Solved

Undeliverable Emails - Spoofing? - Exchange 2000

Posted on 2006-11-30
Last Modified: 2012-08-13
Hello Experts!

This may not have a specific solution, but I at least need some info and direction.

Symptoms:
This morning we started receiving these emails as undeliverable:
From: Mail Delivery Subsystem [MAILER-DAEMON@auohstyli03.oracleoutsourcing.com]
To:  A local distribution group that has an email address attached to it.
Subject: Could not deliver mail: see transcript for details
Message:
     Original message (id 6932129) received at Thu, 30 Nov 2006 08:27:16 -0600
      from <Office@eci2fly.com>

     Message was not delivered to the following addresses:

    bap@tylin.com

Attachments: ATT74782.txt containing text:
Reporting-MTA: dns; auohstyli03.oracleoutsourcing.com
Received-From-MTA: dns; adcavft02.oracle.com
Arrival-Date: Thu, 30 Nov 2006 08:27:16 -0600

Final-Recipient: rfc822; bap@tylin.com
Action: failed
Status: 5.1.1
Last-Attempt-Date: Thu, 30 Nov 2006 08:27:18 -0600
Diagnostic-Code: SMTP;
 Invalid directory entry

It also had what I assume was the original message attached.

Just an hour later we started seeing messages like this:
From: System Administrator – from our exchange box
To:  Myself, or others individually
Subject: Undeliverable: Returned mail: see transcript for details
Message:
Your message did not reach some or all of the intended recipients.

      Subject:      ProParrot
      Sent:      11/30/2006 10:02 AM

The following recipient(s) could not be reached:

      cruttendenjcruttenden@stny.rr.com on 11/30/2006 10:04 AM
            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
            < txmx04.mgw.rr.com #5.1.1 SMTP; 550 5.1.1 unknown or illegal alias: cruttendenjcruttenden@stny.rr.com>

Question:
Why are we seeing these all of a sudden (might want to read background info below)?  Are they hijacking our mail system in some way or is it just spoofed?  Either way, how can I stop this?

Background Info:
Just a few days ago we contacted our spam service about emails not being delivered from our website (hosted off site) to our company for a contact form.  They said our domain had a high spam number (can’t remember the exact term) and said that we could request a manual removal.  We did request the removal, as we and our web hosting provider (ideawire.com) do not engage in, or condone, spamming.  We thought it was simply some sort of error in the heuristics of the spam filter.  Obviously now I am not sure about that.

With all the problems with email I did make a few changes to Exchange as far as relays and authorized senders.  After the changes, I did check our system for open relay and other mail settings that might have been set incorrectly, but I did not find anything wrong (I am not an Exchange/email expert however).  We have also set up SPF, but I am not sure if that was just added recently or was there from the get-go.

I can post full headers if needed.

Thanks for your input and help!

Also if you have good information to contribute, please also let me know of any recommended sites or books that could help me with this problem (please don’t just post links).
Question by:SupportECI
LVL 104

Accepted Solution

by:
Sembee earned 400 total points
This could be one of a number of things.

1. It could be an NDR attack on your server. This is where email is sent to your server with invalid addresses on purpose. These emails then bounce to the "sender" - except the sender is spoofed and is the real target.
If this is the case, looking at your queues will show it. A large number of messages in the queues waiting to go out is an indication of a problem.

2. As above but you are the target.

3. Your domain is being spoofed as the from address in spam messages.
If that is the case then you are pretty much stuffed as you have to ride out the storm. Under the terms of the RFCs for SMTP (which govern how SMTP email works) you must accept NDR messages destined for your domain.

It isn't clear from the headers above what your domain name or IP address is, so I cannot go and look at the common blacklist web sites to see whether you are listed and for what reason.

There is always the possibility that you have got blacklisted by a machine on your network being a member of a BOT net that sends out spam. The quickest way to detect that is to block port 25 on your firewall for everyone but the Exchange server and then see what happens. A compromised machine will show in the logs very quickly as it will be trying to send out spam messages and will be unable to.

Simon.
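A defender-side check that separates Simon's first case (mail really left your server) from his third (your domain spoofed elsewhere), added here as an example and not code from the thread: parse the delivery-status fields quoted in the question, then look at the attached original message's Received: headers for your own MTA. OUR_MTA is an assumed placeholder for the poster's Exchange host, and both header samples are constructed.

```python
import re

OUR_MTA = "mail.example.com"  # placeholder for the poster's own Exchange host
# Constructed delivery-status part, modelled on the fields quoted in the question.
DSN_SAMPLE = """Reporting-MTA: dns; auohstyli03.oracleoutsourcing.com
Received-From-MTA: dns; adcavft02.oracle.com

Final-Recipient: rfc822; bap@tylin.com
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP;
 Invalid directory entry
"""
# Constructed original-message headers: no Received: line names OUR_MTA (spoofed sender).
ORIG_SPOOFED = """Received: from adcavft02.oracle.com by auohstyli03.oracleoutsourcing.com
Received: from 203.0.113.9 (unknown) by adcavft02.oracle.com
From: <Office@eci2fly.com>
"""
# Constructed counter-example: this one really was handed on by OUR_MTA.
ORIG_RELAYED = """Received: from mail.example.com by txmx04.mgw.rr.com
Received: from 192.0.2.7 by mail.example.com
"""

def parse_dsn(text):
    """Parse DSN fields into a dict, joining folded continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            key = None                      # blank line ends a field group
        elif line[0].isspace() and key:
            fields[key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields

def transited_our_mta(headers, our_mta=OUR_MTA):
    pat = re.compile(r"^Received:.*\bby\s+" + re.escape(our_mta) + r"\b", re.I | re.M)
    return pat.search(headers) is not None

def classify_bounce(dsn_text, original_headers):
    """'backscatter' means a spoofed sender: nothing actually left our server."""
    dsn = parse_dsn(dsn_text)
    if dsn.get("Action") != "failed" or not dsn.get("Status", "").startswith("5."):
        return "not-a-hard-bounce"
    if transited_our_mta(original_headers):
        return "sent-via-our-mta"   # relay abuse or infected host: check queues and logs
    return "backscatter"
```

A run of "sent-via-our-mta" results is the cue to check the outbound queues and firewall logs Simon mentions; a run of "backscatter" results is the storm you can only ride out.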
LVL 13

Assisted Solution

by:vishal_breed
vishal_breed earned 100 total points
This is an NDR email to a SPAM email. There are two types of SPAM.

1] People use your Exchange server which is open to relay to avoid paying SMTP charges & keep themselves away from Cyber Law. In case anybody sues you, the original sender is still unknown to everybody. They spam to advertise for small companies; usage of automated software to send lots of emails to block the bandwidth etc.

2] There are some viruses which use Outlook Express or software that has an option to send email to an SMTP server. It sends email to any address using your name or a name from your address book (as sender). In case email is not delivered it will come back to the sender (though he has not sent it).

Solutions: If you are using E2K SP3 please follow these articles.

http://support.microsoft.com/?id=310380

http://support.microsoft.com/?id=319356

http://support.microsoft.com/?id=324958

http://support.microsoft.com/kb/895853/en-us

If you are using E2k3 - please install SP2 & configure the in-built anti-spam features. As well as that, follow this article.

http://www.microsoft.com/technet/prodtechnol/exchange/guides/StopEmailVirus/f766057c-a3e9-4924-a2d9-79199d8eec62.mspx?pf=true
LVL 1

Author Comment

by:SupportECI
Hello all,

Thanks for the comments.

My lack of Exchange knowledge is about to show.  We have Exchange 2003, not 2000.  It is on a W2k server.  Here is a list of what I did:

firewall - blocked all but the Exchange IP from sending mail (port 25) - nothing showed in the log
installed SP2 on Exchange 2003
set up Intelligent Message Filter with values of 7 block and 4 to junk
changed distro groups to only accept messages from auth users
set up recipient filtering to filter mail to unknown addresses
stopped IMAP, POP3 and NNTP services
disabled domain guest account

Now a dumb question:  how does Exchange receive email?  I thought SMTP was just to send (send mail to people)?  But I stopped the IMAP, NNTP, and POP3 virtual servers and we still get all of our email?
How can I set up Exchange to only accept email from our spam service (several subnets they have provided for us)?

I am still going through websites trying to "harden" and "lock down" the Exchange box.  Any other suggestions?
PS: the emails seem to come in spurts so it may be a few days before we get the undeliverables again.
LVL 104

Expert Comment

by:Sembee
From a security point of view you really need to get Exchange on to Windows 2003.
While recipient filtering helps, on Windows 2000 it actually exposes your server. You are now vulnerable to a directory harvest attack as Windows 2000 doesn't have the protection against those that Windows 2003 SP1 does.

SMTP is the way that email is delivered between servers and how email is sent.
POP3 is used to pull email by an email client from an email server. Your Exchange server is an email server. POP3 can only be the last hop in the email delivery path.

If you have an external spam filtering service, then they should have provided you with instructions. The usual way to block connections is on the SMTP virtual server in Exchange. Click on Access and then Connection control. Change the option to "Only the list below" and configure the external subnets required. DO NOT add any internal subnets to the list.
If you need to allow internal machines to access an SMTP virtual server then set up a second SMTP virtual server on a second internal IP address, one that is not exposed to the internet in any way.

Simon.
LVL 1

Author Comment

by:SupportECI
Thanks Sembee,

Are you saying I should remove recipient filtering?  Or are we open to those no matter what?

I set up the restrictions on the SMTP server.  Can I leave POP stopped?  All of our clients use Outlook while connected locally or via VPN.

Also, on the Access tab is an Authentication button.  What are your recommendations for that?  Should anonymous access be enabled?  What about basic?  Again, all users are on Windows 2000 or higher and connected to the LAN.  We do have Outlook Web Access for when users are unable to connect via VPN, but it is used rarely.

thanks again.
LVL 104

Expert Comment

by:Sembee
Recipient filtering - on Windows 2000 there is no perfect setting. Turn it off and you can be hit by an NDR attack. Turn it on and you could be under a directory harvest attack. The only option is to either use a third party tool to provide the protection or move to Windows 2003.

Authentication setting - if you are receiving email from your spam filtering service then you will need to leave anonymous enabled. A common issue with newbie Exchange administrators is that they turn that option off, then wonder why they don't receive any email.

If you don't have any clients making POP3 connections, then stop and disable the service. It isn't required.

Simon.
LVL 1

Author Comment

by:SupportECI
Thanks for the help.

We are purchasing a new server with Server 2003.  See this question http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_22129128.html

Hopefully this will help.  If not I am sure I will be posting again.