Solved

Possible Mailer or Maybe new tactics from Spammers HELP!!

Posted on 2007-03-27
14
621 Views
Last Modified: 2007-12-19
I've been using IMF for a couple of months now...I check the filter archive regularly to make sure legit emails aren't being blocked...it's worked well for me, blocking over 6 thousand emails since I turned it on back in November. Starting yesterday, I am noticing an unusual amount of undeliverable messages that are being blocked. I know that people here don't email the people we are getting the undeliverables from, as I've asked around, and we have a pretty small office, less than 20 people. Some of these domains people have never heard of. This is actually a bit scary, as I have no way to tell where these messages are generating from. Here are a couple of the senders that are getting blocked by the filter.

There are MANY more.

BTW, all of the undeliverable messages are the same. "Sorry, no mailbox here by that name. vpopmail (#5.1.1)"  - "Bad Address"  - etc.

They all seem to be returning messages from different flavors of this address: "qdrivenkauz@MyCompaniesDomain.com". By 'different flavors' I mean the name mixed up a bit, like qldrivekauz@MyCompaniesDomain.com.

Is a spammer just sending mail from a mail address with our company's domain in it? Because I've seen before where messages were blocked and they were a bogus version of an address with our domain in it.

If the spammer is sending spam out with our domain, would undeliverables be returned to my domain? Or would it go back to where it was sent from? This is weird, because even though I've seen spam with our domain in it (for example, a spam message from asdfag@MyCompaniesDomain.com sent a message to hiuhsd@mydomain.com and was blocked and placed in the IMF archive), I've never seen this many undeliverables before. I mean, they're one after the other.

Help?
0
Comment
Question by:jaysonfranklin
14 Comments
 
LVL 3

Expert Comment

by:Dinga84
ID: 18804070
I would be guessing somebody is spoofing your address. With email I can easily send an email claiming to come from bill.gates@microsoft.com; when I send that to an address that doesn't exist, NoRealAdress@test.com, that address's Exchange server, mailer-daemon@test.com, will reply to microsoft.com as that's who it thinks is sending it.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804103
Ok. But I guess with as many times as I've seen a bogus mail address spoofed with our domain name in it, I have never seen a spike in undeliverables like this. So you think I have nothing to worry about?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18804209
Spoofing often comes in batches. The spammer will use your domain name for all email messages sent in that batch. You just need to ride out the storm.
The only thing it could be is you are the target of NDR spam - not where your server is being used to bounce the messages off, but the intended target where the from field has been spoofed.

Simon.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804286
Is there anything I could do to prevent something like that? Is there any way in Exchange that I could see the number of messages coming in vs. blocked messages?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18804318
You can get perfmon to record the number of NDRs being generated by the server, but when it comes to NDRs being generated outside of the server - so in response to the spoofed email - there is very little you can do. You have to accept NDR messages for your domain, if you attempt to block them you will get blacklisted.

Simon.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18809972
Who would blacklist us for blocking NDRs?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18812052
Some of the major blacklist operators have blacklisted servers because they will not accept the system messages. It is a breach of the RFCs on SMTP handling.

Simon.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18846547
Coo...so I guess I'm just waiting this out, eh....I checked to see if I'm an open relay and it's all closed up. Is there still any way somebody could bounce messages off me? Like with SMTP connectors or anything?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18847362
There are various ways that messages can be bounced off your server.
The two major ones are NDR spam and authenticated relaying.
See my spam cleanup article here: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0
 
LVL 1

Accepted Solution

by:
jaysonfranklin earned 0 total points
ID: 18860427
The NDRs have been stopped. It took a while, but I found the answer. There's no way I could have just 'waited out the storm' because I would have been on every blacklist known to man. I knew I had to dig deeper when I was added to my ISP's blacklist. Fortunately for me, that's the only one...

Sender Policy Framework (SPF) is an extension to SMTP. SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.

SPF allows the owner of an Internet domain to use a special format of DNS TXT records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines (or IPs) are authorized to send e-mail whose e-mail address in the Return-Path ends with "@example.org".

So, I set up an SPF record with our hosting company, even though we host our email in-house on Exchange...I was able to work with them to set up a policy which only allows email, sent with our domain as the sender, to be checked, like rDNS, to be allowed ONLY when originated from one of our global IPs, which ALL our mail should originate from. And voila...the only thing is....this only helps on my side. Receivers should also implement SPF to block all spoofed sender IDs as well....but that's on them.
0
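As an added illustration (not code from the thread or from any poster) of Dinga84's point about where a bounce goes and of the SPF fix in the accepted solution: a small Python model of a receiving MTA, with and without SPF enforcement. All DNS data, IP ranges, domain names and mailbox lists are constructed for the example, and the spf_check function handles only ip4 mechanisms and the all default.

```python
import ipaddress

# Constructed data for this example (not from the thread): the spoofed
# domain publishes an SPF record listing the one /28 its mail comes from.
DNS_TXT = {"mycompaniesdomain.example": "v=spf1 ip4:203.0.113.0/28 -all"}
# Constructed mailbox directory of the receiving site.
MAILBOXES = {"example.org": {"alice", "bob"}}

def spf_check(domain, sender_ip):
    """Toy SPF evaluator: supports only ip4: mechanisms and the 'all'
    default. Returns pass / fail / softfail / neutral / none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a/mx/include etc. are not modelled here
        if matched:
            return {"+": "pass", "-": "fail",
                    "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def receive(mail_from, rcpt_to, client_ip, enforce_spf):
    """Model of a receiving MTA that accepts mail and bounces unknown
    recipients afterwards (the vpopmail-style #5.1.1 bounce in the question).
    Returns (smtp_reply, ndr_recipient); ndr_recipient is None if no NDR."""
    from_domain = mail_from.rsplit("@", 1)[1]
    if enforce_spf and spf_check(from_domain, client_ip) == "fail":
        # Rejected inside the SMTP session: the spammer's client hears the
        # 550, so no bounce is ever mailed to the spoofed domain.
        return ("550 5.7.1 SPF fail", None)
    local, rcpt_domain = rcpt_to.rsplit("@", 1)
    if local not in MAILBOXES.get(rcpt_domain, set()):
        # Accepted, then found undeliverable: the NDR is addressed to the
        # MAIL FROM (Return-Path), i.e. the spoofed domain, not to the
        # IP that actually connected. This is the backscatter in the thread.
        return ("250 accepted", mail_from)
    return ("250 delivered", None)

if __name__ == "__main__":
    spoof = "qdrivenkauz@mycompaniesdomain.example"
    print(receive(spoof, "nobody@example.org", "198.51.100.7", False))
    print(receive(spoof, "nobody@example.org", "198.51.100.7", True))
```

The first call shows the bounce being addressed to the spoofed domain even though the spammer connected from elsewhere; the second shows that a receiver honouring the published -all record rejects in-session, so no NDR reaches the victim.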
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18884031
This question can be closed, as I was informed not to give out points anymore if I wasn't provided with an answer.
0
