Strange Emails Reaching Account On MS Exchange 2003

Posted on 2007-10-10
Last Modified: 2010-04-20
Hi All
I have some strange email reaching one of our email accounts on MS Exchange 2003


Your message did not reach some or all of the intended recipients.

      Subject:      college-educated turn signal
      Sent:      9/9/2007 6:33 PM

The following recipient(s) could not be reached: on 10/10/2007 6:17 AM
            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
            < #5.4.7>

Now the thing is that I am 100% positive that our server is not open to relay..I did some tracking and concluded that the email above reached however we do not have an account named after that it was sent to the inbox of

The email looks like a bounced email however we do not have any account named that could have sent this email. I checked in the message tracking and that user "even if it does not exist" did never send an email. So is this just some sort of spam ??

The second thing I could not understand if this email reached why did was it stored in the mailbox of

Thx for any help

Question by:http://
    LVL 5

    Expert Comment

    It's probably a bounce-back from some kind of spam, as you suggest.

    My initial thought is that you've got some kind of catchall SMTP_event that forwards unresolved mail to

    Assuming (always a bad idea) that this is using the standard MS catchall script (unsupported, but widespread) it'll be called catchall.vbs (you'll need to search your exchange server for this).

    This document has basic details about it:
    LVL 19

    Author Comment

    Well you are right about me having the catchall script however it is forwarding unresolved mail to not

    Const strDestinationEmail = ";"
    LVL 19

    Author Comment

    As a note I do not have the script referenced in your link as that is the MS version. I do have another one called Exchange 2000/2003 Catchall Mailbox Script package
    The one on the MS site does catch all for a whole domain for deliverable and undeliverable emails. The one I have only does that for undeliverable emails
    LVL 5

    Expert Comment

    Does this mean that mail is getting from info@ourdomain -> manager@ourdomain in some kind of unexplained way, or is the mystery solved? (i.e. manager@ourdomain should be receiving that mail, because there is an alias)
    LVL 19

    Author Comment

    by:http:// is unexplained mainly the two things below

    1- Emails are sent to and reach the inbox of cant find an inbox called expertus neither can I find an alias called expertus "I did not setup this this server". Is there a way to search through the Exchange server and check for contacts and aliases ?

    2- The emails look like bounces, I am 100% positive that I do not have relay enabled I triple checked. So does that mean that this is some kind of nasty spam ?
    LVL 5

    Accepted Solution

    1. If you have a catchall for undeliverable emails and these bounces are addressed to an undeliverable address (i.e. then the catchall script will kick in and redirect the email.  It sounds to me like the address in the catchall ( is aliased to the managers mailbox (you can check this in AD Users & Computers).  Therefore, the path goes:

    a) Incoming Mail addressed to hits Exchange SMTP gateway.
    b) Catchall event adds to the recipient list
    c) Exchange delivers email addressed to to managers mailbox

    2. I think your domain has been spoofed by a spammer.  This means they've used your domain name in their SPAM (this doesn't require them to have compromised any servers, or relayed through your network, only to have falsified some headers).  There's not a lot that can be done about this, although some ISPs support the SPF standard ( ).  This is a DNS-based system for informing mail relaying servers about which originating machines may send mail on behalf of your domain.  Whilst it can be helpful, it won't prevent anything, because the standard is not widely adopted.  Still, every little bit helps!

    If you can't figure out how mail to gets to the address, you've got a 2nd mystery to investigate.  Keep me posted :o)

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    Email statistics and Mailbox database quotas You might have an interest in attaining information such as mailbox details, mailbox statistics and mailbox database details from Exchange server. At that point, knowing how to retrieve this information …
    Set OWA language and time zone in Exchange for individuals, all users or per database.
    To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
    how to add IIS SMTP to handle application/Scanner relays into office 365.

    732 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now