Outgoing message selected for spoofed domain

Robert Lopez rlopezcnm at gmail.com
Wed Sep 16 20:48:01 IST 2009


I just saw the following message delivered by MailScanner to CNM
Postmaster account. I sanitized it a bit:

--begin message--
The following e-mails were found to have: Virus Detected

    Sender: xxxx at cnm.edu
IP Address: [an internal IP CNM address for one instance of load
balanced gateway into Exchange cluster]
 Recipient: yyyy at yahoo.com
   Subject: Resume' Worksheet
 MessageID: 0D5F6660235.8DF85
Quarantine: <this was empty>
    Report: Clamd:  message was infected:
Phishing.Heuristics.Email.SpoofedDomain

Full headers are:

 Received: from <name of gateway into Exchange.area-name>.cnm.edu
(<name of same instance of load balanced gateway.area-name>.cnm.edu
[same internal address for instance of gateway into Exchange])
 	by <one DMZ gateway running MailScanner>.cnm.edu (Postfix) with
ESMTPS id 0D5F6660235
 	for <yyyyy at yahoo.com>; Wed, 16 Sep 2009 12:47:28 -0600 (MDT)
 Received: from <Exchange server cluster name.area-name>.cnm.edu
([address on one instance of load balanced Exchange cluster]) by
  <name of same instance of load balanced gateway.area-name>.cnm.edu
([same internal address for instance of gateway into Exchange]) with
mapi; Wed, 16 Sep 2009
  12:47:28 -0600
--end message--

Email has been going out through three gateways running MailScanner
for 3, 2, and 1 month(s) and this is the first instance of this I have
seen.

The gateways into the Exchange cluster and the Exchange cluster all
have the same "area-name".cnm.edu.
The gateways into the Exchange server cluster are load balanced.
The Exchange servers are load balanced.

What should I look for to see why it happened?  I would like it to not
happen again.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
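The ClamAV signature named in the report, Phishing.Heuristics.Email.SpoofedDomain, fires on an HTML body in which a link's visible text names one host while its href points to a different one, so the message body rather than the Received chain is where to look first. The script below is an added example, not ClamAV's code or anything from the original post; it applies that same visible-text-versus-href comparison to a constructed sample body whose links are made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text a reader would perceive as a URL or host name (group 1 = the host).
_URLISH = re.compile(
    r"^(?:https?://)?(?:www\.)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Normalised host part of a URL or bare host name, without a www. prefix."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_spoofed_links(html):
    """Return (shown_host, real_host) for links whose text claims one host but whose href goes elsewhere."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        match = _URLISH.match(text)
        if not href or not match:
            continue  # plain text such as "click here" makes no host claim
        shown, real = _host(match.group(1)), _host(href)
        if shown and real and shown != real:
            hits.append((shown, real))
    return hits


# Constructed sample body: one honest link, one mismatched link, one plain-text link.
SAMPLE_BODY = """<p>Updated worksheet: <a href="http://cnm.edu/hr/resume">www.cnm.edu/hr/resume</a></p>
<p>Sign in at <a href="http://login.example.net/y">https://mail.yahoo.com/</a> or <a href="http://cnm.edu/help">click here</a>.</p>"""

if __name__ == "__main__":
    for shown, real in find_spoofed_links(SAMPLE_BODY):
        print(f"visible text says {shown!r} but the link goes to {real!r}")
```

Running it over the quarantined message's HTML part (MailScanner's quarantine copy, when one is kept) shows which anchor tripped the heuristic, which is usually a legitimate but mismatched link in a signature or template rather than a compromised sender.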
