Channel: Exchange Server 2013 - Mail Flow and Secure Messaging forum

Exchange 2013 Spam Email sent to wrong recipient

Hello,

One of my users reported a dangerous spam email containing a "You received a voice mail" subject and an attached zip file. This address was a spoofed one from our own internal domain, no-reply@ourdomain.com. I did see some emails just like this get caught by the Exchange spam filters, but somehow this one got through.

I figured out it got through because I had my own domain whitelisted in the SPAMfighter Exchange module. Hopefully changing this will allow the other agents to block this kind of email going forward, but the big problem is not just that it got through but that it wasn't even addressed to the recipient that actually received it.

How can an email addressed to user1@domain.com be received by user2@domain.com? I've verified these two users have nothing shared between them, nothing delegated or forwarded. User1 is a mailbox that is no longer in use, but hasn't been disabled yet. This is the first and only time I've seen this, but I'm concerned about legitimate email getting routed incorrectly.

Here are the message properties with my info replaced for security purposes. They don't even mention the actual user2 address anywhere. Any ideas on how this got routed wrong?

Received: from INTERNALSERVER.domain.local (internalserverip) by
 INTERNALSERVER.domain.local (internalserverip) with Microsoft SMTP Server (TLS) id
 ISP IP via Mailbox Transport; Mon, 5 May 2014 09:15:20 -0500
Received: from INTERNALSERVER.domain.local (internalserverip) by
 INTERNALSERVER.domain.local (internalserverip) with Microsoft SMTP Server (TLS) id
 ISP IP; Mon, 5 May 2014 09:15:12 -0500
Received: from net-93-64-16-64.cust.vodafonedsl.it (93.64.16.64) by
 remote.domain.com (internalserverip) with Microsoft SMTP Server id ISP IP
 via Frontend Transport; Mon, 5 May 2014 09:15:11 -0500
Message-ID: <NOU3ZHBH.3589518@rowinsky.com>
Date: Mon, 5 May 2014 16:12:57 +0100
From: Microsoft Outlook <no-reply@domain.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <User1@domain.com>
Subject: You received a voice mail
Content-Type: multipart/mixed;
 boundary="------------XXXXXXXXXXXXXXXXXXXX"
Return-Path: falliblemud9@rowinsky.com
X-MS-Exchange-Organization-PRD: domain.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (INTERNALSERVER.domain.local: no-reply@domain.com does not
 designate permitted sender hosts)
X-MS-Exchange-Organization-Network-Message-Id: XXXXXXXXXXXXXXXXXXXXXXXXXX
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:93.64.16.64
X-SPAMfighter-Result: E-mail accepted (Whitelisted: GlobalWhiteListDomainFound <domain.com>)
X-SPAMfighter-Direction: Inbound
X-MS-Exchange-Organization-AuthSource: INTERNALSERVER.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous

Thanks.
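
The header combination posted above (own-domain From, AuthAs Anonymous, a Return-Path in another domain, SPF None, and acceptance by whitelist) can be checked mechanically. The following Python sketch is an added example, not part of the original post; the sample message is constructed from the posted headers with their placeholders, and `spoof_findings`, `domain_of` and the finding codes are hypothetical names.

```python
import email
from email.utils import parseaddr

# Constructed sample: the post's headers with its placeholders, trimmed.
SAMPLE = """\
From: Microsoft Outlook <no-reply@domain.com>
To: <User1@domain.com>
Subject: You received a voice mail
Return-Path: falliblemud9@rowinsky.com
Received-SPF: None (INTERNALSERVER.domain.local: no-reply@domain.com does not
 designate permitted sender hosts)
X-SPAMfighter-Result: E-mail accepted (Whitelisted: GlobalWhiteListDomainFound <domain.com>)
X-MS-Exchange-Organization-AuthAs: Anonymous

(body omitted)
"""


def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def spoof_findings(raw, own_domains):
    """Return finding codes for mail that claims an own-domain sender."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    if from_dom not in own_domains:
        return []  # not claiming to be internal; out of scope here
    findings = []
    # Exchange stamps how the submitting session authenticated.
    if (msg["X-MS-Exchange-Organization-AuthAs"] or "").strip().lower() == "anonymous":
        findings.append("own-domain-from-anonymous")
    # Envelope sender (Return-Path) in a different domain than header From.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path-mismatch")
    # The first token of Received-SPF is the result keyword.
    spf = (msg["Received-SPF"] or "").split(None, 1)
    if spf and spf[0].lower() in {"none", "fail", "softfail"}:
        findings.append("spf-" + spf[0].lower())
    # The message was accepted through a whitelist entry.
    if "whitelisted" in (msg["X-SPAMfighter-Result"] or "").lower():
        findings.append("accepted-by-whitelist")
    return findings


if __name__ == "__main__":
    print(spoof_findings(SAMPLE, {"domain.com"}))
```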