SMTP log

Posted on 2009-04-10
Last Modified: 2012-05-06
Can I capture the original SMTP header information?
I am trying to resolve why my Exchange Server 2003 ever accepted some spam e-mails. Our notification is a failure message:

Your message did not reach some or all of the intended recipients.
      Subject:  NOTICE
      Sent:     4/10/2009 8:06 AM
The following recipient(s) could not be reached:
      6037702302@message.bam.com on 4/10/2009 8:07 AM
            The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.
            <smpcsbs2000.SMPC.smpcarch #5.4.0>
I have an Exchange Server 2003 S2; all of the delivery option filters are configured and enabled, and all are enabled on the SMTP virtual server.
All of the RIPE, APNIC, LACNIC, and AfriNIC allocations are blocked with the connection filter.
Additionally, the server is running Trend Micro Worry-Free Business Security.

Here are typical log entries from when this occurred:
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250

ThePlanet.com has this address in their allocation and responded with a request for header information, but I cannot find that for the original message.
Question by:FolknerComputing
11 Comments
 
LVL 4

Expert Comment

by:StefanKittel
ID: 24118732
hello,

with wireshark you can capture all smtp traffic
http://www.wireshark.org/

Stefan
 
LVL 65

Expert Comment

by:Mestha
ID: 24119858
Do you know what address the message was sent to? Was it a valid address in your domain?

You need to see the original message, which the logs will not show. If you have just seen the NDR then it is one of three things:

- an NDR attack
- a relay (either open relay, authenticated relay or relay by IP address)
- an out of office message.

If the message has gone through a user's account then you would see that in message tracking.
How did you get the NDR? Do you have your SMTP server set to deliver a copy of the NDRs to another account? If so, then given the message you are actually causing backscatter, and I would have to doubt if the recipient filter is working correctly. It isn't clear from what you have posted what is valid and what is not.

Simon.
 

Author Comment

by:FolknerComputing
ID: 24120203
I believe I am getting these as NDRs. I am not sending outbound NDRs. You touched on the issue I am trying to determine: to what address was the original incoming message sent?
 
LVL 65

Expert Comment

by:Mestha
ID: 24125911
As I have already asked, how did you get the NDR?
Was it sent to you by another user, did it just appear in your mailbox? Does your mailbox hold the postmaster@ email address or has it been set to receive a copy of the NDRs?

Simon.
 

Author Comment

by:FolknerComputing
ID: 24131014
The NDRs arrive in some end user's mailbox or are sent to a catch-all mailbox. What is puzzling me is why the Exchange server ever accepts the message for processing.

Here is an example:

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.18699442@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:52 -0600
MIME-Version: 1.0
Content-Type: multipart/report;
      report-type=delivery-status;
      boundary="----_=_NextPart_001_01C9BC41.18699442"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:dsn
Subject: Undeliverable: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:52 -0600
Message-ID: <IvhXJ4dEr0000160c@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWwAAAAAH
From: "System Administrator" <postmaster@smpcarch.com>
To: "junk" <junk@smpcarch.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C9BC41.18699442
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your message

  To:      engineers@yahoo.com
  Subject: GOOGLE ADWORDS
  Sent:    Mon, 13 Apr 2009 08:06:49 -0600

did not reach the following recipient(s):

engineers@yahoo.com on Mon, 13 Apr 2009 08:06:52 -0600
    There was a SMTP communication problem with the recipient's email
server.  Please contact your system administrator.
    <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This
user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] -
mta142.mail.re4.yahoo.com>

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

Reporting-MTA: dns; smpcsbs2000.smpc.smpcarch

Final-Recipient: RFC822; engineers@yahoo.com
Action: failed
Status: 5.5.0
X-Supplementary-Info: <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] - mta142.mail.re4.yahoo.com>
X-Display-Name: engineers@yahoo.com

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.164FE280@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:49 -0600
MIME-Version: 1.0
Content-Type: text/html;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:49 -0600
Message-ID: <SMPCSBS2000gpcYjS8T00008cb2@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWw==
From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>


<html>
<body>
<table border=3D"0" width=3D"45%" height=3D"227">
  <tr>
    <td width=3D"100%" height=3D"221" valign=3D"top"><span =
class=3D"treb">&nbsp;<img border=3D"0" =
src=3D"http://valleywebsitehosting.com/gadland/images/new_logo.gif" =
width=3D"150" height=3D"58"></span><p><span class=3D"treb">Dear=20
      Client,<br>
      <br>
      Your Google Adwords account has expired. You must renew it =
immediately or your
      account will be closed. If you intend to use this service in the =
future,
      you must take action at once!<br>
      <br>
      To continue <a =
href=3D"http://valleywebsitehosting.com/gadland/Log-on.htm">click
      here</a>, login to your Google Adwords account and follow the =
steps.<br>
      <br>
      Thank you for using Google Adwords!<br>
      &nbsp;</span></p>
      <p><span class=3D"treb">COPYRIGHTS GOOGLE ADWORDS SERVICES (C) =
2009</span></p></td>
  </tr>
</table>
</body>
</html>




------_=_NextPart_001_01C9BC41.18699442--
 
LVL 65

Expert Comment

by:Mestha
ID: 24133714
The fact that you are using a catch-all means that all email addresses at your domain are valid. That is a bad idea; ideally you should be using recipient filtering.

If you are getting NDRs from spam, which it looks like you are, then your domain is being used for spoofing. Not really a lot you can do about that. Some will suggest SPF records and the like, but I find they make close to zero difference.

The reason your server accepted the messages is because it has to. If you attempt to stop NDRs from being delivered to your server then you will get blacklisted.

It isn't accepting the spam, it is accepting the NDR.

Simon.
 

Author Comment

by:FolknerComputing
ID: 24133953
I am using recipient filtering to "Filter recipients who are not in the directory", but I still do not see why my server ever accepted a message addressed as:

From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>

 
LVL 65

Expert Comment

by:Mestha
ID: 24134018
The headers don't show everything. A common spammers trick is to put addresses in the BCC field. You cannot see those in the headers.

Simon.
 

Author Comment

by:FolknerComputing
ID: 24134132
So if I am reading this correctly, somewhere in a BCC would be the e-mail address of one of my users, so the Exchange server accepts the e-mail for further processing.
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24137502
Correct. Very common spammers trick. They put a single address in the To line and the rest in the BCC line.
Most spam I see will not have the recipient in the headers because they were in the BCC.

Simon.
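The point of the accepted answer is that a receiving server accepts or rejects a message on the SMTP envelope (the RCPT TO commands), not on the To: header inside the message, so a "BCC" recipient simply never appears in the headers the NDR later quotes. The following added example (not code from the thread or from Exchange) parses a constructed SMTP session transcript and lists the envelope recipients that are missing from the visible headers; all addresses in it are placeholders.

```python
"""Compare SMTP envelope recipients with the recipients visible in headers.

Constructed example, not from the original thread. The session below names
one address in the To: header but hands the server a second, local mailbox
only via RCPT TO, which is exactly the pattern the thread describes.
"""
import email
from email.utils import getaddresses

# Constructed client-side transcript; every address here is a placeholder.
SESSION = """\
MAIL FROM:<center.support@sender.example>
RCPT TO:<engineers@example.net>
RCPT TO:<someuser@example.com>
DATA
From: "GOOGLE SERVICES" <center.support@sender.example>
To: <engineers@example.net>
Subject: GOOGLE ADWORDS

Your account has expired.
.
"""


def parse_session(transcript):
    """Return (envelope_recipients, parsed_message) from a transcript."""
    lines = transcript.splitlines()
    envelope, body_start = [], None
    for i, line in enumerate(lines):
        if line.upper().startswith("RCPT TO:"):
            envelope.append(line.split(":", 1)[1].strip().strip("<>").lower())
        elif line.upper() == "DATA":
            body_start = i + 1
            break
    if body_start is None:
        raise ValueError("no DATA command in transcript")
    data_lines = []
    for line in lines[body_start:]:
        if line == ".":          # lone dot terminates the DATA phase
            break
        data_lines.append(line)
    return envelope, email.message_from_string("\n".join(data_lines) + "\n")


def header_recipients(msg):
    """Addresses visible in To:/Cc: (Bcc: is normally stripped in transit)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def hidden_recipients(transcript):
    """Envelope recipients that do not appear in any visible header."""
    envelope, msg = parse_session(transcript)
    visible = set(header_recipients(msg))
    return [rcpt for rcpt in envelope if rcpt not in visible]
```

Run against the constructed session, hidden_recipients reports only the local placeholder mailbox, which is the address recipient filtering actually evaluated and the one a protocol log (the RCPT lines in the question) would show.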
 
LVL 65

Expert Comment

by:Mestha
ID: 24137506
Remember - it's spam. That means the headers are likely to be a work of fiction and cannot be trusted.

Simon.