Solved

SPAM email from our Exchange users

Posted on 2009-04-14
Last Modified: 2013-12-09
The user says he did not send this email below. Is his computer infected perhaps?
==================================================================
From: Microsoft Exchange
Sent: Tuesday, April 14, 2009 3:28 AM
To: John Smith
Subject: Undeliverable: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
 
Delivery has failed to these recipients or distribution lists:
 
maynardlcqya@domain.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.
  _____  
Sent by Microsoft Exchange Server 2007
 
Diagnostic information for administrators:
 
Generating server: martini.bcr.local
 
maynardlcqya@domain.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
 
Original message headers:
 
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Content-Return: allowed
X-Mailer: devMail.Net (3.0.1854.22234-2)
Return-Path: <maynardlcqya@domain.com>
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
Message-ID: <20090414132829.2444.qmail@fsauerbr>
To: <maynardlcqya@domain.com>
Subject: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
From: "VIAGRA ® Pfizer Inc." <maynardlcqya@domain.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="=_reb-r6D9CC37A-t49E46549"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Processed-By: Rebuild v2.0-0
X-Spam-Flag: YES
X-Spam: [F=0.9999999502; B=0.500(0); CM=0.999; MH=0.954(2009041408); R=0.600(1093141633); S=0.389(2009020301); SS=0.500; SC=none]
X-MAIL-FROM: <johns@domain.com>
X-SOURCE-IP: [80.134.197.18]
X-AnalysisOut: [v=1.0 c=0 p=nsWfa1DyU0wA:10 a=fEvt8YreRHQA:10 a=_2i3lHUpNM]
X-AnalysisOut: [cA:10]
Date: Tue, 14 Apr 2009 03:28:26 -0700
Question by: pzozulka
Accepted Solution by: tigermatt (earned 500 total points), ID: 24140954
Nope, he's more than likely not infected. This is more than likely typical NDR spam - and there is unfortunately not much you can do about it. It works because a spammer sends lots of emails - claiming to be from your user(s) and to fake email addresses - to various mail servers over the Internet. These servers, which do not know who the fake recipients are, then create hundreds of NDR messages, bouncing them back to your user's mailbox because that is "apparently" the place where the mail came from. It's a problem with the SMTP protocol, and something which will always exist unless SMTP is overhauled.

Just about the only way you should be able to stop this spam is by using SPF records to control what servers can send for your email domain. SPF will have some effect, but there will be plenty of smaller mail servers out there which spammers can use to "bounce" the mail off, because such servers are often not configured to check SPF records.

To actually prevent the users getting the undeliverables, the best way I have found is to create an Outlook rule to delete messages with "Delivery Status Notification" in the subject (assuming that's the type of NDRs you're getting). The risk with this is that it will delete legitimate NDRs too, though. The servers being used by the spammers should really be configured not to send spam for domains and even recipients they don't know, but that obviously isn't going to happen. You could also just wait - because the spammers tend to hit hard, but then move on after a few hours / couple of days.

-Matt
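The two things worth doing mechanically with an NDR like this are the ones Matt's answer turns on: find out where the quoted original actually entered the mail system (so you can tell whether it ever touched the user's machine or your own servers), and see what SPF would have said about that origin. The script below does both against the "Original message headers" block from the NDR in the question. It is an added example, not code from the thread or from Microsoft; the header text is copied from the page, while the internal address range (10.81.0.0/16, chosen because martini.bcr.local shows as 10.81.2.40), the SPF record for domain.com and the relay address 203.0.113.25 are constructed assumptions for illustration. The SPF evaluator is a deliberate subset (ip4/ip6 and all, no DNS lookups, no include/a/mx/redirect), which is enough to show what a checking receiver would have done with such a record, and it works for any record written in that subset, not only the one here.

```python
"""Backscatter (NDR spam) triage: where did the bounced message originate,
and would SPF have rejected it?  Added example for this thread, not code from
the original post.  The headers are copied from the NDR in the question; the
network list, SPF record and 203.0.113.25 relay are constructed assumptions."""
import ipaddress
import re

# Copied from the "Original message headers" section of the NDR above
# (the From: line with non-ASCII text is omitted; it plays no part here).
ORIGINAL_HEADERS = """\
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Return-Path: <maynardlcqya@domain.com>
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
Message-ID: <20090414132829.2444.qmail@fsauerbr>
X-MAIL-FROM: <johns@domain.com>
X-SOURCE-IP: [80.134.197.18]
"""

# Assumption: the organisation's own address space (martini.bcr.local is 10.81.2.40).
INTERNAL_NETS = [ipaddress.ip_network("10.81.0.0/16")]

# Assumption: a record domain.com *could* publish, naming a single outbound relay.
SPF_RECORD = "v=spf1 ip4:203.0.113.25 -all"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold(headers):
    """Join RFC 5322 folded continuation lines; return (name, value) pairs."""
    text = re.sub(r"\r?\n[ \t]+", " ", headers)
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_received(value):
    """Claimed sending host, HELO name, source IP and receiving host of one hop."""
    m_by = re.search(r"\bby\s+(\S+)", value)
    before_by = value[: m_by.start()] if m_by else value
    m_from = re.search(r"\bfrom\s+(\S+)", before_by)
    m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", before_by, re.I)
    m_ip = re.search(IPV4, before_by)
    return {
        "from": m_from.group(1) if m_from else None,
        "helo": m_helo.group(1) if m_helo else None,
        "ip": m_ip.group(0) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def origin_hop(headers):
    """Earliest Received: hop carrying a source IP.  Each relay prepends its
    own Received: line, so the last one in the block is the oldest."""
    hops = [parse_received(v) for n, v in unfold(headers) if n == "received"]
    for hop in reversed(hops):
        if hop["ip"]:
            return hop
    return None


def envelope_from(headers):
    for n, v in unfold(headers):
        m = re.search(r"envelope-from\s+<([^>]+)>", v) if n == "received" else None
        if m:
            return m.group(1)
    return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def spf_check(ip, record):
    """Minimal SPF: ip4:/ip6: mechanisms and 'all', with +/-/~/? qualifiers.
    No DNS and no include/a/mx/redirect; terms are tested left to right and
    the first match decides, as in RFC 7208."""
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = term[0] if term[0] in outcome else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return outcome[qual]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if addr in net:
                return outcome[qual]
    return "neutral"  # nothing matched and no 'all' term


def triage(headers=ORIGINAL_HEADERS):
    hop = origin_hop(headers)
    if hop is None:
        raise ValueError("no Received: hop with a source IP")
    sender = envelope_from(headers)
    return {
        "origin_ip": hop["ip"],
        "helo": hop["helo"] or hop["from"],
        "entered_via": hop["by"],
        "envelope_from": sender,
        "from_our_network": is_internal(hop["ip"]),
        "spf": spf_check(hop["ip"], SPF_RECORD) if sender else "none",
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key:>17}: {val}")
```

For the headers on the page this reports an origin of 80.134.197.18 (HELO fsauerbr, the same name as in the Message-ID) handing the message to p02c11m114.domain.net with a forged envelope sender of johns@domain.com; no hop from the organisation's own range appears below that, and martini.bcr.local only ever saw the message as an inbound bounce, which is the picture Matt describes. Against the assumed record the origin gets "fail", but that only matters if the server generating the bounce actually checks SPF, which, as the answer notes, many do not. One caveat when reading any Received: chain: only the line your own server wrote can be trusted; everything below it was written by other parties and can itself be forged.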
Author Closing Comment by: pzozulka, ID: 31570067
Wow, thanks Matt. Very educational while helpful at the same time. Appreciate it much.