Solved

SMTP log

Posted on 2009-04-10
Last Modified: 2012-05-06
Can I capture the original SMTP header information?
I am trying to resolve why my Exchange Server 2003 ever accepted some spam e-mails. Our notification is a failure message:

Your message did not reach some or all of the intended recipients.
      Subject:  NOTICE
      Sent:     4/10/2009 8:06 AM
The following recipient(s) could not be reached:
      6037702302@message.bam.com on 4/10/2009 8:07 AM
            The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.
            <smpcsbs2000.SMPC.smpcarch #5.4.0>
I have an Exchange Server 2003 S2; all of the delivery option filters are configured and enabled, and all are enabled on the SMTP virtual server.
All of the RIPE, APNIC, LACNIC, and AfriNIC allocations are blocked with the connection filter.
Additionally, the server is running Trend Micro Worry-Free Business Security.

Here are typical log entries when this occurred:
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250

ThePlanet.com has this address in their allocation and responded with a request for header information, but I cannot find that for the original message.
Question by:FolknerComputing
11 Comments
 
LVL 4

Expert Comment

by:StefanKittel
ID: 24118732
Hello,

With Wireshark you can capture all SMTP traffic:
http://www.wireshark.org/

Stefan
LVL 65

Expert Comment

by:Mestha
ID: 24119858
Do you know what address the message was sent to? Was it a valid address in your domain?

You need to see the original message, which the logs will not show. If you have just seen the NDR then it is one of three things:

- an NDR attack
- a relay (either open relay, authenticated relay or relay by IP address)
- an out of office message.

If the message has gone through a user's account then you would see that in message tracking.
How did you get the NDR? Do you have your SMTP server set to deliver a copy of the NDRs to another account? If so, then given the message you are actually causing back scatter and I would have to doubt if the recipient filter is working correctly. It isn't clear from what you have posted what is valid and what is not.

Simon.

Author Comment

by:FolknerComputing
ID: 24120203
I believe I am getting these as NDRs. I am not sending outbound NDRs. You touched on the issue I am trying to determine: to what address was the original incoming message sent?
LVL 65

Expert Comment

by:Mestha
ID: 24125911
As I have already asked, how did you get the NDR?
Was it sent to you by another user, did it just appear in your mailbox? Does your mailbox hold the postmaster@ email address or has it been set to receive a copy of the NDRs?

Simon.

Author Comment

by:FolknerComputing
ID: 24131014
The NDRs arrive in some end user's mailbox or are sent to a catch-all mailbox. What is puzzling me is why the Exchange server ever accepts the message for processing.

Here is an example:

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.18699442@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:52 -0600
MIME-Version: 1.0
Content-Type: multipart/report;
      report-type=delivery-status;
      boundary="----_=_NextPart_001_01C9BC41.18699442"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:dsn
Subject: Undeliverable: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:52 -0600
Message-ID: <IvhXJ4dEr0000160c@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWwAAAAAH
From: "System Administrator" <postmaster@smpcarch.com>
To: "junk" <junk@smpcarch.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C9BC41.18699442
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your message

  To:      engineers@yahoo.com
  Subject: GOOGLE ADWORDS
  Sent:    Mon, 13 Apr 2009 08:06:49 -0600

did not reach the following recipient(s):

engineers@yahoo.com on Mon, 13 Apr 2009 08:06:52 -0600
    There was a SMTP communication problem with the recipient's email
server.  Please contact your system administrator.
    <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This
user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] -
mta142.mail.re4.yahoo.com>

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

Reporting-MTA: dns; smpcsbs2000.smpc.smpcarch

Final-Recipient: RFC822; engineers@yahoo.com
Action: failed
Status: 5.5.0
X-Supplementary-Info: <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] - mta142.mail.re4.yahoo.com>
X-Display-Name: engineers@yahoo.com

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.164FE280@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:49 -0600
MIME-Version: 1.0
Content-Type: text/html;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:49 -0600
Message-ID: <SMPCSBS2000gpcYjS8T00008cb2@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWw==
From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>


<html>
<body>
<table border=3D"0" width=3D"45%" height=3D"227">
  <tr>
    <td width=3D"100%" height=3D"221" valign=3D"top"><span =
class=3D"treb">&nbsp;<img border=3D"0" =
src=3D"http://valleywebsitehosting.com/gadland/images/new_logo.gif" =
width=3D"150" height=3D"58"></span><p><span class=3D"treb">Dear=20
      Client,<br>
      <br>
      Your Google Adwords account has expired. You must renew it =
immediately or your
      account will be closed. If you intend to use this service in the =
future,
      you must take action at once!<br>
      <br>
      To continue <a =
href=3D"http://valleywebsitehosting.com/gadland/Log-on.htm">click
      here</a>, login to your Google Adwords account and follow the =
steps.<br>
      <br>
      Thank you for using Google Adwords!<br>
      &nbsp;</span></p>
      <p><span class=3D"treb">COPYRIGHTS GOOGLE ADWORDS SERVICES (C) =
2009</span></p></td>
  </tr>
</table>
</body>
</html>




------_=_NextPart_001_01C9BC41.18699442--
LVL 65

Expert Comment

by:Mestha
ID: 24133714
The fact that you are using a catch all means that all email addresses at your domain are valid. That is a bad idea, ideally you should be using recipient filtering.

If you are getting NDRs from spam, which it looks like you are, then your domain is being used for spoofing. Not really a lot you can do about that. Some will suggest SPF records and the like, but I find they make close to zero difference.

The reason your server accepted the messages is because it has to. If you attempt to stop NDRs from being delivered to your server then you will get blacklisted.

It isn't accepting the spam, it is accepting the NDR.

Simon.
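Simon's distinction between rejecting an unknown recipient at RCPT TO and accepting everything through a catch-all, as an added example that is not code from this thread and not Exchange's own logic: a small Python simulation of the inbound decision and of what the server is left having to do with anything it accepted. The domain, the directory of real mailboxes, the catch-all mailbox and the forged sender address are all constructed.

```python
"""Recipient filtering versus catch-all at RCPT TO, and where backscatter comes from.

Added example, not code from this thread and not Exchange's own logic.  It
simulates the decision an inbound SMTP server makes for each RCPT TO and
what it has to do afterwards with anything it accepted.  The domain, the
directory of real mailboxes and every address below are constructed.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.test"                              # constructed
DIRECTORY = {"alice@example.test", "bob@example.test"}     # constructed
CATCH_ALL_MAILBOX = "junk@example.test"                    # constructed


@dataclass
class SessionResult:
    rcpt_replies: list = field(default_factory=list)  # (address, SMTP reply)
    queued: list = field(default_factory=list)        # accepted at RCPT TO
    delivered_to: list = field(default_factory=list)  # mailboxes that got the message
    ndr_targets: list = field(default_factory=list)   # MAIL FROM addresses we bounce to


def rcpt_to(address, recipient_filter, catch_all):
    """SMTP reply to RCPT TO:<address> on an unauthenticated inbound session."""
    if address.rpartition("@")[2].lower() != LOCAL_DOMAIN:
        return "550 5.7.1 Unable to relay"          # not our domain: never relay
    if address.lower() in DIRECTORY:
        return "250 2.1.5 Recipient OK"
    if recipient_filter and not catch_all:
        # Unknown local-part rejected before DATA: nothing is accepted, so
        # nothing ever needs to be bounced.
        return "550 5.1.1 User unknown"
    # A catch-all makes every local-part "valid", which defeats the filter.
    return "250 2.1.5 Recipient OK"


def inbound_session(mail_from, recipients, recipient_filter, catch_all):
    """One simulated session: envelope decisions, then post-DATA consequences."""
    result = SessionResult()
    for addr in recipients:
        reply = rcpt_to(addr, recipient_filter, catch_all)
        result.rcpt_replies.append((addr, reply))
        if reply.startswith("250"):
            result.queued.append(addr)
    # Once the server has answered 250 to DATA it owns the message and can
    # only deliver it or report failure to MAIL FROM.  When MAIL FROM is
    # forged, that report is backscatter sent to an uninvolved third party.
    for addr in result.queued:
        if addr.lower() in DIRECTORY:
            result.delivered_to.append(addr)
        elif catch_all:
            result.delivered_to.append(CATCH_ALL_MAILBOX)
        elif mail_from not in result.ndr_targets:
            result.ndr_targets.append(mail_from)
    return result


if __name__ == "__main__":
    forged = "victim@innocent.test"                           # constructed forged MAIL FROM
    rcpts = ["bob@example.test", "engineers@example.test"]    # second mailbox does not exist
    for rf, ca in ((False, False), (True, False), (True, True)):
        r = inbound_session(forged, rcpts, rf, ca)
        print(f"filter={rf} catch_all={ca}: delivered={r.delivered_to} ndr_to={r.ndr_targets}")
```

Run stand-alone it prints the three configurations side by side: with neither filter nor catch-all the unknown recipient is accepted and then bounced to the forged sender; with the filter it is refused at RCPT TO and nothing is bounced; with a catch-all the same spam is accepted and lands in the catch-all mailbox, which is the situation described in the question.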

Author Comment

by:FolknerComputing
ID: 24133953
I am using recipient filtering to "Filter recipients who are not in the directory", but I still do not see why my server ever accepted a message addressed as:

From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>

LVL 65

Expert Comment

by:Mestha
ID: 24134018
The headers don't show everything. A common spammers' trick is to put addresses in the BCC field. You cannot see those in the headers.

Simon.

Author Comment

by:FolknerComputing
ID: 24134132
So if I am reading this correctly, somewhere in a BCC would be the e-mail address of one of my users, so the Exchange server accepts the e-mail for further processing.
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24137502
Correct. Very common spammers' trick. They put a single address in the To line and the rest in the BCC line.
Most spam I see will not have the recipient in the headers because they were in the BCC.

Simon.
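The accepted answer's point, that the local recipient was in the SMTP envelope only and therefore does not appear in the returned headers, can be checked mechanically on a bounce. The following is an added example, not code from this thread: a Python triage script that parses a multipart/report NDR with the standard library, pulls out the delivery-status fields and the headers of the returned original, and flags a bounce whose original shows no address of ours in To/Cc and whose NDR went to a mailbox other than the visible author. The DSN text, domains and addresses are constructed; only the layout mirrors the NDR quoted earlier in the thread.

```python
"""Triage of a non-delivery report (DSN).

Added example, not code from this thread.  It parses a multipart/report
bounce with the standard library, extracts the delivery-status fields and
the headers of the returned original, and checks whether any address in our
domain is visible in that original's To/Cc.  All addresses and domains below
are constructed; the layout mirrors the NDR quoted in the thread.
"""
import email
from email import policy
from email.utils import getaddresses

LOCAL_DOMAINS = {"example.test"}                           # constructed

SAMPLE_DSN = """\
Content-Type: multipart/report; report-type=delivery-status;
      boundary="----_=_NextPart_001_CONSTRUCTED"
Subject: Undeliverable: GOOGLE ADWORDS
From: "System Administrator" <postmaster@example.test>
To: "junk" <junk@example.test>

This is a multi-part message in MIME format.

------_=_NextPart_001_CONSTRUCTED
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.test

Final-Recipient: RFC822; engineers@yahoo.test
Action: failed
Status: 5.5.0

------_=_NextPart_001_CONSTRUCTED
Content-Type: message/rfc822

Subject: GOOGLE ADWORDS
From: "GOOGLE SERVICES" <center.support@spammer.test>
To: <engineers@yahoo.test>
Content-Type: text/plain; charset="iso-8859-1"

Your Google Adwords account has expired, renew it immediately.

------_=_NextPart_001_CONSTRUCTED--
"""


def _addresses(msg, name):
    """Lower-cased addresses from every instance of header `name`."""
    return [a.lower() for _, a in getaddresses([str(v) for v in msg.get_all(name, [])])]


def _after_type(value):
    # "RFC822; user@host" or "dns; host"  ->  the value after the type tag
    return str(value).split(";", 1)[-1].strip()


def parse_dsn(raw):
    """Collect the facts a bounce actually carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    facts = {
        "is_dsn": (msg.get_content_type() == "multipart/report"
                   and (msg.get_param("report-type") or "").lower() == "delivery-status"),
        "dsn_addressed_to": _addresses(msg, "To"),
        "reporting_mta": None,
        "failed": [],                        # (final recipient, action, status)
        "original_from": [],
        "original_visible_recipients": [],   # To + Cc of the returned original
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                if block["Reporting-MTA"] is not None:
                    facts["reporting_mta"] = _after_type(block["Reporting-MTA"])
                if block["Final-Recipient"] is not None:
                    facts["failed"].append((_after_type(block["Final-Recipient"]),
                                            str(block["Action"] or "").strip(),
                                            str(block["Status"] or "").strip()))
        elif ctype == "message/rfc822":
            original = part.get_payload(0)   # the returned original message
            facts["original_from"] = _addresses(original, "From")
            facts["original_visible_recipients"] = (_addresses(original, "To")
                                                    + _addresses(original, "Cc"))
    return facts


def triage(facts):
    """Tags a defender can act on, derived only from what the bounce contains."""
    if not facts["is_dsn"]:
        return ["not-a-dsn"]
    tags = ["dsn"]
    visible_local = [a for a in facts["original_visible_recipients"]
                     if a.rpartition("@")[2] in LOCAL_DOMAINS]
    if not visible_local:
        # Our server handled the message, yet no address of ours is in To/Cc:
        # the local recipient can only have been in the SMTP envelope (Bcc).
        tags.append("local-recipient-only-in-envelope")
    if not set(facts["dsn_addressed_to"]) & set(facts["original_from"]):
        # The NDR landed somewhere other than the visible author, so the
        # From header of the original cannot be taken as the real sender.
        tags.append("ndr-target-differs-from-header-from")
    return tags
```

Calling `triage(parse_dsn(SAMPLE_DSN))` on the constructed bounce yields the `dsn`, `local-recipient-only-in-envelope` and `ndr-target-differs-from-header-from` tags; the script deliberately reports nothing about who the real sender or envelope recipient was, because a bounce does not carry that information, which is the thread's conclusion. The SMTP protocol log (RCPT TO) or a capture of the session is where the envelope recipient would have to come from.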
LVL 65

Expert Comment

by:Mestha
ID: 24137506
Remember, it's spam. That means the headers are likely to be a work of fiction and cannot be trusted.

Simon.