Numerous emails generatedfrom a user account

Posted on 2005-04-18
Medium Priority
Last Modified: 2013-12-18

We have a user in our organization who sent an email to copied list of over 1000 people (I know!!) a few of the emails were non-existant but that is not the major problem.

Since this email left our systems we have had reports that the email was being delivered to the recipients many times. As many as 50-100 in 2 hours, each an identical copy of the original email, with each of the original recipients getting spammed in this way.

I am at a loss as to what could be causing this. We have checked the users mailfile for any rules set, none found. We have also run an agent to ensure none are suffering from the known issue below,
Also fine.

The server seems to run fine then all of a sudden the mails will start to be generated. For instance, this weekend, everything was fine from friday 5pm until sunday 12.00 am (on the dot) then the emails again started to be generated.

Any suggestions or ideas are much appreciated on this one, as you can imagine we are receiving a lot of flack and also even threats of legal action.
Question by:A4eIT
  • 13
  • 8
  • 2
  • +2
LVL 46

Expert Comment

by:Sjef Bosman
ID: 13805756
Who says these mails come from your user?? I know my real mail-address has been used many times by some a**holes on the Internet. If it is spam, or junkmail, with your user as sender, tel them to look at the originating server. It is probably not yours...

Or are you sure these mails leave your server? Maybe the user has a virus on his system that triggers the generation of these mails?

Author Comment

ID: 13805839

Thanks for the reply,

At first I thought these mails were externally from spoofing, however there are two facts which lead me away from this fact.

Firstly the people who are getting these messages are all the original recipients of the original mail in question, the recipients are not random.
At first our smtp server (setup by apparently experts) was set as an open relay however this has now been rectified.

Secondly, for the delivery failure on the bad addresses the first step in the routing path is one of our remote servers (the one where the users home server was) which again leads me to believe the above

Author Comment

ID: 13805896
oh and BTW, I assume the users PC is turned off at this time since its the middle of the night

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

LVL 46

Expert Comment

by:Sjef Bosman
ID: 13805957
Can you see if the mail is generated by Notes or by some other mailer, e.g. Outlook? Or by some other program that mimics a mailer? Is the user's PC checked for viruses?

You could stop the Router and see what mails are put into mail.box.
LVL 46

Expert Comment

by:Sjef Bosman
ID: 13805980
And what's the content of the mail? Does it have anything to do with your company? Did you question the user?

If you can get hold of such a mail, look at the Document Properties in the mail. The item Received will tell you a great deal about where it came from.

Author Comment

ID: 13805987
Can you see if the mail is generated by Notes or by some other mailer, e.g. Outlook? Or by some other program that mimics a mailer?
Not sure how I would find this info.

Is the user's PC checked for viruses?
I assume the first line would have checked this, also as said, the emails seem to be generated when the users PC should be switched off (midnight)

Author Comment

ID: 13806092
And what's the content of the mail? Does it have anything to do with your company? Did you question the user?

The contenty of the mail is exactly the same as the original one,
Approx 40 lines of text followed by an attachment. This was a totally ligit email just sent to far too many recipients with an unchecked list.

If you can get hold of such a mail, look at the Document Properties in the mail. The item Received will tell you a great deal about where it came from.
I seem to have around 15 of those with duplicate ID numbers,

Each have roughly the same format as below,

Field Name: Received
Data Type: RFC822 Text
Data Length: 232 bytes
Seq Num: 1
Dup Item ID: 13
Field Flags:
RFC822 Type: TEXT
RFC822 Flags: STRICT
Native Value:

"from unknown (HELO unilap.co.uk) (uni174129@  by 0 with SMTP; 16 Apr 2005 04:03:41 -0000"

RFC822 Header Name:


RFC822 Header Delimiter:

": "

RFC822 Header Body:

66 72 6F 6D 20 from
75 6E 6B 6E 6F unkno
77 6E 20 28 48 wn (H
45 4C 4F 20 75 ELO u
6E 69 6C 61 70 nilap
2E 63 6F 2E 75 .co.u
6B 29 20 28 75 k) (u
6E 69 31 37 34 ni174
31 32 39 40 38 129@8
31 2E 31 33 38 1.138
2E 35 37 2E 32 .57.2
31 35 29 0D 0A 15)..
20 20 62 79 20   by
30 20 77 69 74 0 wit
68 20 53 4D 54 h SMT
50 3B 20 31 36 P; 16
20 41 70 72 20  Apr
32 30 30 35 20 2005
30 34 3A 30 33 04:03
3A 34 31 20 2D :41 -
30 30 30 30 0D 0000.
0A                         .

