Possible Mailer or Maybe new tactics from Spammers HELP!!

I've been using IMF for a couple of months now... I check the filter archive regularly to make sure legit emails aren't being blocked... it's worked well for me, blocking over 6 thousand emails since I turned it on back in November. Starting yesterday, I am noticing an unusual amount of undeliverable messages that are being blocked. I know that people here don't email the people we are getting the undeliverables from, as I've asked around, and we have a pretty small office, less than 20 people. Some of these domains people have never heard of. This is actually a bit scary, as I have no way to tell where these messages are generating from. Here are a couple of the senders that are getting blocked by the filter.


There are MANY more.

BTW, all of the undeliverable messages are the same. "Sorry, no mailbox here by that name. vpopmail (#5.1.1)"  - "Bad Address"  - etc.

They all seem to be returning messages from different flavors of this address: "qdrivenkauz@MyCompaniesDomain.com". By 'different flavors' I mean the name is mixed up a bit, like qldrivekauz@MyCompaniesDomain.com.

Is a spammer just sending mail from a mail address with our company's domain in it? Because I've seen before where messages were blocked and they were a bogus version of an address with our domain in it.

If the spammer is sending spam out with our domain, would undeliverables be returned to my domain? Or would they go back to where it was sent from? This is weird, because I have seen spam with our domain in it before: for example, a spam message from asdfag@MyCompaniesDomain.com was sent to hiuhsd@mydomain.com and was blocked and placed in the IMF archive. But I've never seen this many undeliverables before. I mean, they're one after the other.

Help?
jaysonfranklin asked:
jaysonfranklin (Author) commented:
The NDRs have been stopped. It took a while, but I found the answer. There's no way I could have just 'waited out the storm', because I would have been on every blacklist known to man. I knew I had to dig deeper when I was added to my ISP's blacklist. Fortunately for me, that's the only one...

Sender Policy Framework (SPF) is an extension to SMTP. SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.

SPF allows the owner of an Internet domain to use a special format of DNS TXT records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines (or IPs) are authorized to send e-mail whose e-mail address in the Return-Path ends with "@example.org".

So, I set up an SPF record with our hosting company, even though we host our email in-house on Exchange... I was able to work with them to set up a policy which only allows email sent with our domain as the sender to be checked, like rDNS, and to be allowed ONLY when originated from one of our global IPs, which ALL our mail should originate from. And voila... the only thing is... this only helps on my side. Receivers should also implement SPF to block all spoofed sender IDs as well... but that's on them.
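As an added illustration (not from this thread, Exchange, or any hosting product), the Python below evaluates a constructed SPF record of the kind the poster set up, using RFC 5737 documentation addresses in place of the company's real global IPs, and shows why a receiver that checks SPF at MAIL FROM time never sends the NDRs back to the forged domain:

```python
import ipaddress

# Constructed SPF record for the thread's scenario (not the poster's real one):
# only the office's public addresses, written here with RFC 5737 documentation
# ranges, may send mail whose Return-Path ends in @MyCompaniesDomain.com.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.16/28 -all"

# Constructed envelopes as a receiving server sees them: (MAIL FROM, client IP).
ENVELOPES = [
    ("sales@mycompaniesdomain.com", "203.0.113.10"),        # real office mail
    ("qdrivenkauz@mycompaniesdomain.com", "198.51.100.7"),  # bot, forged sender
    ("qldrivekauz@mycompaniesdomain.com", "192.0.2.44"),    # another bot
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for client_ip.

    Mechanisms that need DNS (a, mx, include, redirect) are out of scope here
    and raise. Returns pass, fail, softfail, neutral, or "none" (no record).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"{name} needs a DNS lookup; not handled here")
    return "neutral"  # nothing matched and no "all" term: SPF default


def accepted_at_smtp(record: str, envelopes) -> list:
    """Senders a receiver would accept (and bounce if the mailbox is bogus).
    SPF "fail" is rejected inside the SMTP session, so the error lands on the
    bot that connected, not on the forged domain, and no NDR is generated."""
    return [mail_from for mail_from, ip in envelopes
            if check_spf(record, ip) != "fail"]
```

With the "-all" record only the genuine office message is accepted; swap in "~all" and all three are accepted, so the two forged ones still turn into backscatter at the victim's domain.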
Dinga84 commented:
I would be guessing somebody is spoofing your address. With email I can easily send an email claiming to come from bill.gates@microsoft.com; when I send that to an address that doesn't exist, NoRealAddress@test.com, that address's Exchange server, mailer-daemon@test.com, will reply to microsoft.com, as that's who it thinks is sending it.
jaysonfranklin (Author) commented:
Ok. But I guess with as many times as I've seen a bogus mail address spoofed with our domain name in it, I have never seen a spike in undeliverables like this. So you think I have nothing to worry about?
Sembee commented:
Spoofing often comes in batches. The spammer will use your domain name for all email messages sent in that batch. You just need to ride out the storm.
The only thing it could be is you are the target of NDR spam - not where your server is being used to bounce the messages off, but the intended target where the from field has been spoofed.

Simon.
jaysonfranklin (Author) commented:
Is there anything I could do to prevent something like that? Is there any way in Exchange that I could see the number of messages coming in vs blocked messages?
Sembee commented:
You can get perfmon to record the number of NDRs being generated by the server, but when it comes to NDRs being generated outside of the server - so in response to the spoofed email - there is very little you can do. You have to accept NDR messages for your domain, if you attempt to block them you will get blacklisted.

Simon.
jaysonfranklin (Author) commented:
Who would blacklist us for blocking NDRs?
Sembee commented:
Some of the major blacklist operators have blacklisted because you will not accept the system messages. It is a breach of the RFCs on SMTP handling.

Simon.
jaysonfranklin (Author) commented:
Coo... so I guess I'm just waiting this out, eh... I checked to see if I'm an open relay and it's all closed up. Is there still any way somebody could bounce messages off me? Like with SMTP connectors or anything?
Sembee commented:
There are various ways that messages can be bounced off your server.
The two major ones are NDR spam and authenticated relaying.
See my spam cleanup article here: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
jaysonfranklin (Author) commented:
This question can be closed, as I was informed not to give out points anymore if i wasn't provided with an answer.