Someone Spoofed my Email Address

Posted on 2006-05-24
Medium Priority
Last Modified: 2007-12-19
I have a user on my Exchange server whose e-mail address is being spoofed.  All we receive back are bounced e-mails that can't be delivered.  What can I do to stop this?
Question by:drstedim
LVL 30

Expert Comment

by:Irwin Santos
ID: 16756749
What's the exact NDR message?
LVL 97

Accepted Solution

war1 earned 375 total points
ID: 16756757
Greetings, drstedim !

You can change the user's email address, and then block the old address from being delivered.

If you cannot change the user's email address, then you have to wait out the spam attack.  How many bounced emails are you using?  Usually a spam attack ends within 3 days to a week.

Best wishes!

Author Comment

ID: 16756853
This has been going on for about 2 weeks.  The user is getting about 60,000 emails a day all stating that the recipient isn't valid or the spam filter has blocked the e-mail ... or something along those lines.  Emails are coming from 1000's of servers in many different languages.  The user is in Sales and doesn't want to "lose business" due to an email address change; although, I'd imagine 60,000 e-mails a day isn't helping his cause much either.  Here are some examples of messages that are coming through:
****** Message from InterScan Messaging Security Suite ******

Sent <<< RCPT TO:<ljqv@yamaha.com>
Received >>> 550 no such recipient

Unable to deliver message to <ljqv@yamaha.com>.

************************     End of message     **********************
Example 2:
Your message to: rabonifas@eganco.com, rah@eganco.com
was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

Subject: Re:
Example 3 (this one seems to have some useful info, but I don't know what to do with it):
    **      THIS IS A WARNING MESSAGE ONLY      **

The original message was received at Wed, 24 May 2006 23:01:41 +0200 (CEST)
from 81-203-11-84.user.ono.com []

   ----- Transcript of session follows -----
<norman@palantir.informatik.uni-mannheim.de>... Deferred: Connection refused by palantir.informatik.uni-mannheim.de.
Warning: message still undelivered after 2 hours
Will keep trying until message is 3 days old
Example 4:
****** Message from InterScan E-Mail VirusWall NT ******

Sent >>> RCPT TO: <r@eurobankpr.com>
Received <<< 550 unknown user <r@eurobankpr.com>

Could not deliver mail to this user.
*****************     End of message     ***************
Example 5:
We have received the message sent to email address:


however, this address is not a valid subscription or removal address on
this system. Please check the address and try sending your message again.

Thank you.

I don't know if this helps at all, but thanks for looking!!!

LVL 30

Assisted Solution

by:Irwin Santos
Irwin Santos earned 375 total points
ID: 16756890
Looks like he got SPAM bombed.

The best way out is to get a NEW email address rather than fight it. Let it go; it will be unproductive.
LVL 97

Expert Comment

ID: 16756977
The spam attack will subside after a while, if you want to continue using the address.
LVL 10

Expert Comment

ID: 16757946
I have the exact same problem with one of my domains and there is nothing you can do about it now.

Best advice for the future is to use email addresses that aren't likely to be generated by a bot.

Things like sales@  dave@  info@ are examples that are likely to get this sort of problem; instead, set up accounts such as wiggetsales@     dave.theman@     wiggetinfo@

Educate staff not to use important email addresses for entering competitions, signing up to forums etc, instead get them to use yahoo or hotmail (in other words disposable) email addresses for such things. Reserve the important email address for clients, or printed adverts. Don't publish the email addresses on your web site where they can be easily harvested.

The spam is bad, the auto responses from spam filters and mail servers can actually cause more "spam" than the original spam. If only admins would turn off such features.

It is amazing so many people don't realise how easy spoofing sender email addresses is, they are quick to blame the return email address for the spam without finding out the facts, I have a number of emails complaining about "my" spam.
LVL 13

Expert Comment

ID: 16761211
It looks like spam.

Can you post the headers of the mails?

The header contains all the information about the origin of the mail and a list of all the servers it went through before being delivered.

We receive many spams where the sender's domain is the same as ours. It is a very common practice for spammers to use the recipient's domain name in the sender's address. If your antispam server is not configured properly then these mails can get inside, as the sender's address seems trusted.

Install a good antispam server, if you do not have one already.

Try SpamAssassin with Amavis and Postfix. It runs on Linux and it's free.
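
The header check described above, as an added example that is not part of the original thread: when a bounce returns the original message's headers, the topmost Received line was written by the server that bounced it and shows which host really handed the message over. The sample headers, the `victim.example` and `recipient.example` names, and the `OUR_OUTBOUND` range are constructed assumptions.

```python
import re
from email.parser import HeaderParser
from ipaddress import ip_address, ip_network

# Assumption: networks your own servers send outbound mail from (documentation range).
OUR_OUTBOUND = [ip_network("192.0.2.0/28")]

# Constructed sample: headers of the "original message" as returned inside a bounce.
# The lower Received line is forged by the spammer to name our server and IP.
SAMPLE_RETURNED_HEADERS = """\
Received: from pc-home (host-81.dsl.example.net [198.51.100.77])
\tby mx.recipient.example with SMTP id abc123; Wed, 24 May 2006 23:01:41 +0200
Received: from exchange.victim.example ([192.0.2.5])
\tby pc-home with ESMTP; Wed, 24 May 2006 22:59:02 +0200
From: "Sales" <sales.user@victim.example>
To: someone@recipient.example
Subject: Re:

"""

# Matches "from HELO (rdns [ip])" and "from HELO ([ip])".
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((?:[^()\[\]]*?)\[([0-9a-fA-F.:]+)\]\)")

def received_hops(raw_headers):
    """Return (helo_name, ip) for each Received header, newest hop first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def classify_bounce(raw_headers, our_networks=OUR_OUTBOUND):
    """'ours' if the bouncing server took the message from our IPs, else 'backscatter'."""
    hops = received_hops(raw_headers)
    if not hops:
        return "unknown"
    # Only the topmost Received line was added by the server that generated the
    # bounce; every line below it was supplied by the sender and can be forged.
    addr = ip_address(hops[0][1])
    return "ours" if any(addr in net for net in our_networks) else "backscatter"

if __name__ == "__main__":
    print(received_hops(SAMPLE_RETURNED_HEADERS))
    print(classify_bounce(SAMPLE_RETURNED_HEADERS))
```

A result of `backscatter` means the bounced message never left your server, so the flood is a side effect of forged sender addresses rather than a sign that your own mail system is sending the spam.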


Expert Comment

ID: 16765329
You may want to try setting up blocking lists if you are running an Exchange server.  Check out the following links:

SBL allows you to connect to a database which lists verified spammer IP addresses.  You can then block anything from those addresses.

XBL is another blocking list that should be used in tandem with SBL.  

Another link is the CBL or composite blocking list, but you should not need this if you use XBL since XBL queries the CBL database.

Hope this helps deter any future spam issues and may also help curb your current issue.

Expert Comment

ID: 16768956
My e-add has been on the web since 1994, so I have been spoofed often. If you're visible, there's not much you can do about it, beyond the measures outlined above.

I am, however, concerned that innocent people connected to me might get spam with a virus, etc from my spoofed e-add. For that reason, our whole organization tries to always put a unique identifier in the subject header, something spammers wouldn't ordinarily think to use that also shows we are connected to the organization.

Good luck to your sales person.

Author Comment

ID: 16772278
He is biting the bullet and the e-mail address will be changed.  Thanks for all your help and advice!
LVL 30

Expert Comment

by:Irwin Santos
ID: 16772434
Cool. Thank you!