Where the line "from unknown (HELO unilap.co.uk) (uni174129@  by 0 with SMTP; 16 Apr 2005 04:03:41 -0000"

is from different addresses each time.
LVL 46

Expert Comment

by:Sjef Bosman
ID: 13806167
That's right. That line tells you what server passed the message on to what other server. Usually, the bottom Received contains info about the first server the message reached, that's the server the message was offered to by the originating mail client. Each station in between adds more info to Received.

Expert Comment

ID: 13806271
could be a problem with your mail.box, possibly from corruption from an AV program. On all servers that your user routes throught to send internet mail, shut down Domino, rename mail.box to mail.old (and mail2.box to mail2.old etc), then restart Domino to recreate the mail.box ... if the mail.box is the problem, then this should solve it.

Author Comment

ID: 13813368
Ive checked all the message received data and although some domains look common, they are mostly different on each mail so no real info there.

One thing I have noticed is that the routing path seems to point to the fact that it originated from one particular server in our organization, can I trust this info or could it just be the fact that this is the users home server?

I have recreated the mailboxes on the smtp server - would it be worth doing this on the others??

Expert Comment

ID: 13813703
yes, recreate the mail box on all the servers the message routes through.

Author Comment

ID: 13813744
Will try this tonight at close of play, thanks.

Any other ideas???
LVL 46

Expert Comment

by:Sjef Bosman
ID: 13813796
I'd love to look at those mails, it is very hard to explain it from a long distance where to look. What you could do is the following: create an empty database, no template, copy one of those mails (an innocent one), paste it in the new database, close Notes, zip the database and mail it to us. For my mail address, see my EE-profile. About JJ's, can't find it (but the M$-trek-story was fun to read :).

Author Comment

ID: 13813867
Thanks for this, this is soooooo appreciated.

I will up the points on solution and also, if youre interested, will send you some of our decomissioned hardware to sell on ebay or whatever.

Sending email now, has a few of the original looping emails and some delivery faiures to the bad addresses.

I also have IBM and BT working on this so any more suggestions utilizing help from them can be performed.

Thanks again.

Author Comment

ID: 13813872
mail sent - thanks
LVL 46

Expert Comment

by:Sjef Bosman
ID: 13814015
Mail received, thanks. You applied some changes to the original document, didn't you? Recipients removed, subject removed? Or not?? Just copy/paste??

First off impressions:
- you have Domino 6.5, a poor-quality release (to put it mildly); can you upgrade?
- there is a field Comments, it contains "Original 'to' not compliant with RFC 822, stripped"
- what's unilap.co.uk, it comes up in all these mails in the field Delivered_To

There is some interesting anti-Spam info in these mails, but I need more time to figure out what happened.

Author Comment

ID: 13814082

In response to your questions,

Mail received, thanks. You applied some changes to the original document, didn't you? Recipients removed, subject removed? Or not?? Just copy/paste??
Simple copy and paste, exactly as the mails were recieved.

you have Domino 6.5, a poor-quality release (to put it mildly); can you upgrade?
Yep - can do - do you think this may be an issue??

there is a field Comments, it contains "Original 'to' not compliant with RFC 822, stripped
Wouldnt have a clue.

what's unilap.co.uk, it comes up in all these mails in the field Delivered_To
It looks like a small engineering firm located locally near our business. Two of the intended recipients were in this domain. I noticed that ehsbs.local also showed up a lot in there and on the server, not sure what this is though and cannot trace due to .local ending

LVL 46

Accepted Solution

Sjef Bosman earned 1200 total points
ID: 13814975
All mails seem to be originated by ehsbs, in fact which is ehill.plus.com, which is probably www.hillpumps.com, or from arrowtechnical.com, in fact which is reported as 82-47-248-114.cable.ubr03.shef.blueyonder.co.uk. Lots of Sheffield companies are participating. Or are they the same company? There is also an aetuk.com mentioned, maybe they are also involved.

From the field Received:
- from mail pickup service by arrowtechnical.com with Microsoft SMTPSVC;  Mon, 18 Apr 2005 03:15:28 +0100
- from arrowtechnical.com ([]) by smtp-out5.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.6713);  Mon, 18 Apr 2005 03:16:15 +0100
- from  ([]) by A4E; Mon, 18 Apr 2005 03:19:37 +0100 (BST)
- from A4E ([])          by smtp.a4e.co.uk (Lotus Domino Release 6.5)          with SMTP id 2005041803315983-8256 ;          Mon, 18 Apr 2005 03:31:59 +0100
- from mail pickup service by SBS2003.ehsbs.local with Microsoft SMTPSVC;  Mon, 18 Apr 2005 03:00:35 +0100

I think they have a problem, if indeed these mails are generated by them. In all cases, Business Serve AntiSpam information is present, so it might be that software that is to blame for the mail loop. And things are started by "mail pickup service" with Microsoft SMTPSVC.

