. DNSreports does not have our IP in any spam databases, so I'm hoping that's a good sign the traffic is not actually coming from us.

Thanks,

Steve

netsysadmin

Senior member
Feb 17, 2002
Do you have any kind of spam filters? We have a Barracuda and could filter out the bad mail.

John

440sixpack

Senior member
May 30, 2000
We don't, we never really have had that much of an issue receiving spam (at least not that IMF couldn't handle). I think someone spoofed one of our email addresses in the past, but this round has lasted longer.

skyking

Lifer
Nov 21, 2001
Look at the full header info on the returned email. If it is your IP as the originating one, you are compromised.

Jeff7181

Lifer
Aug 21, 2002
Seems like a pretty simple filter could be put in place to block these "returned" emails from entering your domain from outside.

440sixpack

Senior member
May 30, 2000
Originally posted by: skyking
Look at the full header info on the returned email. If it is your IP as the originating one, you are compromised.

So if this is part of the header info:

Return-path: <xxxx@xxxx.com>
Received: from [209.12.118.68] (helo=BOLMOCC) by megatron.mirahost.ru with esmtp (Exim 4.67) (envelope-from <xxxx@xxxx.com> ) id 1MJDzY-0006fk-Ra for postmaster@vezhasklo.ru; Wed, 24 Jun 2009 00:57:27 +0300

and 209.12.118.68 is not our static IP (which it isn't), then they are not coming from us, yes?

I looked at a bunch of the returned emails, and there are all sorts of different IPs in the header as the "Received from". As long as these aren't coming from us I guess I can live with it, but I hate the thought that we might be pissing off half of Russia. I don't need the Spetsnaz showing up at my office. :)
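As an added example (not code from any poster in this thread), here is a small Python script that automates the header check skyking describes: it reads the Received lines of a bounced message, takes the earliest hop as the originating client, and flags the bounce as backscatter when that address is not one of the company's own mail servers. The company IP below is an assumed placeholder; the header sample reuses the IP and hostnames quoted in the post above, with the other lines constructed.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Assumed placeholder for the company's public mail server address; the thread
# never gives the real value.
OUR_MAIL_IPS = {"203.0.113.10"}

# Constructed sample: the Return-path and Received lines are the ones quoted in
# the post above, the From and Subject lines are filler for the example.
SAMPLE_HEADERS = (
    "Return-path: <xxxx@xxxx.com>\n"
    "Received: from [209.12.118.68] (helo=BOLMOCC) by megatron.mirahost.ru"
    " with esmtp (Exim 4.67) (envelope-from <xxxx@xxxx.com> )"
    " id 1MJDzY-0006fk-Ra for postmaster@vezhasklo.ru;"
    " Wed, 24 Jun 2009 00:57:27 +0300\n"
    "From: xxxx@xxxx.com\n"
    "Subject: constructed example\n"
)

# Matches the bracketed client address that relays record, e.g. "[209.12.118.68]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ips(raw_headers):
    """Client IPs from each Received header, earliest hop first.

    Each relay prepends its own Received line, so the last one in the block
    was written first and names the host that handed the message over.
    """
    msg = HeaderParser().parsestr(raw_headers)
    ips = []
    for line in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(line)
        if match:
            try:
                ips.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue  # malformed address, skip this hop
    return ips


def triage_bounce(raw_headers, our_ips=OUR_MAIL_IPS):
    """Return ('backscatter' | 'from-our-network' | 'unknown', origin_ip)."""
    ours = {ipaddress.ip_address(ip) for ip in our_ips}
    ips = originating_ips(raw_headers)
    if not ips:
        return "unknown", None
    origin = ips[0]
    verdict = "from-our-network" if origin in ours else "backscatter"
    return verdict, str(origin)


if __name__ == "__main__":
    print(triage_bounce(SAMPLE_HEADERS))
```

Only the Received line added by the bouncing server itself is trustworthy; earlier hops can be forged by the spammer, so a hit on "from-our-network" is a reason to inspect the server, while "backscatter" across many different origins is the pattern this thread describes.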

NickOlsen8390

Senior member
Jun 19, 2007
This is called Backscatter. It happens. Is the email in question posted on a website? Do a spyware check on the computers lately?
No, they're not coming from you. The return address is an email address associated with your domain, so when a server tries to send it back, you get it. Most likely it is a spam zombie cluster just sending out with your addresses.