External email being routed to wrong recipients

I have had this happen 3 times today.  This is the first day it has happened...

I have had instances of external email addressed to specific internal users being sent to multiple users mailboxes.  For example, an email was sent from an outside source to our exchange server to user@ournetwork.com.  That email was then delivered to multiple peoples mailboxes in our internal network.  It's like the email was routed to many Distribution Lists instead of the specific user.  Everyone on our network did not receive it, just all people in various departments

Like I said, this has happened 3 times today from different external addresses to different internal email addresses.

Any ideas?
LVL 1
daveyd123Asked:
Who is Participating?
 
flyguybobConnect With a Mentor Commented:
When you open the message can you do a View...Options...and see the Internet message headers.

Using relaying, an authenticated user on your e-mail system could send you an e-mail from johnjackobjingleheimerschmidt@aol.com...and that address does not exist.  You would see, in the headers, that it did not come from AOL...but it would appear it was from AOL.

The other thing is that the Sober worm makes it into protected corporate e-mail systems occasionally by a user accessing their external e-mail.
0
 
flyguybobCommented:
BCC field...
0
 
flyguybobCommented:
Mailing list...
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
flyguybobCommented:
spam...
0
 
daveyd123Author Commented:
OK, tons of people just received another email.  The email was addressed to a non-existant mailbox on our network, yet people still got it.  The messages are the same but come from different sources...

One is:"Registration Confirmation

Account and Password Information are attached!

Visit: http://www.unr.edu"

And another is:  Your email was blocked

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached


We have Exchange's Intelligent Message filtering implemented.
0
 
flyguybobCommented:
It sounds like someone on your network (client PC) may have a virus, the Sober Worm.  These viruses do exactly what you are talking about.  Welcome to the life of being an e-mail administrator.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.S

They can also bypass the IMF sometimes because they appear legitimate.

Are you familiar with the term BCC (Blind Carbon Copy, Backstab Carbon Copy) and what it does?  The virus application uses the BCC field to address a message to potentially hundreds of users, while only making it appear like it was to 1 user.

0
 
daveyd123Author Commented:
We do have Virus Scan 8.0i installed on all workstations.  It does say its blocking Port 25 on the workstations.  If that were the case, how would a user send/receive emails?

On one of the email headers it says....  Received from: bhofngiv.edu 24.53.129.167 (RDNS failed) by our email server.com....from admin@unr.edu   To..a non-existant email address@our domiain.com


Would it be best to not let Authenicated users have the ability to relay?
0
 
flyguybobCommented:
It looks like a virus coming from the outside, specifically, an Adelphia subscriber in PA.
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-24-52-0-0-1

What you have is a case of the worms trying to get in.  The attachments that are normally associated with the message are likely being quarantined, but the message is being allowed to pass.  Make sure the definitions for your Exchange server anti-spam application are updated.

Bob
0
 
daveyd123Author Commented:
Any reason why the emails are delivered to certain mailboxes and not everyones?
0
 
daveyd123Author Commented:
Also, I turned on SMTP logging and I am getting a lot of the following Events in Event Viewer...


This is an SMTP protocol error log for virtual server ID1, connection#10  The remote host 208.29.147.107 responded to the SMTP command "xexch50" with "504 Need to authenicate first"  The full command sent was "XEXCH50 2108 2"  This will probably cause the connection to fail.

There are several of those events...the connection# and the remote host IP address change in each event
0
 
flyguybobCommented:
1) Only the people on the BCC for the virus will recieve the message.  Since the virus does not send to everyone at once, but continually harvests messages, the e-mails will trickle in.

2) People trying to use your server as a spam relay.  If you ever have an open relay, it will be exploited by spammers in about 15 minutes and on the IRC boards as an open relay after about 10 minutes.

Again, welcome to life as an e-mail admin.  I was in IT for about 5 years until I had to deal with all of this stuff.  There was a worm called Melissa, named for a stripper that danced for the virus writier.  There was another worm called ILoveYou.  That one was a nightmare.  Fortunately the coder was pretty crappy and instead of overwriting .jpg files (many of which users and marketing did not back up), it just renamed them with a .vbs extension.  It took ~2 hours to script the fix and run it against ~100GB of data on the file server.
Nimda was not as bad as Melissa or ILoveYou...but it was bad enough.
Fortunately, in most cases, I was paid to go into companies and clean up the mess.  In one case it was my mail system that got hit ~3 weeks after a P.O. for Trend's Scanmail for Exchange was declined.  I wanted to block extensions and Trend had an anti-virus and anti-spam solution all in one...the only real one at the time.
0
 
flyguybobCommented:
Did you read the Trend Micro link?
0
 
daveyd123Author Commented:
OK...It does look like we have the Sober Worm.

Next question...What would be the best way to find out the workstation(s) that have the worm?  We have 500+ PCs all running Mcafee 8.0i and ePO orchestrator

It looks like the worm uses its own SMTP to send out emails.  I am using Stinger on our Exchange server.  
0
 
flyguybobCommented:
I am breaking the Experts Exchange rules here by answering so many questions (seriously, there are rules and I have been called on it) and answering a new Security TA question in an Exchange TA group:

Well, from what I have seen in your headers, it appears that someone on Adelphia has the worm, so it could even be a home user of yours, connecting via VPN, is sending the virus.
The best way to find out what workstations have the worm would be to look at the headers and see if any of the IP addresses are yours.
The worm may use it's own SMTP, but it has to connect to your Exchange server in order to send them to your users.
With 500 workstations, you may want to broadcast an e-mail from the helpdesk instructing users to ensure that their anti-virus and definitions at work are up to date.  If they use their home PC for work, that they ensure that their definitions (and patches) are up to date for their respective AV application.  If they don't have anti-virus 1) That's a bad thing and 2) They can go to http://housecall.trendmicro.com/
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.