?
Solved

Could our mail server be used by an outsider?

Posted on 2004-10-03
2
Medium Priority
?
656 Views
Last Modified: 2008-01-09
We have a dedicated server hosted with an ISP.  We are running MailEnable and have a software program written to send out emails.  We also have our own email coming through this MailEnable server.  However one of our users has been receiving all kinds of emails concerning "Message Delivery Failure" and "Message Delivery Delay" (over 30 yesterday alone!).  The problem is that she didn't send the emails.  When I look at the contents of the message (from Postmaster), it shows the following contents on one:

MailEnable: Message Delivery Failure.

The following recipient(s) could not be reached:

      [SMTP:1pierce27@home.com]: General Failure


Message contents follow:

Received: from Huufuljiq ([69.140.154.154]) by ourserver.com with MailEnable ESMTP; Sat, 02 Oct 2004 04:00:14 -0400
From: RBocas <RBocas@tidco.co.tt>
To: 1pierce27@home.com
Subject: So cool a flash,enjoy it
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary=Kfc164Nx11sN069
Message-ID: <CE93EE9E9B4449B9AD60866CAB1CC9.MAI@ourserver.com>
Date: Sat, 02 Oct 2004 04:00:14 -0400

This looks to be a possible virus being sent from ourserver.com (which I've changed the name of), but our user is NOT RBocas@tidco.co.tt....... she's user@ourserver.com and still receiving these messages???  Is this some kind of goofy virus that uses her name to send out bogus email messages???  If so, why does the FROM show someone else's email address?

Another example:

MailEnable: Message delivery has been delayed.

Message is waiting at ourserver.com for delivery to com.

Reason: Mail Server for altavista.com could not be contacted at this time. MailEnable will keep trying to deliver this message and will notify you of any progress.


Message headers follow:
      
Received: from Hgy ([69.140.154.154]) by ourserver.com with MailEnable ESMTP; Sat, 02 Oct 2004 05:28:27 -0400
From: renaissancecruise <renaissancecruise@mail.com>
To: mikemcken3@altavista.com
Subject: A  WinXP patch
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary=Sl68J624i9L6V
Message-ID: <30098FB787404D9F8CF2B3B3BEEA3.MAI@ourserver.com>
Date: Sat, 02 Oct 2004 05:28:27 -0400


Again no where in this message is my user's name mentioned and she didn't send out any emails to these other people!!!  
Any help/suggestions are greatly appreciated!!!
0
Comment
Question by:Overthere
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 12216566
This is classic worm. It is spoofing everything.
It is taking any domains found on the infected machine, then any email addresses on the machine and using them to create new From: and To: lines. It is also clever enough to adjust the "Received From" line to say the domain name. What gives it away as being spoofed is that it is "received from domain.com". A genuine email message will probably say something like "received from mail.domain.com".

Therefore I don't think your email server is being used by an outsider, you are just seeing messages bounced by the other party for user unknown reasons. Not a lot you can do about those, other than get the user to delete them.
The original source is probably the same machine - someone with your user's email address on their system has got infected.

Simon.
0
 

Author Comment

by:Overthere
ID: 12216717
That's sort of what I thought since it was only happening with the ONE email address.  Her email would be saved in quite a few other users address books, therefore a good chance of being used by a worm, etc.

Thanks!!!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The biggest nightmare for any Exchange Server Administrator is to keep the server running without any issue. But the problems often come and they need to be resolved efficiently and timely. Here are important troubleshooting points: Define the Pr…
Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses
Course of the Month8 days, 11 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question