brady1408

asked on
Exchange is forwarding junk messages to administrator group

I have a strange thing happening: whenever an email comes in for info or root, or even John Doe, it gets sent to everyone in the built-in Administrators group. Please help, I would like to get this to stop but don't know how.
poweruser32

Did you check AD to see if any of these email addresses have any forwarding rule set up?
brady1408 (ASKER)

I did, and they do not. The only distribution group that they are part of is the support distribution group, so even then they shouldn't be receiving email for root or info.
Why not reject the messages sent from outside to those addresses? Not a final solution, but it achieves quick results.
Some version information would be nice.

Are you getting the actual messages or just the NDRs with the spam message attached?

Simon.
Good questions, thanks. The version is 6.5.6944.0, Exchange Server 2003 with the latest service packs to my knowledge, and I'm getting the whole message. In fact, here is some header info, with the domain changed of course.

This is a good example. You will notice that it was sent to accounting@xxx.com; I don't have a mailbox set up for accounting, nor do I have a distribution group set up with that name, so why are all the people in the Administrator group getting this email when it comes in?

Microsoft Mail Internet Headers Version 2.0
Received: from jacek ([83.26.117.103]) by zzz.com with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 6 Nov 2006 09:42:18 -0700
Return-Path: <bduwasro@uwa.edu>
Received: from 199.88.23.18 (HELO phosphorus.uwa.edu)
     by zzz.com with esmtp (D>34OE+S5,12 W7V?@)
     id W=X0A:-O41L(<-B>
     for accounting@zzz.com; Mon, 6 Nov 2006 16:41:53 -0060
Date:      Mon, 6 Nov 2006 16:41:53 -0060
From:      "Leonor Cullen" <bduwasro@uwa.edu>
X-Mailer: The Bat! (v3.51.10) Educational
X-Priority: 3 (Normal)
Message-ID: <400621268.84701411230977@thebat.net>
To: accounting@zzz.com
Subject: Be leaner and slim_mer by next week
MIME-Version: 1.0
Content-Type: text/plain;
  charset=Windows-1252
Content-Transfer-Encoding: quoted-printable
X-Spam: Not detected
X-OriginalArrivalTime: 06 Nov 2006 16:42:20.0644 (UTC) FILETIME=[872C0240:01C701C2]


You have forgotten the first rule of spam emails: the entire header can be considered to be false.
The fact that it says that it was sent to accounting doesn't mean that was the only user the spam email was sent to. A very common tactic is to send the email to a long list of people, with the first address in the To: line and the rest in the Bcc line.

Simon.
Guess no one ever taught me the first rule then. In that case, what can I do to cut down spam? Any good recommendations of server-side spam filters?
ASKER CERTIFIED SOLUTION
Sembee
Just a quick update. I plan to accept Sembee's answer as it has been a ton of help, but I didn't want this to get closed quite yet. I enabled IMF; it seemed to help a couple of users, but for myself it didn't do a thing, so I am trying the trial version of Vamsoft and so far am very pleased, although I'm a little worried. I'm using the greylisting feature you mentioned, and so far 98% of the mail coming into the server has been rejected. That number seems high, but it might not be; I'm just going to have to give it some time. Also, is there a log of rejected senders? How do I check for false positives on the junk filtering? I know how blacklisting works and am not worried about that at all, but the greylisting I just don't understand, and that's what worries me a little. I don't see what temporarily rejecting an email will do to catch spam, and if it's temporarily rejecting ham, then how does it know that it's okay the next time the server tries to send it?
Have a read of my blog post first.
http://www.sembee.co.uk/archive/2006/09/18/24.aspx

I have explained a lot of how greylisting works there.

98% is not unusual. I have sites running in the high 90s myself. You need to watch the logs as you may see the odd piece of legitimate email being rejected. I have seen email messages from eBay be rejected in the past, but I refuse to white list that domain because it is targeted by phishers as well.

Don't forget that greylisting also catches email sent to non-existent users. If you are on Exchange 2003 with SP2 and have recipient filtering enabled, then you would be dropping those messages anyway. I drop 10,000 misaddressed emails a day on my home server. That can distort the Vamsoft stats slightly.

Simon.
Very good, Sembee. I read your blog, and before I heard back from you I found another good white paper on the subject, found here: http://projects.puremagic.com/greylisting/whitepaper.html

I'm very happy with the way things are going. I looked through the logs, and every email that was rejected looked like spam to me; I couldn't find a ham message in the list of rejects, so I guess I feel much better about false positives. There is always something to be said for knowing how something works; it really helped put my mind at ease.

Thanks a ton!!!
Brady1408