Solved

Possible Mailer or Maybe new tactics from Spammers HELP!!

Posted on 2007-03-27
Last Modified: 2007-12-19
I've been using IMF for a couple of months now... I check the filter archive regularly to make sure legit emails aren't being blocked... it's worked well for me, blocking over 6 thousand emails since I turned it on back in November. Starting yesterday, I am noticing an unusual amount of undeliverable messages that are being blocked. I know that people here don't email the people we are getting the undeliverables from, as I've asked around, and we have a pretty small office. Less than 20 people. Some of these domains people have never heard of. This is actually a bit scary as I have no way to tell where these messages are generating from. Here are a couple of the senders that are getting blocked by the filter.

MAILER-DAEMON@debian.maxserv.net
MAILER-DAEMON@mail09.talkactive.net
Mail Delivery System <Mailer-Daemon@lin7.mojsite.com>
MAILER-DAEMON@domainmb1.customer.ne.jp
Mail Delivery System <Mailer-Daemon@uniserve.com>
MAILER-DAEMON@hosmail01.mundivia.es
"Postmaster" <postmaster@win2>
MAILER-DAEMON@tarbo.hostasaurus.com
Mail Delivery System <Mailer-Daemon@drive30.station030.com>
MAILER-DAEMON@slave204.xinnet.com
Postmaster@visionarch.com
MAILER-DAEMON@mail.viahansa.com
MAILER-DAEMON@vmail-1.aniverse.com
MAILER-DAEMON@cart.isnet.it
postmaster@lge.com

there are MANY more.

BTW, all of the undeliverable messages are the same. "Sorry, no mailbox here by that name. vpopmail (#5.1.1)" - "Bad Address" - etc.

They all seem to be returning messages from different flavors of this address "qdrivenkauz@MyCompaniesDomain.com". By 'different flavors' I mean the name mixed up a bit, like qldrivekauz@MyCompaniesDomain.com.

Is a spammer just sending mail from a mail address with our company's domain in it? Because I've seen before where messages were blocked and they were a bogus version of an address with our domain in it.

If the spammer is sending spam out with our domain, would undeliverables be returned to my domain? Or would it go back to where it was sent from? This is weird, because even though I've seen spam with our domain in it (for example, a spam message from asdfag@MyCompaniesDomain.com sent a message to hiuhsd@mydomain.com and was blocked and placed in the IMF archive), I've never seen this many undeliverables before. I mean, they're one after the other.

Help?
Question by:jaysonfranklin
14 Comments
 
LVL 3

Expert Comment

by:Dinga84
ID: 18804070
I would be guessing somebody is spoofing your address. With email I can easily send an email claiming to come from bill.gates@microsoft.com; when I send that to an address that doesn't exist, NoRealAdress@test.com, that address's Exchange server mailer-daemon@test.com will reply to microsoft.com, as that's who it thinks is sending it.
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804103
Ok. But I guess with as many times as I've seen a bogus mail address spoofed with our domain name in it, I have never seen a spike in undeliverables like this. So you think I have nothing to worry about?
LVL 104

Expert Comment

by:Sembee
ID: 18804209
Spoofing often comes in batches. The spammer will use your domain name for all email messages sent in that batch. You just need to ride out the storm.
The only thing it could be is you are the target of NDR spam - not where your server is being used to bounce the messages off, but the intended target where the from field has been spoofed.

Simon.
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804286
Is there anything I could do to prevent something like that? Is there any way in Exchange that I could see the number of messages coming in vs. blocked messages?
LVL 104

Expert Comment

by:Sembee
ID: 18804318
You can get perfmon to record the number of NDRs being generated by the server, but when it comes to NDRs being generated outside of the server - so in response to the spoofed email - there is very little you can do. You have to accept NDR messages for your domain, if you attempt to block them you will get blacklisted.

Simon.
LVL 1

Author Comment

by:jaysonfranklin
ID: 18809972
Who would blacklist us for blocking NDRs?
LVL 104

Expert Comment

by:Sembee
ID: 18812052
Some of the major blacklist operators have blacklisted servers because they will not accept the system messages. It is a breach of the RFCs on SMTP handling.

Simon.
LVL 1

Author Comment

by:jaysonfranklin
ID: 18846547
Cool... so I guess I'm just waiting this out, eh... I checked to see if I'm an open relay and it's all closed up. Is there still any way somebody could bounce messages off me? Like with SMTP connectors or anything?
LVL 104

Expert Comment

by:Sembee
ID: 18847362
There are various ways that messages can be bounced off your server.
The two major ones are NDR spam and authenticated relaying.
See my spam cleanup article here: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
LVL 1

Accepted Solution

by:
jaysonfranklin earned 0 total points
ID: 18860427
The NDRs have been stopped. It took a while, but I found the answer. There's no way I could have just 'waited out the storm' because I would have been on every blacklist known to man. I knew I had to dig deeper when I was added to my ISP's blacklist. Fortunately for me, that's the only one...

Sender Policy Framework (SPF) is an extension to SMTP. SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.

SPF allows the owner of an Internet domain to use a special format of DNS TXT records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines (or IPs) are authorized to send e-mail whose e-mail address in the Return-Path ends with "@example.org".

So, I set up an SPF record with our hosting company, even though we host our email in-house on Exchange... I was able to work with them to set up a policy which only allows email sent with our domain as the sender to be checked, like rDNS, and to be allowed ONLY when originated from one of our global IPs, which ALL our mail should originate from. And voilà... the only thing is... this only helps on my side. Receivers should also implement SPF to block all spoofed sender IDs as well... but that's on them.
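To make the mechanics behind this thread concrete, here is an added example that is not part of the original thread or any of the posters' code. It models two things discussed above: Dinga84's point that a receiving server bounces undeliverable mail to whatever domain was forged in the envelope sender (the backscatter the asker saw in the IMF archive), and the accepted solution's point that SPF only helps when the receiving side actually checks it. The SPF record, IP ranges, mailbox list and addresses below are all constructed for illustration; the SPF evaluator covers only the ip4, ip6 and all mechanisms (a subset of RFC 4408), and the receiving server mirrors the accept-then-bounce behaviour of the vpopmail bounces quoted in the question.

```python
"""Toy receiving MTA showing why forged mail produces backscatter, and how an
SPF check during the SMTP session prevents the bounce from being generated.
Added example; all hosts, IPs and records are constructed, not taken from the thread."""
import ipaddress

# Constructed SPF record for the spoofed domain: the two outbound servers that
# all legitimate mail for the domain originates from (the "global IPs" in the thread).
SPF_RECORDS = {
    "mycompaniesdomain.com": "v=spf1 ip4:198.51.100.0/29 ip6:2001:db8::25 -all",
}

# Constructed list of mailboxes that exist on the receiving server.
LOCAL_MAILBOXES = {"example.net": {"alice", "bob"}}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of the domain's SPF record against the
    connecting IP. Returns pass, fail, softfail, neutral, none or permerror."""
    record = SPF_RECORDS.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # "all" matches every client
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and redirect need DNS lookups; this offline example
        # treats them as non-matching and moves on to the next term.
    return "neutral"  # no mechanism matched and no "all" term was present


def receive(client_ip: str, mail_from: str, rcpt_to: str, enforce_spf: bool):
    """Simulate envelope handling on the receiving server.
    Returns (smtp_response, address_that_receives_a_bounce_or_None)."""
    _, _, sender_domain = mail_from.rpartition("@")
    rcpt_local, _, rcpt_domain = rcpt_to.rpartition("@")
    if enforce_spf and check_spf(sender_domain, client_ip) == "fail":
        # Rejected inside the SMTP session: the sending host (the spammer) gets
        # the error, and no DSN is ever created toward the forged Return-Path.
        return ("550 5.7.1 SPF check failed", None)
    if rcpt_local.lower() not in LOCAL_MAILBOXES.get(rcpt_domain.lower(), set()):
        # Accept-then-bounce behaviour (as with the vpopmail servers in the question):
        # the DSN is addressed to the envelope sender, which is exactly what was forged.
        return ("250 accepted; DSN queued", mail_from)
    return ("250 delivered", None)


if __name__ == "__main__":
    spammer_ip = "203.0.113.77"  # constructed: a host outside the SPF range
    forged = "qdrivenkauz@MyCompaniesDomain.com"
    print(receive(spammer_ip, forged, "nosuchuser@example.net", enforce_spf=False))
    print(receive(spammer_ip, forged, "nosuchuser@example.net", enforce_spf=True))
```

Run with no SPF enforcement, the first call shows the bounce being queued to the forged address, which is the flood the asker saw; with enforcement the same forged message is refused at SMTP time and nothing is sent back. Whether a given remote server does that check is outside the domain owner's control, which is what the accepted solution means by "that's on them".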
LVL 1

Author Comment

by:jaysonfranklin
ID: 18884031
This question can be closed, as I was informed not to give out points anymore if I wasn't provided with an answer.