An authenticated sender, for what it's worth: tony@opus-uk.co.uk

I'd suggest to call the other companies involved. They must have noticed that mail isn't the way it used to be.
And I'd verify the anti-spam software configuration.

Author Comment

ID: 13815088
So this does not look like an internal problem??
LVL 46

Expert Comment

by:Sjef Bosman
ID: 13815159
Can't say yes, can't say no, because it's still unclear from the mails you sent me. Gut-feeling says 80% external.

Another strange thing: the FromDomain contains A4E@a4e.co.uk@A4EX which seems not a normal Notes way to indicate domains. You might have routing problems between your servers.

To find out more if it in- or -external, the least you could do is contact HillPumps, to find out if they experience mail problems.

Author Comment

ID: 13815371
Thanks, will do,

Just a quick point, IBM have stated that the presence of the $mime track in the doc properties on these mails would seem to suggest that the mail had been routed through the smtp and so would agree with us that the source seems to be external.

Thanks for all the help so far, will get back when I have more info.
LVL 31

Assisted Solution

qwaletee earned 600 total points
ID: 13819101
Hi A4eIT,

Sjef pinged me, asking me to jump in on this.

I would not be so sure about the $Mimerack indicatig an external problem.  First, we have to make sure we udnerstand what was SUPPOSED to be happening, i.e., the original send, and what IS happening now, i.e., who is getting what delivered, and who is getting what delivery failures.

So, please correct and amplify:
    *   The e-Mail was originally sent by a person within your Notes domain
    *   That person is no longer with you, and the account has been terminated
    *   That person sent a message with 1,000 addressees some time agi (how long ago)
    *   All the addressees were extrenal, i.e., had Internet addresses not at your company
    *   Subsequently (how often, how recently?) all 1,000 original addressees complain they recieve extra copies of the old message
    *   You aslo receive, just as frequently, delivery failures for any of the original addressees that are ot current valid e-Mail addresses
    *   How many DOmino servers do you have?
    *   Does each user home server send SMTP to the internet, or is there a "gateway" Domino server?
    *   Whichever server(s) send SMTP to Internet -- do they use a realy, or do they directly contact each destination SMTP server (i.e., for qwaletee @ experts-exchange.com, does it send to mail.experts-exchange.com at, or do all messages, regardless of destination domain, route through a "relay" that does the distribution on the Internet).  Relays may be interbal (a gateway), external (an ISP send mail for you) or DMZ (gateway to protect internal mail servers)
    *   Do you have Message Tracking turned on?  It will allow you to see what your DOmino server actually sent and received.  WIth 1,000 addresses, it should be pretty easy to spot whether yoru sender sent all of them or only has the delivery failures
    *   Have you tried matching up the observed activity with the message and miscellaneous logs of your Domino servers?

The reason why $MimeTrack is almost irrelevant is as follows. Native SMTP content is prety mucg always considered to be MIME, even if it is simple text or just a single encoded file.  Domino can store MIME< but it does not store it as plain text - because MIME content can be nested, Domino stores it as a aspecial type of data that could be reconstructed to a blob of MIME text, and taskes each MIEM section and puts in a separate Body item.  This process is called ITEMIZATION (turning MIME parts into Notes ITEMS).  The opposite also holds true, and is called SERIALIZATION (whether teh original text was MIME stored in DOmino, or whether it was rich text or plain text that had to be converted to MIME).  The information about when and where this proces occurs is stored in a Notes item called $MimeTrack, wich, on SMTP send, is also serialized into an SMTP header.  When DOmino itemizes, it takes whatever is in that same header, turns it into the $MimeTrack field, and appends teh new Itemization log.

If you send a message to a bad address, what shoudl happen is:
    *   Domino server creates $MimeTrack item as it converts mail
    *   $MimeTrack has a single entry
    *   Single X_Lotus_MimeTrack SMTP header added
    *   When Domino receives delivery failure, it converts the existing X_Lotus_MimeTrack into $MimeTrack
    *   It then adds a second entry to the $MimeTrack field (single item, no duplicates, but it is now a two-item text list)

So, you see, all delivery failures from external will have a $MimeTrack.  And all delivery failures of messages that were originally from a Lotus Notes client, went to the Internetm and bounced back, should have TWO entries in the $MimeTrack text list... except that tehy sometimes won't, because there is no standard for how an SMTP server constructs a nondelivery report.

