breid7718
asked on
Strange messages in out queue
I have an Exchange Server 5.5 that gathers about 100 or so strange messages in the Outbound Awaiting Delivery queue every day in a slow trickle.
They look like spam or virus related things - they will have no originator and the destination is always some sort of loopy bs address like aaa5.8m.com, groogle.com, or the like. They fail with a [network error during host resolution] message and just build up out there in the queue. I have been purging them manually, but am concerned about their source.
We are not open relaying - everything requires authentication and I've been through the process of covering relay holes. We WERE at one time open relaying and were being used for spam for about a month before I found it, several years ago. I am also pretty confident that no one is purposefully using a mass mailer inside the building. We are well antivirused, so I don't think someone is hosting a trojan innocently.
Can anyone help me identify the source of these messages and determine how to fix the root problem behind it?
ASKER
I can find Administrator notifications for NDRs (and have them turned off) on the IMS property page, but I don't see an option to actually turn off NDRs. Where can I find that option?
ASKER CERTIFIED SOLUTION
Read this to understand a reverse NDR attack http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm