Tuesday, April 17, 2012

Troubleshooting SPAM for the System Administrator or Technician

Here’s an example of a process that you could use to evaluate where a piece of SPAM mail is coming from and decide how to stop it. There are some checkpoints along the way designed to help you stop and think through your options and next steps.


Troubleshooting Steps

1. Get the original emails with headers intact (see steps below)

2. Read the headers by opening the attached email, navigating to File, then Properties, and looking for the textbox at the bottom labeled Internet headers (see example below)

3. Use the header to figure out who is sending the email. You need to figure out where the email is originating from in order to prescribe a fix. Most email servers have a SPAM filter and the ability to put spammers on a global BLACKLIST. This is only appropriate when we can isolate the spammers down to 1-3 IPs or one domain and confirm no legitimate email will be blocked as a consequence.

In the example below we can see this email originated from 178.124.110.246. Use ARIN.net to do a whois lookup on the IP address of the sender. The result is here: http://whois.arin.net/rest/net/NET-178-0-0-0-1/pft The owner of this IP block is in Amsterdam.

4. Check the SPAM flag score in the header. The SPAM filtering can be adjusted based on score, but as this impacts all users you should have a very compelling reason for this change. We also would provide notification to end-users before making this change.

In this example we see the SPAM flag score is WHITELISTED. This is clearly the reason these emails are getting past the filter.

5. Investigate the email server WHITELIST and BLACKLIST.

In this example we see that any email address @EXAMPLE_DOMAIN is on a global WHITELIST.

6. Be aware that changing server settings could impact users’ ability to receive email, and things are generally set up the way they are for a particular reason. If you aren’t sure why something is set up a certain way, ASK before you make any changes.

In this example @EXAMPLE_DOMAIN is on a global WHITELIST because emails sent from the company's websites use SPOOFED addresses. These are legit emails that we want EXAMPLE_DOMAIN to receive. This is not exactly ideal, but the website cannot be modified with a fix.

7. Weigh the options, talk to everyone you need to talk to, gather as much information as you need in order to make a decision, then come up with a plan of action.

In this example we can remove @EXAMPLE_DOMAIN from the global WHITELIST and add in the individual email accounts used by the websites specifically.

8. Once you have a plan of action, make sure you understand the consequences and impact of the changes you are about to make. If you are unsure… STOP and ASK.

In this example the change may result in some legit internal emails being flagged as SPAM.

9. Determine who you need to notify about the changes. Is it the end user, all users, your boss? How much notice should you provide? 2 minutes, 1 hour, 2 days? If you still aren’t sure… STOP and ASK.

If there is even a remote chance that someone’s legit internal email is going to be flagged as SPAM, we recommend notifying the users about what to expect and how you plan to mitigate the issue when it comes back up.

In this example, there might be a better approach, such as adding this specific IP address to the BLACKLIST.



Get SPAM Emails with Headers Intact

Have the user follow these steps:

- Create a new email message addressed to YOUR_EMAIL

- Choose Attach Item then Outlook Item

- A window to browse your Outlook mailbox will pop up

- Navigate through your emails until you find one of the SPAM messages

- Left-click to select the message

- Click the OK button

- Repeat this process for as many SPAM emails as you like



Email Header Example

Header from EXAMPLE_EMAIL_ADDRESS Rolex Today -38%

X-Antivirus: AVG for E-mail
Received: from EXAMPLE_EMAIL_SERVER (EXAMPLE_EMAIL_SERVER_IP) by
    EXAMPLE_EMAIL_SERVER (EXAMPLE_EMAIL_SERVER_IP) with Microsoft SMTP Server
    (TLS) id 14.1.355.2; Sat, 31 Dec 2011 12:15:24 -0800
Received: from localhost (localhost.localdomain [127.0.0.1]) by
    EXAMPLE_EMAIL_SERVER (Postfix) with ESMTP id 18FAADE for
    <EXAMPLE_EMAIL_ADDRESS>; Sat, 31 Dec 2011 12:15:25 -0800 (PST)
X-Relayed-From: 178.124.110.246
X-Relayed-From-Added: Yes
X-Virus-Scanned: by amavisd-new at EXAMPLE_EMAIL_SERVER
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-999 required=4 WHITELISTED tests=[]
Received: from EXAMPLE_EMAIL_SERVER ([127.0.0.1]) by localhost
    (EXAMPLE_EMAIL_SERVER [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
    id 33nftJEdODDU for <EXAMPLE_EMAIL_ADDRESS>; Sat, 31 Dec 2011 12:15:25 -0800
    (PST)
Received: from microsof-b96170 (unknown [178.124.110.246]) by
    EXAMPLE_EMAIL_SERVER (Postfix) with SMTP id 389EF64 for
    <EXAMPLE_EMAIL_ADDRESS>; Sat, 31 Dec 2011 12:15:23 -0800 (PST)
Message-ID: <EXAMPLE_MESSAGE_ID>
To: <EXAMPLE_EMAIL_ADDRESS>
Subject: EXAMPLE_EMAIL_ADDRESS Rolex Today -38%
From: <EXAMPLE_EMAIL_ADDRESS>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Sat, 31 Dec 2011 12:15:23 -0800
Return-Path: EXAMPLE_EMAIL_ADDRESS
X-MS-Exchange-Organization-AuthSource: EXAMPLE_EMAIL_SERVER
X-MS-Exchange-Organization-AuthAs: Anonymous
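As an added example (not part of the original post), the following Python script automates steps 3 to 5 against a constructed copy of the header above: it walks the Received chain from the bottom to find the originating public IP, checks X-Spam-Status for the WHITELISTED marker, and reports which whitelist entry covers the From address. The From address webform@EXAMPLE_DOMAIN and the whitelist contents are assumptions.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample modelled on the header in the post; EXAMPLE_* placeholders
# are kept and the From address at the whitelisted domain is made up.
RAW_HEADERS = """Received: from EXAMPLE_EMAIL_SERVER (EXAMPLE_EMAIL_SERVER_IP) by
 EXAMPLE_EMAIL_SERVER (EXAMPLE_EMAIL_SERVER_IP) with Microsoft SMTP Server
 (TLS) id 14.1.355.2; Sat, 31 Dec 2011 12:15:24 -0800
Received: from localhost (localhost.localdomain [127.0.0.1]) by
 EXAMPLE_EMAIL_SERVER (Postfix) with ESMTP id 18FAADE for
 <user@EXAMPLE_DOMAIN>; Sat, 31 Dec 2011 12:15:25 -0800 (PST)
X-Relayed-From: 178.124.110.246
X-Spam-Status: No, score=x tagged_above=-999 required=4 WHITELISTED tests=[]
Received: from microsof-b96170 (unknown [178.124.110.246]) by
 EXAMPLE_EMAIL_SERVER (Postfix) with SMTP id 389EF64 for
 <user@EXAMPLE_DOMAIN>; Sat, 31 Dec 2011 12:15:23 -0800 (PST)
From: <webform@EXAMPLE_DOMAIN>
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    return HeaderParser().parsestr(raw, headersonly=True)


def originating_ip(msg):
    # Step 3: walk Received from the earliest hop (bottom of the header) upward;
    # the first public IP is the host that handed the message to our relays.
    # Loopback/private hops and unbracketed names are our own servers.
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hop):
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None


def spam_filter_bypassed(msg):
    # Step 4: amavisd-new writes WHITELISTED into X-Spam-Status when the sender
    # matched a whitelist entry, so the score is not what let the mail through.
    status = msg.get("X-Spam-Status") or ""
    return "WHITELISTED" in status.split()


def whitelist_match(msg, whitelist):
    # Step 5: which whitelist entry covers the From address? Entries starting
    # with '@' cover a whole domain (the over-broad case); others are exact.
    m = re.search(r"<([^>]+)>", msg.get("From", ""))
    addr = (m.group(1) if m else msg.get("From", "")).strip().lower()
    for entry in whitelist:
        e = entry.lower()
        if (e.startswith("@") and addr.endswith(e)) or addr == e:
            return entry
    return None
```

A domain-wide match combined with an external originating IP is exactly the situation step 7 addresses: replace the @EXAMPLE_DOMAIN entry with the individual addresses the websites send from.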


Simply Smart Technology is a Chicago-based IT Support provider offering cloud-based Microsoft Exchange services and email system administration services.
