Solved

Possible Mailer or Maybe new tactics from Spammers HELP!!

Posted on 2007-03-27
14
609 Views
Last Modified: 2007-12-19
I've been using IMF for a couple of months now...I check the filter archive regularly to make sure legit emails aren't being blocked...it's worked well for me, blocking over 6 thousand emails since I turned it on back in November. Starting yesterday, I am noticing an unusual number of undeliverable messages that are being blocked. I know that people here don't email the people we are getting the undeliverables from, as I've asked around, and we have a pretty small office, less than 20 people. Some of these domains people have never heard of. This is actually a bit scary as I have no way to tell where these messages are being generated from. Here are a couple of the senders that are getting blocked by the filter.

MAILER-DAEMON@debian.maxserv.net
MAILER-DAEMON@mail09.talkactive.net
Mail Delivery System <Mailer-Daemon@lin7.mojsite.com>
MAILER-DAEMON@domainmb1.customer.ne.jp
Mail Delivery System <Mailer-Daemon@uniserve.com>
MAILER-DAEMON@hosmail01.mundivia.es
"Postmaster" <postmaster@win2>
MAILER-DAEMON@tarbo.hostasaurus.com
Mail Delivery System <Mailer-Daemon@drive30.station030.com>
MAILER-DAEMON@slave204.xinnet.com
Postmaster@visionarch.com
MAILER-DAEMON@mail.viahansa.com
MAILER-DAEMON@vmail-1.aniverse.com
MAILER-DAEMON@cart.isnet.it
postmaster@lge.com

there are MANY more.

BTW, all of the undeliverable messages are the same. "Sorry, no mailbox here by that name. vpopmail (#5.1.1)"  - "Bad Address"  - etc.

They all seem to be returning messages from different flavors of this address: "qdrivenkauz@MyCompaniesDomain.com". By 'different flavors' I mean the name is mixed up a bit, like qldrivekauz@MyCompaniesDomain.com.

Is a spammer just sending mail from a mail address with our company's domain in it? Because I've seen before where messages were blocked and they were a bogus version of an address with our domain in it.

If the spammer is sending spam out with our domain, would undeliverables be returned to my domain? Or would they go back to where it was sent from? This is weird, because even though I've seen spam with our domain in it (for example a spam message from asdfag@MyCompaniesDomain.com sent to hiuhsd@mydomain.com that was blocked and placed in the IMF archive), I've never seen this many undeliverables before. I mean, they're one after the other.

Help?
0
Question by:jaysonfranklin
14 Comments
 
LVL 3

Expert Comment

by:Dinga84
ID: 18804070
I would be guessing somebody is spoofing your address. With email I can easily send an email claiming to come from bill.gates@microsoft.com; when I send that to an address that doesn't exist, NoRealAdress@test.com, that address's Exchange server mailer-daemon@test.com will reply to microsoft.com as that's who it thinks is sending it.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804103
Ok. But I guess with as many times as I've seen a bogus mail address spoofed with our domain name in it, I have never seen a spike in undeliverables like this. So you think I have nothing to worry about?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18804209
Spoofing often comes in batches. The spammer will use your domain name for all email messages sent in that batch. You just need to ride out the storm.
The only thing it could be is you are the target of NDR spam - not where your server is being used to bounce the messages off, but the intended target where the from field has been spoofed.

Simon.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18804286
Is there anything I could do to prevent something like that? Is there any way in Exchange that I could see the number of messages coming in vs. blocked messages?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18804318
You can get perfmon to record the number of NDRs being generated by the server, but when it comes to NDRs being generated outside of the server - so in response to the spoofed email - there is very little you can do. You have to accept NDR messages for your domain, if you attempt to block them you will get blacklisted.

Simon.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18809972
Who would blacklist us for blocking NDRs?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18812052
Some of the major blacklist operators have blacklisted servers because they will not accept the system messages. It is a breach of the RFCs on SMTP handling.

Simon.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18846547
Cool...so I guess I'm just waiting this out, eh....I checked to see if I'm an open relay and it's all closed up. Is there still any way somebody could bounce messages off me? Like with SMTP connectors or anything?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18847362
There are various ways that messages can be bounced off your server.
The two major ones are NDR spam and authenticated relaying.
See my spam cleanup article here: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0
 
LVL 1

Accepted Solution

by:jaysonfranklin (earned 0 total points)
ID: 18860427
The NDRs have been stopped. It took a while, but I found the answer. There's no way I could have just 'waited out the storm' because I would have been on every blacklist known to man. I knew I had to dig deeper when I was added to my ISP's blacklist. Fortunately for me, that's the only one...

Sender Policy Framework (SPF) is an extension to SMTP. SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.

SPF allows the owner of an Internet domain to use a special format of DNS TXT records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines (or IPs) are authorized to send e-mail whose e-mail address in the Return-Path ends with "@example.org".

So, I set up an SPF record with our hosting company, even though we host our email in-house on Exchange...I was able to work with them to set up a policy which only allows email, sent with our domain as the sender, to be checked, like rDNS, to be allowed ONLY when originated from one of our global IPs, which ALL our mail should originate from. And voilà...the only thing is....this only helps on my side. Receivers should also implement SPF to block all spoofed sender IDs as well....but that's on them.
0
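As an added illustration of the SPF check this answer describes (example code written for this page, not part of the original thread, of Exchange, or of any SPF library): a small Python evaluator that does what a receiving mail server does once the domain owner has published a record. It compares the connecting IP with the networks listed in the `v=spf1` TXT record and turns the matching qualifier into pass, fail, softfail or neutral. It goes a little beyond the answer's single case by handling the `ip4`, `ip6` and `all` mechanisms with all four qualifiers; the record dictionary (standing in for a DNS TXT lookup), the domain names and the IP ranges (RFC 5737/3849 documentation space) are constructed placeholders, and mechanisms that need DNS lookups (`a`, `mx`, `include`, `exists`, `ptr`) are deliberately not implemented.

```python
"""Toy SPF evaluator (RFC 4408 ip4/ip6/all mechanisms only).

Added example, not code from the original thread. Domains, addresses and
IP ranges below are constructed placeholders; SAMPLE_RECORDS stands in for
the DNS TXT lookup a real receiver would perform.
"""
import ipaddress
import re

# Constructed sample TXT records keyed by MAIL FROM domain. 203.0.113.0/24
# and 2001:db8::/32 are documentation ranges standing in for the office's
# own global IPs; the domain names are placeholders, not real zones.
SAMPLE_RECORDS = {
    "mycompaniesdomain.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "needs-dns.example": "v=spf1 include:_spf.mailhost.example -all",
}

# optional qualifier, mechanism name, optional ":argument"
TERM_RE = re.compile(r"^(?P<qual>[+\-~?])?(?P<name>[a-z0-9]+)(?::(?P<arg>\S+))?$", re.I)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms.

    Returns None if the record is not an SPF record and raises ValueError
    for terms this toy parser cannot read (e.g. redirect= modifiers).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term}")
        parsed.append((m.group("qual") or "+", m.group("name").lower(), m.group("arg")))
    return parsed


def check_spf(sender_ip, mail_from, records):
    """Evaluate the connecting IP against the SPF record of the MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if mail_from in ("", "<>"):
        # Null sender, as used by NDRs: RFC 4408 says to evaluate the HELO
        # domain instead; that path is out of scope for this example.
        return "none"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in terms:
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6") and arg is not None:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip in net  # False when the address families differ
        else:
            # a, mx, include, exists, ptr need DNS lookups; not implemented
            # in this offline example, so report a permanent error.
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    # A forged "qdrivenkauz@..." message arriving from an IP outside the
    # published range is refused at SMTP time, so no NDR is sent back to us.
    for ip in ("203.0.113.25", "198.51.100.7"):
        print(ip, "->", check_spf(ip, "qdrivenkauz@mycompaniesdomain.example", SAMPLE_RECORDS))
```

The point of the `-all` at the end is what stops the backscatter: a receiver that evaluates SPF gets "fail" for the spammer's machines and can reject the message during the SMTP transaction, so it never accepts it and never generates the NDR that would otherwise land in the IMF archive. As the answer notes, that protection only exists on receivers that actually check SPF.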
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 18884031
This question can be closed, as I was informed not to give out points anymore if I wasn't provided with an answer.
0
