Solved

External email being routed to wrong recipients

Posted on 2005-05-03
14
754 Views
Last Modified: 2008-02-01
I have had this happen 3 times today.  This is the first day it has happened...

I have had instances of external email addressed to specific internal users being sent to multiple users' mailboxes.  For example, an email was sent from an outside source to our Exchange server to user@ournetwork.com.  That email was then delivered to multiple people's mailboxes in our internal network.  It's like the email was routed to many Distribution Lists instead of the specific user.  Not everyone on our network received it, just all the people in various departments.

Like I said, this has happened 3 times today from different external addresses to different internal email addresses.

Any ideas?
Question by:daveyd123
14 Comments
 
LVL 24

Expert Comment

by:flyguybob
ID: 13920459
BCC field...
LVL 24

Expert Comment

by:flyguybob
ID: 13920460
Mailing list...
LVL 24

Expert Comment

by:flyguybob
ID: 13920462
spam...
LVL 1

Author Comment

by:daveyd123
ID: 13920516
OK, tons of people just received another email.  The email was addressed to a non-existent mailbox on our network, yet people still got it.  The messages are the same but come from different sources...

One is:"Registration Confirmation

Account and Password Information are attached!

Visit: http://www.unr.edu"

And another is:  Your email was blocked

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached


We have Exchange's Intelligent Message filtering implemented.
LVL 24

Expert Comment

by:flyguybob
ID: 13920672
It sounds like someone on your network (client PC) may have a virus, the Sober Worm.  These viruses do exactly what you are talking about.  Welcome to the life of being an e-mail administrator.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.S

They can also bypass the IMF sometimes because they appear legitimate.

Are you familiar with the term BCC (Blind Carbon Copy, Backstab Carbon Copy) and what it does?  The virus application uses the BCC field to address a message to potentially hundreds of users, while only making it appear like it was to 1 user.

LVL 24

Accepted Solution

by:
flyguybob earned 100 total points
ID: 13920690
When you open the message, can you do View...Options... and see the Internet message headers?

Using relaying, an authenticated user on your e-mail system could send you an e-mail from johnjackobjingleheimerschmidt@aol.com...and that address does not exist.  You would see, in the headers, that it did not come from AOL...but it would appear it was from AOL.

The other thing is that the Sober worm makes it into protected corporate e-mail systems occasionally by a user accessing their external e-mail.
LVL 1

Author Comment

by:daveyd123
ID: 13921037
We do have Virus Scan 8.0i installed on all workstations.  It does say it's blocking Port 25 on the workstations.  If that were the case, how would a user send/receive emails?

On one of the email headers it says....  Received from: bhofngiv.edu 24.53.129.167 (RDNS failed) by our email server.com....from admin@unr.edu   To..a non-existent email address@our domain.com


Would it be best to not let Authenticated users have the ability to relay?
LVL 24

Expert Comment

by:flyguybob
ID: 13921263
It looks like a virus coming from the outside, specifically, an Adelphia subscriber in PA.
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-24-52-0-0-1

What you have is a case of the worms trying to get in.  The attachments that are normally associated with the message are likely being quarantined, but the message is being allowed to pass.  Make sure the definitions for your Exchange server anti-spam application are updated.

Bob
LVL 1

Author Comment

by:daveyd123
ID: 13921312
Any reason why the emails are delivered to certain mailboxes and not everyone's?
LVL 1

Author Comment

by:daveyd123
ID: 13921353
Also, I turned on SMTP logging and I am getting a lot of the following Events in Event Viewer...


This is an SMTP protocol error log for virtual server ID1, connection#10  The remote host 208.29.147.107 responded to the SMTP command "xexch50" with "504 Need to authenicate first"  The full command sent was "XEXCH50 2108 2"  This will probably cause the connection to fail.

There are several of those events...the connection# and the remote host IP address change in each event
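Before drawing conclusions from a stream of events like the one quoted above, it helps to tally them. The following is an added example, not code from this thread or from Exchange, that parses lines in the format quoted in the comment and groups them by remote host, SMTP command and reply code. The event lines are constructed for illustration using documentation address ranges, and the regular expression is written against the wording quoted above, so it is an assumption that other entries of this event type are phrased the same way. As the event text itself says, the named remote host is the one that answered a command the local virtual server sent, so the grouping shows which peers the server was talking to when each error occurred.

```python
"""Tally Exchange SMTP protocol error events by remote host, command and
reply code (added example; sample lines constructed, regex an assumption)."""
import re
from collections import defaultdict

# Written against the event wording quoted in the thread; assumed to hold
# for other entries of the same event type.
EVENT_RE = re.compile(
    r'virtual server ID\s*(?P<vs>\d+),\s*connection\s*#\s*(?P<conn>\d+).*?'
    r'remote host (?P<host>\S+) responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<code>\d{3})(?P<text>[^"]*)"',
    re.IGNORECASE | re.DOTALL)

# Constructed sample events (documentation address ranges, not real hosts).
SAMPLE_EVENTS = [
    'This is an SMTP protocol error log for virtual server ID1, connection#10  '
    'The remote host 198.51.100.23 responded to the SMTP command "xexch50" with '
    '"504 Need to authenticate first"  The full command sent was "XEXCH50 2108 2"  '
    'This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID1, connection#11  '
    'The remote host 198.51.100.23 responded to the SMTP command "xexch50" with '
    '"504 Need to authenticate first"  The full command sent was "XEXCH50 1990 2"  '
    'This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID1, connection#12  '
    'The remote host 203.0.113.9 responded to the SMTP command "xexch50" with '
    '"504 Need to authenticate first"  The full command sent was "XEXCH50 2412 2"  '
    'This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID1, connection#13  '
    'The remote host 192.0.2.40 responded to the SMTP command "rcpt" with '
    '"550 5.7.1 Unable to relay"  The full command sent was '
    '"RCPT TO:<someone@example.net>"  This will probably cause the connection to fail.',
]


def parse_event(text):
    """Pull the fields of interest out of one event description, or None."""
    match = EVENT_RE.search(text)
    if match is None:
        return None
    return {
        "connection": int(match.group("conn")),
        "host": match.group("host"),
        "command": match.group("cmd").upper(),
        "code": match.group("code"),
        "reply": match.group("text").strip(),
    }


def summarize(events):
    """Group parsed events by remote host: how many, which commands, which codes."""
    by_host = defaultdict(lambda: {"count": 0, "commands": set(), "codes": set()})
    for text in events:
        event = parse_event(text)
        if event is None:
            continue  # not a protocol error event in the expected wording
        entry = by_host[event["host"]]
        entry["count"] += 1
        entry["commands"].add(event["command"])
        entry["codes"].add(event["code"])
    return dict(by_host)


def noisy_hosts(events, threshold=2):
    """Remote hosts that appear in at least `threshold` events, sorted."""
    return sorted(host for host, stats in summarize(events).items()
                  if stats["count"] >= threshold)


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_EVENTS).items():
        print(host, stats["count"], sorted(stats["commands"]), sorted(stats["codes"]))
    print("repeat offenders:", noisy_hosts(SAMPLE_EVENTS))
```

Feed it the exported event descriptions one per list entry; a host that keeps appearing with the same command and reply code is the one to look at first, and the command column tells you whether the failures are XEXCH50 handshakes or something else such as refused RCPT commands.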
LVL 24

Expert Comment

by:flyguybob
ID: 13921546
1) Only the people on the BCC for the virus will receive the message.  Since the virus does not send to everyone at once, but continually harvests messages, the e-mails will trickle in.

2) People trying to use your server as a spam relay.  If you ever have an open relay, it will be exploited by spammers in about 15 minutes and on the IRC boards as an open relay after about 10 minutes.

Again, welcome to life as an e-mail admin.  I was in IT for about 5 years until I had to deal with all of this stuff.  There was a worm called Melissa, named for a stripper that danced for the virus writer.  There was another worm called ILoveYou.  That one was a nightmare.  Fortunately the coder was pretty crappy and instead of overwriting .jpg files (many of which users and marketing did not back up), it just renamed them with a .vbs extension.  It took ~2 hours to script the fix and run it against ~100GB of data on the file server.
Nimda was not as bad as Melissa or ILoveYou...but it was bad enough.
Fortunately, in most cases, I was paid to go into companies and clean up the mess.  In one case it was my mail system that got hit ~3 weeks after a P.O. for Trend's Scanmail for Exchange was declined.  I wanted to block extensions and Trend had an anti-virus and anti-spam solution all in one...the only real one at the time.
LVL 24

Expert Comment

by:flyguybob
ID: 13921549
Did you read the Trend Micro link?
LVL 1

Author Comment

by:daveyd123
ID: 13925995
OK...It does look like we have the Sober Worm.

Next question...What would be the best way to find out the workstation(s) that have the worm?  We have 500+ PCs all running McAfee 8.0i and ePO Orchestrator.

It looks like the worm uses its own SMTP to send out emails.  I am using Stinger on our Exchange server.  
LVL 24

Expert Comment

by:flyguybob
ID: 13927063
I am breaking the Experts Exchange rules here by answering so many questions (seriously, there are rules and I have been called on it) and answering a new Security TA question in an Exchange TA group:

Well, from what I have seen in your headers, it appears that someone on Adelphia has the worm, so it could even be a home user of yours, connecting via VPN, who is sending the virus.
The best way to find out what workstations have the worm would be to look at the headers and see if any of the IP addresses are yours.
The worm may use its own SMTP, but it has to connect to your Exchange server in order to send them to your users.
With 500 workstations, you may want to broadcast an e-mail from the helpdesk instructing users to ensure that their anti-virus and definitions at work are up to date.  If they use their home PC for work, they should ensure that their definitions (and patches) are up to date for their respective AV application.  If they don't have anti-virus 1) That's a bad thing and 2) They can go to http://housecall.trendmicro.com/
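To make the header check described in the accepted solution and repeated in the last comment concrete, here is an added example, not code from this thread or from any product mentioned in it, that walks a message's Received: chain from the earliest hop upward and flags hops that fall inside the site's own address ranges. The two sample messages, their hostnames and their addresses are constructed for illustration, and the internal ranges are assumed to be RFC 1918 space, to be replaced with the site's own. The From: line (such as admin@unr.edu) is ignored on purpose: as the accepted solution notes, it is whatever the sender chose to write. The Received: lines added by your own servers record the address that actually connected; anything below them was written by the remote side and could be forged.

```python
"""Trace a message's Received: chain and flag hops that sit inside the
local network (added example; constructed sample data, assumed ranges)."""
import email
import ipaddress
import re
from email import policy

# Assumption: the site's internal address space. Replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches both "from <helo-name> (<ip>)" and "from <helo-name> ([<ip>])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE)

# Constructed sample 1: the message arrives from an outside host whose reverse
# DNS fails, then is handed to an internal mailbox server.
SAMPLE_EXTERNAL = """\
Received: from mail.example.internal (10.20.30.5) by mbx01.example.internal
 with Microsoft SMTP Server; Tue, 3 May 2005 10:14:02 -0500
Received: from bhofngiv.edu (203.0.113.45) (RDNS failed)
 by mail.example.internal with SMTP; Tue, 3 May 2005 10:13:58 -0500
From: admin@unr.edu
To: nosuchuser@example.internal
Subject: Registration Confirmation

Account and Password Information are attached!
"""

# Constructed sample 2: the earliest hop is a workstation on the LAN, i.e. an
# infected internal PC delivering with its own SMTP engine.
SAMPLE_INTERNAL = """\
Received: from pc-0421.example.internal ([192.168.10.77]) by mail.example.internal
 with Microsoft SMTPSVC; Tue, 3 May 2005 11:02:17 -0500
From: someone@example.com
To: user@example.internal
Subject: Your email was blocked

Mail-Header, Mail-Body and Error Description are attached
"""


def parse_received(header_value):
    """Return (helo_name, ip) from one Received: header, or None if absent."""
    text = " ".join(str(header_value).split())  # collapse folded whitespace
    match = RECEIVED_RE.search(text)
    if match is None:
        return None
    return match.group("helo"), match.group("ip")


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    address = ipaddress.ip_address(ip_text)
    return any(address in net for net in INTERNAL_NETS)


def trace_hops(raw_message):
    """Return hops as (helo_name, ip, internal) in transit order, earliest first.

    Each MTA prepends its own Received: line, so the last header in the
    message is the first hop. Only the lines added by your own servers are
    trustworthy; anything below them was written by the remote side.
    """
    message = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(message.get_all("Received", [])):
        parsed = parse_received(header)
        if parsed is not None:
            helo, ip = parsed
            hops.append((helo, ip, is_internal(ip)))
    return hops


def origin_hop(raw_message):
    """Earliest parsed hop: the best lead on the machine that sent the message."""
    hops = trace_hops(raw_message)
    return hops[0] if hops else None


if __name__ == "__main__":
    for label, sample in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        helo, ip, internal = origin_hop(sample)
        print(f"{label}: first hop {helo} [{ip}] -> "
              f"{'INTERNAL' if internal else 'external'}")
```

Run it against the raw text from View...Options... of a few of the stray messages; an origin hop inside your own ranges names the workstation to pull off the network, while an origin hop outside them, as in the header quoted earlier in this thread, means the copies are coming in from the Internet and the filtering on the Exchange server is the place to act.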