• Status: Solved

Strange Emails Reaching Account On MS Exchange 2003

Hi All
I have some strange email reaching one of our email accounts on MS Exchange 2003


Your message did not reach some or all of the intended recipients.

      Subject:      college-educated turn signal
      Sent:      9/9/2007 6:33 PM

The following recipient(s) could not be reached:

      ahaberstolz@dauria.demon.co.uk on 10/10/2007 6:17 AM
            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
            < punt-3.mail.demon.net #5.4.7>

Now the thing is that I am 100% positive that our server is not open to relay. I did some tracking and concluded that the email above reached expertus@ourdomain.com; however, we do not have an account named expertus@ourdomain.com. After that it was sent to the inbox of manager@ourdomain.com.

The email looks like a bounced email; however, we do not have any account named expertus@ourdomain.com that could have sent this email. I checked in the message tracking and that user, "even if it does not exist", never sent an email. So is this just some sort of spam?

The second thing I could not understand: if this email reached expertus@ourdomain.com, why was it stored in the mailbox of manager@ourdomain.com?

Thx for any help

1 Solution
It's probably a bounce-back from some kind of spam, as you suggest.

My initial thought is that you've got some kind of catchall SMTP_event that forwards unresolved mail to manager@ourdomain.com.

Assuming (always a bad idea) that this is using the standard MS catchall script (unsupported, but widespread), it'll be called catchall.vbs (you'll need to search your Exchange server for this).

This document has basic details about it:  http://support.microsoft.com/kb/324021
http:// thevpn.guru Author Commented:
Well, you are right about me having the catchall script; however, it is forwarding unresolved mail to info@ourdomain.com, not manager@ourdomain.com.

Const strDestinationEmail = "smtp:info@ourdomain.com;"
http:// thevpn.guru Author Commented:
As a note, I do not have the script referenced in your link, as that is the MS version. I do have another one called Exchange 2000/2003 Catchall Mailbox Script package.
The one on the MS site does catch-all for a whole domain for deliverable and undeliverable emails. The one I have only does that for undeliverable emails.
Does this mean that mail is getting from info@ourdomain -> manager@ourdomain in some kind of unexplained way, or is the mystery solved? (i.e. manager@ourdomain should be receiving that mail, because there is an alias)
http:// thevpn.guru Author Commented:
Well, it is unexplained, mainly the two things below:

1- Emails are sent to Expertus@mydomain.com and reach the inbox of manager@mydomain.com. I can't find an inbox called expertus, neither can I find an alias called expertus ("I did not set up this server"). Is there a way to search through the Exchange server and check for contacts and aliases?

2- The emails look like bounces. I am 100% positive that I do not have relay enabled; I triple checked. So does that mean that this is some kind of nasty spam?
1. If you have a catchall for undeliverable emails and these bounces are addressed to an undeliverable address (i.e. expertus@mydomain.com) then the catchall script will kick in and redirect the email.  It sounds to me like the address in the catchall (info@ourdomain.com) is aliased to the manager's mailbox (you can check this in AD Users & Computers).  Therefore, the path goes:

a) Incoming Mail addressed to expertus@mydomain.com hits Exchange SMTP gateway.
b) Catchall event adds info@mydomain.com to the recipient list
c) Exchange delivers email addressed to info@mydomain.com to manager's mailbox

2. I think your domain has been spoofed by a spammer.  This means they've used your domain name in their SPAM (this doesn't require them to have compromised any servers, or relayed through your network, only to have falsified some headers).  There's not a lot that can be done about this, although some ISPs support the SPF standard ( http://www.openspf.org/ ).  This is a DNS-based system for informing mail relaying servers about which originating machines may send mail on behalf of your domain.  Whilst it can be helpful, it won't prevent anything, because the standard is not widely adopted.  Still, every little bit helps!

If you can't figure out how mail to info@mydomain.com gets to the manager@mydomain.com address, you've got a 2nd mystery to investigate.  Keep me posted :o)
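The path a) to c) and the spoofing explanation in the answer above can be checked mechanically. The following is an added example, not code from the thread or from the catchall script: it parses a constructed RFC 3464 bounce and flags it when it is addressed to a sender that never existed. The directory contents (including the info -> manager alias), the sample message and its host names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed directory. The info -> manager alias is the answer's hypothesis.
MAILBOXES = {"manager@mydomain.com"}
ALIASES = {"info@mydomain.com": "manager@mydomain.com"}
CATCHALL = "info@mydomain.com"  # strDestinationEmail in the catchall script
# Constructed sample bounce in RFC 3464 layout (hosts are made up).
SAMPLE_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@relay.example
To: expertus@mydomain.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Could not deliver the message in the time limit specified.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; relay.example

Final-Recipient: rfc822; someone@remote.example
Action: failed
Status: 5.4.7

--b1--
"""

def triage(raw):
    msg = message_from_string(raw)
    # The To header stands in for the envelope recipient here (assumption).
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    is_bounce = (msg.get("Return-Path", "").strip() == "<>"
                 and msg.get_content_type() == "multipart/report"
                 and msg.get_param("report-type") == "delivery-status")
    status = None
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one header block per section
                status = block.get("Status", status)
    known = rcpt in MAILBOXES or rcpt in ALIASES
    routed = rcpt if known else CATCHALL      # step b: catchall kicks in
    delivered_to = ALIASES.get(routed, routed)  # step c: alias resolution
    # A bounce to an address that never existed cannot answer mail we sent.
    return {"status": status, "delivered_to": delivered_to,
            "forged_sender_backscatter": is_bounce and not known}
```

A `False` result for a bounce addressed to a real mailbox is undetermined rather than clean; message tracking still has to confirm whether that user sent the original.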
