Undeliverable Emails - Spoofing? - Exchange 2000

Hello Experts!

This may not have a specific solution, but I at least need some info and direction.

This morning we started receiving these emails as undeliverable:
From: Mail Delivery Subsystem [MAILER-DAEMON@auohstyli03.oracleoutsourcing.com]
To:  A local distribution group that has an email address attached to it.
Subject: Could not deliver mail: see transcript for details
     Original message (id 6932129) received at Thu, 30 Nov 2006 08:27:16 -0600
      from <Office@eci2fly.com>

     Message was not delivered to the following addresses:


Attachments: ATT74782.txt containing text:
Reporting-MTA: dns; auohstyli03.oracleoutsourcing.com
Received-From-MTA: dns; adcavft02.oracle.com
Arrival-Date: Thu, 30 Nov 2006 08:27:16 -0600

Final-Recipient: rfc822; bap@tylin.com
Action: failed
Status: 5.1.1
Last-Attempt-Date: Thu, 30 Nov 2006 08:27:18 -0600
Diagnostic-Code: SMTP;
 Invalid directory entry

It also had what I assume was the original message attached.

Just an hour later we started seeing messages like this:
From: System Administrator – from our exchange box
To:  Myself, or others individually
Subject: Undeliverable: Returned mail: see transcript for details
Your message did not reach some or all of the intended recipients.

      Subject:      ProParrot
      Sent:      11/30/2006 10:02 AM

The following recipient(s) could not be reached:

      cruttendenjcruttenden@stny.rr.com on 11/30/2006 10:04 AM
            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
            < txmx04.mgw.rr.com #5.1.1 SMTP; 550 5.1.1 unknown or illegal alias: cruttendenjcruttenden@stny.rr.com>

Why are we seeing these all of a sudden (might want to read background info below)?  Are they hijacking our mail system in some way or is it just spoofed?  Either way, how can I stop this?

Background Info:-----------------------------------------------------------------------------
Just a few days ago we contacted our spam service about emails not being delivered from our website (hosted off site) to our company for a contact form.  They said our domain had a high spam number (can't remember the exact term) and said that we could request a manual removal.  We did request the removal, as we and our web hosting provider (ideawire.com) do not engage in, or condone, spamming.  We thought it was simply some sort of error in the heuristics of the spam filter.  Obviously now I am not sure about that.

With all the problems with email I did make a few changes to exchange as far as relays and authorized senders.  After the changes, I did check our system for open relay and other mail settings that might have been set incorrectly, but I did not find anything wrong (I am not an exchange/email expert however).  We have also setup SPF, but I am not sure if that was just added recently or was there from the get-go.

I can post full headers if needed.

Thanks for your input and help!

Also if you have good information to contribute, please also let me know of any recommended sites or books that could help me with this problem (please don’t just post links).
Sembee Commented:
This could be one of a number of things.

1. It could be an NDR attack on your server. This is where email is sent to your server with invalid addresses on purpose. These emails then bounce to the "sender" - except the sender is spoofed and is the real target.
Looking at your queues will show if this is the case or not. A large number of messages in the queues waiting to go out is an indication of a problem.

2. As above but you are the target.

3. Your domain is being spoofed as the from address in spam messages.
If that is the case then you are pretty much stuffed as you have to ride out the storm. Under the terms of the RFCs for SMTP (Which govern how SMTP email works) you must accept NDR messages destined for your domain.

It isn't clear from the headers above what your domain name or IP address is, so I cannot go and look at the common blacklist web sites to see whether you are listed and for what reason.

There is always the possibility that you have got blacklisted by a machine on your network being a member of a BOT net that sends out spam. The quickest way to detect that is to block port 25 on your firewall for everyone but the Exchange server and then see what happens. A compromised machine will show in the logs very quickly as it will be trying to send out spam messages and will be unable to.
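The two cases Sembee separates (your server actually sent the message, versus your domain merely being spoofed as the envelope sender) can be told apart from the bounce itself: the RFC 3464 fields in the attached `.txt` give the status, and the `Received:` headers of the attached original show whether the message ever passed through your MTA. The following is an added example, not code from the post or its participants; it assumes a hypothetical local server `mail.example.com` at 203.0.113.10, reuses the DSN text quoted in the question, and uses two constructed "original message" header blocks for the two cases.

```python
"""Added example: classify a bounce as backscatter vs. mail our MTA really relayed.

Assumptions (not from the post): our Exchange server is mail.example.com at
203.0.113.10. DSN_TEXT is the attachment quoted in the question; the two
'original message' header blocks below are constructed for illustration.
"""
import re

OUR_MTA_HOST = "mail.example.com"  # hypothetical
OUR_MTA_IP = "203.0.113.10"        # hypothetical

_HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_header_block(text):
    """Parse 'Name: value' lines, joining RFC 822 folded continuation lines.

    Returns a list of (name, value) with names lowercased. Works for both the
    RFC 3464 DSN attachment and an ordinary message header block.
    """
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and pairs:          # folded continuation
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        m = _HEADER_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs


def dsn_fields(dsn_text):
    """DSN fields as a dict (one recipient's per-recipient fields)."""
    return dict(parse_header_block(dsn_text))


def relayed_by_us(original_headers):
    """True if any Received: hop shows our MTA handled the bounced original."""
    ip_re = re.compile(r"(?<![\d.])" + re.escape(OUR_MTA_IP) + r"(?![\d.])")
    host_re = re.compile(r"\bby\s+" + re.escape(OUR_MTA_HOST) + r"\b", re.I)
    for name, value in parse_header_block(original_headers):
        if name == "received" and (host_re.search(value) or ip_re.search(value)):
            return True
    return False


def classify_bounce(dsn_text, original_headers):
    """'transient' (4.x.x), 'backscatter' (we never sent it) or 'sent-via-our-mta'."""
    status = dsn_fields(dsn_text).get("status", "")
    if not status.startswith("5."):
        return "transient"
    return "sent-via-our-mta" if relayed_by_us(original_headers) else "backscatter"


# The DSN attachment quoted in the question.
DSN_TEXT = """\
Reporting-MTA: dns; auohstyli03.oracleoutsourcing.com
Received-From-MTA: dns; adcavft02.oracle.com
Arrival-Date: Thu, 30 Nov 2006 08:27:16 -0600

Final-Recipient: rfc822; bap@tylin.com
Action: failed
Status: 5.1.1
Last-Attempt-Date: Thu, 30 Nov 2006 08:27:18 -0600
Diagnostic-Code: SMTP;
 Invalid directory entry
"""

# Constructed: the spoofed original never touched our server.
SPOOFED_ORIGINAL = """\
Received: from unknown (HELO eci2fly.com) (198.51.100.77)
  by adcavft02.oracle.com with SMTP; Thu, 30 Nov 2006 08:27:15 -0600
From: <Office@eci2fly.com>
To: <bap@tylin.com>
Subject: ProParrot
"""

# Constructed: our MTA handed the original to the outside world, which points
# at an open relay or an infected internal workstation rather than spoofing.
RELAYED_ORIGINAL = """\
Received: from mail.example.com (203.0.113.10)
  by adcavft02.oracle.com with SMTP; Thu, 30 Nov 2006 10:02:40 -0600
Received: from WS07 (192.168.1.57)
  by mail.example.com with Microsoft SMTPSVC; Thu, 30 Nov 2006 10:02:38 -0600
From: <Office@eci2fly.com>
Subject: ProParrot
"""

if __name__ == "__main__":
    for label, hdrs in (("spoofed", SPOOFED_ORIGINAL), ("relayed", RELAYED_ORIGINAL)):
        print(label, "->", classify_bounce(DSN_TEXT, hdrs))
```

If every bounce classifies as `backscatter`, you are in Sembee's case 3 and can only ride it out; a `sent-via-our-mta` result is the one that needs action, because the inner `Received:` line names the internal host that injected the message.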

Vishal Breed (Program Manager) Commented:
This is NDR email to SPAM email. There are two types of SPAM.

1] People use your Exchange server, which is open to relay, to avoid paying SMTP charges and to keep themselves away from cyber law. In case anybody sues you, the original sender is still unknown to everybody. They spam to advertise for small companies, use automated software to send lots of emails to block the bandwidth, etc.

2] There are some viruses which use Outlook Express or software that has the option to send email to an SMTP server. It sends email to any address using your name or a name from your address book (as sender). In case the email is not delivered it will go back to the sender (though he has not sent it).

Solutions: If you are using E2K SP3 please follow these articles.





If you are using E2k3, please install SP2 and configure the in-built anti-spam features. As well as that, follow this article.

SupportECI (Author) Commented:
Hello all,

Thanks for the comments.

My lack of Exchange knowledge is about to show.  We have Exchange 2003, not 2000.  It is on a W2K server.  Here is a list of what I did:

firewall - blocked all but the Exchange IP from sending mail (port 25) - nothing showed in the log
installed SP2 on Exchange 2003
set up Intelligent Message Filter with values of 7 to block and 4 to junk
changed distro groups to only accept messages from authenticated users
set up recipient filtering to filter mail to unknown addresses
stopped the IMAP, POP3 and NNTP services
disabled the domain Guest account

Now a dumb question:  how does Exchange receive email?  I thought SMTP was just to send (send mail to people)?  But I stopped the IMAP, NNTP and POP3 virtual servers and we still get all of our email?
How can I set up Exchange to only accept email from our spam service (several subnets they have provided for us)?

I am still going through website trying to "harden" and "lock down" the exchange box.  Any other suggestions?
PS the emails seem to come in spurts so it may be a few days before we get the undeliverables again.
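The firewall step above (block outbound port 25 for everything except the Exchange server, then watch the log) is the bot check Sembee suggested, and the log only helps if someone actually reads it. The following is an added example, not code from the post or its participants, of the reading step: it assumes a hypothetical Exchange server at 192.168.1.5 on a 192.168.1.0/24 LAN and a generic `action proto src -> dst` log line; the log lines are constructed. Adapt `LINE_RE` to whatever your firewall writes.

```python
"""Added example: spot internal hosts trying to send SMTP directly (bot check).

Assumptions (not from the post): the Exchange server is 192.168.1.5, the LAN is
192.168.1.0/24, and the firewall logs a generic 'action proto src -> dst' line.
SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

EXCHANGE_IP = ip_address("192.168.1.5")   # hypothetical
LAN = ip_network("192.168.1.0/24")        # hypothetical

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """One log line -> dict of fields, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def outbound_smtp_suspects(log_lines, min_destinations=3):
    """Map LAN source IP -> sorted list of external SMTP destinations it contacted.

    The Exchange server is exempt. A host is reported only once it has reached
    for at least `min_destinations` distinct external mail servers: a mail
    client talks to one server, a spam bot fans out to many MXs.
    """
    dests = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if not rec or rec["dport"] != "25":
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src == EXCHANGE_IP or src not in LAN or dst in LAN:
            continue
        dests[str(src)].add(str(dst))
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


# Constructed firewall log: .5 is Exchange, .57 fans out like a bot, .23 is a
# single misconfigured client (one destination only).
SAMPLE_LOG = """\
2006-11-30 10:03:11 ALLOW TCP 192.168.1.5:3188 -> 198.51.100.9:25
2006-11-30 10:03:12 DENY TCP 192.168.1.57:1043 -> 203.0.113.11:25
2006-11-30 10:03:12 DENY TCP 192.168.1.57:1044 -> 203.0.113.12:25
2006-11-30 10:03:13 DENY TCP 192.168.1.57:1045 -> 203.0.113.13:25
2006-11-30 10:03:13 DENY TCP 192.168.1.57:1046 -> 203.0.113.14:25
2006-11-30 10:03:20 DENY TCP 192.168.1.23:2201 -> 198.51.100.9:25
2006-11-30 10:03:21 ALLOW TCP 192.168.1.23:2202 -> 198.51.100.9:80
2006-11-30 10:03:30 ALLOW TCP 192.168.1.5:3189 -> 203.0.113.40:25
""".splitlines()

if __name__ == "__main__":
    for host, targets in outbound_smtp_suspects(SAMPLE_LOG).items():
        print(f"{host} tried {len(targets)} external mail servers: {', '.join(targets)}")
```

A host that shows up here is the one to pull off the network and scan; "nothing in the log" over a few days, as in the post, is the result you want.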

From a security point of view you really need to get Exchange on to Windows 2003.
While recipient filtering helps, on Windows 2000 it actually exposes your server. You are now vulnerable to a directory harvest attack as Windows 2000 doesn't have the protection against those that Windows 2003 SP1 does.

SMTP is the way that email is delivered between servers and how email is sent.
POP3 is used to pull email by an email client from an email server. Your Exchange server is an email server. POP3 can only be the last hop in the email delivery path.

If you have an external spam filtering service, then they should have provided you with instructions. The usual way to block connections is on the SMTP virtual server in Exchange. Click on Access and then Connection control. Change the option to "Only the list below" and configure the external subnets required. DO NOT add any internal subnets to the list.
If you need to allow internal machines to access an SMTP virtual server then setup a second SMTP virtual server on a second internal IP address, one that is not exposed to the internet in any way.
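The connection-control setting above is an IP allowlist, and the "DO NOT add any internal subnets" warning is the part people get wrong. The following is an added example, not code from the post or its participants, that models the decision the SMTP virtual server makes and enforces that caveat when the list is built; the subnets are hypothetical documentation ranges standing in for the ones your spam service gave you.

```python
"""Added example: model Exchange's 'Only the list below' connection control.

Assumptions (not from the post): SPAM_SERVICE_SUBNETS are placeholder
documentation ranges; substitute the subnets your filtering service provided.
"""
from ipaddress import ip_address, ip_network

# Ranges that must never appear in the Internet-facing virtual server's list:
# a LAN host allowed here can relay through the server out to the Internet.
INTERNAL_RANGES = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

SPAM_SERVICE_SUBNETS = ["198.51.100.0/24", "203.0.113.64/26"]  # hypothetical


def build_allowlist(cidrs):
    """Parse the provider's subnets, refusing any that overlap an internal range."""
    nets = []
    for cidr in cidrs:
        net = ip_network(cidr, strict=False)
        for internal in INTERNAL_RANGES:
            if net.overlaps(internal):
                raise ValueError(f"{cidr} is an internal range; use a second, "
                                 "internal-only SMTP virtual server for LAN clients")
        nets.append(net)
    return nets


def connection_allowed(client_ip, allowlist):
    """What the SMTP virtual server decides when a client connects."""
    addr = ip_address(client_ip)
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    allowlist = build_allowlist(SPAM_SERVICE_SUBNETS)
    for ip in ("198.51.100.17", "203.0.113.70", "203.0.113.5", "192.168.1.57"):
        print(ip, "->", "accept" if connection_allowed(ip, allowlist) else "refuse")
```

Note that the service's subnets are the only way mail reaches you once this is set, so the list must also be checked every time the provider announces new address space, or mail silently stops.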

SupportECI (Author) Commented:
Thanks Sembee,

Are you saying I should remove recipient filtering?  Or are we open to those no matter what?

I set up the restrictions on the SMTP server.  Can I leave POP stopped?  All of our clients use Outlook while connected locally or via VPN.

Also, on the Access tab there is an Authentication button.  What are your recommendations for that?  Should anonymous access be enabled?  What about basic?  Again, all users are on Windows 2000 or higher and connected to the LAN.  We do have Outlook Web Access for when users are unable to connect via VPN, but it is used rarely.

thanks again.
Recipient filtering - on Windows 2000 there is no perfect setting. Turn it off and you can be hit by an NDR attack. Turn it on and you could be under a directory harvest attack. The only option is to either use a third party tool to provide the protection or move to Windows 2003.

Authentication setting - if you are receiving email from your spam filtering service then you will need to leave anonymous enabled. A common issue with newbie Exchange administrators is that they turn that option off, then wonder why they don't receive any email.

If you don't have any clients making POP3 connections, then stop and disable the service. It isn't required.
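The trade-off Sembee describes is visible in the SMTP logs: with recipient filtering on, the server answers `550 5.1.1` at `RCPT TO` time, so a harvester learns which addresses exist and a run of such rejections from one client is the signature to look for; with it off, those messages are accepted and bounce later, which is the NDR problem. The following is an added example, not code from the post or its participants, that flags clients exceeding a burst of unknown-recipient rejections. It assumes a simplified one-line-per-RCPT log format and constructed log lines; Exchange's own protocol log has different fields, so `parse_line()` is the part to adapt.

```python
"""Added example: detect a directory harvest attack from SMTP session logs.

Assumptions (not from the post): a simplified log format
'<timestamp> <client-ip> RCPT <address> <smtp-code> <enhanced-status>'.
SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>[\d.]+) RCPT "
    r"<?(?P<rcpt>[^>\s]+)>? (?P<code>\d{3}) (?P<status>\d\.\d\.\d)$"
)


def parse_line(line):
    """One log line -> dict with a datetime 'ts', or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def harvesters(log_lines, window=timedelta(seconds=60), max_unknown=10):
    """Return {client_ip: peak count} for clients whose 5.1.1 (unknown
    recipient) rejections exceed `max_unknown` inside any sliding `window`.

    Lines are expected in time order per client; a legitimate sender with a
    typo produces one rejection, a harvester produces a steady stream.
    """
    recent = defaultdict(deque)   # client ip -> timestamps of 5.1.1 rejections
    flagged = {}
    for line in log_lines:
        rec = parse_line(line)
        if not rec or rec["status"] != "5.1.1":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_unknown:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed: one client walks an alphabetical name list (the classic
# harvest pattern); another sends one good address and one typo.
_NAMES = ["aaron", "abbey", "abbott", "abby", "abe", "abel", "abigail", "abner",
          "abraham", "abram", "ada", "adam", "addison", "adele", "adrian"]
SAMPLE_LOG = [
    f"2006-11-30 10:10:{i:02d} 198.51.100.23 RCPT <{name}@example.com> 550 5.1.1"
    for i, name in enumerate(_NAMES)
] + [
    "2006-11-30 10:10:05 203.0.113.7 RCPT <sales@example.com> 250 2.1.5",
    "2006-11-30 10:10:06 203.0.113.7 RCPT <salse@example.com> 550 5.1.1",
]

if __name__ == "__main__":
    for ip, count in harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {count} unknown recipients within 60s - probable directory harvest")
```

On Windows 2000 this only tells you the harvest is happening; the tarpit response Sembee refers to (delaying the 5.1.1 answer so the walk becomes slow) needs Windows 2003 SP1 or a third-party filter in front of the server.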

SupportECI (Author) Commented:
Thanks for the help.

We are purchasing a new server with Server 2003.  See this question http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_22129128.html

Hopefully this will help.  If not I am sure I will be posting again.