A4eIT
asked on
Numerous emails generated from a user account
Hi,
We have a user in our organization who sent an email to a copied list of over 1000 people (I know!!). A few of the emails were non-existent, but that is not the major problem.
Since this email left our systems we have had reports that the email was being delivered to the recipients many times, as many as 50-100 in 2 hours, each an identical copy of the original email, with each of the original recipients getting spammed in this way.
I am at a loss as to what could be causing this. We have checked the user's mail file for any rules set, none found. We have also run an agent to ensure none are suffering from the known issue below:
http://www-1.ibm.com/support/docview.wss?rs=0&q1=1088058&uid=swg21088058&loc=en_US&cs=utf-8&cc=us&lang=en
Also fine.
The server seems to run fine, then all of a sudden the mails will start to be generated. For instance, this weekend, everything was fine from Friday 5pm until Sunday 12.00 am (on the dot), then the emails again started to be generated.
Any suggestions or ideas are much appreciated on this one; as you can imagine we are receiving a lot of flak and also even threats of legal action.
ASKER
Hi,
Thanks for the reply,
At first I thought these mails were external, from spoofing; however, there are two facts which lead me away from this.
Firstly, the people who are getting these messages are all the original recipients of the original mail in question; the recipients are not random.
At first our SMTP server (set up by apparent experts) was set as an open relay; however, this has now been rectified.
Secondly, for the delivery failures on the bad addresses, the first step in the routing path is one of our remote servers (the one where the user's home server was), which again leads me to believe the above.
ASKER
Oh, and BTW, I assume the user's PC is turned off at this time since it's the middle of the night.
Can you see if the mail is generated by Notes or by some other mailer, e.g. Outlook? Or by some other program that mimics a mailer? Is the user's PC checked for viruses?
You could stop the Router and see what mails are put into mail.box.
And what's the content of the mail? Does it have anything to do with your company? Did you question the user?
If you can get hold of such a mail, look at the Document Properties in the mail. The item Received will tell you a great deal about where it came from.
ASKER
Can you see if the mail is generated by Notes or by some other mailer, e.g. Outlook? Or by some other program that mimics a mailer?
Not sure how I would find this info.
Is the user's PC checked for viruses?
I assume the first line would have checked this; also, as said, the emails seem to be generated when the user's PC should be switched off (midnight).
ASKER
And what's the content of the mail? Does it have anything to do with your company? Did you question the user?
The content of the mail is exactly the same as the original one:
approx. 40 lines of text followed by an attachment. This was a totally legit email, just sent to far too many recipients with an unchecked list.
If you can get hold of such a mail, look at the Document Properties in the mail. The item Received will tell you a great deal about where it came from.
I seem to have around 15 of those with duplicate ID numbers.
Each has roughly the same format as below:
Field Name: Received
Data Type: RFC822 Text
Data Length: 232 bytes
Seq Num: 1
Dup Item ID: 13
Field Flags:
RFC822 Type: TEXT
RFC822 Flags: STRICT
Native Value:
"from unknown (HELO unilap.co.uk) (uni174129@81.138.57.215) by 0 with SMTP; 16 Apr 2005 04:03:41 -0000"
RFC822 Header Name:
"Received"
RFC822 Header Delimiter:
": "
Where the line "from unknown (HELO unilap.co.uk) (uni174129@81.138.57.215) by 0 with SMTP; 16 Apr 2005 04:03:41 -0000"
is from a different address each time.
That's right. That line tells you what server passed the message on to what other server. Usually, the bottom Received contains info about the first server the message reached, that's the server the message was offered to by the originating mail client. Each station in between adds more info to Received.
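As an added example (not code from the thread), here is the bottom-up walk of a Received chain just described, in Python. The lower header is the line quoted on this page; the upper header, the relay name and the server set are constructed for illustration.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Received headers in the order they appear in a message
# (top = last hop). The second entry is the line quoted on this page; the
# first is constructed. "by 0" is copied verbatim from the quoted line.
RECEIVED_HEADERS = [
    "from mail.example-relay.invalid (mail.example-relay.invalid [203.0.113.10])"
    " by homeserver.example.invalid with ESMTP; 16 Apr 2005 04:04:02 -0000",
    "from unknown (HELO unilap.co.uk) (uni174129@81.138.57.215) by 0 with SMTP;"
    " 16 Apr 2005 04:03:41 -0000",
]

def parse_hop(header):
    """Pull from-host, HELO name, first IPv4 literal, by-host and timestamp."""
    text = " ".join(header.split())            # unfold CRLF + indentation
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_helo = re.search(r"\(HELO\s+([^)]+)\)", text, re.IGNORECASE)
    m_ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    when = None
    if ";" in text:                            # date follows the last ';'
        try:
            when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    if when is not None and when.tzinfo is None:   # "-0000" parses as naive
        when = when.replace(tzinfo=timezone.utc)
    return {"from": m_from.group(1) if m_from else None,
            "helo": m_helo.group(1) if m_helo else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "when": when}

def trace_path(headers):
    """Hops in delivery order: the bottom Received line is the first server."""
    return [parse_hop(h) for h in reversed(headers)]

def origin_findings(hops, our_servers):
    """Triage notes on the originating hop and on timestamp consistency."""
    first, notes = hops[0], []
    if first["by"] in our_servers:
        notes.append(f"first hop received by our server {first['by']}")
    else:
        notes.append(f"first hop received by unrecognised host '{first['by']}'")
    if first["from"] == "unknown":
        notes.append("no reverse DNS for the originating IP")
    if first["helo"] and first["helo"] != first["from"]:
        notes.append(f"HELO name '{first['helo']}' does not match reverse DNS")
    for a, b in zip(hops, hops[1:]):           # time must not run backwards
        if a["when"] and b["when"] and b["when"] < a["when"]:
            notes.append("timestamps run backwards between hops")
    return notes
```

Run `origin_findings(trace_path(RECEIVED_HEADERS), {"homeserver.example.invalid"})` to get the notes for the quoted line; an originating hop whose by-host is not one of your own servers points outside the organisation.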
Could be a problem with your mail.box, possibly from corruption by an AV program. On all servers that your user routes through to send internet mail, shut down Domino, rename mail.box to mail.old (and mail2.box to mail2.old etc.), then restart Domino to recreate the mail.box ... if the mail.box is the problem, then this should solve it.
ASKER
I've checked all the message Received data and, although some domains look common, they are mostly different on each mail, so no real info there.
One thing I have noticed is that the routing path seems to point to the fact that it originated from one particular server in our organization. Can I trust this info, or could it just be the fact that this is the user's home server?
I have recreated the mailboxes on the SMTP server - would it be worth doing this on the others??
Yes, recreate the mail box on all the servers the message routes through.
ASKER
Will try this tonight at close of play, thanks.
Any other ideas???
I'd love to look at those mails, it is very hard to explain it from a long distance where to look. What you could do is the following: create an empty database, no template, copy one of those mails (an innocent one), paste it in the new database, close Notes, zip the database and mail it to us. For my mail address, see my EE-profile. About JJ's, can't find it (but the M$-trek-story was fun to read :).
ASKER
Thanks for this, this is soooooo appreciated.
I will up the points on solution and also, if you're interested, will send you some of our decommissioned hardware to sell on eBay or whatever.
Sending email now; it has a few of the original looping emails and some delivery failures to the bad addresses.
I also have IBM and BT working on this so any more suggestions utilizing help from them can be performed.
Thanks again.
ASKER
mail sent - thanks
Mail received, thanks. You applied some changes to the original document, didn't you? Recipients removed, subject removed? Or not?? Just copy/paste??
First off impressions:
- you have Domino 6.5, a poor-quality release (to put it mildly); can you upgrade?
- there is a field Comments, it contains "Original 'to' not compliant with RFC 822, stripped"
- what's unilap.co.uk, it comes up in all these mails in the field Delivered_To
There is some interesting anti-Spam info in these mails, but I need more time to figure out what happened.
ASKER
Thanks,
In response to your questions,
Mail received, thanks. You applied some changes to the original document, didn't you? Recipients removed, subject removed? Or not?? Just copy/paste??
Simple copy and paste, exactly as the mails were received.
you have Domino 6.5, a poor-quality release (to put it mildly); can you upgrade?
Yep - can do - do you think this may be an issue??
there is a field Comments, it contains "Original 'to' not compliant with RFC 822, stripped
Wouldn't have a clue.
what's unilap.co.uk, it comes up in all these mails in the field Delivered_To
It looks like a small engineering firm located locally near our business. Two of the intended recipients were in this domain. I noticed that ehsbs.local also showed up a lot in there and on the server; not sure what this is though, and cannot trace it due to the .local ending.
ASKER CERTIFIED SOLUTION
ASKER
So this does not look like an internal problem??
Can't say yes, can't say no, because it's still unclear from the mails you sent me. Gut-feeling says 80% external.
Another strange thing: the FromDomain contains A4E@a4e.co.uk@A4EX which seems not a normal Notes way to indicate domains. You might have routing problems between your servers.
To find out more about whether it is internal or external, the least you could do is contact HillPumps to find out if they experience mail problems.
ASKER
Thanks, will do,
Just a quick point: IBM have stated that the presence of the $MIME track in the doc properties on these mails would seem to suggest that the mail had been routed through SMTP, and so would agree with us that the source seems to be external.
Thanks for all the help so far, will get back when I have more info.
SOLUTION
ASKER
hi,
I haven't forgotten about this thread - just been away from the office for a few days, will be responding shortly. Thanks
SOLUTION
ASKER
Hi, thanks for all the help on this. It appears our ISP allows anyone to relay to our company through their relay, so I'll be on to this with them.
Have split points accordingly and would just like to say a HUGE thanks to everyone who has jumped in on this call.
Or are you sure these mails leave your server? Maybe the user has a virus on his system that triggers the generation of these mails?