External sources are sending emails internally and making it look like it's coming from an internal user. When I track it, it is from an external server. I block the domain but I would rather stop it as a whole.
How do some of you handle this?
Received: from mail.xxxxxx (xxxxxxxxxx) by xxxxxx
(xxxxxxxxxx) with Microsoft SMTP Server id xxxxxxxxx; Tue, 12 Mar 2013
08:36:58 -0400
X-AuditID: ac120d5b-b7fd16d000003cd0-11-513f216a0242
Received: from svr02.apcmmedia.com (svr02.apcmmedia.com [69.167.182.82])
(using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a
certificate) by mail.xxxxxxx (Symantec Messaging Gateway) with SMTP
id D6.90.15568.A612F315; Tue, 12 Mar 2013 08:36:58 -0400 (EDT)
Received: from nobody by svr02.apcmmedia.com with local (Exim 4.80)
(envelope-from <nobody@svr02.apcmmedia.com>) id 1UFORt-00037s-Os; Tue, 12 Mar
2013 05:36:57 -0700
To: <Mxxxxxx@xxxxx>, <xxxxxxxxxxxx>,
<xxxxxxxxxxxx>, <xxxxxxxxxx>,
<xxxxxxxxxxxxx>, <xxxxxxxxxxxx>,
<xxxxxxxxxxx>, <xxxxxxxxxxxx>
Subject: no subject
From: <SPOOFED EMAIL>
X-Mailer: Loris v2.32
Content-Type: text/html; charset="windows-1251"
Message-ID: <E1UFORt-00037s-Os@svr02.apcmmedia.com>
Date: Tue, 12 Mar 2013 05:36:57 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - svr02.apcmmedia.com
X-AntiAbuse: Original Domain - ourinternaldomain.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - svr02.apcmmedia.com
X-Get-Message-Sender-Via: svr02.apcmmedia.com: uid via acl_c_vhost_owner from authenticated_id: nobody from /only user confirmed/virtual account not confirmed
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGKsWRWlGSWpSXmKPExsXiunxbkG6Won2gwbuZBhb/VgVYbHr2h8Xi
MIME-Version: 1.0
Return-Path: nobody@svr02.apcmmedia.com
X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxx.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;476774656;0;info
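
The headers above carry the two signals that separate this message from real internal mail: the From domain is internal, yet Exchange stamped it `AuthAs: Anonymous` and the Return-Path is an outside host. The following is an added example, not part of the original post, that checks for that combination; the From address, the `mail.example.invalid` hostname and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post; the From address
# is a made-up stand-in for the redacted "<SPOOFED EMAIL>".
SAMPLE = """\
Received: from svr02.apcmmedia.com (svr02.apcmmedia.com [69.167.182.82])
\tby mail.example.invalid with SMTP; Tue, 12 Mar 2013 08:36:58 -0400 (EDT)
From: <someuser@ourinternaldomain.com>
Subject: no subject
Return-Path: nobody@svr02.apcmmedia.com
X-MS-Exchange-Organization-AuthAs: Anonymous

"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_findings(raw, internal_domains):
    """Reasons a message looks like an outside sender using an internal From."""
    msg = message_from_string(raw)
    internal = {d.lower() for d in internal_domains}
    if domain_of(msg["From"]) not in internal:
        return []  # From is not one of our domains: not this problem
    findings = []
    # AuthAs: Anonymous means the submitting connection did not authenticate.
    auth_as = (msg["X-MS-Exchange-Organization-AuthAs"] or "").strip().lower()
    if auth_as == "anonymous":
        findings.append("internal From but AuthAs is Anonymous")
    # Return-Path records the envelope sender the gateway accepted.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom not in internal:
        findings.append(f"internal From but envelope sender domain is {rp_dom}")
    return findings

if __name__ == "__main__":
    for reason in spoof_findings(SAMPLE, ["ourinternaldomain.com"]):
        print(reason)
```

A legitimate third-party service that sends on the domain's behalf would also trip the Return-Path check, so any such senders need to be accounted for before acting on it.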