Solved

SPAM email from our Exchange users

Posted on 2009-04-14
Last Modified: 2013-12-09
The user says he did not send this email below. Is his computer infected perhaps?
==================================================================
From: Microsoft Exchange
Sent: Tuesday, April 14, 2009 3:28 AM
To: John Smith
Subject: Undeliverable: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
 
Delivery has failed to these recipients or distribution lists:
 
maynardlcqya@domain.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.
  _____  
Sent by Microsoft Exchange Server 2007
 
Diagnostic information for administrators:
 
Generating server: martini.bcr.local
 
maynardlcqya@domain.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
 
Original message headers:
 
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Content-Return: allowed
X-Mailer: devMail.Net (3.0.1854.22234-2)
Return-Path: <maynardlcqya@domain.com>
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
Message-ID: <20090414132829.2444.qmail@fsauerbr>
To: <maynardlcqya@domain.com>
Subject: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
From: "VIAGRA ® Pfizer Inc." <maynardlcqya@domain.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="=_reb-r6D9CC37A-t49E46549"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Processed-By: Rebuild v2.0-0
X-Spam-Flag: YES
X-Spam: [F=0.9999999502; B=0.500(0); CM=0.999; MH=0.954(2009041408); R=0.600(1093141633); S=0.389(2009020301); SS=0.500; SC=none]
X-MAIL-FROM: <johns@domain.com>
X-SOURCE-IP: [80.134.197.18]
X-AnalysisOut: [v=1.0 c=0 p=nsWfa1DyU0wA:10 a=fEvt8YreRHQA:10 a=_2i3lHUpNM]
X-AnalysisOut: [cA:10]
Date: Tue, 14 Apr 2009 03:28:26 -0700
Question by:pzozulka
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24140954

Nope, he's more than likely not infected. This is more than likely typical NDR spam - and there is unfortunately not much you can do about it. It works because a spammer sends lots of emails - claiming to be from your user(s) and to fake email addresses - to various mail servers over the Internet. These servers, who do not know who the fake recipients are, then create hundreds of NDR messages, bouncing them back to your user's mailbox because that is "apparently" the place where the mail came from. It's a problem with the SMTP protocol, and something which will always exist unless SMTP is overhauled.

Just about the only way which you should be able to stop this spam is using SPF records to control what servers can send for your email domain. SPF will have some effect, but there will be plenty of smaller mail servers out there which spammers can use to "bounce" the mail off because such servers are often not configured to check SPF records.

To actually prevent the users getting the undeliverables, the best way I have found is to create an Outlook rule to delete messages with "Delivery Status Notification" in the subject (assuming that's the type of NDRs you're getting). The risk with this is that they will delete a legitimate NDR though. The servers being used by the spammers should really be configured not to send spam for domains and even recipients they don't know, but that obviously isn't going to happen. You could also just wait - because the spammers tend to hit hard, but then move on after a few hours / couple of days.

-Matt
0
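
The following is an added example, not part of the original answer: one way to check, from the Received headers quoted in the bounce, whether the message was handed over by one of your own sending hosts or by an outside address using a forged sender. The SPF record, the `TRUSTED_RELAYS` entry (the hosted filter in front of Exchange) and all function names are assumptions for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed input: the three Received lines from the bounce in the question.
BOUNCED_HEADERS = """\
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3) with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
"""
# Assumptions (not on the page): the organisation's SPF record, and the
# hosted filter's address treated as a relay whose Received line we trust.
OUR_SPF = "v=spf1 ip4:203.0.113.0/28 -all"
TRUSTED_RELAYS = ["208.65.144.245/32"]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def spf_networks(record):
    """Return the ip4:/ip6: ranges that an SPF record authorises."""
    return [ipaddress.ip_network(m, strict=False)
            for m in re.findall(r"\bip[46]:(\S+)", record)]

def submitting_ip(raw_headers, trusted_relays):
    """Walk Received headers newest-first and return the first peer IP that
    is not one of our relays; lines below that hop can be forged."""
    trusted = [ipaddress.ip_network(n) for n in trusted_relays]
    for value in message_from_string(raw_headers).get_all("Received", []):
        peer = IP_RE.search(re.split(r"\sby\s", value, maxsplit=1)[0])
        if peer is None:          # no peer address recorded: stop here
            return None
        ip = ipaddress.ip_address(peer.group(1))
        if not any(ip in net for net in trusted):
            return ip
    return None

def triage(raw_headers, spf_record, trusted_relays):
    """Classify the bounced message by where it entered the mail path."""
    src = submitting_ip(raw_headers, trusted_relays)
    if src is None:
        return "unknown"
    if any(src in net for net in spf_networks(spf_record)):
        return "sent-from-our-servers"
    return "forged-sender"

if __name__ == "__main__":
    print(submitting_ip(BOUNCED_HEADERS, TRUSTED_RELAYS),
          triage(BOUNCED_HEADERS, OUR_SPF, TRUSTED_RELAYS))
```

If users can also send directly from an office network, add that network's public egress range to the set compared against the source address.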
 
LVL 8

Author Closing Comment

by:pzozulka
ID: 31570067
Wow, thanks Matt. Very educational while helpful at the same time. Appreciate it much.