Solved

SMTP log

Posted on 2009-04-10
1,165 Views
Last Modified: 2012-05-06
Can I capture the original SMTP header information?
I am trying to resolve why my Exchange Server 2003 ever accepted some spam e-mails. Our notification is a failure message:

Your message did not reach some or all of the intended recipients.
      Subject:  NOTICE
      Sent:     4/10/2009 8:06 AM
The following recipient(s) could not be reached:
      6037702302@message.bam.com on 4/10/2009 8:07 AM
            The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator.
            <smpcsbs2000.SMPC.smpcarch #5.4.0>
I have an Exchange Server 2003 S2; all of the delivery option filters are configured and enabled, and all are enabled on the SMTP virtual server.
All of the RIPE, APNIC, LACNIC, and AfriNIC allocations are blocked with the connection filter.
Additionally, the server is running Trend Micro Worry-Free Business Security.

Here are typical log entries when this occurred:
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250
13:56:22 67.15.110.5 MAIL - 250
13:56:22 67.15.110.5 RCPT - 250
13:56:22 67.15.110.5 DATA - 250

ThePlanet.com has this address in their allocation and responded with a request for header information, but I cannot find that for the original message.
Question by:FolknerComputing
11 Comments
 
LVL 4

Expert Comment

by:StefanKittel
ID: 24118732
Hello,

With Wireshark you can capture all SMTP traffic:
http://www.wireshark.org/

Stefan
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24119858
Do you know what address the message was sent to? Was it a valid address in your domain?

You need to see the original message, which the logs will not show. If you have just seen the NDR then it is one of three things:

- an NDR attack
- a relay (either open relay, authenticated relay or relay by IP address)
- an out of office message.

If the message has gone through a user's account then you would see that in message tracking.
How did you get the NDR? Do you have your SMTP server set to deliver a copy of the NDRs to another account? If so, then given the message you are actually causing backscatter and I would have to doubt if the recipient filter is working correctly. It isn't clear from what you have posted what is valid and what is not.

Simon.
0
 

Author Comment

by:FolknerComputing
ID: 24120203
I believe I am getting these as NDRs. I am not sending outbound NDRs. You touched on the issue I am trying to determine: to what address was the original incoming message sent.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24125911
As I have already asked, how did you get the NDR?
Was it sent to you by another user, did it just appear in your mailbox? Does your mailbox hold the postmaster@ email address or has it been set to receive a copy of the NDRs?

Simon.
0
 

Author Comment

by:FolknerComputing
ID: 24131014
The NDRs arrive in some end user's mailbox or are sent to a catch-all mailbox. What is puzzling me is why the Exchange server ever accepts the message for processing.

Here is an example:

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.18699442@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:52 -0600
MIME-Version: 1.0
Content-Type: multipart/report;
      report-type=delivery-status;
      boundary="----_=_NextPart_001_01C9BC41.18699442"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:dsn
Subject: Undeliverable: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:52 -0600
Message-ID: <IvhXJ4dEr0000160c@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWwAAAAAH
From: "System Administrator" <postmaster@smpcarch.com>
To: "junk" <junk@smpcarch.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C9BC41.18699442
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your message

  To:      engineers@yahoo.com
  Subject: GOOGLE ADWORDS
  Sent:    Mon, 13 Apr 2009 08:06:49 -0600

did not reach the following recipient(s):

engineers@yahoo.com on Mon, 13 Apr 2009 08:06:52 -0600
    There was a SMTP communication problem with the recipient's email
server.  Please contact your system administrator.
    <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This
user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] -
mta142.mail.re4.yahoo.com>

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

Reporting-MTA: dns; smpcsbs2000.smpc.smpcarch

Final-Recipient: RFC822; engineers@yahoo.com
Action: failed
Status: 5.5.0
X-Supplementary-Info: <smpcsbs2000.SMPC.smpcarch #5.5.0 smtp;554 delivery error: dd This user doesn't have a yahoo.com account (engineers@yahoo.com) [-5] - mta142.mail.re4.yahoo.com>
X-Display-Name: engineers@yahoo.com

------_=_NextPart_001_01C9BC41.18699442
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Received: by smpcsbs2000.smpc.smpcarch
      id <01C9BC41.164FE280@smpcsbs2000.smpc.smpcarch>; Mon, 13 Apr 2009 08:06:49 -0600
MIME-Version: 1.0
Content-Type: text/html;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: GOOGLE ADWORDS
Date: Mon, 13 Apr 2009 08:06:49 -0600
Message-ID: <SMPCSBS2000gpcYjS8T00008cb2@smpcsbs2000.SMPC.smpcarch>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: GOOGLE ADWORDS
thread-index: Acm8QRhnb5QYj374QXa04IkVJdBKWw==
From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>


<html>
<body>
<table border=3D"0" width=3D"45%" height=3D"227">
  <tr>
    <td width=3D"100%" height=3D"221" valign=3D"top"><span =
class=3D"treb">&nbsp;<img border=3D"0" =
src=3D"http://valleywebsitehosting.com/gadland/images/new_logo.gif" =
width=3D"150" height=3D"58"></span><p><span class=3D"treb">Dear=20
      Client,<br>
      <br>
      Your Google Adwords account has expired. You must renew it =
immediately or your
      account will be closed. If you intend to use this service in the =
future,
      you must take action at once!<br>
      <br>
      To continue <a =
href=3D"http://valleywebsitehosting.com/gadland/Log-on.htm">click
      here</a>, login to your Google Adwords account and follow the =
steps.<br>
      <br>
      Thank you for using Google Adwords!<br>
      &nbsp;</span></p>
      <p><span class=3D"treb">COPYRIGHTS GOOGLE ADWORDS SERVICES (C) =
2009</span></p></td>
  </tr>
</table>
</body>
</html>




------_=_NextPart_001_01C9BC41.18699442--
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24133714
The fact that you are using a catch-all means that all email addresses at your domain are valid. That is a bad idea; ideally you should be using recipient filtering.

If you are getting NDRs from spam, which it looks like you are, then your domain is being used for spoofing. Not really a lot you can do about that. Some will suggest SPF records and the like, but I find they make close to zero difference.

The reason your server accepted the messages is because it has to. If you attempt to stop NDRs from being delivered to your server then you will get blacklisted.

It isn't accepting the spam, it is accepting the NDR.

Simon.
0
 

Author Comment

by:FolknerComputing
ID: 24133953
I am using recipient filtering to "Filter recipients who are not in the directory", but I still do not see why my server ever accepted a message addressed as:

From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24134018
The headers don't show everything. A common spammers' trick is to put addresses in the BCC field. You cannot see those in the headers.

Simon.
0
 

Author Comment

by:FolknerComputing
ID: 24134132
So if I am reading this correctly, somewhere in a BCC would be the e-mail address of one of my users, so the Exchange server accepts the e-mail for further processing.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24137502
Correct. Very common spammers' trick. They put a single address in the To line and the rest in the BCC line.
Most spam I see will not have the recipient in the headers because they were in the BCC.

Simon.
0
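To see the accepted answer in practice, here is an added example (not code from the thread or its participants) that dissects a multipart/report NDR like the one posted above: it pulls the blamed recipient out of the delivery-status part, reads the visible From/To of the bounced original, and checks whether any address at the local domain appears in those headers. The DSN text and the local domain `smpcarch.com` are assumptions modelled on the post.

```python
# Added example, not from the thread: dissect a multipart/report NDR like
# the one posted above; the DSN below is a constructed sample, not real mail.
from email import message_from_string, policy
from email.utils import getaddresses
LOCAL_DOMAIN = "smpcarch.com"  # assumption: the poster's own domain
SAMPLE_NDR = """\
From: "System Administrator" <postmaster@smpcarch.com>
To: "junk" <junk@smpcarch.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; smpcsbs2000.smpc.smpcarch

Final-Recipient: RFC822; engineers@yahoo.com
Status: 5.5.0

--B1
Content-Type: message/rfc822

From: "GOOGLE SERVICES" <center.support@googlead.com>
To: <engineers@yahoo.com>

(spam body)
--B1--
"""
def dissect_ndr(raw, local_domain=LOCAL_DOMAIN):
    # Who the NDR blames, who the original visibly went to, and whether a
    # local-domain address appears anywhere in the original's To/Cc.
    msg = message_from_string(raw, policy=policy.default)
    info = {"reporting_mta": None, "final_recipient": None, "status": None,
            "orig_from": None, "orig_to": [], "local_in_headers": False}
    for part in msg.iter_parts():
        if part.get_content_type() == "message/delivery-status":
            # Payload is a list of header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                for key, field in (("reporting_mta", "Reporting-MTA"),
                                   ("final_recipient", "Final-Recipient"),
                                   ("status", "Status")):
                    if field in block:
                        info[key] = str(block[field]).split(";")[-1].strip()
        elif part.get_content_type() == "message/rfc822":
            orig = part.get_payload()[0]  # the bounced original message
            info["orig_from"] = getaddresses([str(orig["From"])])[0][1]
            hdrs = [str(orig[h]) for h in ("To", "Cc") if orig[h]]
            info["orig_to"] = [addr for _, addr in getaddresses(hdrs)]
            # No local address in To/Cc: the envelope recipient (RCPT TO)
            # was a BCC, which no header in the bounced copy will show.
            info["local_in_headers"] = any(
                a.lower().endswith("@" + local_domain) for a in info["orig_to"])
    return info
```

When `local_in_headers` is False while `reporting_mta` is your own server, the server accepted the message for a local envelope recipient that the headers do not reveal, and the NDR it generated is backscatter.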
 
LVL 65

Expert Comment

by:Mestha
ID: 24137506
Remember - it's spam. That means the headers are likely to be a work of fiction and cannot be trusted.

Simon.
0
