SMTP log

Can I capture the original SMTP header information?
I am trying to resolve why my Exchange Server 2003 ever accepted some spam e-mails. Our notification is a failure message:

Your message did not reach some or all of the intended recipients.
      Subject:  NOTICE
      Sent:     4/10/2009 8:06 AM
The following recipient(s) could not be reached:
      6037702302@message.bam.com on 4/10/2009 8:07 AM
            The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.
            <smpcsbs2000.SMPC.smpcarch #5.4.0>
I have an Exchange Server 2003 S2; all of the delivery option filters are configured and enabled, and all are enabled on the SMTP virtual server.
All of the RIPE, APNIC, LACNIC, and AfriNIC allocations are blocked with the connection filter.
Additionally, the server is running Trend Micro Worry-Free Business Security.

Here are typical log entries from when this occurred:
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250

ThePlanet.com has this address in their allocation and responded with a request for header information, but I cannot find that for the original message.
FolknerComputingAsked:
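An added example, not code from anyone in this thread, that groups the log lines quoted above into SMTP transactions per client IP. It shows what the excerpt does and does not record: three DATA commands from 67.15.110.5 accepted within one second (the first belonging to a transaction that began before the excerpt), and no recipient addresses at all, because the posted lines carry only time, client IP, command, a "-" argument column and the status code. EXTENDED_LOG is constructed (its addresses are made up) so the same parser can be seen reading the argument column that, to my knowledge, IIS/Exchange 2003 W3C extended logging fills with +FROM:<...> and +TO:<...> when the URI Query field is enabled; that column is where the RCPT TO address, including a BCC'd local user, would appear.

```python
"""Group Exchange 2003 / IIS SMTP log lines into SMTP transactions per client.

Added example for this thread, not code from the original post.  SAMPLE_LOG is
the excerpt posted above.  EXTENDED_LOG is constructed (made-up addresses) in
the shape the log takes when the URI Query field is enabled: MAIL and RCPT then
carry +FROM:<...> / +TO:<...>, the only place the envelope recipient is recorded.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250
"""

# Constructed for illustration; not a real capture.
EXTENDED_LOG = """\
13:56:22 67.15.110.5 MAIL +FROM:<junk@smpcarch.com> 250
13:56:22 67.15.110.5 RCPT +TO:<engineers@yahoo.com> 250
13:56:22 67.15.110.5 RCPT +TO:<someone@smpcarch.com> 250
13:56:22 67.15.110.5 DATA - 250
"""

LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<ip>[\d.]+)\s+(?P<verb>[A-Z]{4})\s+"
                  r"(?P<arg>\S+)\s+(?P<status>\d{3})\s*$")
MAIL_ARG = re.compile(r"^\+FROM:<([^>]*)>$", re.I)
RCPT_ARG = re.compile(r"^\+TO:<([^>]*)>$", re.I)


def _new_tx(sender=None, mail_status=None, complete=False):
    return {"mail": sender, "mail_status": mail_status, "rcpt": [], "data": None,
            "complete": complete}


def parse_transactions(log):
    """Return {client_ip: [transaction, ...]} for every transaction closed by DATA.

    A transaction is MAIL, zero or more RCPT, then DATA.  'rcpt' holds
    (address_or_None, status) pairs; 'complete' is False when the excerpt
    started after the MAIL, as the first line of the posted log does.
    """
    open_tx = {}                   # client ip -> transaction in progress
    closed = defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # W3C header lines, or a field layout this parser does not know
        ip, verb, arg, status = m["ip"], m["verb"], m["arg"], m["status"]
        if verb == "MAIL":
            # MAIL starts a fresh transaction and discards any half-built one (RFC 5321 4.1.1.2)
            sender = MAIL_ARG.match(arg)
            open_tx[ip] = _new_tx(sender.group(1) if sender else None, status, complete=True)
        elif verb == "RCPT":
            to = RCPT_ARG.match(arg)
            open_tx.setdefault(ip, _new_tx())["rcpt"].append((to.group(1) if to else None, status))
        elif verb == "DATA":
            tx = open_tx.pop(ip, None) or _new_tx()   # DATA with no MAIL in view: partial
            tx["data"] = status
            closed[ip].append(tx)
        elif verb in ("RSET", "QUIT"):
            open_tx.pop(ip, None)  # abandons an unfinished transaction
    return dict(closed)


def summarize(transactions):
    """Per client: messages the server accepted (DATA 250), recipients it accepted
    (RCPT 250), transactions whose MAIL fell outside the excerpt, and every
    envelope recipient the log actually recorded."""
    out = {}
    for ip, txs in transactions.items():
        out[ip] = {
            "messages_accepted": sum(1 for t in txs if t["data"] == "250"),
            "recipients_accepted": sum(1 for t in txs for _, s in t["rcpt"] if s == "250"),
            "incomplete": sum(1 for t in txs if not t["complete"]),
            "recipients_known": sorted({a for t in txs for a, _ in t["rcpt"] if a}),
        }
    return out


if __name__ == "__main__":
    for name, log in (("posted excerpt", SAMPLE_LOG), ("with URI Query field", EXTENDED_LOG)):
        print(name, summarize(parse_transactions(log)))
```

Run against the posted excerpt this reports three messages accepted from one IP, two recipients accepted, one transaction begun before the excerpt, and an empty list of known recipients. To answer the question in the title from the log rather than from the headers, the URI Query field has to be enabled on the SMTP virtual server's W3C extended logging before the next incident; the MAIL and RCPT arguments it records are the envelope, which is exactly what the message headers omit.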
MesthaCommented:
Correct. Very common spammers' trick. They put a single address in the To line and the rest in the BCC line.
Most spam I see will not have the recipient in the headers because they were in the BCC.

Simon.
 
StefanKittelCommented:
Hello,

With Wireshark you can capture all SMTP traffic:
http://www.wireshark.org/

Stefan
 
MesthaCommented:
Do you know what address the message was sent to? Was it a valid address in your domain?

You need to see the original message, which the logs will not show. If you have just seen the NDR then it is one of three things:

- an NDR attack
- a relay (either open relay, authenticated relay or relay by IP address)
- an out of office message.

If the message has gone through a user's account then you would see that in message tracking.
How did you get the NDR? Do you have your SMTP server set to deliver a copy of the NDRs to another account? If so, then given the message, you are actually causing backscatter and I would have to doubt whether the recipient filter is working correctly. It isn't clear from what you have posted what is valid and what is not.

Simon.
 
FolknerComputingAuthor Commented:
I believe I am getting these as NDRs. I am not sending outbound NDRs. You touched on the issue I am trying to determine: to what address was the original incoming message sent?
 
MesthaCommented:
As I have already asked, how did you get the NDR?
Was it sent to you by another user, did it just appear in your mailbox? Does your mailbox hold the postmaster@ email address or has it been set to receive a copy of the NDRs?

Simon.
 
FolknerComputingAuthor Commented:
The NDRs arrive in some end user's mailbox or are sent to a catch-all mailbox. What is puzzling me is why the Exchange server ever accepts the message for processing.

here is an example:

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.18699442@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:52 -0600
MIME-Version: 1.0
Content-Type: multipart/report;
      report-type=delivery-status;
      boundary="----_=_NextPart_001_01C9BC41.18699442"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:dsn
Subject: Undeliverable: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:52 -0600
Message-ID: <IvhXJ4dEr0000160c@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWwAAAAAH
From: "System Administrator" <postmaster@smpcarch.com>
To: "junk" <junk@smpcarch.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C9BC41.18699442
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your message

  To:      engineers@yahoo.com
  Subject: GOOGLE ADWORDS
  Sent:    Mon, 13 Apr 2009 08:06:49 -0600

did not reach the following recipient(s):

engineers@yahoo.com on Mon, 13 Apr 2009 08:06:52 -0600
    There was a SMTP communication problem with the recipient's email
server.  Please contact your system administrator.
    <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This
user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] -
mta142.mail.re4.yahoo.com>

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

Reporting-MTA: dns; smpcsbs2000.smpc.smpcarch

Final-Recipient: RFC822; engineers@yahoo.com
Action: failed
Status: 5.5.0
X-Supplementary-Info: <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] - mta142.mail.re4.yahoo.com>
X-Display-Name: engineers@yahoo.com

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.164FE280@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:49 -0600
MIME-Version: 1.0
Content-Type: text/html;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:49 -0600
Message-ID: <SMPCSBS2000gpcYjS8T00008cb2@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWw==
From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>


<html>
<body>
<table border=3D"0" width=3D"45%" height=3D"227">
  <tr>
    <td width=3D"100%" height=3D"221" valign=3D"top"><span =
class=3D"treb">&nbsp;<img border=3D"0" =
src=3D"http://valleywebsitehosting.com/gadland/images/new_logo.gif" =
width=3D"150" height=3D"58"></span><p><span class=3D"treb">Dear=20
      Client,<br>
      <br>
      Your Google Adwords account has expired. You must renew it =
immediately or your
      account will be closed. If you intend to use this service in the =
future,
      you must take action at once!<br>
      <br>
      To continue <a =
href=3D"http://valleywebsitehosting.com/gadland/Log-on.htm">click
      here</a>, login to your Google Adwords account and follow the =
steps.<br>
      <br>
      Thank you for using Google Adwords!<br>
      &nbsp;</span></p>
      <p><span class=3D"treb">COPYRIGHTS GOOGLE ADWORDS SERVICES (C) =
2009</span></p></td>
  </tr>
</table>
</body>
</html>




------_=_NextPart_001_01C9BC41.18699442--
 
MesthaCommented:
The fact that you are using a catch all means that all email addresses at your domain are valid. That is a bad idea, ideally you should be using recipient filtering.

If you are getting NDRs from spam, which it looks like you are, then your domain is being used for spoofing. Not really a lot you can do about that. Some will suggest SPF records and the like, but I find they make close to zero difference.

The reason your server accepted the messages is because it has to. If you attempt to stop NDRs from being delivered to your server then you will get blacklisted.

It isn't accepting the spam, it is accepting the NDR.

Simon.
 
FolknerComputingAuthor Commented:
I am using recipient filtering to "Filter recipients who are not in the directory", but I still do not see why my server ever accepted a message addressed as:

From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>

 
MesthaCommented:
The headers don't show everything. A common spammers' trick is to put addresses in the BCC field. You cannot see those in the headers.

Simon.
 
FolknerComputingAuthor Commented:
So if I am reading this correctly, somewhere in a BCC would be the e-mail address of one of my users, so the Exchange server accepts the e-mail for further processing.
 
MesthaCommented:
Remember - it's spam. That means the headers are likely to be a work of fiction and cannot be trusted.

Simon.
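An added example, not code from anyone in this thread, that parses the NDR FolknerComputing posted above (abridged: the HTML body, Date and X- headers are cut) and separates what a bounce can tell you from what it cannot. The bounce's own To: is the address Exchange returned it to, which is the envelope sender (MAIL FROM) of the failed message; the message/delivery-status part names the reporting MTA, the failed recipient and the status code; the message/rfc822 part is the failed message's header block. Nothing in any of the three is the RCPT TO address the server accepted the message for, which is Mestha's point: a recipient given only in BCC never appears in the headers. The local_addresses check makes that concrete for this NDR: the only smpcarch.com address anywhere in the report is the spoofed junk@smpcarch.com the bounce came back to.

```python
"""Split an Exchange 2003 NDR (an RFC 3464 DSN) into what it can and cannot tell you.

Added example for this thread, not code from any of the posts.  SAMPLE_DSN is
abridged from the NDR posted above (HTML body, Date and X- headers cut).
"""
from email import message_from_string, policy

SAMPLE_DSN = """\
Content-Type: multipart/report; report-type=delivery-status;
    boundary="----_=_NextPart_001_01C9BC41.18699442"
Subject: Undeliverable: GOOGLE ADWORDS
Message-ID: <IvhXJ4dEr0000160c@smpcsbs2000.SMPC.smpcarch>
From: "System Administrator" <postmaster@smpcarch.com>
To: "junk" <junk@smpcarch.com>

------_=_NextPart_001_01C9BC41.18699442
Content-Type: text/plain; charset="iso-8859-1"

Your message
  To:      engineers@yahoo.com
  Subject: GOOGLE ADWORDS
did not reach the following recipient(s):
engineers@yahoo.com on Mon, 13 Apr 2009 08:06:52 -0600

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/delivery-status

Reporting-MTA: dns; smpcsbs2000.smpc.smpcarch

Final-Recipient: RFC822; engineers@yahoo.com
Action: failed
Status: 5.5.0
X-Display-Name: engineers@yahoo.com

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/rfc822

Received: by smpcsbs2000.smpc.smpcarch
    id <01C9BC41.164FE280@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:49 -0600
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: GOOGLE ADWORDS
Message-ID: <SMPCSBS2000gpcYjS8T00008cb2@smpcsbs2000.SMPC.smpcarch>
From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>

<html><body>Your Google Adwords account has expired.</body></html>

------_=_NextPart_001_01C9BC41.18699442--
"""


def _addrs(header):
    """Address header -> bare addr-specs; [] when the header is absent."""
    return [a.addr_spec for a in header.addresses] if header is not None else []


def _field(block, name):
    """'Final-Recipient: RFC822; u@h' -> 'u@h'; fields without a type prefix unchanged."""
    value = str(block[name]).strip()
    return value.split(";", 1)[1].strip() if ";" in value else value


def parse_dsn(raw):
    """Three layers: the bounce (its To: is the failed message's MAIL FROM, i.e. the
    spoofed envelope sender), the per-recipient status blocks, and the failed
    message's header block.  The RCPT TO the server accepted is in none of them."""
    msg = message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        raise ValueError("not a delivery-status report")
    report = {"bounce_delivered_to": _addrs(msg["To"]),
              "reporting_mta": None, "recipients": [], "original": None}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            blocks = part.get_payload()        # per-message block, then one per recipient
            report["reporting_mta"] = _field(blocks[0], "Reporting-MTA")
            for blk in blocks[1:]:
                report["recipients"].append({"address": _field(blk, "Final-Recipient"),
                                             "action": _field(blk, "Action"),
                                             "status": _field(blk, "Status")})
        elif ctype == "message/rfc822":
            orig = part.get_payload(0)         # the failed message itself
            report["original"] = {"from": _addrs(orig["From"]), "to": _addrs(orig["To"]),
                                  "cc": _addrs(orig["Cc"]),   # Bcc never survives into headers
                                  "subject": str(orig["Subject"]),
                                  "message_id": str(orig["Message-ID"]).strip()}
    return report


def local_addresses(report, domain):
    """Every address in the report that belongs to `domain`, tagged with where it sat.
    For the sample the only hit is the spoofed sender the bounce went back to."""
    orig = report["original"] or {"from": [], "to": [], "cc": []}
    roles = (("bounce_delivered_to", report["bounce_delivered_to"]),
             ("original_from", orig["from"]), ("original_to", orig["to"]),
             ("original_cc", orig["cc"]),
             ("final_recipient", [r["address"] for r in report["recipients"]]))
    suffix = "@" + domain.lower()
    return [(role, a) for role, addrs in roles for a in addrs if a.lower().endswith(suffix)]
```

For this NDR, parse_dsn returns junk@smpcarch.com as the address the bounce was delivered to, engineers@yahoo.com as both the failed recipient and the original To:, and no Cc at all; local_addresses(report, "smpcarch.com") finds only the spoofed sender. Both the Received: line and the Message-ID of the failed message name smpcsbs2000 itself, so the recipient the server actually accepted the message for is recorded only on the server side, in message tracking or the SMTP protocol log, as Mestha says, and never in the bounce.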