Spam Spoofing

[440sixpack]

Not sure if this belongs in the Security forum or here, but let's give it a whirl.

Apparently someone is spoofing one of my company's email addresses as the return address for spam. It has been going on for probably close to 2 weeks now and I get at least a couple hundred "Return to Sender" or "Invalid Address" bounces daily.

As an extra bonus it appears the spam is all directed at Russian domains as most of the bounces I get are in cyrillic so I have no idea what they are saying, and the remaining almost always appear to be .ru domains.

We have an SPF record for our domain, and what research I have down seems to indicate there's not much I can do but ride it out.

One thing I would like to check is whether or not our email server has been compromised are we are actually the source of the spam. I am no IT pro, just the co-owner of this small company, so if anyone can tell me what to look for in Exchange (SBS 2003 version) to see if any of this garbage is coming from us I'd appreciate it. DNSreports does not have our IP in any spam databases, so I'm hoping that's a good sign the traffic is not actually coming from us.

Thanks,

Steve

 

[netsysadmin]

Do you have any kind of spam filters? We have a Barracuda and could filter out the bad mail.

John

 

[440sixpack]

We don't, we never really have had that much of an issue receiving spam (at least not that IMF couldn't handle). I think someone spoofed one of our email addresses in the past, but this round has lasted longer.

 

[skyking]

look at the full header info on the returned email. If it is your IP as the originating one, you are compromised.

 

[Jeff7181]

Seems like a pretty simple filter could be put in place to block these "returned" emails from entering your domain from outside.

 

[RadiclDreamer]

http://www.mxtoolbox.com/blacklists.aspx

This will tell you from multiple lists if you are blacklisted

 

[440sixpack]

Originally posted by: skyking
look at the full header info on the returned email. If it is your IP as the originating one, you are compromised.

So if this is part of the header info:

Return-path: <xxxx@xxxx.com>
Received: from [209.12.118.68] (helo=BOLMOCC) by megatron.mirahost.ru with esmtp (Exim 4.67) (envelope-from <xxxx@xxxx.com> ) id 1MJDzY-0006fk-Ra for postmaster@vezhasklo.ru; Wed, 24 Jun 2009 00:57:27 +0300

and 209.12.118.68 is not our static IP (which it isn't), then they are not coming from us then, yes?

I looked at a bunch of the returned emails, and there are all sorts of different IP's in the header as the "Received from". As long as these aren't coming from us I guess I can live with it, but I hate the thought that we might be pissing off half of Russia at us, I don't need the Spetznaz showing up at my office.

 

[NickOlsen8390]

This is called Backscatter. It happens. Is the email in question posted on a website? Do a spyware check on the computers lately?
No there not coming from you, The return address is a email address associated with your domain, so when a server tries to send it back, you get it. Most likely is a spam zombie cluster just sending out with your addresses.