• Status: Solved
  • Priority: Medium
  • Security: Public

Why is email routed to the wrong recipient with McAfee & Exchange?

Hi,
I ran into an issue over the weekend.
Environment: Exchange 2003 server with McAfee GroupShield 6.0 as anti-spam.
Lots of users reported that they received many spams over the weekend.
No emails are scored in the Internet headers.
Further, according to the Internet headers, the recipient is userA@mycorp.com, but userB@mycorp.com gets it.
Q#1. Does anyone experience a similar problem with McAfee GroupShield 6.0?
Q#2. What is your overall experience with the McAfee solution? I am kind of losing confidence in it now.
Q#3. Why does userB receive userA's email? Is it because the 'To:' address is spoofed (meaning the actual recipient is still userB@mycorp.com)? Whose fault is this kind of mis-route, McAfee or Exchange? Can someone explain the architecture between McAfee & Exchange?
Thanks.
Asked: richtree
5 Solutions
 
SembeeCommented:
What you are seeing is the BCC trick.

Email comes in with a single email address in the To: line. The rest of the targets will be listed in the BCC field.
Users have not received another's email, and there is nothing wrong with either Exchange or your McAfee product.

Simon.
0
 
richtreeAuthor Commented:
Hi Simon,
Can you explain in more detail about the BCC trick?
Thanks.
0
 
SembeeCommented:
What more is there to explain? I thought my post above explains everything.

Simon.
0
 
richtreeAuthor Commented:
Hi Simon,
Maybe I confused you. Let me explain the situation in more detail. The following is the information that I copied from userB's Outlook (View - Options - Internet Headers). But please note that the 'To:' field is for userA, not userB.
Microsoft Mail Internet Headers Version 2.0
Received: from IOANA.0j8euu.org ([86.122.12.17]) by exch.myCorp.com with Microsoft SMTPSVC(6.0.3790.1830);
             Mon, 23 Jul 2007 07:26:46 -0400
Message-ID: <41990335216384.A5E57FC740@TQTR2L>
From: "Michel Marcum" <vttxtsgitkb@rrh-consulting.ch>
To: <userA@myCorp.com>
Subject: Relax and take the time
Date: Mon, 23 Jul 2007 14:26:47 +0300
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: 8iBXoaaSsjV4qn70XPerOFtzzvYpnTdkTTQx
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Return-Path: wxngbjcayit@rroar.de
X-OriginalArrivalTime: 23 Jul 2007 11:26:46.0914 (UTC) FILETIME=[5AC75620:01C7CD1C]

The above happened when McAfee GroupShield was not functioning properly (not filtering at all). After I called them up, they fixed it by resetting the GroupShield service.
Now back to my original Q#3: How does it happen? If userB is the real recipient, then why did I not see it anywhere in the headers? If userA is the real recipient, then how does the email end up with userB? Is it GroupShield's fault or Exchange's fault? All this confused me. I hope you understand my confusion.
Thanks.
0
 
SembeeCommented:
Do you know what BCC is?
Blind Carbon Copy. The recipient doesn't know that anyone else has been put in the BCC and there is nothing in the headers to show who else received a copy of a message that was BCC to other people.

Simon.
0
 
richtreeAuthor Commented:
I understand what BCC is.
Then why would spammers like this BCC trick? Is it easier to get through the spam filter, or easier to trick the recipient into opening the email?
0
 
SembeeCommented:
Spammers like the trick because they can put 2000 (or however many they like) email addresses into a single email message while not exposing their email list. They can also send a single message to your server for delivery and leave it to your server to split the message up.
It may also be easier to get through if the message was sent from and to a user at your domain, many people whitelist their own domain for various reasons.

Simon.
0
 
richtreeAuthor Commented:
I got it now.
Technically it should be possible to 'see' the list somewhere, maybe on the Exchange server. Can you show me how? One reason behind it is to find out if the BCC recipients are valid or invalid, so I can judge if the spammer really knows all our recipients or is just guessing.
0
 
SembeeCommented:
There is no way that you can see the BCC list. Otherwise there would be no point in having a BCC option. The only person who can see the BCC list is the sender.

Simon.
0
 
richtreeAuthor Commented:
Logically the server must know the BCC list, otherwise how does it know who it should send to? Is it because there is nowhere on the Exchange server to 'peek' into it?
0
 
SembeeCommented:
The server knows, but there is no way to see that information. It is known as the envelope originator, or just the envelope. That information is discarded by the server once the message has been delivered. It is not possible to see the BCC information.

Simon.
0
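The two points Simon makes above (the server receives one message and splits it per envelope recipient, and the envelope is discarded after delivery so nothing in the headers names the other recipients) can be illustrated with a small model of the SMTP exchange. This is an added example, not code from the thread or from Exchange/GroupShield. The message headers are constructed after the ones richtree pasted, the envelope recipient list is assumed, and the "Received:" stamp is a simplified stand-in for what a real MTA writes. The last function is the check a helpdesk can run on a user's copy to tell a BCC-delivered message from a genuinely mis-routed one.

```python
"""Envelope recipients vs. header recipients: why userB gets mail addressed To: userA.
Added example (constructed data); not the code of any product mentioned in the thread."""
from email.parser import Parser
from email.utils import getaddresses

# Constructed: the DATA part the sender transmits. Only userA is named in the headers.
# There is no Bcc header at all; the extra recipients exist only on the SMTP envelope.
RAW_MESSAGE = """\
From: "Michel Marcum" <vttxtsgitkb@rrh-consulting.ch>
To: <userA@myCorp.com>
Subject: Relax and take the time
Date: Mon, 23 Jul 2007 14:26:47 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

(message body)
"""

# Constructed (assumed): the envelope recipients, one RCPT TO command each.
ENVELOPE_RCPTS = ["userA@myCorp.com", "userB@myCorp.com", "userC@myCorp.com"]


def smtp_transcript(mail_from, rcpts, data):
    """Client side of the session. The recipient list travels in RCPT TO commands,
    which are part of the envelope, not part of the message headers sent after DATA."""
    lines = ["MAIL FROM:<%s>" % mail_from]
    lines += ["RCPT TO:<%s>" % r for r in rcpts]
    lines += ["DATA", data.rstrip("\n"), "."]
    return lines


def header_recipients(raw):
    """Addresses a recipient can actually see in their copy: To and Cc only.
    A Bcc header is never transmitted, so it cannot appear here."""
    msg = Parser().parsestr(raw)
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def deliver(raw, envelope_rcpts, received_by="exch.myCorp.com"):
    """Server side: one inbound message becomes one mailbox copy per envelope recipient.
    Each copy gets a (simplified, assumed) Received: stamp; the envelope list itself is
    not written into any copy and is dropped once delivery is done, as Simon describes."""
    mailboxes = {}
    for rcpt in envelope_rcpts:
        stamp = "Received: from sender by %s with SMTP\n" % received_by
        mailboxes[rcpt.lower()] = stamp + raw
    return mailboxes


def delivered_via_bcc(mailbox_owner, raw):
    """Helpdesk check on a user's copy: if the mailbox owner is not in To/Cc, the message
    reached them through the envelope alone, i.e. the BCC trick, not a routing fault."""
    return mailbox_owner.lower() not in header_recipients(raw)


if __name__ == "__main__":
    for line in smtp_transcript("wxngbjcayit@rroar.de", ENVELOPE_RCPTS, RAW_MESSAGE):
        print("C: " + line)
    copies = deliver(RAW_MESSAGE, ENVELOPE_RCPTS)
    for owner, copy in copies.items():
        print("%s: header recipients=%s bcc_delivery=%s"
              % (owner, sorted(header_recipients(copy)), delivered_via_bcc(owner, copy)))
```

One caveat worth knowing when applying the check to real mail: some MTAs (Postfix, for instance) append a "for <address>" clause to their Received: line when a message has a single envelope recipient, which does reveal that one address; the Exchange 2003 SMTPSVC line pasted above carries no such clause, so on that server the headers genuinely hold nothing about userB.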
 
richtreeAuthor Commented:
Thank you for sharing your knowledge.
0
