SPAM email from our Exchange users

Posted on 2009-04-14
Last Modified: 2013-12-09
The user says he did not send this email below. Is his computer infected perhaps?
==================================================================
From: Microsoft Exchange
Sent: Tuesday, April 14, 2009 3:28 AM
To: John Smith
Subject: Undeliverable: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
 
Delivery has failed to these recipients or distribution lists:
 
maynardlcqya@domain.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.
  _____  
Sent by Microsoft Exchange Server 2007
 
Diagnostic information for administrators:
 
Generating server: martini.bcr.local
 
maynardlcqya@domain.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
 
Original message headers:
 
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Content-Return: allowed
X-Mailer: devMail.Net (3.0.1854.22234-2)
Return-Path: <maynardlcqya@domain.com>
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
Message-ID: <20090414132829.2444.qmail@fsauerbr>
To: <maynardlcqya@domain.com>
Subject: [SPAM] RE: Dear maynardlcqya@domain.com Pharmacy Message 42647054
From: "VIAGRA ® Pfizer Inc." <maynardlcqya@domain.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="=_reb-r6D9CC37A-t49E46549"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Processed-By: Rebuild v2.0-0
X-Spam-Flag: YES
X-Spam: [F=0.9999999502; B=0.500(0); CM=0.999; MH=0.954(2009041408); R=0.600(1093141633); S=0.389(2009020301); SS=0.500; SC=none]
X-MAIL-FROM: <johns@domain.com>
X-SOURCE-IP: [80.134.197.18]
X-AnalysisOut: [v=1.0 c=0 p=nsWfa1DyU0wA:10 a=fEvt8YreRHQA:10 a=_2i3lHUpNM]
X-AnalysisOut: [cA:10]
Date: Tue, 14 Apr 2009 03:28:26 -0700
Question by:pzozulka

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 24140954

Nope, he's more than likely not infected. This is more than likely typical NDR spam - and there is unfortunately not much you can do about it. It works because a spammer sends lots of emails - claiming to be from your user(s) and to fake email addresses - to various mail servers over the Internet. These servers, who do not know who the fake recipients are, then create hundreds of NDR messages, bouncing them back to your user's mailbox because that is "apparently" the place where the mail came from. It's a problem with the SMTP protocol, and something which will always exist unless SMTP is overhauled.

Just about the only way which you should be able to stop this spam is using SPF records to control what servers can send for your email domain. SPF will have some effect, but there will be plenty of smaller mail servers out there which spammers can use to "bounce" the mail off because such servers are often not configured to check SPF records.

To actually prevent the users getting the undeliverables, the best way I have found is to create an Outlook rule to delete messages with "Delivery Status Notification" in the subject (assuming that's the type of NDRs you're getting). The risk with this is that they will delete a legitimate NDR though. The servers being used by the spammers should really be configured not to send spam for domains and even recipients they don't know, but that obviously isn't going to happen. You could also just wait - because the spammers tend to hit hard, but then move on after a few hours / couple of days.

-Matt
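To check the diagnosis above against the bounce in the question, this added example (not part of the original answer and not Exchange tooling) reads the NDR's original headers, finds the host that handed the message to the filtering gateway with the user's address as envelope sender, and evaluates that IP against an SPF record. The SPF record and the 192.0.2.0/24 range are constructed placeholders, and the evaluator covers only `ip4` and `all` mechanisms.

```python
import ipaddress
import re
from email import message_from_string

# Header lines copied from the bounced message quoted in the question.
NDR_HEADERS = """\
Received: from p02c11m114.domain.net (208.65.144.245) by martini.bcr.local
 (10.81.2.40) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 14 Apr 2009
 03:28:26 -0700
Received: from unknown [80.134.197.18] (HELO fsauerbr)  by
 p02c11m114.domain.net (mxl_mta-6.1.1-3)        with SMTP id
 84564e94.3125033872.361583.00-014.p02c11m114.domain.net (envelope-from
 <johns@domain.com>); Tue, 14 Apr 2009 04:28:25 -0600 (MDT)
Received: (qmail 2442 by uid 600); Tue, 14 Apr 2009 12:28:29 +0100
X-MAIL-FROM: <johns@domain.com>
X-SOURCE-IP: [80.134.197.18]
"""

# Assumption: constructed SPF record; 192.0.2.0/24 stands in for the
# organisation's real outbound mail range, which the page does not give.
ASSUMED_SPF = "v=spf1 ip4:192.0.2.0/24 -all"

def gateway_handoff(raw_headers):
    """Return (client_ip, envelope_from) from the first Received hop that
    logged an envelope sender, i.e. where the mail entered the gateway."""
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        hop = " ".join(value.split())  # unfold continuation lines
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        sender = re.search(r"envelope-from\s*<([^>]+)>", hop)
        if ip and sender:
            return ip.group(1), sender.group(1)
    return None

def spf_ip4_result(record, client_ip):
    """Simplified SPF check: only ip4 and all mechanisms, no DNS lookups."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return results[qualifier]
    return "neutral"

if __name__ == "__main__":
    client_ip, sender = gateway_handoff(NDR_HEADERS)
    print(sender, "submitted by", client_ip, "->", spf_ip4_result(ASSUMED_SPF, client_ip))
```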

Author Closing Comment

by:pzozulka
ID: 31570067
Wow, thanks Matt. Very educational while helpful at the same time. Appreciate it much.