Solved

SPAM email from our Exchange users

Posted on 2009-04-14
538 Views
Last Modified: 2013-12-09
The user says he did not send this email below. Is his computer infected perhaps?
==================================================================
From: Microsoft Exchange
Sent: Tuesday, April 14, 2009 3:28 AM
To: John Smith
Subject: Undeliverable: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
 
Delivery has failed to these recipients or distribution lists:
 
maynardlcqya@domain.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.
  _____  
Sent by Microsoft Exchange Server 2007
 
Diagnostic information for administrators:
 
Generating server: martini.bcr.local
 
maynardlcqya@domain.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
 
Original message headers:
 
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Content-Return: allowed
X-Mailer: devMail.Net (3.0.1854.22234-2)
Return-Path: <maynardlcqya@domain.com>
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
Message-ID: <20090414132829.2444.qmail@fsauerbr>
To: <maynardlcqya@domain.com>
Subject: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
From: "VIAGRA ® Pfizer Inc." <maynardlcqya@domain.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="=_reb-r6D9CC37A-t49E46549"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Processed-By: Rebuild v2.0-0
X-Spam-Flag: YES
X-Spam: [F=0.9999999502; B=0.500(0); CM=0.999; MH=0.954(2009041408); R=0.600(1093141633); S=0.389(2009020301); SS=0.500; SC=none]
X-MAIL-FROM: <johns@domain.com>
X-SOURCE-IP: [80.134.197.18]
X-AnalysisOut: [v=1.0 c=0 p=nsWfa1DyU0wA:10 a=fEvt8YreRHQA:10 a=_2i3lHUpNM]
X-AnalysisOut: [cA:10]
Date: Tue, 14 Apr 2009 03:28:26 -0700
Question by:pzozulka
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
Nope, he's more than likely not infected. This is more than likely typical NDR spam - and there is unfortunately not much you can do about it. It works because a spammer sends lots of emails - claiming to be from your user(s) and to fake email addresses - to various mail servers over the Internet. These servers, who do not know who the fake recipients are, then create hundreds of NDR messages, bouncing them back to your user's mailbox because that is "apparently" the place where the mail came from. It's a problem with the SMTP protocol, and something which will always exist unless SMTP is overhauled.

Just about the only way you should be able to stop this spam is by using SPF records to control what servers can send for your email domain. SPF will have some effect, but there will be plenty of smaller mail servers out there which spammers can use to "bounce" the mail off, because such servers are often not configured to check SPF records.

To actually prevent the users getting the undeliverables, the best way I have found is to create an Outlook rule to delete messages with "Delivery Status Notification" in the subject (assuming that's the type of NDRs you're getting). The risk with this is that they will delete a legitimate NDR though. The servers being used by the spammers should really be configured not to send spam for domains and even recipients they don't know, but that obviously isn't going to happen. You could also just wait - because the spammers tend to hit hard, but then move on after a few hours / couple of days.

-Matt
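Rather than deleting every NDR by subject (which, as Matt notes, also kills genuine bounces), the bounced message's own headers can decide the matter: the earliest Received: hop names the host that actually injected the mail, and in the NDR above that is 80.134.197.18 (HELO fsauerbr) claiming envelope-from johns@domain.com, not one of the domain's own senders. The following is an added example, not code from the thread or from Exchange; the AUTHORIZED_SENDERS network, the GENUINE header chain and the 198.51.100.7 / 203.0.113.25 addresses are constructed, while FORGED is taken from the NDR quoted in the question.

```python
import re
import ipaddress
from email import message_from_string

# Placeholder: the addresses the organization really sends from, i.e. what it
# would publish in SPF (e.g. "v=spf1 ip4:203.0.113.0/24 -all"). Not from the page.
AUTHORIZED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]

# Sample input. FORGED is the Received chain quoted in the question's NDR;
# GENUINE is a constructed chain for mail that really left our own relay.
FORGED = """Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
"""
GENUINE = """Received: from smtp.example.net (198.51.100.7) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS); Tue, 14 Apr 2009 09:00:00 -0700
Received: from mail.bcr.example [203.0.113.25] by smtp.example.net
 with ESMTP; Tue, 14 Apr 2009 08:59:58 -0700
"""

# An IPv4 address written as [a.b.c.d] or (a.b.c.d) inside a Received: header.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def origin_ip(raw_headers):
    """IP of the host that first handed the message to a relay.
    Each hop prepends its Received: header, so the earliest hop is the last
    one; entries with no address (qmail's local injection line) are skipped."""
    msg = message_from_string(raw_headers)
    for hop in reversed(msg.get_all("Received", [])):
        found = IP_RE.search(hop)
        if found:
            return found.group(1)
    return None

def is_backscatter(raw_headers, authorized=AUTHORIZED_SENDERS):
    """True when the bounced message never passed through our own senders, so
    the NDR answers mail we did not send and can be filed away safely."""
    ip = origin_ip(raw_headers)
    if ip is None:
        return False  # cannot tell; keep the NDR for a human to look at
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in authorized)
```

Apply origin_ip() to the "Original message headers" block that Exchange embeds in the NDR, not to the NDR's own headers, which of course come from your server.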
LVL 8

Author Closing Comment

by:pzozulka
Wow, thanks Matt. Very educational while helpful at the same time. Appreciate it much.