Solved

Exchange Server 2003 mail delivery problem - Some users report receiving mail that is addressed to other users.

Posted on 2006-06-28
Last Modified: 2013-11-15
Hi all,

Short desc: Some users report receiving mail that is addressed to other users. These users sometimes have LONG been deleted from AD and mailboxes purged. Other times, it's a current user. These mails do not appear to be addressed to the receiving user in the CC field.

Environment is Exchange 2003 (native) running on Standard Server 2003 SP1. 2003 Active Directory 2000/2003 mixed mode. Incoming mail flow is Internet -> Watchguard firewall -> Barracuda Spam Device -> Exchange Server.

Here are two headers... The first message header is one that was addressed to a valid user "Georgia" but ended up in my mailbox. The second header is one that was addressed to a user that is no longer with the company and has long since been deleted/mailbox purged, but was accepted and delivered also to my mailbox.

I have heard reports of users getting similar mail. What would cause this problem?

########################################################
Microsoft Mail Internet Headers Version 2.0
Received: from barracuda.yaddayadda.com ([192.168.1.33]) by dunsvr06.yaddayadda.com with Microsoft SMTPSVC(6.0.3790.1830);
       Thu, 22 Jun 2006 20:47:46 -0400
X-ASG-Debug-ID: 1151023653-14393-1-2
X-Barracuda-URL: http://192.168.1.33:8000/cgi-bin/mark.cgi
Received: from CHOMIAK-S5YW5GZ (unknown [83.20.3.53])
      by barracuda.yaddayadda.com (Spam Firewall) with ESMTP
      id 22F3BD8DB; Thu, 22 Jun 2006 20:47:44 -0400 (EDT)
Message-ID: <95615586354603.5DDAC7FF8F@I0V1>
From: "Nixon" <Nixoncheeky@earthlink.net>
To: <georgia@yaddayadda.com>
X-ASG-Orig-Subj: Recent stuff You always dreamt to rock hard erections…
Subject: Recent stuff You always dreamt to rock hard erections…
Date: Fri, 23 Jun 2006 02:47:29 +0200
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: 1OLsSha3AIja22EzeQ3vCFZKAnxc8d5Uz3L3
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by Barracuda Spam Firewall at yaddayadda.com
X-Barracuda-Header-Alert: BAD HEADER Non-encoded 8-bit data (char 85 hex) in message header 'X-ASG-Orig-Subj'
       X-ASG-Orig-Subj: ...ff You always dreamt to rock hard erections\205 \n
                                                                      ^
X-Barracuda-Spam-Score: 1.77
X-Barracuda-Spam-Status: No, SCORE=1.77 using global scores of TAG_LEVEL=2.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=3.0 tests=SARE_ADULT2, SUBJ_ILLEGAL_CHARS
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.15342
      Rule breakdown below pts rule name              description
      ---- ---------------------- --------------------------------------------------
      0.10 SUBJ_ILLEGAL_CHARS     Subject contains too many raw illegal characters
      1.67 SARE_ADULT2            BODY: Contains adult material
Return-Path: Nixonconvalescent@earthlink.net
X-OriginalArrivalTime: 23 Jun 2006 00:47:46.0298 (UTC) FILETIME=[A4D25DA0:01C6965E]
####################################################################

Addressed to a user that is no longer with the company and has long since been deleted/mailbox purged, but was accepted and delivered to my mailbox.

####################################################################

Microsoft Mail Internet Headers Version 2.0
Received: from barracuda.yaddayadda.com ([192.168.1.33]) by dunsvr06.yaddayadda.com with Microsoft SMTPSVC(6.0.3790.1830);
       Thu, 22 Jun 2006 10:35:13 -0400
X-ASG-Debug-ID: 1150986903-15395-2-0
X-Barracuda-URL: http://192.168.1.33:8000/cgi-bin/mark.cgi
Received: from JACOB-2YHHJQYFC (cpe-70-117-21-239.satx.res.rr.com [70.117.21.239])
      by barracuda.yaddayadda.com (Spam Firewall) with ESMTP
      id DA1D623F3C; Thu, 22 Jun 2006 10:35:03 -0400 (EDT)
Message-ID: <13061306174127.08147DB408@OLFFN>
From: "Efren" <LucilleBurtj7@tokyo.com>
To: <geniece@yaddayadda.com>
X-ASG-Orig-Subj: Never-seen Get a better job
Subject: Never-seen Get a better job
Date: Thu, 22 Jun 2006 09:34:39 -0500
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: ZQJ1KWu6v72wo032X3AJC9c927pKbZRmvtDM
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by Barracuda Spam Firewall at yaddayadda.com
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=2.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=3.0 tests=
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.15311
      Rule breakdown below pts rule name              description
      ---- ---------------------- --------------------------------------------------
Return-Path: TabithaSkinnerx0@europe.com
X-OriginalArrivalTime: 22 Jun 2006 14:35:13.0612 (UTC) FILETIME=[128388C0:01C69609]




Question by:hotcam

Accepted Solution

by:
mikeleebrla earned 350 total points
ID: 17000723
more than likely it is just SPAMMERS... the reason the person who received the email isn't on any of the headers is that spammers will send an email to 1000s of people in the BCC field.

the reason old and new email addresses are being sent to is b/c of a Directory Harvest Attack on your system:

http://www.pcmag.com/article2/0,1759,1543581,00.asp

Author Comment

by:hotcam
ID: 17000930
Thanks for the link.

If they use the BCC field, wouldn't the message still end up in the mailbox of the user with the TO: field being correct for that user? My experience with the BCC field is that each recipient gets the message where the TO: field is addressed -to that user- as if they were the only one that got it...

1) Ben sends message BCC to: Mary, Greg

2a) Greg gets message
To: Greg
From: Ben

2b) Mary gets Message
To: Mary
From: Ben

In this case,

1) Ben sends message (assuming BCC) to: Georgia

2) Brian gets message
To: Georgia
From: Ben

Seems like some kind of "message routing problem". Am I missing something?

Expert Comment

by:mikeleebrla
ID: 17001159
don't trust the header of ANY email... especially if it comes from a SPAMMER, it's called a malformed header.  Read up on it.

Author Comment

by:hotcam
ID: 17001372
I will certainly do that... Leaving this open for now, hopefully...I can get some more people to chime in.

Expert Comment

by:PC_Rob
ID: 17002217
This is totally SPAM related.  The email headers and address used or shown are VERY often incorrect.

Do you have a SPAM filter that can at least keep these from going to their inbox?  There is nothing you can do (from what I have experienced) to stop these emails, or to show who they were really addressed to.  The whole point of the SPAMMER is to confuse the mail server and SPAM blockers so it will get delivered to as many people as possible.  This is why the headers are all jacked up, etc.

Good luck,

Rob

Author Comment

by:hotcam
ID: 17002448
Thanks, and yes, the barracuda is the device that's supposed to handle the spam. You can see what the cuda thought about it in the headers. For the most part, it does a great job of it. For whatever reason, these aren't scoring high enough :-(

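As an added example (not code from the thread or from any poster), the Python sketch below separates what the receiving servers recorded in the first posted header block from what the sender wrote. It assumes internal relays use private addresses and that an envelope recipient, when recorded at all, shows up in a Received `for` clause or one of the listed headers; the posted headers contain neither, so the actual RCPT TO recipient has to come from the SMTP or message tracking logs.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the first header block posted in the question.
SAMPLE = """\
Received: from barracuda.yaddayadda.com ([192.168.1.33]) by dunsvr06.yaddayadda.com with Microsoft SMTPSVC(6.0.3790.1830);
       Thu, 22 Jun 2006 20:47:46 -0400
Received: from CHOMIAK-S5YW5GZ (unknown [83.20.3.53])
      by barracuda.yaddayadda.com (Spam Firewall) with ESMTP
      id 22F3BD8DB; Thu, 22 Jun 2006 20:47:44 -0400 (EDT)
From: "Nixon" <Nixoncheeky@earthlink.net>
To: <georgia@yaddayadda.com>
Return-Path: Nixonconvalescent@earthlink.net
"""

# Headers some MTAs add to record the envelope (RCPT TO) recipient.
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To", "Envelope-To", "X-Envelope-To")
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze(raw):
    """Separate what our own servers recorded from what the sender wrote."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    # Received lines are prepended, so walk down from the top. A hop whose peer
    # is a private address came from our own relay (assumption); the first hop
    # with a public peer is the boundary and anything below is sender-supplied.
    trusted, external_peer = [], None
    for hop in hops:
        trusted.append(hop)
        m = PEER_IP.search(hop)
        if m is None or not ipaddress.ip_address(m.group(1)).is_private:
            external_peer = m.group(1) if m else None
            break
    recorded = {a.lower() for hop in trusted for a in FOR_CLAUSE.findall(hop)}
    recorded |= {parseaddr(v)[1].lower()
                 for name in ENVELOPE_HEADERS for v in msg.get_all(name, [])}
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {
        "header_to": parseaddr(msg.get("To", ""))[1].lower(),  # sender-controlled
        "envelope_recipients": sorted(recorded),  # empty if no server recorded one
        "trusted_hops": len(trusted),
        "external_peer": external_peer,
        "sender_mismatch": bool(return_path) and return_path != header_from,
    }

if __name__ == "__main__": print(analyze(SAMPLE))
```

Both posted header blocks carry a From address that differs from Return-Path, which the function reports as `sender_mismatch`.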
