
Local Domain Being Spoofed

Created: 12 Mar 2013 • Updated: 12 Mar 2013 | 4 comments

External sources are sending emails internally and making it look like it's coming from an internal user. When I track it, it is from an external server. I block the domain, but I would rather stop it as a whole.

How do some of you handle this?

Received: from mail.xxxxxx (xxxxxxxxxx) by xxxxxx
 (xxxxxxxxxx) with Microsoft SMTP Server id xxxxxxxxx; Tue, 12 Mar 2013
 08:36:58 -0400
X-AuditID: ac120d5b-b7fd16d000003cd0-11-513f216a0242
Received: from svr02.apcmmedia.com (svr02.apcmmedia.com [69.167.182.82])
 (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a
 certificate) by mail.xxxxxxx (Symantec Messaging Gateway) with SMTP
 id D6.90.15568.A612F315; Tue, 12 Mar 2013 08:36:58 -0400 (EDT)
Received: from nobody by svr02.apcmmedia.com with local (Exim 4.80)
 (envelope-from <nobody@svr02.apcmmedia.com>) id 1UFORt-00037s-Os; Tue, 12 Mar
 2013 05:36:57 -0700
To: <Mxxxxxx@xxxxx>, <xxxxxxxxxxxx>,
 <xxxxxxxxxxxx>, <xxxxxxxxxx>,
 <xxxxxxxxxxxxx>, <xxxxxxxxxxxx>,
 <xxxxxxxxxxx>, <xxxxxxxxxxxx>
Subject: no subject
From: <SPOOFED EMAIL>
X-Mailer: Loris v2.32
Content-Type: text/html; charset="windows-1251"
Message-ID: <E1UFORt-00037s-Os@svr02.apcmmedia.com>
Date: Tue, 12 Mar 2013 05:36:57 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - svr02.apcmmedia.com
X-AntiAbuse: Original Domain - ourinternaldomain.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - svr02.apcmmedia.com
X-Get-Message-Sender-Via: svr02.apcmmedia.com: uid via acl_c_vhost_owner from authenticated_id: nobody from /only user confirmed/virtual account not confirmed
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGKsWRWlGSWpSXmKPExsXiunxbkG6Won2gwbuZBhb/VgVYbHr2h8Xi
 yOozTBb3r9RazOj6yu7A6nFqWQtbAGMUl01Kak5mWWqRvl0CV8b792tZC44xVtyYfZq5gXED
 YxcjJ4eEgIlEz/ePQDYHkB0v8fsCWxcjF4eQwFImiTl9PUwQzkpGiQ3fDoA5IgIHGCU+7FsC
 1i0sICxx59oiMJtNQEZi/qWDbBBTRSUOztrADmIzC+hK7Dx9gxXE5hUwlnjy/itYnEVAVeL4
 qwvMEPVREn93X2WBsI0lpl7Zygph60lc/vaCCcK2kmi8cgPKtpBovfYS7CAJgXmMEqu3LmGf
 wCg4C8m+BYyMqxjFikqKk9IN9YpKkypLSlOLUxIr9ZLzczcxAoNyjRBv9A7G1dc1DzEKcDAq
 8fAqfLMNFGJNLCuuzD3EKMnBpCTKKydvHyjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhDdjs12g
 EC/QxKrUonyYlDQHi5I475Sl5oFCAumJJanZqakFqUUwWQ0ODoFjT44cYpRiycvPS1WS4E1Q
 AFogWJSanlqRlplTglDKxMEJsogHaFElSA1vcUFibnFmOkT+FKMlx6crj14wcvS9ApFTZz5/
 wSgENlRKnNcYpEEApCGjNA9uJiz5XGKUlRLmZWRgYBDiAbotN7MEVf4VozgwOIR5q0Gm8GTm
 lcBtfQV0EBPQQXpONiAHlSQipKQaGAWPbJvxkuHtK4Pfj7j674VHxft/MWO7sGE2S2kAX+28
 j59Fjxf9vJZXvu7Pbp4joe4mHrdUL9ebtuT0f8w1ObBjSYAGwzvPnzWsdsxewVxh6j1ifBcv
 JjyetLB1m9L6nuwXmsxpFkIvnlrYbfd+wn7g7S+J6D/rf1Qk28ueT0vbebtj4gJ1cyWW4oxE
 Qy3mouJEAPgHRWo5AwAA
MIME-Version: 1.0
Return-Path: nobody@svr02.apcmmedia.com
X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxx.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;476774656;0;info
 

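As an added example (not part of the original post or of Symantec's tooling), the following Python script does by hand what the poster did when tracking the message: it parses the headers, walks the Received chain newest-first to find the first hop outside the organisation's own address space (the host that actually connected to the gateway), and compares the domain in the From: header with the envelope sender (Return-Path, falling back to Exim's envelope-from note). The sample message is constructed from the redacted headers above; example.com, the 10.0.0.0/8 internal range, the host names and the mailbox names are placeholders, while the external hop is the one the post shows.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"                          # assumption: protected domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where our MTAs live

# Constructed sample modelled on the redacted headers in the post. Host names,
# the 10.x addresses and the From:/To: mailboxes are placeholders; the external
# hop (svr02.apcmmedia.com / 69.167.182.82) is the one the post shows.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (10.1.2.3) by hub01.example.com
 (10.1.2.4) with Microsoft SMTP Server id 0000; Tue, 12 Mar 2013
 08:36:58 -0400
Received: from svr02.apcmmedia.com (svr02.apcmmedia.com [69.167.182.82])
 (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a
 certificate) by mail.example.com (Symantec Messaging Gateway) with SMTP
 id D6.90.15568.A612F315; Tue, 12 Mar 2013 08:36:58 -0400 (EDT)
Received: from nobody by svr02.apcmmedia.com with local (Exim 4.80)
 (envelope-from <nobody@svr02.apcmmedia.com>) id 1UFORt-00037s-Os; Tue, 12 Mar
 2013 05:36:57 -0700
To: <staff@example.com>
Subject: no subject
From: <someone@example.com>
X-Mailer: Loris v2.32
Message-ID: <E1UFORt-00037s-Os@svr02.apcmmedia.com>
Return-Path: nobody@svr02.apcmmedia.com

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ENVFROM_RE = re.compile(r"envelope-from\s+<?([^>\s]+)>?", re.I)


def unfold(value):
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def entry_ip(received):
    """Walk the Received chain newest-first and return the first address that
    is outside INTERNAL_NETS: the host that handed the message to our gateway.
    None means every hop was internal (a genuinely local message)."""
    for hop in received:
        for candidate in IPV4_RE.findall(unfold(hop)):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:          # e.g. a version string that looked like an IP
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None


def analyze(raw_message):
    """Summarise the sender identities and flag a From: header in our domain
    on a message that entered from outside our own mail servers."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    header_from = domain_of(msg.get("From", ""))
    return_path = msg.get("Return-Path")
    if return_path is None:             # fall back to Exim's envelope-from note
        for hop in received:
            m = ENVFROM_RE.search(unfold(hop))
            if m:
                return_path = m.group(1)
                break
    envelope_from = domain_of(return_path or "")
    source_ip = entry_ip(received)
    return {
        "hops": len(received),
        "header_from_domain": header_from,
        "envelope_from_domain": envelope_from,
        "source_ip": source_ip,
        # envelope sender and header sender agree (what DMARC calls alignment)
        "aligned": bool(header_from) and header_from == envelope_from,
        # our domain in From:, yet the message came in from an external host
        "spoofed_local_sender": header_from == LOCAL_DOMAIN and source_ip is not None,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key:>22}: {value}")
```

A hit on spoofed_local_sender is exactly the condition the poster describes. Before blocking on it, enumerate the outside services that legitimately send as your domain (bulk mailers, hosted CRM, ticketing), since they trip the same rule; building the SPF record discussed in the replies forces that inventory anyway.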
Comments (4)

_Ryan_:

Here is the message audit log:

ID: ac120d5b-b7fd16d000003cd0-11-513f216a0242

Message-ID:
<e1ufort-00037s-os@svr02.apcmmedia.com>
 
Accepted From: 69.167.182.82 (Logical IP = 69.167.182.82 )
Scanners:
Local Host
 
Time accepted: Tuesday, Mar 12, 2013 08:36:58 AM EDT
Direction: Inbound
Sender:
nobody@svr02.apcmmedia.com
 
 
Authenticated username: (none)
 
Original recipients:
ALL LOCAL DOMAIN USERS 
 
 
Original Subject:
no subject
Identified attachment(s): None
 
Suspect attachment(s):  None
 
    Recipient Data
    Intended recipient: local domain user

    Verdict:
      Verdict:       None
      Filter Policy: default
      Policy Group:  default
      Details:       None

    • Tracker: Details
    • H4sIAAAAAAAAA+NgFlrGKsWRWlGSWpSXmKPExsXiunxbkG6Won2gwbuZBhb/VgVYbHr2h8Xi
      yOozTBb3r9RazOj6yu7A6nFqWQtbAGMUl01Kak5mWWqRvl0CV8b792tZC44xVtyYfZq5gXED
      YxcjJ4eEgIlEz/ePQDYHkB0v8fsCWxcjF4eQwFImiTl9PUwQzkpGiQ3fDoA5IgIHGCU+7FsC
      1i0sICxx59oiMJtNQEZi/qWDbBBTRSUOztrADmIzC+hK7Dx9gxXE5hUwlnjy/itYnEVAVeL4
      qwvMEPVREn93X2WBsI0lpl7Zygph60lc/vaCCcK2kmi8cgPKtpBovfYS7CAJgXmMEqu3LmGf
      wCg4C8m+BYyMqxjFikqKk9IN9YpKkypLSlOLUxIr9ZLzczcxAoNyjRBv9A7G1dc1DzEKcDAq
      8fAqfLMNFGJNLCuuzD3EKMnBpCTKKydvHyjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhDdjs12g
      EC/QxKrUonyYlDQHi5I475Sl5oFCAumJJanZqakFqUUwWQ0ODoFjT44cYpRiycvPS1WS4E1Q
      AFogWJSanlqRlplTglDKxMEJsogHaFElSA1vcUFibnFmOkT+FKMlx6crj14wcvS9ApFTZz5/
      wSgENlRKnNcYpEEApCGjNA9uJiz5XGKUlRLmZWRgYBDiAbotN7MEVf4VozgwOIR5q0Gm8GTm
      lcBtfQV0EBPQQXpONiAHlSQipKQaGAWPbJvxkuHtK4Pfj7j674VHxft/MWO7sGE2S2kAX+28
      j59Fjxf9vJZXvu7Pbp4joe4mHrdUL9ebtuT0f8w1ObBjSYAGwzvPnzWsdsxewVxh6j1ifBcv
      JjyetLB1m9L6nuwXmsxpFkIvnlrYbfd+wn7g7S+J6D/rf1Qk28ueT0vbebtj4gJ1cyWW4oxE
      Qy3mouJEAPgHRWo5AwAA
     
    Actions taken: Deliver message normally

    Delivery: Success
      Delivered To     Delivered with TLS   Delivery Time                           Recipient
      CAS/HUB SERVER   No                   Tuesday, Mar 12, 2013 08:36:59 AM EDT   local email address
      CAS/HUB SERVER   No                   Tuesday, Mar 12, 2013 08:36:59 AM EDT   local email address
      CAS/HUB SERVER   No                   Tuesday, Mar 12, 2013 08:36:59 AM EDT   local email address
      CAS/HUB SERVER   No                   Tuesday, Mar 12, 2013 08:36:59 AM EDT   local email address
      CAS/HUB SERVER   No                   Tuesday, Mar 12, 2013 08:36:59 AM EDT   local email address
     
    Untested verdicts:
    Message was sent from a suspect spammer, Content Filtering violation: DKIM Validation Failure: Modify subject line with "[DKIM Failure]", Content Filtering violation: Delete Executable Files Violations, Content Filtering violation: Symantec Data Loss Prevention, Content Filtering violation: Delete Email Policy Violations, Content Filtering violation: RTI Executable File Removal Policy, Content Filtering violation: TLS ENCRYPTION OUTBOUND - CIGNA, Content Filtering violation: Legal Disclaimer, Content Filtering violation: SPF Validation Softfail: Modify subject line with "[SPF Softfail]", Content Filtering violation: SenderID Validation Softfail: Modify subject line with "[SenderID Softfail]", Content Filtering violation: Delete True Type Executable Files Violations, User allow, User reject, Virus attack, Directory Harvest Attack, Connection Classification, Blocked language, Known language

     
     
    Other recipients:
    ALL LOCAL DOMAIN EMAIL ADDRESSES

 

A.Simeoni:

I suggest you have a look at the BATV:

How to enable Symantec Messaging Gateway's bounce attack prevention for specific domains.

http://www.symantec.com/docs/HOWTO54540

 

If this doesn't sort the issue, I suggest you open a case with Support in order for us to have a look at the complete headers.

 

 

TSE-JDavis:

We would normally recommend that you blacklist your own domain. If that is not acceptable, my suggestion would be to set up an SPF record for your domain and enable SPF checking. This way the SMG will check the record and see that these remote servers aren't authorized to send mail from your domain.

Cricket17:

You really need to set up SPF for your outbound mail servers.  If you are getting spam spoofing your domain, certainly others are, including your customers.

Start with something simple like

      apcmmedia.com   IN TXT "v=spf1 ip4:1.2.3.4 ~all"

replace 1.2.3.4 with the public IP address of your outbound mail server.  If you have more than one, just add more ip4:x.x.x.x items to the record.  The ~all means you are not sure this is a complete list.  You may need to talk to others at your company to make sure Sales or Marketing haven't outsourced something.

Once you have an SPF record published, you can use DMARC to find out who is sending using your domain. The big ISPs (google, yahoo, microsoft, etc) have deployed DMARC reporting.  Start with this DNS record (wrapped for clarity):

     _dmarc.apcmmedia.com IN TXT
               "v=DMARC1;p=none;rua=mailto:Reports@apcmmedia.com;
               ruf=mailto:ForensicReports@apcmmedia.com;rf=afrf;pct=100"

 

p=   The DMARC policy, in this case the recipient mail system should not do anything special. You can also specify quarantine or reject.
rua= send summary reports ~1x/day to this e-mail address.  These are in XML format.
ruf= send forensic reports - copies of actual e-mails that failed SPF back to this address
rf = report format. Default is afrf
pct = % of e-mails to apply policy to

I recommend using the free DMARCian.com site to parse the rua reports. If you sign up, they give you an additional e-mail address @dmarcian.com to add to the rua field.  I'm using dmarcian and it's reporting on 2-3 million e-mails per day for me.

You also have a spam reputation problem.  Both ReputationAuthority and Senderbase show a lot of spam from one of your hosts:

          svr02.apcmmedia.com / 69.167.182.82  hosted at LiquidWeb

http://www.reputationauthority.org/domain_lookup.p...
http://www.senderbase.org/senderbase_queries/detai...

Good Luck
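To make the SPF and DMARC advice in this thread concrete, here is an added Python example (not from the original thread, and not Symantec Messaging Gateway logic) that evaluates a simple ip4/all SPF record against a connecting IP and then applies the DMARC identifier-alignment test. DNS is replaced by an embedded table of constructed TXT records: example.com stands in for the protected domain, with one authorised outbound IP and a p=none DMARC record of the shape suggested above; example.net is a second constructed domain publishing p=reject; svr02.apcmmedia.com is given an SPF record authorising its own IP, which the operator of any domain can publish for a domain they control. The run makes the point a practitioner needs here: SPF by itself is evaluated on the envelope sender (Return-Path nobody@svr02.apcmmedia.com in the headers above), so it can pass for a message whose From: header is forged; what ties the result to the displayed sender is either DMARC's alignment check or a check of the connecting IP against the local domain's own SPF record (the spf_for_header_from field below). The include/a/mx mechanisms, redirect=, DKIM and the pct tag are deliberately left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: runs offline).
# example.com / example.net are placeholders for the protected domain;
# svr02.apcmmedia.com is given a record authorising its own IP, which the
# operator of any domain can publish for a domain they control.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.25 ~all"],
    "_dmarc.example.com": ["v=DMARC1;p=none;rua=mailto:Reports@example.com;"
                           "ruf=mailto:ForensicReports@example.com;rf=afrf;pct=100"],
    "example.net": ["v=spf1 ip4:198.51.100.7 -all"],
    "_dmarc.example.net": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"],
    "svr02.apcmmedia.com": ["v=spf1 ip4:69.167.182.82 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """TXT lookup against the embedded table (swap in real DNS for production)."""
    return DNS_TXT.get(name.lower(), [])


def check_spf(ip, domain):
    """Minimal RFC 7208 evaluator supporting only the ip4/ip6/all mechanisms."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one SPF record is a permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in network:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/ptr/exists and redirect= need live DNS; out of scope here
        raise NotImplementedError(f"SPF term not supported: {term}")
    return "neutral"                     # nothing matched and no 'all' term


def parse_dmarc(domain):
    """Parse the _dmarc.<domain> TXT record into a tag dictionary, or None."""
    for rec in lookup_txt("_dmarc." + domain):
        if not rec.lower().startswith("v=dmarc1"):
            continue
        tags = {}
        for part in rec.split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        return tags
    return None


def org_domain(domain):
    """Organisational domain for relaxed alignment. Assumption: the last two
    labels; a real implementation consults the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(ip, envelope_from_domain, header_from_domain):
    """SPF on the envelope sender, then DMARC relaxed alignment against the
    From: header domain. DKIM and the pct tag are not considered."""
    spf = check_spf(ip, envelope_from_domain)
    aligned = (spf == "pass"
               and org_domain(envelope_from_domain) == org_domain(header_from_domain))
    policy = parse_dmarc(header_from_domain) or parse_dmarc(org_domain(header_from_domain))
    if policy is None:
        disposition = "no policy"
    elif aligned:
        disposition = "none"             # DMARC pass: deliver normally
    else:
        disposition = policy.get("p", "none")
    return {
        "spf": spf,
        "dmarc_aligned": aligned,
        "dmarc_policy": policy.get("p") if policy else None,
        "disposition": disposition,
        # the check the replies above propose: connecting IP against the SPF
        # record of the domain shown in From:
        "spf_for_header_from": check_spf(ip, header_from_domain),
    }


if __name__ == "__main__":
    # The spoof from the post: spammer's own host as envelope sender, local From:
    print(evaluate("69.167.182.82", "svr02.apcmmedia.com", "example.com"))
    # A legitimate message from the authorised outbound MTA
    print(evaluate("203.0.113.25", "example.com", "example.com"))
    # The same spoof against a domain that publishes p=reject
    print(evaluate("69.167.182.82", "svr02.apcmmedia.com", "example.net"))
```

The first run returns spf "pass" for the spammer's envelope domain but dmarc_aligned False and spf_for_header_from "softfail", which is why the reply above starts with ~all and p=none: collect the aggregate reports, confirm every legitimate sender is listed, then tighten to -all and p=quarantine or p=reject, at which point the third run shows the receiver being told to reject.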