

Undeliverable Emails - Spoofing? - Exchange 2000

Posted on 2006-11-30
Medium Priority
Last Modified: 2012-08-13
Hello Experts!

This may not have a specific solution, but I at least need some info and direction.

This morning we started receiving these emails as undeliverable:
From: Mail Delivery Subsystem [MAILER-DAEMON@auohstyli03.oracleoutsourcing.com]
To:  A local distribution group that has an email address attached to it.
Subject: Could not deliver mail: see transcript for details
     Original message (id 6932129) received at Thu, 30 Nov 2006 08:27:16 -0600
      from <Office@eci2fly.com>

     Message was not delivered to the following addresses:


Attachments: ATT74782.txt containing text:
Reporting-MTA: dns; auohstyli03.oracleoutsourcing.com
Received-From-MTA: dns; adcavft02.oracle.com
Arrival-Date: Thu, 30 Nov 2006 08:27:16 -0600

Final-Recipient: rfc822; bap@tylin.com
Action: failed
Status: 5.1.1
Last-Attempt-Date: Thu, 30 Nov 2006 08:27:18 -0600
Diagnostic-Code: SMTP;
 Invalid directory entry

It also had what I assume was the original message attached.

Just an hour later we started seeing messages like this:
From: System Administrator – from our exchange box
To:  Myself, or others individually
Subject: Undeliverable: Returned mail: see transcript for details
Your message did not reach some or all of the intended recipients.

      Subject:      ProParrot
      Sent:      11/30/2006 10:02 AM

The following recipient(s) could not be reached:

      cruttendenjcruttenden@stny.rr.com on 11/30/2006 10:04 AM
            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
            < txmx04.mgw.rr.com #5.1.1 SMTP; 550 5.1.1 unknown or illegal alias: cruttendenjcruttenden@stny.rr.com>

Why are we seeing these all of a sudden (might want to read background info below)?  Are they hijacking our mail system in some way or is it just spoofed?  Either way, how can I stop this?

Background Info:-----------------------------------------------------------------------------
Just a few days ago we contacted our spam service about emails not being delivered from our website (hosted off site) to our company for a contact form.  They said our domain had a high spam number (can't remember the exact term) and said that we could request a manual removal.  We did request the removal, as we and our web hosting provider (ideawire.com) do not engage in, or condone, spamming.  We thought it was simply some sort of error in the heuristics of the spam filter.  Obviously now I am not sure about that.

With all the problems with email I did make a few changes to exchange as far as relays and authorized senders.  After the changes, I did check our system for open relay and other mail settings that might have been set incorrectly, but I did not find anything wrong (I am not an exchange/email expert however).  We have also setup SPF, but I am not sure if that was just added recently or was there from the get-go.

I can post full headers if needed.

Thanks for your input and help!

Also if you have good information to contribute, please also let me know of any recommended sites or books that could help me with this problem (please don’t just post links).
Question by:SupportECI
LVL 104

Accepted Solution

Sembee earned 1600 total points
ID: 18047025
This could be one of a number of things.

1. It could be an NDR attack on your server. This is where email is sent to your server with invalid addresses on purpose. These emails then bounce to the "sender" - except the sender is spoofed and is the real target.
Looking at your queues will show whether this is the case or not. A large number of messages in the queues waiting to go out is an indication of a problem.

2. As above but you are the target.

3. Your domain is being spoofed as the from address in spam messages.
If that is the case then you are pretty much stuffed as you have to ride out the storm. Under the terms of the RFCs for SMTP (Which govern how SMTP email works) you must accept NDR messages destined for your domain.

It isn't clear from the headers above what your domain name or IP address is, so I cannot go and look at the common blacklist web sites to see whether you are listed and for what reason.

There is always the possibility that you have got blacklisted by a machine on your network being a member of a botnet that sends out spam. The quickest way to detect that is to block port 25 on your firewall for everyone but the Exchange server and then see what happens. A compromised machine will show in the logs very quickly as it will be trying to send out spam messages and will be unable to.

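Sembee's three possibilities all hinge on one question: did the bounced message ever pass through your server? The script below is an added example, not part of the thread, that parses a bounce of the shape quoted in the question (an RFC 3464 delivery status notification: a multipart/report with a message/delivery-status part and the returned original) and answers that question from the Received: trail of the returned original. The domain, addresses, host names and both sample bounces are constructed assumptions (RFC 5737 documentation ranges), not data from the question.

```python
"""Tell backscatter (bounces of forged mail) from bounces of mail we really sent.

A remote MTA that bounces a message stamps the returned original with its
Received: trail.  If none of the hops is our own server, the mail never passed
through us: our domain was forged as the sender and the NDR is backscatter.
If our server is in the trail, we really sent it, and the next question is
whether a user, an open relay or a compromised host injected it.
Added example; domain, IPs and host names below are assumptions.
"""
import email
import re
from email import policy

OUR_DOMAIN = "example.com"             # assumption: the domain seen as the bounced sender
OUR_OUTBOUND_IPS = {"203.0.113.10"}    # assumption: our Exchange server's public address
OUR_MTA_NAMES = {"mail.example.com"}   # assumption: its name as it appears in Received: lines

BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.I)


def parse_dsn(raw: bytes) -> dict:
    """Pull per-recipient status fields and the returned original out of a DSN."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients, original = [], None
    for part in msg.walk():
        # the parser turns each blank-line-separated block of the
        # message/delivery-status part into its own header-only sub-message
        if part.get("Final-Recipient"):
            recipients.append({
                "recipient": part["Final-Recipient"].split(";", 1)[-1].strip(),
                "status": part.get("Status", "").strip(),
                "diagnostic": " ".join(part.get("Diagnostic-Code", "").split()),
            })
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload()[0]
    return {"recipients": recipients, "original": original}


def sending_hops(original) -> tuple:
    """IPs and host names on the handing-off side of the original's Received: lines."""
    ips, hosts = set(), set()
    for received in original.get_all("Received", []):
        text = " ".join(str(received).split())          # unfold the header
        ips.update(BRACKET_IP_RE.findall(text))
        hosts.update(h.lower().rstrip(".") for h in FROM_HOST_RE.findall(text))
    return ips, hosts


def classify(dsn: dict) -> str:
    original = dsn["original"]
    if original is None:
        return "unknown"            # no returned copy, nothing to check against
    ips, hosts = sending_hops(original)
    if ips & OUR_OUTBOUND_IPS or hosts & OUR_MTA_NAMES:
        return "sent-by-us"         # real bounce: find out who injected it into Exchange
    return "backscatter"            # the remote MTA bounced a message we never sent


def triage(raw: bytes) -> dict:
    dsn = parse_dsn(raw)
    return {"verdict": classify(dsn), "recipients": dsn["recipients"]}


def build_dsn(received: str, sender: str, recipient: str) -> bytes:
    """Constructed RFC 3464 bounce in the shape of the thread's first NDR (not a real capture)."""
    return f"""From: Mail Delivery Subsystem <MAILER-DAEMON@mx.remote.example>
To: {sender}
Subject: Could not deliver mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-boundary"

--dsn-boundary
Content-Type: text/plain

Message was not delivered to the following addresses:
     {recipient}

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example
Arrival-Date: Thu, 30 Nov 2006 08:27:16 -0600

Final-Recipient: rfc822; {recipient}
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 5.1.1 unknown or illegal alias

--dsn-boundary
Content-Type: message/rfc822

{received}
From: {sender}
To: {recipient}
Subject: ProParrot

(original body)
--dsn-boundary--
""".encode()


# constructed Received: trails as the bouncing MTA would have stamped them
FORGED = build_dsn(
    "Received: from open-proxy.example.net (unknown [198.51.100.77])\n"
    "\tby mx.remote.example with SMTP id 6932129;\n\tThu, 30 Nov 2006 08:27:16 -0600",
    f"Office@{OUR_DOMAIN}", "nobody@remote.example")
GENUINE = build_dsn(
    "Received: from mail.example.com (mail.example.com [203.0.113.10])\n"
    "\tby mx.remote.example with ESMTP id 6932130;\n\tThu, 30 Nov 2006 10:02:11 -0600",
    f"someone@{OUR_DOMAIN}", "nobody@remote.example")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, triage(raw))
```

Run it over a mailbox of the NDRs: a pile of "backscatter" verdicts is Sembee's case 3 (spoofed sender, ride it out), while "sent-by-us" verdicts for mail no user recognises point at relay abuse or a compromised internal host and deserve a look at the Exchange SMTP logs for the matching message IDs.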
LVL 13

Assisted Solution

by:Vishal Breed
Vishal Breed earned 400 total points
ID: 18052673
This is an NDR email to a SPAM email. There are two types of SPAM.

1] People use your Exchange server, which is open to relay, to avoid paying SMTP charges and to keep themselves away from cyber law. In case anybody sues you, the original sender is still unknown to everybody. They spam to advertise for small companies, use automated software to send lots of emails to block the bandwidth, etc.

2] There are some viruses which use Outlook Express or software that has an option to send email to an SMTP server. It sends email to any address using your name or a name from your address book (as sender). In case the email is not delivered, it will bounce back to the sender (though he has not sent it).

Solutions: If you are using E2K SP3, please follow these articles.





If you are using E2K3, please install SP2 and configure the in-built anti-spam features, and follow this article as well.


Author Comment

ID: 18102032
Hello all,

Thanks for the comments.

My lack of Exchange knowledge is about to show.  We have Exchange 2003, not 2000.  It is on a W2K server.  Here is a list of what I did:

firewall - blocked all but exchange ip from sending mail (port 25) - nothing showed in log
installed sp2 on exchange 2003
set up Intelligent Message Filter with values of 7 to block and 4 to junk
changed distro groups to only accept messages from auth users
setup recipient filtering to filter mail to unknown addresses
stopped imap pop3 and nntp services
disabled domain guest account

Now a dumb question:  how does Exchange receive email?  I thought SMTP was just to send (send mail to people)?  But I stopped the IMAP, NNTP, and POP3 virtual servers and we still get all of our email?
How can I set up Exchange to only accept email from our spam service (several subnets they have provided for us)?

I am still going through website trying to "harden" and "lock down" the exchange box.  Any other suggestions?
PS the emails seem to come in spurts so it may be a few days before we get the undeliverables again.
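Sembee's egress test (block outbound TCP/25 for everything except the Exchange server and watch what gets denied) is only as good as the reading of the deny log. The script below is an added example, not from the thread or any firewall vendor: it summarises blocked outbound SMTP attempts per internal host from an iptables-style log and separates a bot fanning out to many mail servers from a single stray connection. The Exchange address, the internal hosts and the log lines are all constructed.

```python
"""Find internal hosts trying to send SMTP straight to the internet.

After the firewall rule "TCP/25 out only from the Exchange server", a
spam-sending bot shows up as many denied connections to many distinct
external mail servers.  The Exchange server itself should never appear in
the denies; if it does, the exception for it is missing or wrong.
Added example: the log is a constructed iptables-style excerpt
(SRC=/DST=/DPT= fields), not any product's real output.
"""
import re
from collections import defaultdict

EXCHANGE_IP = "192.168.1.5"          # assumption: the only host allowed out on TCP/25

LINE_RE = re.compile(
    r"\b(?P<action>DENY|ALLOW)\b.*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?\bDPT=(?P<dpt>\d+)"
)

# constructed log excerpt: one bot, one host with a single stray attempt,
# one unrelated web connection, and the Exchange server going out normally
SAMPLE_LOG = """\
Nov 30 10:04:01 fw kernel: ALLOW IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.25 PROTO=TCP SPT=3391 DPT=25
Nov 30 10:04:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.11 PROTO=TCP SPT=4123 DPT=25
Nov 30 10:04:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.12 PROTO=TCP SPT=4124 DPT=25
Nov 30 10:04:03 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.13 PROTO=TCP SPT=4125 DPT=25
Nov 30 10:04:03 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.14 PROTO=TCP SPT=4126 DPT=25
Nov 30 10:04:05 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.80 PROTO=TCP SPT=1055 DPT=25
Nov 30 10:04:06 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.11 PROTO=TCP SPT=4127 DPT=25
Nov 30 10:04:07 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.1.33 DST=203.0.113.90 PROTO=TCP SPT=2201 DPT=80
"""


def blocked_smtp(lines, exchange_ip=EXCHANGE_IP) -> dict:
    """Per-source summary of denied outbound TCP/25 connections.

    Returns {"hosts": {src: {"attempts": n, "destinations": [...]}},
             "exchange_blocked": n}; exchange_blocked > 0 means the mail
    server's own exception in the firewall rule is missing or wrong.
    """
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    exchange_blocked = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "DENY" or m["dpt"] != "25":
            continue                      # allowed traffic and other ports are not of interest
        if m["src"] == exchange_ip:
            exchange_blocked += 1
            continue
        attempts[m["src"]] += 1
        destinations[m["src"]].add(m["dst"])
    hosts = {
        src: {"attempts": attempts[src], "destinations": sorted(destinations[src])}
        for src in attempts
    }
    return {"hosts": hosts, "exchange_blocked": exchange_blocked}


def likely_bots(summary: dict, min_distinct_destinations: int = 3) -> list:
    """A mail client pointed at one external SMTP server hits one destination;
    a spam bot fans out to many.  The threshold is a judgement call."""
    return sorted(
        src for src, info in summary["hosts"].items()
        if len(info["destinations"]) >= min_distinct_destinations
    )


if __name__ == "__main__":
    summary = blocked_smtp(SAMPLE_LOG.splitlines())
    print("suspects:", likely_bots(summary))
    print("exchange blocked:", summary["exchange_blocked"])
```

A host that appears once (192.168.1.20 in the constructed sample) is more likely a user's mail client or a device configured to use an outside SMTP server than a bot; it still deserves a look, but the fan-out host is the one to pull off the network first.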

LVL 104

Expert Comment

ID: 18102727
From a security point of view you really need to get Exchange on to Windows 2003.
While recipient filtering helps, on Windows 2000 it actually exposes your server. You are now vulnerable to a directory harvest attack as Windows 2000 doesn't have the protection against those that Windows 2003 SP1 does.

SMTP is the way that email is delivered between servers and how email is sent.
POP3 is used to pull email by an email client from an email server. Your Exchange server is an email server. POP3 can only be the last hop in the email delivery path.

If you have an external spam filtering service, then they should have provided you with instructions. The usual way to block connections is on the SMTP virtual server in Exchange. Click on Access and then Connection control. Change the option to "Only the list below" and configure the external subnets required. DO NOT add any internal subnets to the list.
If you need to allow internal machines to access an SMTP virtual server then setup a second SMTP virtual server on a second internal IP address, one that is not exposed to the internet in any way.

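Two of the answers above come down to access decisions on the SMTP virtual server: Vishal's point that an open relay lets anyone send through you, and Sembee's that connection control should be "Only the list below" with the filtering service's subnets and never an internal one. The model below is an added example, not Exchange code and not from the thread: it reproduces both decisions so a planned configuration can be checked offline before it is typed into the virtual server. The local domain, the filtering service's ranges and the LAN range are assumptions (RFC 1918 and RFC 5737 ranges).

```python
"""Model of the two SMTP access decisions discussed in the thread.

1. Connection control: which client addresses may connect at all to the
   internet-facing SMTP virtual server ("Only the list below").
2. Relay control: for an accepted connection, which RCPT TO addresses are
   taken.  Accepting a foreign domain from an unauthenticated, untrusted
   client is what makes a server an open relay.
Added example; all addresses and domains are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class SmtpVirtualServer:
    local_domains: frozenset                        # domains this server accepts mail for
    connection_allow: list                          # "Only the list below": who may connect
    relay_allow: list = field(default_factory=list) # who may relay unauthenticated (should be empty here)
    auth_users_may_relay: bool = True

    def lint(self) -> list:
        """Configuration mistakes the thread warns about."""
        problems = []
        for net in self.connection_allow:
            if any(net.overlaps(p) for p in PRIVATE_NETS):
                problems.append(f"internal range {net} in connection control list")
        for net in self.relay_allow:
            if net == ANY_NET:
                problems.append("relay permitted for all computers: open relay")
            elif not any(net.overlaps(p) for p in PRIVATE_NETS):
                problems.append(f"relay permitted for external range {net}")
        return problems

    def accepts_connection(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.connection_allow)

    def accepts_recipient(self, client_ip: str, authenticated: bool, rcpt: str) -> bool:
        """The RCPT TO decision for an already accepted connection."""
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return True                              # inbound mail for us: always taken
        if authenticated and self.auth_users_may_relay:
            return True                              # our own users sending out
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.relay_allow)

    def is_open_relay(self, probe_ip: str = "198.51.100.77") -> bool:
        """Can an outside, unauthenticated host connect and relay to a foreign domain?
        Note that a tight connection-control list hides relay mistakes from this
        probe; the relay rules still matter for every host that can connect."""
        return (self.accepts_connection(probe_ip)
                and self.accepts_recipient(probe_ip, False, "victim@elsewhere.example"))


LOCAL = frozenset({"example.com"})                   # assumption

# weak setting: anyone may connect and anyone may relay
BEFORE = SmtpVirtualServer(local_domains=LOCAL,
                           connection_allow=_nets(["0.0.0.0/0"]),
                           relay_allow=_nets(["0.0.0.0/0"]))

# corrected: only the filtering service's subnets (assumed ranges) may connect,
# and nobody relays without authenticating
AFTER = SmtpVirtualServer(local_domains=LOCAL,
                          connection_allow=_nets(["203.0.113.0/26", "198.51.100.128/25"]))

# the mistake Sembee warns about: the LAN added to the internet-facing list
MISTAKE = SmtpVirtualServer(local_domains=LOCAL,
                            connection_allow=_nets(["203.0.113.0/26", "192.168.1.0/24"]))

if __name__ == "__main__":
    for name, vs in (("before", BEFORE), ("after", AFTER), ("mistake", MISTAKE)):
        print(name, "open relay:", vs.is_open_relay(), "problems:", vs.lint())
```

Outlook clients on the LAN or over the VPN talk to Exchange with MAPI, not SMTP, so the corrected list does not affect them; anything internal that genuinely needs to submit by SMTP belongs on the separate internal virtual server Sembee describes, not in this list.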

Author Comment

ID: 18103055
Thanks Sembee,

Are you saying I should remove recipient filtering?  Or are we open to those no matter what?

I set up the restrictions on the SMTP server.  Can I leave POP stopped?  All of our clients use Outlook while connected locally or via VPN.

Also, on the Access tab there is an Authentication button.  What are your recommendations for that?  Should anonymous access be enabled?  What about basic?  Again, all users are on Windows 2000 or higher and connected to the LAN.  We do have Outlook Web Access for when users are unable to connect via VPN, but it is used rarely.

thanks again.
LVL 104

Expert Comment

ID: 18103232
Recipient filtering - on Windows 2000 there is no perfect setting. Turn it off and you can be hit by an NDR attack. Turn it on and you could be under a directory harvest attack. The only option is to either use a third party tool to provide the protection or move to Windows 2003.

Authentication setting - if you are receiving email from your spam filtering service then you will need to leave anonymous enabled. A common issue with newbie Exchange administrators is that they turn that option off, then wonder why they don't receive any email.

If you don't have any clients making POP3 connections, then stop and disable the service. It isn't required.


Author Comment

ID: 18350987
Thanks for the help.

We are purchasing a new server with Server 2003.  See this question http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_22129128.html

Hopefully this will help.  If not I am sure I will be posting again.
