Exchange 2013 email spoofing

Hello all (just new to network admin, a few months in the job),

So, to give a bit of background on our system: we have an Exchange 2013 server with external and internal domains. For instance, our internal domain is abcinternal.co.uk, used for our systems and users etc., and our external domain is abcexternal.com. Our mail server is mail.abcexternal.com, used for email, on IP xxx.xxx.183.114.

Internal Domain - abcinternal.co.uk 

External Domain - abcexternal.com

The issue we have been having recently is that we have been getting domain spoofed. I have set up an SPF record on our external DNS for abcexternal.com which reads "v=spf1 mx mx:mail.abcexternal.com ip4:xxx.xxx.183.114 -all", but we keep getting spoofed emails even with this. Firstly, does the SPF record look correct, and secondly, would I need to create an SPF record for the internal domain on the external DNS too? To give you an example, this is the header from an email that was sent recently (spoofed):

Any suggestions what I can do to fix this? I know the SCL is high, but our SCL filter is very low due to email junk issues.

Received: from IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) by
 IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) with Microsoft SMTP
 Server (TLS) id 15.0.712.24 via Mailbox Transport; Wed, 18 Dec 2013 13:32:07
 +0000
Received: from IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) by
 iexchange2013.abcinternal.co.uk (xxx.xxx.254.201) with Microsoft SMTP
 Server (TLS) id 15.0.712.24; Wed, 18 Dec 2013 13:32:06 +0000
Received: from 061244048185.static.ctinets.com (61.244.48.185) by
 IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) with Microsoft SMTP
 Server id 15.0.712.24 via Frontend Transport; Wed, 18 Dec 2013 13:32:05 +0000
Received: from [204.122.243.204] (port=90614 helo=[xxx.168.9.06]) by
 61.244.48.185 with asmtp id 1rqLaL-000MX-00 for user@abcexternal.com;
 Wed, 18 Dec 2013 21:34:53 +0800
Message-ID: <52B1A3A5.4000703@abcexternal.com>
Date: Wed, 18 Dec 2013 21:34:53 +0800
From: Voice Mail <user@abcexternal.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <user@abcexternal.com>
Subject: [virus Win32/TrojanDownloader.Waski.A trojan] New Voice message
Content-Type: multipart/mixed;
 boundary="----=_Part_51648_8160897801.7764692916738"
X-Spam: Not detected
X-Mras: Ok
Return-Path: AmericanExpress@welcome.aexp.com
X-MS-Exchange-Organization-Network-Message-Id: 86a83526-e1f9-4a37-381e-08d0ca0cade7
X-ESET-AS: SCORE=80
X-MS-Exchange-Organization-SCL: 8
X-EsetResult: clean (cleaned), contained Win32/TrojanDownloader.Waski.A trojan
X-EsetId: F1A06A3BE6A78839EBE83527B4B88E39B3E56463EC
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: iexchange2013.abcinternal.co.uk
X-MS-Exchange-Organization-AuthAs: Anonymous

best regards

Gordon

December 19th, 2013 5:37am
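The header above answers the SPF question if it is read the way a receiving MTA reads it. SPF is evaluated against the envelope sender (the MAIL FROM domain, visible here as Return-Path: AmericanExpress@welcome.aexp.com) and the IP of the host that connected to your server (the Frontend Transport hop, 61.244.48.185), not against the From: display line that shows user@abcexternal.com. So abcexternal.com's SPF record is never consulted for this message; the mismatch between the Return-Path domain and the From: domain is what DMARC alignment checks, and it is the check that would catch this. The script below is an added example, not code from the thread: it unfolds the quoted headers, picks out the first external hop, and runs a small SPF evaluator against a constructed in-memory DNS table (203.0.113.114 is a placeholder for the masked xxx.xxx.183.114; no real lookups are made).

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Placeholder for the masked xxx.xxx.183.114 from the post.
SPF_RECORD = "v=spf1 mx mx:mail.abcexternal.com ip4:203.0.113.114 -all"

# Constructed stand-in for DNS so the example runs offline. welcome.aexp.com
# deliberately has no entry: the evaluator must report "none" for it.
DNS = {
    "txt": {"abcexternal.com": SPF_RECORD},
    "mx": {"abcexternal.com": ["mail.abcexternal.com"]},
    "a": {"mail.abcexternal.com": ["203.0.113.114"]},
}

# Constructed sample: the relevant headers from the post, folded as RFC 5322
# continuation lines (the masked octets are kept as they appear in the post).
RAW_HEADERS = """\
Received: from IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) by
 IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) with Microsoft SMTP
 Server (TLS) id 15.0.712.24 via Mailbox Transport; Wed, 18 Dec 2013 13:32:07
 +0000
Received: from 061244048185.static.ctinets.com (61.244.48.185) by
 IEXCHANGE2013.abcinternal.co.uk (xxx.xxx.254.201) with Microsoft SMTP
 Server id 15.0.712.24 via Frontend Transport; Wed, 18 Dec 2013 13:32:05 +0000
Received: from [204.122.243.204] (port=90614 helo=[xxx.168.9.06]) by
 61.244.48.185 with asmtp id 1rqLaL-000MX-00 for user@abcexternal.com;
 Wed, 18 Dec 2013 21:34:53 +0800
From: Voice Mail <user@abcexternal.com>
Return-Path: AmericanExpress@welcome.aexp.com
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines, then split each header into (name, value)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    parsed = []
    for line in lines:
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def connecting_ip(headers: List[Tuple[str, str]], internal_suffix: str) -> Optional[str]:
    """Walk Received headers newest-first and return the source IP of the first hop
    where one of our servers accepted mail from a host outside internal_suffix."""
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        if not m:
            continue
        from_host, paren, by_host = m.groups()
        ours = by_host.lower().endswith(internal_suffix)
        external = not from_host.lower().endswith(internal_suffix)
        if ours and external:
            ip = IP_RE.search(paren)
            return ip.group(1) if ip else None
    return None


def spf_check(ip: str, domain: str, dns: Dict = DNS) -> str:
    """Minimal SPF evaluator covering ip4, a, mx (with optional :domain) and all.
    Unsupported mechanisms (include, exists, ptr) are treated as non-matching."""
    record = dns["txt"].get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, target = mech.lower(), (arg or domain)
        if mech == "all":
            return results[qualifier]
        if mech == "ip4" and arg and addr in ipaddress.ip_network(arg, strict=False):
            return results[qualifier]
        if mech == "a" and ip in dns["a"].get(target, []):
            return results[qualifier]
        if mech == "mx":
            # mx:host looks up the MX records *of that host*, not its A record.
            for mx_host in dns["mx"].get(target, []):
                if ip in dns["a"].get(mx_host, []):
                    return results[qualifier]
    return "neutral"


def address_domain(value: str) -> str:
    m = re.search(r"[\w.+-]+@([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def diagnose(raw: str, internal_suffix: str = "abcinternal.co.uk") -> Dict[str, object]:
    """Summarise which domain SPF actually applies to and whether From: aligns with it."""
    headers = unfold_headers(raw)
    by_name = {n.lower(): v for n, v in headers}
    ip = connecting_ip(headers, internal_suffix)
    mail_from = address_domain(by_name.get("return-path", ""))
    from_dom = address_domain(by_name.get("from", ""))
    return {
        "connecting_ip": ip,
        "mail_from_domain": mail_from,
        "from_domain": from_dom,
        "aligned": mail_from == from_dom,
        "spf_mail_from": spf_check(ip, mail_from) if ip else "none",
        "spf_if_from_domain_checked": spf_check(ip, from_dom) if ip else "none",
    }


if __name__ == "__main__":
    for key, val in diagnose(RAW_HEADERS).items():
        print(f"{key}: {val}")
```

Running it reports that the connecting host is 61.244.48.185, that the MAIL FROM domain is welcome.aexp.com (which publishes nothing in the constructed table, so the result is "none"), and that the From: domain abcexternal.com is not aligned with it. Had the receiver evaluated abcexternal.com's record against that IP, the `-all` would have produced "fail", and the real server at the placeholder 203.0.113.114 passes via `mx`. Two things worth noting about the record itself: `mx:mail.abcexternal.com` asks for MX records of mail.abcexternal.com rather than its address (the `a:mail.abcexternal.com` mechanism is the one that authorises a host by its A record, although the `ip4:` term already covers the same address), and an SPF record only has effect on servers that check it, so a receiving Exchange 2013 organisation that wants to reject this traffic needs its own sender-verification filtering enabled, plus a DMARC policy if From: alignment is to be enforced.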

Hi,

According to the message header, I found that AmericanExpress@welcome.aexp.com was disguised as 52B1A3A5.4000703@abcexternal.com to send a spoofing message to us.

It seems that our SPF is not working well. I suggest removing it and re-creating a new SPF.

Please also check whether our AVs are updated to the latest.

Hope it is helpful.


Thanks

Mavis 

December 25th, 2013 12:30am
