Spam received to mystery "users" email group
This morning, our entire company received a spam message sent to [email protected], where ourdomain.on.ca is our actual domain. There is a distinguished name that this could correspond to:
CN=Users,DC=ourdomain,DC=on,DC=ca
Looking at the attributes though, there is no mail, no proxyAddresses, no signs that there is a mailbox configured there.
I did some LDAP queries, searching for:
(proxyAddresses=smtp:[email protected])
([email protected])
But I am not seeing any records. (I also searched for known email addresses to ensure the tree was being searched properly.)
We are running Exchange 2003. Is there another place to look for group email addresses? Is it possible that the distinguished name is being automatically translated to an email address?
Solution 1:
If you are referring to what appears in the To: field or the Outlook message header, that is irrelevant. You need to inspect the Exchange SMTP logs to determine the actual email addresses used to deliver the message.
The To: field may contain a bogus address that is non-existent, if the message has a valid address in the Bcc: field.
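Solution 1 says the authoritative record of who a message was delivered to is the SMTP log, not the To: header. The script below is an added example (not code from the question or from either answer) that reads an SMTP protocol log, rebuilds each session's envelope (MAIL FROM and the RCPT TO commands the server accepted or rejected), and lists envelope recipients that do not appear in the To: header the recipients saw. The log is constructed in W3C extended-log style; the field names are an assumption modelled on Exchange 2003 SMTP protocol logging rather than copied from a real server, and every address, IP and timestamp is made up. The To: address it compares against (users@ourdomain.on.ca) is likewise a constructed value chosen to match the question's title.

```python
"""Compare SMTP envelope recipients (RCPT TO) against the visible To: header.

Added example, not part of the original post. The log format and field names
are assumptions in the spirit of Exchange 2003 SMTP protocol logging; the
sample log, addresses and IPs are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log (W3C extended-log style). Session 1 shows the
# pattern from the question: the envelope carries the real recipients while
# the message header names a bogus address. One RCPT TO is rejected (550).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2011-03-08 09:12:01 203.0.113.5 EHLO mail.example.net 250
2011-03-08 09:12:01 203.0.113.5 MAIL FROM:<promo@example.net> 250
2011-03-08 09:12:02 203.0.113.5 RCPT TO:<alice@ourdomain.on.ca> 250
2011-03-08 09:12:02 203.0.113.5 RCPT TO:<bob@ourdomain.on.ca> 250
2011-03-08 09:12:02 203.0.113.5 RCPT TO:<nobody@ourdomain.on.ca> 550
2011-03-08 09:12:03 203.0.113.5 DATA - 354
2011-03-08 09:12:04 203.0.113.5 QUIT - 240
2011-03-08 09:15:40 198.51.100.7 EHLO mx.example.org 250
2011-03-08 09:15:40 198.51.100.7 MAIL FROM:<partner@example.org> 250
2011-03-08 09:15:41 198.51.100.7 RCPT TO:<carol@ourdomain.on.ca> 250
2011-03-08 09:15:42 198.51.100.7 DATA - 354
2011-03-08 09:15:43 198.51.100.7 QUIT - 240
"""

ADDR_RE = re.compile(r"<([^>]*)>")


@dataclass
class Session:
    """One SMTP transaction: a MAIL FROM and the RCPT TO commands that followed."""
    client: str
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)   # recipients the server accepted (2xx)
    rejected: list = field(default_factory=list)  # recipients the server refused


def extract_address(query: str) -> str:
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>', lower-cased."""
    m = ADDR_RE.search(query)
    return m.group(1).lower() if m else ""


def parse_smtp_log(text: str) -> list:
    """Rebuild SMTP sessions from a W3C-style protocol log.

    A new session starts at each MAIL command; RCPT commands are attached to
    the open session for that client IP; QUIT closes it.
    """
    fields = None
    sessions = []
    open_sessions = {}  # client ip -> Session still in progress
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before data lines")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        rec = dict(zip(fields, parts))
        client, method = rec["c-ip"], rec["cs-method"]
        query, status = rec["cs-uri-query"], rec["sc-status"]
        if method == "MAIL":
            sess = Session(client=client, mail_from=extract_address(query))
            open_sessions[client] = sess
            sessions.append(sess)
        elif method == "RCPT" and client in open_sessions:
            addr = extract_address(query)
            target = open_sessions[client]
            (target.rcpt_to if status.startswith("2") else target.rejected).append(addr)
        elif method == "QUIT":
            open_sessions.pop(client, None)
    return sessions


def hidden_recipients(session: Session, header_to: list) -> list:
    """Accepted envelope recipients that the To: header did not name (i.e. BCC'd)."""
    visible = {a.lower() for a in header_to}
    return [r for r in session.rcpt_to if r not in visible]


if __name__ == "__main__":
    for s in parse_smtp_log(SAMPLE_LOG):
        bcc = hidden_recipients(s, ["users@ourdomain.on.ca"])
        print(f"{s.client} from {s.mail_from}: delivered to {s.rcpt_to}, "
              f"rejected {s.rejected}, not in To: header -> {bcc}")
```

Run against a real log, the "not in To: header" list for the spam session is the answer to the question: those are the mailboxes the message was actually addressed to, regardless of what the header says. The rejected list is also worth watching, since a long run of 5xx RCPT TO responses from one client is the footprint of the directory harvesting that Solution 2 mentions.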
Solution 2:
Well, first of all, before you spend more time trying to associate [email protected] with a group or person in your environment, let me suggest that you're probably on a snipe hunt.
The actual problem (probably) below:
Like Greg Askew said, it is likely (if not almost certain) that there is no actual email address or group associated with the email address in the To: field ([email protected]). It's fairly common practice, in fact, to send group emails to a bogus To: address, and BCC the actual recipients, when it might not be appropriate for the recipients to know about who all is being included in the email. This has legitimate applications (such as sending out a mass email to a number of disparate clients), as well as utility in sending out spam.
- In fact, I often use this technique myself with distributions to multiple clients. I'll send an email to [email protected], and BCC all the clients I want to get the email. They don't need to know about each other's existence or status as my clients, or who all I'm sending to, and it cuts down on my workload, having to send one email instead of multiple emails.
The solution:
To mitigate or largely eliminate this kind of problem with spam reaching a group of recipients on your domain, there are a couple of easy things you can do within Exchange. (As with most things, this functionality is more primitive in 2003 than in 2007 or 2010, but it's still there.)
- Limit who may or may not send to the larger distribution groups.
  It won't help if all your individual users were listed in the BCC (in which case, I'd suggest you need to defend your directory and mail server against Directory Harvest Attacks), but will in the event that this did get sent out to everyone via sending to the address of a large or global distribution list.
  Our Global DL in Exchange 2003: (screenshot)
  (I think there are a total of 8 people or groups in our company that can send an email to the global list, to give you an idea. Smaller groups are more permissive about accepting emails.)
- Limit some or all of your internal groups from receiving outside mail.
  This is also a good idea, generally, because generally, you don't want people outside your organization sending emails to groups within it. In Exchange 2003, this is enabled with the "From authenticated users only" tickbox in the above image.
The other beneficial side-effect of these settings is that you invariably get a luser doing a Reply All to some large distribution list with an asinine comment or acknowledgment of receipt ("thanks!", "was I supposed to get this?", etc.), and that's always unpleasant and inconvenient. Better cut them off before they spam the whole company with their invariably misspelled, ungrammatical, txt-msg-style inanity.