Solved

Possible Mailer or Maybe new tactics from Spammers HELP!!

Posted on 2007-03-27
Last Modified: 2007-12-19
I've been using IMF for a couple of months now. I check the filter archive regularly to make sure legit emails aren't being blocked. It's worked well for me, blocking over 6 thousand emails since I turned it on back in November. Starting yesterday, I am noticing an unusual amount of undeliverable messages that are being blocked. I know that people here don't email the people we are getting the undeliverables from, as I've asked around, and we have a pretty small office: less than 20 people. Some of these domains people have never heard of. This is actually a bit scary, as I have no way to tell where these messages are generating from. Here are a couple of the senders that are getting blocked by the filter.

MAILER-DAEMON@debian.maxserv.net
MAILER-DAEMON@mail09.talkactive.net
Mail Delivery System <Mailer-Daemon@lin7.mojsite.com>
MAILER-DAEMON@domainmb1.customer.ne.jp
Mail Delivery System <Mailer-Daemon@uniserve.com>
MAILER-DAEMON@hosmail01.mundivia.es
"Postmaster" <postmaster@win2>
MAILER-DAEMON@tarbo.hostasaurus.com
Mail Delivery System <Mailer-Daemon@drive30.station030.com>
MAILER-DAEMON@slave204.xinnet.com
Postmaster@visionarch.com
MAILER-DAEMON@mail.viahansa.com
MAILER-DAEMON@vmail-1.aniverse.com
MAILER-DAEMON@cart.isnet.it
postmaster@lge.com

There are MANY more.

BTW, all of the undeliverable messages are the same: "Sorry, no mailbox here by that name. vpopmail (#5.1.1)", "Bad Address", etc.

They all seem to be returning messages from different flavors of this address: "qdrivenkauz@MyCompaniesDomain.com". By 'different flavors' I mean the name mixed up a bit, like qldrivekauz@MyCompaniesDomain.com.

Is a spammer just sending mail from a mail address with our company's domain in it? Because I've seen before where messages were blocked and they were a bogus version of an address with our domain in it.

If the spammer is sending spam out with our domain, would undeliverables be returned to my domain? Or would it go back to where it was sent from? This is weird, because even though I've seen spam with our domain in it (for example, a spam message from asdfag@MyCompaniesDomain.com sent a message to hiuhsd@mydomain.com and was blocked and placed in the IMF archive), I've never seen this many undeliverables before. I mean, they're one after the other.

Help?
Question by: jaysonfranklin
11 Comments
 
LVL 3

Expert Comment

by:Dinga84
ID: 18804070
I would be guessing somebody is spoofing your address. With email I can easily send an email claiming to come from bill.gates@microsoft.com; when I send that to an address that doesn't exist, NoRealAdress@test.com, that address's Exchange server, mailer-daemon@test.com, will reply to microsoft.com as that's who it thinks is sending it.
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804103
Ok. But I guess with as many times as I've seen a bogus mail address spoofed with our domain name in it, I have never seen a spike in undeliverables like this. So you think I have nothing to worry about?
 
LVL 104

Expert Comment

by:Sembee
ID: 18804209
Spoofing often comes in batches. The spammer will use your domain name for all email messages sent in that batch. You just need to ride out the storm.
The only thing it could be is you are the target of NDR spam - not where your server is being used to bounce the messages off, but the intended target where the from field has been spoofed.

Simon.

 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804286
Is there anything I could do to prevent something like that? Is there any way in Exchange that I could see the number of messages coming in vs. blocked messages?
 
LVL 104

Expert Comment

by:Sembee
ID: 18804318
You can get perfmon to record the number of NDRs being generated by the server, but when it comes to NDRs being generated outside of the server (so in response to the spoofed email) there is very little you can do. You have to accept NDR messages for your domain; if you attempt to block them you will get blacklisted.

Simon.
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18809972
Who would blacklist us for blocking NDRs?
 
LVL 104

Expert Comment

by:Sembee
ID: 18812052
Some of the major blacklist operators have blacklisted because you will not accept the system messages. It is a breach of the RFCs on SMTP handling.

Simon.
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18846547
Cool... so I guess I'm just waiting this out, eh... I checked to see if I'm an open relay and it's all closed up. Is there still any way somebody could bounce messages off me? Like with SMTP connectors or anything?
 
LVL 104

Expert Comment

by:Sembee
ID: 18847362
There are various ways that messages can be bounced off your server.
The two major ones are NDR spam and authenticated relaying.
See my spam cleanup article here: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
 
LVL 1

Accepted Solution

by: jaysonfranklin (earned 0 total points)
ID: 18860427
The NDRs have been stopped. It took a while, but I found the answer. There's no way I could have just 'waited out the storm', because I would have been on every blacklist known to man. I knew I had to dig deeper when I was added to my ISP's blacklist. Fortunately for me, that's the only one...

Sender Policy Framework (SPF) is an extension to SMTP. SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.

SPF allows the owner of an Internet domain to use a special format of DNS TXT records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines (or IPs) are authorized to send e-mail whose e-mail address in the Return-Path ends with "@example.org".

So, I set up an SPF record with our hosting company, even though we host our email in-house on Exchange. I was able to work with them to set up a policy which only allows email sent with our domain as the sender to be checked, like rDNS, and to be allowed ONLY when originated from one of our global IPs, which ALL our mail should originate from. And voilà... The only thing is, this only helps on my side. Receivers should also implement SPF to block all spoofed sender IDs as well... but that's on them.
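The accepted solution above describes what an SPF policy does; as an added example (not code from the thread or from Exchange), here is a minimal SPF evaluator showing how a receiving server checks the SMTP MAIL FROM domain against a published record, so that mail forging the domain from an unauthorized IP is rejected at SMTP time instead of being accepted and bounced back as an NDR. The domain, record and IP addresses are constructed placeholders, and DNS is replaced by an in-memory table so it runs offline.

```python
# Added example (not from the original thread): a minimal SPF v1 evaluator
# showing how a receiving mail server checks the SMTP MAIL FROM domain against
# the domain owner's published policy. The DNS lookup is replaced by a
# constructed in-memory table so the example runs offline; the record,
# IP ranges and addresses below are all made-up placeholder values.
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domain and ranges).
FAKE_DNS_TXT = {
    "mycompaniesdomain.example": "v=spf1 ip4:203.0.113.0/28 ip4:198.51.100.7 -all",
}

def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None

def check_spf(client_ip, mail_from):
    """Evaluate an SPF policy for one SMTP transaction.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only the
    ip4/ip6/all mechanisms are implemented; include/a/mx are omitted.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    record = lookup_spf(domain)
    if record is None:
        return "none"          # no policy: receiver cannot tell forged from real
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"        # a mechanism with no qualifier means "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
    return "neutral"           # record ran out without a matching mechanism

if __name__ == "__main__":
    # The first IP is the company's own outbound relay (constructed); the
    # second is a host forging the address, which a checking receiver rejects.
    print(check_spf("203.0.113.5", "qdrivenkauz@mycompaniesdomain.example"))  # pass
    print(check_spf("192.0.2.44", "qdrivenkauz@mycompaniesdomain.example"))   # fail
```

A "fail" here lets the receiving server refuse the message during the SMTP session, so no NDR is ever generated toward the forged domain; receivers that publish nothing ("none") keep bouncing, which is why the author notes the fix only helps on the checking side.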
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18884031
This question can be closed, as I was informed not to give out points anymore if I wasn't provided with an answer.