Example of a message sent from Notes to Notes (Sjef's message to me):
Single field called $MimeTrack on my received message
"Serialize by Router on Server1/The-Academy(Release 6.5.2|June 01, 2004) at 19-04-2005 15:37:51" -- this is Sjef's server converting from Rich Text to MIME
"Serialize complete at 19-04-2005 15:37:51" -- continuation of same
"Itemize by SMTP Server on Montreal-NS002/DMR/CA(Release 5.0.11  |July 24, 2002) at 04/19/2005 09:26:25 AM" -- My SMTP gateway converting it back.

See how this matches up against the Received headers:
=========Dup Item ID 0============
"from canada-smtp1.consulting.fujitsu.com ([])          by Montreal-NS002.notes.dmr (Lotus Domino Release 5.0.11)          with ESMTP id 2005041909262581:95739 ;          Tue, 19 Apr 2005 09:26:25 -0400"
=========Dup Item ID 1============
"from server1.the-academy.corp ([]) by canada-smtp1.consulting.fujitsu.com (8.13.3/8.13.3) with ESMTP id j3JDWop1023420 for <dovid@dmr.com>; Tue, 19 Apr 2005 09:32:50 -0400"

We see that 19-04-2005 15:37:51 (serialization time) is close to Dup Item ID 1 time 09:32:50 -0400, assuming Sjef servers lives at UTC+2.  It actually arrives five minutes earlier than it left, but that's probably a server clock sync issue.

Now, if the original received and serialization headers are intact, you should be able to tell what time Domino converted and sent the messages.  If they have the original times in $MimeTrack, then most likely this is happening beyond your gateway Domino server.  If they have more recent times, then you know your Domino server is sending them again.

Note: Even with original times, there is a possibility that it is coming from Domino, because f the SMTP outbound router somehow gets "stucK," it could have an outgoing queue that never gets cleared.  I believe it stores that information in temp files on disk.  So, what could be happening is that a document could have been converted successfully, then put into the send queue, successfully sent, but remained in the queue to be retransmitted.  What you would need to see is the FIRST RECEIVED header in the message, to see whether the next server up the line claims to have received it from Domino at the old time or the recent time.  If there is more than one reciepient domain involved, you can get a definite answer.  If there is only one, you coudl have the opposite problem -- it could be the receiving SMTP server got the message, and keep requeing it (which is exceedingly unlikely if this occurs at multiple SMTP servers, which is why I said it would be a definite answer in that case).

I'd say it is probably more important to get the intact mal headers from a SUCESSFUL recipeint than it is to analyze the delivery failures you have been receiving.

Best regards,

Author Comment

ID: 13874929

I havent forgot about this thread - justr been away from the office for a few days, will be responding shortly, Thanks

Assisted Solution

riprowan earned 200 total points
ID: 14006671
A4eIT - everything you need to know is in your post dated 04/18/2005 06:46AM PDT.  The fact of the matter is that the emails that your users are receiving are not being generated by your systems.  They are being generated elsewhere.  Thererfore, the generation of the email is NOT YOUR PROBLEM.

Please see the answers given here: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21411404.html

My answer is that one of those emails was harvested by a spammer.  What you are seeing is common behavior of spammers harvesting reliable email addresses.  What is happening is that the spammer is sending a copy of the original mail, with an apparent "from" from people on the original email, and "sending-to" people on the original email.

Change your mail logging level to Verbose.  You can find this in your Domino Server Configuration - Router / SMTP / Advanced / Controls.  Then restart the router.  Monitor your logs or watch in the server console.  If you will thoroughly log your mail traffic, I bet that you will see that the inbound connections are NOT coming from any of the addresses that are listed on the emails, but rather from some completely different server (the spammer).

Author Comment

ID: 14008659
Hi thanks for all the help on this, it appears our isp allows anyone to relay to our company through their relay so ill be on to this with them,
Have split points accordingly and would just like to say a HUGE thanks to everyone who has jumped in on this call.

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For users on the Lotus Notes 8 Standard client, this article provides information on checking the Java Heap size and adjusting it to half of your system RAM in attempt to get the Lotus Notes 8.x Standard client to run faster.  I've had to exercise t…
I thought it will be a good idea to make a post as it will help in case someone else faces these issues. I trust this gives an idea how each entry in Notes.ini can mean a lot for the Domino Server to be functioning properly. This article discusses t…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question